Merge
authorduke
Wed, 05 Jul 2017 17:54:13 +0200
changeset 10806 564c3eb64f71
parent 10805 043062d0d76a (current diff)
parent 10804 ce06fd763c34 (diff)
child 10808 882388c78d4e
Merge
jdk/make/sun/rmi/rmi/mapfile-vers
jdk/src/share/classes/sun/security/pkcs/EncodingException.java
jdk/src/share/classes/sun/security/pkcs/PKCS10.java
jdk/src/share/classes/sun/security/pkcs/PKCS10Attribute.java
jdk/src/share/classes/sun/security/pkcs/PKCS10Attributes.java
jdk/src/share/classes/sun/security/util/BigInt.java
jdk/src/share/classes/sun/security/util/PathList.java
jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java
jdk/src/share/native/sun/rmi/server/MarshalInputStream.c
jdk/test/java/net/DatagramSocket/ChangingAddress.java
jdk/test/sun/security/util/BigInt/BigIntEqualsHashCode.java
--- a/.hgtags-top-repo	Thu Oct 27 13:54:37 2011 -0700
+++ b/.hgtags-top-repo	Wed Jul 05 17:54:13 2017 +0200
@@ -132,3 +132,4 @@
 fb1bc13260d76447e269e843859eb593fe2a8ab2 jdk8-b08
 8adb70647b5af5273dfe6a540f07be667cd50216 jdk8-b09
 a6c4c248e8fa350c35014fa94bab5ac1a1ac3299 jdk8-b10
+1defbc57940a56f0aa41e9dee87b71e8c8b71103 jdk8-b11
--- a/corba/.hgtags	Thu Oct 27 13:54:37 2011 -0700
+++ b/corba/.hgtags	Wed Jul 05 17:54:13 2017 +0200
@@ -132,3 +132,4 @@
 0d52b1c87aa8fdea7fdc9c4126ea58f95ca6b351 jdk8-b08
 a891732c1a83082177ff7a4cf1506068d9cc0a47 jdk8-b09
 cda87f7fefcee3b89742a57ce5ad9b03a54c210d jdk8-b10
+0199e4fef5cc2bd234c65b93220459ef7a3bb3b1 jdk8-b11
--- a/hotspot/.hgtags	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/.hgtags	Wed Jul 05 17:54:13 2017 +0200
@@ -193,3 +193,5 @@
 e4f412d2b75d2c797acff965aa2c420e3d358f09 hs23-b02
 d815de2e85e511b7deab2a83cf80c0224d011da9 jdk8-b10
 4d3850d9d326ac3a9bee2d867727e954322d014e hs23-b03
+4538caeef7b6cbd4302bebced805d65e68ccf301 jdk8-b11
+6534482ff68ad79066dfe15dfb6d8905f09681bd hs23-b04
--- a/hotspot/make/hotspot_version	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/make/hotspot_version	Wed Jul 05 17:54:13 2017 +0200
@@ -35,7 +35,7 @@
 
 HS_MAJOR_VER=23
 HS_MINOR_VER=0
-HS_BUILD_NUMBER=03
+HS_BUILD_NUMBER=04
 
 JDK_MAJOR_VER=1
 JDK_MINOR_VER=8
--- a/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -62,7 +62,7 @@
   MinChunkSize = numQuanta(sizeof(FreeChunk), MinObjAlignmentInBytes) * MinObjAlignment;
 
   assert(IndexSetStart == 0 && IndexSetStride == 0, "already set");
-  IndexSetStart  = MinObjAlignment;
+  IndexSetStart  = (int) MinChunkSize;
   IndexSetStride = MinObjAlignment;
 }
 
@@ -138,7 +138,7 @@
   } else {
     _fitStrategy = FreeBlockStrategyNone;
   }
-  checkFreeListConsistency();
+  check_free_list_consistency();
 
   // Initialize locks for parallel case.
 
@@ -1358,17 +1358,29 @@
   ShouldNotReachHere();
 }
 
-bool CompactibleFreeListSpace::verifyChunkInIndexedFreeLists(FreeChunk* fc)
-  const {
+bool CompactibleFreeListSpace::verifyChunkInIndexedFreeLists(FreeChunk* fc) const {
   assert(fc->size() < IndexSetSize, "Size of chunk is too large");
   return _indexedFreeList[fc->size()].verifyChunkInFreeLists(fc);
 }
 
+bool CompactibleFreeListSpace::verify_chunk_is_linear_alloc_block(FreeChunk* fc) const {
+  assert((_smallLinearAllocBlock._ptr != (HeapWord*)fc) ||
+         (_smallLinearAllocBlock._word_size == fc->size()),
+         "Linear allocation block shows incorrect size");
+  return ((_smallLinearAllocBlock._ptr == (HeapWord*)fc) &&
+          (_smallLinearAllocBlock._word_size == fc->size()));
+}
+
+// Check if the purported free chunk is present either as a linear
+// allocation block, the size-indexed table of (smaller) free blocks,
+// or the larger free blocks kept in the binary tree dictionary.
 bool CompactibleFreeListSpace::verifyChunkInFreeLists(FreeChunk* fc) const {
-  if (fc->size() >= IndexSetSize) {
+  if (verify_chunk_is_linear_alloc_block(fc)) {
+    return true;
+  } else if (fc->size() < IndexSetSize) {
+    return verifyChunkInIndexedFreeLists(fc);
+  } else {
     return dictionary()->verifyChunkInFreeLists(fc);
-  } else {
-    return verifyChunkInIndexedFreeLists(fc);
   }
 }
 
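Review bot: `verify_chunk_is_linear_alloc_block` has no comment in this file explaining why its assert and its return value repeat the same two comparisons with different outcomes. In a debug build an address match with a size mismatch stops on the assert; in a product build the function returns false and `verifyChunkInFreeLists` goes on to look the chunk up in the indexed lists or the dictionary. I would state that above the definition, e.g. `// Returns true only if fc is the small linear allocation block and its size matches; an address match with a different size is a heap inconsistency (asserted in debug builds).`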
@@ -2495,7 +2507,8 @@
   FreeChunk* tail =  _indexedFreeList[size].tail();
   size_t    num = _indexedFreeList[size].count();
   size_t      n = 0;
-  guarantee((size % 2 == 0) || fc == NULL, "Odd slots should be empty");
+  guarantee(((size >= MinChunkSize) && (size % IndexSetStride == 0)) || fc == NULL,
+            "Slot should have been empty");
   for (; fc != NULL; fc = fc->next(), n++) {
     guarantee(fc->size() == size, "Size inconsistency");
     guarantee(fc->isFree(), "!free?");
@@ -2506,14 +2519,14 @@
 }
 
 #ifndef PRODUCT
-void CompactibleFreeListSpace::checkFreeListConsistency() const {
+void CompactibleFreeListSpace::check_free_list_consistency() const {
   assert(_dictionary->minSize() <= IndexSetSize,
     "Some sizes can't be allocated without recourse to"
     " linear allocation buffers");
   assert(MIN_TREE_CHUNK_SIZE*HeapWordSize == sizeof(TreeChunk),
     "else MIN_TREE_CHUNK_SIZE is wrong");
-  assert((IndexSetStride == 2 && IndexSetStart == 2) ||
-         (IndexSetStride == 1 && IndexSetStart == 1), "just checking");
+  assert((IndexSetStride == 2 && IndexSetStart == 4) ||                   // 32-bit
+         (IndexSetStride == 1 && IndexSetStart == 3), "just checking");   // 64-bit
   assert((IndexSetStride != 2) || (MinChunkSize % 2 == 0),
       "Some for-loops may be incorrectly initialized");
   assert((IndexSetStride != 2) || (IndexSetSize % 2 == 1),
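Review bot: The rewritten assert in `check_free_list_consistency` pins `IndexSetStart` to the literals 4 and 3, while the first hunk of this file now derives it as `(int) MinChunkSize` and keeps `IndexSetStride = MinObjAlignment`. A configuration whose object alignment or `sizeof(FreeChunk)` yields a different minimum chunk size would trip this assert even though the indexing is self-consistent; this is inferred, since the code that sets the alignment is not visible here. Checking the relation instead of the values would be sturdier: `assert(IndexSetStart == (int) MinChunkSize && IndexSetStride == MinObjAlignment, "just checking");`. The function body continues past the end of the hunk.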
@@ -2688,33 +2701,27 @@
   }
 }
 
+// If this is changed in the future to allow parallel
+// access, one would need to take the FL locks and,
+// depending on how it is used, stagger access from
+// parallel threads to reduce contention.
 void CFLS_LAB::retire(int tid) {
   // We run this single threaded with the world stopped;
   // so no need for locks and such.
-#define CFLS_LAB_PARALLEL_ACCESS 0
   NOT_PRODUCT(Thread* t = Thread::current();)
   assert(Thread::current()->is_VM_thread(), "Error");
-  assert(CompactibleFreeListSpace::IndexSetStart == CompactibleFreeListSpace::IndexSetStride,
-         "Will access to uninitialized slot below");
-#if CFLS_LAB_PARALLEL_ACCESS
-  for (size_t i = CompactibleFreeListSpace::IndexSetSize - 1;
-       i > 0;
-       i -= CompactibleFreeListSpace::IndexSetStride) {
-#else // CFLS_LAB_PARALLEL_ACCESS
   for (size_t i =  CompactibleFreeListSpace::IndexSetStart;
        i < CompactibleFreeListSpace::IndexSetSize;
        i += CompactibleFreeListSpace::IndexSetStride) {
-#endif // !CFLS_LAB_PARALLEL_ACCESS
     assert(_num_blocks[i] >= (size_t)_indexedFreeList[i].count(),
            "Can't retire more than what we obtained");
     if (_num_blocks[i] > 0) {
       size_t num_retire =  _indexedFreeList[i].count();
       assert(_num_blocks[i] > num_retire, "Should have used at least one");
       {
-#if CFLS_LAB_PARALLEL_ACCESS
-        MutexLockerEx x(_cfls->_indexedFreeListParLocks[i],
-                        Mutex::_no_safepoint_check_flag);
-#endif // CFLS_LAB_PARALLEL_ACCESS
+        // MutexLockerEx x(_cfls->_indexedFreeListParLocks[i],
+        //                Mutex::_no_safepoint_check_flag);
+
         // Update globals stats for num_blocks used
         _global_num_blocks[i] += (_num_blocks[i] - num_retire);
         _global_num_workers[i]++;
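Review bot: The two `// MutexLockerEx x(...)` lines left inside the inner block of `CFLS_LAB::retire` are commented-out code that duplicates what the new comment above the function already says about taking the FL locks. I would delete them and, if the hint is worth keeping, name the lock in that header comment instead, e.g. `// ... take _cfls->_indexedFreeListParLocks[i] around the stats update ...`. Separately, the `NOT_PRODUCT(Thread* t = Thread::current();)` local is not used by the visible assert, which calls `Thread::current()` again. The loop body continues outside the hunk.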
--- a/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.hpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.hpp	Wed Jul 05 17:54:13 2017 +0200
@@ -502,10 +502,14 @@
   void verifyFreeLists()                  const PRODUCT_RETURN;
   void verifyIndexedFreeLists()           const;
   void verifyIndexedFreeList(size_t size) const;
-  // verify that the given chunk is in the free lists.
+  // Verify that the given chunk is in the free lists:
+  // i.e. either the binary tree dictionary, the indexed free lists
+  // or the linear allocation block.
   bool verifyChunkInFreeLists(FreeChunk* fc) const;
+  // Verify that the given chunk is the linear allocation block
+  bool verify_chunk_is_linear_alloc_block(FreeChunk* fc) const;
   // Do some basic checks on the the free lists.
-  void checkFreeListConsistency()         const PRODUCT_RETURN;
+  void check_free_list_consistency()      const PRODUCT_RETURN;
 
   // Printing support
   void dump_at_safepoint_with_locks(CMSCollector* c, outputStream* st);
--- a/hotspot/src/share/vm/gc_implementation/g1/concurrentMarkThread.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/concurrentMarkThread.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -147,12 +147,8 @@
           }
         }
       } while (cm()->restart_for_overflow());
+
       double counting_start_time = os::elapsedVTime();
-
-      // YSR: These look dubious (i.e. redundant) !!! FIX ME
-      slt()->manipulatePLL(SurrogateLockerThread::acquirePLL);
-      slt()->manipulatePLL(SurrogateLockerThread::releaseAndNotifyPLL);
-
       if (!cm()->has_aborted()) {
         double count_start_sec = os::elapsedTime();
         if (PrintGC) {
@@ -175,6 +171,7 @@
           }
         }
       }
+
       double end_time = os::elapsedVTime();
       _vtime_count_accum += (end_time - counting_start_time);
       // Update the total virtual time before doing this, since it will try
@@ -335,13 +332,15 @@
   clear_started();
 }
 
-// Note: this method, although exported by the ConcurrentMarkSweepThread,
-// which is a non-JavaThread, can only be called by a JavaThread.
-// Currently this is done at vm creation time (post-vm-init) by the
-// main/Primordial (Java)Thread.
-// XXX Consider changing this in the future to allow the CMS thread
+// Note: As is the case with CMS - this method, although exported
+// by the ConcurrentMarkThread, which is a non-JavaThread, can only
+// be called by a JavaThread. Currently this is done at vm creation
+// time (post-vm-init) by the main/Primordial (Java)Thread.
+// XXX Consider changing this in the future to allow the CM thread
 // itself to create this thread?
 void ConcurrentMarkThread::makeSurrogateLockerThread(TRAPS) {
+  assert(UseG1GC, "SLT thread needed only for concurrent GC");
+  assert(THREAD->is_Java_thread(), "must be a Java thread");
   assert(_slt == NULL, "SLT already created");
   _slt = SurrogateLockerThread::make(THREAD);
 }
--- a/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -5502,34 +5502,36 @@
   CardTableModRefBS* ct_bs = (CardTableModRefBS*) (barrier_set());
   double start = os::elapsedTime();
 
-  // Iterate over the dirty cards region list.
-  G1ParCleanupCTTask cleanup_task(ct_bs, this);
-
-  if (ParallelGCThreads > 0) {
-    set_par_threads(workers()->total_workers());
-    workers()->run_task(&cleanup_task);
-    set_par_threads(0);
-  } else {
-    while (_dirty_cards_region_list) {
-      HeapRegion* r = _dirty_cards_region_list;
-      cleanup_task.clear_cards(r);
-      _dirty_cards_region_list = r->get_next_dirty_cards_region();
-      if (_dirty_cards_region_list == r) {
-        // The last region.
-        _dirty_cards_region_list = NULL;
+  {
+    // Iterate over the dirty cards region list.
+    G1ParCleanupCTTask cleanup_task(ct_bs, this);
+
+    if (ParallelGCThreads > 0) {
+      set_par_threads(workers()->total_workers());
+      workers()->run_task(&cleanup_task);
+      set_par_threads(0);
+    } else {
+      while (_dirty_cards_region_list) {
+        HeapRegion* r = _dirty_cards_region_list;
+        cleanup_task.clear_cards(r);
+        _dirty_cards_region_list = r->get_next_dirty_cards_region();
+        if (_dirty_cards_region_list == r) {
+          // The last region.
+          _dirty_cards_region_list = NULL;
+        }
+        r->set_next_dirty_cards_region(NULL);
       }
-      r->set_next_dirty_cards_region(NULL);
     }
+#ifndef PRODUCT
+    if (G1VerifyCTCleanup || VerifyAfterGC) {
+      G1VerifyCardTableCleanup cleanup_verifier(this, ct_bs);
+      heap_region_iterate(&cleanup_verifier);
+    }
+#endif
   }
 
   double elapsed = os::elapsedTime() - start;
   g1_policy()->record_clear_ct_time(elapsed * 1000.0);
-#ifndef PRODUCT
-  if (G1VerifyCTCleanup || VerifyAfterGC) {
-    G1VerifyCardTableCleanup cleanup_verifier(this, ct_bs);
-    heap_region_iterate(&cleanup_verifier);
-  }
-#endif
 }
 
 void G1CollectedHeap::free_collection_set(HeapRegion* cs_head) {
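Review bot: The card-table verifier now runs before `elapsed` is taken, so in a non-product build with `G1VerifyCTCleanup` or `VerifyAfterGC` set, the value passed to `record_clear_ct_time` includes the `heap_region_iterate(&cleanup_verifier)` walk as well as the clearing itself. Before this change the time was recorded first and the verifier ran afterwards. If limiting the lifetime of `cleanup_task` is the aim, the measurement stays clean either by closing the new block right after the `if (ParallelGCThreads > 0) ... else ...` and leaving the `#ifndef PRODUCT` section below `record_clear_ct_time`, or by computing `elapsed` inside the block immediately after the clearing. The function begins outside the hunk.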
--- a/hotspot/src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1CollectorPolicy.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -320,6 +320,7 @@
   _par_last_termination_attempts = new double[_parallel_gc_threads];
   _par_last_gc_worker_end_times_ms = new double[_parallel_gc_threads];
   _par_last_gc_worker_times_ms = new double[_parallel_gc_threads];
+  _par_last_gc_worker_other_times_ms = new double[_parallel_gc_threads];
 
   // start conservatively
   _expensive_region_limit_ms = 0.5 * (double) MaxGCPauseMillis;
@@ -497,7 +498,6 @@
   initialize_gc_policy_counters();
 
   G1YoungGenSizer sizer;
-  size_t initial_region_num = sizer.initial_young_region_num();
   _min_desired_young_length = sizer.min_young_region_num();
   _max_desired_young_length = sizer.max_young_region_num();
 
@@ -511,17 +511,14 @@
     }
   }
 
-  // GenCollectorPolicy guarantees that min <= initial <= max.
-  // Asserting here just to state that we rely on this property.
   assert(_min_desired_young_length <= _max_desired_young_length, "Invalid min/max young gen size values");
-  assert(initial_region_num <= _max_desired_young_length, "Initial young gen size too large");
-  assert(_min_desired_young_length <= initial_region_num, "Initial young gen size too small");
 
   set_adaptive_young_list_length(_min_desired_young_length < _max_desired_young_length);
   if (adaptive_young_list_length()) {
     _young_list_fixed_length = 0;
   } else {
-    _young_list_fixed_length = initial_region_num;
+    assert(_min_desired_young_length == _max_desired_young_length, "Min and max young size differ");
+    _young_list_fixed_length = _min_desired_young_length;
   }
   _free_regions_at_end_of_collection = _g1->free_regions();
   update_young_list_target_length();
@@ -976,6 +973,7 @@
     _par_last_termination_attempts[i] = -1234.0;
     _par_last_gc_worker_end_times_ms[i] = -1234.0;
     _par_last_gc_worker_times_ms[i] = -1234.0;
+    _par_last_gc_worker_other_times_ms[i] = -1234.0;
   }
 #endif
 
@@ -984,8 +982,10 @@
     _cur_aux_times_set[i] = false;
   }
 
-  _satb_drain_time_set = false;
-  _last_satb_drain_processed_buffers = -1;
+  // These are initialized to zero here and they are set during
+  // the evacuation pause if marking is in progress.
+  _cur_satb_drain_time_ms = 0.0;
+  _last_satb_drain_processed_buffers = 0;
 
   _last_young_gc_full = false;
 
@@ -1097,61 +1097,65 @@
     (int)total, (int)avg, (int)min, (int)max, (int)max - (int)min);
 }
 
-void G1CollectorPolicy::print_stats (int level,
-                                     const char* str,
-                                     double value) {
+void G1CollectorPolicy::print_stats(int level,
+                                    const char* str,
+                                    double value) {
   LineBuffer(level).append_and_print_cr("[%s: %5.1lf ms]", str, value);
 }
 
-void G1CollectorPolicy::print_stats (int level,
-                                     const char* str,
-                                     int value) {
+void G1CollectorPolicy::print_stats(int level,
+                                    const char* str,
+                                    int value) {
   LineBuffer(level).append_and_print_cr("[%s: %d]", str, value);
 }
 
-double G1CollectorPolicy::avg_value (double* data) {
+double G1CollectorPolicy::avg_value(double* data) {
   if (G1CollectedHeap::use_parallel_gc_threads()) {
     double ret = 0.0;
-    for (uint i = 0; i < ParallelGCThreads; ++i)
+    for (uint i = 0; i < ParallelGCThreads; ++i) {
       ret += data[i];
+    }
     return ret / (double) ParallelGCThreads;
   } else {
     return data[0];
   }
 }
 
-double G1CollectorPolicy::max_value (double* data) {
+double G1CollectorPolicy::max_value(double* data) {
   if (G1CollectedHeap::use_parallel_gc_threads()) {
     double ret = data[0];
-    for (uint i = 1; i < ParallelGCThreads; ++i)
-      if (data[i] > ret)
+    for (uint i = 1; i < ParallelGCThreads; ++i) {
+      if (data[i] > ret) {
         ret = data[i];
+      }
+    }
     return ret;
   } else {
     return data[0];
   }
 }
 
-double G1CollectorPolicy::sum_of_values (double* data) {
+double G1CollectorPolicy::sum_of_values(double* data) {
   if (G1CollectedHeap::use_parallel_gc_threads()) {
     double sum = 0.0;
-    for (uint i = 0; i < ParallelGCThreads; i++)
+    for (uint i = 0; i < ParallelGCThreads; i++) {
       sum += data[i];
+    }
     return sum;
   } else {
     return data[0];
   }
 }
 
-double G1CollectorPolicy::max_sum (double* data1,
-                                   double* data2) {
+double G1CollectorPolicy::max_sum(double* data1, double* data2) {
   double ret = data1[0] + data2[0];
 
   if (G1CollectedHeap::use_parallel_gc_threads()) {
     for (uint i = 1; i < ParallelGCThreads; ++i) {
       double data = data1[i] + data2[i];
-      if (data > ret)
+      if (data > ret) {
         ret = data;
+      }
     }
   }
   return ret;
@@ -1251,6 +1255,10 @@
 
   _n_pauses++;
 
+  // These values are used to update the summary information that is
+  // displayed when TraceGen0Time is enabled, and are output as part
+  // of the PrintGCDetails output, in the non-parallel case.
+
   double ext_root_scan_time = avg_value(_par_last_ext_root_scan_times_ms);
   double mark_stack_scan_time = avg_value(_par_last_mark_stack_scan_times_ms);
   double update_rs_time = avg_value(_par_last_update_rs_times_ms);
@@ -1260,42 +1268,68 @@
   double obj_copy_time = avg_value(_par_last_obj_copy_times_ms);
   double termination_time = avg_value(_par_last_termination_times_ms);
 
-  double parallel_known_time = update_rs_time +
-                               ext_root_scan_time +
-                               mark_stack_scan_time +
-                               scan_rs_time +
-                               obj_copy_time +
-                               termination_time;
-
-  double parallel_other_time = _cur_collection_par_time_ms - parallel_known_time;
-
-  PauseSummary* summary = _summary;
+  double known_time = ext_root_scan_time +
+                      mark_stack_scan_time +
+                      update_rs_time +
+                      scan_rs_time +
+                      obj_copy_time;
+
+  double other_time_ms = elapsed_ms;
+
+  // Subtract the SATB drain time. It's initialized to zero at the
+  // start of the pause and is updated during the pause if marking
+  // is in progress.
+  other_time_ms -= _cur_satb_drain_time_ms;
+
+  if (parallel) {
+    other_time_ms -= _cur_collection_par_time_ms;
+  } else {
+    other_time_ms -= known_time;
+  }
+
+  // Subtract the time taken to clean the card table from the
+  // current value of "other time"
+  other_time_ms -= _cur_clear_ct_time_ms;
+
+  // TraceGen0Time and TraceGen1Time summary info updating.
+  _all_pause_times_ms->add(elapsed_ms);
 
   if (update_stats) {
     _recent_rs_scan_times_ms->add(scan_rs_time);
     _recent_pause_times_ms->add(elapsed_ms);
     _recent_rs_sizes->add(rs_size);
 
-    MainBodySummary* body_summary = summary->main_body_summary();
-    guarantee(body_summary != NULL, "should not be null!");
-
-    if (_satb_drain_time_set)
-      body_summary->record_satb_drain_time_ms(_cur_satb_drain_time_ms);
-    else
-      body_summary->record_satb_drain_time_ms(0.0);
+    _summary->record_total_time_ms(elapsed_ms);
+    _summary->record_other_time_ms(other_time_ms);
+
+    MainBodySummary* body_summary = _summary->main_body_summary();
+    assert(body_summary != NULL, "should not be null!");
+
+    // This will be non-zero iff marking is currently in progress (i.e.
+    // _g1->mark_in_progress() == true) and the currrent pause was not
+    // an initial mark pause. Since the body_summary items are NumberSeqs,
+    // however, they have to be consistent and updated in lock-step with
+    // each other. Therefore we unconditionally record the SATB drain
+    // time - even if it's zero.
+    body_summary->record_satb_drain_time_ms(_cur_satb_drain_time_ms);
 
     body_summary->record_ext_root_scan_time_ms(ext_root_scan_time);
     body_summary->record_mark_stack_scan_time_ms(mark_stack_scan_time);
     body_summary->record_update_rs_time_ms(update_rs_time);
     body_summary->record_scan_rs_time_ms(scan_rs_time);
     body_summary->record_obj_copy_time_ms(obj_copy_time);
+
     if (parallel) {
       body_summary->record_parallel_time_ms(_cur_collection_par_time_ms);
-      body_summary->record_clear_ct_time_ms(_cur_clear_ct_time_ms);
       body_summary->record_termination_time_ms(termination_time);
+
+      double parallel_known_time = known_time + termination_time;
+      double parallel_other_time = _cur_collection_par_time_ms - parallel_known_time;
       body_summary->record_parallel_other_time_ms(parallel_other_time);
     }
+
     body_summary->record_mark_closure_time_ms(_mark_closure_time_ms);
+    body_summary->record_clear_ct_time_ms(_cur_clear_ct_time_ms);
 
     // We exempt parallel collection from this check because Alloc Buffer
     // fragmentation can produce negative collections.  Same with evac
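Review bot: `guarantee(body_summary != NULL, ...)` is downgraded to `assert(...)` here, so a product build no longer stops before the `body_summary->record_*` calls that follow if `main_body_summary()` returns NULL. Other code in this file still treats that as a possible state (the summary printing tests `body_summary != NULL`), so I would keep the product-time check: `guarantee(body_summary != NULL, "should not be null!");`. The new comment a few lines below also has a typo, "currrent". The enclosing function starts and ends outside the hunk.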
@@ -1307,6 +1341,7 @@
            || _g1->evacuation_failed()
            || surviving_bytes <= _collection_set_bytes_used_before,
            "Or else negative collection!");
+
     _recent_CS_bytes_used_before->add(_collection_set_bytes_used_before);
     _recent_CS_bytes_surviving->add(surviving_bytes);
 
@@ -1357,6 +1392,13 @@
     }
   }
 
+  for (int i = 0; i < _aux_num; ++i) {
+    if (_cur_aux_times_set[i]) {
+      _all_aux_times_ms[i].add(_cur_aux_times_ms[i]);
+    }
+  }
+
+
   if (G1PolicyVerbose > 1) {
     gclog_or_tty->print_cr("   Recording collection pause(%d)", _n_pauses);
   }
@@ -1383,61 +1425,60 @@
                            recent_avg_pause_time_ratio() * 100.0);
   }
 
-  double other_time_ms = elapsed_ms;
-
-  if (_satb_drain_time_set) {
-    other_time_ms -= _cur_satb_drain_time_ms;
-  }
-
-  if (parallel) {
-    other_time_ms -= _cur_collection_par_time_ms + _cur_clear_ct_time_ms;
-  } else {
-    other_time_ms -=
-      update_rs_time +
-      ext_root_scan_time + mark_stack_scan_time +
-      scan_rs_time + obj_copy_time;
-  }
-
+  // PrintGCDetails output
   if (PrintGCDetails) {
+    bool print_marking_info =
+      _g1->mark_in_progress() && !last_pause_included_initial_mark;
+
     gclog_or_tty->print_cr("%s, %1.8lf secs]",
                            (last_pause_included_initial_mark) ? " (initial-mark)" : "",
                            elapsed_ms / 1000.0);
 
-    if (_satb_drain_time_set) {
+    if (print_marking_info) {
       print_stats(1, "SATB Drain Time", _cur_satb_drain_time_ms);
-    }
-    if (_last_satb_drain_processed_buffers >= 0) {
       print_stats(2, "Processed Buffers", _last_satb_drain_processed_buffers);
     }
+
     if (parallel) {
       print_stats(1, "Parallel Time", _cur_collection_par_time_ms);
-      print_par_stats(2, "GC Worker Start Time", _par_last_gc_worker_start_times_ms);
+      print_par_stats(2, "GC Worker Start", _par_last_gc_worker_start_times_ms);
+      print_par_stats(2, "Ext Root Scanning", _par_last_ext_root_scan_times_ms);
+      if (print_marking_info) {
+        print_par_stats(2, "Mark Stack Scanning", _par_last_mark_stack_scan_times_ms);
+      }
       print_par_stats(2, "Update RS", _par_last_update_rs_times_ms);
       print_par_sizes(3, "Processed Buffers", _par_last_update_rs_processed_buffers);
-      print_par_stats(2, "Ext Root Scanning", _par_last_ext_root_scan_times_ms);
-      print_par_stats(2, "Mark Stack Scanning", _par_last_mark_stack_scan_times_ms);
       print_par_stats(2, "Scan RS", _par_last_scan_rs_times_ms);
       print_par_stats(2, "Object Copy", _par_last_obj_copy_times_ms);
       print_par_stats(2, "Termination", _par_last_termination_times_ms);
       print_par_sizes(3, "Termination Attempts", _par_last_termination_attempts);
-      print_par_stats(2, "GC Worker End Time", _par_last_gc_worker_end_times_ms);
+      print_par_stats(2, "GC Worker End", _par_last_gc_worker_end_times_ms);
 
       for (int i = 0; i < _parallel_gc_threads; i++) {
         _par_last_gc_worker_times_ms[i] = _par_last_gc_worker_end_times_ms[i] - _par_last_gc_worker_start_times_ms[i];
+
+        double worker_known_time = _par_last_ext_root_scan_times_ms[i] +
+                                   _par_last_mark_stack_scan_times_ms[i] +
+                                   _par_last_update_rs_times_ms[i] +
+                                   _par_last_scan_rs_times_ms[i] +
+                                   _par_last_obj_copy_times_ms[i] +
+                                   _par_last_termination_times_ms[i];
+
+        _par_last_gc_worker_other_times_ms[i] = _cur_collection_par_time_ms - worker_known_time;
       }
-      print_par_stats(2, "GC Worker Times", _par_last_gc_worker_times_ms);
-
-      print_stats(2, "Parallel Other", parallel_other_time);
-      print_stats(1, "Clear CT", _cur_clear_ct_time_ms);
+      print_par_stats(2, "GC Worker", _par_last_gc_worker_times_ms);
+      print_par_stats(2, "GC Worker Other", _par_last_gc_worker_other_times_ms);
     } else {
+      print_stats(1, "Ext Root Scanning", ext_root_scan_time);
+      if (print_marking_info) {
+        print_stats(1, "Mark Stack Scanning", mark_stack_scan_time);
+      }
       print_stats(1, "Update RS", update_rs_time);
-      print_stats(2, "Processed Buffers",
-                  (int)update_rs_processed_buffers);
-      print_stats(1, "Ext Root Scanning", ext_root_scan_time);
-      print_stats(1, "Mark Stack Scanning", mark_stack_scan_time);
+      print_stats(2, "Processed Buffers", (int)update_rs_processed_buffers);
       print_stats(1, "Scan RS", scan_rs_time);
       print_stats(1, "Object Copying", obj_copy_time);
     }
+    print_stats(1, "Clear CT", _cur_clear_ct_time_ms);
 #ifndef PRODUCT
     print_stats(1, "Cur Clear CC", _cur_clear_cc_time_ms);
     print_stats(1, "Cum Clear CC", _cum_clear_cc_time_ms);
@@ -1461,16 +1502,6 @@
     }
   }
 
-  _all_pause_times_ms->add(elapsed_ms);
-  if (update_stats) {
-    summary->record_total_time_ms(elapsed_ms);
-    summary->record_other_time_ms(other_time_ms);
-  }
-  for (int i = 0; i < _aux_num; ++i)
-    if (_cur_aux_times_set[i]) {
-      _all_aux_times_ms[i].add(_cur_aux_times_ms[i]);
-    }
-
   // Update the efficiency-since-mark vars.
   double proc_ms = elapsed_ms * (double) _parallel_gc_threads;
   if (elapsed_ms < MIN_TIMER_GRANULARITY) {
@@ -2138,17 +2169,17 @@
   _g1->collection_set_iterate(&cs_closure);
 }
 
-void G1CollectorPolicy::print_summary (int level,
-                                       const char* str,
-                                       NumberSeq* seq) const {
+void G1CollectorPolicy::print_summary(int level,
+                                      const char* str,
+                                      NumberSeq* seq) const {
   double sum = seq->sum();
   LineBuffer(level + 1).append_and_print_cr("%-24s = %8.2lf s (avg = %8.2lf ms)",
                 str, sum / 1000.0, seq->avg());
 }
 
-void G1CollectorPolicy::print_summary_sd (int level,
-                                          const char* str,
-                                          NumberSeq* seq) const {
+void G1CollectorPolicy::print_summary_sd(int level,
+                                         const char* str,
+                                         NumberSeq* seq) const {
   print_summary(level, str, seq);
   LineBuffer(level + 6).append_and_print_cr("(num = %5d, std dev = %8.2lf ms, max = %8.2lf ms)",
                 seq->num(), seq->sd(), seq->maximum());
@@ -2211,20 +2242,18 @@
       print_summary(1, "SATB Drain", body_summary->get_satb_drain_seq());
       if (parallel) {
         print_summary(1, "Parallel Time", body_summary->get_parallel_seq());
+        print_summary(2, "Ext Root Scanning", body_summary->get_ext_root_scan_seq());
+        print_summary(2, "Mark Stack Scanning", body_summary->get_mark_stack_scan_seq());
         print_summary(2, "Update RS", body_summary->get_update_rs_seq());
-        print_summary(2, "Ext Root Scanning",
-                      body_summary->get_ext_root_scan_seq());
-        print_summary(2, "Mark Stack Scanning",
-                      body_summary->get_mark_stack_scan_seq());
         print_summary(2, "Scan RS", body_summary->get_scan_rs_seq());
         print_summary(2, "Object Copy", body_summary->get_obj_copy_seq());
         print_summary(2, "Termination", body_summary->get_termination_seq());
-        print_summary(2, "Other", body_summary->get_parallel_other_seq());
+        print_summary(2, "Parallel Other", body_summary->get_parallel_other_seq());
         {
           NumberSeq* other_parts[] = {
-            body_summary->get_update_rs_seq(),
             body_summary->get_ext_root_scan_seq(),
             body_summary->get_mark_stack_scan_seq(),
+            body_summary->get_update_rs_seq(),
             body_summary->get_scan_rs_seq(),
             body_summary->get_obj_copy_seq(),
             body_summary->get_termination_seq()
@@ -2234,18 +2263,16 @@
           check_other_times(2, body_summary->get_parallel_other_seq(),
                             &calc_other_times_ms);
         }
-        print_summary(1, "Mark Closure", body_summary->get_mark_closure_seq());
-        print_summary(1, "Clear CT", body_summary->get_clear_ct_seq());
       } else {
+        print_summary(1, "Ext Root Scanning", body_summary->get_ext_root_scan_seq());
+        print_summary(1, "Mark Stack Scanning", body_summary->get_mark_stack_scan_seq());
         print_summary(1, "Update RS", body_summary->get_update_rs_seq());
-        print_summary(1, "Ext Root Scanning",
-                      body_summary->get_ext_root_scan_seq());
-        print_summary(1, "Mark Stack Scanning",
-                      body_summary->get_mark_stack_scan_seq());
         print_summary(1, "Scan RS", body_summary->get_scan_rs_seq());
         print_summary(1, "Object Copy", body_summary->get_obj_copy_seq());
       }
     }
+    print_summary(1, "Mark Closure", body_summary->get_mark_closure_seq());
+    print_summary(1, "Clear CT", body_summary->get_clear_ct_seq());
     print_summary(1, "Other", summary->get_other_seq());
     {
       if (body_summary != NULL) {
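Review bot: The relocated `print_summary(1, "Mark Closure", ...)` and `print_summary(1, "Clear CT", ...)` calls dereference `body_summary` after the closing brace of the block that holds the parallel and non-parallel summaries. Judging by the indentation and by the `if (body_summary != NULL)` test two lines later, that block looks like the NULL guard on `body_summary` (its opening line is outside the hunk), in which case these two calls now run unguarded. If that reading is right, move them back above that brace, or wrap them: `if (body_summary != NULL) { print_summary(1, "Mark Closure", body_summary->get_mark_closure_seq()); print_summary(1, "Clear CT", body_summary->get_clear_ct_seq()); }`.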
--- a/hotspot/src/share/vm/gc_implementation/g1/g1CollectorPolicy.hpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1CollectorPolicy.hpp	Wed Jul 05 17:54:13 2017 +0200
@@ -74,7 +74,7 @@
     define_num_seq(termination) // parallel only
     define_num_seq(parallel_other) // parallel only
   define_num_seq(mark_closure)
-  define_num_seq(clear_ct)  // parallel only
+  define_num_seq(clear_ct)
 };
 
 class Summary: public PauseSummary,
@@ -115,7 +115,6 @@
   double _cur_collection_par_time_ms;
   double _cur_satb_drain_time_ms;
   double _cur_clear_ct_time_ms;
-  bool   _satb_drain_time_set;
   double _cur_ref_proc_time_ms;
   double _cur_ref_enq_time_ms;
 
@@ -176,6 +175,11 @@
   double* _par_last_gc_worker_end_times_ms;
   double* _par_last_gc_worker_times_ms;
 
+  // Each workers 'other' time i.e. the elapsed time of the parallel
+  // phase of the pause minus the sum of the individual sub-phase
+  // times for a given worker thread.
+  double* _par_last_gc_worker_other_times_ms;
+
   // indicates whether we are in full young or partially young GC mode
   bool _full_young_gcs;
 
@@ -892,11 +896,12 @@
   }
 
   void record_satb_drain_time(double ms) {
+    assert(_g1->mark_in_progress(), "shouldn't be here otherwise");
     _cur_satb_drain_time_ms = ms;
-    _satb_drain_time_set    = true;
   }
 
-  void record_satb_drain_processed_buffers (int processed_buffers) {
+  void record_satb_drain_processed_buffers(int processed_buffers) {
+    assert(_g1->mark_in_progress(), "shouldn't be here otherwise");
     _last_satb_drain_processed_buffers = processed_buffers;
   }
 
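Review bot: With `_satb_drain_time_set` removed, `record_satb_drain_time()` is the only writer of `_cur_satb_drain_time_ms` visible in this hunk, so a pause with no marking in progress would report the previous pause's value unless the field is reset somewhere outside the hunk. The two new asserts are compiled out of product builds, so they document the precondition without enforcing it there. I would state the precondition in a comment above the first recorder, e.g. `// Only valid while marking is in progress; confirm _cur_satb_drain_time_ms is reset at the start of each pause.` The assert message should also name the condition, e.g. `"SATB drain time recorded while marking is not in progress"` rather than `"shouldn't be here otherwise"`.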
--- a/hotspot/src/share/vm/gc_implementation/g1/g1RemSet.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/g1RemSet.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -122,10 +122,10 @@
   void set_try_claimed() { _try_claimed = true; }
 
   void scanCard(size_t index, HeapRegion *r) {
-    DirtyCardToOopClosure* cl =
-      r->new_dcto_closure(_oc,
-                         CardTableModRefBS::Precise,
-                         HeapRegionDCTOC::IntoCSFilterKind);
+    // Stack allocate the DirtyCardToOopClosure instance
+    HeapRegionDCTOC cl(_g1h, r, _oc,
+                       CardTableModRefBS::Precise,
+                       HeapRegionDCTOC::IntoCSFilterKind);
 
     // Set the "from" region in the closure.
     _oc->set_region(r);
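Review bot: The new comment `// Stack allocate the DirtyCardToOopClosure instance` restates the declaration without giving the reason. The removed `new_dcto_closure()` did `new HeapRegionDCTOC(...)` for every scanned card, and neither hunk of `scanCard` shows a matching release. A why-comment would help, e.g. `// Stack-allocated: the closure is only needed for this one card, so avoid a heap allocation per card.` The constructor now receives `_g1h` where the removed helper passed `G1CollectedHeap::heap()`; presumably these are the same heap, but `_g1h` is initialised outside the hunk. The matching `cl.do_MemRegion(mr)` change is in the next hunk.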
@@ -140,7 +140,7 @@
       // scans (the rsets of the regions in the cset can intersect).
       _ct_bs->set_card_claimed(index);
       _cards_done++;
-      cl->do_MemRegion(mr);
+      cl.do_MemRegion(mr);
     }
   }
 
--- a/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -340,14 +340,6 @@
   init_top_at_mark_start();
 }
 
-DirtyCardToOopClosure*
-HeapRegion::new_dcto_closure(OopClosure* cl,
-                             CardTableModRefBS::PrecisionStyle precision,
-                             HeapRegionDCTOC::FilterKind fk) {
-  return new HeapRegionDCTOC(G1CollectedHeap::heap(),
-                             this, cl, precision, fk);
-}
-
 void HeapRegion::hr_clear(bool par, bool clear_space) {
   assert(_humongous_type == NotHumongous,
          "we should have already filtered out humongous regions");
--- a/hotspot/src/share/vm/gc_implementation/g1/heapRegion.hpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/heapRegion.hpp	Wed Jul 05 17:54:13 2017 +0200
@@ -431,6 +431,14 @@
     return _humongous_start_region;
   }
 
+  // Same as Space::is_in_reserved, but will use the original size of the region.
+  // The original size is different only for start humongous regions. They get
+  // their _end set up to be the end of the last continues region of the
+  // corresponding humongous object.
+  bool is_in_reserved_raw(const void* p) const {
+    return _bottom <= p && p < _orig_end;
+  }
+
   // Makes the current region be a "starts humongous" region, i.e.,
   // the first region in a series of one or more contiguous regions
   // that will contain a single "humongous" object. The two parameters
@@ -569,11 +577,6 @@
   // allocated in the current region before the last call to "save_mark".
   void oop_before_save_marks_iterate(OopClosure* cl);
 
-  DirtyCardToOopClosure*
-  new_dcto_closure(OopClosure* cl,
-                   CardTableModRefBS::PrecisionStyle precision,
-                   HeapRegionDCTOC::FilterKind fk);
-
   // Note the start or end of marking. This tells the heap region
   // that the collector is about to start or has finished (concurrently)
   // marking the heap.
--- a/hotspot/src/share/vm/gc_implementation/g1/heapRegionRemSet.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/heapRegionRemSet.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -143,7 +143,11 @@
     // If the test below fails, then this table was reused concurrently
     // with this operation.  This is OK, since the old table was coarsened,
     // and adding a bit to the new table is never incorrect.
-    if (loc_hr->is_in_reserved(from)) {
+    // If the table used to belong to a continues humongous region and is
+    // now reused for the corresponding start humongous region, we need to
+    // make sure that we detect this. Thus, we call is_in_reserved_raw()
+    // instead of just is_in_reserved() here.
+    if (loc_hr->is_in_reserved_raw(from)) {
       size_t hw_offset = pointer_delta((HeapWord*)from, loc_hr->bottom());
       CardIdx_t from_card = (CardIdx_t)
           hw_offset >> (CardTableModRefBS::card_shift - LogHeapWordSize);
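Review bot: The added comment explains when the table can be reused but not what goes wrong with the old check. Per the new `is_in_reserved_raw()` documentation, a starts-humongous region has its end moved to the end of the whole object, so `is_in_reserved()` would accept a `from` whose `hw_offset` and `from_card` lie beyond one region's card range. I would add that consequence, e.g. `// Otherwise from_card could index past this region's cards.` On the context line the cast binds before the shift, so `hw_offset` is converted to `CardIdx_t` first; if that type is narrower than `size_t`, this raw bound is what keeps the conversion lossless. The function continues outside the hunk, so whether `from_card` is range-checked before use cannot be seen here.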
--- a/hotspot/src/share/vm/gc_implementation/g1/vm_operations_g1.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/vm_operations_g1.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -23,6 +23,7 @@
  */
 
 #include "precompiled.hpp"
+#include "gc_implementation/g1/concurrentMarkThread.inline.hpp"
 #include "gc_implementation/g1/g1CollectedHeap.inline.hpp"
 #include "gc_implementation/g1/g1CollectorPolicy.hpp"
 #include "gc_implementation/g1/vm_operations_g1.hpp"
@@ -165,6 +166,20 @@
   }
 }
 
+void VM_CGC_Operation::acquire_pending_list_lock() {
+  // The caller may block while communicating
+  // with the SLT thread in order to acquire/release the PLL.
+  ConcurrentMarkThread::slt()->
+    manipulatePLL(SurrogateLockerThread::acquirePLL);
+}
+
+void VM_CGC_Operation::release_and_notify_pending_list_lock() {
+  // The caller may block while communicating
+  // with the SLT thread in order to acquire/release the PLL.
+  ConcurrentMarkThread::slt()->
+    manipulatePLL(SurrogateLockerThread::releaseAndNotifyPLL);
+}
+
 void VM_CGC_Operation::doit() {
   gclog_or_tty->date_stamp(PrintGC && PrintGCDateStamps);
   TraceCPUTime tcpu(PrintGCDetails, true, gclog_or_tty);
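Review bot: Both new helpers dereference the result of `ConcurrentMarkThread::slt()` without checking it. A call made when the surrogate locker thread has not been created would be a null dereference; whether that can happen is not visible in this hunk. An assert in each helper would make the precondition explicit: `assert(ConcurrentMarkThread::slt() != NULL, "SLT not created");`. The two comment blocks are identical and describe the caller rather than the function, so one sentence per helper saying which lock operation is requested from the SLT would be more useful.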
@@ -180,12 +195,19 @@
 }
 
 bool VM_CGC_Operation::doit_prologue() {
+  // Note the relative order of the locks must match that in
+  // VM_GC_Operation::doit_prologue() or deadlocks can occur
+  acquire_pending_list_lock();
+
   Heap_lock->lock();
   SharedHeap::heap()->_thread_holds_heap_lock_for_gc = true;
   return true;
 }
 
 void VM_CGC_Operation::doit_epilogue() {
+  // Note the relative order of the unlocks must match that in
+  // VM_GC_Operation::doit_epilogue()
   SharedHeap::heap()->_thread_holds_heap_lock_for_gc = false;
   Heap_lock->unlock();
+  release_and_notify_pending_list_lock();
 }
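Review bot: `doit_prologue()` now takes the pending list lock for every `VM_CGC_Operation`, and `doit_epilogue()` always calls `release_and_notify_pending_list_lock()`, whether or not the operation touched the reference pending list. The class comment in vm_operations_g1.hpp names both remark and cleanup as users. If only one of them processes references (not visible here), the other pays for the SLT handshake and wakes waiters for nothing, and a flag set by the operation that needs the lock would avoid that. The lock-order requirement itself is carried only by the two comments. The `!Heap_lock->owned_by_self()` assert added in concurrentGCThread.cpp looks like the acquire-side check, and it is active in debug builds only.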
--- a/hotspot/src/share/vm/gc_implementation/g1/vm_operations_g1.hpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/g1/vm_operations_g1.hpp	Wed Jul 05 17:54:13 2017 +0200
@@ -93,11 +93,17 @@
   }
 };
 
-// Concurrent GC stop-the-world operations such as initial and final mark;
+// Concurrent GC stop-the-world operations such as remark and cleanup;
 // consider sharing these with CMS's counterparts.
 class VM_CGC_Operation: public VM_Operation {
   VoidClosure* _cl;
   const char* _printGCMessage;
+
+protected:
+  // java.lang.ref.Reference support
+  void acquire_pending_list_lock();
+  void release_and_notify_pending_list_lock();
+
 public:
   VM_CGC_Operation(VoidClosure* cl, const char *printGCMsg)
     : _cl(cl), _printGCMessage(printGCMsg) { }
--- a/hotspot/src/share/vm/gc_implementation/shared/concurrentGCThread.cpp	Thu Oct 27 13:54:37 2011 -0700
+++ b/hotspot/src/share/vm/gc_implementation/shared/concurrentGCThread.cpp	Wed Jul 05 17:54:13 2017 +0200
@@ -224,6 +224,8 @@
   MutexLockerEx x(&_monitor, Mutex::_no_safepoint_check_flag);
   assert(_buffer == empty, "Should be empty");
   assert(msg != empty, "empty message");
+  assert(!Heap_lock->owned_by_self(), "Heap_lock owned by requesting thread");
+
   _buffer = msg;
   while (_buffer != empty) {
     _monitor.notify();
--- a/jdk/.hgtags	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/.hgtags	Wed Jul 05 17:54:13 2017 +0200
@@ -132,3 +132,4 @@
 1c023bcd0c5a01ac07bc7eea728aafbb0d8991e9 jdk8-b08
 f1ec21b8142168ff40f3278d2f6b5fe4bd5f3b26 jdk8-b09
 4788745572ef2bde34924ef34e7e4d55ba07e979 jdk8-b10
+7ab0d613cd1a271a9763ffb894dc1f0a5b95a7e4 jdk8-b11
--- a/jdk/make/com/sun/security/auth/module/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/com/sun/security/auth/module/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -78,7 +78,3 @@
 #
 include $(BUILDDIR)/common/Library.gmk
 
-#
-# JVMDI implementation lives in the VM.
-#
-OTHER_LDLIBS = $(JVMLIB)
--- a/jdk/make/common/Defs.gmk	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/common/Defs.gmk	Wed Jul 05 17:54:13 2017 +0200
@@ -220,14 +220,30 @@
 JRE_NONEXIST_LOCALES = en en_US de_DE es_ES fr_FR it_IT ja_JP ko_KR sv_SE zh
 
 #
-# All libraries except libjava and libjvm itself link against libjvm and
-# libjava, the latter for its exported common utilities.  libjava only links
-# against libjvm.  Programs' makefiles take their own responsibility for
+# For now, most libraries except libjava and libjvm itself link against libjvm
+# and libjava, the latter for its exported common utilities. libjava only
+# links against libjvm. Programs' makefiles take their own responsibility for
 # adding other libs.
 #
+# The makefiles for these packages do not link against libjvm and libjava.
+# This list will eventually go away and each Programs' makefiles
+# will have to explicitly declare that they want to link to libjava/libjvm
+#
+NO_JAVALIB_PKGS = \
+		sun.security.mscapi \
+		sun.security.krb5 \
+		sun.security.pkcs11 \
+		sun.security.jgss \
+		sun.security.jgss.wrapper \
+		sun.security.ec \
+		sun.security.smartcardio \
+		com.sun.security.auth.module
+
 ifdef PACKAGE
 # put JAVALIB first, but do not lose any platform specific values....
-  LDLIBS_COMMON = $(JAVALIB)
+  ifeq (,$(findstring $(PACKAGE),$(NO_JAVALIB_PKGS)))
+    LDLIBS_COMMON = $(JAVALIB)
+  endif
 endif # PACKAGE
 
 #
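Review bot: `$(findstring $(PACKAGE),$(NO_JAVALIB_PKGS))` is a substring test, not a list-membership test. Any `PACKAGE` value that is a fragment of a listed entry, for example `sun.security`, would match and silently lose `$(JAVALIB)` from `LDLIBS_COMMON`. `filter` compares whole words and expresses the intent: `ifeq (,$(filter $(PACKAGE),$(NO_JAVALIB_PKGS)))`.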
--- a/jdk/make/common/Library.gmk	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/common/Library.gmk	Wed Jul 05 17:54:13 2017 +0200
@@ -165,7 +165,7 @@
 	$(LINK) -dll -out:$(OBJDIR)/$(@F) \
 	  -map:$(OBJDIR)/$(LIBRARY).map \
 	  $(LFLAGS) @$(OBJDIR)/$(LIBRARY).lcf \
-	  $(OTHER_LCF) $(JAVALIB) $(LDLIBS)
+	  $(OTHER_LCF) $(LDLIBS)
 	$(CP) $(OBJDIR)/$(@F) $@
 	@$(call binary_file_verification,$@)
 	$(CP) $(OBJDIR)/$(LIBRARY).map $(@D)
--- a/jdk/make/java/java/mapfile-vers	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/java/java/mapfile-vers	Wed Jul 05 17:54:13 2017 +0200
@@ -90,7 +90,6 @@
 		Java_java_io_FileSystem_getFileSystem;
 		Java_java_io_ObjectInputStream_bytesToDoubles;
 		Java_java_io_ObjectInputStream_bytesToFloats;
-		Java_java_io_ObjectInputStream_latestUserDefinedLoader;
 		Java_java_io_ObjectOutputStream_doublesToBytes;
 		Java_java_io_ObjectOutputStream_floatsToBytes;
 		Java_java_io_ObjectStreamClass_hasStaticInitializer;
@@ -275,6 +274,7 @@
                 Java_sun_misc_Version_getJvmVersionInfo;
                 Java_sun_misc_Version_getJvmSpecialVersion;
                 Java_sun_misc_VM_getThreadStateValues;
+		Java_sun_misc_VM_latestUserDefinedLoader;
                 Java_sun_misc_VM_initialize;
 		Java_sun_misc_VMSupport_initAgentProperties;
 
--- a/jdk/make/sun/javazic/tzdata/VERSION	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/VERSION	Wed Jul 05 17:54:13 2017 +0200
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2011j
+tzdata2011l
--- a/jdk/make/sun/javazic/tzdata/asia	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/asia	Wed Jul 05 17:54:13 2017 +0200
@@ -2216,7 +2216,47 @@
 # http://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
 # </a>
 
+# From Steffen Thorsen (2011-08-26):
+# Gaza and the West Bank did go back to standard time in the beginning of
+# August, and will now enter daylight saving time again on 2011-08-30
+# 00:00 (so two periods of DST in 2011). The pause was because of
+# Ramadan.
+#
+# <a href="http://www.maannews.net/eng/ViewDetails.aspx?ID=416217">
+# http://www.maannews.net/eng/ViewDetails.aspx?ID=416217
+# </a>
+# Additional info:
+# <a href="http://www.timeanddate.com/news/time/palestine-dst-2011.html">
+# http://www.timeanddate.com/news/time/palestine-dst-2011.html
+# </a>
+
+# From Alexander Krivenyshev (2011-08-27):
+# According to the article in The Jerusalem Post:
+# "...Earlier this month, the Palestinian government in the West Bank decided to
+# move to standard time for 30 days, during Ramadan. The Palestinians in the
+# Gaza Strip accepted the change and also moved their clocks one hour back.
+# The Hamas government said on Saturday that it won't observe summertime after
+# the Muslim feast of Id al-Fitr, which begins on Tuesday..."
+# ...
+# <a href="http://www.jpost.com/MiddleEast/Article.aspx?id=235650">
+# http://www.jpost.com/MiddleEast/Article.aspx?id=235650
+# </a>
+# or
+# <a href="http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html">
+# http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html
+# </a>
 # The rules for Egypt are stolen from the `africa' file.
+
+# From Steffen Thorsen (2011-09-30):
+# West Bank did end Daylight Saving Time this morning/midnight (2011-09-30 
+# 00:00).
+# So West Bank and Gaza now have the same time again.
+#
+# Many sources, including:
+# <a href="http://www.maannews.net/eng/ViewDetails.aspx?ID=424808">
+# http://www.maannews.net/eng/ViewDetails.aspx?ID=424808
+# </a>
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
 Rule EgyptAsia	1957	1958	-	Oct	 1	0:00	0	-
@@ -2232,19 +2272,37 @@
 Rule Palestine	2006	2008	-	Apr	 1	0:00	1:00	S
 Rule Palestine	2006	only	-	Sep	22	0:00	0	-
 Rule Palestine	2007	only	-	Sep	Thu>=8	2:00	0	-
-Rule Palestine	2008	only	-	Aug	lastFri	2:00	0	-
+Rule Palestine	2008	only	-	Aug	lastFri	0:00	0	-
 Rule Palestine	2009	only	-	Mar	lastFri	0:00	1:00	S
-Rule Palestine	2010	max	-	Mar	lastSat	0:01	1:00	S
-Rule Palestine	2009	max	-	Sep	Fri>=1	2:00	0	-
+Rule Palestine	2009	only	-	Sep	Fri>=1	2:00	0	-
+Rule Palestine	2010	only	-	Mar	lastSat	0:01	1:00	S
 Rule Palestine	2010	only	-	Aug	11	0:00	0	-
 
+# From Arthur David Olson (2011-09-20):
+# 2011 transitions per http://www.timeanddate.com as of 2011-09-20.
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
 			2:00	Zion	EET	1948 May 15
 			2:00 EgyptAsia	EE%sT	1967 Jun  5
 			2:00	Zion	I%sT	1996
 			2:00	Jordan	EE%sT	1999
-			2:00 Palestine	EE%sT
+			2:00 Palestine	EE%sT	2011 Apr  2 12:01
+			2:00	1:00	EEST	2011 Aug  1
+			2:00	-	EET
+
+Zone	Asia/Hebron	2:20:23	-	LMT	1900 Oct
+			2:00	Zion	EET	1948 May 15
+			2:00 EgyptAsia	EE%sT	1967 Jun  5
+			2:00	Zion	I%sT	1996
+			2:00	Jordan	EE%sT	1999
+			2:00 Palestine	EE%sT	2008 Aug
+			2:00 	1:00	EEST	2008 Sep
+			2:00 Palestine	EE%sT	2011 Apr  1 12:01
+			2:00	1:00	EEST	2011 Aug  1
+			2:00	-	EET	2011 Aug 30
+			2:00	1:00	EEST	2011 Sep 30 3:00
+			2:00	-	EET
 
 # Paracel Is
 # no information
--- a/jdk/make/sun/javazic/tzdata/australasia	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/australasia	Wed Jul 05 17:54:13 2017 +0200
@@ -318,6 +318,18 @@
 # http://www.worldtimezone.com/dst_news/dst_news_fiji04.html
 # </a>
 
+# From Steffen Thorsen (2011-10-03):
+# Now the dates have been confirmed, and at least our start date 
+# assumption was correct (end date was one week wrong).
+#
+# <a href="http://www.fiji.gov.fj/index.php?option=com_content&view=article&id=4966:daylight-saving-starts-in-fiji&catid=71:press-releases&Itemid=155">
+# www.fiji.gov.fj/index.php?option=com_content&view=article&id=4966:daylight-saving-starts-in-fiji&catid=71:press-releases&Itemid=155
+# </a>
+# which says
+# Members of the public are reminded to change their time to one hour in 
+# advance at 2am to 3am on October 23, 2011 and one hour back at 3am to 
+# 2am on February 26 next year.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Fiji	1998	1999	-	Nov	Sun>=1	2:00	1:00	S
 Rule	Fiji	1999	2000	-	Feb	lastSun	3:00	0	-
@@ -325,6 +337,8 @@
 Rule	Fiji	2010	only	-	Mar	lastSun	3:00	0	-
 Rule	Fiji	2010	only	-	Oct	24	2:00	1:00	S
 Rule	Fiji	2011	only	-	Mar	Sun>=1	3:00	0	-
+Rule	Fiji	2011	only	-	Oct	23	2:00	1:00	S
+Rule	Fiji	2012	only	-	Feb	26	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Fiji	11:53:40 -	LMT	1915 Oct 26	# Suva
 			12:00	Fiji	FJ%sT	# Fiji Time
--- a/jdk/make/sun/javazic/tzdata/europe	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/europe	Wed Jul 05 17:54:13 2017 +0200
@@ -583,9 +583,9 @@
 #
 Rule	Russia	1992	only	-	Mar	lastSat	 23:00	1:00	S
 Rule	Russia	1992	only	-	Sep	lastSat	 23:00	0	-
-Rule	Russia	1993	max	-	Mar	lastSun	 2:00s	1:00	S
+Rule	Russia	1993	2010	-	Mar	lastSun	 2:00s	1:00	S
 Rule	Russia	1993	1995	-	Sep	lastSun	 2:00s	0	-
-Rule	Russia	1996	max	-	Oct	lastSun	 2:00s	0	-
+Rule	Russia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 
 # From Alexander Krivenyshev (2011-06-14):
 # According to Kremlin press service, Russian President Dmitry Medvedev
@@ -605,7 +605,6 @@
 # From Arthur David Olson (2011-06-15):
 # Take "abolishing daylight saving time" to mean that time is now considered
 # to be standard.
-# At least for now, keep the "old" Russia rules for the benefit of Belarus.
 
 # These are for backward compatibility with older versions.
 
@@ -711,6 +710,23 @@
 			1:00	EU	CE%sT
 
 # Belarus
+# From Yauhen Kharuzhy (2011-09-16):
+# By latest Belarus government act Europe/Minsk timezone was changed to
+# GMT+3 without DST (was GMT+2 with DST).
+#
+# Sources (Russian language):
+# 1.
+# <a href="http://www.belta.by/ru/all_news/society/V-Belarusi-otmenjaetsja-perexod-na-sezonnoe-vremja_i_572952.html">
+# http://www.belta.by/ru/all_news/society/V-Belarusi-otmenjaetsja-perexod-na-sezonnoe-vremja_i_572952.html
+# </a>
+# 2.
+# <a href="http://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/">
+# http://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/
+# </a>
+# 3.
+# <a href="http://news.tut.by/society/250578.html">
+# http://news.tut.by/society/250578.html
+# </a>
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Minsk	1:50:16 -	LMT	1880
 			1:50	-	MMT	1924 May 2 # Minsk Mean Time
@@ -722,7 +738,8 @@
 			2:00	1:00	EEST	1991 Sep 29 2:00s
 			2:00	-	EET	1992 Mar 29 0:00s
 			2:00	1:00	EEST	1992 Sep 27 0:00s
-			2:00	Russia	EE%sT
+			2:00	Russia	EE%sT	2011 Mar 27 2:00s
+			3:00	-	FET # Further-eastern European Time
 
 # Belgium
 #
@@ -2056,7 +2073,7 @@
 			 2:00	Poland	CE%sT	1946
 			 3:00	Russia	MSK/MSD	1991 Mar 31 2:00s
 			 2:00	Russia	EE%sT	2011 Mar 27 2:00s
-			 3:00	-	KALT
+			 3:00	-	FET # Further-eastern European Time
 #
 # From Oscar van Vlijmen (2001-08-25): [This region consists of]
 # Respublika Adygeya, Arkhangel'skaya oblast',
@@ -2211,7 +2228,7 @@
 # [parts of] Respublika Sakha (Yakutiya), Chitinskaya oblast'.
 
 # From Oscar van Vlijmen (2009-11-29):
-# ...some regions of RUssia were merged with others since 2005...
+# ...some regions of [Russia] were merged with others since 2005...
 # Some names were changed, no big deal, except for one instance: a new name.
 # YAK/YAKST: UTC+9 Zabajkal'skij kraj.
 
@@ -2635,6 +2652,28 @@
 # of March at 3am the time is changing to 4am and each last Sunday of
 # October the time at 4am is changing to 3am"
 
+# From Alexander Krivenyshev (2011-09-20):
+# On September 20, 2011 the deputies of the Verkhovna Rada agreed to
+# abolish the transfer clock to winter time.
+#
+# Bill number 8330 of MP from the Party of Regions Oleg Nadoshi got
+# approval from 266 deputies.
+#
+# Ukraine abolishes transter back to the winter time (in Russian)
+# <a href="http://news.mail.ru/politics/6861560/">
+# http://news.mail.ru/politics/6861560/
+# </a>
+#
+# The Ukrainians will no longer change the clock (in Russian)
+# <a href="http://www.segodnya.ua/news/14290482.html">
+# http://www.segodnya.ua/news/14290482.html
+# </a>
+#
+# Deputies cancelled the winter time (in Russian)
+# <a href="http://www.pravda.com.ua/rus/news/2011/09/20/6600616/">
+# http://www.pravda.com.ua/rus/news/2011/09/20/6600616/
+# </a>
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Most of Ukraine since 1970 has been like Kiev.
 # "Kyiv" is the transliteration of the Ukrainian name, but
@@ -2648,7 +2687,8 @@
 			3:00	-	MSK	1990 Jul  1 2:00
 			2:00	-	EET	1992
 			2:00	E-Eur	EE%sT	1995
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2011 Mar lastSun 1:00u
+			3:00	-	FET # Further-eastern European Time
 # Ruthenia used CET 1990/1991.
 # "Uzhhorod" is the transliteration of the Ukrainian name, but
 # "Uzhgorod" is more common in English.
@@ -2662,7 +2702,8 @@
 			1:00	-	CET	1991 Mar 31 3:00
 			2:00	-	EET	1992
 			2:00	E-Eur	EE%sT	1995
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2011 Mar lastSun 1:00u
+			3:00	-	FET # Further-eastern European Time
 # Zaporozh'ye and eastern Lugansk oblasts observed DST 1990/1991.
 # "Zaporizhia" is the transliteration of the Ukrainian name, but
 # "Zaporozh'ye" is more common in English.  Use the common English
@@ -2675,7 +2716,8 @@
 			1:00	C-Eur	CE%sT	1943 Oct 25
 			3:00	Russia	MSK/MSD	1991 Mar 31 2:00
 			2:00	E-Eur	EE%sT	1995
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2011 Mar lastSun 1:00u
+			3:00	-	FET # Further-eastern European Time
 # Central Crimea used Moscow time 1994/1997.
 Zone Europe/Simferopol	2:16:24 -	LMT	1880
 			2:16	-	SMT	1924 May  2 # Simferopol Mean T
@@ -2700,7 +2742,8 @@
 # Assume it happened in March by not changing the clocks.
 			3:00	Russia	MSK/MSD	1997
 			3:00	-	MSK	1997 Mar lastSun 1:00u
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2011 Mar lastSun 1:00u
+			3:00	-	FET # Further-eastern European Time
 
 ###############################################################################
 
--- a/jdk/make/sun/javazic/tzdata/northamerica	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/northamerica	Wed Jul 05 17:54:13 2017 +0200
@@ -505,7 +505,7 @@
 			 -8:00	US	P%sT	1983 Oct 30 2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Sitka	 -14:58:47 -	LMT	1867 Oct 18
+Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 18
 			 -9:01:13 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -1190,31 +1190,21 @@
 # INMS (2000-09-12) says that, since 1988 at least, Newfoundland switches
 # at 00:01 local time.  For now, assume it started in 1987.
 
-# From Michael Pelley (2011-08-05):
-# The Government of Newfoundland and Labrador has pending changes to
-# modify the hour for daylight savings time to come into effect in
-# November 2011. This modification would change the time from 12:01AM to
-# 2:00AM on the dates of the switches of Daylight Savings Time to/from
-# Standard Time.
-#
-# As a matter of reference, in Canada provinces have the authority of
-# setting time zone information. The legislation has passed our
-# legislative body (The House of Assembly) and is awaiting the
-# proclamation to come into effect. You may find this information at:
-# <a href="http://www.assembly.nl.ca/legislation/sr/lists/Proclamation.htm">
-# http://www.assembly.nl.ca/legislation/sr/lists/Proclamation.htm
-# </a>
-# and
-# search within that web page for Standard Time (Amendment) Act. The Act
-# may be found at:
-# <a href="http://www.assembly.nl.ca/business/bills/Bill1106.htm">
-# http://www.assembly.nl.ca/business/bills/Bill1106.htm
+# From Michael Pelley (2011-09-12):
+# We received today, Monday, September 12, 2011, notification that the
+# changes to the Newfoundland Standard Time Act have been proclaimed.
+# The change in the Act stipulates that the change from Daylight Savings
+# Time to Standard Time and from Standard Time to Daylight Savings Time
+# now occurs at 2:00AM.
+# ...
+# <a href="http://www.assembly.nl.ca/legislation/sr/annualstatutes/2011/1106.chp.htm">
+# http://www.assembly.nl.ca/legislation/sr/annualstatutes/2011/1106.chp.htm
 # </a>
 # ...
-# MICHAEL PELLEY | Manager of Enterprise Architecture - Solution Delivery
-# Office of the Chief Information Officer Executive Council Government of
-# Newfoundland & Labrador P.O. Box 8700, 40 Higgins Line, St. John's NL
-# A1B 4J6
+# MICHAEL PELLEY  |  Manager of Enterprise Architecture - Solution Delivery
+# Office of the Chief Information Officer
+# Executive Council
+# Government of Newfoundland & Labrador
 
 Rule	StJohns	1987	only	-	Apr	Sun>=1	0:01	1:00	D
 Rule	StJohns	1987	2006	-	Oct	lastSun	0:01	0	S
--- a/jdk/make/sun/javazic/tzdata/southamerica	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/southamerica	Wed Jul 05 17:54:13 2017 +0200
@@ -819,6 +819,26 @@
 # <a href="http://www.timeanddate.com/news/time/brazil-dst-2008-2009.html">
 # http://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
 # </a>
+#
+# From Alexander Krivenyshev (2011-10-04):
+# State Bahia will return to Daylight savings time this year after 8 years off.
+# The announcement was made by Governor Jaques Wagner in an interview to a 
+# television station in Salvador. 
+
+# In Portuguese:
+# <a href="http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahia.html">
+# http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahia.html
+# </a> and
+# <a href="http://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html">
+# http://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html
+# </a>
+
+# From Guilherme Bernardes Rodrigues (2011-10-07):
+# There is news in the media, however there is still no decree about it.
+# I just send a e-mail to Zulmira Brandão at
+# <a href="http://pcdsh01.on.br/">http://pcdsh01.on.br/</a> the
+# oficial agency about time in Brazil, and she confirmed that the old rule is
+# still in force.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 # Decree <a href="http://pcdsh01.on.br/HV20466.htm">20,466</a> (1931-10-01)
@@ -1057,6 +1077,9 @@
 Zone America/Bahia	-2:34:04 -	LMT	1914
 			-3:00	Brazil	BR%sT	2003 Sep 24
 			-3:00	-	BRT
+# as noted above, not yet in operation.
+#			-3:00	-	BRT	2011 Oct 16
+#			-3:00	Brazil	BR%sT
 #
 # Goias (GO), Distrito Federal (DF), Minas Gerais (MG),
 # Espirito Santo (ES), Rio de Janeiro (RJ), Sao Paulo (SP), Parana (PR),
--- a/jdk/make/sun/javazic/tzdata/zone.tab	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/javazic/tzdata/zone.tab	Wed Jul 05 17:54:13 2017 +0200
@@ -341,7 +341,8 @@
 PM	+4703-05620	America/Miquelon
 PN	-2504-13005	Pacific/Pitcairn
 PR	+182806-0660622	America/Puerto_Rico
-PS	+3130+03428	Asia/Gaza
+PS	+3130+03428	Asia/Gaza	Gaza Strip
+PS	+313200+0350542	Asia/Hebron	West Bank
 PT	+3843-00908	Europe/Lisbon	mainland
 PT	+3238-01654	Atlantic/Madeira	Madeira Islands
 PT	+3744-02540	Atlantic/Azores	Azores
--- a/jdk/make/sun/rmi/rmi/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/rmi/rmi/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -30,16 +30,9 @@
 BUILDDIR = ../../..
 PACKAGE = sun.rmi
 PRODUCT = sun
-LIBRARY = rmi
 include $(BUILDDIR)/common/Defs.gmk
 
 #
-# Add use of a mapfile
-#
-FILES_m = mapfile-vers
-include $(BUILDDIR)/common/Mapfile-vers.gmk
-
-#
 # Java files to compile.
 #
 AUTO_FILES_JAVA_DIRS = \
@@ -52,31 +45,9 @@
 	com/sun/rmi
 
 #
-# Native files to compile.
-#
-FILES_c = \
-	sun/rmi/server/MarshalInputStream.c
-
-#
-# Add ambient vpath to pick up files not part of sun.rmi package
-#
-vpath %.c $(SHARE_SRC)/native/sun/rmi/server
-
-#
-# Exported files that require generated .h 
-#
-FILES_export = \
-    sun/rmi/server/MarshalInputStream.java
-
-#
-# Link to JVM for JVM_LatestUserDefinedLoader
-#
-OTHER_LDLIBS = $(JVMLIB)
-
-#
 # Rules
 #
-include $(BUILDDIR)/common/Library.gmk
+include $(BUILDDIR)/common/Rules.gmk
 
 #
 # Full package names of implementations requiring stubs
--- a/jdk/make/sun/rmi/rmi/mapfile-vers	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.  Oracle designates this
-# particular file as subject to the "Classpath" exception as provided
-# by Oracle in the LICENSE file that accompanied this code.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# Define library interface.
-
-SUNWprivate_1.1 {
-	global:
-	    Java_sun_rmi_server_MarshalInputStream_latestUserDefinedLoader;
-	local:
-	    *;
-};
--- a/jdk/make/sun/security/ec/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/ec/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -192,10 +192,8 @@
   #
   # Libraries to link
   #
-  ifeq ($(PLATFORM), windows)
-    OTHER_LDLIBS += $(JVMLIB)
-  else
-    OTHER_LDLIBS = -ldl $(JVMLIB) $(LIBCXX)
+  ifneq ($(PLATFORM), windows)
+    OTHER_LDLIBS = $(LIBCXX)
   endif
 
   include $(BUILDDIR)/common/Mapfile-vers.gmk
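Review bot: The non-Windows branch drops `-ldl` together with `$(JVMLIB)`, whereas the jgss/wrapper, pkcs11 and smartcardio Makefiles in this changeset keep `-ldl` and remove only `$(JVMLIB)`. The krb5 Makefile loses its whole `OTHER_LDLIBS` block in the same way. If the native code of either library calls `dlopen`/`dlsym` (not visible here), the link would depend on another library pulling in libdl. If the drop is intended, a comment such as `# no dl*() calls in this library, so -ldl is not needed` would keep it from being re-added. The enclosing conditional starts outside the hunk.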
--- a/jdk/make/sun/security/jgss/wrapper/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/jgss/wrapper/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -72,5 +72,6 @@
 # Libraries to link
 #
 ifneq ($(PLATFORM), windows)
-  OTHER_LDLIBS = -ldl $(JVMLIB)
+  OTHER_LDLIBS = -ldl
 endif
+
--- a/jdk/make/sun/security/krb5/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/krb5/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -69,15 +69,6 @@
 include $(BUILDDIR)/common/Classes.gmk
 endif # PLATFORM
 
-#
-# Libraries to link
-#
-ifeq ($(PLATFORM), windows)
-  OTHER_LDLIBS = $(JVMLIB)
-else
-  OTHER_LDLIBS = -ldl $(JVMLIB)
-endif
-
 build:
 ifeq ($(PLATFORM),windows)
 	$(call make-launcher, kinit, sun.security.krb5.internal.tools.Kinit, , )
--- a/jdk/make/sun/security/mscapi/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/mscapi/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -159,7 +159,7 @@
 # Libraries to link
 #
 ifeq ($(PLATFORM), windows)
-  OTHER_LDLIBS += $(JVMLIB) Crypt32.Lib
+  OTHER_LDLIBS += Crypt32.Lib
 endif
 
 #
--- a/jdk/make/sun/security/other/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/other/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -38,6 +38,7 @@
     sun/security/acl \
     sun/security/jca \
     sun/security/pkcs \
+    sun/security/pkcs10 \
     sun/security/pkcs12 \
     sun/security/provider \
     sun/security/rsa \
--- a/jdk/make/sun/security/pkcs11/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/pkcs11/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -159,10 +159,8 @@
 #
 # Libraries to link
 #
-ifeq ($(PLATFORM), windows)
-  OTHER_LDLIBS = $(JVMLIB)
-else
-  OTHER_LDLIBS = -ldl $(JVMLIB)
+ifneq ($(PLATFORM), windows)
+  OTHER_LDLIBS = -ldl
 endif
 
 # Other config files
--- a/jdk/make/sun/security/smartcardio/Makefile	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/make/sun/security/smartcardio/Makefile	Wed Jul 05 17:54:13 2017 +0200
@@ -73,8 +73,8 @@
 # Libraries to link
 #
 ifeq ($(PLATFORM), windows)
-  OTHER_LDLIBS = $(JVMLIB) winscard.lib
+  OTHER_LDLIBS = winscard.lib
 else
-  OTHER_LDLIBS = -ldl $(JVMLIB)
+  OTHER_LDLIBS = -ldl
   OTHER_CFLAGS = -D__sun_jdk
 endif
--- a/jdk/src/share/classes/java/io/ObjectInputStream.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/java/io/ObjectInputStream.java	Wed Jul 05 17:54:13 2017 +0200
@@ -2025,8 +2025,9 @@
      * This method should not be removed or its signature changed without
      * corresponding modifications to the above class.
      */
-    // REMIND: change name to something more accurate?
-    private static native ClassLoader latestUserDefinedLoader();
+    private static ClassLoader latestUserDefinedLoader() {
+        return sun.misc.VM.latestUserDefinedLoader();
+    }
 
     /**
      * Default GetField implementation.
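Review bot: The Java wrapper that replaces the native `latestUserDefinedLoader()` puts extra frames on the stack that the native walk inspects, and the comment does not say why that is safe. The result presumably stays the same only because this class and `sun.misc.VM` are both defined by the null loader, so their frames are skipped. A short comment would record that assumption, for example `// delegates to sun.misc.VM; the added frames belong to the null loader and are skipped by the walk`. The same wrapper is added in the second hunk of sun/rmi/server/MarshalInputStream.java and deserves the same comment. The Javadoc for this method starts above the hunk.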
--- a/jdk/src/share/classes/java/util/Collections.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/java/util/Collections.java	Wed Jul 05 17:54:13 2017 +0200
@@ -2352,6 +2352,64 @@
     }
 
     /**
+     * Returns a dynamically typesafe view of the specified queue.
+     * Any attempt to insert an element of the wrong type will result in
+     * an immediate {@link ClassCastException}.  Assuming a queue contains
+     * no incorrectly typed elements prior to the time a dynamically typesafe
+     * view is generated, and that all subsequent access to the queue
+     * takes place through the view, it is <i>guaranteed</i> that the
+     * queue cannot contain an incorrectly typed element.
+     *
+     * <p>A discussion of the use of dynamically typesafe views may be
+     * found in the documentation for the {@link #checkedCollection
+     * checkedCollection} method.
+     *
+     * <p>The returned queue will be serializable if the specified queue
+     * is serializable.
+     *
+     * <p>Since {@code null} is considered to be a value of any reference
+     * type, the returned queue permits insertion of {@code null} elements
+     * whenever the backing queue does.
+     *
+     * @param queue the queue for which a dynamically typesafe view is to be
+     *             returned
+     * @param type the type of element that {@code queue} is permitted to hold
+     * @return a dynamically typesafe view of the specified queue
+     * @since 1.8
+     */
+    public static <E> Queue<E> checkedQueue(Queue<E> queue, Class<E> type) {
+        return new CheckedQueue<>(queue, type);
+    }
+
+    /**
+     * @serial include
+     */
+    static class CheckedQueue<E>
+        extends CheckedCollection<E>
+        implements Queue<E>, Serializable
+    {
+        private static final long serialVersionUID = 1433151992604707767L;
+        final Queue<E> queue;
+
+        CheckedQueue(Queue<E> queue, Class<E> elementType) {
+            super(queue, elementType);
+            this.queue = queue;
+        }
+
+        public E element()              {return queue.element();}
+        public boolean equals(Object o) {return o == this || c.equals(o);}
+        public int hashCode()           {return c.hashCode();}
+        public E peek()                 {return queue.peek();}
+        public E poll()                 {return queue.poll();}
+        public E remove()               {return queue.remove();}
+
+        public boolean offer(E e) {
+            typeCheck(e);
+            return add(e);
+        }
+    }
+
+    /**
      * Returns a dynamically typesafe view of the specified set.
      * Any attempt to insert an element of the wrong type will result in
      * an immediate {@link ClassCastException}.  Assuming a set contains
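Review bot: `CheckedQueue.offer` returns `add(e)` instead of delegating to the backing queue's `offer`, so the view does not keep the `Queue.offer` contract. `add` is inherited from `CheckedCollection`, which is not shown in this hunk, and presumably forwards to the backing collection's `add`. On a capacity-restricted queue that throws `IllegalStateException` where `offer` should return `false`, and it would also repeat the type check. Keeping the check and forwarding to the matching method fixes both: `typeCheck(e); return queue.offer(e);`.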
--- a/jdk/src/share/classes/sun/misc/VM.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/misc/VM.java	Wed Jul 05 17:54:13 2017 +0200
@@ -371,6 +371,12 @@
     private final static int JVMTI_THREAD_STATE_WAITING_INDEFINITELY = 0x0010;
     private final static int JVMTI_THREAD_STATE_WAITING_WITH_TIMEOUT = 0x0020;
 
+    /*
+     * Returns the first non-null class loader up the execution stack,
+     * or null if only code from the null class loader is on the stack.
+     */
+    public static native ClassLoader latestUserDefinedLoader();
+
     static {
         initialize();
     }
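Review bot: `latestUserDefinedLoader()` is added as a `public static native` method that returns a `ClassLoader` reference to any caller, and its comment does not say who may call it or that no permission check is made. Nothing in the hunk shows a `SecurityManager` check, so access control presumably rests on the package-access restriction for `sun.misc`; that dependency should be stated where the method is declared. I would turn the block into Javadoc (`/**`) and add a line such as `* No permission check is performed; callers must be trusted code and must not pass the returned loader to untrusted code.`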
--- a/jdk/src/share/classes/sun/rmi/server/MarshalInputStream.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/rmi/server/MarshalInputStream.java	Wed Jul 05 17:54:13 2017 +0200
@@ -110,14 +110,6 @@
     }
 
     /**
-     * Load the "rmi" native library.
-     */
-    static {
-        java.security.AccessController.doPrivileged(
-            new sun.security.action.LoadLibraryAction("rmi"));
-    }
-
-    /**
      * Create a new MarshalInputStream object.
      */
     public MarshalInputStream(InputStream in)
@@ -262,7 +254,9 @@
      * Returns the first non-null class loader up the execution stack, or null
      * if only code from the null class loader is on the stack.
      */
-    private static native ClassLoader latestUserDefinedLoader();
+    private static ClassLoader latestUserDefinedLoader() {
+        return sun.misc.VM.latestUserDefinedLoader();
+    }
 
     /**
      * Fix for 4179055: Need to assist resolving sun stubs; resolve
--- a/jdk/src/share/classes/sun/security/pkcs/EncodingException.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 1996, 2003, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/**
- * Generic PKCS Encoding exception.
- *
- * @author Benjamin Renaud
- */
-
-package sun.security.pkcs;
-
-public class EncodingException extends Exception {
-
-    private static final long serialVersionUID = 4060198374240668325L;
-
-    public EncodingException() {
-        super();
-    }
-
-    public EncodingException(String s) {
-        super(s);
-    }
-}
--- a/jdk/src/share/classes/sun/security/pkcs/PKCS10.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,353 +0,0 @@
-/*
- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.pkcs;
-
-import java.io.PrintStream;
-import java.io.IOException;
-import java.math.BigInteger;
-
-import java.security.cert.CertificateException;
-import java.security.NoSuchAlgorithmException;
-import java.security.InvalidKeyException;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.PublicKey;
-
-import sun.misc.BASE64Encoder;
-
-import sun.security.util.*;
-import sun.security.x509.AlgorithmId;
-import sun.security.x509.X509Key;
-import sun.security.x509.X500Name;
-
-/**
- * A PKCS #10 certificate request is created and sent to a Certificate
- * Authority, which then creates an X.509 certificate and returns it to
- * the entity that requested it. A certificate request basically consists
- * of the subject's X.500 name, public key, and optionally some attributes,
- * signed using the corresponding private key.
- *
- * The ASN.1 syntax for a Certification Request is:
- * <pre>
- * CertificationRequest ::= SEQUENCE {
- *    certificationRequestInfo CertificationRequestInfo,
- *    signatureAlgorithm       SignatureAlgorithmIdentifier,
- *    signature                Signature
- *  }
- *
- * SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
- * Signature ::= BIT STRING
- *
- * CertificationRequestInfo ::= SEQUENCE {
- *    version                 Version,
- *    subject                 Name,
- *    subjectPublicKeyInfo    SubjectPublicKeyInfo,
- *    attributes [0] IMPLICIT Attributes
- * }
- * Attributes ::= SET OF Attribute
- * </pre>
- *
- * @author David Brownell
- * @author Amit Kapoor
- * @author Hemma Prafullchandra
- */
-public class PKCS10 {
-    /**
-     * Constructs an unsigned PKCS #10 certificate request.  Before this
-     * request may be used, it must be encoded and signed.  Then it
-     * must be retrieved in some conventional format (e.g. string).
-     *
-     * @param publicKey the public key that should be placed
-     *          into the certificate generated by the CA.
-     */
-    public PKCS10(PublicKey publicKey) {
-        subjectPublicKeyInfo = publicKey;
-        attributeSet = new PKCS10Attributes();
-    }
-
-    /**
-     * Constructs an unsigned PKCS #10 certificate request.  Before this
-     * request may be used, it must be encoded and signed.  Then it
-     * must be retrieved in some conventional format (e.g. string).
-     *
-     * @param publicKey the public key that should be placed
-     *          into the certificate generated by the CA.
-     * @param attributes additonal set of PKCS10 attributes requested
-     *          for in the certificate.
-     */
-    public PKCS10(PublicKey publicKey, PKCS10Attributes attributes) {
-        subjectPublicKeyInfo = publicKey;
-        attributeSet = attributes;
-    }
-
-    /**
-     * Parses an encoded, signed PKCS #10 certificate request, verifying
-     * the request's signature as it does so.  This constructor would
-     * typically be used by a Certificate Authority, from which a new
-     * certificate would then be constructed.
-     *
-     * @param data the DER-encoded PKCS #10 request.
-     * @exception IOException for low level errors reading the data
-     * @exception SignatureException when the signature is invalid
-     * @exception NoSuchAlgorithmException when the signature
-     *  algorithm is not supported in this environment
-     */
-    public PKCS10(byte[] data)
-    throws IOException, SignatureException, NoSuchAlgorithmException {
-        DerInputStream  in;
-        DerValue[]      seq;
-        AlgorithmId     id;
-        byte[]          sigData;
-        Signature       sig;
-
-        encoded = data;
-
-        //
-        // Outer sequence:  request, signature algorithm, signature.
-        // Parse, and prepare to verify later.
-        //
-        in = new DerInputStream(data);
-        seq = in.getSequence(3);
-
-        if (seq.length != 3)
-            throw new IllegalArgumentException("not a PKCS #10 request");
-
-        data = seq[0].toByteArray();            // reusing this variable
-        id = AlgorithmId.parse(seq[1]);
-        sigData = seq[2].getBitString();
-
-        //
-        // Inner sequence:  version, name, key, attributes
-        //
-        BigInteger      serial;
-        DerValue        val;
-
-        serial = seq[0].data.getBigInteger();
-        if (!serial.equals(BigInteger.ZERO))
-            throw new IllegalArgumentException("not PKCS #10 v1");
-
-        subject = new X500Name(seq[0].data);
-        subjectPublicKeyInfo = X509Key.parse(seq[0].data.getDerValue());
-
-        // Cope with a somewhat common illegal PKCS #10 format
-        if (seq[0].data.available() != 0)
-            attributeSet = new PKCS10Attributes(seq[0].data);
-        else
-            attributeSet = new PKCS10Attributes();
-
-        if (seq[0].data.available() != 0)
-            throw new IllegalArgumentException("illegal PKCS #10 data");
-
-        //
-        // OK, we parsed it all ... validate the signature using the
-        // key and signature algorithm we found.
-        //
-        try {
-            sig = Signature.getInstance(id.getName());
-            sig.initVerify(subjectPublicKeyInfo);
-            sig.update(data);
-            if (!sig.verify(sigData))
-                throw new SignatureException("Invalid PKCS #10 signature");
-        } catch (InvalidKeyException e) {
-            throw new SignatureException("invalid key");
-        }
-    }
-
-    /**
-     * Create the signed certificate request.  This will later be
-     * retrieved in either string or binary format.
-     *
-     * @param subject identifies the signer (by X.500 name).
-     * @param signature private key and signing algorithm to use.
-     * @exception IOException on errors.
-     * @exception CertificateException on certificate handling errors.
-     * @exception SignatureException on signature handling errors.
-     */
-    public void encodeAndSign(X500Name subject, Signature signature)
-    throws CertificateException, IOException, SignatureException {
-        DerOutputStream out, scratch;
-        byte[]          certificateRequestInfo;
-        byte[]          sig;
-
-        if (encoded != null)
-            throw new SignatureException("request is already signed");
-
-        this.subject = subject;
-
-        /*
-         * Encode cert request info, wrap in a sequence for signing
-         */
-        scratch = new DerOutputStream();
-        scratch.putInteger(BigInteger.ZERO);            // PKCS #10 v1.0
-        subject.encode(scratch);                        // X.500 name
-        scratch.write(subjectPublicKeyInfo.getEncoded()); // public key
-        attributeSet.encode(scratch);
-
-        out = new DerOutputStream();
-        out.write(DerValue.tag_Sequence, scratch);      // wrap it!
-        certificateRequestInfo = out.toByteArray();
-        scratch = out;
-
-        /*
-         * Sign it ...
-         */
-        signature.update(certificateRequestInfo, 0,
-                certificateRequestInfo.length);
-        sig = signature.sign();
-
-        /*
-         * Build guts of SIGNED macro
-         */
-        AlgorithmId algId = null;
-        try {
-            algId = AlgorithmId.get(signature.getAlgorithm());
-        } catch (NoSuchAlgorithmException nsae) {
-            throw new SignatureException(nsae);
-        }
-        algId.encode(scratch);     // sig algorithm
-        scratch.putBitString(sig);                      // sig
-
-        /*
-         * Wrap those guts in a sequence
-         */
-        out = new DerOutputStream();
-        out.write(DerValue.tag_Sequence, scratch);
-        encoded = out.toByteArray();
-    }
-
-    /**
-     * Returns the subject's name.
-     */
-    public X500Name getSubjectName() { return subject; }
-
-    /**
-     * Returns the subject's public key.
-     */
-    public PublicKey getSubjectPublicKeyInfo()
-        { return subjectPublicKeyInfo; }
-
-    /**
-     * Returns the additional attributes requested.
-     */
-    public PKCS10Attributes getAttributes()
-        { return attributeSet; }
-
-    /**
-     * Returns the encoded and signed certificate request as a
-     * DER-encoded byte array.
-     *
-     * @return the certificate request, or null if encodeAndSign()
-     *          has not yet been called.
-     */
-    public byte[] getEncoded() {
-        if (encoded != null)
-            return encoded.clone();
-        else
-            return null;
-    }
-
-    /**
-     * Prints an E-Mailable version of the certificate request on the print
-     * stream passed.  The format is a common base64 encoded one, supported
-     * by most Certificate Authorities because Netscape web servers have
-     * used this for some time.  Some certificate authorities expect some
-     * more information, in particular contact information for the web
-     * server administrator.
-     *
-     * @param out the print stream where the certificate request
-     *  will be printed.
-     * @exception IOException when an output operation failed
-     * @exception SignatureException when the certificate request was
-     *  not yet signed.
-     */
-    public void print(PrintStream out)
-    throws IOException, SignatureException {
-        if (encoded == null)
-            throw new SignatureException("Cert request was not signed");
-
-        BASE64Encoder   encoder = new BASE64Encoder();
-
-        out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
-        encoder.encodeBuffer(encoded, out);
-        out.println("-----END NEW CERTIFICATE REQUEST-----");
-    }
-
-    /**
-     * Provides a short description of this request.
-     */
-    public String toString() {
-        return "[PKCS #10 certificate request:\n"
-            + subjectPublicKeyInfo.toString()
-            + " subject: <" + subject + ">" + "\n"
-            + " attributes: " + attributeSet.toString()
-            + "\n]";
-    }
-
-    /**
-     * Compares this object for equality with the specified
-     * object. If the <code>other</code> object is an
-     * <code>instanceof</code> <code>PKCS10</code>, then
-     * its encoded form is retrieved and compared with the
-     * encoded form of this certificate request.
-     *
-     * @param other the object to test for equality with this object.
-     * @return true iff the encoded forms of the two certificate
-     * requests match, false otherwise.
-     */
-    public boolean equals(Object other) {
-        if (this == other)
-            return true;
-        if (!(other instanceof PKCS10))
-            return false;
-        if (encoded == null) // not signed yet
-            return false;
-        byte[] otherEncoded = ((PKCS10)other).getEncoded();
-        if (otherEncoded == null)
-            return false;
-
-        return java.util.Arrays.equals(encoded, otherEncoded);
-    }
-
-    /**
-     * Returns a hashcode value for this certificate request from its
-     * encoded form.
-     *
-     * @return the hashcode value.
-     */
-    public int hashCode() {
-        int     retval = 0;
-        if (encoded != null)
-            for (int i = 1; i < encoded.length; i++)
-             retval += encoded[i] * i;
-        return(retval);
-    }
-
-    private X500Name            subject;
-    private PublicKey           subjectPublicKeyInfo;
-    private PKCS10Attributes    attributeSet;
-    private byte[]              encoded;        // signed
-}
--- a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attribute.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.pkcs;
-
-import java.io.OutputStream;
-import java.io.IOException;
-
-import sun.security.util.*;
-
-/**
- * Represent a PKCS#10 Attribute.
- *
- * <p>Attributes are additonal information which can be inserted in a PKCS#10
- * certificate request. For example a "Driving License Certificate" could have
- * the driving license number as an attribute.
- *
- * <p>Attributes are represented as a sequence of the attribute identifier
- * (Object Identifier) and a set of DER encoded attribute values.
- *
- * ASN.1 definition of Attribute:
- * <pre>
- * Attribute :: SEQUENCE {
- *    type    AttributeType,
- *    values  SET OF AttributeValue
- * }
- * AttributeType  ::= OBJECT IDENTIFIER
- * AttributeValue ::= ANY defined by type
- * </pre>
- *
- * @author Amit Kapoor
- * @author Hemma Prafullchandra
- */
-public class PKCS10Attribute implements DerEncoder {
-
-    protected ObjectIdentifier  attributeId = null;
-    protected Object            attributeValue = null;
-
-    /**
-     * Constructs an attribute from a DER encoding.
-     * This constructor expects the value to be encoded as defined above,
-     * i.e. a SEQUENCE of OID and SET OF value(s), not a literal
-     * X.509 v3 extension. Only PKCS9 defined attributes are supported
-     * currently.
-     *
-     * @param derVal the der encoded attribute.
-     * @exception IOException on parsing errors.
-     */
-    public PKCS10Attribute(DerValue derVal) throws IOException {
-        PKCS9Attribute attr = new PKCS9Attribute(derVal);
-        this.attributeId = attr.getOID();
-        this.attributeValue = attr.getValue();
-    }
-
-    /**
-     * Constructs an attribute from individual components of
-     * ObjectIdentifier and the value (any java object).
-     *
-     * @param attributeId the ObjectIdentifier of the attribute.
-     * @param attributeValue an instance of a class that implements
-     * the attribute identified by the ObjectIdentifier.
-     */
-    public PKCS10Attribute(ObjectIdentifier attributeId,
-                           Object attributeValue) {
-        this.attributeId = attributeId;
-        this.attributeValue = attributeValue;
-    }
-
-    /**
-     * Constructs an attribute from PKCS9 attribute.
-     *
-     * @param attr the PKCS9Attribute to create from.
-     */
-    public PKCS10Attribute(PKCS9Attribute attr) {
-        this.attributeId = attr.getOID();
-        this.attributeValue = attr.getValue();
-    }
-
-    /**
-     * DER encode this object onto an output stream.
-     * Implements the <code>DerEncoder</code> interface.
-     *
-     * @param out
-     * the OutputStream on which to write the DER encoding.
-     *
-     * @exception IOException on encoding errors.
-     */
-    public void derEncode(OutputStream out) throws IOException {
-        PKCS9Attribute attr = new PKCS9Attribute(attributeId, attributeValue);
-        attr.derEncode(out);
-    }
-
-    /**
-     * Returns the ObjectIdentifier of the attribute.
-     */
-    public ObjectIdentifier getAttributeId() {
-        return (attributeId);
-    }
-
-    /**
-     * Returns the attribute value.
-     */
-    public Object getAttributeValue() {
-        return (attributeValue);
-    }
-
-    /**
-     * Returns the attribute in user readable form.
-     */
-    public String toString() {
-        return (attributeValue.toString());
-    }
-}
--- a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attributes.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,219 +0,0 @@
-/*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.pkcs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.cert.CertificateException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.Hashtable;
-
-import sun.security.util.*;
-
-/**
- * This class defines the PKCS10 attributes for the request.
- * The ASN.1 syntax for this is:
- * <pre>
- * Attributes ::= SET OF Attribute
- * </pre>
- *
- * @author Amit Kapoor
- * @author Hemma Prafullchandra
- * @see PKCS10
- * @see PKCS10Attribute
- */
-public class PKCS10Attributes implements DerEncoder {
-
-    private Hashtable<String, PKCS10Attribute> map =
-                        new Hashtable<String, PKCS10Attribute>(3);
-
-    /**
-     * Default constructor for the PKCS10 attribute.
-     */
-    public PKCS10Attributes() { }
-
-    /**
-     * Create the object from the array of PKCS10Attribute objects.
-     *
-     * @param attrs the array of PKCS10Attribute objects.
-     */
-    public PKCS10Attributes(PKCS10Attribute[] attrs) {
-        for (int i = 0; i < attrs.length; i++) {
-            map.put(attrs[i].getAttributeId().toString(), attrs[i]);
-        }
-    }
-
-    /**
-     * Create the object, decoding the values from the passed DER stream.
-     * The DER stream contains the SET OF Attribute.
-     *
-     * @param in the DerInputStream to read the attributes from.
-     * @exception IOException on decoding errors.
-     */
-    public PKCS10Attributes(DerInputStream in) throws IOException {
-        DerValue[] attrs = in.getSet(3, true);
-
-        if (attrs == null)
-            throw new IOException("Illegal encoding of attributes");
-        for (int i = 0; i < attrs.length; i++) {
-            PKCS10Attribute attr = new PKCS10Attribute(attrs[i]);
-            map.put(attr.getAttributeId().toString(), attr);
-        }
-    }
-
-    /**
-     * Encode the attributes in DER form to the stream.
-     *
-     * @param out the OutputStream to marshal the contents to.
-     * @exception IOException on encoding errors.
-     */
-    public void encode(OutputStream out) throws IOException {
-        derEncode(out);
-    }
-
-    /**
-     * Encode the attributes in DER form to the stream.
-     * Implements the <code>DerEncoder</code> interface.
-     *
-     * @param out the OutputStream to marshal the contents to.
-     * @exception IOException on encoding errors.
-     */
-    public void derEncode(OutputStream out) throws IOException {
-        // first copy the elements into an array
-        Collection<PKCS10Attribute> allAttrs = map.values();
-        PKCS10Attribute[] attribs =
-                allAttrs.toArray(new PKCS10Attribute[map.size()]);
-
-        DerOutputStream attrOut = new DerOutputStream();
-        attrOut.putOrderedSetOf(DerValue.createTag(DerValue.TAG_CONTEXT,
-                                                   true, (byte)0),
-                                attribs);
-        out.write(attrOut.toByteArray());
-    }
-
-    /**
-     * Set the attribute value.
-     */
-    public void setAttribute(String name, Object obj) {
-        if (obj instanceof PKCS10Attribute) {
-            map.put(name, (PKCS10Attribute)obj);
-        }
-    }
-
-    /**
-     * Get the attribute value.
-     */
-    public Object getAttribute(String name) {
-        return map.get(name);
-    }
-
-    /**
-     * Delete the attribute value.
-     */
-    public void deleteAttribute(String name) {
-        map.remove(name);
-    }
-
-    /**
-     * Return an enumeration of names of attributes existing within this
-     * attribute.
-     */
-    public Enumeration<PKCS10Attribute> getElements() {
-        return (map.elements());
-    }
-
-    /**
-     * Return a Collection of attributes existing within this
-     * PKCS10Attributes object.
-     */
-    public Collection<PKCS10Attribute> getAttributes() {
-        return (Collections.unmodifiableCollection(map.values()));
-    }
-
-    /**
-     * Compares this PKCS10Attributes for equality with the specified
-     * object. If the <code>other</code> object is an
-     * <code>instanceof</code> <code>PKCS10Attributes</code>, then
-     * all the entries are compared with the entries from this.
-     *
-     * @param other the object to test for equality with this PKCS10Attributes.
-     * @return true if all the entries match that of the Other,
-     * false otherwise.
-     */
-    public boolean equals(Object other) {
-        if (this == other)
-            return true;
-        if (!(other instanceof PKCS10Attributes))
-            return false;
-
-        Collection<PKCS10Attribute> othersAttribs =
-                ((PKCS10Attributes)other).getAttributes();
-        PKCS10Attribute[] attrs =
-            othersAttribs.toArray(new PKCS10Attribute[othersAttribs.size()]);
-        int len = attrs.length;
-        if (len != map.size())
-            return false;
-        PKCS10Attribute thisAttr, otherAttr;
-        String key = null;
-        for (int i=0; i < len; i++) {
-            otherAttr = attrs[i];
-            key = otherAttr.getAttributeId().toString();
-
-            if (key == null)
-                return false;
-            thisAttr = map.get(key);
-            if (thisAttr == null)
-                return false;
-            if (! thisAttr.equals(otherAttr))
-                return false;
-        }
-        return true;
-    }
-
-    /**
-     * Returns a hashcode value for this PKCS10Attributes.
-     *
-     * @return the hashcode value.
-     */
-    public int hashCode() {
-        return map.hashCode();
-    }
-
-    /**
-     * Returns a string representation of this <tt>PKCS10Attributes</tt> object
-     * in the form of a set of entries, enclosed in braces and separated
-     * by the ASCII characters "<tt>,&nbsp;</tt>" (comma and space).
-     * <p>Overrides the <tt>toString</tt> method of <tt>Object</tt>.
-     *
-     * @return  a string representation of this PKCS10Attributes.
-     */
-    public String toString() {
-        String s = map.size() + "\n" + map.toString();
-        return s;
-    }
-}
--- a/jdk/src/share/classes/sun/security/pkcs/PKCS7.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs/PKCS7.java	Wed Jul 05 17:54:13 2017 +0200
@@ -27,6 +27,7 @@
 
 import java.io.*;
 import java.math.BigInteger;
+import java.net.URI;
 import java.util.*;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
@@ -35,6 +36,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.*;
 
+import sun.security.timestamp.*;
 import sun.security.util.*;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.CertificateIssuerName;
@@ -68,6 +70,30 @@
 
     private Principal[] certIssuerNames;
 
+    /*
+     * Random number generator for creating nonce values
+     */
+    private static final SecureRandom RANDOM;
+    static {
+        SecureRandom tmp = null;
+        try {
+            tmp = SecureRandom.getInstance("SHA1PRNG");
+        } catch (NoSuchAlgorithmException e) {
+            // should not happen
+        }
+        RANDOM = tmp;
+    }
+
+    /*
+     * Object identifier for the timestamping key purpose.
+     */
+    private static final String KP_TIMESTAMPING_OID = "1.3.6.1.5.5.7.3.8";
+
+    /*
+     * Object identifier for extendedKeyUsage extension
+     */
+    private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
+
     /**
      * Unmarshals a PKCS7 block from its encoded form, parsing the
      * encoded bytes from the InputStream.
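Review bot: The static initializer swallows `NoSuchAlgorithmException` and leaves `RANDOM` null, and the `if (RANDOM != null)` guard in `generateTimestampToken` (next hunk) then sends the request with no nonce, so the nonce comparison on the reply is skipped without any signal to the caller. A fallback in the catch block keeps a nonce in every request: `tmp = new SecureRandom();`. The `// should not happen` comment would then become `// fall back to the platform default generator`.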
@@ -733,4 +759,164 @@
     public boolean isOldStyle() {
         return this.oldStyle;
     }
+
+    /**
+     * Assembles a PKCS #7 signed data message that optionally includes a
+     * signature timestamp.
+     *
+     * @param signature the signature bytes
+     * @param signerChain the signer's X.509 certificate chain
+     * @param content the content that is signed; specify null to not include
+     *        it in the PKCS7 data
+     * @param signatureAlgorithm the name of the signature algorithm
+     * @param tsaURI the URI of the Timestamping Authority; or null if no
+     *         timestamp is requested
+     * @return the bytes of the encoded PKCS #7 signed data message
+     * @throws NoSuchAlgorithmException The exception is thrown if the signature
+     *         algorithm is unrecognised.
+     * @throws CertificateException The exception is thrown if an error occurs
+     *         while processing the signer's certificate or the TSA's
+     *         certificate.
+     * @throws IOException The exception is thrown if an error occurs while
+     *         generating the signature timestamp or while generating the signed
+     *         data message.
+     */
+    public static byte[] generateSignedData(byte[] signature,
+                                            X509Certificate[] signerChain,
+                                            byte[] content,
+                                            String signatureAlgorithm,
+                                            URI tsaURI)
+        throws CertificateException, IOException, NoSuchAlgorithmException
+    {
+
+        // Generate the timestamp token
+        PKCS9Attributes unauthAttrs = null;
+        if (tsaURI != null) {
+            // Timestamp the signature
+            HttpTimestamper tsa = new HttpTimestamper(tsaURI);
+            byte[] tsToken = generateTimestampToken(tsa, signature);
+
+            // Insert the timestamp token into the PKCS #7 signer info element
+            // (as an unsigned attribute)
+            unauthAttrs =
+                new PKCS9Attributes(new PKCS9Attribute[]{
+                    new PKCS9Attribute(
+                        PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_STR,
+                        tsToken)});
+        }
+
+        // Create the SignerInfo
+        X500Name issuerName =
+            X500Name.asX500Name(signerChain[0].getIssuerX500Principal());
+        BigInteger serialNumber = signerChain[0].getSerialNumber();
+        String encAlg = AlgorithmId.getEncAlgFromSigAlg(signatureAlgorithm);
+        String digAlg = AlgorithmId.getDigAlgFromSigAlg(signatureAlgorithm);
+        SignerInfo signerInfo = new SignerInfo(issuerName, serialNumber,
+                                               AlgorithmId.get(digAlg), null,
+                                               AlgorithmId.get(encAlg),
+                                               signature, unauthAttrs);
+
+        // Create the PKCS #7 signed data message
+        SignerInfo[] signerInfos = {signerInfo};
+        AlgorithmId[] algorithms = {signerInfo.getDigestAlgorithmId()};
+        // Include or exclude content
+        ContentInfo contentInfo = (content == null)
+            ? new ContentInfo(ContentInfo.DATA_OID, null)
+            : new ContentInfo(content);
+        PKCS7 pkcs7 = new PKCS7(algorithms, contentInfo,
+                                signerChain, signerInfos);
+        ByteArrayOutputStream p7out = new ByteArrayOutputStream();
+        pkcs7.encodeSignedData(p7out);
+
+        return p7out.toByteArray();
+    }
+
+    /**
+     * Requests, processes and validates a timestamp token from a TSA using
+     * common defaults. Uses the following defaults in the timestamp request:
+     * SHA-1 for the hash algorithm, a 64-bit nonce, and request certificate
+     * set to true.
+     *
+     * @param tsa the timestamping authority to use
+     * @param toBeTimestamped the token that is to be timestamped
+     * @return the encoded timestamp token
+     * @throws IOException The exception is thrown if an error occurs while
+     *                     communicating with the TSA.
+     * @throws CertificateException The exception is thrown if the TSA's
+     *                     certificate is not permitted for timestamping.
+     */
+    private static byte[] generateTimestampToken(Timestamper tsa,
+                                                 byte[] toBeTimestamped)
+        throws IOException, CertificateException
+    {
+        // Generate a timestamp
+        MessageDigest messageDigest = null;
+        TSRequest tsQuery = null;
+        try {
+            // SHA-1 is always used.
+            messageDigest = MessageDigest.getInstance("SHA-1");
+            tsQuery = new TSRequest(toBeTimestamped, messageDigest);
+        } catch (NoSuchAlgorithmException e) {
+            // ignore
+        }
+
+        // Generate a nonce
+        BigInteger nonce = null;
+        if (RANDOM != null) {
+            nonce = new BigInteger(64, RANDOM);
+            tsQuery.setNonce(nonce);
+        }
+        tsQuery.requestCertificate(true);
+
+        TSResponse tsReply = tsa.generateTimestamp(tsQuery);
+        int status = tsReply.getStatusCode();
+        // Handle TSP error
+        if (status != 0 && status != 1) {
+            throw new IOException("Error generating timestamp: " +
+                tsReply.getStatusCodeAsText() + " " +
+                tsReply.getFailureCodeAsText());
+        }
+        PKCS7 tsToken = tsReply.getToken();
+
+        TimestampToken tst = tsReply.getTimestampToken();
+        if (!tst.getHashAlgorithm().getName().equals("SHA")) {
+            throw new IOException("Digest algorithm not SHA-1 in "
+                                  + "timestamp token");
+        }
+        if (!MessageDigest.isEqual(tst.getHashedMessage(),
+                                   tsQuery.getHashedMessage())) {
+            throw new IOException("Digest octets changed in timestamp token");
+        }
+
+        BigInteger replyNonce = tst.getNonce();
+        if (replyNonce == null && nonce != null) {
+            throw new IOException("Nonce missing in timestamp token");
+        }
+        if (replyNonce != null && !replyNonce.equals(nonce)) {
+            throw new IOException("Nonce changed in timestamp token");
+        }
+
+        // Examine the TSA's certificate (if present)
+        for (SignerInfo si: tsToken.getSignerInfos()) {
+            X509Certificate cert = si.getCertificate(tsToken);
+            if (cert == null) {
+                // Error, we've already set tsRequestCertificate = true
+                throw new CertificateException(
+                "Certificate not included in timestamp token");
+            } else {
+                if (!cert.getCriticalExtensionOIDs().contains(
+                        EXTENDED_KEY_USAGE_OID)) {
+                    throw new CertificateException(
+                    "Certificate is not valid for timestamping");
+                }
+                List<String> keyPurposes = cert.getExtendedKeyUsage();
+                if (keyPurposes == null ||
+                        !keyPurposes.contains(KP_TIMESTAMPING_OID)) {
+                    throw new CertificateException(
+                    "Certificate is not valid for timestamping");
+                }
+            }
+        }
+        return tsReply.getEncodedToken();
+    }
 }
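Review bot: In `generateTimestampToken`, `cert.getCriticalExtensionOIDs()` returns null for a certificate that carries no extensions, so `.contains(EXTENDED_KEY_USAGE_OID)` throws `NullPointerException` instead of the intended `CertificateException`. Guard it with `Set<String> critical = cert.getCriticalExtensionOIDs();` and `if (critical == null || !critical.contains(EXTENDED_KEY_USAGE_OID)) {`. The same method dereferences `tsQuery` after a catch block that ignores `NoSuchAlgorithmException`, so a missing SHA-1 provider surfaces as a null dereference at `tsQuery.requestCertificate(true)`; rethrowing it as `IOException` in that catch would report the real cause. Separately, `generateSignedData` indexes `signerChain[0]` without checking for a null or empty chain.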
--- a/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java	Wed Jul 05 17:54:13 2017 +0200
@@ -28,10 +28,14 @@
 import java.io.OutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertPath;
 import java.security.cert.X509Certificate;
 import java.security.*;
 import java.util.ArrayList;
 
+import sun.security.timestamp.TimestampToken;
 import sun.security.util.*;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
@@ -51,6 +55,8 @@
     AlgorithmId digestAlgorithmId;
     AlgorithmId digestEncryptionAlgorithmId;
     byte[] encryptedDigest;
+    Timestamp timestamp;
+    private boolean hasTimestamp = true;
 
     PKCS9Attributes authenticatedAttributes;
     PKCS9Attributes unauthenticatedAttributes;
@@ -442,6 +448,62 @@
         return unauthenticatedAttributes;
     }
 
+    /*
+     * Extracts a timestamp from a PKCS7 SignerInfo.
+     *
+     * Examines the signer's unsigned attributes for a
+     * <tt>signatureTimestampToken</tt> attribute. If present,
+     * then it is parsed to extract the date and time at which the
+     * timestamp was generated.
+     *
+     * @param info A signer information element of a PKCS 7 block.
+     *
+     * @return A timestamp token or null if none is present.
+     * @throws IOException if an error is encountered while parsing the
+     *         PKCS7 data.
+     * @throws NoSuchAlgorithmException if an error is encountered while
+     *         verifying the PKCS7 object.
+     * @throws SignatureException if an error is encountered while
+     *         verifying the PKCS7 object.
+     * @throws CertificateException if an error is encountered while generating
+     *         the TSA's certpath.
+     */
+    public Timestamp getTimestamp()
+        throws IOException, NoSuchAlgorithmException, SignatureException,
+               CertificateException
+    {
+        if (timestamp != null || !hasTimestamp)
+            return timestamp;
+
+        if (unauthenticatedAttributes == null) {
+            hasTimestamp = false;
+            return null;
+        }
+        PKCS9Attribute tsTokenAttr =
+            unauthenticatedAttributes.getAttribute(
+                PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
+        if (tsTokenAttr == null) {
+            hasTimestamp = false;
+            return null;
+        }
+
+        PKCS7 tsToken = new PKCS7((byte[])tsTokenAttr.getValue());
+        // Extract the content (an encoded timestamp token info)
+        byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
+        // Extract the signer (the Timestamping Authority)
+        // while verifying the content
+        SignerInfo[] tsa = tsToken.verify(encTsTokenInfo);
+        // Expect only one signer
+        ArrayList<X509Certificate> chain = tsa[0].getCertificateChain(tsToken);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        CertPath tsaChain = cf.generateCertPath(chain);
+        // Create a timestamp token info object
+        TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
+        // Create a timestamp object
+        timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain);
+        return timestamp;
+    }
+
     public String toString() {
         HexDumpEncoder hexDump = new HexDumpEncoder();
 
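Review bot: `getTimestamp` verifies the token's own signature but never checks that the token was issued over this signer's signature bytes, even though the token sits in the unauthenticated attributes, which the signer's signature does not cover. As written, a validly signed token that was issued for different data would be accepted and its date returned. Comparing the token's hashed message with a digest of `encryptedDigest` before building the `Timestamp` closes that gap; this assumes `encryptedDigest` holds the bytes that `PKCS7.generateSignedData` passes to the TSA, which should be confirmed. It is also worth checking `tsa` for null or empty before `tsa[0]`, since `verify` is not visible in this hunk.

```java
        TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
        // Bind the token to this signature before trusting its date
        MessageDigest md = MessageDigest.getInstance(
            tsTokenInfo.getHashAlgorithm().getName());
        if (!MessageDigest.isEqual(tsTokenInfo.getHashedMessage(),
                                   md.digest(encryptedDigest))) {
            throw new SignatureException(
                "Timestamp token does not match this signature");
        }
        // … unchanged: timestamp = new Timestamp(...) and return …
```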
@@ -467,5 +529,4 @@
         }
         return out;
     }
-
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,353 @@
+/*
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+package sun.security.pkcs10;
+
+import java.io.PrintStream;
+import java.io.IOException;
+import java.math.BigInteger;
+
+import java.security.cert.CertificateException;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.PublicKey;
+
+import sun.misc.BASE64Encoder;
+
+import sun.security.util.*;
+import sun.security.x509.AlgorithmId;
+import sun.security.x509.X509Key;
+import sun.security.x509.X500Name;
+
+/**
+ * A PKCS #10 certificate request is created and sent to a Certificate
+ * Authority, which then creates an X.509 certificate and returns it to
+ * the entity that requested it. A certificate request basically consists
+ * of the subject's X.500 name, public key, and optionally some attributes,
+ * signed using the corresponding private key.
+ *
+ * The ASN.1 syntax for a Certification Request is:
+ * <pre>
+ * CertificationRequest ::= SEQUENCE {
+ *    certificationRequestInfo CertificationRequestInfo,
+ *    signatureAlgorithm       SignatureAlgorithmIdentifier,
+ *    signature                Signature
+ *  }
+ *
+ * SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
+ * Signature ::= BIT STRING
+ *
+ * CertificationRequestInfo ::= SEQUENCE {
+ *    version                 Version,
+ *    subject                 Name,
+ *    subjectPublicKeyInfo    SubjectPublicKeyInfo,
+ *    attributes [0] IMPLICIT Attributes
+ * }
+ * Attributes ::= SET OF Attribute
+ * </pre>
+ *
+ * @author David Brownell
+ * @author Amit Kapoor
+ * @author Hemma Prafullchandra
+ */
+public class PKCS10 {
+    /**
+     * Constructs an unsigned PKCS #10 certificate request.  Before this
+     * request may be used, it must be encoded and signed.  Then it
+     * must be retrieved in some conventional format (e.g. string).
+     *
+     * @param publicKey the public key that should be placed
+     *          into the certificate generated by the CA.
+     */
+    public PKCS10(PublicKey publicKey) {
+        subjectPublicKeyInfo = publicKey;
+        attributeSet = new PKCS10Attributes();
+    }
+
+    /**
+     * Constructs an unsigned PKCS #10 certificate request.  Before this
+     * request may be used, it must be encoded and signed.  Then it
+     * must be retrieved in some conventional format (e.g. string).
+     *
+     * @param publicKey the public key that should be placed
+     *          into the certificate generated by the CA.
+     * @param attributes additonal set of PKCS10 attributes requested
+     *          for in the certificate.
+     */
+    public PKCS10(PublicKey publicKey, PKCS10Attributes attributes) {
+        subjectPublicKeyInfo = publicKey;
+        attributeSet = attributes;
+    }
+
+    /**
+     * Parses an encoded, signed PKCS #10 certificate request, verifying
+     * the request's signature as it does so.  This constructor would
+     * typically be used by a Certificate Authority, from which a new
+     * certificate would then be constructed.
+     *
+     * @param data the DER-encoded PKCS #10 request.
+     * @exception IOException for low level errors reading the data
+     * @exception SignatureException when the signature is invalid
+     * @exception NoSuchAlgorithmException when the signature
+     *  algorithm is not supported in this environment
+     */
+    public PKCS10(byte[] data)
+    throws IOException, SignatureException, NoSuchAlgorithmException {
+        DerInputStream  in;
+        DerValue[]      seq;
+        AlgorithmId     id;
+        byte[]          sigData;
+        Signature       sig;
+
+        encoded = data;
+
+        //
+        // Outer sequence:  request, signature algorithm, signature.
+        // Parse, and prepare to verify later.
+        //
+        in = new DerInputStream(data);
+        seq = in.getSequence(3);
+
+        if (seq.length != 3)
+            throw new IllegalArgumentException("not a PKCS #10 request");
+
+        data = seq[0].toByteArray();            // reusing this variable
+        id = AlgorithmId.parse(seq[1]);
+        sigData = seq[2].getBitString();
+
+        //
+        // Inner sequence:  version, name, key, attributes
+        //
+        BigInteger      serial;
+        DerValue        val;
+
+        serial = seq[0].data.getBigInteger();
+        if (!serial.equals(BigInteger.ZERO))
+            throw new IllegalArgumentException("not PKCS #10 v1");
+
+        subject = new X500Name(seq[0].data);
+        subjectPublicKeyInfo = X509Key.parse(seq[0].data.getDerValue());
+
+        // Cope with a somewhat common illegal PKCS #10 format
+        if (seq[0].data.available() != 0)
+            attributeSet = new PKCS10Attributes(seq[0].data);
+        else
+            attributeSet = new PKCS10Attributes();
+
+        if (seq[0].data.available() != 0)
+            throw new IllegalArgumentException("illegal PKCS #10 data");
+
+        //
+        // OK, we parsed it all ... validate the signature using the
+        // key and signature algorithm we found.
+        //
+        try {
+            sig = Signature.getInstance(id.getName());
+            sig.initVerify(subjectPublicKeyInfo);
+            sig.update(data);
+            if (!sig.verify(sigData))
+                throw new SignatureException("Invalid PKCS #10 signature");
+        } catch (InvalidKeyException e) {
+            throw new SignatureException("invalid key");
+        }
+    }
+
+    /**
+     * Create the signed certificate request.  This will later be
+     * retrieved in either string or binary format.
+     *
+     * @param subject identifies the signer (by X.500 name).
+     * @param signature private key and signing algorithm to use.
+     * @exception IOException on errors.
+     * @exception CertificateException on certificate handling errors.
+     * @exception SignatureException on signature handling errors.
+     */
+    public void encodeAndSign(X500Name subject, Signature signature)
+    throws CertificateException, IOException, SignatureException {
+        DerOutputStream out, scratch;
+        byte[]          certificateRequestInfo;
+        byte[]          sig;
+
+        if (encoded != null)
+            throw new SignatureException("request is already signed");
+
+        this.subject = subject;
+
+        /*
+         * Encode cert request info, wrap in a sequence for signing
+         */
+        scratch = new DerOutputStream();
+        scratch.putInteger(BigInteger.ZERO);            // PKCS #10 v1.0
+        subject.encode(scratch);                        // X.500 name
+        scratch.write(subjectPublicKeyInfo.getEncoded()); // public key
+        attributeSet.encode(scratch);
+
+        out = new DerOutputStream();
+        out.write(DerValue.tag_Sequence, scratch);      // wrap it!
+        certificateRequestInfo = out.toByteArray();
+        scratch = out;
+
+        /*
+         * Sign it ...
+         */
+        signature.update(certificateRequestInfo, 0,
+                certificateRequestInfo.length);
+        sig = signature.sign();
+
+        /*
+         * Build guts of SIGNED macro
+         */
+        AlgorithmId algId = null;
+        try {
+            algId = AlgorithmId.get(signature.getAlgorithm());
+        } catch (NoSuchAlgorithmException nsae) {
+            throw new SignatureException(nsae);
+        }
+        algId.encode(scratch);     // sig algorithm
+        scratch.putBitString(sig);                      // sig
+
+        /*
+         * Wrap those guts in a sequence
+         */
+        out = new DerOutputStream();
+        out.write(DerValue.tag_Sequence, scratch);
+        encoded = out.toByteArray();
+    }
+
+    /**
+     * Returns the subject's name.
+     */
+    public X500Name getSubjectName() { return subject; }
+
+    /**
+     * Returns the subject's public key.
+     */
+    public PublicKey getSubjectPublicKeyInfo()
+        { return subjectPublicKeyInfo; }
+
+    /**
+     * Returns the additional attributes requested.
+     */
+    public PKCS10Attributes getAttributes()
+        { return attributeSet; }
+
+    /**
+     * Returns the encoded and signed certificate request as a
+     * DER-encoded byte array.
+     *
+     * @return the certificate request, or null if encodeAndSign()
+     *          has not yet been called.
+     */
+    public byte[] getEncoded() {
+        if (encoded != null)
+            return encoded.clone();
+        else
+            return null;
+    }
+
+    /**
+     * Prints an E-Mailable version of the certificate request on the print
+     * stream passed.  The format is a common base64 encoded one, supported
+     * by most Certificate Authorities because Netscape web servers have
+     * used this for some time.  Some certificate authorities expect some
+     * more information, in particular contact information for the web
+     * server administrator.
+     *
+     * @param out the print stream where the certificate request
+     *  will be printed.
+     * @exception IOException when an output operation failed
+     * @exception SignatureException when the certificate request was
+     *  not yet signed.
+     */
+    public void print(PrintStream out)
+    throws IOException, SignatureException {
+        if (encoded == null)
+            throw new SignatureException("Cert request was not signed");
+
+        BASE64Encoder   encoder = new BASE64Encoder();
+
+        out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
+        encoder.encodeBuffer(encoded, out);
+        out.println("-----END NEW CERTIFICATE REQUEST-----");
+    }
+
+    /**
+     * Provides a short description of this request.
+     */
+    public String toString() {
+        return "[PKCS #10 certificate request:\n"
+            + subjectPublicKeyInfo.toString()
+            + " subject: <" + subject + ">" + "\n"
+            + " attributes: " + attributeSet.toString()
+            + "\n]";
+    }
+
+    /**
+     * Compares this object for equality with the specified
+     * object. If the <code>other</code> object is an
+     * <code>instanceof</code> <code>PKCS10</code>, then
+     * its encoded form is retrieved and compared with the
+     * encoded form of this certificate request.
+     *
+     * @param other the object to test for equality with this object.
+     * @return true iff the encoded forms of the two certificate
+     * requests match, false otherwise.
+     */
+    public boolean equals(Object other) {
+        if (this == other)
+            return true;
+        if (!(other instanceof PKCS10))
+            return false;
+        if (encoded == null) // not signed yet
+            return false;
+        byte[] otherEncoded = ((PKCS10)other).getEncoded();
+        if (otherEncoded == null)
+            return false;
+
+        return java.util.Arrays.equals(encoded, otherEncoded);
+    }
+
+    /**
+     * Returns a hashcode value for this certificate request from its
+     * encoded form.
+     *
+     * @return the hashcode value.
+     */
+    public int hashCode() {
+        int     retval = 0;
+        if (encoded != null)
+            for (int i = 1; i < encoded.length; i++)
+             retval += encoded[i] * i;
+        return(retval);
+    }
+
+    private X500Name            subject;
+    private PublicKey           subjectPublicKeyInfo;
+    private PKCS10Attributes    attributeSet;
+    private byte[]              encoded;        // signed
+}
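Review bot: The parsing constructor `PKCS10(byte[] data)` keeps the caller's array with `encoded = data;`, while `getEncoded()` returns `encoded.clone()`, so a caller that holds on to the array can alter the stored request after its signature has been verified. Copy on the way in as well: `encoded = data.clone();`. In the same constructor the `InvalidKeyException` handler drops the cause; `throw new SignatureException("invalid key", e);` would preserve it. `hashCode()` starts its loop at `i = 1`, so the first byte never contributes; that is harmless for correctness but deserves a comment if it is intentional.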
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attribute.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs10;
+
+import java.io.OutputStream;
+import java.io.IOException;
+
+import sun.security.pkcs.PKCS9Attribute;
+import sun.security.util.*;
+
+/**
+ * Represent a PKCS#10 Attribute.
+ *
+ * <p>Attributes are additonal information which can be inserted in a PKCS#10
+ * certificate request. For example a "Driving License Certificate" could have
+ * the driving license number as an attribute.
+ *
+ * <p>Attributes are represented as a sequence of the attribute identifier
+ * (Object Identifier) and a set of DER encoded attribute values.
+ *
+ * ASN.1 definition of Attribute:
+ * <pre>
+ * Attribute :: SEQUENCE {
+ *    type    AttributeType,
+ *    values  SET OF AttributeValue
+ * }
+ * AttributeType  ::= OBJECT IDENTIFIER
+ * AttributeValue ::= ANY defined by type
+ * </pre>
+ *
+ * @author Amit Kapoor
+ * @author Hemma Prafullchandra
+ */
+public class PKCS10Attribute implements DerEncoder {
+
+    protected ObjectIdentifier  attributeId = null;
+    protected Object            attributeValue = null;
+
+    /**
+     * Constructs an attribute from a DER encoding.
+     * This constructor expects the value to be encoded as defined above,
+     * i.e. a SEQUENCE of OID and SET OF value(s), not a literal
+     * X.509 v3 extension. Only PKCS9 defined attributes are supported
+     * currently.
+     *
+     * @param derVal the der encoded attribute.
+     * @exception IOException on parsing errors.
+     */
+    public PKCS10Attribute(DerValue derVal) throws IOException {
+        PKCS9Attribute attr = new PKCS9Attribute(derVal);
+        this.attributeId = attr.getOID();
+        this.attributeValue = attr.getValue();
+    }
+
+    /**
+     * Constructs an attribute from individual components of
+     * ObjectIdentifier and the value (any java object).
+     *
+     * @param attributeId the ObjectIdentifier of the attribute.
+     * @param attributeValue an instance of a class that implements
+     * the attribute identified by the ObjectIdentifier.
+     */
+    public PKCS10Attribute(ObjectIdentifier attributeId,
+                           Object attributeValue) {
+        this.attributeId = attributeId;
+        this.attributeValue = attributeValue;
+    }
+
+    /**
+     * Constructs an attribute from PKCS9 attribute.
+     *
+     * @param attr the PKCS9Attribute to create from.
+     */
+    public PKCS10Attribute(PKCS9Attribute attr) {
+        this.attributeId = attr.getOID();
+        this.attributeValue = attr.getValue();
+    }
+
+    /**
+     * DER encode this object onto an output stream.
+     * Implements the <code>DerEncoder</code> interface.
+     *
+     * @param out
+     * the OutputStream on which to write the DER encoding.
+     *
+     * @exception IOException on encoding errors.
+     */
+    public void derEncode(OutputStream out) throws IOException {
+        PKCS9Attribute attr = new PKCS9Attribute(attributeId, attributeValue);
+        attr.derEncode(out);
+    }
+
+    /**
+     * Returns the ObjectIdentifier of the attribute.
+     */
+    public ObjectIdentifier getAttributeId() {
+        return (attributeId);
+    }
+
+    /**
+     * Returns the attribute value.
+     */
+    public Object getAttributeValue() {
+        return (attributeValue);
+    }
+
+    /**
+     * Returns the attribute in user readable form.
+     */
+    public String toString() {
+        return (attributeValue.toString());
+    }
+}
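Review bot: `toString()` dereferences `attributeValue` unconditionally, but the two-argument constructor accepts any value, including null, so printing such an attribute throws `NullPointerException`. `return String.valueOf(attributeValue);` gives the same text for non-null values and is safe for null. The class also defines no `equals`/`hashCode`; the removed `PKCS10Attributes.equals` compared entries with `thisAttr.equals(otherAttr)`, so if the relocated version does the same (it is not visible here), two attribute sets parsed from the same bytes would never compare equal.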
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attributes.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs10;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.cert.CertificateException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+import sun.security.util.*;
+
+/**
+ * This class defines the PKCS10 attributes for the request.
+ * The ASN.1 syntax for this is:
+ * <pre>
+ * Attributes ::= SET OF Attribute
+ * </pre>
+ *
+ * @author Amit Kapoor
+ * @author Hemma Prafullchandra
+ * @see PKCS10
+ * @see PKCS10Attribute
+ */
+public class PKCS10Attributes implements DerEncoder {
+
+    private Hashtable<String, PKCS10Attribute> map =
+                        new Hashtable<String, PKCS10Attribute>(3);
+
+    /**
+     * Default constructor for the PKCS10 attribute.
+     */
+    public PKCS10Attributes() { }
+
+    /**
+     * Create the object from the array of PKCS10Attribute objects.
+     *
+     * @param attrs the array of PKCS10Attribute objects.
+     */
+    public PKCS10Attributes(PKCS10Attribute[] attrs) {
+        for (int i = 0; i < attrs.length; i++) {
+            map.put(attrs[i].getAttributeId().toString(), attrs[i]);
+        }
+    }
+
+    /**
+     * Create the object, decoding the values from the passed DER stream.
+     * The DER stream contains the SET OF Attribute.
+     *
+     * @param in the DerInputStream to read the attributes from.
+     * @exception IOException on decoding errors.
+     */
+    public PKCS10Attributes(DerInputStream in) throws IOException {
+        DerValue[] attrs = in.getSet(3, true);
+
+        if (attrs == null)
+            throw new IOException("Illegal encoding of attributes");
+        for (int i = 0; i < attrs.length; i++) {
+            PKCS10Attribute attr = new PKCS10Attribute(attrs[i]);
+            map.put(attr.getAttributeId().toString(), attr);
+        }
+    }
+
+    /**
+     * Encode the attributes in DER form to the stream.
+     *
+     * @param out the OutputStream to marshal the contents to.
+     * @exception IOException on encoding errors.
+     */
+    public void encode(OutputStream out) throws IOException {
+        derEncode(out);
+    }
+
+    /**
+     * Encode the attributes in DER form to the stream.
+     * Implements the <code>DerEncoder</code> interface.
+     *
+     * @param out the OutputStream to marshal the contents to.
+     * @exception IOException on encoding errors.
+     */
+    public void derEncode(OutputStream out) throws IOException {
+        // first copy the elements into an array
+        Collection<PKCS10Attribute> allAttrs = map.values();
+        PKCS10Attribute[] attribs =
+                allAttrs.toArray(new PKCS10Attribute[map.size()]);
+
+        DerOutputStream attrOut = new DerOutputStream();
+        attrOut.putOrderedSetOf(DerValue.createTag(DerValue.TAG_CONTEXT,
+                                                   true, (byte)0),
+                                attribs);
+        out.write(attrOut.toByteArray());
+    }
+
+    /**
+     * Set the attribute value.
+     */
+    public void setAttribute(String name, Object obj) {
+        if (obj instanceof PKCS10Attribute) {
+            map.put(name, (PKCS10Attribute)obj);
+        }
+    }
+
+    /**
+     * Get the attribute value.
+     */
+    public Object getAttribute(String name) {
+        return map.get(name);
+    }
+
+    /**
+     * Delete the attribute value.
+     */
+    public void deleteAttribute(String name) {
+        map.remove(name);
+    }
+
+    /**
+     * Return an enumeration of names of attributes existing within this
+     * attribute.
+     */
+    public Enumeration<PKCS10Attribute> getElements() {
+        return (map.elements());
+    }
+
+    /**
+     * Return a Collection of attributes existing within this
+     * PKCS10Attributes object.
+     */
+    public Collection<PKCS10Attribute> getAttributes() {
+        return (Collections.unmodifiableCollection(map.values()));
+    }
+
+    /**
+     * Compares this PKCS10Attributes for equality with the specified
+     * object. If the <code>other</code> object is an
+     * <code>instanceof</code> <code>PKCS10Attributes</code>, then
+     * all the entries are compared with the entries from this.
+     *
+     * @param other the object to test for equality with this PKCS10Attributes.
+     * @return true if all the entries match that of the Other,
+     * false otherwise.
+     */
+    public boolean equals(Object other) {
+        if (this == other)
+            return true;
+        if (!(other instanceof PKCS10Attributes))
+            return false;
+
+        Collection<PKCS10Attribute> othersAttribs =
+                ((PKCS10Attributes)other).getAttributes();
+        PKCS10Attribute[] attrs =
+            othersAttribs.toArray(new PKCS10Attribute[othersAttribs.size()]);
+        int len = attrs.length;
+        if (len != map.size())
+            return false;
+        PKCS10Attribute thisAttr, otherAttr;
+        String key = null;
+        for (int i=0; i < len; i++) {
+            otherAttr = attrs[i];
+            key = otherAttr.getAttributeId().toString();
+
+            if (key == null)
+                return false;
+            thisAttr = map.get(key);
+            if (thisAttr == null)
+                return false;
+            if (! thisAttr.equals(otherAttr))
+                return false;
+        }
+        return true;
+    }
+
+    /**
+     * Returns a hashcode value for this PKCS10Attributes.
+     *
+     * @return the hashcode value.
+     */
+    public int hashCode() {
+        return map.hashCode();
+    }
+
+    /**
+     * Returns a string representation of this <tt>PKCS10Attributes</tt> object
+     * in the form of a set of entries, enclosed in braces and separated
+     * by the ASCII characters "<tt>,&nbsp;</tt>" (comma and space).
+     * <p>Overrides the <tt>toString</tt> method of <tt>Object</tt>.
+     *
+     * @return  a string representation of this PKCS10Attributes.
+     */
+    public String toString() {
+        String s = map.size() + "\n" + map.toString();
+        return s;
+    }
+}
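Review bot: The `PKCS10Attributes(DerInputStream)` constructor stores each decoded attribute with `map.put(attr.getAttributeId().toString(), attr)`, so a request whose SET OF Attribute carries the same OID twice is accepted and only the last occurrence survives; what `derEncode` later writes then differs from what was parsed. For requests that come from an untrusted party it would be safer to reject the duplicate, e.g. `if (map.put(attr.getAttributeId().toString(), attr) != null) throw new IOException("Duplicate attribute in request");`. Separately, `setAttribute` silently drops any value that is not a `PKCS10Attribute` and lets `name` differ from the attribute's OID string, which `equals` uses as its lookup key; the Javadoc should state both. The Javadoc of `getElements` also says it returns names, while the method returns the attributes themselves.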
--- a/jdk/src/share/classes/sun/security/pkcs11/Config.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs11/Config.java	Wed Jul 05 17:54:13 2017 +0200
@@ -192,6 +192,11 @@
     // works only for NSS providers created via the Secmod API
     private boolean nssUseSecmodTrust = false;
 
+    // Flag to indicate whether the X9.63 encoding for EC points shall be used
+    // (true) or whether that encoding shall be wrapped in an ASN.1 OctetString
+    // (false).
+    private boolean useEcX963Encoding = false;
+
     private Config(String filename, InputStream in) throws IOException {
         if (in == null) {
             if (filename.startsWith("--")) {
@@ -320,6 +325,10 @@
         return nssUseSecmodTrust;
     }
 
+    boolean getUseEcX963Encoding() {
+        return useEcX963Encoding;
+    }
+
     private static String expand(final String s) throws IOException {
         try {
             return PropertyExpander.expand(s);
@@ -440,6 +449,8 @@
                 parseNSSArgs(word);
             } else if (word.equals("nssUseSecmodTrust")) {
                 nssUseSecmodTrust = parseBooleanEntry(word);
+            } else if (word.equals("useEcX963Encoding")) {
+                useEcX963Encoding = parseBooleanEntry(word);
             } else {
                 throw new ConfigurationException
                         ("Unknown keyword '" + word + "', line " + st.lineno());
--- a/jdk/src/share/classes/sun/security/pkcs11/KeyCache.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs11/KeyCache.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,7 +48,7 @@
  */
 final class KeyCache {
 
-    private final Cache strongCache;
+    private final Cache<IdentityWrapper, P11Key> strongCache;
 
     private WeakReference<Map<Key,P11Key>> cacheReference;
 
@@ -77,7 +77,7 @@
     }
 
     synchronized P11Key get(Key key) {
-        P11Key p11Key = (P11Key)strongCache.get(new IdentityWrapper(key));
+        P11Key p11Key = strongCache.get(new IdentityWrapper(key));
         if (p11Key != null) {
             return p11Key;
         }
@@ -94,8 +94,8 @@
         Map<Key,P11Key> map =
                 (cacheReference == null) ? null : cacheReference.get();
         if (map == null) {
-            map = new IdentityHashMap<Key,P11Key>();
-            cacheReference = new WeakReference<Map<Key,P11Key>>(map);
+            map = new IdentityHashMap<>();
+            cacheReference = new WeakReference<>(map);
         }
         map.put(key, p11Key);
     }
--- a/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Wed Jul 05 17:54:13 2017 +0200
@@ -203,14 +203,20 @@
 
     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
         byte[] encodedParams = ECParameters.encodeParameters(params);
-        byte[] encodedPoint = null;
-        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
-            ECParameters.encodePoint(point, params.getCurve()));
+        byte[] encodedPoint =
+            ECParameters.encodePoint(point, params.getCurve());
 
-        try {
-            encodedPoint = pkECPoint.toByteArray();
-        } catch (IOException e) {
-            throw new IllegalArgumentException("Could not DER encode point", e);
+        // Check whether the X9.63 encoding of an EC point shall be wrapped
+        // in an ASN.1 OCTET STRING
+        if (!token.config.getUseEcX963Encoding()) {
+            try {
+                encodedPoint =
+                    new DerValue(DerValue.tag_OctetString, encodedPoint)
+                        .toByteArray();
+            } catch (IOException e) {
+                throw new
+                    IllegalArgumentException("Could not DER encode point", e);
+            }
         }
 
         CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
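Review bot: The new comment in `generatePublic` says the point "shall be wrapped" depending on the flag, but not which form is the default; `useEcX963Encoding` is initialised to `false` in `Config`, so the default path still DER-wraps the point as before. I would say so in the comment, e.g. `// Default (useEcX963Encoding=false): wrap the X9.63 point in a DER OCTET STRING; true: pass the bare X9.63 encoding`. The `catch` still turns the `IOException` into an unchecked `IllegalArgumentException` although the method declares `PKCS11Exception`, which is worth a line in the method's documentation. The method body continues below the hunk, so how `encodedPoint` is used cannot be seen here.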
--- a/jdk/src/share/classes/sun/security/pkcs11/P11Key.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/pkcs11/P11Key.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1028,28 +1028,21 @@
             try {
                 params = P11ECKeyFactory.decodeParameters
                             (attributes[1].getByteArray());
-
-                /*
-                 * An uncompressed EC point may be in either of two formats.
-                 * First try the OCTET STRING encoding:
-                 *   04 <length> 04 <X-coordinate> <Y-coordinate>
-                 *
-                 * Otherwise try the raw encoding:
-                 *   04 <X-coordinate> <Y-coordinate>
-                 */
                 byte[] ecKey = attributes[0].getByteArray();
 
-                try {
+                // Check whether the X9.63 encoding of an EC point is wrapped
+                // in an ASN.1 OCTET STRING
+                if (!token.config.getUseEcX963Encoding()) {
                     DerValue wECPoint = new DerValue(ecKey);
-                    if (wECPoint.getTag() != DerValue.tag_OctetString)
-                        throw new IOException("Unexpected tag: " +
-                            wECPoint.getTag());
 
+                    if (wECPoint.getTag() != DerValue.tag_OctetString) {
+                        throw new IOException("Could not DER decode EC point." +
+                            " Unexpected tag: " + wECPoint.getTag());
+                    }
                     w = P11ECKeyFactory.decodePoint
                         (wECPoint.getDataBytes(), params.getCurve());
 
-                } catch (IOException e) {
-                    // Failover
+                } else {
                     w = P11ECKeyFactory.decodePoint(ecKey, params.getCurve());
                 }
 
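Review bot: With the `// Failover` catch removed, a token that returns the raw `04 <X-coordinate> <Y-coordinate>` form is no longer decoded unless `useEcX963Encoding` is set. The tag test `wECPoint.getTag() != DerValue.tag_OctetString` cannot tell the two forms apart, because, as the deleted comment showed, the raw uncompressed form also begins with 0x04. Rejecting a raw point in wrapped mode therefore seems to rest on `new DerValue(ecKey)` failing on the length field, which should be confirmed and covered by a test. I would keep the format description above the branch, e.g. `// useEcX963Encoding=false: 04 <length> 04 <X> <Y> (OCTET STRING); true: 04 <X> <Y> (raw X9.63)`. The enclosing `try` is closed outside the hunk, so how the `IOException` is reported is not visible here.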
--- a/jdk/src/share/classes/sun/security/provider/X509Factory.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/X509Factory.java	Wed Jul 05 17:54:13 2017 +0200
@@ -64,8 +64,10 @@
 
     private static final int ENC_MAX_LENGTH = 4096 * 1024; // 4 MB MAX
 
-    private static final Cache certCache = Cache.newSoftMemoryCache(750);
-    private static final Cache crlCache = Cache.newSoftMemoryCache(750);
+    private static final Cache<Object, X509CertImpl> certCache
+        = Cache.newSoftMemoryCache(750);
+    private static final Cache<Object, X509CRLImpl> crlCache
+        = Cache.newSoftMemoryCache(750);
 
     /**
      * Generates an X.509 certificate object and initializes it with
@@ -90,7 +92,7 @@
         try {
             byte[] encoding = readOneBlock(is);
             if (encoding != null) {
-                X509CertImpl cert = (X509CertImpl)getFromCache(certCache, encoding);
+                X509CertImpl cert = getFromCache(certCache, encoding);
                 if (cert != null) {
                     return cert;
                 }
@@ -151,7 +153,7 @@
         } else {
             encoding = c.getEncoded();
         }
-        X509CertImpl newC = (X509CertImpl)getFromCache(certCache, encoding);
+        X509CertImpl newC = getFromCache(certCache, encoding);
         if (newC != null) {
             return newC;
         }
@@ -181,7 +183,7 @@
         } else {
             encoding = c.getEncoded();
         }
-        X509CRLImpl newC = (X509CRLImpl)getFromCache(crlCache, encoding);
+        X509CRLImpl newC = getFromCache(crlCache, encoding);
         if (newC != null) {
             return newC;
         }
@@ -198,18 +200,17 @@
     /**
      * Get the X509CertImpl or X509CRLImpl from the cache.
      */
-    private static synchronized Object getFromCache(Cache cache,
+    private static synchronized <K,V> V getFromCache(Cache<K,V> cache,
             byte[] encoding) {
         Object key = new Cache.EqualByteArray(encoding);
-        Object value = cache.get(key);
-        return value;
+        return cache.get(key);
     }
 
     /**
      * Add the X509CertImpl or X509CRLImpl to the cache.
      */
-    private static synchronized void addToCache(Cache cache, byte[] encoding,
-            Object value) {
+    private static synchronized <V> void addToCache(Cache<Object, V> cache,
+            byte[] encoding, V value) {
         if (encoding.length > ENC_MAX_LENGTH) {
             return;
         }
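Review bot: `getFromCache` is declared as `<K,V> V getFromCache(Cache<K,V> cache, ...)`, but the key it builds is always a `Cache.EqualByteArray` held in an `Object`, so the type parameter `K` constrains nothing and is out of step with `addToCache`, which takes `Cache<Object, V>`. Both caches are declared `Cache<Object, ...>` earlier in this file, so the signature could simply be `private static synchronized <V> V getFromCache(Cache<Object, V> cache,`. That keeps the two helpers parallel and prevents a cache with a different key type from being passed in by mistake. The body of `addToCache` continues below the hunk.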
@@ -361,7 +362,7 @@
         try {
             byte[] encoding = readOneBlock(is);
             if (encoding != null) {
-                X509CRLImpl crl = (X509CRLImpl)getFromCache(crlCache, encoding);
+                X509CRLImpl crl = getFromCache(crlCache, encoding);
                 if (crl != null) {
                     return crl;
                 }
@@ -669,6 +670,23 @@
                 bout.write(midByte);
                 bout.write(lowByte);
                 length = (highByte << 16) | (midByte << 8) | lowByte;
+            } else if (n == 0x84) {
+                int highByte = is.read();
+                int nextByte = is.read();
+                int midByte = is.read();
+                int lowByte = is.read();
+                if (lowByte == -1) {
+                    throw new IOException("Incomplete BER/DER length info");
+                }
+                if (highByte > 127) {
+                    throw new IOException("Invalid BER/DER data (a little huge?)");
+                }
+                bout.write(highByte);
+                bout.write(nextByte);
+                bout.write(midByte);
+                bout.write(lowByte);
+                length = (highByte << 24 ) | (nextByte << 16) |
+                        (midByte << 8) | lowByte;
             } else { // ignore longer length forms
                 throw new IOException("Invalid BER/DER data (too huge?)");
             }
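Review bot: The new `0x84` branch accepts any length up to 0x7FFFFFFF taken from the stream (only `highByte > 127` is rejected), so five header bytes from an untrusted source can announce a block of almost 2 GiB. The code that consumes `length` lies outside this hunk; if it sizes a buffer from `length` before the data has arrived, that is a memory-exhaustion risk, and it should read incrementally or enforce an explicit upper bound. As far as the visible hunks show, `ENC_MAX_LENGTH` limits only what `addToCache` stores, not what is parsed. A comment such as `// length comes from the input and may be close to Integer.MAX_VALUE; do not pre-allocate it` would record the assumption. The message `"Invalid BER/DER data (a little huge?)"` would also be clearer as a plain statement that the length is outside the supported range.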
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,32 +27,87 @@
 
 import java.net.URI;
 import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.security.AccessController;
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidAlgorithmParameterException;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.security.cert.CertStore;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509CRLSelector;
 import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
 
+import sun.security.util.Cache;
+
 /**
- * Helper used by URICertStore when delegating to another CertStore to
- * fetch certs and CRLs.
+ * Helper used by URICertStore and others when delegating to another CertStore
+ * to fetch certs and CRLs.
  */
 
-public interface CertStoreHelper {
+public abstract class CertStoreHelper {
+
+    private static final int NUM_TYPES = 2;
+    private final static Map<String,String> classMap = new HashMap<>(NUM_TYPES);
+    static {
+        classMap.put(
+            "LDAP",
+            "sun.security.provider.certpath.ldap.LDAPCertStoreHelper");
+        classMap.put(
+            "SSLServer",
+            "sun.security.provider.certpath.ssl.SSLServerCertStoreHelper");
+    };
+    private static Cache<String, CertStoreHelper> cache
+        = Cache.newSoftMemoryCache(NUM_TYPES);
+
+    public static CertStoreHelper getInstance(final String type)
+        throws NoSuchAlgorithmException
+    {
+        CertStoreHelper helper = cache.get(type);
+        if (helper != null) {
+            return helper;
+        }
+        final String cl = classMap.get(type);
+        if (cl == null) {
+            throw new NoSuchAlgorithmException(type + " not available");
+        }
+        try {
+            helper = AccessController.doPrivileged(
+                new PrivilegedExceptionAction<CertStoreHelper>() {
+                    public CertStoreHelper run() throws ClassNotFoundException {
+                        try {
+                            Class<?> c = Class.forName(cl, true, null);
+                            CertStoreHelper csh
+                                = (CertStoreHelper)c.newInstance();
+                            cache.put(type, csh);
+                            return csh;
+                        } catch (InstantiationException e) {
+                            throw new AssertionError(e);
+                        } catch (IllegalAccessException e) {
+                            throw new AssertionError(e);
+                        }
+                    }
+            });
+            return helper;
+        } catch (PrivilegedActionException e) {
+            throw new NoSuchAlgorithmException(type + " not available",
+                                               e.getException());
+        }
+    }
 
     /**
      * Returns a CertStore using the given URI as parameters.
      */
-    CertStore getCertStore(URI uri)
+    public abstract CertStore getCertStore(URI uri)
         throws NoSuchAlgorithmException, InvalidAlgorithmParameterException;
 
     /**
      * Wraps an existing X509CertSelector when needing to avoid DN matching
      * issues.
      */
-    X509CertSelector wrap(X509CertSelector selector,
+    public abstract X509CertSelector wrap(X509CertSelector selector,
                           X500Principal certSubject,
                           String dn)
         throws IOException;
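Review bot: `getInstance` calls `Class.forName(cl, true, null)` and `newInstance()` inside `doPrivileged`, which is safe only because `cl` is looked up in the fixed `classMap` and the caller's `type` string never reaches `Class.forName` directly. That invariant deserves a comment next to the call, e.g. `// cl comes from classMap only; never pass a caller-supplied class name into this privileged block`. Declaring `cache` as `final` would match `classMap`, and the stray `;` after the static initializer can go. `getInstance` is public but has no Javadoc; it should name the accepted types ("LDAP", "SSLServer") and say that `NoSuchAlgorithmException` is thrown for an unknown type or when the helper class cannot be loaded.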
@@ -61,7 +116,7 @@
      * Wraps an existing X509CRLSelector when needing to avoid DN matching
      * issues.
      */
-    X509CRLSelector wrap(X509CRLSelector selector,
+    public abstract X509CRLSelector wrap(X509CRLSelector selector,
                          Collection<X500Principal> certIssuers,
                          String dn)
         throws IOException;
--- a/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java	Wed Jul 05 17:54:13 2017 +0200
@@ -30,8 +30,6 @@
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URLConnection;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
@@ -102,8 +100,7 @@
     private final CertificateFactory factory;
 
     // cached Collection of X509Certificates (may be empty, never null)
-    private Collection<X509Certificate> certs =
-        Collections.<X509Certificate>emptySet();
+    private Collection<X509Certificate> certs = Collections.emptySet();
 
     // cached X509CRL (may be null)
     private X509CRL crl;
@@ -120,36 +117,11 @@
 
     // true if URI is ldap
     private boolean ldap = false;
+    private CertStoreHelper ldapHelper;
     private CertStore ldapCertStore;
     private String ldapPath;
 
     /**
-     * Holder class to lazily load LDAPCertStoreHelper if present.
-     */
-    private static class LDAP {
-        private static final String CERT_STORE_HELPER =
-            "sun.security.provider.certpath.ldap.LDAPCertStoreHelper";
-        private static final CertStoreHelper helper =
-            AccessController.doPrivileged(
-                new PrivilegedAction<CertStoreHelper>() {
-                    public CertStoreHelper run() {
-                        try {
-                            Class<?> c = Class.forName(CERT_STORE_HELPER, true, null);
-                            return (CertStoreHelper)c.newInstance();
-                        } catch (ClassNotFoundException cnf) {
-                            return null;
-                        } catch (InstantiationException e) {
-                            throw new AssertionError(e);
-                        } catch (IllegalAccessException e) {
-                            throw new AssertionError(e);
-                        }
-                    }});
-        static CertStoreHelper helper() {
-            return helper;
-        }
-    }
-
-    /**
      * Creates a URICertStore.
      *
      * @param parameters specifying the URI
@@ -164,10 +136,9 @@
         this.uri = ((URICertStoreParameters) params).uri;
         // if ldap URI, use an LDAPCertStore to fetch certs and CRLs
         if (uri.getScheme().toLowerCase(Locale.ENGLISH).equals("ldap")) {
-            if (LDAP.helper() == null)
-                throw new NoSuchAlgorithmException("LDAP not present");
             ldap = true;
-            ldapCertStore = LDAP.helper().getCertStore(uri);
+            ldapHelper = CertStoreHelper.getInstance("LDAP");
+            ldapCertStore = ldapHelper.getCertStore(uri);
             ldapPath = uri.getPath();
             // strip off leading '/'
             if (ldapPath.charAt(0) == '/') {
@@ -185,14 +156,14 @@
      * Returns a URI CertStore. This method consults a cache of
      * CertStores (shared per JVM) using the URI as a key.
      */
-    private static final Cache certStoreCache =
-        Cache.newSoftMemoryCache(CACHE_SIZE);
+    private static final Cache<URICertStoreParameters, CertStore>
+        certStoreCache = Cache.newSoftMemoryCache(CACHE_SIZE);
     static synchronized CertStore getInstance(URICertStoreParameters params)
         throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
         if (debug != null) {
             debug.println("CertStore URI:" + params.uri);
         }
-        CertStore ucs = (CertStore) certStoreCache.get(params);
+        CertStore ucs = certStoreCache.get(params);
         if (ucs == null) {
             ucs = new UCS(new URICertStore(params), null, "URI", params);
             certStoreCache.put(params, ucs);
@@ -251,7 +222,7 @@
         if (ldap) {
             X509CertSelector xsel = (X509CertSelector) selector;
             try {
-                xsel = LDAP.helper().wrap(xsel, xsel.getSubject(), ldapPath);
+                xsel = ldapHelper.wrap(xsel, xsel.getSubject(), ldapPath);
             } catch (IOException ioe) {
                 throw new CertStoreException(ioe);
             }
@@ -273,62 +244,49 @@
             return getMatchingCerts(certs, selector);
         }
         lastChecked = time;
-        InputStream in = null;
         try {
             URLConnection connection = uri.toURL().openConnection();
             if (lastModified != 0) {
                 connection.setIfModifiedSince(lastModified);
             }
-            in = connection.getInputStream();
             long oldLastModified = lastModified;
-            lastModified = connection.getLastModified();
-            if (oldLastModified != 0) {
-                if (oldLastModified == lastModified) {
-                    if (debug != null) {
-                        debug.println("Not modified, using cached copy");
-                    }
-                    return getMatchingCerts(certs, selector);
-                } else if (connection instanceof HttpURLConnection) {
-                    // some proxy servers omit last modified
-                    HttpURLConnection hconn = (HttpURLConnection) connection;
-                    if (hconn.getResponseCode()
-                                == HttpURLConnection.HTTP_NOT_MODIFIED) {
+            try (InputStream in = connection.getInputStream()) {
+                lastModified = connection.getLastModified();
+                if (oldLastModified != 0) {
+                    if (oldLastModified == lastModified) {
                         if (debug != null) {
                             debug.println("Not modified, using cached copy");
                         }
                         return getMatchingCerts(certs, selector);
+                    } else if (connection instanceof HttpURLConnection) {
+                        // some proxy servers omit last modified
+                        HttpURLConnection hconn = (HttpURLConnection)connection;
+                        if (hconn.getResponseCode()
+                                    == HttpURLConnection.HTTP_NOT_MODIFIED) {
+                            if (debug != null) {
+                                debug.println("Not modified, using cached copy");
+                            }
+                            return getMatchingCerts(certs, selector);
+                        }
                     }
                 }
-            }
-            if (debug != null) {
-                debug.println("Downloading new certificates...");
+                if (debug != null) {
+                    debug.println("Downloading new certificates...");
+                }
+                // Safe cast since factory is an X.509 certificate factory
+                certs = (Collection<X509Certificate>)
+                    factory.generateCertificates(in);
             }
-            // Safe cast since factory is an X.509 certificate factory
-            certs = (Collection<X509Certificate>)
-                factory.generateCertificates(in);
             return getMatchingCerts(certs, selector);
-        } catch (IOException e) {
+        } catch (IOException | CertificateException e) {
             if (debug != null) {
                 debug.println("Exception fetching certificates:");
                 e.printStackTrace();
             }
-        } catch (CertificateException e) {
-            if (debug != null) {
-                debug.println("Exception fetching certificates:");
-                e.printStackTrace();
-            }
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException e) {
-                    // ignore
-                }
-            }
         }
         // exception, forget previous values
         lastModified = 0;
-        certs = Collections.<X509Certificate>emptySet();
+        certs = Collections.emptySet();
         return certs;
     }
 
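Review bot: The certificate fetch still calls `uri.toURL().openConnection()` without a connect or read timeout, so a server that accepts the connection and then stalls can block retrieval for as long as the platform default allows, unless a timeout is applied somewhere outside this hunk. Since the block is being restructured around try-with-resources anyway, I would add `connection.setConnectTimeout(TIMEOUT_MS);` and `connection.setReadTimeout(TIMEOUT_MS);` before `getInputStream()`, where `TIMEOUT_MS` is a placeholder for a value the project chooses. The method begins above the hunk, and the CRL fetch in the hunk starting at `@@ -395,61 +352,48 @@` has the same shape.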
@@ -343,8 +301,7 @@
         if (selector == null) {
             return certs;
         }
-        List<X509Certificate> matchedCerts =
-            new ArrayList<X509Certificate>(certs.size());
+        List<X509Certificate> matchedCerts = new ArrayList<>(certs.size());
         for (X509Certificate cert : certs) {
             if (selector.match(cert)) {
                 matchedCerts.add(cert);
@@ -374,7 +331,7 @@
         if (ldap) {
             X509CRLSelector xsel = (X509CRLSelector) selector;
             try {
-                xsel = LDAP.helper().wrap(xsel, null, ldapPath);
+                xsel = ldapHelper.wrap(xsel, null, ldapPath);
             } catch (IOException ioe) {
                 throw new CertStoreException(ioe);
             }
@@ -395,61 +352,48 @@
             return getMatchingCRLs(crl, selector);
         }
         lastChecked = time;
-        InputStream in = null;
         try {
             URLConnection connection = uri.toURL().openConnection();
             if (lastModified != 0) {
                 connection.setIfModifiedSince(lastModified);
             }
-            in = connection.getInputStream();
             long oldLastModified = lastModified;
-            lastModified = connection.getLastModified();
-            if (oldLastModified != 0) {
-                if (oldLastModified == lastModified) {
-                    if (debug != null) {
-                        debug.println("Not modified, using cached copy");
-                    }
-                    return getMatchingCRLs(crl, selector);
-                } else if (connection instanceof HttpURLConnection) {
-                    // some proxy servers omit last modified
-                    HttpURLConnection hconn = (HttpURLConnection) connection;
-                    if (hconn.getResponseCode()
-                                == HttpURLConnection.HTTP_NOT_MODIFIED) {
+            try (InputStream in = connection.getInputStream()) {
+                lastModified = connection.getLastModified();
+                if (oldLastModified != 0) {
+                    if (oldLastModified == lastModified) {
                         if (debug != null) {
                             debug.println("Not modified, using cached copy");
                         }
                         return getMatchingCRLs(crl, selector);
+                    } else if (connection instanceof HttpURLConnection) {
+                        // some proxy servers omit last modified
+                        HttpURLConnection hconn = (HttpURLConnection)connection;
+                        if (hconn.getResponseCode()
+                                    == HttpURLConnection.HTTP_NOT_MODIFIED) {
+                            if (debug != null) {
+                                debug.println("Not modified, using cached copy");
+                            }
+                            return getMatchingCRLs(crl, selector);
+                        }
                     }
                 }
-            }
-            if (debug != null) {
-                debug.println("Downloading new CRL...");
+                if (debug != null) {
+                    debug.println("Downloading new CRL...");
+                }
+                crl = (X509CRL) factory.generateCRL(in);
             }
-            crl = (X509CRL) factory.generateCRL(in);
             return getMatchingCRLs(crl, selector);
-        } catch (IOException e) {
+        } catch (IOException | CRLException e) {
             if (debug != null) {
                 debug.println("Exception fetching CRL:");
                 e.printStackTrace();
             }
-        } catch (CRLException e) {
-            if (debug != null) {
-                debug.println("Exception fetching CRL:");
-                e.printStackTrace();
-            }
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException e) {
-                    // ignore
-                }
-            }
         }
         // exception, forget previous values
         lastModified = 0;
         crl = null;
-        return Collections.<X509CRL>emptyList();
+        return Collections.emptyList();
     }
 
     /**
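Review bot: With the stream moved into `try (InputStream in = connection.getInputStream())`, an IOException thrown by the implicit close() now lands in `catch (IOException | CRLException e)`. The method then falls through to `lastModified = 0; crl = null;` and returns an empty list, even when the CRL was already parsed or the cached copy was reported as unmodified. The removed finally block ignored close failures. If discarding the CRL in that case is intended, say so next to the catch, e.g. `// also reached when close() fails; the cached CRL is discarded`; otherwise close the stream so that a close error cannot mask a successful fetch. The enclosing method starts above this hunk.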
@@ -459,9 +403,9 @@
     private static Collection<X509CRL> getMatchingCRLs
         (X509CRL crl, CRLSelector selector) {
         if (selector == null || (crl != null && selector.match(crl))) {
-            return Collections.<X509CRL>singletonList(crl);
+            return Collections.singletonList(crl);
         } else {
-            return Collections.<X509CRL>emptyList();
+            return Collections.emptyList();
         }
     }
 
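Review bot: `getMatchingCRLs` returns `Collections.singletonList(crl)` whenever `selector == null`, including when `crl` is null, so a caller can receive a one-element list holding null. The fetch path in the previous hunk sets `crl = null` on failure, so a null argument looks reachable, though that depends on code outside this diff. Testing the CRL first avoids it: `if (crl != null && (selector == null || selector.match(crl)))`.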
--- a/jdk/src/share/classes/sun/security/provider/certpath/X509CertificatePair.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/X509CertificatePair.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -79,7 +79,8 @@
     private X509Certificate reverse;
     private byte[] encoded;
 
-    private static final Cache cache = Cache.newSoftMemoryCache(750);
+    private static final Cache<Object, X509CertificatePair> cache
+        = Cache.newSoftMemoryCache(750);
 
     /**
      * Creates an empty instance of X509CertificatePair.
@@ -114,7 +115,7 @@
      *
      * For internal use only, external code should use generateCertificatePair.
      */
-    private X509CertificatePair(byte[] encoded)throws CertificateException {
+    private X509CertificatePair(byte[] encoded) throws CertificateException {
         try {
             parse(new DerValue(encoded));
             this.encoded = encoded;
@@ -138,7 +139,7 @@
     public static synchronized X509CertificatePair generateCertificatePair
             (byte[] encoded) throws CertificateException {
         Object key = new Cache.EqualByteArray(encoded);
-        X509CertificatePair pair = (X509CertificatePair)cache.get(key);
+        X509CertificatePair pair = cache.get(key);
         if (pair != null) {
             return pair;
         }
--- a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -103,7 +103,7 @@
  * @author      Steve Hanna
  * @author      Andreas Sterbenz
  */
-public class LDAPCertStore extends CertStoreSpi {
+public final class LDAPCertStore extends CertStoreSpi {
 
     private static final Debug debug = Debug.getInstance("certpath");
 
@@ -160,7 +160,7 @@
      */
     private boolean prefetchCRLs = false;
 
-    private final Cache valueCache;
+    private final Cache<String, byte[][]> valueCache;
 
     private int cacheHits = 0;
     private int cacheMisses = 0;
@@ -207,10 +207,11 @@
      * Returns an LDAP CertStore. This method consults a cache of
      * CertStores (shared per JVM) using the LDAP server/port as a key.
      */
-    private static final Cache certStoreCache = Cache.newSoftMemoryCache(185);
+    private static final Cache<LDAPCertStoreParameters, CertStore>
+        certStoreCache = Cache.newSoftMemoryCache(185);
     static synchronized CertStore getInstance(LDAPCertStoreParameters params)
         throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
-        CertStore lcs = (CertStore) certStoreCache.get(params);
+        CertStore lcs = certStoreCache.get(params);
         if (lcs == null) {
             lcs = CertStore.getInstance("LDAP", params);
             certStoreCache.put(params, lcs);
@@ -232,7 +233,7 @@
     private void createInitialDirContext(String server, int port)
             throws InvalidAlgorithmParameterException {
         String url = "ldap://" + server + ":" + port;
-        Hashtable<String,Object> env = new Hashtable<String,Object>();
+        Hashtable<String,Object> env = new Hashtable<>();
         env.put(Context.INITIAL_CONTEXT_FACTORY,
                 "com.sun.jndi.ldap.LdapCtxFactory");
         env.put(Context.PROVIDER_URL, url);
@@ -283,7 +284,7 @@
 
         LDAPRequest(String name) {
             this.name = name;
-            requestedAttributes = new ArrayList<String>(5);
+            requestedAttributes = new ArrayList<>(5);
         }
 
         String getName() {
@@ -311,7 +312,7 @@
                         + cacheMisses);
             }
             String cacheKey = name + "|" + attrId;
-            byte[][] values = (byte[][])valueCache.get(cacheKey);
+            byte[][] values = valueCache.get(cacheKey);
             if (values != null) {
                 cacheHits++;
                 return values;
@@ -347,7 +348,7 @@
                     System.out.println("LDAP requests: " + requests);
                 }
             }
-            valueMap = new HashMap<String, byte[][]>(8);
+            valueMap = new HashMap<>(8);
             String[] attrIds = requestedAttributes.toArray(STRING0);
             Attributes attrs;
             try {
@@ -429,10 +430,10 @@
 
         int n = encodedCert.length;
         if (n == 0) {
-            return Collections.<X509Certificate>emptySet();
+            return Collections.emptySet();
         }
 
-        List<X509Certificate> certs = new ArrayList<X509Certificate>(n);
+        List<X509Certificate> certs = new ArrayList<>(n);
         /* decode certs and check if they satisfy selector */
         for (int i = 0; i < n; i++) {
             ByteArrayInputStream bais = new ByteArrayInputStream(encodedCert[i]);
@@ -477,11 +478,10 @@
 
         int n = encodedCertPair.length;
         if (n == 0) {
-            return Collections.<X509CertificatePair>emptySet();
+            return Collections.emptySet();
         }
 
-        List<X509CertificatePair> certPairs =
-                                new ArrayList<X509CertificatePair>(n);
+        List<X509CertificatePair> certPairs = new ArrayList<>(n);
         /* decode each cert pair and add it to the Collection */
         for (int i = 0; i < n; i++) {
             try {
@@ -528,8 +528,7 @@
                                 getCertPairs(request, CROSS_CERT);
 
         // Find Certificates that match and put them in a list
-        ArrayList<X509Certificate> matchingCerts =
-                                        new ArrayList<X509Certificate>();
+        ArrayList<X509Certificate> matchingCerts = new ArrayList<>();
         for (X509CertificatePair certPair : certPairs) {
             X509Certificate cert;
             if (forward != null) {
@@ -587,7 +586,7 @@
         int basicConstraints = xsel.getBasicConstraints();
         String subject = xsel.getSubjectAsString();
         String issuer = xsel.getIssuerAsString();
-        HashSet<X509Certificate> certs = new HashSet<X509Certificate>();
+        HashSet<X509Certificate> certs = new HashSet<>();
         if (debug != null) {
             debug.println("LDAPCertStore.engineGetCertificates() basicConstraints: "
                 + basicConstraints);
@@ -706,10 +705,10 @@
 
         int n = encodedCRL.length;
         if (n == 0) {
-            return Collections.<X509CRL>emptySet();
+            return Collections.emptySet();
         }
 
-        List<X509CRL> crls = new ArrayList<X509CRL>(n);
+        List<X509CRL> crls = new ArrayList<>(n);
         /* decode each crl and check if it matches selector */
         for (int i = 0; i < n; i++) {
             try {
@@ -765,13 +764,13 @@
             throw new CertStoreException("need X509CRLSelector to find CRLs");
         }
         X509CRLSelector xsel = (X509CRLSelector) selector;
-        HashSet<X509CRL> crls = new HashSet<X509CRL>();
+        HashSet<X509CRL> crls = new HashSet<>();
 
         // Look in directory entry for issuer of cert we're checking.
         Collection<Object> issuerNames;
         X509Certificate certChecking = xsel.getCertificateChecking();
         if (certChecking != null) {
-            issuerNames = new HashSet<Object>();
+            issuerNames = new HashSet<>();
             X500Principal issuer = certChecking.getIssuerX500Principal();
             issuerNames.add(issuer.getName(X500Principal.RFC2253));
         } else {
@@ -796,7 +795,7 @@
                 issuerName = (String)nameObject;
             }
             // If all we want is CA certs, try to get the (probably shorter) ARL
-            Collection<X509CRL> entryCRLs = Collections.<X509CRL>emptySet();
+            Collection<X509CRL> entryCRLs = Collections.emptySet();
             if (certChecking == null || certChecking.getBasicConstraints() != -1) {
                 LDAPRequest request = new LDAPRequest(issuerName);
                 request.addRequestedAttribute(CROSS_CERT);
@@ -1028,9 +1027,9 @@
             throws IOException {
             this.selector = selector == null ? new X509CRLSelector() : selector;
             this.certIssuers = certIssuers;
-            issuerNames = new HashSet<Object>();
+            issuerNames = new HashSet<>();
             issuerNames.add(ldapDN);
-            issuers = new HashSet<X500Principal>();
+            issuers = new HashSet<>();
             issuers.add(new X500Name(ldapDN).asX500Principal());
         }
         // we only override the get (accessor methods) since the set methods
--- a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,11 +41,9 @@
  * LDAP implementation of CertStoreHelper.
  */
 
-public class LDAPCertStoreHelper
-    implements CertStoreHelper
+public final class LDAPCertStoreHelper
+    extends CertStoreHelper
 {
-    public LDAPCertStoreHelper() { }
-
     @Override
     public CertStore getCertStore(URI uri)
         throws NoSuchAlgorithmException, InvalidAlgorithmParameterException
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStore.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider.certpath.ssl;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.security.cert.CertSelector;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreException;
+import java.security.cert.CertStoreParameters;
+import java.security.cert.CertStoreSpi;
+import java.security.cert.CRLSelector;
+import java.security.cert.X509Certificate;
+import java.security.cert.X509CRL;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+/**
+ * A CertStore that retrieves an SSL server's certificate chain.
+ */
+public final class SSLServerCertStore extends CertStoreSpi {
+
+    private final URI uri;
+
+    SSLServerCertStore(URI uri) throws InvalidAlgorithmParameterException {
+        super(null);
+        this.uri = uri;
+    }
+
+    public synchronized Collection<X509Certificate> engineGetCertificates
+        (CertSelector selector) throws CertStoreException
+    {
+        try {
+            SSLContext sc = SSLContext.getInstance("SSL");
+            GetChainTrustManager xtm = new GetChainTrustManager();
+            sc.init(null, new TrustManager[] { xtm }, null);
+            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+            HttpsURLConnection.setDefaultHostnameVerifier(
+                new HostnameVerifier() {
+                    public boolean verify(String hostname, SSLSession session) {
+                        return true;
+                    }
+            });
+            uri.toURL().openConnection().connect();
+            return getMatchingCerts(xtm.serverChain, selector);
+        } catch (GeneralSecurityException | IOException e) {
+            throw new CertStoreException(e);
+        }
+    }
+
+    private static List<X509Certificate> getMatchingCerts
+        (List<X509Certificate> certs, CertSelector selector)
+    {
+        // if selector not specified, all certs match
+        if (selector == null) {
+            return certs;
+        }
+        List<X509Certificate> matchedCerts = new ArrayList<>(certs.size());
+        for (X509Certificate cert : certs) {
+            if (selector.match(cert)) {
+                matchedCerts.add(cert);
+            }
+        }
+        return matchedCerts;
+    }
+
+    public Collection<X509CRL> engineGetCRLs(CRLSelector selector)
+        throws CertStoreException
+    {
+        throw new UnsupportedOperationException();
+    }
+
+    static synchronized CertStore getInstance(URI uri)
+        throws InvalidAlgorithmParameterException
+    {
+        return new CS(new SSLServerCertStore(uri), null, "SSLServer", null);
+    }
+
+    /*
+     * An X509TrustManager that simply stores a reference to the server's
+     * certificate chain.
+     */
+    private static class GetChainTrustManager implements X509TrustManager {
+        private List<X509Certificate> serverChain;
+
+        public X509Certificate[] getAcceptedIssuers() {
+            throw new UnsupportedOperationException();
+        }
+
+        public void checkClientTrusted(X509Certificate[] chain,
+                                       String authType)
+            throws CertificateException
+        {
+            throw new UnsupportedOperationException();
+        }
+
+        public void checkServerTrusted(X509Certificate[] chain,
+                                       String authType)
+            throws CertificateException
+        {
+            this.serverChain = (chain == null)
+                               ? Collections.<X509Certificate>emptyList()
+                               : Arrays.asList(chain);
+        }
+    }
+
+    /**
+     * This class allows the SSLServerCertStore to be accessed as a CertStore.
+     */
+    private static class CS extends CertStore {
+        protected CS(CertStoreSpi spi, Provider p, String type,
+                     CertStoreParameters params)
+        {
+            super(spi, p, type, params);
+        }
+    }
+}
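Review bot: `engineGetCertificates` installs the chain-capturing trust manager and an always-true `HostnameVerifier` through `HttpsURLConnection.setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier`. Those are process-wide defaults, so after the first call every later `HttpsURLConnection` in the JVM that relies on them skips certificate and hostname validation. `GetChainTrustManager.checkServerTrusted` never rejects a chain, which is acceptable for collecting certificates only if it stays confined to this one connection, so the settings belong on the individual connection via `setSSLSocketFactory` and `setHostnameVerifier`, with the connection type checked before the cast. `xtm.serverChain` also needs a guard, since it stays null when `checkServerTrusted` is not invoked and `certs.size()` in `getMatchingCerts` would then throw. The returned chain is unvalidated, so the class comment should say that callers must run path validation on it.

```java
            sc.init(null, new TrustManager[] { xtm }, null);
            java.net.URLConnection conn = uri.toURL().openConnection();
            if (!(conn instanceof HttpsURLConnection)) {
                throw new IOException("not an HTTPS URI: " + uri);
            }
            HttpsURLConnection https = (HttpsURLConnection) conn;
            // Per-connection settings: the JVM-wide defaults stay untouched.
            https.setSSLSocketFactory(sc.getSocketFactory());
            https.setHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;    // chain is only collected here, not trusted
                }
            });
            try {
                https.connect();
            } finally {
                https.disconnect();
            }
            List<X509Certificate> chain = xtm.serverChain;
            if (chain == null) {
                throw new IOException("no server certificate chain received");
            }
            return getMatchingCerts(chain, selector);
            // … unchanged: catch (GeneralSecurityException | IOException e) …
```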
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStoreHelper.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider.certpath.ssl;
+
+import java.net.URI;
+import java.util.Collection;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.cert.CertStore;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509CRLSelector;
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+
+import sun.security.provider.certpath.CertStoreHelper;
+
+/**
+ * SSL implementation of CertStoreHelper.
+ */
+public final class SSLServerCertStoreHelper extends CertStoreHelper {
+
+    @Override
+    public CertStore getCertStore(URI uri)
+        throws NoSuchAlgorithmException, InvalidAlgorithmParameterException
+    {
+        return SSLServerCertStore.getInstance(uri);
+    }
+
+    @Override
+    public X509CertSelector wrap(X509CertSelector selector,
+                                 X500Principal certSubject,
+                                 String ldapDN)
+        throws IOException
+    {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public X509CRLSelector wrap(X509CRLSelector selector,
+                                Collection<X500Principal> certIssuers,
+                                String ldapDN)
+        throws IOException
+    {
+        throw new UnsupportedOperationException();
+    }
+}
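Review bot: Both `wrap` overrides throw `UnsupportedOperationException` although their signatures declare `IOException`, so a caller that handles only the checked exception, as the `ldapHelper.wrap` call site earlier in this diff does with `catch (IOException ioe)`, would let it escape unchecked. Nothing visible here routes an SSL store to `wrap`, so this may never trigger, but the contract should be written down. I would add a Javadoc line to each override, e.g. `/** Not supported for SSL server cert stores; always throws UnsupportedOperationException. */`. `getCertStore` also forwards the URI without looking at its scheme, so an `https` check there would reject unusable URIs early.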
--- a/jdk/src/share/classes/sun/security/ssl/CipherBox.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/ssl/CipherBox.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -305,9 +305,11 @@
                     byte[] buf = null;
                     int limit = bb.limit();
                     if (bb.hasArray()) {
+                        int arrayOffset = bb.arrayOffset();
                         buf = bb.array();
-                        System.arraycopy(buf, pos,
-                                buf, pos + prefix.length, limit - pos);
+                        System.arraycopy(buf, arrayOffset + pos,
+                            buf, arrayOffset + pos + prefix.length,
+                            limit - pos);
                         bb.limit(limit + prefix.length);
                     } else {
                         buf = new byte[limit - pos];
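Review bot: The shift now honours `arrayOffset`, but `System.arraycopy` still runs before `bb.limit(limit + prefix.length)`. When the buffer is a slice with fewer than `prefix.length` bytes of room after `limit`, the copy writes past the slice into the rest of the shared backing array before `limit()` can reject the new limit. Whether callers always leave that room is not visible here. Calling `bb.limit(limit + prefix.length);` before the copy (it throws IllegalArgumentException when the new limit exceeds capacity), or checking `bb.capacity() - limit >= prefix.length` first, keeps a short buffer from corrupting neighbouring data. The enclosing method starts and ends outside this hunk.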
@@ -491,9 +493,10 @@
                     byte[] buf = null;
                     int limit = bb.limit();
                     if (bb.hasArray()) {
+                        int arrayOffset = bb.arrayOffset();
                         buf = bb.array();
-                        System.arraycopy(buf, pos + blockSize,
-                                         buf, pos, limit - pos - blockSize);
+                        System.arraycopy(buf, arrayOffset + pos + blockSize,
+                            buf, arrayOffset + pos, limit - pos - blockSize);
                         bb.limit(limit - blockSize);
                     } else {
                         buf = new byte[limit - pos - blockSize];
--- a/jdk/src/share/classes/sun/security/ssl/SSLSessionContextImpl.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/ssl/SSLSessionContextImpl.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,11 +43,14 @@
 import javax.net.ssl.SSLSession;
 
 import sun.security.util.Cache;
+import sun.security.util.Cache.CacheVisitor;
 
 
 final class SSLSessionContextImpl implements SSLSessionContext {
-    private Cache sessionCache;         // session cache, session id as key
-    private Cache sessionHostPortCache; // session cache, "host:port" as key
+    private Cache<SessionId, SSLSessionImpl> sessionCache;
+                                        // session cache, session id as key
+    private Cache<String, SSLSessionImpl> sessionHostPortCache;
+                                        // session cache, "host:port" as key
     private int cacheLimit;             // the max cache size
     private int timeout;                // timeout in seconds
 
@@ -71,8 +74,7 @@
             throw new NullPointerException("session id cannot be null");
         }
 
-        SSLSessionImpl sess =
-                (SSLSessionImpl)sessionCache.get(new SessionId(sessionId));
+        SSLSessionImpl sess = sessionCache.get(new SessionId(sessionId));
         if (!isTimedout(sess)) {
             return sess;
         }
@@ -157,8 +159,7 @@
             return null;
         }
 
-        SSLSessionImpl sess =
-            (SSLSessionImpl)sessionHostPortCache.get(getKey(hostname, port));
+        SSLSessionImpl sess = sessionHostPortCache.get(getKey(hostname, port));
         if (!isTimedout(sess)) {
             return sess;
         }
@@ -193,7 +194,7 @@
 
     // package-private method, remove a cached SSLSession
     void remove(SessionId key) {
-        SSLSessionImpl s = (SSLSessionImpl)sessionCache.get(key);
+        SSLSessionImpl s = sessionCache.get(key);
         if (s != null) {
             sessionCache.remove(key);
             sessionHostPortCache.remove(
@@ -233,17 +234,17 @@
     }
 
     final class SessionCacheVisitor
-            implements sun.security.util.Cache.CacheVisitor {
+            implements Cache.CacheVisitor<SessionId, SSLSessionImpl> {
         Vector<byte[]> ids = null;
 
-        // public void visit(java.util.Map<Object, Object> map) {}
-        public void visit(java.util.Map<Object, Object> map) {
-            ids = new Vector<byte[]>(map.size());
+        // public void visit(java.util.Map<K,V> map) {}
+        public void visit(java.util.Map<SessionId, SSLSessionImpl> map) {
+            ids = new Vector<>(map.size());
 
-            for (Object key : map.keySet()) {
-                SSLSessionImpl value = (SSLSessionImpl)map.get(key);
+            for (SessionId key : map.keySet()) {
+                SSLSessionImpl value = map.get(key);
                 if (!isTimedout(value)) {
-                    ids.addElement(((SessionId)key).getId());
+                    ids.addElement(key.getId());
                 }
             }
         }
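Review bot: `visit` walks `map.keySet()` and then calls `map.get(key)` for each key; now that the map is typed, iterating the entries gives key and value in one step: `for (java.util.Map.Entry<SessionId, SSLSessionImpl> e : map.entrySet())`. The commented-out line `// public void visit(java.util.Map<K,V> map) {}` above the method is leftover and could be dropped. The class spells the interface as `Cache.CacheVisitor`, so the `import sun.security.util.Cache.CacheVisitor;` added at the top of the file looks unused unless other code refers to it.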
--- a/jdk/src/share/classes/sun/security/timestamp/HttpTimestamper.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/timestamp/HttpTimestamper.java	Wed Jul 05 17:54:13 2017 +0200
@@ -28,13 +28,13 @@
 import java.io.BufferedInputStream;
 import java.io.DataOutputStream;
 import java.io.IOException;
+import java.net.URI;
 import java.net.URL;
 import java.net.HttpURLConnection;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import sun.misc.IOUtils;
+import sun.security.util.Debug;
 
 /**
  * A timestamper that communicates with a Timestamping Authority (TSA)
@@ -58,20 +58,23 @@
     private static final String TS_REPLY_MIME_TYPE =
         "application/timestamp-reply";
 
-    private static final boolean DEBUG = false;
+    private static final Debug debug = Debug.getInstance("ts");
 
     /*
-     * HTTP URL identifying the location of the TSA
+     * HTTP URI identifying the location of the TSA
      */
-    private String tsaUrl = null;
+    private URI tsaURI = null;
 
     /**
      * Creates a timestamper that connects to the specified TSA.
      *
-     * @param tsa The location of the TSA. It must be an HTTP URL.
+     * @param tsa The location of the TSA. It must be an HTTP URI.
+     * @throws IllegalArgumentException if tsaURI is not an HTTP URI
      */
-    public HttpTimestamper(String tsaUrl) {
-        this.tsaUrl = tsaUrl;
+    public HttpTimestamper(URI tsaURI) {
+        if (!tsaURI.getScheme().equalsIgnoreCase("http"))
+            throw new IllegalArgumentException("TSA must be an HTTP URI");
+        this.tsaURI = tsaURI;
     }
 
     /**
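Review bot: `tsaURI.getScheme()` returns null for a relative URI, so the constructor fails with a NullPointerException rather than the IllegalArgumentException the new `@throws` line promises. Putting the literal first fixes it: `if (!"http".equalsIgnoreCase(tsaURI.getScheme()))`. The check also rejects `https`, which confines timestamp requests to cleartext HTTP; if that is deliberate, the Javadoc should say so. The `@param tsa` tag no longer matches the parameter name `tsaURI`.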
@@ -85,7 +88,7 @@
     public TSResponse generateTimestamp(TSRequest tsQuery) throws IOException {
 
         HttpURLConnection connection =
-            (HttpURLConnection) new URL(tsaUrl).openConnection();
+            (HttpURLConnection) tsaURI.toURL().openConnection();
         connection.setDoOutput(true);
         connection.setUseCaches(false); // ignore cache
         connection.setRequestProperty("Content-Type", TS_QUERY_MIME_TYPE);
@@ -93,15 +96,15 @@
         // Avoids the "hang" when a proxy is required but none has been set.
         connection.setConnectTimeout(CONNECT_TIMEOUT);
 
-        if (DEBUG) {
+        if (debug != null) {
             Set<Map.Entry<String, List<String>>> headers =
-                    connection.getRequestProperties().entrySet();
-            System.out.println(connection.getRequestMethod() + " " + tsaUrl +
+                connection.getRequestProperties().entrySet();
+            debug.println(connection.getRequestMethod() + " " + tsaURI +
                 " HTTP/1.1");
-            for (Map.Entry<String, List<String>> entry : headers) {
-                System.out.println("  " + entry);
+            for (Map.Entry<String, List<String>> e : headers) {
+                debug.println("  " + e);
             }
-            System.out.println();
+            debug.println();
         }
         connection.connect(); // No HTTP authentication is performed
 
@@ -112,8 +115,8 @@
             byte[] request = tsQuery.encode();
             output.write(request, 0, request.length);
             output.flush();
-            if (DEBUG) {
-                System.out.println("sent timestamp query (length=" +
+            if (debug != null) {
+                debug.println("sent timestamp query (length=" +
                         request.length + ")");
             }
         } finally {
@@ -127,17 +130,17 @@
         byte[] replyBuffer = null;
         try {
             input = new BufferedInputStream(connection.getInputStream());
-            if (DEBUG) {
+            if (debug != null) {
                 String header = connection.getHeaderField(0);
-                System.out.println(header);
+                debug.println(header);
                 int i = 1;
                 while ((header = connection.getHeaderField(i)) != null) {
                     String key = connection.getHeaderFieldKey(i);
-                    System.out.println("  " + ((key==null) ? "" : key + ": ") +
+                    debug.println("  " + ((key==null) ? "" : key + ": ") +
                         header);
                     i++;
                 }
-                System.out.println();
+                debug.println();
             }
             verifyMimeType(connection.getContentType());
 
@@ -145,8 +148,8 @@
             int contentLength = connection.getContentLength();
             replyBuffer = IOUtils.readFully(input, contentLength, false);
 
-            if (DEBUG) {
-                System.out.println("received timestamp response (length=" +
+            if (debug != null) {
+                debug.println("received timestamp response (length=" +
                         total + ")");
             }
         } finally {
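Review bot: The reply is read with a length taken from `connection.getContentLength()`, which the TSA controls, and no upper bound is visible in this hunk before `IOUtils.readFully(input, contentLength, false)` runs. The connection is made without HTTP authentication, so a cap ahead of the read would be prudent, for example `if (contentLength > MAX_REPLY_SIZE) throw new IOException("timestamp response too large");`, where `MAX_REPLY_SIZE` is a placeholder for a constant this class would define. The behaviour when the Content-Length header is absent should also be stated in a comment. The enclosing method starts and ends outside the hunk, so an existing limit elsewhere cannot be ruled out.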
--- a/jdk/src/share/classes/sun/security/timestamp/TSRequest.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/timestamp/TSRequest.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,10 +27,13 @@
 
 import java.io.IOException;
 import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Extension;
 import sun.security.util.DerValue;
 import sun.security.util.DerOutputStream;
 import sun.security.util.ObjectIdentifier;
+import sun.security.x509.AlgorithmId;
 
 /**
  * This class provides a timestamp request, as defined in
@@ -64,24 +67,9 @@
 
 public class TSRequest {
 
-    private static final ObjectIdentifier SHA1_OID;
-    private static final ObjectIdentifier MD5_OID;
-    static {
-        ObjectIdentifier sha1 = null;
-        ObjectIdentifier md5 = null;
-        try {
-            sha1 = new ObjectIdentifier("1.3.14.3.2.26");
-            md5 = new ObjectIdentifier("1.2.840.113549.2.5");
-        } catch (IOException ioe) {
-            // should not happen
-        }
-        SHA1_OID = sha1;
-        MD5_OID = md5;
-    }
-
     private int version = 1;
 
-    private ObjectIdentifier hashAlgorithmId = null;
+    private AlgorithmId hashAlgorithmId = null;
 
     private byte[] hashValue;
 
@@ -94,30 +82,21 @@
     private X509Extension[] extensions = null;
 
     /**
-     * Constructs a timestamp request for the supplied hash value..
+     * Constructs a timestamp request for the supplied data.
      *
-     * @param hashValue     The hash value. This is the data to be timestamped.
-     * @param hashAlgorithm The name of the hash algorithm.
+     * @param toBeTimeStamped  The data to be timestamped.
+     * @param messageDigest The MessageDigest of the hash algorithm to use.
+     * @throws NoSuchAlgorithmException if the hash algorithm is not supported
      */
-    public TSRequest(byte[] hashValue, String hashAlgorithm) {
+    public TSRequest(byte[] toBeTimeStamped, MessageDigest messageDigest)
+        throws NoSuchAlgorithmException {
 
-        // Check the common hash algorithms
-        if ("MD5".equalsIgnoreCase(hashAlgorithm)) {
-            hashAlgorithmId = MD5_OID;
-            // Check that the hash value matches the hash algorithm
-            assert hashValue.length == 16;
+        this.hashAlgorithmId = AlgorithmId.get(messageDigest.getAlgorithm());
+        this.hashValue = messageDigest.digest(toBeTimeStamped);
+    }
 
-        } else if ("SHA-1".equalsIgnoreCase(hashAlgorithm) ||
-            "SHA".equalsIgnoreCase(hashAlgorithm) ||
-            "SHA1".equalsIgnoreCase(hashAlgorithm)) {
-            hashAlgorithmId = SHA1_OID;
-            // Check that the hash value matches the hash algorithm
-            assert hashValue.length == 20;
-
-        }
-        // Clone the hash value
-        this.hashValue = new byte[hashValue.length];
-        System.arraycopy(hashValue, 0, this.hashValue, 0, hashValue.length);
+    public byte[] getHashedMessage() {
+        return hashValue.clone();
     }
 
     /**
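Review bot: The new constructor's Javadoc does not say that `messageDigest.digest(toBeTimeStamped)` also hashes any bytes the caller has already fed to `messageDigest` through update(), nor that the caller's digest object is reset afterwards. A caller that passes a partly used digest would send a message imprint that does not match the data it meant to timestamp. I would either call `messageDigest.reset();` before digesting or document it as `@param messageDigest a freshly initialised MessageDigest; it is consumed by this call`. The new public `getHashedMessage()` has no Javadoc; one line stating that it returns a copy of the hash sent as the message imprint would do. The hash algorithm is whatever the caller supplies, so any policy on acceptable algorithms has to be enforced by the caller.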
@@ -176,9 +155,7 @@
 
         // encode messageImprint
         DerOutputStream messageImprint = new DerOutputStream();
-        DerOutputStream hashAlgorithm = new DerOutputStream();
-        hashAlgorithm.putOID(hashAlgorithmId);
-        messageImprint.write(DerValue.tag_Sequence, hashAlgorithm);
+        hashAlgorithmId.encode(messageImprint);
         messageImprint.putOctetString(hashValue);
         request.write(DerValue.tag_Sequence, messageImprint);
 
--- a/jdk/src/share/classes/sun/security/timestamp/TSResponse.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/timestamp/TSResponse.java	Wed Jul 05 17:54:13 2017 +0200
@@ -27,6 +27,7 @@
 
 import java.io.IOException;
 import sun.security.pkcs.PKCS7;
+import sun.security.util.Debug;
 import sun.security.util.DerValue;
 
 /**
@@ -175,18 +176,20 @@
      */
     public static final int SYSTEM_FAILURE = 25;
 
-    private static final boolean DEBUG = false;
+    private static final Debug debug = Debug.getInstance("ts");
 
     private int status;
 
     private String[] statusString = null;
 
-    private int failureInfo = -1;
+    private boolean[] failureInfo = null;
 
     private byte[] encodedTsToken = null;
 
     private PKCS7 tsToken = null;
 
+    private TimestampToken tstInfo;
+
     /**
      * Constructs an object to store the response to a timestamp request.
      *
@@ -215,11 +218,11 @@
     }
 
     /**
-     * Retrieve the failure code returned by the TSA.
+     * Retrieve the failure info returned by the TSA.
      *
-     * @return If -1 then no failure code was received.
+     * @return the failure info, or null if no failure code was received.
      */
-    public int getFailureCode() {
+    public boolean[] getFailureInfo() {
         return failureInfo;
     }
 
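Review bot: `getFailureInfo()` returns the internal `failureInfo` array itself, so a caller can alter the bits that `getFailureCodeAsText()` later reads. `TSRequest.getHashedMessage()` in this same changeset returns a clone instead. I would return a copy here too, `return failureInfo == null ? null : failureInfo.clone();`. The Javadoc should also say that the array length follows the bit string the TSA sent, so callers must check the length before indexing with constants such as `SYSTEM_FAILURE`.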
@@ -250,42 +253,38 @@
         }
     }
 
+    private boolean isSet(int position) {
+        return failureInfo[position];
+    }
+
     public String getFailureCodeAsText() {
 
-        if (failureInfo == -1) {
-            return null;
+        if (failureInfo == null) {
+            return "";
         }
 
-        switch (failureInfo)  {
-
-        case BAD_ALG:
-            return "Unrecognized or unsupported alrorithm identifier.";
-
-        case BAD_REQUEST:
-            return "The requested transaction is not permitted or supported.";
-
-        case BAD_DATA_FORMAT:
-            return "The data submitted has the wrong format.";
-
-        case TIME_NOT_AVAILABLE:
-            return "The TSA's time source is not available.";
+        try {
+            if (isSet(BAD_ALG))
+                return "Unrecognized or unsupported algorithm identifier.";
+            if (isSet(BAD_REQUEST))
+                return "The requested transaction is not permitted or " +
+                       "supported.";
+            if (isSet(BAD_DATA_FORMAT))
+                return "The data submitted has the wrong format.";
+            if (isSet(TIME_NOT_AVAILABLE))
+                return "The TSA's time source is not available.";
+            if (isSet(UNACCEPTED_POLICY))
+                return "The requested TSA policy is not supported by the TSA.";
+            if (isSet(UNACCEPTED_EXTENSION))
+                return "The requested extension is not supported by the TSA.";
+            if (isSet(ADD_INFO_NOT_AVAILABLE))
+                return "The additional information requested could not be " +
+                       "understood or is not available.";
+            if (isSet(SYSTEM_FAILURE))
+                return "The request cannot be handled due to system failure.";
+        } catch (ArrayIndexOutOfBoundsException ex) {}
 
-        case UNACCEPTED_POLICY:
-            return "The requested TSA policy is not supported by the TSA.";
-
-        case UNACCEPTED_EXTENSION:
-            return "The requested extension is not supported by the TSA.";
-
-        case ADD_INFO_NOT_AVAILABLE:
-            return "The additional information requested could not be " +
-                "understood or is not available.";
-
-        case SYSTEM_FAILURE:
-            return "The request cannot be handled due to system failure.";
-
-        default:
-            return ("unknown status code " + status);
-        }
+        return ("unknown failure code");
     }
 
     /**
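Review bot: `isSet(int)` indexes `failureInfo` without a bounds check, and `getFailureCodeAsText()` relies on an empty `catch (ArrayIndexOutOfBoundsException ex) {}` to cope with a short bit string from the TSA. Moving the check into the helper, `return position < failureInfo.length && failureInfo[position];`, removes the need for the try/catch and stops it hiding an unrelated indexing bug. The method has no Javadoc, and two behaviour changes deserve a line there. The no-failure case now returns `""` where it used to return null, and only the first set bit in the listed order is reported even if the TSA set several.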
@@ -297,6 +296,10 @@
         return tsToken;
     }
 
+    public TimestampToken getTimestampToken() {
+        return tstInfo;
+    }
+
     /**
      * Retrieve the ASN.1 BER encoded timestamp token returned by the TSA.
      *
@@ -323,29 +326,30 @@
 
         // Parse status
 
-        DerValue status = derValue.data.getDerValue();
-        // Parse status
-        this.status = status.data.getInteger();
-        if (DEBUG) {
-            System.out.println("timestamp response: status=" + this.status);
+        DerValue statusInfo = derValue.data.getDerValue();
+        this.status = statusInfo.data.getInteger();
+        if (debug != null) {
+            debug.println("timestamp response: status=" + this.status);
         }
         // Parse statusString, if present
-        if (status.data.available() > 0) {
-            DerValue[] strings = status.data.getSequence(1);
-            statusString = new String[strings.length];
-            for (int i = 0; i < strings.length; i++) {
-                statusString[i] = strings[i].data.getUTF8String();
+        if (statusInfo.data.available() > 0) {
+            byte tag = (byte)statusInfo.data.peekByte();
+            if (tag == DerValue.tag_SequenceOf) {
+                DerValue[] strings = statusInfo.data.getSequence(1);
+                statusString = new String[strings.length];
+                for (int i = 0; i < strings.length; i++) {
+                    statusString[i] = strings[i].getUTF8String();
+                    if (debug != null) {
+                        debug.println("timestamp response: statusString=" +
+                                      statusString[i]);
+                    }
+                }
             }
         }
         // Parse failInfo, if present
-        if (status.data.available() > 0) {
-            byte[] failInfo = status.data.getBitString();
-            int failureInfo = (new Byte(failInfo[0])).intValue();
-            if (failureInfo < 0 || failureInfo > 25 || failInfo.length != 1) {
-                throw new IOException("Bad encoding for timestamp response: " +
-                    "unrecognized value for the failInfo element");
-            }
-            this.failureInfo = failureInfo;
+        if (statusInfo.data.available() > 0) {
+            this.failureInfo
+                = statusInfo.data.getUnalignedBitString().toBooleanArray();
         }
 
         // Parse timeStampToken, if present
@@ -353,6 +357,7 @@
             DerValue timestampToken = derValue.data.getDerValue();
             encodedTsToken = timestampToken.toByteArray();
             tsToken = new PKCS7(encodedTsToken);
+            tstInfo = new TimestampToken(tsToken.getContentInfo().getData());
         }
 
         // Check the format of the timestamp response
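Review bot: `tstInfo` is built from `tsToken.getContentInfo().getData()` as soon as the response is parsed, and nothing in this hunk verifies the PKCS7 signature first. `getTimestampToken()`, added in the earlier hunk without Javadoc, can therefore return fields taken straight from the TSA's unverified reply. I would document that on the getter, for example `Returns the TSTInfo parsed from the response; its contents are not authenticated until the signature on the enclosing PKCS7 token has been verified.` Whether `getData()` can return null or content of another type is not visible here, so a check before constructing `TimestampToken` may also be needed. parse() starts and ends outside this hunk.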
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,313 @@
+/*
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.tools;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateEncodingException;
+import java.security.*;
+import java.util.Date;
+
+import sun.security.pkcs10.PKCS10;
+import sun.security.x509.AlgorithmId;
+import sun.security.x509.CertificateAlgorithmId;
+import sun.security.x509.CertificateIssuerName;
+import sun.security.x509.CertificateSerialNumber;
+import sun.security.x509.CertificateSubjectName;
+import sun.security.x509.CertificateValidity;
+import sun.security.x509.CertificateVersion;
+import sun.security.x509.CertificateX509Key;
+import sun.security.x509.X500Name;
+import sun.security.x509.X509CertImpl;
+import sun.security.x509.X509CertInfo;
+import sun.security.x509.X509Key;
+
+
+/**
+ * Generate a pair of keys, and provide access to them.  This class is
+ * provided primarily for ease of use.
+ *
+ * <P>This provides some simple certificate management functionality.
+ * Specifically, it allows you to create self-signed X.509 certificates
+ * as well as PKCS 10 based certificate signing requests.
+ *
+ * <P>Keys for some public key signature algorithms have algorithm
+ * parameters, such as DSS/DSA.  Some sites' Certificate Authorities
+ * adopt fixed algorithm parameters, which speeds up some operations
+ * including key generation and signing.  <em>At this time, this interface
+ * does not provide a way to provide such algorithm parameters, e.g.
+ * by providing the CA certificate which includes those parameters.</em>
+ *
+ * <P>Also, note that at this time only signature-capable keys may be
+ * acquired through this interface.  Diffie-Hellman keys, used for secure
+ * key exchange, may be supported later.
+ *
+ * @author David Brownell
+ * @author Hemma Prafullchandra
+ * @see PKCS10
+ * @see X509CertImpl
+ */
+public final class CertAndKeyGen {
+    /**
+     * Creates a CertAndKeyGen object for a particular key type
+     * and signature algorithm.
+     *
+     * @param keyType type of key, e.g. "RSA", "DSA"
+     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
+     *          "MD2WithRSA", "SHAwithDSA".
+     * @exception NoSuchAlgorithmException on unrecognized algorithms.
+     */
+    public CertAndKeyGen (String keyType, String sigAlg)
+    throws NoSuchAlgorithmException
+    {
+        keyGen = KeyPairGenerator.getInstance(keyType);
+        this.sigAlg = sigAlg;
+    }
+
+    /**
+     * Creates a CertAndKeyGen object for a particular key type,
+     * signature algorithm, and provider.
+     *
+     * @param keyType type of key, e.g. "RSA", "DSA"
+     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
+     *          "MD2WithRSA", "SHAwithDSA".
+     * @param providerName name of the provider
+     * @exception NoSuchAlgorithmException on unrecognized algorithms.
+     * @exception NoSuchProviderException on unrecognized providers.
+     */
+    public CertAndKeyGen (String keyType, String sigAlg, String providerName)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+    {
+        if (providerName == null) {
+            keyGen = KeyPairGenerator.getInstance(keyType);
+        } else {
+            try {
+                keyGen = KeyPairGenerator.getInstance(keyType, providerName);
+            } catch (Exception e) {
+                // try first available provider instead
+                keyGen = KeyPairGenerator.getInstance(keyType);
+            }
+        }
+        this.sigAlg = sigAlg;
+    }
+
+    /**
+     * Sets the source of random numbers used when generating keys.
+     * If you do not provide one, a system default facility is used.
+     * You may wish to provide your own source of random numbers
+     * to get a reproducible sequence of keys and signatures, or
+     * because you may be able to take advantage of strong sources
+     * of randomness/entropy in your environment.
+     */
+    public void         setRandom (SecureRandom generator)
+    {
+        prng = generator;
+    }
+
+    // want "public void generate (X509Certificate)" ... inherit DSA/D-H param
+
+    /**
+     * Generates a random public/private key pair, with a given key
+     * size.  Different algorithms provide different degrees of security
+     * for the same key size, because of the "work factor" involved in
+     * brute force attacks.  As computers become faster, it becomes
+     * easier to perform such attacks.  Small keys are to be avoided.
+     *
+     * <P>Note that not all values of "keyBits" are valid for all
+     * algorithms, and not all public key algorithms are currently
+     * supported for use in X.509 certificates.  If the algorithm
+     * you specified does not produce X.509 compatible keys, an
+     * invalid key exception is thrown.
+     *
+     * @param keyBits the number of bits in the keys.
+     * @exception InvalidKeyException if the environment does not
+     *  provide X.509 public keys for this signature algorithm.
+     */
+    public void generate (int keyBits)
+    throws InvalidKeyException
+    {
+        KeyPair pair;
+
+        try {
+            if (prng == null) {
+                prng = new SecureRandom();
+            }
+            keyGen.initialize(keyBits, prng);
+            pair = keyGen.generateKeyPair();
+
+        } catch (Exception e) {
+            throw new IllegalArgumentException(e.getMessage());
+        }
+
+        publicKey = pair.getPublic();
+        privateKey = pair.getPrivate();
+    }
+
+
+    /**
+     * Returns the public key of the generated key pair if it is of type
+     * <code>X509Key</code>, or null if the public key is of a different type.
+     *
+     * XXX Note: This behaviour is needed for backwards compatibility.
+     * What this method really should return is the public key of the
+     * generated key pair, regardless of whether or not it is an instance of
+     * <code>X509Key</code>. Accordingly, the return type of this method
+     * should be <code>PublicKey</code>.
+     */
+    public X509Key getPublicKey()
+    {
+        if (!(publicKey instanceof X509Key)) {
+            return null;
+        }
+        return (X509Key)publicKey;
+    }
+
+
+    /**
+     * Returns the private key of the generated key pair.
+     *
+     * <P><STRONG><em>Be extremely careful when handling private keys.
+     * When private keys are not kept secret, they lose their ability
+     * to securely authenticate specific entities ... that is a huge
+     * security risk!</em></STRONG>
+     */
+    public PrivateKey getPrivateKey ()
+    {
+        return privateKey;
+    }
+
+
+    /**
+     * Returns a self-signed X.509v3 certificate for the public key.
+     * The certificate is immediately valid. No extensions.
+     *
+     * <P>Such certificates normally are used to identify a "Certificate
+     * Authority" (CA).  Accordingly, they will not always be accepted by
+     * other parties.  However, such certificates are also useful when
+     * you are bootstrapping your security infrastructure, or deploying
+     * system prototypes.
+     *
+     * @param myname X.500 name of the subject (who is also the issuer)
+     * @param firstDate the issue time of the certificate
+     * @param validity how long the certificate should be valid, in seconds
+     * @exception CertificateException on certificate handling errors.
+     * @exception InvalidKeyException on key handling errors.
+     * @exception SignatureException on signature handling errors.
+     * @exception NoSuchAlgorithmException on unrecognized algorithms.
+     * @exception NoSuchProviderException on unrecognized providers.
+     */
+    public X509Certificate getSelfCertificate (
+            X500Name myname, Date firstDate, long validity)
+    throws CertificateException, InvalidKeyException, SignatureException,
+        NoSuchAlgorithmException, NoSuchProviderException
+    {
+        X509CertImpl    cert;
+        Date            lastDate;
+
+        try {
+            lastDate = new Date ();
+            lastDate.setTime (firstDate.getTime () + validity * 1000);
+
+            CertificateValidity interval =
+                                   new CertificateValidity(firstDate,lastDate);
+
+            X509CertInfo info = new X509CertInfo();
+            // Add all mandatory attributes
+            info.set(X509CertInfo.VERSION,
+                     new CertificateVersion(CertificateVersion.V3));
+            info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
+                    new java.util.Random().nextInt() & 0x7fffffff));
+            AlgorithmId algID = AlgorithmId.get(sigAlg);
+            info.set(X509CertInfo.ALGORITHM_ID,
+                     new CertificateAlgorithmId(algID));
+            info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
+            info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
+            info.set(X509CertInfo.VALIDITY, interval);
+            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
+
+            cert = new X509CertImpl(info);
+            cert.sign(privateKey, this.sigAlg);
+
+            return (X509Certificate)cert;
+
+        } catch (IOException e) {
+             throw new CertificateEncodingException("getSelfCert: " +
+                                                    e.getMessage());
+        }
+    }
+
+    // Keep the old method
+    public X509Certificate getSelfCertificate (X500Name myname, long validity)
+    throws CertificateException, InvalidKeyException, SignatureException,
+        NoSuchAlgorithmException, NoSuchProviderException
+    {
+        return getSelfCertificate(myname, new Date(), validity);
+    }
+
+    /**
+     * Returns a PKCS #10 certificate request.  The caller uses either
+     * <code>PKCS10.print</code> or <code>PKCS10.toByteArray</code>
+     * operations on the result, to get the request in an appropriate
+     * transmission format.
+     *
+     * <P>PKCS #10 certificate requests are sent, along with some proof
+     * of identity, to Certificate Authorities (CAs) which then issue
+     * X.509 public key certificates.
+     *
+     * @param myname X.500 name of the subject
+     * @exception InvalidKeyException on key handling errors.
+     * @exception SignatureException on signature handling errors.
+     */
+    public PKCS10 getCertRequest (X500Name myname)
+    throws InvalidKeyException, SignatureException
+    {
+        PKCS10  req = new PKCS10 (publicKey);
+
+        try {
+            Signature signature = Signature.getInstance(sigAlg);
+            signature.initSign (privateKey);
+            req.encodeAndSign(myname, signature);
+
+        } catch (CertificateException e) {
+            throw new SignatureException (sigAlg + " CertificateException");
+
+        } catch (IOException e) {
+            throw new SignatureException (sigAlg + " IOException");
+
+        } catch (NoSuchAlgorithmException e) {
+            // "can't happen"
+            throw new SignatureException (sigAlg + " unavailable?");
+        }
+        return req;
+    }
+
+    private SecureRandom        prng;
+    private String              sigAlg;
+    private KeyPairGenerator    keyGen;
+    private PublicKey           publicKey;
+    private PrivateKey          privateKey;
+}
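Review bot: The three-argument constructor catches every exception from `KeyPairGenerator.getInstance(keyType, providerName)` and silently falls back to the default provider. A caller that names a specific provider can therefore get keys from a different one, and the declared `NoSuchProviderException` is never thrown. If the fallback is intended, the Javadoc should say so; otherwise drop the try/catch and let the exceptions propagate. In `getSelfCertificate` the serial number comes from `new java.util.Random().nextInt() & 0x7fffffff`, a 31-bit value from a non-cryptographic generator, where the class already holds a `SecureRandom` in `prng` that could supply it. `generate` rethrows as `IllegalArgumentException(e.getMessage())` and `getCertRequest` builds fresh `SignatureException`s, both dropping the original cause.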
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1277,11 +1277,10 @@
                     System.out.println(rb.getString("TSA.location.") + tsaUrl);
                 }
                 if (tsaCert != null) {
-                    String certUrl =
-                        TimestampedSigner.getTimestampingUrl(tsaCert);
-                    if (certUrl != null) {
+                    URI tsaURI = TimestampedSigner.getTimestampingURI(tsaCert);
+                    if (tsaURI != null) {
                         System.out.println(rb.getString("TSA.location.") +
-                            certUrl);
+                            tsaURI);
                     }
                     System.out.println(rb.getString("TSA.certificate.") +
                         printCert("", tsaCert, false, 0, false));
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java	Wed Jul 05 17:54:13 2017 +0200
@@ -38,10 +38,12 @@
 import java.security.Timestamp;
 import java.security.UnrecoverableEntryException;
 import java.security.UnrecoverableKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.Provider;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertStoreException;
 import java.security.cert.CRL;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
@@ -63,23 +65,16 @@
 import javax.security.auth.x500.X500Principal;
 import sun.misc.BASE64Encoder;
 import sun.security.util.ObjectIdentifier;
-import sun.security.pkcs.PKCS10;
+import sun.security.pkcs10.PKCS10;
+import sun.security.pkcs10.PKCS10Attribute;
 import sun.security.provider.X509Factory;
+import sun.security.provider.certpath.CertStoreHelper;
 import sun.security.util.Password;
-import sun.security.util.PathList;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 import sun.misc.BASE64Decoder;
-import sun.security.pkcs.PKCS10Attribute;
 import sun.security.pkcs.PKCS9Attribute;
-import sun.security.provider.certpath.ldap.LDAPCertStoreHelper;
 import sun.security.util.DerValue;
 import sun.security.x509.*;
 
@@ -917,18 +912,13 @@
 
         // Perform the specified command
         if (command == CERTREQ) {
-            PrintStream ps = null;
             if (filename != null) {
-                ps = new PrintStream(new FileOutputStream
-                                                 (filename));
-                out = ps;
-            }
-            try {
+                try (PrintStream ps = new PrintStream(new FileOutputStream
+                                                      (filename))) {
+                    doCertReq(alias, sigAlgName, ps);
+                }
+            } else {
                 doCertReq(alias, sigAlgName, out);
-            } finally {
-                if (ps != null) {
-                    ps.close();
-                }
             }
             if (verbose && filename != null) {
                 MessageFormat form = new MessageFormat(rb.getString
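Review bot: `PrintStream` does not throw on a write failure, so inside the new `try (PrintStream ps = ...)` block a failed write of the certificate request to `filename` goes unnoticed, and the verbose message that follows is still printed. Checking the stream after the call would surface the failure: `if (ps.checkError()) throw new IOException(filename);`, with the message text taken from the resource bundle as the rest of the tool does. The same applies to the `doExportCert(alias, ps)` and `doGenCRL(ps)` blocks in the later hunks of this file. The enclosing method starts and ends outside the hunk.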
@@ -941,18 +931,13 @@
             doDeleteEntry(alias);
             kssave = true;
         } else if (command == EXPORTCERT) {
-            PrintStream ps = null;
             if (filename != null) {
-                ps = new PrintStream(new FileOutputStream
-                                                 (filename));
-                out = ps;
-            }
-            try {
+                try (PrintStream ps = new PrintStream(new FileOutputStream
+                                                   (filename))) {
+                    doExportCert(alias, ps);
+                }
+            } else {
                 doExportCert(alias, out);
-            } finally {
-                if (ps != null) {
-                    ps.close();
-                }
             }
             if (filename != null) {
                 MessageFormat form = new MessageFormat(rb.getString
@@ -973,16 +958,12 @@
             doGenSecretKey(alias, keyAlgName, keysize);
             kssave = true;
         } else if (command == IDENTITYDB) {
-            InputStream inStream = System.in;
             if (filename != null) {
-                inStream = new FileInputStream(filename);
-            }
-            try {
-                doImportIdentityDatabase(inStream);
-            } finally {
-                if (inStream != System.in) {
-                    inStream.close();
+                try (InputStream inStream = new FileInputStream(filename)) {
+                    doImportIdentityDatabase(inStream);
                 }
+            } else {
+                doImportIdentityDatabase(System.in);
             }
         } else if (command == IMPORTCERT) {
             InputStream inStream = System.in;
@@ -1101,29 +1082,21 @@
             if (alias == null) {
                 alias = keyAlias;
             }
-            PrintStream ps = null;
             if (filename != null) {
-                ps = new PrintStream(new FileOutputStream(filename));
-                out = ps;
-            }
-            try {
+                try (PrintStream ps =
+                         new PrintStream(new FileOutputStream(filename))) {
+                    doGenCRL(ps);
+                }
+            } else {
                 doGenCRL(out);
-            } finally {
-                if (ps != null) {
-                    ps.close();
-                }
             }
         } else if (command == PRINTCERTREQ) {
-            InputStream inStream = System.in;
             if (filename != null) {
-                inStream = new FileInputStream(filename);
-            }
-            try {
-                doPrintCertReq(inStream, out);
-            } finally {
-                if (inStream != System.in) {
-                    inStream.close();
+                try (InputStream inStream = new FileInputStream(filename)) {
+                    doPrintCertReq(inStream, out);
                 }
+            } else {
+                doPrintCertReq(System.in, out);
             }
         } else if (command == PRINTCRL) {
             doPrintCRL(filename, out);
@@ -2070,12 +2043,13 @@
                 }
             }
         } else {    // must be LDAP, and uri is not null
+            // Lazily load LDAPCertStoreHelper if present
+            CertStoreHelper helper = CertStoreHelper.getInstance("LDAP");
             String path = uri.getPath();
             if (path.charAt(0) == '/') path = path.substring(1);
-            LDAPCertStoreHelper h = new LDAPCertStoreHelper();
-            CertStore s = h.getCertStore(uri);
+            CertStore s = helper.getCertStore(uri);
             X509CRLSelector sel =
-                    h.wrap(new X509CRLSelector(), null, path);
+                    helper.wrap(new X509CRLSelector(), null, path);
             return s.getCRLs(sel);
         }
     }
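Review bot: `path.charAt(0)` throws StringIndexOutOfBoundsException when `uri.getPath()` is empty, which is what an LDAP URI without a path component yields. `if (path.startsWith("/")) path = path.substring(1);` avoids that, and a null check is needed as well if an opaque URI can reach this branch. `CertStoreHelper.getInstance("LDAP")` is now a lookup that may fail when the helper is absent. The method's declared exceptions are outside this hunk, so it is worth confirming that such a failure reaches the user as a readable error.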
@@ -2259,18 +2233,12 @@
             int pos = 0;
             while (entries.hasMoreElements()) {
                 JarEntry je = entries.nextElement();
-                InputStream is = null;
-                try {
-                    is = jf.getInputStream(je);
+                try (InputStream is = jf.getInputStream(je)) {
                     while (is.read(buffer) != -1) {
                         // we just read. this will throw a SecurityException
                         // if a signature/digest check fails. This also
                         // populate the signers
                     }
-                } finally {
-                    if (is != null) {
-                        is.close();
-                    }
                 }
                 CodeSigner[] signers = je.getCodeSigners();
                 if (signers != null) {
@@ -2316,85 +2284,52 @@
                 out.println(rb.getString("Not.a.signed.jar.file"));
             }
         } else if (sslserver != null) {
-            SSLContext sc = SSLContext.getInstance("SSL");
-            final boolean[] certPrinted = new boolean[1];
-            sc.init(null, new TrustManager[] {
-                new X509TrustManager() {
-
-                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                        return null;
-                    }
-
-                    public void checkClientTrusted(
-                        java.security.cert.X509Certificate[] certs, String authType) {
+            // Lazily load SSLCertStoreHelper if present
+            CertStoreHelper helper = CertStoreHelper.getInstance("SSLServer");
+            CertStore cs = helper.getCertStore(new URI("https://" + sslserver));
+            Collection<? extends Certificate> chain;
+            try {
+                chain = cs.getCertificates(null);
+                if (chain.isEmpty()) {
+                    // If the certs are not retrieved, we consider it an error
+                    // even if the URL connection is successful.
+                    throw new Exception(rb.getString(
+                                        "No.certificate.from.the.SSL.server"));
+                }
+            } catch (CertStoreException cse) {
+                if (cse.getCause() instanceof IOException) {
+                    throw new Exception(rb.getString(
+                                        "No.certificate.from.the.SSL.server"),
+                                        cse.getCause());
+                } else {
+                    throw cse;
+                }
+            }
+
+            int i = 0;
+            for (Certificate cert : chain) {
+                try {
+                    if (rfc) {
+                        dumpCert(cert, out);
+                    } else {
+                        out.println("Certificate #" + i++);
+                        out.println("====================================");
+                        printX509Cert((X509Certificate)cert, out);
+                        out.println();
                     }
-
-                    public void checkServerTrusted(
-                            java.security.cert.X509Certificate[] certs, String authType) {
-                        for (int i=0; i<certs.length; i++) {
-                            X509Certificate cert = certs[i];
-                            try {
-                                if (rfc) {
-                                    dumpCert(cert, out);
-                                } else {
-                                    out.println("Certificate #" + i);
-                                    out.println("====================================");
-                                    printX509Cert(cert, out);
-                                    out.println();
-                                }
-                            } catch (Exception e) {
-                                if (debug) {
-                                    e.printStackTrace();
-                                }
-                            }
-                        }
-
-                        // Set to true where there's something to print
-                        if (certs.length > 0) {
-                            certPrinted[0] = true;
-                        }
+                } catch (Exception e) {
+                    if (debug) {
+                        e.printStackTrace();
                     }
                 }
-            }, null);
-            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-            HttpsURLConnection.setDefaultHostnameVerifier(
-                    new HostnameVerifier() {
-                        public boolean verify(String hostname, SSLSession session) {
-                            return true;
-                        }
-                    });
-            // HTTPS instead of raw SSL, so that -Dhttps.proxyHost and
-            // -Dhttps.proxyPort can be used. Since we only go through
-            // the handshake process, an HTTPS server is not needed.
-            // This program should be able to deal with any SSL-based
-            // network service.
-            Exception ex = null;
-            try {
-                new URL("https://" + sslserver).openConnection().connect();
-            } catch (Exception e) {
-                ex = e;
-            }
-            // If the certs are not printed out, we consider it an error even
-            // if the URL connection is successful.
-            if (!certPrinted[0]) {
-                Exception e = new Exception(
-                        rb.getString("No.certificate.from.the.SSL.server"));
-                if (ex != null) {
-                    e.initCause(ex);
-                }
-                throw e;
             }
         } else {
-            InputStream inStream = System.in;
             if (filename != null) {
-                inStream = new FileInputStream(filename);
-            }
-            try {
-                printCertFromStream(inStream, out);
-            } finally {
-                if (inStream != System.in) {
-                    inStream.close();
+                try (FileInputStream inStream = new FileInputStream(filename)) {
+                    printCertFromStream(inStream, out);
                 }
+            } else {
+                printCertFromStream(System.in, out);
             }
         }
     }
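Review bot: The new `(X509Certificate)cert` cast sits inside the `catch (Exception e)` that only prints when `debug` is set, so a ClassCastException or any printing failure is dropped silently. The command can then finish with a non-empty chain but nothing printed. An `instanceof X509Certificate` check before the cast, with a message on the failure path, would make that case visible. A short comment that the chain is printed as presented by the server, without implying it was validated, would also help. The removed code accepted any chain and host name, and what the `SSLServer` helper does is not visible in this hunk.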
@@ -2590,9 +2525,7 @@
         X509Certificate cert = null;
         try {
             cert = (X509Certificate)cf.generateCertificate(in);
-        } catch (ClassCastException cce) {
-            throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
-        } catch (CertificateException ce) {
+        } catch (ClassCastException | CertificateException ce) {
             throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
         }
 
@@ -3441,16 +3374,10 @@
         if (!file.exists()) {
             return null;
         }
-        FileInputStream fis = null;
         KeyStore caks = null;
-        try {
-            fis = new FileInputStream(file);
+        try (FileInputStream fis = new FileInputStream(file)) {
             caks = KeyStore.getInstance(JKS);
             caks.load(fis, null);
-        } finally {
-            if (fis != null) {
-                fis.close();
-            }
         }
         return caks;
     }
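Review bot: `caks.load(fis, null)` passes a null password, which means KeyStore performs no integrity check on the file, and nothing in the hunk says so. A comment such as `// null password: the keystore's integrity is not verified on load` above the call would tell callers not to treat the returned store as tamper-checked. The enclosing method begins outside the hunk, so whether the file is verified some other way cannot be seen here.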
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/security/tools/PathList.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.tools;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.String;
+import java.util.StringTokenizer;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.net.MalformedURLException;
+
+/**
+ * A utility class for handle path list
+ *
+ */
+public class PathList {
+    /**
+     * Utility method for appending path from pathFrom to pathTo.
+     *
+     * @param pathTo the target path
+     * @param pathSource the path to be appended to pathTo
+     * @return the resulting path
+     */
+    public static String appendPath(String pathTo, String pathFrom) {
+        if (pathTo == null || pathTo.length() == 0) {
+            return pathFrom;
+        } else if (pathFrom == null || pathFrom.length() == 0) {
+            return pathTo;
+        } else {
+            return pathTo  + File.pathSeparator + pathFrom;
+        }
+    }
+
+    /**
+     * Utility method for converting a search path string to an array
+     * of directory and JAR file URLs.
+     *
+     * @param path the search path string
+     * @return the resulting array of directory and JAR file URLs
+     */
+    public static URL[] pathToURLs(String path) {
+        StringTokenizer st = new StringTokenizer(path, File.pathSeparator);
+        URL[] urls = new URL[st.countTokens()];
+        int count = 0;
+        while (st.hasMoreTokens()) {
+            URL url = fileToURL(new File(st.nextToken()));
+            if (url != null) {
+                urls[count++] = url;
+            }
+        }
+        if (urls.length != count) {
+            URL[] tmp = new URL[count];
+            System.arraycopy(urls, 0, tmp, 0, count);
+            urls = tmp;
+        }
+        return urls;
+    }
+
+    /**
+     * Returns the directory or JAR file URL corresponding to the specified
+     * local file name.
+     *
+     * @param file the File object
+     * @return the resulting directory or JAR file URL, or null if unknown
+     */
+    private static URL fileToURL(File file) {
+        String name;
+        try {
+            name = file.getCanonicalPath();
+        } catch (IOException e) {
+            name = file.getAbsolutePath();
+        }
+        name = name.replace(File.separatorChar, '/');
+        if (!name.startsWith("/")) {
+            name = "/" + name;
+        }
+        // If the file does not exist, then assume that it's a directory
+        if (!file.isFile()) {
+            name = name + "/";
+        }
+        try {
+            return new URL("file", "", name);
+        } catch (MalformedURLException e) {
+            throw new IllegalArgumentException("file");
+        }
+    }
+}
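Review bot: The Javadoc of `appendPath` documents `@param pathSource`, but the parameter is named `pathFrom`; the tag should read `@param pathFrom the path to be appended to pathTo`. In `fileToURL`, `throw new IllegalArgumentException("file")` discards the MalformedURLException and gives no hint which path failed; `throw new IllegalArgumentException(name, e);` keeps both. The imports of `java.lang.String` and `java.net.URLClassLoader` are unused in this file.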
--- a/jdk/src/share/classes/sun/security/tools/TimestampedSigner.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/tools/TimestampedSigner.java	Wed Jul 05 17:54:13 2017 +0200
@@ -25,22 +25,14 @@
 
 package sun.security.tools;
 
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.math.BigInteger;
 import java.net.URI;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.List;
 
 import com.sun.jarsigner.*;
-import java.util.Arrays;
-import sun.security.pkcs.*;
-import sun.security.timestamp.*;
+import sun.security.pkcs.PKCS7;
 import sun.security.util.*;
 import sun.security.x509.*;
 
@@ -57,36 +49,12 @@
 public final class TimestampedSigner extends ContentSigner {
 
     /*
-     * Random number generator for creating nonce values
-     */
-    private static final SecureRandom RANDOM;
-    static {
-        SecureRandom tmp = null;
-        try {
-            tmp = SecureRandom.getInstance("SHA1PRNG");
-        } catch (NoSuchAlgorithmException e) {
-            // should not happen
-        }
-        RANDOM = tmp;
-    }
-
-    /*
      * Object identifier for the subject information access X.509 certificate
      * extension.
      */
     private static final String SUBJECT_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.11";
 
     /*
-     * Object identifier for the timestamping key purpose.
-     */
-    private static final String KP_TIMESTAMPING_OID = "1.3.6.1.5.5.7.3.8";
-
-    /*
-     * Object identifier for extendedKeyUsage extension
-     */
-    private static final String EXTENDED_KEY_USAGE_OID = "2.5.29.37";
-
-    /*
      * Object identifier for the timestamping access descriptors.
      */
     private static final ObjectIdentifier AD_TIMESTAMPING_Id;
@@ -100,26 +68,6 @@
         AD_TIMESTAMPING_Id = tmp;
     }
 
-    /*
-     * Location of the TSA.
-     */
-    private String tsaUrl = null;
-
-    /*
-     * TSA's X.509 certificate.
-     */
-    private X509Certificate tsaCertificate = null;
-
-    /*
-     * Generates an SHA-1 hash value for the data to be timestamped.
-     */
-    private MessageDigest messageDigest = null;
-
-    /*
-     * Parameters for the timestamping protocol.
-     */
-    private boolean tsRequestCertificate = true;
-
     /**
      * Instantiates a content signer that supports timestamped signatures.
      */
@@ -134,7 +82,7 @@
      * and optionally the content that was signed, are packaged into a PKCS #7
      * signed data message.
      *
-     * @param parameters The non-null input parameters.
+     * @param params The non-null input parameters.
      * @param omitContent true if the content should be omitted from the
      *        signed data message. Otherwise the content is included.
      * @param applyTimestamp true if the signature should be timestamped.
@@ -151,98 +99,41 @@
      * @throws NullPointerException The exception is thrown if parameters is
      *         null.
      */
-    public byte[] generateSignedData(ContentSignerParameters parameters,
+    public byte[] generateSignedData(ContentSignerParameters params,
         boolean omitContent, boolean applyTimestamp)
             throws NoSuchAlgorithmException, CertificateException, IOException {
 
-        if (parameters == null) {
+        if (params == null) {
             throw new NullPointerException();
         }
 
-        // Parse the signature algorithm to extract the digest and key
-        // algorithms. The expected format is:
+        // Parse the signature algorithm to extract the digest
+        // algorithm. The expected format is:
         //     "<digest>with<encryption>"
         // or  "<digest>with<encryption>and<mgf>"
-        String signatureAlgorithm = parameters.getSignatureAlgorithm();
-        String keyAlgorithm =
-                AlgorithmId.getEncAlgFromSigAlg(signatureAlgorithm);
-        String digestAlgorithm =
-                AlgorithmId.getDigAlgFromSigAlg(signatureAlgorithm);
-        AlgorithmId digestAlgorithmId = AlgorithmId.get(digestAlgorithm);
+        String signatureAlgorithm = params.getSignatureAlgorithm();
 
-        // Examine signer's certificate
-        X509Certificate[] signerCertificateChain =
-            parameters.getSignerCertificateChain();
-        Principal issuerName = signerCertificateChain[0].getIssuerDN();
-        if (!(issuerName instanceof X500Name)) {
-            // must extract the original encoded form of DN for subsequent
-            // name comparison checks (converting to a String and back to
-            // an encoded DN could cause the types of String attribute
-            // values to be changed)
-            X509CertInfo tbsCert = new
-                X509CertInfo(signerCertificateChain[0].getTBSCertificate());
-            issuerName = (Principal)
-                tbsCert.get(CertificateIssuerName.NAME + "." +
-                CertificateIssuerName.DN_NAME);
-        }
-        BigInteger serialNumber = signerCertificateChain[0].getSerialNumber();
+        X509Certificate[] signerChain = params.getSignerCertificateChain();
+        byte[] signature = params.getSignature();
 
         // Include or exclude content
-        byte[] content = parameters.getContent();
-        ContentInfo contentInfo;
-        if (omitContent) {
-            contentInfo = new ContentInfo(ContentInfo.DATA_OID, null);
-        } else {
-            contentInfo = new ContentInfo(content);
-        }
+        byte[] content = (omitContent == true) ? null : params.getContent();
 
-        // Generate the timestamp token
-        byte[] signature = parameters.getSignature();
-        SignerInfo signerInfo = null;
+        URI tsaURI = null;
         if (applyTimestamp) {
-
-            tsaCertificate = parameters.getTimestampingAuthorityCertificate();
-            URI tsaUri = parameters.getTimestampingAuthority();
-            if (tsaUri != null) {
-                tsaUrl = tsaUri.toString();
-            } else {
+            tsaURI = params.getTimestampingAuthority();
+            if (tsaURI == null) {
                 // Examine TSA cert
-                String certUrl = getTimestampingUrl(tsaCertificate);
-                if (certUrl == null) {
+                tsaURI = getTimestampingURI(
+                    params.getTimestampingAuthorityCertificate());
+                if (tsaURI == null) {
                     throw new CertificateException(
                         "Subject Information Access extension not found");
                 }
-                tsaUrl = certUrl;
             }
-
-            // Timestamp the signature
-            byte[] tsToken = generateTimestampToken(signature);
-
-            // Insert the timestamp token into the PKCS #7 signer info element
-            // (as an unsigned attribute)
-            PKCS9Attributes unsignedAttrs =
-                new PKCS9Attributes(new PKCS9Attribute[]{
-                    new PKCS9Attribute(
-                        PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_STR,
-                        tsToken)});
-            signerInfo = new SignerInfo((X500Name)issuerName, serialNumber,
-                digestAlgorithmId, null, AlgorithmId.get(keyAlgorithm),
-                    signature, unsignedAttrs);
-        } else {
-            signerInfo = new SignerInfo((X500Name)issuerName, serialNumber,
-                digestAlgorithmId, AlgorithmId.get(keyAlgorithm), signature);
         }
-
-        SignerInfo[] signerInfos = {signerInfo};
-        AlgorithmId[] algorithms = {digestAlgorithmId};
-
-        // Create the PKCS #7 signed data message
-        PKCS7 p7 = new PKCS7(algorithms, contentInfo, signerCertificateChain,
-                null, signerInfos);
-        ByteArrayOutputStream p7out = new ByteArrayOutputStream();
-        p7.encodeSignedData(p7out);
-
-        return p7out.toByteArray();
+        return PKCS7.generateSignedData(signature, signerChain, content,
+                                        params.getSignatureAlgorithm(), tsaURI);
     }
 
     /**
@@ -253,9 +144,9 @@
      * <tt>accessLocation</tt> field should contain an HTTP or HTTPS URL.
      *
      * @param tsaCertificate An X.509 certificate for the TSA.
-     * @return An HTTP or HTTPS URL or null if none was found.
+     * @return An HTTP or HTTPS URI or null if none was found.
      */
-    public static String getTimestampingUrl(X509Certificate tsaCertificate) {
+    public static URI getTimestampingURI(X509Certificate tsaCertificate) {
 
         if (tsaCertificate == null) {
             return null;
@@ -282,7 +173,7 @@
                         uri = (URIName) location.getName();
                         if (uri.getScheme().equalsIgnoreCase("http") ||
                                 uri.getScheme().equalsIgnoreCase("https")) {
-                            return uri.getName();
+                            return uri.getURI();
                         }
                     }
                 }
@@ -292,97 +183,4 @@
         }
         return null;
     }
-
-    /*
-     * Returns a timestamp token from a TSA for the given content.
-     * Performs a basic check on the token to confirm that it has been signed
-     * by a certificate that is permitted to sign timestamps.
-     *
-     * @param  toBeTimestamped The data to be timestamped.
-     * @throws IOException The exception is throw if an error occurs while
-     *                     communicating with the TSA.
-     * @throws CertificateException The exception is throw if the TSA's
-     *                     certificate is not permitted for timestamping.
-     */
-    private byte[] generateTimestampToken(byte[] toBeTimestamped)
-            throws CertificateException, IOException {
-
-        // Generate hash value for the data to be timestamped
-        // SHA-1 is always used.
-        if (messageDigest == null) {
-            try {
-                messageDigest = MessageDigest.getInstance("SHA-1");
-            } catch (NoSuchAlgorithmException e) {
-                // ignore
-            }
-        }
-        byte[] digest = messageDigest.digest(toBeTimestamped);
-
-        // Generate a timestamp
-        TSRequest tsQuery = new TSRequest(digest, "SHA-1");
-        // Generate a nonce
-        BigInteger nonce = null;
-        if (RANDOM != null) {
-            nonce = new BigInteger(64, RANDOM);
-            tsQuery.setNonce(nonce);
-        }
-        tsQuery.requestCertificate(tsRequestCertificate);
-
-        Timestamper tsa = new HttpTimestamper(tsaUrl); // use supplied TSA
-        TSResponse tsReply = tsa.generateTimestamp(tsQuery);
-        int status = tsReply.getStatusCode();
-        // Handle TSP error
-        if (status != 0 && status != 1) {
-            int failureCode = tsReply.getFailureCode();
-            if (failureCode == -1) {
-                throw new IOException("Error generating timestamp: " +
-                    tsReply.getStatusCodeAsText());
-            } else {
-                throw new IOException("Error generating timestamp: " +
-                    tsReply.getStatusCodeAsText() + " " +
-                    tsReply.getFailureCodeAsText());
-            }
-        }
-        PKCS7 tsToken = tsReply.getToken();
-
-        TimestampToken tst = new TimestampToken(tsToken.getContentInfo().getData());
-        if (!tst.getHashAlgorithm().equals(
-                new AlgorithmId(new ObjectIdentifier("1.3.14.3.2.26")))) {
-            throw new IOException("Digest algorithm not SHA-1 in timestamp token");
-        }
-        if (!Arrays.equals(tst.getHashedMessage(), digest)) {
-            throw new IOException("Digest octets changed in timestamp token");
-        }
-
-        BigInteger replyNonce = tst.getNonce();
-        if (replyNonce == null && nonce != null) {
-            throw new IOException("Nonce missing in timestamp token");
-        }
-        if (replyNonce != null && !replyNonce.equals(nonce)) {
-            throw new IOException("Nonce changed in timestamp token");
-        }
-
-        // Examine the TSA's certificate (if present)
-        for (SignerInfo si: tsToken.getSignerInfos()) {
-            X509Certificate cert = si.getCertificate(tsToken);
-            if (cert == null) {
-                // Error, we've already set tsRequestCertificate = true
-                throw new CertificateException(
-                "Certificate not included in timestamp token");
-            } else {
-                if (!cert.getCriticalExtensionOIDs().contains(
-                        EXTENDED_KEY_USAGE_OID)) {
-                    throw new CertificateException(
-                    "Certificate is not valid for timestamping");
-                }
-                List<String> keyPurposes = cert.getExtendedKeyUsage();
-                if (keyPurposes == null ||
-                        ! keyPurposes.contains(KP_TIMESTAMPING_OID)) {
-                    throw new CertificateException(
-                    "Certificate is not valid for timestamping");
-                }
-            }
-        }
-        return tsReply.getEncodedToken();
-    }
 }
--- a/jdk/src/share/classes/sun/security/util/BigInt.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,198 +0,0 @@
-/*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.util;
-
-import java.math.BigInteger;
-
-
-/**
- * A low-overhead arbitrary-precision <em>unsigned</em> integer.
- * This is intended for use with ASN.1 parsing, and printing of
- * such parsed values.  Convert to "BigInteger" if you need to do
- * arbitrary precision arithmetic, rather than just represent
- * the number as a wrapped array of bytes.
- *
- * <P><em><b>NOTE:</b>  This class may eventually disappear, to
- * be supplanted by big-endian byte arrays which hold both signed
- * and unsigned arbitrary-precision integers.</em>
- *
- * @author David Brownell
- */
-public final class BigInt {
-
-    // Big endian -- MSB first.
-    private byte[]      places;
-
-    /**
-     * Constructs a "Big" integer from a set of (big-endian) bytes.
-     * Leading zeroes should be stripped off.
-     *
-     * @param data a sequence of bytes, most significant bytes/digits
-     *          first.  CONSUMED.
-     */
-    public BigInt(byte[] data) { places = data.clone(); }
-
-    /**
-     * Constructs a "Big" integer from a "BigInteger", which must be
-     * positive (or zero) in value.
-     */
-    public BigInt(BigInteger i) {
-        byte[]  temp = i.toByteArray();
-
-        if ((temp[0] & 0x80) != 0)
-            throw new IllegalArgumentException("negative BigInteger");
-
-        // XXX we assume exactly _one_ sign byte is used...
-
-        if (temp[0] != 0)
-            places = temp;
-        else {
-            places = new byte[temp.length - 1];
-            for (int j = 1; j < temp.length; j++)
-                places[j - 1] = temp[j];
-        }
-    }
-
-    /**
-     * Constructs a "Big" integer from a normal Java integer.
-     *
-     * @param i the java primitive integer
-     */
-    public BigInt(int i) {
-        if (i < (1 << 8)) {
-            places = new byte[1];
-            places[0] = (byte) i;
-        } else if (i < (1 << 16)) {
-            places = new byte[2];
-            places[0] = (byte) (i >> 8);
-            places[1] = (byte) i;
-        } else if (i < (1 << 24)) {
-            places = new byte[3];
-            places[0] = (byte) (i >> 16);
-            places[1] = (byte) (i >> 8);
-            places[2] = (byte) i;
-        } else {
-            places = new byte[4];
-            places[0] = (byte) (i >> 24);
-            places[1] = (byte) (i >> 16);
-            places[2] = (byte) (i >> 8);
-            places[3] = (byte) i;
-        }
-    }
-
-    /**
-     * Converts the "big" integer to a java primitive integer.
-     *
-     * @excpet NumberFormatException if 32 bits is insufficient.
-     */
-    public int toInt() {
-        if (places.length > 4)
-            throw new NumberFormatException("BigInt.toLong, too big");
-        int retval = 0, i = 0;
-        for (; i < places.length; i++)
-            retval = (retval << 8) + ((int)places[i] & 0xff);
-        return retval;
-    }
-
-    /**
-     * Returns a hexadecimal printed representation.  The value is
-     * formatted to fit on lines of at least 75 characters, with
-     * embedded newlines.  Words are separated for readability,
-     * with eight words (32 bytes) per line.
-     */
-    public String toString() { return hexify(); }
-
-    /**
-     * Returns a BigInteger value which supports many arithmetic
-     * operations. Assumes negative values will never occur.
-     */
-    public BigInteger toBigInteger()
-        { return new BigInteger(1, places); }
-
-    /**
-     * Returns the data as a byte array.  The most significant bit
-     * of the array is bit zero (as in <code>java.math.BigInteger</code>).
-     */
-    public byte[] toByteArray() { return places.clone(); }
-
-    private static final String digits = "0123456789abcdef";
-    private String hexify() {
-        if (places.length == 0)
-            return "  0  ";
-
-        StringBuffer buf = new StringBuffer(places.length * 2);
-        buf.append("    ");     // four spaces
-        for (int i = 0; i < places.length; i++) {
-            buf.append(digits.charAt((places[i] >> 4) & 0x0f));
-            buf.append(digits.charAt(places[i] & 0x0f));
-            if (((i + 1) % 32) == 0) {
-                if ((i +  1) != places.length)
-                    buf.append("\n    ");       // line after four words
-            } else if (((i + 1) % 4) == 0)
-                buf.append(' ');                // space between words
-        }
-        return buf.toString();
-    }
-
-    /**
-     * Returns true iff the parameter is a numerically equivalent
-     * BigInt.
-     *
-     * @param other the object being compared with this one.
-     */
-    public boolean equals(Object other) {
-        if (other instanceof BigInt)
-            return equals((BigInt) other);
-        return false;
-    }
-
-    /**
-     * Returns true iff the parameter is numerically equivalent.
-     *
-     * @param other the BigInt being compared with this one.
-     */
-    public boolean equals(BigInt other) {
-        if (this == other)
-            return true;
-
-        byte[] otherPlaces = other.toByteArray();
-        if (places.length != otherPlaces.length)
-            return false;
-        for (int i = 0; i < places.length; i++)
-            if (places[i] != otherPlaces[i])
-                return false;
-        return true;
-    }
-
-    /**
-     * Returns a hashcode for this BigInt.
-     *
-     * @return a hashcode for this BigInt.
-     */
-    public int hashCode() {
-        return hexify().hashCode();
-    }
-}
--- a/jdk/src/share/classes/sun/security/util/Cache.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/util/Cache.java	Wed Jul 05 17:54:13 2017 +0200
@@ -43,7 +43,7 @@
  *
  *  . optional lifetime, specified in seconds.
  *
- *  . save for concurrent use by multiple threads
+ *  . safe for concurrent use by multiple threads
  *
  *  . values are held by either standard references or via SoftReferences.
  *    SoftReferences have the advantage that they are automatically cleared
@@ -69,7 +69,7 @@
  *
  * @author Andreas Sterbenz
  */
-public abstract class Cache {
+public abstract class Cache<K,V> {
 
     protected Cache() {
         // empty
@@ -88,12 +88,12 @@
     /**
      * Add an entry to the cache.
      */
-    public abstract void put(Object key, Object value);
+    public abstract void put(K key, V value);
 
     /**
      * Get a value from the cache.
      */
-    public abstract Object get(Object key);
+    public abstract V get(Object key);
 
     /**
      * Remove an entry from the cache.
@@ -113,14 +113,14 @@
     /**
      * accept a visitor
      */
-    public abstract void accept(CacheVisitor visitor);
+    public abstract void accept(CacheVisitor<K,V> visitor);
 
     /**
      * Return a new memory cache with the specified maximum size, unlimited
      * lifetime for entries, with the values held by SoftReferences.
      */
-    public static Cache newSoftMemoryCache(int size) {
-        return new MemoryCache(true, size);
+    public static <K,V> Cache<K,V> newSoftMemoryCache(int size) {
+        return new MemoryCache<>(true, size);
     }
 
     /**
@@ -128,23 +128,24 @@
      * specified maximum lifetime (in seconds), with the values held
      * by SoftReferences.
      */
-    public static Cache newSoftMemoryCache(int size, int timeout) {
-        return new MemoryCache(true, size, timeout);
+    public static <K,V> Cache<K,V> newSoftMemoryCache(int size, int timeout) {
+        return new MemoryCache<>(true, size, timeout);
     }
 
     /**
      * Return a new memory cache with the specified maximum size, unlimited
      * lifetime for entries, with the values held by standard references.
      */
-    public static Cache newHardMemoryCache(int size) {
-        return new MemoryCache(false, size);
+    public static <K,V> Cache<K,V> newHardMemoryCache(int size) {
+        return new MemoryCache<>(false, size);
     }
 
     /**
      * Return a dummy cache that does nothing.
      */
-    public static Cache newNullCache() {
-        return NullCache.INSTANCE;
+    @SuppressWarnings("unchecked")
+    public static <K,V> Cache<K,V> newNullCache() {
+        return (Cache<K,V>) NullCache.INSTANCE;
     }
 
     /**
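Review bot: The `@SuppressWarnings("unchecked")` on newNullCache() hides a cast of the shared `Cache<Object,Object>` INSTANCE to `Cache<K,V>` without saying why the cast is safe. The NullCache hunks further down show put() doing nothing and get() returning null, so no value of the wrong type can come back. A comment such as `// safe: NullCache stores nothing, so K and V are never observed` would record that. The same applies to the cast of `queue.poll()` to `CacheEntry<K,V>` in the hunk at -279. That cast holds only if every reference registered with the queue is a SoftCacheEntry, which is what newEntry() appears to guarantee, and it deserves a one-line comment too.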
@@ -152,8 +153,8 @@
      * specified maximum lifetime (in seconds), with the values held
      * by standard references.
      */
-    public static Cache newHardMemoryCache(int size, int timeout) {
-        return new MemoryCache(false, size, timeout);
+    public static <K,V> Cache<K,V> newHardMemoryCache(int size, int timeout) {
+        return new MemoryCache<>(false, size, timeout);
     }
 
     /**
@@ -193,15 +194,15 @@
         }
     }
 
-    public interface CacheVisitor {
-        public void visit(Map<Object, Object> map);
+    public interface CacheVisitor<K,V> {
+        public void visit(Map<K,V> map);
     }
 
 }
 
-class NullCache extends Cache {
+class NullCache<K,V> extends Cache<K,V> {
 
-    final static Cache INSTANCE = new NullCache();
+    final static Cache<Object,Object> INSTANCE = new NullCache<>();
 
     private NullCache() {
         // empty
@@ -215,11 +216,11 @@
         // empty
     }
 
-    public void put(Object key, Object value) {
+    public void put(K key, V value) {
         // empty
     }
 
-    public Object get(Object key) {
+    public V get(Object key) {
         return null;
     }
 
@@ -235,23 +236,26 @@
         // empty
     }
 
-    public void accept(CacheVisitor visitor) {
+    public void accept(CacheVisitor<K,V> visitor) {
         // empty
     }
 
 }
 
-class MemoryCache extends Cache {
+class MemoryCache<K,V> extends Cache<K,V> {
 
     private final static float LOAD_FACTOR = 0.75f;
 
     // XXXX
     private final static boolean DEBUG = false;
 
-    private final Map<Object, CacheEntry> cacheMap;
+    private final Map<K, CacheEntry<K,V>> cacheMap;
     private int maxSize;
     private long lifetime;
-    private final ReferenceQueue<Object> queue;
+
+    // ReferenceQueue is of type V instead of Cache<K,V>
+    // to allow SoftCacheEntry to extend SoftReference<V>
+    private final ReferenceQueue<V> queue;
 
     public MemoryCache(boolean soft, int maxSize) {
         this(soft, maxSize, 0);
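Review bot: The new comment above `queue` says the queue is typed V "instead of Cache<K,V>", which probably should read CacheEntry<K,V>. What emptyQueue() polls from the queue is cast to CacheEntry<K,V>, not to Cache. Suggested wording: `// The queue is typed by the value V, not by CacheEntry<K,V>,` followed by `// because SoftCacheEntry extends SoftReference<V>`. The MemoryCache class body continues outside this hunk.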
@@ -260,10 +264,13 @@
     public MemoryCache(boolean soft, int maxSize, int lifetime) {
         this.maxSize = maxSize;
         this.lifetime = lifetime * 1000;
-        this.queue = soft ? new ReferenceQueue<Object>() : null;
+        if (soft)
+            this.queue = new ReferenceQueue<>();
+        else
+            this.queue = null;
+
         int buckets = (int)(maxSize / LOAD_FACTOR) + 1;
-        cacheMap = new LinkedHashMap<Object, CacheEntry>(buckets,
-                                                        LOAD_FACTOR, true);
+        cacheMap = new LinkedHashMap<>(buckets, LOAD_FACTOR, true);
     }
 
     /**
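Review bot: `this.lifetime = lifetime * 1000;` in the three-argument constructor multiplies two ints before the result is widened to long, so a lifetime above about 2,147,483 seconds (roughly 24.8 days) overflows and the stored value is wrong, possibly negative. The line is unchanged context, but it sits in the constructor this hunk rewrites, and `this.lifetime = lifetime * 1000L;` keeps the arithmetic in long. put() adds this field to System.currentTimeMillis() to compute the expiration time, so a wrapped value makes entries expire at the wrong moment. A negative `lifetime` argument is also accepted without any check.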
@@ -279,16 +286,17 @@
         }
         int startSize = cacheMap.size();
         while (true) {
-            CacheEntry entry = (CacheEntry)queue.poll();
+            @SuppressWarnings("unchecked")
+            CacheEntry<K,V> entry = (CacheEntry<K,V>)queue.poll();
             if (entry == null) {
                 break;
             }
-            Object key = entry.getKey();
+            K key = entry.getKey();
             if (key == null) {
                 // key is null, entry has already been removed
                 continue;
             }
-            CacheEntry currentEntry = cacheMap.remove(key);
+            CacheEntry<K,V> currentEntry = cacheMap.remove(key);
             // check if the entry in the map corresponds to the expired
             // entry. If not, readd the entry
             if ((currentEntry != null) && (entry != currentEntry)) {
@@ -314,9 +322,9 @@
         }
         int cnt = 0;
         long time = System.currentTimeMillis();
-        for (Iterator<CacheEntry> t = cacheMap.values().iterator();
+        for (Iterator<CacheEntry<K,V>> t = cacheMap.values().iterator();
                 t.hasNext(); ) {
-            CacheEntry entry = t.next();
+            CacheEntry<K,V> entry = t.next();
             if (entry.isValid(time) == false) {
                 t.remove();
                 cnt++;
@@ -339,7 +347,7 @@
         if (queue != null) {
             // if this is a SoftReference cache, first invalidate() all
             // entries so that GC does not have to enqueue them
-            for (CacheEntry entry : cacheMap.values()) {
+            for (CacheEntry<K,V> entry : cacheMap.values()) {
                 entry.invalidate();
             }
             while (queue.poll() != null) {
@@ -349,12 +357,12 @@
         cacheMap.clear();
     }
 
-    public synchronized void put(Object key, Object value) {
+    public synchronized void put(K key, V value) {
         emptyQueue();
         long expirationTime = (lifetime == 0) ? 0 :
                                         System.currentTimeMillis() + lifetime;
-        CacheEntry newEntry = newEntry(key, value, expirationTime, queue);
-        CacheEntry oldEntry = cacheMap.put(key, newEntry);
+        CacheEntry<K,V> newEntry = newEntry(key, value, expirationTime, queue);
+        CacheEntry<K,V> oldEntry = cacheMap.put(key, newEntry);
         if (oldEntry != null) {
             oldEntry.invalidate();
             return;
@@ -362,8 +370,8 @@
         if (maxSize > 0 && cacheMap.size() > maxSize) {
             expungeExpiredEntries();
             if (cacheMap.size() > maxSize) { // still too large?
-                Iterator<CacheEntry> t = cacheMap.values().iterator();
-                CacheEntry lruEntry = t.next();
+                Iterator<CacheEntry<K,V>> t = cacheMap.values().iterator();
+                CacheEntry<K,V> lruEntry = t.next();
                 if (DEBUG) {
                     System.out.println("** Overflow removal "
                         + lruEntry.getKey() + " | " + lruEntry.getValue());
@@ -374,9 +382,9 @@
         }
     }
 
-    public synchronized Object get(Object key) {
+    public synchronized V get(Object key) {
         emptyQueue();
-        CacheEntry entry = cacheMap.get(key);
+        CacheEntry<K,V> entry = cacheMap.get(key);
         if (entry == null) {
             return null;
         }
@@ -393,7 +401,7 @@
 
     public synchronized void remove(Object key) {
         emptyQueue();
-        CacheEntry entry = cacheMap.remove(key);
+        CacheEntry<K,V> entry = cacheMap.remove(key);
         if (entry != null) {
             entry.invalidate();
         }
@@ -402,9 +410,9 @@
     public synchronized void setCapacity(int size) {
         expungeExpiredEntries();
         if (size > 0 && cacheMap.size() > size) {
-            Iterator<CacheEntry> t = cacheMap.values().iterator();
+            Iterator<CacheEntry<K,V>> t = cacheMap.values().iterator();
             for (int i = cacheMap.size() - size; i > 0; i--) {
-                CacheEntry lruEntry = t.next();
+                CacheEntry<K,V> lruEntry = t.next();
                 if (DEBUG) {
                     System.out.println("** capacity reset removal "
                         + lruEntry.getKey() + " | " + lruEntry.getValue());
@@ -431,60 +439,61 @@
     }
 
     // it is a heavyweight method.
-    public synchronized void accept(CacheVisitor visitor) {
+    public synchronized void accept(CacheVisitor<K,V> visitor) {
         expungeExpiredEntries();
-        Map<Object, Object> cached = getCachedEntries();
+        Map<K,V> cached = getCachedEntries();
 
         visitor.visit(cached);
     }
 
-    private Map<Object, Object> getCachedEntries() {
-        Map<Object,Object> kvmap = new HashMap<Object,Object>(cacheMap.size());
+    private Map<K,V> getCachedEntries() {
+        Map<K,V> kvmap = new HashMap<>(cacheMap.size());
 
-        for (CacheEntry entry : cacheMap.values()) {
+        for (CacheEntry<K,V> entry : cacheMap.values()) {
             kvmap.put(entry.getKey(), entry.getValue());
         }
 
         return kvmap;
     }
 
-    protected CacheEntry newEntry(Object key, Object value,
-            long expirationTime, ReferenceQueue<Object> queue) {
+    protected CacheEntry<K,V> newEntry(K key, V value,
+            long expirationTime, ReferenceQueue<V> queue) {
         if (queue != null) {
-            return new SoftCacheEntry(key, value, expirationTime, queue);
+            return new SoftCacheEntry<>(key, value, expirationTime, queue);
         } else {
-            return new HardCacheEntry(key, value, expirationTime);
+            return new HardCacheEntry<>(key, value, expirationTime);
         }
     }
 
-    private static interface CacheEntry {
+    private static interface CacheEntry<K,V> {
 
         boolean isValid(long currentTime);
 
         void invalidate();
 
-        Object getKey();
+        K getKey();
 
-        Object getValue();
+        V getValue();
 
     }
 
-    private static class HardCacheEntry implements CacheEntry {
+    private static class HardCacheEntry<K,V> implements CacheEntry<K,V> {
 
-        private Object key, value;
+        private K key;
+        private V value;
         private long expirationTime;
 
-        HardCacheEntry(Object key, Object value, long expirationTime) {
+        HardCacheEntry(K key, V value, long expirationTime) {
             this.key = key;
             this.value = value;
             this.expirationTime = expirationTime;
         }
 
-        public Object getKey() {
+        public K getKey() {
             return key;
         }
 
-        public Object getValue() {
+        public V getValue() {
             return value;
         }
 
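Review bot: getCachedEntries() copies `entry.getValue()` into the map handed to the visitor without checking it for null. For a soft cache, getValue() is `get()` on a SoftReference, which returns null once the collector has cleared the referent. The expungeExpiredEntries() call in accept() may not drop such entries (isValid() is not visible in this hunk), so a visitor could see keys mapped to null. Skipping them is cheap: `V value = entry.getValue();` then `if (value != null) kvmap.put(entry.getKey(), value);`. HardCacheEntry's class body continues outside the hunk.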
@@ -503,24 +512,25 @@
         }
     }
 
-    private static class SoftCacheEntry
-            extends SoftReference<Object> implements CacheEntry {
+    private static class SoftCacheEntry<K,V>
+            extends SoftReference<V>
+            implements CacheEntry<K,V> {
 
-        private Object key;
+        private K key;
         private long expirationTime;
 
-        SoftCacheEntry(Object key, Object value, long expirationTime,
-                ReferenceQueue<Object> queue) {
+        SoftCacheEntry(K key, V value, long expirationTime,
+                ReferenceQueue<V> queue) {
             super(value, queue);
             this.key = key;
             this.expirationTime = expirationTime;
         }
 
-        public Object getKey() {
+        public K getKey() {
             return key;
         }
 
-        public Object getValue() {
+        public V getValue() {
             return get();
         }
 
--- a/jdk/src/share/classes/sun/security/util/Debug.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/util/Debug.java	Wed Jul 05 17:54:13 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -80,6 +80,7 @@
         System.err.println("policy        loading and granting");
         System.err.println("provider      security provider debugging");
         System.err.println("scl           permissions SecureClassLoader assigns");
+        System.err.println("ts            timestamping");
         System.err.println();
         System.err.println("The following can be used with access:");
         System.err.println();
--- a/jdk/src/share/classes/sun/security/util/PathList.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,111 +0,0 @@
-/*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.util;
-
-import java.io.File;
-import java.io.IOException;
-import java.lang.String;
-import java.util.StringTokenizer;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.net.MalformedURLException;
-
-/**
- * A utility class for handle path list
- *
- */
-public class PathList {
-    /**
-     * Utility method for appending path from pathFrom to pathTo.
-     *
-     * @param pathTo the target path
-     * @param pathSource the path to be appended to pathTo
-     * @return the resulting path
-     */
-    public static String appendPath(String pathTo, String pathFrom) {
-        if (pathTo == null || pathTo.length() == 0) {
-            return pathFrom;
-        } else if (pathFrom == null || pathFrom.length() == 0) {
-            return pathTo;
-        } else {
-            return pathTo  + File.pathSeparator + pathFrom;
-        }
-    }
-
-    /**
-     * Utility method for converting a search path string to an array
-     * of directory and JAR file URLs.
-     *
-     * @param path the search path string
-     * @return the resulting array of directory and JAR file URLs
-     */
-    public static URL[] pathToURLs(String path) {
-        StringTokenizer st = new StringTokenizer(path, File.pathSeparator);
-        URL[] urls = new URL[st.countTokens()];
-        int count = 0;
-        while (st.hasMoreTokens()) {
-            URL url = fileToURL(new File(st.nextToken()));
-            if (url != null) {
-                urls[count++] = url;
-            }
-        }
-        if (urls.length != count) {
-            URL[] tmp = new URL[count];
-            System.arraycopy(urls, 0, tmp, 0, count);
-            urls = tmp;
-        }
-        return urls;
-    }
-
-    /**
-     * Returns the directory or JAR file URL corresponding to the specified
-     * local file name.
-     *
-     * @param file the File object
-     * @return the resulting directory or JAR file URL, or null if unknown
-     */
-    private static URL fileToURL(File file) {
-        String name;
-        try {
-            name = file.getCanonicalPath();
-        } catch (IOException e) {
-            name = file.getAbsolutePath();
-        }
-        name = name.replace(File.separatorChar, '/');
-        if (!name.startsWith("/")) {
-            name = "/" + name;
-        }
-        // If the file does not exist, then assume that it's a directory
-        if (!file.isFile()) {
-            name = name + "/";
-        }
-        try {
-            return new URL("file", "", name);
-        } catch (MalformedURLException e) {
-            throw new IllegalArgumentException("file");
-        }
-    }
-}
--- a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java	Wed Jul 05 17:54:13 2017 +0200
@@ -35,7 +35,6 @@
 import java.util.jar.*;
 
 import sun.security.pkcs.*;
-import sun.security.timestamp.TimestampToken;
 import sun.misc.BASE64Decoder;
 
 import sun.security.jca.Providers;
@@ -485,7 +484,7 @@
                 signers = new ArrayList<CodeSigner>();
             }
             // Append the new code signer
-            signers.add(new CodeSigner(certChain, getTimestamp(info)));
+            signers.add(new CodeSigner(certChain, info.getTimestamp()));
 
             if (debug != null) {
                 debug.println("Signature Block Certificate: " +
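Review bot: The contract of `info.getTimestamp()` is not documented at this call site, and the timestamp comes from the signer's unauthenticated attributes, so it matters whether the token is verified before it reaches CodeSigner. The private helper this call replaces verified the token and built the TSA cert path; the SignerInfo implementation is not visible in this part of the changeset. A comment such as `// SignerInfo.getTimestamp() verifies the TSA token; null if no timestamp attribute` would state the expectation, to be confirmed against SignerInfo. It is also worth checking that the exceptions getTimestamp() declares are still covered by this method's throws clause. The enclosing method starts and ends outside the hunk.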
@@ -500,62 +499,6 @@
         }
     }
 
-    /*
-     * Examines a signature timestamp token to generate a timestamp object.
-     *
-     * Examines the signer's unsigned attributes for a
-     * <tt>signatureTimestampToken</tt> attribute. If present,
-     * then it is parsed to extract the date and time at which the
-     * timestamp was generated.
-     *
-     * @param info A signer information element of a PKCS 7 block.
-     *
-     * @return A timestamp token or null if none is present.
-     * @throws IOException if an error is encountered while parsing the
-     *         PKCS7 data.
-     * @throws NoSuchAlgorithmException if an error is encountered while
-     *         verifying the PKCS7 object.
-     * @throws SignatureException if an error is encountered while
-     *         verifying the PKCS7 object.
-     * @throws CertificateException if an error is encountered while generating
-     *         the TSA's certpath.
-     */
-    private Timestamp getTimestamp(SignerInfo info)
-        throws IOException, NoSuchAlgorithmException, SignatureException,
-            CertificateException {
-
-        Timestamp timestamp = null;
-
-        // Extract the signer's unsigned attributes
-        PKCS9Attributes unsignedAttrs = info.getUnauthenticatedAttributes();
-        if (unsignedAttrs != null) {
-            PKCS9Attribute timestampTokenAttr =
-                unsignedAttrs.getAttribute("signatureTimestampToken");
-            if (timestampTokenAttr != null) {
-                PKCS7 timestampToken =
-                    new PKCS7((byte[])timestampTokenAttr.getValue());
-                // Extract the content (an encoded timestamp token info)
-                byte[] encodedTimestampTokenInfo =
-                    timestampToken.getContentInfo().getData();
-                // Extract the signer (the Timestamping Authority)
-                // while verifying the content
-                SignerInfo[] tsa =
-                    timestampToken.verify(encodedTimestampTokenInfo);
-                // Expect only one signer
-                ArrayList<X509Certificate> chain =
-                                tsa[0].getCertificateChain(timestampToken);
-                CertPath tsaChain = certificateFactory.generateCertPath(chain);
-                // Create a timestamp token info object
-                TimestampToken timestampTokenInfo =
-                    new TimestampToken(encodedTimestampTokenInfo);
-                // Create a timestamp object
-                timestamp =
-                    new Timestamp(timestampTokenInfo.getDate(), tsaChain);
-            }
-        }
-        return timestamp;
-    }
-
     // for the toHex function
     private static final char[] hexc =
             {'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'};
--- a/jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,301 +0,0 @@
-/*
- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.x509;
-
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateEncodingException;
-import java.security.*;
-import java.util.Date;
-
-import sun.security.pkcs.PKCS10;
-
-
-/**
- * Generate a pair of keys, and provide access to them.  This class is
- * provided primarily for ease of use.
- *
- * <P>This provides some simple certificate management functionality.
- * Specifically, it allows you to create self-signed X.509 certificates
- * as well as PKCS 10 based certificate signing requests.
- *
- * <P>Keys for some public key signature algorithms have algorithm
- * parameters, such as DSS/DSA.  Some sites' Certificate Authorities
- * adopt fixed algorithm parameters, which speeds up some operations
- * including key generation and signing.  <em>At this time, this interface
- * does not provide a way to provide such algorithm parameters, e.g.
- * by providing the CA certificate which includes those parameters.</em>
- *
- * <P>Also, note that at this time only signature-capable keys may be
- * acquired through this interface.  Diffie-Hellman keys, used for secure
- * key exchange, may be supported later.
- *
- * @author David Brownell
- * @author Hemma Prafullchandra
- * @see PKCS10
- * @see X509CertImpl
- */
-public final class CertAndKeyGen {
-    /**
-     * Creates a CertAndKeyGen object for a particular key type
-     * and signature algorithm.
-     *
-     * @param keyType type of key, e.g. "RSA", "DSA"
-     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
-     *          "MD2WithRSA", "SHAwithDSA".
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     */
-    public CertAndKeyGen (String keyType, String sigAlg)
-    throws NoSuchAlgorithmException
-    {
-        keyGen = KeyPairGenerator.getInstance(keyType);
-        this.sigAlg = sigAlg;
-    }
-
-    /**
-     * Creates a CertAndKeyGen object for a particular key type,
-     * signature algorithm, and provider.
-     *
-     * @param keyType type of key, e.g. "RSA", "DSA"
-     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
-     *          "MD2WithRSA", "SHAwithDSA".
-     * @param providerName name of the provider
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     * @exception NoSuchProviderException on unrecognized providers.
-     */
-    public CertAndKeyGen (String keyType, String sigAlg, String providerName)
-    throws NoSuchAlgorithmException, NoSuchProviderException
-    {
-        if (providerName == null) {
-            keyGen = KeyPairGenerator.getInstance(keyType);
-        } else {
-            try {
-                keyGen = KeyPairGenerator.getInstance(keyType, providerName);
-            } catch (Exception e) {
-                // try first available provider instead
-                keyGen = KeyPairGenerator.getInstance(keyType);
-            }
-        }
-        this.sigAlg = sigAlg;
-    }
-
-    /**
-     * Sets the source of random numbers used when generating keys.
-     * If you do not provide one, a system default facility is used.
-     * You may wish to provide your own source of random numbers
-     * to get a reproducible sequence of keys and signatures, or
-     * because you may be able to take advantage of strong sources
-     * of randomness/entropy in your environment.
-     */
-    public void         setRandom (SecureRandom generator)
-    {
-        prng = generator;
-    }
-
-    // want "public void generate (X509Certificate)" ... inherit DSA/D-H param
-
-    /**
-     * Generates a random public/private key pair, with a given key
-     * size.  Different algorithms provide different degrees of security
-     * for the same key size, because of the "work factor" involved in
-     * brute force attacks.  As computers become faster, it becomes
-     * easier to perform such attacks.  Small keys are to be avoided.
-     *
-     * <P>Note that not all values of "keyBits" are valid for all
-     * algorithms, and not all public key algorithms are currently
-     * supported for use in X.509 certificates.  If the algorithm
-     * you specified does not produce X.509 compatible keys, an
-     * invalid key exception is thrown.
-     *
-     * @param keyBits the number of bits in the keys.
-     * @exception InvalidKeyException if the environment does not
-     *  provide X.509 public keys for this signature algorithm.
-     */
-    public void generate (int keyBits)
-    throws InvalidKeyException
-    {
-        KeyPair pair;
-
-        try {
-            if (prng == null) {
-                prng = new SecureRandom();
-            }
-            keyGen.initialize(keyBits, prng);
-            pair = keyGen.generateKeyPair();
-
-        } catch (Exception e) {
-            throw new IllegalArgumentException(e.getMessage());
-        }
-
-        publicKey = pair.getPublic();
-        privateKey = pair.getPrivate();
-    }
-
-
-    /**
-     * Returns the public key of the generated key pair if it is of type
-     * <code>X509Key</code>, or null if the public key is of a different type.
-     *
-     * XXX Note: This behaviour is needed for backwards compatibility.
-     * What this method really should return is the public key of the
-     * generated key pair, regardless of whether or not it is an instance of
-     * <code>X509Key</code>. Accordingly, the return type of this method
-     * should be <code>PublicKey</code>.
-     */
-    public X509Key getPublicKey()
-    {
-        if (!(publicKey instanceof X509Key)) {
-            return null;
-        }
-        return (X509Key)publicKey;
-    }
-
-
-    /**
-     * Returns the private key of the generated key pair.
-     *
-     * <P><STRONG><em>Be extremely careful when handling private keys.
-     * When private keys are not kept secret, they lose their ability
-     * to securely authenticate specific entities ... that is a huge
-     * security risk!</em></STRONG>
-     */
-    public PrivateKey getPrivateKey ()
-    {
-        return privateKey;
-    }
-
-
-    /**
-     * Returns a self-signed X.509v3 certificate for the public key.
-     * The certificate is immediately valid. No extensions.
-     *
-     * <P>Such certificates normally are used to identify a "Certificate
-     * Authority" (CA).  Accordingly, they will not always be accepted by
-     * other parties.  However, such certificates are also useful when
-     * you are bootstrapping your security infrastructure, or deploying
-     * system prototypes.
-     *
-     * @param myname X.500 name of the subject (who is also the issuer)
-     * @param firstDate the issue time of the certificate
-     * @param validity how long the certificate should be valid, in seconds
-     * @exception CertificateException on certificate handling errors.
-     * @exception InvalidKeyException on key handling errors.
-     * @exception SignatureException on signature handling errors.
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     * @exception NoSuchProviderException on unrecognized providers.
-     */
-    public X509Certificate getSelfCertificate (
-            X500Name myname, Date firstDate, long validity)
-    throws CertificateException, InvalidKeyException, SignatureException,
-        NoSuchAlgorithmException, NoSuchProviderException
-    {
-        X509CertImpl    cert;
-        Date            lastDate;
-
-        try {
-            lastDate = new Date ();
-            lastDate.setTime (firstDate.getTime () + validity * 1000);
-
-            CertificateValidity interval =
-                                   new CertificateValidity(firstDate,lastDate);
-
-            X509CertInfo info = new X509CertInfo();
-            // Add all mandatory attributes
-            info.set(X509CertInfo.VERSION,
-                     new CertificateVersion(CertificateVersion.V3));
-            info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
-                    new java.util.Random().nextInt() & 0x7fffffff));
-            AlgorithmId algID = AlgorithmId.get(sigAlg);
-            info.set(X509CertInfo.ALGORITHM_ID,
-                     new CertificateAlgorithmId(algID));
-            info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
-            info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
-            info.set(X509CertInfo.VALIDITY, interval);
-            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
-
-            cert = new X509CertImpl(info);
-            cert.sign(privateKey, this.sigAlg);
-
-            return (X509Certificate)cert;
-
-        } catch (IOException e) {
-             throw new CertificateEncodingException("getSelfCert: " +
-                                                    e.getMessage());
-        }
-    }
-
-    // Keep the old method
-    public X509Certificate getSelfCertificate (X500Name myname, long validity)
-    throws CertificateException, InvalidKeyException, SignatureException,
-        NoSuchAlgorithmException, NoSuchProviderException
-    {
-        return getSelfCertificate(myname, new Date(), validity);
-    }
-
-    /**
-     * Returns a PKCS #10 certificate request.  The caller uses either
-     * <code>PKCS10.print</code> or <code>PKCS10.toByteArray</code>
-     * operations on the result, to get the request in an appropriate
-     * transmission format.
-     *
-     * <P>PKCS #10 certificate requests are sent, along with some proof
-     * of identity, to Certificate Authorities (CAs) which then issue
-     * X.509 public key certificates.
-     *
-     * @param myname X.500 name of the subject
-     * @exception InvalidKeyException on key handling errors.
-     * @exception SignatureException on signature handling errors.
-     */
-    public PKCS10 getCertRequest (X500Name myname)
-    throws InvalidKeyException, SignatureException
-    {
-        PKCS10  req = new PKCS10 (publicKey);
-
-        try {
-            Signature signature = Signature.getInstance(sigAlg);
-            signature.initSign (privateKey);
-            req.encodeAndSign(myname, signature);
-
-        } catch (CertificateException e) {
-            throw new SignatureException (sigAlg + " CertificateException");
-
-        } catch (IOException e) {
-            throw new SignatureException (sigAlg + " IOException");
-
-        } catch (NoSuchAlgorithmException e) {
-            // "can't happen"
-            throw new SignatureException (sigAlg + " unavailable?");
-        }
-        return req;
-    }
-
-    private SecureRandom        prng;
-    private String              sigAlg;
-    private KeyPairGenerator    keyGen;
-    private PublicKey           publicKey;
-    private PrivateKey          privateKey;
-}
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "Eastern Daylight Time", "EDT"};
         String EST_NSW[] = new String[] {"Eastern Standard Time (New South Wales)", "EST",
                                          "Eastern Summer Time (New South Wales)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Ghana Mean Time", "GMT",
                                      "Ghana Summer Time", "GHST"};
         String GAMBIER[] =  new String[] {"Gambier Time", "GAMT",
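Review bot: The new `FET` array has no comment saying where its names come from, and the same English strings are added unchanged to the localized bundles later in this changeset (`TimeZoneNames_de.java`, `_es`, `_fr`, `_it`, `_ja`, `_ko`, `_pt_BR`, `_sv`). Those locales will presumably show English text for every zone mapped to `FET`. I would add a line above the definition, such as `// FET names are not yet localized; TimeZoneNames_*.java carry the same English strings.`, so the gap is visible to whoever next updates the translations. The enclosing method begins and ends outside this hunk.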
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Samoa Standard Time", "SST",
                                        "Samoa Daylight Time", "SDT"};
         String WST_SAMOA[] = new String[] {"West Samoa Time", "WST",
-                                           "West Samoa Summer Time", "WSST"};
+                                           "West Samoa Daylight Time", "WSDT"};
         String ChST[] = new String[] {"Chamorro Standard Time", "ChST",
                                       "Chamorro Daylight Time", "ChDT"};
         String VICTORIA[] = new String[] {"Eastern Standard Time (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Tajikistan Summer Time", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Hovd Time", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
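Review bot: The Kaliningrad entry loses its own `KALT`/`KALST` names and Kiev moves from `EET` to `FET` here, but nothing in the table records the change; Minsk, Simferopol, Uzhgorod and Zaporozhye follow in the later hunks. This changes the zone text that date formatting emits for these IDs. Anything that parses or matches zone abbreviations written by an earlier build, log timestamps for example, may stop matching. A short comment next to the entries would help, such as `// Was KALT/KALST (Kaliningrad) and EET (Kiev) before the switch to FET.` The table initializer starts and ends outside this hunk.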
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Samara Summer Time", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Volgograd Summer Time", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "\u00d6stliche Sommerzeit", "EDT"};
         String EST_NSW[] = new String[] {"\u00d6stliche Normalzeit (New South Wales)", "EST",
                                          "\u00d6stliche Sommerzeit (New South Wales)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Ghanaische Normalzeit", "GMT",
                                       "Ghanaische Sommerzeit", "GHST"};
         String GAMBIER[] =  new String[] {"Gambier Zeit", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Samoa Normalzeit", "SST",
                                        "Samoa Sommerzeit", "SDT"};
         String WST_SAMOA[] = new String[] {"West Samoa Zeit", "WST",
-                                           "West Samoa Sommerzeit", "WSST"};
+                                           "West Samoa Sommerzeit", "WSDT"};
         String ChST[] = new String[] {"Chamorro Normalzeit", "ChST",
                       "Chamorro Sommerzeit", "ChDT"};
         String VICTORIA[] = new String[] {"\u00d6stliche Normalzeit (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Tadschikische Sommerzeit", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Hovd Zeit", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Samarische Sommerzeit", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Wolgograder Sommerzeit", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "Hora de verano Oriental", "EDT"};
         String EST_NSW[] = new String[] {"Hora est\u00e1ndar Oriental (Nueva Gales del Sur)", "EST",
                                          "Hora de verano Oriental (Nueva Gales del Sur)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Hora central de Ghana", "GMT",
                                       "Hora de verano de Ghana", "GHST"};
         String GAMBIER[] =  new String[] {"Hora de Gambier", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Hora est\u00e1ndar de Samoa", "SST",
                                        "Hora de verano de Samoa", "SDT"};
         String WST_SAMOA[] = new String[] {"Hora de Samoa Occidental", "WST",
-                                           "Hora de verano de Samoa Occidental", "WSST"};
+                                           "Hora de verano de Samoa Occidental", "WSDT"};
         String ChST[] = new String[] {"Hora est\u00e1ndar de Chamorro", "ChST",
                                       "Hora de verano de Chamorro", "ChDT"};
         String VICTORIA[] = new String[] {"Hora est\u00e1ndar del Este (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Hora de verano de Tajikist\u00e1n", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Hora de Hovd", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Hora de verano de Samara", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Hora de verano de Volgogrado", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "Heure avanc\u00e9e de l'Est", "EDT"} ;
         String EST_NSW[] = new String[] {"Heure normale de l'Est (Nouvelle-Galles du Sud)", "EST",
                                          "Heure d'\u00e9t\u00e9 de l'Est (Nouvelle-Galles du Sud)", "EST"} ;
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Heure du Ghana", "GMT",
                                       "Heure d'\u00e9t\u00e9 du Ghana", "GHST"};
         String GAMBIER[] =  new String[] {"Heure de Gambi", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Heure standard de Samoa", "SST",
                                        "Heure avanc\u00e9e de Samoa", "SDT"};
         String WST_SAMOA[] = new String[] {"Heure des Samoas occidentales", "WST",
-                                           "Heure d'\u00e9t\u00e9 des Samoas occidentales", "WSST"} ;
+                                           "Heure d'\u00e9t\u00e9 des Samoas occidentales", "WSDT"} ;
         String ChST[] = new String[] {"Heure normale des \u00eeles Mariannes", "ChST",
                       "Heure d'\u00e9t\u00e9 des \u00eeles Mariannes", "ChDT"};
         String VICTORIA[] = new String[] {"Heure standard d'Australie orientale (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Heure d'\u00e9t\u00e9 du Tadjikistan", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Heure de Hovd", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Heure d'\u00e9t\u00e9 de Samara", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Heure d'\u00e9t\u00e9 de Volgograd", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "Ora legale USA orientale", "EDT"};
         String EST_NSW[] = new String[] {"Ora solare dell'Australia orientale (Nuovo Galles del Sud)", "EST",
                                          "Ora estiva dell'Australia orientale (Nuovo Galles del Sud)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Ora media del Ghana", "GMT",
                                       "Ora legale del Ghana", "GHST"};
         String GAMBIER[] =  new String[] {"Ora di Gambier", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Ora standard di Samoa", "SST",
                                        "Ora legale di Samoa", "SDT"};
         String WST_SAMOA[] = new String[] {"Ora di Samoa", "WST",
-                                           "Ora estiva di Samoa", "WSST"};
+                                           "Ora estiva di Samoa", "WSDT"};
         String ChST[] = new String[] {"Ora standard di Chamorro", "ChST",
                               "Ora legale di Chamorro", "ChDT"};
         String VICTORIA[] = new String[] {"Ora orientale standard (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Ora estiva del Tagikistan", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Ora di Hovd", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Ora estiva di Samara", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Ora estiva di Volgograd", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "\u6771\u90e8\u590f\u6642\u9593", "EDT"};
         String EST_NSW[] = new String[] {"\u6771\u90e8\u6a19\u6e96\u6642 (\u30cb\u30e5\u30fc\u30b5\u30a6\u30b9\u30a6\u30a7\u30fc\u30eb\u30ba)", "EST",
                                          "\u6771\u90e8\u590f\u6642\u9593 (\u30cb\u30e5\u30fc\u30b5\u30a6\u30b9\u30a6\u30a7\u30fc\u30eb\u30ba)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"\u30ac\u30fc\u30ca\u6a19\u6e96\u6642", "GMT",
                                      "\u30ac\u30fc\u30ca\u590f\u6642\u9593", "GHST"};
         String GAMBIER[] =  new String[] {"\u30ac\u30f3\u30d3\u30a2\u6642\u9593", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"\u30b5\u30e2\u30a2\u6a19\u6e96\u6642", "SST",
                                        "\u30b5\u30e2\u30a2\u590f\u6642\u9593", "SDT"};
         String WST_SAMOA[] = new String[] {"\u897f\u30b5\u30e2\u30a2\u6642\u9593", "WST",
-                                           "\u897f\u30b5\u30e2\u30a2\u590f\u6642\u9593", "WSST"};
+                                           "\u897f\u30b5\u30e2\u30a2\u590f\u6642\u9593", "WSDT"};
         String ChST[] = new String[] {"\u30b0\u30a2\u30e0\u6a19\u6e96\u6642", "ChST",
                                       "\u30b0\u30a2\u30e0\u590f\u6642\u9593", "ChDT"};
         String VICTORIA[] = new String[] {"\u6771\u90e8\u6a19\u6e96\u6642 (\u30d3\u30af\u30c8\u30ea\u30a2)", "EST",
@@ -511,6 +513,7 @@
                                             "\u30bf\u30b8\u30ad\u30b9\u30bf\u30f3\u590f\u6642\u9593", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"\u30db\u30d6\u30c9\u6642\u9593", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "\u30b5\u30de\u30e9\u590f\u6642\u9593", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "\u30dc\u30eb\u30b4\u30b0\u30e9\u30fc\u30c9\u590f\u6642\u9593", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "\ub3d9\ubd80 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "EDT"};
         String EST_NSW[] = new String[] {"\ub3d9\ubd80 \ud45c\uc900\uc2dc(\ub274 \uc0ac\uc6b0\uc2a4 \uc6e8\uc77c\uc988)", "EST",
                                          "\ub3d9\ubd80 \uc77c\uad11\uc808\uc57d\uc2dc\uac04(\ub274 \uc0ac\uc6b0\uc2a4 \uc6e8\uc77c\uc988)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"\uac00\ub098 \ud45c\uc900\uc2dc", "GMT",
                                      "\uac00\ub098 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "GHST"};
         String GAMBIER[] =  new String[] {"\uac10\ube44\uc544 \uc2dc\uac04", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"\uc0ac\ubaa8\uc544 \ud45c\uc900\uc2dc", "SST",
                                        "\uc0ac\ubaa8\uc544 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "SDT"};
         String WST_SAMOA[] = new String[] {"\uc11c\uc0ac\ubaa8\uc544 \uc2dc\uac04", "WST",
-                                           "\uc11c\uc0ac\ubaa8\uc544 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "WSST"};
+                                           "\uc11c\uc0ac\ubaa8\uc544 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "WSDT"};
         String ChST[] = new String[] {"\ucc28\ubaa8\ub85c \ud45c\uc900\uc2dc", "ChST",
                                       "\ucc28\ubaa8\ub85c \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "ChDT"};
         String VICTORIA[] = new String[] {"\ub3d9\ubd80 \ud45c\uc900\uc2dc(\ube45\ud1a0\ub9ac\uc544)", "EST",
@@ -511,6 +513,7 @@
                                             "\ud0c0\uc9c0\ud0a4\uc2a4\ud0c4 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Hovd \uc2dc\uac04", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "\uc0ac\ub9c8\ub77c \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "\ubcfc\uace0\uadf8\ub77c\ub4dc \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java	Wed Jul 05 17:54:13 2017 +0200
@@ -101,6 +101,8 @@
                                      "Hor\u00e1rio de luz natural oriental", "EDT"};
         String EST_NSW[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o oriental (Nova Gales do Sul)", "EST",
                                          "Fuso hor\u00e1rio de ver\u00e3o oriental (Nova Gales do Sul)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Fuso hor\u00e1rio do meridiano de Gana", "GMT",
                                       "Fuso hor\u00e1rio de ver\u00e3o de Gana", "GHST"};
         String GAMBIER[] =  new String[] {"Fuso hor\u00e1rio de Gambier", "GAMT",
@@ -184,7 +186,7 @@
         String SAMOA[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o de Samoa", "SST",
                                        "Hor\u00e1rio de luz natural de Samoa", "SDT"};
         String WST_SAMOA[] = new String[] {"Fuso hor\u00e1rio de Samoa Ocidental", "WST",
-                                           "Fuso hor\u00e1rio de ver\u00e3o de Samoa Ocidental", "WSST"};
+                                           "Fuso hor\u00e1rio de ver\u00e3o de Samoa Ocidental", "WSDT"};
         String ChST[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o de Chamorro", "ChST",
                                       "Hor\u00e1rio de luz natural de Chamorro", "ChDT"};
         String VICTORIA[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o oriental (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Fuso hor\u00e1rio de ver\u00e3o do Tadjiquist\u00e3o", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Fuso hor\u00e1rio de Hovd", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Fuso hor\u00e1rio de ver\u00e3o de Samara", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Fuso hor\u00e1rio de ver\u00e3o de Volgogrado", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "Eastern, sommartid", "EDT"};
         String EST_NSW[] = new String[] {"Eastern, normaltid (Nya Sydwales)", "EST",
                                          "Eastern, sommartid (Nya Sydwales)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"Ghana, normaltid", "GMT",
                                       "Ghana, sommartid", "GHST"};
         String GAMBIER[] =  new String[] {"Gambier, normaltid", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"Samoa, normaltid", "SST",
                                        "Samoa, sommartid", "SDT"};
         String WST_SAMOA[] = new String[] {"V\u00e4stsamoansk tid", "WST",
-                                           "V\u00e4stsamoansk sommartid", "WSST"};
+                                           "V\u00e4stsamoansk sommartid", "WSDT"};
         String ChST[] = new String[] {"Chamorro, normaltid", "ChST",
                                       "Chamorro, sommartid", "ChDT"};
         String VICTORIA[] = new String[] {"\u00d6stlig normaltid (Victoria)", "EST",
@@ -511,6 +513,7 @@
                                             "Tadzjikistan, sommartid", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"Hovd, normaltid", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "Samara, sommartid", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "Volgograd, sommartid", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "\u4e1c\u90e8\u590f\u4ee4\u65f6", "EDT"};
         String EST_NSW[] = new String[] {"\u4e1c\u90e8\u6807\u51c6\u65f6\u95f4\uff08\u65b0\u5357\u5a01\u5c14\u65af\uff09", "EST",
                                          "\u4e1c\u90e8\u590f\u4ee4\u65f6\uff08\u65b0\u5357\u5a01\u5c14\u65af\uff09", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"\u52a0\u7eb3\u65f6\u95f4", "GMT",
                                      "\u52a0\u7eb3\u590f\u4ee4\u65f6", "GHST"};
         String GAMBIER[] =  new String[] {"\u5188\u6bd4\u4e9a\u65f6\u95f4", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"\u8428\u6469\u4e9a\u7fa4\u5c9b\u6807\u51c6\u65f6\u95f4", "SST",
                                        "\u8428\u6469\u4e9a\u7fa4\u5c9b\u590f\u4ee4\u65f6", "SDT"};
         String WST_SAMOA[] = new String[] {"\u897f\u8428\u6469\u4e9a\u65f6\u95f4", "WST",
-                                           "\u897f\u8428\u6469\u4e9a\u590f\u4ee4\u65f6", "WSST"};
+                                           "\u897f\u8428\u6469\u4e9a\u590f\u4ee4\u65f6", "WSDT"};
         String ChST[] = new String[] {"Chamorro \u6807\u51c6\u65f6\u95f4", "ChST",
                                       "Chamorro \u590f\u4ee4\u65f6", "ChDT"};
         String VICTORIA[] = new String[] {"\u4e1c\u90e8\u6807\u51c6\u65f6\u95f4\uff08\u7ef4\u591a\u5229\u4e9a\uff09", "EST",
@@ -511,6 +513,7 @@
                                             "\u5854\u5409\u514b\u65af\u5766\u590f\u4ee4\u65f6", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"\u79d1\u5e03\u591a\u65f6\u95f4", "HOVT",
@@ -674,9 +677,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -684,7 +686,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -697,14 +699,14 @@
                                             "\u6c99\u9a6c\u62c9\u590f\u4ee4\u65f6", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -713,7 +715,7 @@
                                                "\u4f0f\u5c14\u52a0\u683c\u52d2\u590f\u4ee4\u65f6", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java	Wed Jul 05 17:54:13 2017 +0200
@@ -103,6 +103,8 @@
                                      "\u6771\u65b9\u65e5\u5149\u7bc0\u7d04\u6642\u9593", "EDT"};
         String EST_NSW[] = new String[] {"\u6771\u65b9\u6a19\u6e96\u6642\u9593 (\u65b0\u5357\u5a01\u723e\u65af)", "EST",
                                          "\u6771\u65b9\u590f\u4ee4\u6642\u9593 (\u65b0\u5357\u5a01\u723e\u65af)", "EST"};
+        String FET[] = new String[] {"Further-eastern European Time", "FET",
+                                     "Further-eastern European Summer Time", "FEST"};
         String GHMT[] = new String[] {"\u8fe6\u7d0d\u5e73\u5747\u6642\u9593", "GMT",
                                       "\u8fe6\u7d0d\u590f\u4ee4\u6642\u9593", "GHST"};
         String GAMBIER[] =  new String[] {"\u7518\u6bd4\u723e\u6642\u9593", "GAMT",
@@ -186,7 +188,7 @@
         String SAMOA[] = new String[] {"\u85a9\u6469\u4e9e\u6a19\u6e96\u6642\u9593", "SST",
                                        "\u85a9\u6469\u4e9e\u65e5\u5149\u7bc0\u7d04\u6642\u9593", "SDT"};
         String WST_SAMOA[] = new String[] {"\u897f\u85a9\u6469\u4e9e\u6642\u9593", "WST",
-                                           "\u897f\u85a9\u6469\u4e9e\u590f\u4ee4\u6642\u9593", "WSST"};
+                                           "\u897f\u85a9\u6469\u4e9e\u590f\u4ee4\u6642\u9593", "WSDT"};
         String ChST[] = new String[] {"\u67e5\u83ab\u6d1b\u6a19\u6e96\u6642\u9593", "ChST",
                                      "\u67e5\u83ab\u6d1b\u65e5\u5149\u7bc0\u7d04\u6642\u9593", "ChDT"};
         String VICTORIA[] = new String[] {"\u6771\u90e8\u6a19\u6e96\u6642\u9593 (\u7dad\u591a\u5229\u4e9e\u90a6)", "EST",
@@ -511,6 +513,7 @@
                                             "\u5854\u5409\u514b\u590f\u4ee4\u6642\u9593", "TJST"}},
             {"Asia/Gaza", EET},
             {"Asia/Harbin", CTT},
+            {"Asia/Hebron", EET},
             {"Asia/Ho_Chi_Minh", ICT},
             {"Asia/Hong_Kong", HKT},
             {"Asia/Hovd", new String[] {"\u4faf\u5fb7 (Hovd) \u6642\u9593", "HOVT",
@@ -675,9 +678,8 @@
             {"Europe/Isle_of_Man", GMTBST},
             {"Europe/Istanbul", EET},
             {"Europe/Jersey", GMTBST},
-            {"Europe/Kaliningrad", new String[] {"Kaliningrad Time", "KALT",
-                                                 "Kaliningrad Summer Time", "KALST"}},
-            {"Europe/Kiev", EET},
+            {"Europe/Kaliningrad", FET},
+            {"Europe/Kiev", FET},
             {"Europe/Lisbon", WET},
             {"Europe/Ljubljana", CET},
             {"Europe/London", GMTBST},
@@ -685,7 +687,7 @@
             {"Europe/Madrid", CET},
             {"Europe/Malta", CET},
             {"Europe/Mariehamn", EET},
-            {"Europe/Minsk", EET},
+            {"Europe/Minsk", FET},
             {"Europe/Monaco", CET},
             {"Europe/Moscow", MSK},
             {"Europe/Nicosia", EET},
@@ -698,14 +700,14 @@
                                             "\u6c99\u99ac\u62c9\u590f\u4ee4\u6642\u9593", "SAMST"}},
             {"Europe/San_Marino", CET},
             {"Europe/Sarajevo", CET},
-            {"Europe/Simferopol", EET},
+            {"Europe/Simferopol", FET},
             {"Europe/Skopje", CET},
             {"Europe/Sofia", EET},
             {"Europe/Stockholm", CET},
             {"Europe/Tallinn", EET},
             {"Europe/Tirane", CET},
             {"Europe/Tiraspol", EET},
-            {"Europe/Uzhgorod", EET},
+            {"Europe/Uzhgorod", FET},
             {"Europe/Vaduz", CET},
             {"Europe/Vatican", CET},
             {"Europe/Vienna", CET},
@@ -714,7 +716,7 @@
                                                "\u4f0f\u723e\u52a0\u683c\u52d2\u590f\u4ee4\u6642\u9593", "VOLST"}},
             {"Europe/Warsaw", CET},
             {"Europe/Zagreb", CET},
-            {"Europe/Zaporozhye", EET},
+            {"Europe/Zaporozhye", FET},
             {"Europe/Zurich", CET},
             {"GB", GMTBST},
             {"GB-Eire", GMTBST},
--- a/jdk/src/share/lib/security/sunpkcs11-solaris.cfg	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/lib/security/sunpkcs11-solaris.cfg	Wed Jul 05 17:54:13 2017 +0200
@@ -11,6 +11,9 @@
 
 handleStartupErrors = ignoreAll
 
+# Use the X9.63 encoding for EC points (do not wrap in an ASN.1 OctetString).
+useEcX963Encoding = true
+
 attributes = compatibility
 
 disabledMechanisms = {
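Review bot: The comment on `useEcX963Encoding` says what the option does but not why the Solaris configuration needs it or what fails when it is set wrongly. The setting changes how EC points are encoded, so a mismatch with what the underlying PKCS#11 library expects would presumably surface as EC keys that fail to import or parse, which is hard to trace back to this line. I would extend the comment, for example `# The Solaris PKCS#11 library is assumed to expect raw X9.63 EC points; set to false for a library that wraps them in an ASN.1 OctetString.`, after confirming that assumption.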
--- a/jdk/src/share/native/java/io/ObjectInputStream.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/java/io/ObjectInputStream.c	Wed Jul 05 17:54:13 2017 +0200
@@ -173,16 +173,3 @@
     (*env)->ReleasePrimitiveArrayCritical(env, dst, doubles, 0);
 }
 
-/*
- * Class:     java_io_ObjectInputStream
- * Method:    latestUserDefinedLoader
- * Signature: ()Ljava/lang/ClassLoader;
- *
- * Returns the first non-null class loader up the execution stack, or null
- * if only code from the null class loader is on the stack.
- */
-JNIEXPORT jobject JNICALL
-Java_java_io_ObjectInputStream_latestUserDefinedLoader(JNIEnv *env, jclass cls)
-{
-    return JVM_LatestUserDefinedLoader(env);
-}
--- a/jdk/src/share/native/sun/misc/VM.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/misc/VM.c	Wed Jul 05 17:54:13 2017 +0200
@@ -111,6 +111,11 @@
     get_thread_state_info(env, JAVA_THREAD_STATE_TERMINATED, values, names);
 }
 
+JNIEXPORT jobject JNICALL
+Java_sun_misc_VM_latestUserDefinedLoader(JNIEnv *env, jclass cls) {
+    return JVM_LatestUserDefinedLoader(env);
+}
+
 typedef void (JNICALL *GetJvmVersionInfo_fp)(JNIEnv*, jvm_version_info*, size_t);
 
 JNIEXPORT void JNICALL
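Review bot: The added `Java_sun_misc_VM_latestUserDefinedLoader` has no header comment, while the two copies this changeset deletes (in ObjectInputStream.c and MarshalInputStream.c) each carried the Class/Method/Signature block and a description of the return value. I would carry that block over with the class line changed to `sun_misc_VM`, keeping the sentence `Returns the first non-null class loader up the execution stack, or null if only code from the null class loader is on the stack.` Because the entry point now sits on a shared class rather than on the two stream classes, the comment should also name the intended callers. The Java-side declaration is not part of this hunk, so its access level cannot be checked from here.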
--- a/jdk/src/share/native/sun/rmi/server/MarshalInputStream.c	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 2000, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-#include "jni.h"
-#include "jvm.h"
-#include "jni_util.h"
-
-#include "sun_rmi_server_MarshalInputStream.h"
-
-/*
- * Class:     sun_rmi_server_MarshalInputStream
- * Method:    latestUserDefinedLoader
- * Signature: ()Ljava/lang/ClassLoader;
- *
- * Returns the first non-null class loader up the execution stack, or null
- * if only code from the null class loader is on the stack.
- */
-JNIEXPORT jobject JNICALL
-Java_sun_rmi_server_MarshalInputStream_latestUserDefinedLoader(JNIEnv *env, jclass cls)
-{
-    return JVM_LatestUserDefinedLoader(env);
-}
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	Wed Jul 05 17:54:13 2017 +0200
@@ -273,7 +273,7 @@
     /* allocate memory for CK_VERSION pointer */
     ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION));
     if (ckpVersion == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     ckpVersion->major = jByteToCKByte(jMajor);
@@ -326,7 +326,7 @@
     /* allocate memory for CK_DATE pointer */
     ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE));
     if (ckpDate == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -340,7 +340,7 @@
         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
         if (jTempChars == NULL) {
             free(ckpDate);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         (*env)->GetCharArrayRegion(env, jYear, 0, ckLength, jTempChars);
@@ -364,7 +364,7 @@
         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
         if (jTempChars == NULL) {
             free(ckpDate);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         (*env)->GetCharArrayRegion(env, jMonth, 0, ckLength, jTempChars);
@@ -388,7 +388,7 @@
         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
         if (jTempChars == NULL) {
             free(ckpDate);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         (*env)->GetCharArrayRegion(env, jDay, 0, ckLength, jTempChars);
@@ -558,7 +558,7 @@
     if (ckParam.pulOutputLen == NULL) {
         free(ckParam.pSeed);
         free(ckParam.pLabel);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return ckParam;
     }
     jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen);
@@ -665,7 +665,7 @@
     if (ckParam.pReturnedKeyMaterial == NULL) {
         free(ckParam.RandomInfo.pClientRandom);
         free(ckParam.RandomInfo.pServerRandom);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return ckParam;
     }
 
@@ -1013,7 +1013,7 @@
 
         ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1040,7 +1040,7 @@
 
         ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1067,7 +1067,7 @@
 
         ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1094,7 +1094,7 @@
 
         ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1121,7 +1121,7 @@
 
         ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1148,7 +1148,7 @@
 
         ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1175,7 +1175,7 @@
 
         ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1202,7 +1202,7 @@
 
         ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1229,7 +1229,7 @@
 
         ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1256,7 +1256,7 @@
 
         ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1283,7 +1283,7 @@
 
         ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
@@ -1310,7 +1310,7 @@
 
         ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
         if (ckpParam == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
 
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c	Wed Jul 05 17:54:13 2017 +0200
@@ -131,7 +131,7 @@
         /* always use single part op, even for large data */
         bufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (bufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0;
         }
     }
@@ -190,7 +190,7 @@
         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
         bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
         if (bufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
     }
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c	Wed Jul 05 17:54:13 2017 +0200
@@ -92,7 +92,7 @@
     ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE));
     if (ckpEncryptedPart == NULL) {
         free(ckpPart);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -144,7 +144,7 @@
     ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE));
     if (ckpPart == NULL) {
         free(ckpEncryptedPart);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -196,7 +196,7 @@
     ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE));
     if (ckpEncryptedPart == NULL) {
         free(ckpPart);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -248,7 +248,7 @@
     ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE));
     if (ckpPart == NULL) {
         free(ckpEncryptedPart);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c	Wed Jul 05 17:54:13 2017 +0200
@@ -71,7 +71,10 @@
 jclass jByteArrayClass;
 jclass jLongClass;
 
+JavaVM* jvm = NULL;
+
 JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void *reserved) {
+    jvm = vm;
     return JNI_VERSION_1_4;
 }
 
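Review bot: The new global `jvm` is defined with external linkage under a very generic name, and its users in p11_mutex.c (`callJCreateMutex`, `callJDestroyMutex`, `callJLockMutex`, `callJUnlockMutex`) and in the p11_sessmgmt.c callback hunk reach it through block-scope `extern JavaVM *jvm;` declarations rather than one shared declaration. With the declaration repeated per function, the compiler cannot check that the definition and its uses agree. A symbol called `jvm` can also collide with another library loaded into the same process unless the build hides it, which is not visible here. I would declare it once in the wrapper's common header and add a comment at the definition such as `/* Cached in JNI_OnLoad; read by the PKCS#11 mutex and notify callbacks, not modified afterwards. */`.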
@@ -351,7 +354,7 @@
 
     ckpSlotList = (CK_SLOT_ID_PTR) malloc(ckTokenNumber * sizeof(CK_SLOT_ID));
     if (ckpSlotList == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -652,7 +655,7 @@
     ckpMechanismList = (CK_MECHANISM_TYPE_PTR)
       malloc(ckMechanismNumber * sizeof(CK_MECHANISM_TYPE));
     if (ckpMechanismList == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c	Wed Jul 05 17:54:13 2017 +0200
@@ -165,7 +165,7 @@
         if (ckMechanism.pParameter != NULL_PTR) {
             free(ckMechanism.pParameter);
         }
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     ckpPublicKeyHandle = ckpKeyHandles;   /* first element of array is Public Key */
@@ -253,7 +253,7 @@
             if (ckMechanism.pParameter != NULL_PTR) {
                 free(ckMechanism.pParameter);
             }
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
 
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c	Wed Jul 05 17:54:13 2017 +0200
@@ -92,7 +92,7 @@
     /* convert the Java InitArgs object to a pointer to a CK_C_INITIALIZE_ARGS structure */
     ckpInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS));
     if (ckpInitArgs == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL_PTR;
     }
 
@@ -141,7 +141,7 @@
         ckpGlobalInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS));
         if (ckpGlobalInitArgs == NULL) {
             free(ckpInitArgs);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL_PTR;
         }
 
@@ -178,9 +178,8 @@
  */
 CK_RV callJCreateMutex(CK_VOID_PTR_PTR ppMutex)
 {
-    JavaVM *jvm;
+    extern JavaVM *jvm;
     JNIEnv *env;
-    jsize actualNumberVMs;
     jint returnValue;
     jthrowable pkcs11Exception;
     jclass pkcs11ExceptionClass;
@@ -196,8 +195,7 @@
 
 
     /* Get the currently running Java VM */
-    returnValue = JNI_GetCreatedJavaVMs(&jvm, (jsize) 1, &actualNumberVMs);
-    if ((returnValue != 0) || (actualNumberVMs <= 0)) { return rv ;} /* there is no VM running */
+    if (jvm == NULL) { return rv ;} /* there is no VM running */
 
     /* Determine, if current thread is already attached */
     returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2);
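Review bot: The comments around the new check are stale: `/* Get the currently running Java VM */` no longer describes a lookup, and `/* there is no VM running */` now means that JNI_OnLoad has not stored the pointer. I would reword them to `/* Use the JavaVM cached by JNI_OnLoad */` and `/* JNI_OnLoad has not run yet */`. The same two comments are kept in the matching hunks for callJDestroyMutex, callJLockMutex and callJUnlockMutex and in the p11_sessmgmt.c hunk. The enclosing function, presumably callJCreateMutex, starts and ends outside this hunk.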
@@ -273,9 +271,8 @@
  */
 CK_RV callJDestroyMutex(CK_VOID_PTR pMutex)
 {
-    JavaVM *jvm;
+    extern JavaVM *jvm;
     JNIEnv *env;
-    jsize actualNumberVMs;
     jint returnValue;
     jthrowable pkcs11Exception;
     jclass pkcs11ExceptionClass;
@@ -291,8 +288,7 @@
 
 
     /* Get the currently running Java VM */
-    returnValue = JNI_GetCreatedJavaVMs(&jvm, (jsize) 1, &actualNumberVMs);
-    if ((returnValue != 0) || (actualNumberVMs <= 0)) { return rv ; } /* there is no VM running */
+    if (jvm == NULL) { return rv ; } /* there is no VM running */
 
     /* Determine, if current thread is already attached */
     returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2);
@@ -367,9 +363,8 @@
  */
 CK_RV callJLockMutex(CK_VOID_PTR pMutex)
 {
-    JavaVM *jvm;
+    extern JavaVM *jvm;
     JNIEnv *env;
-    jsize actualNumberVMs;
     jint returnValue;
     jthrowable pkcs11Exception;
     jclass pkcs11ExceptionClass;
@@ -385,8 +380,7 @@
 
 
     /* Get the currently running Java VM */
-    returnValue = JNI_GetCreatedJavaVMs(&jvm, (jsize) 1, &actualNumberVMs);
-    if ((returnValue != 0) || (actualNumberVMs <= 0)) { return rv ; } /* there is no VM running */
+    if (jvm == NULL) { return rv ; } /* there is no VM running */
 
     /* Determine, if current thread is already attached */
     returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2);
@@ -457,9 +451,8 @@
  */
 CK_RV callJUnlockMutex(CK_VOID_PTR pMutex)
 {
-    JavaVM *jvm;
+    extern JavaVM *jvm;
     JNIEnv *env;
-    jsize actualNumberVMs;
     jint returnValue;
     jthrowable pkcs11Exception;
     jclass pkcs11ExceptionClass;
@@ -475,8 +468,7 @@
 
 
     /* Get the currently running Java VM */
-    returnValue = JNI_GetCreatedJavaVMs(&jvm, (jsize) 1, &actualNumberVMs);
-    if ((returnValue != 0) || (actualNumberVMs <= 0)) { return rv ; } /* there is no VM running */
+    if (jvm == NULL) { return rv ; } /* there is no VM running */
 
     /* Determine, if current thread is already attached */
     returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2);
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c	Wed Jul 05 17:54:13 2017 +0200
@@ -258,7 +258,7 @@
         ckpAttributes[i].pValue = (void *) malloc(ckBufferLength);
         if (ckpAttributes[i].pValue == NULL) {
             freeCKAttributeArray(ckpAttributes, i);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
         ckpAttributes[i].ulValueLen = ckBufferLength;
@@ -390,7 +390,7 @@
     ckMaxObjectLength = jLongToCKULong(jMaxObjectCount);
     ckpObjectHandleArray = (CK_OBJECT_HANDLE_PTR) malloc(sizeof(CK_OBJECT_HANDLE) * ckMaxObjectLength);
     if (ckpObjectHandleArray == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
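Review bot: The allocation size in the context lines, `sizeof(CK_OBJECT_HANDLE) * ckMaxObjectLength`, is computed without an overflow check, and `ckMaxObjectLength` is converted directly from the Java-supplied `jMaxObjectCount`. If the product wraps, malloc returns a buffer smaller than the count that is presumably handed to the token afterwards (that call is outside the hunk), and the NULL check touched here would not catch it. A guard before the malloc would close this: `if (ckMaxObjectLength > ((size_t)-1) / sizeof(CK_OBJECT_HANDLE)) { throwOutOfMemoryError(env, 0); return NULL; }`. The count-times-size allocations in the p11_general.c hunks (`ckTokenNumber`, `ckMechanismNumber`) have the same shape, though where those counts come from is not visible here.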
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c	Wed Jul 05 17:54:13 2017 +0200
@@ -98,7 +98,7 @@
     if (jNotify != NULL) {
         notifyEncapsulation = (NotifyEncapsulation *) malloc(sizeof(NotifyEncapsulation));
         if (notifyEncapsulation == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0L;
         }
         notifyEncapsulation->jApplicationData = (jApplication != NULL)
@@ -301,7 +301,7 @@
 
     ckpState = (CK_BYTE_PTR) malloc(ckStateLength);
     if (ckpState == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -435,7 +435,7 @@
 
     newNode = (NotifyListNode *) malloc(sizeof(NotifyListNode));
     if (newNode == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     newNode->hSession = hSession;
@@ -558,9 +558,8 @@
 )
 {
     NotifyEncapsulation *notifyEncapsulation;
-    JavaVM *jvm;
+    extern JavaVM *jvm;
     JNIEnv *env;
-    jsize actualNumberVMs;
     jint returnValue;
     jlong jSessionHandle;
     jlong jEvent;
@@ -577,8 +576,7 @@
     notifyEncapsulation = (NotifyEncapsulation *) pApplication;
 
     /* Get the currently running Java VM */
-    returnValue = JNI_GetCreatedJavaVMs(&jvm, (jsize) 1, &actualNumberVMs);
-    if ((returnValue != 0) || (actualNumberVMs <= 0)) { return rv ; } /* there is no VM running */
+    if (jvm == NULL) { return rv ; } /* there is no VM running */
 
     /* Determine, if current thread is already attached */
     returnValue = (*jvm)->GetEnv(jvm, (void **) &env, JNI_VERSION_1_2);
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c	Wed Jul 05 17:54:13 2017 +0200
@@ -132,7 +132,7 @@
     ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
     if (ckpSignature == NULL) {
         free(ckpData);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
 
@@ -146,7 +146,7 @@
     ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE));
     if (ckpSignature == NULL) {
         free(ckpData);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
@@ -156,7 +156,7 @@
         ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
         if (ckpSignature == NULL) {
             free(ckpData);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
@@ -210,7 +210,7 @@
         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
         bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
         if (bufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
     }
@@ -270,7 +270,7 @@
     if (rv == CKR_BUFFER_TOO_SMALL) {
         bufP = (CK_BYTE_PTR) malloc(ckSignatureLength);
         if (bufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength);
@@ -355,7 +355,7 @@
     } else {
         inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (inBufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0;
         }
     }
@@ -373,7 +373,7 @@
             if (inBufP != INBUF) {
                 free(inBufP);
             }
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0;
         }
         rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength);
@@ -508,7 +508,7 @@
         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
         bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
         if (bufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
     }
@@ -638,7 +638,7 @@
     } else {
         inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (inBufP == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0;
         }
     }
@@ -656,7 +656,7 @@
         outBufP = (CK_BYTE_PTR) malloc(ckDataLength);
         if (outBufP == NULL) {
             if (inBufP != INBUF) { free(inBufP); }
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return 0;
         }
         rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength);
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c	Wed Jul 05 17:54:13 2017 +0200
@@ -213,28 +213,52 @@
     return jErrorCode ;
 }
 
+
 /*
- * This function simply throws an IOException
- *
- * @param env Used to call JNI funktions and to get the Exception class.
- * @param message The message string of the Exception object.
+ * Throws a Java Exception by name
+ */
+void throwByName(JNIEnv *env, const char *name, const char *msg)
+{
+    jclass cls = (*env)->FindClass(env, name);
+
+    if (cls != 0) /* Otherwise an exception has already been thrown */
+        (*env)->ThrowNew(env, cls, msg);
+}
+
+/*
+ * Throws java.lang.OutOfMemoryError
  */
-void throwIOException(JNIEnv *env, const char *message)
+void throwOutOfMemoryError(JNIEnv *env, const char *msg)
+{
+    throwByName(env, "java/lang/OutOfMemoryError", msg);
+}
+
+/*
+ * Throws java.lang.NullPointerException
+ */
+void throwNullPointerException(JNIEnv *env, const char *msg)
 {
-    JNU_ThrowByName(env, CLASS_IO_EXCEPTION, message);
+    throwByName(env, "java/lang/NullPointerException", msg);
+}
+
+/*
+ * Throws java.io.IOException
+ */
+void throwIOException(JNIEnv *env, const char *msg)
+{
+    throwByName(env, "java/io/IOException", msg);
 }
 
 /*
  * This function simply throws a PKCS#11RuntimeException with the given
- * string as its message. If the message is NULL, the exception is created
- * using the default constructor.
+ * string as its message.
  *
  * @param env Used to call JNI funktions and to get the Exception class.
  * @param jmessage The message string of the Exception object.
  */
 void throwPKCS11RuntimeException(JNIEnv *env, const char *message)
 {
-    JNU_ThrowByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message);
+    throwByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message);
 }
 
 /*
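Review bot: `throwByName` is added with external linkage but is not declared in pkcs11wrapper.h, and an identical non-static definition is added to pcsc_md.c later in this changeset. Unless a linker map file hides it, both native libraries therefore define the same global symbol. Declaring it `static void throwByName(JNIEnv *env, const char *name, const char *msg)` in each file keeps the helper private to its translation unit. The helper's comment should also state that `msg` may be NULL, because the out-of-memory callers in this changeset pass `0`: `/* Throws a Java exception by class name; msg may be NULL (the OutOfMemoryError callers pass 0) */`.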
@@ -318,7 +342,7 @@
     *ckpLength = (*env)->GetArrayLength(env, jArray);
     jpTemp = (jboolean*) malloc((*ckpLength) * sizeof(jboolean));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     (*env)->GetBooleanArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
@@ -330,7 +354,7 @@
     *ckpArray = (CK_BBOOL*) malloc ((*ckpLength) * sizeof(CK_BBOOL));
     if (*ckpArray == NULL) {
         free(jpTemp);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     for (i=0; i<(*ckpLength); i++) {
@@ -360,7 +384,7 @@
     *ckpLength = (*env)->GetArrayLength(env, jArray);
     jpTemp = (jbyte*) malloc((*ckpLength) * sizeof(jbyte));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     (*env)->GetByteArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
@@ -376,7 +400,7 @@
         *ckpArray = (CK_BYTE_PTR) malloc ((*ckpLength) * sizeof(CK_BYTE));
         if (*ckpArray == NULL) {
             free(jpTemp);
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return;
         }
         for (i=0; i<(*ckpLength); i++) {
@@ -407,7 +431,7 @@
     *ckpLength = (*env)->GetArrayLength(env, jArray);
     jTemp = (jlong*) malloc((*ckpLength) * sizeof(jlong));
     if (jTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     (*env)->GetLongArrayRegion(env, jArray, 0, *ckpLength, jTemp);
@@ -419,7 +443,7 @@
     *ckpArray = (CK_ULONG_PTR) malloc (*ckpLength * sizeof(CK_ULONG));
     if (*ckpArray == NULL) {
         free(jTemp);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     for (i=0; i<(*ckpLength); i++) {
@@ -449,7 +473,7 @@
     *ckpLength = (*env)->GetArrayLength(env, jArray);
     jpTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
@@ -461,7 +485,7 @@
     *ckpArray = (CK_CHAR_PTR) malloc (*ckpLength * sizeof(CK_CHAR));
     if (*ckpArray == NULL) {
         free(jpTemp);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     for (i=0; i<(*ckpLength); i++) {
@@ -491,7 +515,7 @@
     *ckpLength = (*env)->GetArrayLength(env, jArray);
     jTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar));
     if (jTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jTemp);
@@ -503,7 +527,7 @@
     *ckpArray = (CK_UTF8CHAR_PTR) malloc (*ckpLength * sizeof(CK_UTF8CHAR));
     if (*ckpArray == NULL) {
         free(jTemp);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     for (i=0; i<(*ckpLength); i++) {
@@ -538,7 +562,7 @@
     *ckpArray = (CK_UTF8CHAR_PTR) malloc((*ckpLength + 1) * sizeof(CK_UTF8CHAR));
     if (*ckpArray == NULL) {
         (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     strcpy((char*)*ckpArray, pCharArray);
@@ -571,7 +595,7 @@
     *ckpLength = jLongToCKULong(jLength);
     *ckpArray = (CK_ATTRIBUTE_PTR) malloc(*ckpLength * sizeof(CK_ATTRIBUTE));
     if (*ckpArray == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     TRACE1(", converting %d attibutes", jLength);
@@ -613,7 +637,7 @@
     } else {
         jpTemp = (jbyte*) malloc((ckLength) * sizeof(jbyte));
         if (jpTemp == NULL) {
-            JNU_ThrowOutOfMemoryError(env, 0);
+            throwOutOfMemoryError(env, 0);
             return NULL;
         }
         for (i=0; i<ckLength; i++) {
@@ -647,7 +671,7 @@
 
     jpTemp = (jlong*) malloc((ckLength) * sizeof(jlong));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     for (i=0; i<ckLength; i++) {
@@ -678,7 +702,7 @@
 
     jpTemp = (jchar*) malloc(ckLength * sizeof(jchar));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     for (i=0; i<ckLength; i++) {
@@ -709,7 +733,7 @@
 
     jpTemp = (jchar*) malloc(ckLength * sizeof(jchar));
     if (jpTemp == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     for (i=0; i<ckLength; i++) {
@@ -812,7 +836,7 @@
     jValue = (*env)->CallBooleanMethod(env, jObject, jValueMethod);
     ckpValue = (CK_BBOOL *) malloc(sizeof(CK_BBOOL));
     if (ckpValue == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     *ckpValue = jBooleanToCKBBool(jValue);
@@ -842,7 +866,7 @@
     jValue = (*env)->CallByteMethod(env, jObject, jValueMethod);
     ckpValue = (CK_BYTE_PTR) malloc(sizeof(CK_BYTE));
     if (ckpValue == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     *ckpValue = jByteToCKByte(jValue);
@@ -871,7 +895,7 @@
     jValue = (*env)->CallIntMethod(env, jObject, jValueMethod);
     ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG));
     if (ckpValue == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     *ckpValue = jLongToCKLong(jValue);
@@ -900,7 +924,7 @@
     jValue = (*env)->CallLongMethod(env, jObject, jValueMethod);
     ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG));
     if (ckpValue == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     *ckpValue = jLongToCKULong(jValue);
@@ -930,7 +954,7 @@
     jValue = (*env)->CallCharMethod(env, jObject, jValueMethod);
     ckpValue = (CK_CHAR_PTR) malloc(sizeof(CK_CHAR));
     if (ckpValue == NULL) {
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return NULL;
     }
     *ckpValue = jCharToCKChar(jValue);
@@ -1087,7 +1111,7 @@
         malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1));
     if (exceptionMsg == NULL) {
         (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString);
-        JNU_ThrowOutOfMemoryError(env, 0);
+        throwOutOfMemoryError(env, 0);
         return;
     }
     strcpy(exceptionMsg, exceptionMsgPrefix);
--- a/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	Wed Jul 05 17:54:13 2017 +0200
@@ -228,7 +228,6 @@
 #define CLASS_PKCS11EXCEPTION "sun/security/pkcs11/wrapper/PKCS11Exception"
 #define CLASS_PKCS11RUNTIMEEXCEPTION "sun/security/pkcs11/wrapper/PKCS11RuntimeException"
 #define CLASS_FILE_NOT_FOUND_EXCEPTION "java/io/FileNotFoundException"
-#define CLASS_IO_EXCEPTION "java/io/IOException"
 #define CLASS_C_INITIALIZE_ARGS "sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS"
 #define CLASS_CREATEMUTEX "sun/security/pkcs11/wrapper/CK_CREATEMUTEX"
 #define CLASS_DESTROYMUTEX "sun/security/pkcs11/wrapper/CK_DESTROYMUTEX"
@@ -280,6 +279,8 @@
  */
 
 jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue);
+void throwOutOfMemoryError(JNIEnv *env, const char *message);
+void throwNullPointerException(JNIEnv *env, const char *message);
 void throwIOException(JNIEnv *env, const char *message);
 void throwPKCS11RuntimeException(JNIEnv *env, const char *message);
 void throwDisconnectedRuntimeException(JNIEnv *env);
--- a/jdk/src/solaris/classes/sun/print/UnixPrintServiceLookup.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/solaris/classes/sun/print/UnixPrintServiceLookup.java	Wed Jul 05 17:54:13 2017 +0200
@@ -189,7 +189,7 @@
         if (printServices == null) {
             return new PrintService[0];
         } else {
-            return printServices;
+            return (PrintService[])printServices.clone();
         }
     }
 
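Review bot: The new `return (PrintService[])printServices.clone();` carries no comment saying why a copy is returned, so a later cleanup could revert it to returning the field directly. Add `// return a copy so callers cannot modify the array held in printServices` above the statement. The cast is unnecessary on Java 5 and later, where `clone()` on an array is typed as that array type, so `return printServices.clone();` is enough. The enclosing method starts outside the hunk.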
--- a/jdk/src/solaris/native/sun/nio/fs/genSolarisConstants.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/solaris/native/sun/nio/fs/genSolarisConstants.c	Wed Jul 05 17:54:13 2017 +0200
@@ -27,7 +27,7 @@
 #include <errno.h>
 #include <unistd.h>
 #include <sys/acl.h>
-#include <sys/fcntl.h>
+#include <fcntl.h>
 #include <sys/stat.h>
 
 /**
--- a/jdk/src/solaris/native/sun/nio/fs/genUnixConstants.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/solaris/native/sun/nio/fs/genUnixConstants.c	Wed Jul 05 17:54:13 2017 +0200
@@ -26,7 +26,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <unistd.h>
-#include <sys/fcntl.h>
+#include <fcntl.h>
 #include <sys/stat.h>
 
 /**
--- a/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.c	Wed Jul 05 17:54:13 2017 +0200
@@ -40,7 +40,7 @@
     if (fAddress == NULL) {
         char errorMessage[256];
         snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName);
-        JNU_ThrowNullPointerException(env, errorMessage);
+        throwNullPointerException(env, errorMessage);
         return NULL;
     }
     return fAddress;
@@ -69,7 +69,7 @@
     dprintf2("-handle: %u (0X%X)\n", hModule, hModule);
 
     if (hModule == NULL) {
-        JNU_ThrowIOException(env, dlerror());
+        throwIOException(env, dlerror());
         return 0;
     }
 
--- a/jdk/src/solaris/native/sun/security/smartcardio/pcsc_md.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/solaris/native/sun/security/smartcardio/pcsc_md.c	Wed Jul 05 17:54:13 2017 +0200
@@ -51,12 +51,40 @@
 FPTR_SCardEndTransaction scardEndTransaction;
 FPTR_SCardControl scardControl;
 
+/*
+ * Throws a Java Exception by name
+ */
+void throwByName(JNIEnv *env, const char *name, const char *msg)
+{
+    jclass cls = (*env)->FindClass(env, name);
+
+    if (cls != 0) /* Otherwise an exception has already been thrown */
+        (*env)->ThrowNew(env, cls, msg);
+}
+
+/*
+ * Throws java.lang.NullPointerException
+ */
+void throwNullPointerException(JNIEnv *env, const char *msg)
+{
+    throwByName(env, "java/lang/NullPointerException", msg);
+}
+
+/*
+ * Throws java.io.IOException
+ */
+void throwIOException(JNIEnv *env, const char *msg)
+{
+    throwByName(env, "java/io/IOException", msg);
+}
+
+
 void *findFunction(JNIEnv *env, void *hModule, char *functionName) {
     void *fAddress = dlsym(hModule, functionName);
     if (fAddress == NULL) {
         char errorMessage[256];
         snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName);
-        JNU_ThrowNullPointerException(env, errorMessage);
+        throwNullPointerException(env, errorMessage);
         return NULL;
     }
     return fAddress;
@@ -69,7 +97,7 @@
     (*env)->ReleaseStringUTFChars(env, jLibName, libName);
 
     if (hModule == NULL) {
-        JNU_ThrowIOException(env, dlerror());
+        throwIOException(env, dlerror());
         return;
     }
     scardEstablishContext = (FPTR_SCardEstablishContext)findFunction(env, hModule, "SCardEstablishContext");
--- a/jdk/src/windows/classes/sun/java2d/d3d/D3DSurfaceData.java	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/windows/classes/sun/java2d/d3d/D3DSurfaceData.java	Wed Jul 05 17:54:13 2017 +0200
@@ -486,7 +486,7 @@
             int dataType = 0;
             int scanStride = width;
 
-            if (dcm.getPixelSize() == 24 || dcm.getPixelSize() == 32) {
+            if (dcm.getPixelSize() > 16) {
                 dataType = DataBuffer.TYPE_INT;
             } else {
                 // 15, 16
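Review bot: The `// 15, 16` comment in the else branch no longer mirrors the condition. With `dcm.getPixelSize() > 16`, every size of 16 or less takes that branch, and every larger size, not only 24 and 32, selects `DataBuffer.TYPE_INT`. A comment on the new test would record that this widening is intended, for example `// wider than 16 bits: use an int data buffer`. The declaration of `dcm` and the rest of the method are outside the hunk, so it is worth confirming which pixel sizes can actually reach this test.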
--- a/jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.c	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.c	Wed Jul 05 17:54:13 2017 +0200
@@ -37,7 +37,7 @@
     if (fAddress == NULL) {
         char errorMessage[256];
         _snprintf(errorMessage, sizeof(errorMessage), "Symbol not found: %s", functionName);
-        JNU_ThrowNullPointerException(env, errorMessage);
+        throwNullPointerException(env, errorMessage);
         return NULL;
     }
     return fAddress;
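Review bot: `errorMessage` can reach `throwNullPointerException` without a terminating NUL. `_snprintf` does not write one when the formatted text fills all `sizeof(errorMessage)` bytes, and the JNI throw then reads the buffer as a C string. Terminate explicitly right after the format call: `errorMessage[sizeof(errorMessage) - 1] = '\0';`. Whether `functionName` can be long enough to hit this depends on the callers, which are outside this hunk, as is the start of the enclosing function.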
@@ -78,7 +78,7 @@
             NULL
         );
         dprintf1("-error: %s\n", lpMsgBuf);
-        JNU_ThrowIOException(env, (char*)lpMsgBuf);
+        throwIOException(env, (char*)lpMsgBuf);
         LocalFree(lpMsgBuf);
         return 0;
     }
--- a/jdk/test/ProblemList.txt	Thu Oct 27 13:54:37 2011 -0700
+++ b/jdk/test/ProblemList.txt	Wed Jul 05 17:54:13 2017 +0200
@@ -377,6 +377,12 @@
 # 7081476
 java/net/InetSocketAddress/B6469803.java                        generic-all
 
+# 7102670
+java/net/InetAddress/CheckJNI.java                              linux-all
+
+# failing on vista 32/64 on nightly
+# 7102702
+java/net/PortUnreachableException/OneExceptionOnly.java         windows-all
 ############################################################################
 
 # jdk_io
@@ -517,9 +523,6 @@
 # 7079203 sun/security/tools/keytool/printssl.sh fails on solaris with timeout
 sun/security/tools/keytool/printssl.sh                          solaris-all
 
-# 7054637
-sun/security/tools/jarsigner/ec.sh                             solaris-all
-
 # 7081817
 sun/security/provider/certpath/X509CertPath/IllegalCertiticates.java    generic-all
 
--- a/jdk/test/java/net/DatagramSocket/ChangingAddress.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/* @test
- * @bug 7084030
- * @summary Tests that DatagramSocket.getLocalAddress returns the right local
- *          address after connect/disconnect.
- */
-import java.net.*;
-
-public class ChangingAddress {
-
-    static void check(DatagramSocket ds, InetAddress expected) {
-        InetAddress actual = ds.getLocalAddress();
-        if (!expected.equals(actual)) {
-            throw new RuntimeException("Expected:"+expected+" Actual"+
-                                       actual);
-        }
-    }
-
-    public static void main(String[] args) throws Exception {
-        InetAddress lh = InetAddress.getLocalHost();
-        SocketAddress remote = new InetSocketAddress(lh, 1234);
-        InetAddress wildcard = InetAddress.getByAddress
-                               ("localhost", new byte[]{0,0,0,0});
-        try (DatagramSocket ds = new DatagramSocket()) {
-            check(ds, wildcard);
-
-            ds.connect(remote);
-            check(ds, lh);
-
-            ds.disconnect();
-            check(ds, wildcard);
-       }
-    }
-}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/util/Collections/CheckedQueue.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 5020931
+ * @summary Unit test for Collections.checkedQueue
+ */
+
+import java.lang.reflect.Method;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.Queue;
+import java.util.concurrent.ArrayBlockingQueue;
+
+public class CheckedQueue {
+    static int status = 0;
+
+    public static void main(String[] args) throws Exception {
+        new CheckedQueue();
+    }
+
+    public CheckedQueue() throws Exception {
+        run();
+    }
+
+    private void run() throws Exception {
+        Method[] methods = this.getClass().getDeclaredMethods();
+
+        for (int i = 0; i < methods.length; i++) {
+            Method method = methods[i];
+            String methodName = method.getName();
+
+            if (methodName.startsWith("test")) {
+                try {
+                    Object obj = method.invoke(this, new Object[0]);
+                } catch(Exception e) {
+                    throw new Exception(this.getClass().getName() + "." +
+                            methodName + " test failed, test exception "
+                            + "follows\n" + e.getCause());
+                }
+            }
+        }
+    }
+
+    /**
+     * This test adds items to a queue.
+     */
+    private void test00() {
+        int arrayLength = 10;
+        ArrayBlockingQueue<String> abq = new ArrayBlockingQueue(arrayLength);
+
+        for (int i = 0; i < arrayLength; i++) {
+            abq.add(new String(Integer.toString(i)));
+        }
+    }
+
+    /**
+     * This test tests the CheckedQueue.add method.  It creates a queue of
+     * {@code String}s gets the checked queue, and attempt to add an Integer to
+     * the checked queue.
+     */
+    private void test01() throws Exception {
+        int arrayLength = 10;
+        ArrayBlockingQueue<String> abq = new ArrayBlockingQueue(arrayLength + 1);
+
+        for (int i = 0; i < arrayLength; i++) {
+            abq.add(new String(Integer.toString(i)));
+        }
+
+        Queue q = Collections.checkedQueue(abq, String.class);
+
+        try {
+            q.add(new Integer(0));
+            throw new Exception(this.getClass().getName() + "." + "test01 test"
+                    + " failed, should throw ClassCastException.");
+        } catch(ClassCastException cce) {
+            // Do nothing.
+        }
+    }
+
+    /**
+     * This test tests the CheckedQueue.add method.  It creates a queue of one
+     * {@code String}, gets the checked queue, and attempt to add an Integer to
+     * the checked queue.
+     */
+    private void test02() throws Exception {
+        ArrayBlockingQueue<String> abq = new ArrayBlockingQueue(1);
+        Queue q = Collections.checkedQueue(abq, String.class);
+
+        try {
+            q.add(new Integer(0));
+            throw new Exception(this.getClass().getName() + "." + "test02 test"
+                    + " failed, should throw ClassCastException.");
+        } catch(ClassCastException e) {
+            // Do nothing.
+        }
+    }
+
+    /**
+     * This test tests the Collections.checkedQueue method call for nulls in
+     * each and both of the parameters.
+     */
+    private void test03() throws Exception {
+        ArrayBlockingQueue<String> abq = new ArrayBlockingQueue(1);
+        Queue q;
+
+        try {
+            q = Collections.checkedQueue(null, String.class);
+            throw new Exception(this.getClass().getName() + "." + "test03 test"
+                    + " failed, should throw NullPointerException.");
+        } catch(NullPointerException npe) {
+            // Do nothing
+        }
+
+        try {
+            q = Collections.checkedQueue(abq, null);
+            throw new Exception(this.getClass().getName() + "." + "test03 test"
+                    + " failed, should throw NullPointerException.");
+        } catch(Exception e) {
+            // Do nothing
+        }
+
+        try {
+            q = Collections.checkedQueue(null, null);
+            throw new Exception(this.getClass().getName() + "." + "test03 test"
+                    + " failed, should throw NullPointerException.");
+        } catch(Exception e) {
+            // Do nothing
+        }
+    }
+
+    /**
+     * This test tests the CheckedQueue.offer method.
+     */
+    private void test04() throws Exception {
+        ArrayBlockingQueue<String> abq = new ArrayBlockingQueue(1);
+        Queue q = Collections.checkedQueue(abq, String.class);
+
+        try {
+            q.offer(null);
+            throw new Exception(this.getClass().getName() + "." + "test04 test"
+                    + " failed, should throw NullPointerException.");
+        } catch (NullPointerException npe) {
+            // Do nothing
+        }
+
+        try {
+            q.offer(new Integer(0));
+            throw new Exception(this.getClass().getName() + "." + "test04 test"
+                    + " failed, should throw ClassCastException.");
+        } catch (ClassCastException cce) {
+            // Do nothing
+        }
+
+        q.offer(new String("0"));
+
+        try {
+            q.offer(new String("1"));
+            throw new Exception(this.getClass().getName() + "." + "test04 test"
+                    + " failed, should throw IllegalStateException.");
+        } catch(IllegalStateException ise) {
+            // Do nothing
+        }
+    }
+
+    private void test05() {
+
+    }
+}
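Review bot: In `test03` the second and third `try` blocks catch `Exception`, which also catches the "should throw NullPointerException" failure thrown on the line just before, so those two checks can never fail. Catch only the expected type, as the first block does: `} catch (NullPointerException npe) {`. Separately, `test05` is empty and the `status` field is never read; both can be removed.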
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/java2d/DirectX/DrawBitmaskToSurfaceTest.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug     6997116
+ * @summary Test verifies that rendering of images with bitmap transparency
+ *          to a D3D surface does not cause an ClassCastException.
+ *
+ * @run main/othervm -Dsun.java2d.d3d=True DrawBitmaskToSurfaceTest
+ */
+
+import java.awt.Graphics;
+import java.awt.Image;
+import java.awt.image.BufferedImage;
+import java.awt.image.IndexColorModel;
+import java.util.concurrent.CountDownLatch;
+import javax.swing.JFrame;
+
+public class DrawBitmaskToSurfaceTest extends JFrame {
+
+    private final Image src;
+    private static java.util.concurrent.CountDownLatch latch = null;
+    private static Throwable theError = null;
+
+    public DrawBitmaskToSurfaceTest() {
+        src = createTestImage();
+    }
+
+    private static Image createTestImage() {
+        byte[] r = new byte[]{(byte)0x00, (byte)0x80, (byte)0xff, (byte)0xff};
+        byte[] g = new byte[]{(byte)0x00, (byte)0x80, (byte)0xff, (byte)0x00};
+        byte[] b = new byte[]{(byte)0x00, (byte)0x80, (byte)0xff, (byte)0x00};
+
+        IndexColorModel icm = new IndexColorModel(2, 4, r, g, b, 3);
+
+        BufferedImage img = new BufferedImage(100, 100,
+                                              BufferedImage.TYPE_BYTE_INDEXED,
+                                              icm);
+        return img;
+    }
+
+    @Override
+    public void paint(final Graphics g) {
+        try {
+            System.err.println("paint frame....");
+            g.drawImage(src, 30, 30, this);
+        } catch (Throwable e) {
+            theError = e;
+        } finally {
+            if (latch != null) {
+                latch.countDown();
+            }
+        }
+    }
+
+    public static void main(final String[] args) throws Exception {
+        final JFrame frame = new DrawBitmaskToSurfaceTest();
+        frame.setBounds(10, 350, 200, 200);
+        frame.setVisible(true);
+
+        Thread.sleep(2000);
+
+        System.err.println("Change frame bounds...");
+        latch = new CountDownLatch(1);
+        frame.setBounds(10, 350, 90, 90);
+        frame.repaint();
+
+        try {
+            if (latch.getCount() > 0) {
+                latch.await();
+            }
+        } catch (InterruptedException e) {
+        }
+
+        frame.dispose();
+
+        if (theError != null) {
+            throw new RuntimeException("Test failed.", theError);
+        }
+
+        System.err.println("Test passed");
+    }
+}
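Review bot: The empty `catch (InterruptedException e)` around `latch.await()` lets `main` fall through when the wait is interrupted. If `theError` is still null at that point, the test prints "Test passed" even though the repaint may never have run. Fail instead of continuing, for example `throw new RuntimeException("Interrupted while waiting for repaint", e);`. In addition, `latch` and `theError` are plain static fields written on one thread and read on another (`paint` is normally called on the event dispatch thread). Declaring them `volatile` makes the hand-off explicit rather than dependent on the event queue's internal locking.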
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/provider/X509Factory/BigCRL.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7099399
+ * @summary cannot deal with CRL file larger than 16MB
+ * @run main/othervm -Xmx1024m BigCRL
+ */
+
+import java.io.FileInputStream;
+import java.math.BigInteger;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.PrivateKey;
+import java.security.cert.X509CRLEntry;
+import java.util.Arrays;
+import java.util.Date;
+import sun.security.x509.*;
+import java.security.cert.CertificateFactory;
+import java.io.ByteArrayInputStream;
+
+public class BigCRL {
+
+    public static void main(String[] args) throws Exception {
+        int n = 500000;
+        String ks = System.getProperty("test.src", ".")
+                + "/../../ssl/etc/keystore";
+        String pass = "passphrase";
+        String alias = "dummy";
+
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(new FileInputStream(ks), pass.toCharArray());
+        Certificate signerCert = keyStore.getCertificate(alias);
+        byte[] encoded = signerCert.getEncoded();
+        X509CertImpl signerCertImpl = new X509CertImpl(encoded);
+        X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
+                X509CertImpl.NAME + "." + X509CertImpl.INFO);
+        X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "."
+                + CertificateSubjectName.DN_NAME);
+
+        Date date = new Date();
+        PrivateKey privateKey = (PrivateKey)
+                keyStore.getKey(alias, pass.toCharArray());
+        String sigAlgName = signerCertImpl.getSigAlgOID();
+
+        X509CRLEntry[] badCerts = new X509CRLEntry[n];
+        CRLExtensions ext = new CRLExtensions();
+        ext.set("Reason", new CRLReasonCodeExtension(1));
+        for (int i = 0; i < n; i++) {
+            badCerts[i] = new X509CRLEntryImpl(
+                    BigInteger.valueOf(i), date, ext);
+        }
+        X509CRLImpl crl = new X509CRLImpl(owner, date, date, badCerts);
+        crl.sign(privateKey, sigAlgName);
+        byte[] data = crl.getEncodedInternal();
+
+        // Make sure the CRL is big enough
+        if ((data[1]&0xff) != 0x84) {
+            throw new Exception("The file should be big enough?");
+        }
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        cf.generateCRL(new ByteArrayInputStream(data));
+    }
+}
+
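Review bot: The `FileInputStream` passed to `keyStore.load` is never closed, so the keystore file stays open for the rest of the test. Use try-with-resources: `try (FileInputStream in = new FileInputStream(ks)) { keyStore.load(in, pass.toCharArray()); }`. The test also discards the result of `cf.generateCRL(...)`. Comparing the parsed CRL's `getRevokedCertificates().size()` with `n` would confirm the large CRL was read completely, rather than only that parsing did not throw.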
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/SSLEngineBadBufferArrayAccess.java	Wed Jul 05 17:54:13 2017 +0200
@@ -0,0 +1,479 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7031830
+ * @summary bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine
+ * @run main/othervm SSLEngineBadBufferArrayAccess
+ *
+ *     SunJSSE does not support dynamic system properties, no way to re-use
+ *     system properties in samevm/agentvm mode.
+ */
+
+/**
+ * A SSLSocket/SSLEngine interop test case.  This is not the way to
+ * code SSLEngine-based servers, but works for what we need to do here,
+ * which is to make sure that SSLEngine/SSLSockets can talk to each other.
+ * SSLEngines can use direct or indirect buffers, and different code
+ * is used to get at the buffer contents internally, so we test that here.
+ *
+ * The test creates one SSLSocket (client) and one SSLEngine (server).
+ * The SSLSocket talks to a raw ServerSocket, and the server code
+ * does the translation between byte [] and ByteBuffers that the SSLEngine
+ * can use.  The "transport" layer consists of a Socket Input/OutputStream
+ * and two byte buffers for the SSLEngines:  think of them
+ * as directly connected pipes.
+ *
+ * Again, this is a *very* simple example: real code will be much more
+ * involved.  For example, different threading and I/O models could be
+ * used, transport mechanisms could close unexpectedly, and so on.
+ *
+ * When this application runs, notice that several messages
+ * (wrap/unwrap) pass before any application data is consumed or
+ * produced.  (For more information, please see the SSL/TLS
+ * specifications.)  There may several steps for a successful handshake,
+ * so it's typical to see the following series of operations:
+ *
+ *      client          server          message
+ *      ======          ======          =======
+ *      write()         ...             ClientHello
+ *      ...             unwrap()        ClientHello
+ *      ...             wrap()          ServerHello/Certificate
+ *      read()         ...             ServerHello/Certificate
+ *      write()         ...             ClientKeyExchange
+ *      write()         ...             ChangeCipherSpec
+ *      write()         ...             Finished
+ *      ...             unwrap()        ClientKeyExchange
+ *      ...             unwrap()        ChangeCipherSpec
+ *      ...             unwrap()        Finished
+ *      ...             wrap()          ChangeCipherSpec
+ *      ...             wrap()          Finished
+ *      read()          ...             ChangeCipherSpec
+ *      read()          ...             Finished
+ *
+ * This particular bug had a problem where byte buffers backed by an
+ * array didn't offset correctly, and we got bad MAC errors.
+ */
+import javax.net.ssl.*;
+import javax.net.ssl.SSLEngineResult.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.nio.*;
+
+public class SSLEngineBadBufferArrayAccess {
+
+    /*
+     * Enables logging of the SSL/TLS operations.
+     */
+    private static boolean logging = true;
+
+    /*
+     * Enables the JSSE system debugging system property:
+     *
+     *     -Djavax.net.debug=all
+     *
+     * This gives a lot of low-level information about operations underway,
+     * including specific handshake messages, and might be best examined
+     * after gaining some familiarity with this application.
+     */
+    private static boolean debug = false;
+    private SSLContext sslc;
+    private SSLEngine serverEngine;     // server-side SSLEngine
+    private SSLSocket sslSocket;        // client-side socket
+    private ServerSocket serverSocket;  // server-side Socket, generates the...
+    private Socket socket;              // server-side socket that will read
+
+    private final byte[] serverMsg = "Hi there Client, I'm a Server".getBytes();
+    private final byte[] clientMsg = "Hello Server, I'm a Client".getBytes();
+
+    private ByteBuffer serverOut;       // write side of serverEngine
+    private ByteBuffer serverIn;        // read side of serverEngine
+
+    private volatile Exception clientException;
+    private volatile Exception serverException;
+
+    /*
+     * For data transport, this example uses local ByteBuffers.
+     */
+    private ByteBuffer cTOs;            // "reliable" transport client->server
+    private ByteBuffer sTOc;            // "reliable" transport server->client
+
+    /*
+     * The following is to set up the keystores/trust material.
+     */
+    private static final String pathToStores = "../../../../../../../etc/";
+    private static final String keyStoreFile = "keystore";
+    private static final String trustStoreFile = "truststore";
+    private static final String passwd = "passphrase";
+    private static String keyFilename =
+            System.getProperty("test.src", ".") + "/" + pathToStores
+            + "/" + keyStoreFile;
+    private static String trustFilename =
+            System.getProperty("test.src", ".") + "/" + pathToStores
+            + "/" + trustStoreFile;
+
+    /*
+     * Main entry point for this test.
+     */
+    public static void main(String args[]) throws Exception {
+        if (debug) {
+            System.setProperty("javax.net.debug", "all");
+        }
+
+        String [] protocols = new String [] {
+            "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
+
+        for (String protocol : protocols) {
+            log("Testing " + protocol);
+            /*
+             * Run the tests with direct and indirect buffers.
+             */
+            SSLEngineBadBufferArrayAccess test =
+                new SSLEngineBadBufferArrayAccess(protocol);
+            test.runTest(true);
+            test.runTest(false);
+        }
+
+        System.out.println("Test Passed.");
+    }
+
+    /*
+     * Create an initialized SSLContext to use for these tests.
+     */
+    public SSLEngineBadBufferArrayAccess(String protocol) throws Exception {
+
+        KeyStore ks = KeyStore.getInstance("JKS");
+        KeyStore ts = KeyStore.getInstance("JKS");
+
+        char[] passphrase = "passphrase".toCharArray();
+
+        ks.load(new FileInputStream(keyFilename), passphrase);
+        ts.load(new FileInputStream(trustFilename), passphrase);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+        kmf.init(ks, passphrase);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+        tmf.init(ts);
+
+        SSLContext sslCtx = SSLContext.getInstance(protocol);
+
+        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+
+        sslc = sslCtx;
+    }
+
+    /*
+     * Run the test.
+     *
+     * Sit in a tight loop, with the server engine calling wrap/unwrap
+     * regardless of whether data is available or not.  We do this until
+     * we get the application data.  Then we shutdown and go to the next one.
+     *
+     * The main loop handles all of the I/O phases of the SSLEngine's
+     * lifetime:
+     *
+     *     initial handshaking
+     *     application data transfer
+     *     engine closing
+     *
+     * One could easily separate these phases into separate
+     * sections of code.
+     */
+    private void runTest(boolean direct) throws Exception {
+        boolean serverClose = direct;
+
+        serverSocket = new ServerSocket(0);
+        int port = serverSocket.getLocalPort();
+        Thread thread = createClientThread(port, serverClose);
+
+        socket = serverSocket.accept();
+        socket.setSoTimeout(500);
+        serverSocket.close();
+
+        createSSLEngine();
+        createBuffers(direct);
+
+        try {
+            boolean closed = false;
+
+            InputStream is = socket.getInputStream();
+            OutputStream os = socket.getOutputStream();
+
+            SSLEngineResult serverResult;   // results from last operation
+
+            /*
+             * Examining the SSLEngineResults could be much more involved,
+             * and may alter the overall flow of the application.
+             *
+             * For example, if we received a BUFFER_OVERFLOW when trying
+             * to write to the output pipe, we could reallocate a larger
+             * pipe, but instead we wait for the peer to drain it.
+             */
+            byte[] inbound = new byte[8192];
+            byte[] outbound = new byte[8192];
+
+            while (!isEngineClosed(serverEngine)) {
+                int len = 0;
+
+                // Inbound data
+                log("================");
+
+                // Read from the Client side.
+                try {
+                    len = is.read(inbound);
+                    if (len == -1) {
+                        throw new Exception("Unexpected EOF");
+                    }
+                    cTOs.put(inbound, 0, len);
+                } catch (SocketTimeoutException ste) {
+                    // swallow.  Nothing yet, probably waiting on us.
+                }
+
+                cTOs.flip();
+
+                serverResult = serverEngine.unwrap(cTOs, serverIn);
+                log("server unwrap: ", serverResult);
+                runDelegatedTasks(serverResult, serverEngine);
+                cTOs.compact();
+
+                // Outbound data
+                log("----");
+
+                serverResult = serverEngine.wrap(serverOut, sTOc);
+                log("server wrap: ", serverResult);
+                runDelegatedTasks(serverResult, serverEngine);
+
+                sTOc.flip();
+
+                if ((len = sTOc.remaining()) != 0) {
+                    sTOc.get(outbound, 0, len);
+                    os.write(outbound, 0, len);
+                    // Give the other side a chance to process
+                }
+
+                sTOc.compact();
+
+                if (!closed && (serverOut.remaining() == 0)) {
+                    closed = true;
+
+                    /*
+                     * We'll alternate initiatating the shutdown.
+                     * When the server initiates, it will take one more
+                     * loop, but tests the orderly shutdown.
+                     */
+                    if (serverClose) {
+                        serverEngine.closeOutbound();
+                    }
+                    serverIn.flip();
+
+                    /*
+                     * A sanity check to ensure we got what was sent.
+                     */
+                    if (serverIn.remaining() != clientMsg.length) {
+                        throw new Exception("Client:  Data length error");
+                    }
+
+                    for (int i = 0; i < clientMsg.length; i++) {
+                        if (clientMsg[i] != serverIn.get()) {
+                            throw new Exception("Client:  Data content error");
+                        }
+                    }
+                    serverIn.compact();
+                }
+            }
+            return;
+        } catch (Exception e) {
+            serverException = e;
+        } finally {
+            socket.close();
+
+            // Wait for the client to join up with us.
+            thread.join();
+            if (serverException != null) {
+                throw serverException;
+            }
+            if (clientException != null) {
+                throw clientException;
+            }
+        }
+    }
+
+    /*
+     * Create a client thread which does simple SSLSocket operations.
+     * We'll write and read one data packet.
+     */
+    private Thread createClientThread(final int port,
+            final boolean serverClose) throws Exception {
+
+        Thread t = new Thread("ClientThread") {
+
+            @Override
+            public void run() {
+                try {
+                    Thread.sleep(1000);  // Give server time to finish setup.
+
+                    sslSocket = (SSLSocket) sslc.getSocketFactory().
+                            createSocket("localhost", port);
+                    OutputStream os = sslSocket.getOutputStream();
+                    InputStream is = sslSocket.getInputStream();
+
+                    // write(byte[]) goes in one shot.
+                    os.write(clientMsg);
+
+                    byte[] inbound = new byte[2048];
+                    int pos = 0;
+
+                    int len;
+done:
+                    while ((len = is.read(inbound, pos, 2048 - pos)) != -1) {
+                        pos += len;
+                        // Let the client do the closing.
+                        if ((pos == serverMsg.length) && !serverClose) {
+                            sslSocket.close();
+                            break done;
+                        }
+                    }
+
+                    if (pos != serverMsg.length) {
+                        throw new Exception("Client:  Data length error");
+                    }
+
+                    for (int i = 0; i < serverMsg.length; i++) {
+                        if (inbound[i] != serverMsg[i]) {
+                            throw new Exception("Client:  Data content error");
+                        }
+                    }
+                } catch (Exception e) {
+                    clientException = e;
+                }
+            }
+        };
+        t.start();
+        return t;
+    }
+
+    /*
+     * Using the SSLContext created during object creation,
+     * create/configure the SSLEngines we'll use for this test.
+     */
+    private void createSSLEngine() throws Exception {
+        /*
+         * Configure the serverEngine to act as a server in the SSL/TLS
+         * handshake.
+         */
+        serverEngine = sslc.createSSLEngine();
+        serverEngine.setUseClientMode(false);
+        serverEngine.getNeedClientAuth();
+    }
+
+    /*
+     * Create and size the buffers appropriately.
+     */
+    private void createBuffers(boolean direct) {
+
+        SSLSession session = serverEngine.getSession();
+        int appBufferMax = session.getApplicationBufferSize();
+        int netBufferMax = session.getPacketBufferSize();
+
+        /*
+         * We'll make the input buffers a bit bigger than the max needed
+         * size, so that unwrap()s following a successful data transfer
+         * won't generate BUFFER_OVERFLOWS.
+         *
+         * We'll use a mix of direct and indirect ByteBuffers for
+         * tutorial purposes only.  In reality, only use direct
+         * ByteBuffers when they give a clear performance enhancement.
+         */
+        if (direct) {
+            serverIn = ByteBuffer.allocateDirect(appBufferMax + 50);
+            cTOs = ByteBuffer.allocateDirect(netBufferMax);
+            sTOc = ByteBuffer.allocateDirect(netBufferMax);
+        } else {
+            serverIn = ByteBuffer.allocate(appBufferMax + 50);
+            cTOs = ByteBuffer.allocate(netBufferMax);
+            sTOc = ByteBuffer.allocate(netBufferMax);
+        }
+
+        serverOut = ByteBuffer.wrap(serverMsg);
+    }
+
+    /*
+     * If the result indicates that we have outstanding tasks to do,
+     * go ahead and run them in this thread.
+     */
+    private static void runDelegatedTasks(SSLEngineResult result,
+            SSLEngine engine) throws Exception {
+
+        if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
+            Runnable runnable;
+            while ((runnable = engine.getDelegatedTask()) != null) {
+                log("\trunning delegated task...");
+                runnable.run();
+            }
+            HandshakeStatus hsStatus = engine.getHandshakeStatus();
+            if (hsStatus == HandshakeStatus.NEED_TASK) {
+                throw new Exception(
+                        "handshake shouldn't need additional tasks");
+            }
+            log("\tnew HandshakeStatus: " + hsStatus);
+        }
+    }
+
+    private static boolean isEngineClosed(SSLEngine engine) {
+        return (engine.isOutboundDone() && engine.isInboundDone());
+    }
+
+    /*
+     * Logging code
+     */
+    private static boolean resultOnce = true;
+
+    private static void log(String str, SSLEngineResult result) {
+        if (!logging) {
+            return;
+        }
+        if (resultOnce) {
+            resultOnce = false;
+            System.out.println("The format of the SSLEngineResult is: \n"
+                    + "\t\"getStatus() / getHandshakeStatus()\" +\n"
+                    + "\t\"bytesConsumed() / bytesProduced()\"\n");
+        }
+        HandshakeStatus hsStatus = result.getHandshakeStatus();
+        log(str
+                + result.getStatus() + "/" + hsStatus + ", "
+                + result.bytesConsumed() + "/" + result.bytesProduced()
+                + " bytes");
+        if (hsStatus == HandshakeStatus.FINISHED) {
+            log("\t...ready for application data");
+        }
+    }
+
+    private static void log(String str) {
+        if (logging) {
+            System.out.println(str);
+        }
+    }
+}
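Review bot: In `createSSLEngine()`, the call `serverEngine.getNeedClientAuth();` only reads the flag and discards the result, so it has no effect and the server engine keeps its default client-authentication setting. If the test is meant to exercise client authentication (the shared `SSLContext` is initialised with key managers, so the client could presumably present a certificate), the line should be `serverEngine.setNeedClientAuth(true);`. Otherwise it should be removed, so the test does not read as though the server demands a client certificate. Separately, the constructor hard-codes `"passphrase".toCharArray()` while the `passwd` constant declared above goes unused; `char[] passphrase = passwd.toCharArray();` would keep the two from drifting apart.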
--- a/jdk/test/sun/security/util/BigInt/BigIntEqualsHashCode.java	Thu Oct 27 13:54:37 2011 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @author Gary Ellison
- * @bug 4170635
- * @summary Verify equals()/hashCode() contract honored
- */
-
-import java.io.*;
-import sun.security.util.*;
-
-
-public class BigIntEqualsHashCode {
-    public static void main(String[] args) throws Exception {
-        BigInt bi1 = new BigInt(12345678);
-        BigInt bi2 = new BigInt(12345678);
-
-        if ( (bi1.equals(bi2)) == (bi1.hashCode()==bi2.hashCode()) )
-            System.out.println("PASSED");
-        else
-            throw new Exception ("FAILED equals()/hashCode() contract");
-
-    }
-}