--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Wed May 03 08:00:00 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Wed May 03 09:04:35 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -214,7 +214,7 @@
         try {
             byte[] extVal = xcert.getExtensionValue("2.5.29.14");
             if (extVal == null) {
-                if (debug != null) {
+                if (debug != null && Debug.isVerbose()) {
                     debug.println("AdaptableX509CertSelector.match: "
                         + "no subject key ID extension. Subject: "
                         + xcert.getSubjectX500Principal());
@@ -225,7 +225,7 @@
             byte[] certSubjectKeyID = in.getOctetString();
             if (certSubjectKeyID == null ||
                     !Arrays.equals(ski, certSubjectKeyID)) {
-                if (debug != null) {
+                if (debug != null && Debug.isVerbose()) {
                     debug.println("AdaptableX509CertSelector.match: "
                         + "subject key IDs don't match. "
                         + "Expected: " + Arrays.toString(ski) + " "
@@ -234,7 +234,7 @@
                 return false;
             }
         } catch (IOException ex) {
-            if (debug != null) {
+            if (debug != null && Debug.isVerbose()) {
                 debug.println("AdaptableX509CertSelector.match: "
                     + "exception in subject key ID check");
             }

--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Wed May 03 08:00:00 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Wed May 03 09:04:35 2017 -0700
@@ -117,7 +117,7 @@
                 // if this trust anchor is not worth trying,
                 // we move on to the next one
                 if (selector != null && !selector.match(trustedCert)) {
-                    if (debug != null) {
+                    if (debug != null && Debug.isVerbose()) {
                         debug.println("NO - don't try this trustedCert");
                     }
                     continue;

--- a/jdk/src/java.base/share/classes/sun/security/util/Debug.java	Wed May 03 08:00:00 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/Debug.java	Wed May 03 09:04:35 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package sun.security.util;
 
+import java.io.PrintStream;
 import java.math.BigInteger;
 import java.util.regex.Pattern;
 import java.util.regex.Matcher;
@@ -32,7 +33,7 @@
 import sun.security.action.GetPropertyAction;
 
 /**
- * A utility class for debuging.
+ * A utility class for debugging.
  *
  * @author Roland Schemers
  */
@@ -118,6 +119,7 @@
         System.err.println("The following can be used with certpath:");
         System.err.println();
         System.err.println("ocsp          dump the OCSP protocol exchanges");
+        System.err.println("verbose       verbose debugging");
         System.err.println();
         System.err.println("Note: Separate multiple options with a comma");
         System.exit(0);
@@ -166,6 +168,13 @@
     }
 
     /**
+     * Check if verbose messages is enabled for extra debugging.
+     */
+    public static boolean isVerbose() {
+        return isOn("verbose");
+    }
+
+    /**
      * print a message to stderr that is prefixed with the prefix
      * created from the call to getInstance.
      */
@@ -204,6 +213,13 @@
     }
 
     /**
+     * PrintStream for debug methods. Currently only System.err is supported.
+     */
+    public PrintStream getPrintStream() {
+        return System.err;
+    }
+
+    /**
      * return a hexadecimal printed representation of the specified
      * BigInteger object. the value is formatted to fit on lines of
      * at least 75 characters, with embedded newlines. Words are

--- a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Wed May 03 08:00:00 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Wed May 03 09:04:35 2017 -0700
@@ -674,12 +674,11 @@
                 if (debug != null) {
                     debug.println("Checking if usage constraint \"" + v +
                             "\" matches \"" + cp.getVariant() + "\"");
-                    // Because usage checking can come from many places
-                    // a stack trace is very helpful.
-                    ByteArrayOutputStream ba = new ByteArrayOutputStream();
-                    PrintStream ps = new PrintStream(ba);
-                    (new Exception()).printStackTrace(ps);
-                    debug.println(ba.toString());
+                    if (Debug.isVerbose()) {
+                        // Because usage checking can come from many places
+                        // a stack trace is very helpful.
+                        (new Exception()).printStackTrace(debug.getPrintStream());
+                    }
                 }
                 if (cp.getVariant().compareTo(v) == 0) {
                     if (next(cp)) {