Merge
authorwetmore
Mon, 15 Sep 2008 00:41:02 -0700
changeset 1240 7567f0847c37
parent 1231 9b3e98cca850 (current diff)
parent 1239 545f6ef6ec26 (diff)
child 1241 495a689dfc36
child 1335 79ed7fd4bb49
Merge
--- a/jdk/src/share/classes/java/net/HttpCookie.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/java/net/HttpCookie.java	Mon Sep 15 00:41:02 2008 -0700
@@ -75,6 +75,7 @@
     private String path;        // Path=VALUE ... URLs that see the cookie
     private String portlist;    // Port[="portlist"] ... the port cookie may be returned to
     private boolean secure;     // Secure ... e.g. use SSL
+    private boolean httpOnly;   // HttpOnly ... i.e. not accessible to scripts
     private int version = 1;    // Version=1 ... RFC 2965 style
 
     //
@@ -656,6 +657,32 @@
         version = v;
     }
 
+    /**
+     * Returns {@code true} if this cookie contains the <i>HttpOnly</i>
+     * attribute. This means that the cookie should not be accessible to
+     * scripting engines, like javascript.
+     *
+     * @return {@code true} if this cookie should be considered http only.
+     * @see #setHttpOnly(boolean)
+     */
+    public boolean isHttpOnly()
+    {
+        return httpOnly;
+    }
+
+    /**
+     * Indicates whether the cookie should be considered HTTP Only. If set to
+     * {@code true} it means the cookie should not be accessible to scripting
+     * engines like javascript.
+     *
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e.
+     *                 only visible as part of an HTTP request.
+     * @see #isHttpOnly()
+     */
+    public void setHttpOnly(boolean httpOnly)
+    {
+        this.httpOnly = httpOnly;
+    }
 
     /**
      * The utility method to check whether a host name is in a domain
@@ -877,6 +904,7 @@
             || name.equalsIgnoreCase("Port")            // rfc2965 only
             || name.equalsIgnoreCase("Secure")
             || name.equalsIgnoreCase("Version")
+            || name.equalsIgnoreCase("HttpOnly")
             || name.charAt(0) == '$')
         {
             return true;
@@ -996,6 +1024,11 @@
                     cookie.setSecure(true);
                 }
             });
+        assignors.put("httponly", new CookieAttributeAssignor(){
+                public void assign(HttpCookie cookie, String attrName, String attrValue) {
+                    cookie.setHttpOnly(true);
+                }
+            });
         assignors.put("version", new CookieAttributeAssignor(){
                 public void assign(HttpCookie cookie, String attrName, String attrValue) {
                     try {
--- a/jdk/src/share/classes/java/security/cert/CertPathValidatorException.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/java/security/cert/CertPathValidatorException.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package java.security.cert;
 
+import java.io.InvalidObjectException;
+import java.io.IOException;
+import java.io.ObjectInputStream;
 import java.security.GeneralSecurityException;
 
 /**
@@ -36,10 +39,11 @@
  * if any, that caused this exception to be thrown.
  * <p>
  * A <code>CertPathValidatorException</code> may also include the
- * certification path that was being validated when the exception was thrown
- * and the index of the certificate in the certification path that caused the
- * exception to be thrown. Use the {@link #getCertPath getCertPath} and
- * {@link #getIndex getIndex} methods to retrieve this information.
+ * certification path that was being validated when the exception was thrown,
+ * the index of the certificate in the certification path that caused the
+ * exception to be thrown, and the reason that caused the failure. Use the
+ * {@link #getCertPath getCertPath}, {@link #getIndex getIndex}, and
+ * {@link #getReason getReason} methods to retrieve this information.
  *
  * <p>
  * <b>Concurrent Access</b>
@@ -72,11 +76,16 @@
     private CertPath certPath;
 
     /**
+     * @serial the reason the validation failed
+     */
+    private Reason reason = BasicReason.UNSPECIFIED;
+
+    /**
      * Creates a <code>CertPathValidatorException</code> with
      * no detail message.
      */
     public CertPathValidatorException() {
-        super();
+        this(null, null);
     }
 
     /**
@@ -87,7 +96,7 @@
      * @param msg the detail message
      */
     public CertPathValidatorException(String msg) {
-        super(msg);
+        this(msg, null);
     }
 
     /**
@@ -104,7 +113,7 @@
      * permitted, and indicates that the cause is nonexistent or unknown.)
      */
     public CertPathValidatorException(Throwable cause) {
-        super(cause);
+        this(null, cause);
     }
 
     /**
@@ -117,7 +126,7 @@
      * permitted, and indicates that the cause is nonexistent or unknown.)
      */
     public CertPathValidatorException(String msg, Throwable cause) {
-        super(msg, cause);
+        this(msg, cause, null, -1);
     }
 
     /**
@@ -139,6 +148,32 @@
      */
     public CertPathValidatorException(String msg, Throwable cause,
             CertPath certPath, int index) {
+        this(msg, cause, certPath, index, BasicReason.UNSPECIFIED);
+    }
+
+    /**
+     * Creates a <code>CertPathValidatorException</code> with the specified
+     * detail message, cause, certification path, index, and reason.
+     *
+     * @param msg the detail message (or <code>null</code> if none)
+     * @param cause the cause (or <code>null</code> if none)
+     * @param certPath the certification path that was in the process of
+     * being validated when the error was encountered
+     * @param index the index of the certificate in the certification path
+     * that caused the error (or -1 if not applicable). Note that
+     * the list of certificates in a <code>CertPath</code> is zero based.
+     * @param reason the reason the validation failed
+     * @throws IndexOutOfBoundsException if the index is out of range
+     * <code>(index < -1 || (certPath != null && index >=
+     * certPath.getCertificates().size())</code>
+     * @throws IllegalArgumentException if <code>certPath</code> is
+     * <code>null</code> and <code>index</code> is not -1
+     * @throws NullPointerException if <code>reason</code> is <code>null</code>
+     *
+     * @since 1.7
+     */
+    public CertPathValidatorException(String msg, Throwable cause,
+            CertPath certPath, int index, Reason reason) {
         super(msg, cause);
         if (certPath == null && index != -1) {
             throw new IllegalArgumentException();
@@ -147,8 +182,12 @@
             (certPath != null && index >= certPath.getCertificates().size())) {
             throw new IndexOutOfBoundsException();
         }
+        if (reason == null) {
+            throw new NullPointerException("reason can't be null");
+        }
         this.certPath = certPath;
         this.index = index;
+        this.reason = reason;
     }
 
     /**
@@ -174,4 +213,79 @@
         return this.index;
     }
 
+    /**
+     * Returns the reason that the validation failed. The reason is
+     * associated with the index of the certificate returned by
+     * {@link getIndex}.
+     *
+     * @return the reason that the validation failed, or
+     *    <code>BasicReason.UNSPECIFIED</code> if a reason has not been
+     *    specified
+     *
+     * @since 1.7
+     */
+    public Reason getReason() {
+        return this.reason;
+    }
+
+    private void readObject(ObjectInputStream stream)
+        throws ClassNotFoundException, IOException {
+        stream.defaultReadObject();
+        if (reason == null) {
+            reason = BasicReason.UNSPECIFIED;
+        }
+        if (certPath == null && index != -1) {
+            throw new InvalidObjectException("certpath is null and index != -1");
+        }
+        if (index < -1 ||
+            (certPath != null && index >= certPath.getCertificates().size())) {
+            throw new InvalidObjectException("index out of range");
+        }
+    }
+
+    /**
+     * The reason the validation algorithm failed.
+     *
+     * @since 1.7
+     */
+    public static interface Reason extends java.io.Serializable { }
+
+
+    /**
+     * The BasicReason enumerates the potential reasons that a certification
+     * path of any type may be invalid.
+     *
+     * @since 1.7
+     */
+    public static enum BasicReason implements Reason {
+        /**
+         * Unspecified reason.
+         */
+        UNSPECIFIED,
+
+        /**
+         * The certificate is expired.
+         */
+        EXPIRED,
+
+        /**
+         * The certificate is not yet valid.
+         */
+        NOT_YET_VALID,
+
+        /**
+         * The certificate is revoked.
+         */
+        REVOKED,
+
+        /**
+         * The revocation status of the certificate could not be determined.
+         */
+        UNDETERMINED_REVOCATION_STATUS,
+
+        /**
+         * The signature is invalid.
+         */
+        INVALID_SIGNATURE
+    }
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/java/security/cert/PKIXReason.java	Mon Sep 15 00:41:02 2008 -0700
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package java.security.cert;
+
+/**
+ * The <code>PKIXReason</code> enumerates the potential PKIX-specific reasons
+ * that an X.509 certification path may be invalid according to the PKIX
+ * (RFC 3280) standard. These reasons are in addition to those of the
+ * <code>CertPathValidatorException.BasicReason</code> enumeration.
+ *
+ * @since 1.7
+ */
+public enum PKIXReason implements CertPathValidatorException.Reason {
+    /**
+     * The certificate does not chain correctly.
+     */
+    NAME_CHAINING,
+
+    /**
+     * The certificate's key usage is invalid.
+     */
+    INVALID_KEY_USAGE,
+
+    /**
+     * The policy constraints have been violated.
+     */
+    INVALID_POLICY,
+
+    /**
+     * No acceptable trust anchor found.
+     */
+    NO_TRUST_ANCHOR,
+
+    /**
+     * The certificate contains one or more unrecognized critical
+     * extensions.
+     */
+    UNRECOGNIZED_CRIT_EXT,
+
+    /**
+     * The certificate is not a CA certificate.
+     */
+    NOT_CA_CERT,
+
+    /**
+     * The path length constraint has been violated.
+     */
+    PATH_TOO_LONG,
+
+    /**
+     * The name constraints have been violated.
+     */
+    INVALID_NAME
+}
--- a/jdk/src/share/classes/sun/net/httpserver/ChunkedOutputStream.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/net/httpserver/ChunkedOutputStream.java	Mon Sep 15 00:41:02 2008 -0700
@@ -73,6 +73,7 @@
         if (count == CHUNK_SIZE) {
             writeChunk();
         }
+        assert count < CHUNK_SIZE;
     }
 
     public void write (byte[]b, int off, int len) throws IOException {
@@ -86,20 +87,22 @@
             writeChunk();
             len -= remain;
             off += remain;
-            while (len > CHUNK_SIZE) {
+            while (len >= CHUNK_SIZE) {
                 System.arraycopy (b,off,buf,OFFSET,CHUNK_SIZE);
                 len -= CHUNK_SIZE;
                 off += CHUNK_SIZE;
                 count = CHUNK_SIZE;
                 writeChunk();
             }
-            pos = OFFSET;
         }
         if (len > 0) {
             System.arraycopy (b,off,buf,pos,len);
             count += len;
             pos += len;
         }
+        if (count == CHUNK_SIZE) {
+            writeChunk();
+        }
     }
 
     /**
--- a/jdk/src/share/classes/sun/security/krb5/Config.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/krb5/Config.java	Mon Sep 15 00:41:02 2008 -0700
@@ -803,7 +803,7 @@
             for (int j = 0; j < line.length(); j++) {
                 if (line.charAt(j) == '=') {
                     int index;
-                    key = line.substring(0, j - 1).trim();
+                    key = line.substring(0, j).trim();
                     if (! exists(key, keyVector)) {
                         keyVector.addElement(key);
                         nameVector = new Vector<String> ();
--- a/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,12 +29,18 @@
 import java.util.Collection;
 import java.util.Date;
 import java.util.Set;
+import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.PublicKey;
+import java.security.SignatureException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.X509Certificate;
 import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
 import java.security.cert.TrustAnchor;
 import java.security.interfaces.DSAParams;
 import java.security.interfaces.DSAPublicKey;
@@ -152,11 +158,11 @@
 
         try {
             cert.verify(prevPubKey, sigProvider);
-        } catch (Exception e) {
-            if (debug != null) {
-                debug.println(e.getMessage());
-                e.printStackTrace();
-            }
+        } catch (SignatureException e) {
+            throw new CertPathValidatorException
+                (msg + " check failed", e, null, -1,
+                 BasicReason.INVALID_SIGNATURE);
+        } catch (GeneralSecurityException e) {
             throw new CertPathValidatorException(msg + " check failed", e);
         }
 
@@ -176,12 +182,12 @@
 
         try {
             cert.checkValidity(date);
-        } catch (Exception e) {
-            if (debug != null) {
-                debug.println(e.getMessage());
-                e.printStackTrace();
-            }
-            throw new CertPathValidatorException(msg + " check failed", e);
+        } catch (CertificateExpiredException e) {
+            throw new CertPathValidatorException
+                (msg + " check failed", e, null, -1, BasicReason.EXPIRED);
+        } catch (CertificateNotYetValidException e) {
+            throw new CertPathValidatorException
+                (msg + " check failed", e, null, -1, BasicReason.NOT_YET_VALID);
         }
 
         if (debug != null)
@@ -204,12 +210,16 @@
             // reject null or empty issuer DNs
 
             if (X500Name.asX500Name(currIssuer).isEmpty()) {
-                throw new CertPathValidatorException(msg + " check failed: " +
-                    "empty/null issuer DN in certificate is invalid");
+                throw new CertPathValidatorException
+                    (msg + " check failed: " +
+                     "empty/null issuer DN in certificate is invalid", null,
+                     null, -1, PKIXReason.NAME_CHAINING);
             }
 
             if (!(currIssuer.equals(prevSubject))) {
-                throw new CertPathValidatorException(msg + " check failed");
+                throw new CertPathValidatorException
+                    (msg + " check failed", null, null, -1,
+                     PKIXReason.NAME_CHAINING);
             }
 
             if (debug != null)
@@ -270,7 +280,7 @@
                                                        params.getQ(),
                                                        params.getG());
             usableKey = kf.generatePublic(ks);
-        } catch (Exception e) {
+        } catch (GeneralSecurityException e) {
             throw new CertPathValidatorException("Unable to generate key with" +
                                                  " inherited parameters: " +
                                                  e.getMessage(), e);
--- a/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,10 @@
 import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.X509Certificate;
 import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
 import sun.security.util.Debug;
 import sun.security.x509.PKIXExtensions;
 import sun.security.x509.NameConstraintsExtension;
@@ -147,7 +148,8 @@
 
             try {
                 if (!prevNC.verify(currCert)) {
-                    throw new CertPathValidatorException(msg + " check failed");
+                    throw new CertPathValidatorException(msg + " check failed",
+                        null, null, -1, PKIXReason.INVALID_NAME);
                 }
             } catch (IOException ioe) {
                 throw new CertPathValidatorException(ioe);
@@ -228,8 +230,9 @@
         if (i < certPathLength) {
             int pathLenConstraint = currCert.getBasicConstraints();
             if (pathLenConstraint == -1) {
-                throw new CertPathValidatorException(msg + " check failed: "
-                    + "this is not a CA certificate");
+                throw new CertPathValidatorException
+                    (msg + " check failed: this is not a CA certificate", null,
+                     null, -1, PKIXReason.NOT_CA_CERT);
             }
 
             if (!X509CertImpl.isSelfIssued(currCert)) {
@@ -237,7 +240,8 @@
                    throw new CertPathValidatorException
                         (msg + " check failed: pathLenConstraint violated - "
                          + "this cert must be the last cert in the "
-                         + "certification path");
+                         + "certification path", null, null, -1,
+                         PKIXReason.PATH_TOO_LONG);
                 }
                 maxPathLength--;
             }
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,6 +39,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.interfaces.DSAPublicKey;
 import javax.security.auth.x500.X500Principal;
 import sun.security.util.Debug;
@@ -268,7 +269,8 @@
                     " circular dependency");
             }
             throw new CertPathValidatorException
-                ("Could not determine revocation status");
+                ("Could not determine revocation status", null, null, -1,
+                 BasicReason.UNDETERMINED_REVOCATION_STATUS);
         }
 
         // init the state for this run
@@ -324,7 +326,8 @@
                 return;
             } else {
                 throw new CertPathValidatorException
-                    ("Could not determine revocation status");
+                ("Could not determine revocation status", null, null, -1,
+                 BasicReason.UNDETERMINED_REVOCATION_STATUS);
             }
         }
 
@@ -370,7 +373,8 @@
                             + unresCritExts);
                         }
                         throw new CertPathValidatorException
-                            ("Could not determine revocation status");
+                        ("Could not determine revocation status", null, null,
+                         -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
                     }
                 }
 
@@ -378,10 +382,11 @@
                 if (reasonCode == null) {
                     reasonCode = CRLReason.UNSPECIFIED;
                 }
-                throw new CertPathValidatorException(
-                    new CertificateRevokedException
-                        (entry.getRevocationDate(), reasonCode,
-                         crl.getIssuerX500Principal(), entry.getExtensions()));
+                Throwable t = new CertificateRevokedException
+                    (entry.getRevocationDate(), reasonCode,
+                     crl.getIssuerX500Principal(), entry.getExtensions());
+                throw new CertPathValidatorException(t.getMessage(), t,
+                    null, -1, BasicReason.REVOKED);
             }
         }
     }
@@ -428,7 +433,8 @@
                     " circular dependency");
             }
             throw new CertPathValidatorException
-                ("Could not determine revocation status");
+                ("Could not determine revocation status", null, null,
+                 -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
         }
 
         // If prevKey wasn't trusted, maybe we just didn't have the right
@@ -617,7 +623,7 @@
                     return;
                 } catch (CertPathValidatorException cpve) {
                     // If it is revoked, rethrow exception
-                    if (cpve.getCause() instanceof CertificateRevokedException) {
+                    if (cpve.getReason() == BasicReason.REVOKED) {
                         throw cpve;
                     }
                     // Otherwise, ignore the exception and
@@ -628,7 +634,8 @@
                 throw new CertPathValidatorException(iape);
             } catch (CertPathBuilderException cpbe) {
                 throw new CertPathValidatorException
-                    ("Could not determine revocation status", cpbe);
+                    ("Could not determine revocation status", null, null,
+                     -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
             }
         }
     }
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Mon Sep 15 00:41:02 2008 -0700
@@ -32,6 +32,7 @@
 import java.security.InvalidKeyException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreException;
 import java.security.cert.PKIXBuilderParameters;
@@ -732,8 +733,9 @@
                     PKIXExtensions.ExtendedKeyUsage_Id.toString());
 
                 if (!unresCritExts.isEmpty())
-                    throw new CertificateException("Unrecognized critical "
-                        + "extension(s)");
+                    throw new CertPathValidatorException
+                        ("Unrecognized critical extension(s)", null, null, -1,
+                         PKIXReason.UNRECOGNIZED_CRIT_EXT);
             }
         }
 
--- a/jdk/src/share/classes/sun/security/provider/certpath/KeyChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/KeyChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2003 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 
 import java.util.*;
 import java.security.cert.*;
+import java.security.cert.PKIXReason;
 
 import sun.security.util.Debug;
 import sun.security.x509.PKIXExtensions;
@@ -75,11 +76,12 @@
         if (!forward) {
             remainingCerts = certPathLen;
         } else {
-            throw new CertPathValidatorException("forward checking not supported");
+            throw new CertPathValidatorException
+                ("forward checking not supported");
         }
     }
 
-    public boolean isForwardCheckingSupported() {
+    public final boolean isForwardCheckingSupported() {
         return false;
     }
 
@@ -155,8 +157,9 @@
 
         // throw an exception if the keyCertSign bit is not set
         if (!keyUsageBits[keyCertSign]) {
-            throw new CertPathValidatorException(msg + " check failed: "
-                + "keyCertSign bit is not set");
+            throw new CertPathValidatorException
+                (msg + " check failed: keyCertSign bit is not set", null,
+                 null, -1, PKIXReason.INVALID_KEY_USAGE);
         }
 
         if (debug != null) {
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -33,6 +33,7 @@
 import java.security.PrivilegedAction;
 import java.security.Security;
 import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.net.*;
 import javax.security.auth.x500.X500Principal;
 
@@ -381,17 +382,18 @@
             }
 
             if (certOCSPStatus == OCSPResponse.CERT_STATUS_REVOKED) {
-                throw new CertPathValidatorException(
-                    new CertificateRevokedException(
+                Throwable t = new CertificateRevokedException(
                         ocspResponse.getRevocationTime(),
                         ocspResponse.getRevocationReason(),
                         responderCert.getSubjectX500Principal(),
-                        ocspResponse.getSingleExtensions()));
+                        ocspResponse.getSingleExtensions());
+                throw new CertPathValidatorException(t.getMessage(), t,
+                        null, -1, BasicReason.REVOKED);
 
             } else if (certOCSPStatus == OCSPResponse.CERT_STATUS_UNKNOWN) {
                 throw new CertPathValidatorException(
                     "Certificate's revocation status is unknown", null, cp,
-                    remainingCerts);
+                    remainingCerts, BasicReason.UNDETERMINED_REVOCATION_STATUS);
             }
         } catch (Exception e) {
             throw new CertPathValidatorException(e);
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,6 +38,7 @@
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.PKIXCertPathValidatorResult;
 import java.security.cert.PKIXParameters;
+import java.security.cert.PKIXReason;
 import java.security.cert.PolicyNode;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
@@ -47,7 +48,6 @@
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.Set;
-import java.util.HashSet;
 import javax.security.auth.x500.X500Principal;
 import sun.security.util.Debug;
 
@@ -67,6 +67,7 @@
     private List<PKIXCertPathChecker> userCheckers;
     private String sigProvider;
     private BasicChecker basicChecker;
+    private String ocspProperty;
 
     /**
      * Default constructor.
@@ -126,7 +127,7 @@
 
         // Must copy elements of certList into a new modifiable List before
         // calling Collections.reverse().
-        List<X509Certificate> certList = new ArrayList<X509Certificate>
+        ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>
             ((List<X509Certificate>)cp.getCertificates());
         if (debug != null) {
             if (certList.isEmpty()) {
@@ -201,7 +202,8 @@
         }
         // (b) otherwise, generate new exception
         throw new CertPathValidatorException
-                        ("Path does not chain with any of the trust anchors");
+            ("Path does not chain with any of the trust anchors",
+             null, null, -1, PKIXReason.NO_TRUST_ANCHOR);
     }
 
     /**
@@ -210,7 +212,6 @@
      */
     private boolean isWorthTrying(X509Certificate trustedCert,
                                   X509Certificate firstCert)
-        throws CertPathValidatorException
     {
         if (debug != null) {
             debug.println("PKIXCertPathValidator.isWorthTrying() checking "
@@ -240,7 +241,6 @@
      * Internal method to setup the internal state
      */
     private void populateVariables(PKIXParameters pkixParam)
-        throws CertPathValidatorException
     {
         // default value for testDate is current time
         testDate = pkixParam.getDate();
@@ -250,6 +250,17 @@
 
         userCheckers = pkixParam.getCertPathCheckers();
         sigProvider = pkixParam.getSigProvider();
+
+        if (pkixParam.isRevocationEnabled()) {
+            // Examine OCSP security property
+            ocspProperty = AccessController.doPrivileged(
+                new PrivilegedAction<String>() {
+                    public String run() {
+                        return
+                            Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
+                    }
+                });
+        }
     }
 
     /**
@@ -259,12 +270,9 @@
      */
     private PolicyNode doValidate(
             TrustAnchor anchor, CertPath cpOriginal,
-            List<X509Certificate> certList, PKIXParameters pkixParam,
+            ArrayList<X509Certificate> certList, PKIXParameters pkixParam,
             PolicyNodeImpl rootNode) throws CertPathValidatorException
     {
-        List<PKIXCertPathChecker> certPathCheckers =
-            new ArrayList<PKIXCertPathChecker>();
-
         int certPathLen = certList.size();
 
         basicChecker = new BasicChecker(anchor, testDate, sigProvider, false);
@@ -281,6 +289,8 @@
                               pkixParam.getPolicyQualifiersRejected(),
                               rootNode);
 
+        ArrayList<PKIXCertPathChecker> certPathCheckers =
+            new ArrayList<PKIXCertPathChecker>();
         // add standard checkers that we will be using
         certPathCheckers.add(keyChecker);
         certPathCheckers.add(constraintsChecker);
@@ -290,15 +300,6 @@
         // only add a revocationChecker if revocation is enabled
         if (pkixParam.isRevocationEnabled()) {
 
-            // Examine OCSP security property
-            String ocspProperty = AccessController.doPrivileged(
-                new PrivilegedAction<String>() {
-                    public String run() {
-                        return
-                            Security.getProperty(OCSPChecker.OCSP_ENABLE_PROP);
-                    }
-                });
-
             // Use OCSP if it has been enabled
             if ("true".equalsIgnoreCase(ocspProperty)) {
                 OCSPChecker ocspChecker =
--- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,11 +30,12 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
-import java.util.Iterator;
+import java.security.cert.CertificateRevokedException;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateRevokedException;
+import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXReason;
 import java.security.cert.X509Certificate;
 
 /**
@@ -153,10 +154,11 @@
                      */
                     CertPathValidatorException currentCause =
                         new CertPathValidatorException(cpve.getMessage(),
-                            cpve.getCause(), cpOriginal, cpSize - (i + 1));
+                            cpve.getCause(), cpOriginal, cpSize - (i + 1),
+                            cpve.getReason());
 
                     // Check if OCSP has confirmed that the cert was revoked
-                    if (cpve.getCause() instanceof CertificateRevokedException) {
+                    if (cpve.getReason() == BasicReason.REVOKED) {
                         throw currentCause;
                     }
                     // Check if it is appropriate to failover
@@ -184,7 +186,8 @@
                 debug.println("checking for unresolvedCritExts");
             if (!unresolvedCritExts.isEmpty()) {
                 throw new CertPathValidatorException("unrecognized " +
-                    "critical extension(s)", null, cpOriginal, cpSize-(i+1));
+                    "critical extension(s)", null, cpOriginal, cpSize-(i+1),
+                    PKIXReason.UNRECOGNIZED_CRIT_EXT);
             }
 
             if (debug != null)
--- a/jdk/src/share/classes/sun/security/provider/certpath/PolicyChecker.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/PolicyChecker.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,11 +30,12 @@
 
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXReason;
 import java.security.cert.PolicyNode;
 import java.security.cert.PolicyQualifierInfo;
+import java.security.cert.X509Certificate;
 
 import sun.security.util.Debug;
 import sun.security.x509.CertificatePoliciesExtension;
@@ -482,8 +483,9 @@
                     // the policyQualifiersRejected flag is set in the params
                     if (!pQuals.isEmpty() && rejectPolicyQualifiers &&
                         policiesCritical) {
-                            throw new CertPathValidatorException("critical " +
-                                "policy qualifiers present in certificate");
+                        throw new CertPathValidatorException(
+                            "critical policy qualifiers present in certificate",
+                            null, null, -1, PKIXReason.INVALID_POLICY);
                     }
 
                     // PKIX: Section 6.1.3: Step (d)(1)(i)
@@ -567,7 +569,8 @@
 
         if ((explicitPolicy == 0) && (rootNode == null)) {
             throw new CertPathValidatorException
-                ("non-null policy tree required and policy tree is null");
+                ("non-null policy tree required and policy tree is null",
+                 null, null, -1, PKIXReason.INVALID_POLICY);
         }
 
         return rootNode;
@@ -776,12 +779,14 @@
 
             if (issuerDomain.equals(ANY_POLICY)) {
                 throw new CertPathValidatorException
-                    ("encountered an issuerDomainPolicy of ANY_POLICY");
+                    ("encountered an issuerDomainPolicy of ANY_POLICY",
+                     null, null, -1, PKIXReason.INVALID_POLICY);
             }
 
             if (subjectDomain.equals(ANY_POLICY)) {
                 throw new CertPathValidatorException
-                    ("encountered a subjectDomainPolicy of ANY_POLICY");
+                    ("encountered a subjectDomainPolicy of ANY_POLICY",
+                     null, null, -1, PKIXReason.INVALID_POLICY);
             }
 
             Set<PolicyNodeImpl> validNodes =
--- a/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,14 +29,15 @@
 import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreException;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.PKIXParameters;
+import java.security.cert.PKIXReason;
 import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
 import java.security.cert.X509CertSelector;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -402,7 +403,8 @@
              */
             if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
                     throw new CertPathValidatorException
-                        ("pathLenConstraint violated, path too long");
+                        ("pathLenConstraint violated, path too long", null,
+                         null, -1, PKIXReason.PATH_TOO_LONG);
             }
 
             /*
@@ -438,7 +440,8 @@
                 try {
                     if (!currentState.nc.verify(cert)){
                         throw new CertPathValidatorException
-                            ("name constraints check failed");
+                            ("name constraints check failed", null, null, -1,
+                             PKIXReason.INVALID_NAME);
                     }
                 } catch (IOException ioe){
                     throw new CertPathValidatorException(ioe);
@@ -483,7 +486,9 @@
             unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());
 
             if (!unresolvedCritExts.isEmpty())
-                throw new CertificateException("Unrecognized critical extension(s)");
+                throw new CertPathValidatorException
+                    ("Unrecognized critical extension(s)", null, null, -1,
+                     PKIXReason.UNRECOGNIZED_CRIT_EXT);
         }
 
         /*
--- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,9 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.cert.*;
+import java.security.cert.PKIXReason;
+import java.security.interfaces.DSAPublicKey;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -39,10 +42,6 @@
 import java.util.List;
 import java.util.LinkedList;
 import java.util.Set;
-
-import java.security.cert.*;
-import java.security.interfaces.DSAPublicKey;
-
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.x509.X500Name;
@@ -565,8 +564,9 @@
                             (PKIXExtensions.ExtendedKeyUsage_Id.toString());
 
                         if (!unresCritExts.isEmpty()) {
-                            throw new CertPathValidatorException("unrecognized "
-                                + "critical extension(s)");
+                            throw new CertPathValidatorException
+                                ("unrecognized critical extension(s)", null,
+                                 null, -1, PKIXReason.UNRECOGNIZED_CRIT_EXT);
                         }
                     }
                 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/com/sun/net/httpserver/bugs/B6744329.java	Mon Sep 15 00:41:02 2008 -0700
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2005-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ * @bug B6744329
+ * @summary  Exception in light weight Http server
+ */
+
+import com.sun.net.httpserver.*;
+
+import java.util.*;
+import java.util.concurrent.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.security.cert.*;
+import javax.net.ssl.*;
+
+public class B6744329 {
+
+    public static void main (String[] args) throws Exception {
+        Handler handler = new Handler();
+        InetSocketAddress addr = new InetSocketAddress (0);
+        HttpServer server = HttpServer.create (addr, 0);
+        HttpContext ctx = server.createContext ("/test", handler);
+        ExecutorService executor = Executors.newCachedThreadPool();
+        server.setExecutor (executor);
+        server.start ();
+
+        URL url = new URL ("http://localhost:"+server.getAddress().getPort()+"/test/foo.html");
+        HttpURLConnection urlc = (HttpURLConnection)url.openConnection ();
+        try {
+            InputStream is = urlc.getInputStream();
+            int c = 0;
+            while (is.read()!= -1) {
+                c ++;
+            }
+            System.out.println ("OK");
+        } catch (IOException e) {
+            System.out.println ("exception");
+            error = true;
+        }
+        server.stop(2);
+        executor.shutdown();
+        if (error) {
+            throw new RuntimeException ("Test failed");
+        }
+    }
+
+    public static boolean error = false;
+
+    /* this must be the same size as in ChunkedOutputStream.java
+     */
+    final static int CHUNK_SIZE = 4096;
+
+    static class Handler implements HttpHandler {
+        int invocation = 1;
+        public void handle (HttpExchange t)
+            throws IOException
+        {
+            InputStream is = t.getRequestBody();
+            Headers map = t.getRequestHeaders();
+            Headers rmap = t.getResponseHeaders();
+            while (is.read () != -1) ;
+            is.close();
+            /* chunked response */
+            t.sendResponseHeaders (200, 0);
+            OutputStream os = t.getResponseBody();
+            byte[] first = new byte [CHUNK_SIZE * 2];
+            byte[] second = new byte [2];
+            os.write (first);
+            os.write ('x');
+            os.write ('x');
+            /* An index out of bounds exception will be thrown
+             * below, which is caught by server, and connection
+             * will be closed. resulting in IOException to client
+             * - if bug present
+             */
+            os.write ('x');
+            os.write ('x');
+            os.write ('x');
+            t.close();
+        }
+    }
+}
--- a/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/test/java/net/CookieHandler/TestHttpCookie.java	Mon Sep 15 00:41:02 2008 -0700
@@ -24,7 +24,7 @@
 /**
  * @test
  * @summary Unit test for java.net.HttpCookie
- * @bug 6244040 6277796 6277801 6277808 6294071
+ * @bug 6244040 6277796 6277801 6277808 6294071 6692802
  * @author Edward Wang
  */
 
@@ -178,6 +178,19 @@
     }
     TestHttpCookie port(String p) { return port(0, p); }
 
+    // check http only
+    TestHttpCookie httpOnly(int index, boolean b) {
+        HttpCookie cookie = cookies.get(index);
+        if (cookie == null || b != cookie.isHttpOnly()) {
+            raiseError("HttpOnly", String.valueOf(cookie.isHttpOnly()), String.valueOf(b));
+        }
+        return this;
+    }
+
+    TestHttpCookie httpOnly(boolean b) {
+        return httpOnly(0, b);
+    }
+
     // check equality
     static void eq(HttpCookie ck1, HttpCookie ck2, boolean same) {
         testCount++;
@@ -362,6 +375,10 @@
         } catch (IllegalArgumentException ignored) {
             // expected exception; no-op
         }
+
+        // CR 6692802: HttpOnly flag
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE;HttpOnly").httpOnly(true);
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE").httpOnly(false);
     }
 
     static void header(String prompt) {
--- a/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@
 import java.io.IOException;
 
 import java.security.cert.*;
+import java.security.cert.PKIXReason;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -69,6 +70,9 @@
             validate(path, params);
             throw new Exception("Successfully validated invalid path.");
         } catch (CertPathValidatorException e) {
+            if (e.getReason() != PKIXReason.INVALID_NAME) {
+                throw new Exception("unexpected reason: " + e.getReason());
+            }
             System.out.println("Path rejected as expected: " + e);
         }
     }
@@ -86,14 +90,14 @@
         args = new String[] {"jane2jane.cer", "jane2steve.cer", "steve2tom.cer"};
 
         TrustAnchor anchor = new TrustAnchor(getCertFromFile(args[0]), null);
-        List list = new ArrayList();
+        List<X509Certificate> list = new ArrayList<X509Certificate>();
         for (int i = 1; i < args.length; i++) {
             list.add(0, getCertFromFile(args[i]));
         }
         CertificateFactory cf = CertificateFactory.getInstance("X509");
         path = cf.generateCertPath(list);
 
-        Set anchors = Collections.singleton(anchor);
+        Set<TrustAnchor> anchors = Collections.singleton(anchor);
         params = new PKIXParameters(anchors);
         params.setRevocationEnabled(false);
     }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidatorException/ReasonTest.java	Mon Sep 15 00:41:02 2008 -0700
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6465942
+ * @summary unit test for CertPathValidatorException.Reason
+ */
+
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class ReasonTest {
+    private static volatile boolean failed = false;
+    public static void main(String[] args) throws Exception {
+
+        // check that getReason returns UNSPECIFIED if reason not specified
+        CertPathValidatorException cpve = new CertPathValidatorException("abc");
+        if (cpve.getReason() != BasicReason.UNSPECIFIED) {
+            failed = true;
+            System.err.println("FAILED: unexpected reason: " + cpve.getReason());
+        }
+
+        // check that getReason returns specified reason
+        cpve = new CertPathValidatorException
+            ("abc", null, null, -1, BasicReason.REVOKED);
+        if (cpve.getReason() != BasicReason.REVOKED) {
+            failed = true;
+            System.err.println("FAILED: unexpected reason: " + cpve.getReason());
+        }
+
+        // check that ctor throws NPE when reason is null
+        try {
+            cpve = new CertPathValidatorException("abc", null, null, -1, null);
+            failed = true;
+            System.err.println("ctor did not throw NPE for null reason");
+        } catch (Exception e) {
+            if (!(e instanceof NullPointerException)) {
+                failed = true;
+                System.err.println("FAILED: unexpected exception: " + e);
+            }
+        }
+        if (failed) {
+            throw new Exception("Some tests FAILED");
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidatorException/Serial.java	Mon Sep 15 00:41:02 2008 -0700
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6465942
+ * @summary Test deserialization of CertPathValidatorException
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+//import java.io.FileOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import java.util.Collections;
+
+/**
+ * This class tests to see if CertPathValidatorException can be serialized and
+ * deserialized properly.
+ */
+public class Serial {
+    private static volatile boolean failed = false;
+    public static void main(String[] args) throws Exception {
+
+        File f = new File(System.getProperty("test.src", "."), "cert_file");
+        FileInputStream fis = new FileInputStream(f);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        Certificate c = cf.generateCertificate(fis);
+        fis.close();
+        CertPath cp = cf.generateCertPath(Collections.singletonList(c));
+
+        CertPathValidatorException cpve1 =
+            new CertPathValidatorException
+                ("Test", new Exception("Expired"), cp, 0, BasicReason.EXPIRED);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+//        FileOutputStream fos = new FileOutputStream("jdk7.serial");
+        ObjectOutputStream oos = new ObjectOutputStream(baos);
+//        ObjectOutputStream foos = new ObjectOutputStream(fos);
+        oos.writeObject(cpve1);
+//        foos.writeObject(cpve1);
+        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
+        ObjectInputStream ois = new ObjectInputStream(bais);
+        CertPathValidatorException cpve2 =
+            (CertPathValidatorException) ois.readObject();
+        check(!cpve1.getMessage().equals(cpve2.getMessage()),
+            "CertPathValidatorException messages not equal");
+        check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
+            "CertPathValidatorException causes not equal");
+        check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
+            "CertPathValidatorException certpaths not equal");
+        check(cpve1.getIndex() != cpve2.getIndex(),
+            "CertPathValidatorException indexes not equal");
+        check(cpve1.getReason() != cpve2.getReason(),
+            "CertPathValidatorException reasons not equal");
+        oos.close();
+        ois.close();
+
+        f = new File(System.getProperty("test.src", "."), "jdk6.serial");
+        fis = new FileInputStream(f);
+        ois = new ObjectInputStream(fis);
+        cpve2 = (CertPathValidatorException) ois.readObject();
+        check(!cpve1.getMessage().equals(cpve2.getMessage()),
+            "CertPathValidatorException messages not equal");
+        check(!cpve1.getCause().getMessage().equals(cpve2.getCause().getMessage()),
+            "CertPathValidatorException causes not equal");
+        check(!cpve1.getCertPath().equals(cpve2.getCertPath()),
+            "CertPathValidatorException certpaths not equal");
+        check(cpve1.getIndex() != cpve2.getIndex(),
+            "CertPathValidatorException indexes not equal");
+//      System.out.println(cpve2.getReason());
+        check(cpve2.getReason() != BasicReason.UNSPECIFIED,
+            "CertPathValidatorException reasons not equal");
+        oos.close();
+        ois.close();
+        if (failed) {
+            throw new Exception("Some tests FAILED");
+        }
+    }
+
+    private static void check(boolean expr, String message) {
+        if (expr) {
+            failed = true;
+            System.err.println("FAILED: " + message);
+        }
+    }
+}
Binary file jdk/test/java/security/cert/CertPathValidatorException/cert_file has changed
Binary file jdk/test/java/security/cert/CertPathValidatorException/jdk6.serial has changed
--- a/jdk/test/java/security/cert/PolicyNode/GetPolicyQualifiers.java	Fri Sep 12 19:06:38 2008 +0200
+++ b/jdk/test/java/security/cert/PolicyNode/GetPolicyQualifiers.java	Mon Sep 15 00:41:02 2008 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -74,6 +74,10 @@
             throw new Exception("Validation of CertPath containing critical " +
                 "qualifiers should have failed when policyQualifiersRejected " +
                 "flag is true");
-        } catch (CertPathValidatorException cpve) {}
+        } catch (CertPathValidatorException cpve) {
+            if (cpve.getReason() != PKIXReason.INVALID_POLICY) {
+                throw new Exception("unexpected reason: " + cpve.getReason());
+            }
+        }
     }
 }