changeset 54884:cb1642ccc732

8217835: Remove the experimental SunJSSE FIPS compliant mode Reviewed-by: mullan
author xuelei
date Tue, 12 Feb 2019 13:36:15 -0800
parents b5d45c2fe8a0
children fedc89081b57
files src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java src/java.base/share/classes/sun/security/ssl/Authenticator.java src/java.base/share/classes/sun/security/ssl/CertificateVerify.java src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java src/java.base/share/classes/sun/security/ssl/Finished.java src/java.base/share/classes/sun/security/ssl/HKDF.java src/java.base/share/classes/sun/security/ssl/HandshakeHash.java src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java src/java.base/share/classes/sun/security/ssl/JsseJce.java src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java src/java.base/share/classes/sun/security/ssl/RSASignature.java src/java.base/share/classes/sun/security/ssl/SSLCipher.java src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java src/java.base/share/classes/sun/security/ssl/SignatureScheme.java src/java.base/share/classes/sun/security/ssl/SunJSSE.java src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java test/jdk/sun/security/pkcs11/fips/CipherTest.java test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java test/jdk/sun/security/pkcs11/fips/JSSEClient.java test/jdk/sun/security/pkcs11/fips/JSSEServer.java test/jdk/sun/security/pkcs11/fips/TestTLS12.java test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy test/jdk/sun/security/pkcs11/fips/cert8.db test/jdk/sun/security/pkcs11/fips/certs/anchor.cer test/jdk/sun/security/pkcs11/fips/certs/ca.cer test/jdk/sun/security/pkcs11/fips/certs/server.cer test/jdk/sun/security/pkcs11/fips/fips.cfg test/jdk/sun/security/pkcs11/fips/key3.db test/jdk/sun/security/pkcs11/fips/keystore test/jdk/sun/security/pkcs11/fips/secmod.db test/jdk/sun/security/pkcs11/fips/truststore
diffstat 46 files changed, 364 insertions(+), 2350 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/com/sun/net/ssl/internal/ssl/Provider.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,21 +42,6 @@
         super();
     }
 
-    // preferred constructor to enable FIPS mode at runtime
-    public Provider(java.security.Provider cryptoProvider) {
-        super(cryptoProvider);
-    }
-
-    // constructor to enable FIPS mode from java.security file
-    public Provider(String cryptoProvider) {
-        super(cryptoProvider);
-    }
-
-    // public for now, but we may want to change it or not document it.
-    public static synchronized boolean isFIPS() {
-        return SunJSSE.isFIPS();
-    }
-
     /**
      * Installs the JSSE provider.
      */
--- a/src/java.base/share/classes/sun/security/ssl/Authenticator.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/Authenticator.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -484,7 +484,7 @@
                     throw new RuntimeException("Unknown MacAlg " + macAlg);
             }
 
-            Mac m = JsseJce.getMac(algorithm);
+            Mac m = Mac.getInstance(algorithm);
             m.init(key);
             this.macAlg = macAlg;
             this.mac = m;
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -196,13 +196,13 @@
             Signature signer = null;
             switch (algorithm) {
                 case "RSA":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
                     break;
                 case "DSA":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
                     break;
                 case "EC":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
                     break;
                 default:
                     throw new SignatureException("Unrecognized algorithm: "
@@ -439,13 +439,13 @@
             Signature signer = null;
             switch (algorithm) {
                 case "RSA":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
                     break;
                 case "DSA":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWDSA);
                     break;
                 case "EC":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_RAWECDSA);
                     break;
                 default:
                     throw new SignatureException("Unrecognized algorithm: "
--- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -280,7 +280,7 @@
                 DHPublicKeySpec spec = new DHPublicKeySpec(
                         new BigInteger(1, ckem.y),
                         params.getP(), params.getG());
-                KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+                KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
                 DHPublicKey peerPublicKey =
                         (DHPublicKey)kf.generatePublic(spec);
 
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -87,7 +87,7 @@
                 return null;
             }
 
-            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+            KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
             DHPublicKeySpec spec = new DHPublicKeySpec(
                     new BigInteger(1, encodedPublic),
                     params.getP(), params.getG());
@@ -106,7 +106,7 @@
         DHEPossession(NamedGroup namedGroup, SecureRandom random) {
             try {
                 KeyPairGenerator kpg =
-                        JsseJce.getKeyPairGenerator("DiffieHellman");
+                        KeyPairGenerator.getInstance("DiffieHellman");
                 DHParameterSpec params =
                         (DHParameterSpec)namedGroup.getParameterSpec();
                 kpg.initialize(params, random);
@@ -129,7 +129,7 @@
                     PredefinedDHParameterSpecs.definedParams.get(keyLength);
             try {
                 KeyPairGenerator kpg =
-                    JsseJce.getKeyPairGenerator("DiffieHellman");
+                    KeyPairGenerator.getInstance("DiffieHellman");
                 if (params != null) {
                     kpg.initialize(params, random);
                 } else {
@@ -155,7 +155,7 @@
         DHEPossession(DHECredentials credentials, SecureRandom random) {
             try {
                 KeyPairGenerator kpg =
-                        JsseJce.getKeyPairGenerator("DiffieHellman");
+                        KeyPairGenerator.getInstance("DiffieHellman");
                 kpg.initialize(credentials.popPublicKey.getParams(), random);
                 KeyPair kp = generateDHKeyPair(kpg);
                 if (kp == null) {
@@ -208,7 +208,7 @@
                                         params.getP(), params.getG());
             }
             try {
-                KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
+                KeyFactory factory = KeyFactory.getInstance("DiffieHellman");
                 return factory.getKeySpec(key, DHPublicKeySpec.class);
             } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                 // unlikely
@@ -473,7 +473,7 @@
             private SecretKey t12DeriveKey(String algorithm,
                     AlgorithmParameterSpec params) throws IOException {
                 try {
-                    KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
+                    KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
                     ka.init(localPrivateKey);
                     ka.doPhase(peerPublicKey, true);
                     SecretKey preMasterSecret =
@@ -499,7 +499,7 @@
             private SecretKey t13DeriveKey(String algorithm,
                     AlgorithmParameterSpec params) throws IOException {
                 try {
-                    KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
+                    KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
                     ka.init(localPrivateKey);
                     ka.doPhase(peerPublicKey, true);
                     SecretKey sharedSecret =
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -420,7 +420,7 @@
             Signature signer = null;
             switch (keyAlgorithm) {
                 case "DSA":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_DSA);
                     break;
                 case "RSA":
                     signer = RSASignature.getInstance();
@@ -524,7 +524,7 @@
             // check constraints of EC PublicKey
             DHPublicKey publicKey;
             try {
-                KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+                KeyFactory kf = KeyFactory.getInstance("DiffieHellman");
                 DHPublicKeySpec spec = new DHPublicKeySpec(
                         new BigInteger(1, skem.y),
                         new BigInteger(1, skem.p),
--- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,6 +49,7 @@
 import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
 import sun.security.ssl.X509Authentication.X509Credentials;
 import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.ECUtil;
 import sun.security.util.HexDumpEncoder;
 
 /**
@@ -78,7 +79,7 @@
 
             ECPoint point = publicKey.getW();
             ECParameterSpec params = publicKey.getParams();
-            encodedPoint = JsseJce.encodePoint(point, params.getCurve());
+            encodedPoint = ECUtil.encodePoint(point, params.getCurve());
         }
 
         ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
@@ -99,10 +100,10 @@
             try {
                 ECParameterSpec params = publicKey.getParams();
                 ECPoint point =
-                        JsseJce.decodePoint(encodedPoint, params.getCurve());
+                        ECUtil.decodePoint(encodedPoint, params.getCurve());
                 ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
 
-                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                KeyFactory kf = KeyFactory.getInstance("EC");
                 ECPublicKey peerPublicKey =
                         (ECPublicKey)kf.generatePublic(spec);
 
@@ -319,10 +320,10 @@
             // create the credentials
             try {
                 ECPoint point =
-                    JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+                    ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
                 ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
 
-                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                KeyFactory kf = KeyFactory.getInstance("EC");
                 ECPublicKey peerPublicKey =
                         (ECPublicKey)kf.generatePublic(spec);
 
@@ -493,10 +494,10 @@
             // create the credentials
             try {
                 ECPoint point =
-                    JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+                    ECUtil.decodePoint(cke.encodedPoint, params.getCurve());
                 ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
 
-                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                KeyFactory kf = KeyFactory.getInstance("EC");
                 ECPublicKey peerPublicKey =
                         (ECPublicKey)kf.generatePublic(spec);
 
--- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -85,14 +85,14 @@
             }
 
             ECParameterSpec parameters =
-                    JsseJce.getECParameterSpec(namedGroup.oid);
+                    ECUtil.getECParameterSpec(null, namedGroup.oid);
             if (parameters == null) {
                 return null;
             }
 
-            ECPoint point = JsseJce.decodePoint(
+            ECPoint point = ECUtil.decodePoint(
                     encodedPoint, parameters.getCurve());
-            KeyFactory factory = JsseJce.getKeyFactory("EC");
+            KeyFactory factory = KeyFactory.getInstance("EC");
             ECPublicKey publicKey = (ECPublicKey)factory.generatePublic(
                     new ECPublicKeySpec(point, parameters));
             return new ECDHECredentials(publicKey, namedGroup);
@@ -106,7 +106,7 @@
 
         ECDHEPossession(NamedGroup namedGroup, SecureRandom random) {
             try {
-                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
                 ECGenParameterSpec params =
                         (ECGenParameterSpec)namedGroup.getParameterSpec();
                 kpg.initialize(params, random);
@@ -124,7 +124,7 @@
         ECDHEPossession(ECDHECredentials credentials, SecureRandom random) {
             ECParameterSpec params = credentials.popPublicKey.getParams();
             try {
-                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
                 kpg.initialize(params, random);
                 KeyPair kp = kpg.generateKeyPair();
                 privateKey = kp.getPrivate();
@@ -149,7 +149,7 @@
                 PublicKey peerPublicKey) throws SSLHandshakeException {
 
             try {
-                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                KeyAgreement ka = KeyAgreement.getInstance("ECDH");
                 ka.init(privateKey);
                 ka.doPhase(peerPublicKey, true);
                 return ka.generateSecret("TlsPremasterSecret");
@@ -165,8 +165,8 @@
             try {
                 ECParameterSpec params = publicKey.getParams();
                 ECPoint point =
-                        JsseJce.decodePoint(encodedPoint, params.getCurve());
-                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                        ECUtil.decodePoint(encodedPoint, params.getCurve());
+                KeyFactory kf = KeyFactory.getInstance("EC");
                 ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
                 PublicKey peerPublicKey = kf.generatePublic(spec);
                 return getAgreedSecret(peerPublicKey);
@@ -183,10 +183,10 @@
 
                 ECParameterSpec params = publicKey.getParams();
                 ECPoint point =
-                        JsseJce.decodePoint(encodedPoint, params.getCurve());
+                        ECUtil.decodePoint(encodedPoint, params.getCurve());
                 ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
 
-                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                KeyFactory kf = KeyFactory.getInstance("EC");
                 ECPublicKey pubKey = (ECPublicKey)kf.generatePublic(spec);
 
                 // check constraints of ECPublicKey
@@ -424,7 +424,7 @@
         private SecretKey t12DeriveKey(String algorithm,
                 AlgorithmParameterSpec params) throws IOException {
             try {
-                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                KeyAgreement ka = KeyAgreement.getInstance("ECDH");
                 ka.init(localPrivateKey);
                 ka.doPhase(peerPublicKey, true);
                 SecretKey preMasterSecret =
@@ -451,7 +451,7 @@
         private SecretKey t13DeriveKey(String algorithm,
                 AlgorithmParameterSpec params) throws IOException {
             try {
-                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                KeyAgreement ka = KeyAgreement.getInstance("ECDH");
                 ka.init(localPrivateKey);
                 ka.doPhase(peerPublicKey, true);
                 SecretKey sharedSecret =
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,7 @@
 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
 import sun.security.ssl.X509Authentication.X509Credentials;
 import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.ECUtil;
 import sun.security.util.HexDumpEncoder;
 
 /**
@@ -120,7 +121,7 @@
             publicKey = ecdhePossession.publicKey;
             ECParameterSpec params = publicKey.getParams();
             ECPoint point = publicKey.getW();
-            publicPoint = JsseJce.encodePoint(point, params.getCurve());
+            publicPoint = ECUtil.encodePoint(point, params.getCurve());
 
             this.namedGroup = NamedGroup.valueOf(params);
             if ((namedGroup == null) || (namedGroup.oid == null) ) {
@@ -221,7 +222,7 @@
             }
 
             ECParameterSpec parameters =
-                    JsseJce.getECParameterSpec(namedGroup.oid);
+                    ECUtil.getECParameterSpec(null, namedGroup.oid);
             if (parameters == null) {
                 throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No supported EC parameter: " + namedGroup);
@@ -236,8 +237,8 @@
             ECPublicKey ecPublicKey = null;
             try {
                 ECPoint point =
-                        JsseJce.decodePoint(publicPoint, parameters.getCurve());
-                KeyFactory factory = JsseJce.getKeyFactory("EC");
+                        ECUtil.decodePoint(publicPoint, parameters.getCurve());
+                KeyFactory factory = KeyFactory.getInstance("EC");
                 ecPublicKey = (ECPublicKey)factory.generatePublic(
                     new ECPublicKeySpec(point, parameters));
             } catch (NoSuchAlgorithmException |
@@ -446,7 +447,7 @@
             Signature signer = null;
             switch (keyAlgorithm) {
                 case "EC":
-                    signer = JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
+                    signer = Signature.getInstance(JsseJce.SIGNATURE_ECDSA);
                     break;
                 case "RSA":
                     signer = RSASignature.getInstance();
--- a/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -69,7 +69,7 @@
             KeyPair kp = keys[index].getKeyPair();
             if (kp == null) {
                 try {
-                    KeyPairGenerator kgen = JsseJce.getKeyPairGenerator("RSA");
+                    KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA");
                     kgen.initialize(length, random);
                     keys[index] = new EphemeralKeyPair(kgen.genKeyPair());
                     kp = keys[index].getKeyPair();
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/Finished.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -257,7 +257,7 @@
                 TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
                     masterSecretKey, tlsLabel, seed, 12,
                     hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
-                KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+                KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
                 kg.init(spec);
                 SecretKey prfKey = kg.generateKey();
                 if (!"RAW".equals(prfKey.getFormat())) {
@@ -309,7 +309,7 @@
                 TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
                     masterSecretKey, tlsLabel, seed, 12,
                     hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
-                KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+                KeyGenerator kg = KeyGenerator.getInstance(prfAlg);
                 kg.init(spec);
                 SecretKey prfKey = kg.generateKey();
                 if (!"RAW".equals(prfKey.getFormat())) {
@@ -350,7 +350,7 @@
             String hmacAlg =
                 "Hmac" + hashAlg.name.replace("-", "");
             try {
-                Mac hmac = JsseJce.getMac(hmacAlg);
+                Mac hmac = Mac.getInstance(hmacAlg);
                 hmac.init(finishedSecret);
                 return hmac.doFinal(context.handshakeHash.digest());
             } catch (NoSuchAlgorithmException |InvalidKeyException ex) {
--- a/src/java.base/share/classes/sun/security/ssl/HKDF.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HKDF.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -62,7 +62,7 @@
         Objects.requireNonNull(hashAlg,
                 "Must provide underlying HKDF Digest algorithm.");
         hmacAlg = "Hmac" + hashAlg.replace("-", "");
-        hmacObj = JsseJce.getMac(hmacAlg);
+        hmacObj = Mac.getInstance(hmacAlg);
         hmacLen = hmacObj.getMacLength();
     }
 
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	Tue Feb 12 13:36:15 2019 -0800
@@ -29,6 +29,7 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.LinkedList;
 import javax.crypto.SecretKey;
@@ -269,8 +270,13 @@
         private final ByteArrayOutputStream baos;
 
         S30HandshakeHash(CipherSuite cipherSuite) {
-            this.mdMD5 = JsseJce.getMessageDigest("MD5");
-            this.mdSHA = JsseJce.getMessageDigest("SHA");
+            try {
+                this.mdMD5 = MessageDigest.getInstance("MD5");
+                this.mdSHA = MessageDigest.getInstance("SHA");
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                    "Hash algorithm MD5 or SHA is not available", nsae);
+            }
 
             boolean hasArchived = false;
             if (mdMD5 instanceof Cloneable) {
@@ -379,7 +385,12 @@
                             "MessageDigest does no support clone operation");
                 }
             } else {
-                md5Clone = JsseJce.getMessageDigest("MD5");
+                try {
+                    md5Clone = MessageDigest.getInstance("MD5");
+                } catch (NoSuchAlgorithmException nsae) {
+                    throw new RuntimeException(
+                        "Hash algorithm MD5 is not available", nsae);
+                }
                 md5Clone.update(md5.archived());
             }
 
@@ -396,7 +407,12 @@
                             "MessageDigest does no support clone operation");
                 }
             } else {
-                shaClone = JsseJce.getMessageDigest("SHA");
+                try {
+                    shaClone = MessageDigest.getInstance("SHA");
+                } catch (NoSuchAlgorithmException nsae) {
+                    throw new RuntimeException(
+                        "Hash algorithm SHA is not available", nsae);
+                }
                 shaClone.update(sha.archived());
             }
 
@@ -447,8 +463,15 @@
         private final ByteArrayOutputStream baos;
 
         T10HandshakeHash(CipherSuite cipherSuite) {
-            MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5");
-            MessageDigest mdSHA = JsseJce.getMessageDigest("SHA");
+            MessageDigest mdMD5;
+            MessageDigest mdSHA;
+            try {
+                mdMD5 = MessageDigest.getInstance("MD5");
+                mdSHA = MessageDigest.getInstance("SHA");
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                    "Hash algorithm MD5 or SHA is not available", nsae);
+            }
 
             boolean hasArchived = false;
             if (mdMD5 instanceof Cloneable) {
@@ -514,8 +537,15 @@
         private final ByteArrayOutputStream baos;
 
         T12HandshakeHash(CipherSuite cipherSuite) {
-            MessageDigest md =
-                    JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                        "Hash algorithm " +
+                        cipherSuite.hashAlg.name + " is not available", nsae);
+            }
+
             if (md instanceof Cloneable) {
                 transcriptHash = new CloneableHash(md);
                 this.baos = new ByteArrayOutputStream();
@@ -552,8 +582,15 @@
         private final TranscriptHash transcriptHash;
 
         T13HandshakeHash(CipherSuite cipherSuite) {
-            MessageDigest md =
-                    JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance(cipherSuite.hashAlg.name);
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                        "Hash algorithm " +
+                        cipherSuite.hashAlg.name + " is not available", nsae);
+            }
+
             if (md instanceof Cloneable) {
                 transcriptHash = new CloneableHash(md);
             } else {
--- a/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 
 import java.io.IOException;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import static sun.security.ssl.ClientHello.ClientHelloMessage;
@@ -143,7 +144,13 @@
                 cookieVersion++;
             }
 
-            MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance("SHA-256");
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                    "MessageDigest algorithm SHA-256 is not available", nsae);
+            }
             byte[] helloBytes = clientHello.getHelloCookieBytes();
             md.update(helloBytes);
             byte[] cookie = md.digest(secret);      // 32 bytes
@@ -169,7 +176,13 @@
                 }
             }
 
-            MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance("SHA-256");
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                    "MessageDigest algorithm SHA-256 is not available", nsae);
+            }
             byte[] helloBytes = clientHello.getHelloCookieBytes();
             md.update(helloBytes);
             byte[] target = md.digest(secret);      // 32 bytes
@@ -234,8 +247,16 @@
                 cookieVersion++;        // allow wrapped version number
             }
 
-            MessageDigest md = JsseJce.getMessageDigest(
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance(
                     context.negotiatedCipherSuite.hashAlg.name);
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                        "MessageDigest algorithm " +
+                        context.negotiatedCipherSuite.hashAlg.name +
+                        " is not available", nsae);
+            }
             byte[] headerBytes = clientHello.getHeaderBytes();
             md.update(headerBytes);
             byte[] headerCookie = md.digest(secret);
@@ -300,7 +321,14 @@
                 }
             }
 
-            MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance(cs.hashAlg.name);
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new RuntimeException(
+                        "MessageDigest algorithm " +
+                        cs.hashAlg.name + " is not available", nsae);
+            }
             byte[] headerBytes = clientHello.getHeaderBytes();
             md.update(headerBytes);
             byte[] headerCookie = md.digest(secret);
--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,13 +29,7 @@
 import java.security.*;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.*;
-import java.util.*;
 import javax.crypto.*;
-import sun.security.jca.ProviderList;
-import sun.security.jca.Providers;
-import static sun.security.ssl.SunJSSE.cryptoProvider;
-import sun.security.util.ECUtil;
-import static sun.security.util.SecurityConstants.PROVIDER_VER;
 
 /**
  * This class contains a few static methods for interaction with the JCA/JCE
@@ -47,54 +41,6 @@
     static final boolean ALLOW_ECC =
             Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
 
-    private static final ProviderList fipsProviderList;
-
-    static {
-        // force FIPS flag initialization
-        // Because isFIPS() is synchronized and cryptoProvider is not modified
-        // after it completes, this also eliminates the need for any further
-        // synchronization when accessing cryptoProvider
-        if (SunJSSE.isFIPS() == false) {
-            fipsProviderList = null;
-        } else {
-            // Setup a ProviderList that can be used by the trust manager
-            // during certificate chain validation. All the crypto must be
-            // from the FIPS provider, but we also allow the required
-            // certificate related services from the SUN provider.
-            Provider sun = Security.getProvider("SUN");
-            if (sun == null) {
-                throw new RuntimeException
-                    ("FIPS mode: SUN provider must be installed");
-            }
-            Provider sunCerts = new SunCertificates(sun);
-            fipsProviderList = ProviderList.newList(cryptoProvider, sunCerts);
-        }
-    }
-
-    private static final class SunCertificates extends Provider {
-        private static final long serialVersionUID = -3284138292032213752L;
-
-        SunCertificates(final Provider p) {
-            super("SunCertificates", PROVIDER_VER, "SunJSSE internal");
-            AccessController.doPrivileged(new PrivilegedAction<Object>() {
-                @Override
-                public Object run() {
-                    // copy certificate related services from the Sun provider
-                    for (Map.Entry<Object,Object> entry : p.entrySet()) {
-                        String key = (String)entry.getKey();
-                        if (key.startsWith("CertPathValidator.")
-                                || key.startsWith("CertPathBuilder.")
-                                || key.startsWith("CertStore.")
-                                || key.startsWith("CertificateFactory.")) {
-                            put(key, entry.getValue());
-                        }
-                    }
-                    return null;
-                }
-            });
-        }
-    }
-
     /**
      * JCE transformation string for RSA with PKCS#1 v1.5 padding.
      * Can be used for encryption, decryption, signing, verifying.
@@ -180,153 +126,6 @@
         return EcAvailability.isAvailable;
     }
 
-    /**
-     * Return an JCE cipher implementation for the specified algorithm.
-     */
-    static Cipher getCipher(String transformation)
-            throws NoSuchAlgorithmException {
-        try {
-            if (cryptoProvider == null) {
-                return Cipher.getInstance(transformation);
-            } else {
-                return Cipher.getInstance(transformation, cryptoProvider);
-            }
-        } catch (NoSuchPaddingException e) {
-            throw new NoSuchAlgorithmException(e);
-        }
-    }
-
-    /**
-     * Return an JCA signature implementation for the specified algorithm.
-     * The algorithm string should be one of the constants defined
-     * in this class.
-     */
-    static Signature getSignature(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return Signature.getInstance(algorithm);
-        } else {
-            // reference equality
-            if (algorithm == SIGNATURE_SSLRSA) {
-                // The SunPKCS11 provider currently does not support this
-                // special algorithm. We allow a fallback in this case because
-                // the SunJSSE implementation does the actual crypto using
-                // a NONEwithRSA signature obtained from the cryptoProvider.
-                if (cryptoProvider.getService("Signature", algorithm) == null) {
-                    // Calling Signature.getInstance() and catching the
-                    // exception would be cleaner, but exceptions are a little
-                    // expensive. So we check directly via getService().
-                    try {
-                        return Signature.getInstance(algorithm, "SunJSSE");
-                    } catch (NoSuchProviderException e) {
-                        throw new NoSuchAlgorithmException(e);
-                    }
-                }
-            }
-            return Signature.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static KeyGenerator getKeyGenerator(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return KeyGenerator.getInstance(algorithm);
-        } else {
-            return KeyGenerator.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static KeyPairGenerator getKeyPairGenerator(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return KeyPairGenerator.getInstance(algorithm);
-        } else {
-            return KeyPairGenerator.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static KeyAgreement getKeyAgreement(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return KeyAgreement.getInstance(algorithm);
-        } else {
-            return KeyAgreement.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static Mac getMac(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return Mac.getInstance(algorithm);
-        } else {
-            return Mac.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static KeyFactory getKeyFactory(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return KeyFactory.getInstance(algorithm);
-        } else {
-            return KeyFactory.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static AlgorithmParameters getAlgorithmParameters(String algorithm)
-            throws NoSuchAlgorithmException {
-        if (cryptoProvider == null) {
-            return AlgorithmParameters.getInstance(algorithm);
-        } else {
-            return AlgorithmParameters.getInstance(algorithm, cryptoProvider);
-        }
-    }
-
-    static SecureRandom getSecureRandom() throws KeyManagementException {
-        if (cryptoProvider == null) {
-            return new SecureRandom();
-        }
-        // Try "PKCS11" first. If that is not supported, iterate through
-        // the provider and return the first working implementation.
-        try {
-            return SecureRandom.getInstance("PKCS11", cryptoProvider);
-        } catch (NoSuchAlgorithmException e) {
-            // ignore
-        }
-        for (Provider.Service s : cryptoProvider.getServices()) {
-            if (s.getType().equals("SecureRandom")) {
-                try {
-                    return SecureRandom.getInstance(
-                            s.getAlgorithm(), cryptoProvider);
-                } catch (NoSuchAlgorithmException ee) {
-                    // ignore
-                }
-            }
-        }
-        throw new KeyManagementException("FIPS mode: no SecureRandom "
-            + " implementation found in provider " + cryptoProvider.getName());
-    }
-
-    static MessageDigest getMD5() {
-        return getMessageDigest("MD5");
-    }
-
-    static MessageDigest getSHA() {
-        return getMessageDigest("SHA");
-    }
-
-    static MessageDigest getMessageDigest(String algorithm) {
-        try {
-            if (cryptoProvider == null) {
-                return MessageDigest.getInstance(algorithm);
-            } else {
-                return MessageDigest.getInstance(algorithm, cryptoProvider);
-            }
-        } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException
-                        ("Algorithm " + algorithm + " not available", e);
-        }
-    }
-
     static int getRSAKeyLength(PublicKey key) {
         BigInteger modulus;
         if (key instanceof RSAPublicKey) {
@@ -345,47 +144,13 @@
                                         rsaKey.getPublicExponent());
         }
         try {
-            KeyFactory factory = JsseJce.getKeyFactory("RSA");
+            KeyFactory factory = KeyFactory.getInstance("RSA");
             return factory.getKeySpec(key, RSAPublicKeySpec.class);
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
     }
 
-    static ECParameterSpec getECParameterSpec(String namedCurveOid) {
-        return ECUtil.getECParameterSpec(cryptoProvider, namedCurveOid);
-    }
-
-    static String getNamedCurveOid(ECParameterSpec params) {
-        return ECUtil.getCurveName(cryptoProvider, params);
-    }
-
-    static ECPoint decodePoint(byte[] encoded, EllipticCurve curve)
-            throws java.io.IOException {
-        return ECUtil.decodePoint(encoded, curve);
-    }
-
-    static byte[] encodePoint(ECPoint point, EllipticCurve curve) {
-        return ECUtil.encodePoint(point, curve);
-    }
-
-    // In FIPS mode, set thread local providers; otherwise a no-op.
-    // Must be paired with endFipsProvider.
-    static Object beginFipsProvider() {
-        if (fipsProviderList == null) {
-            return null;
-        } else {
-            return Providers.beginThreadProviderList(fipsProviderList);
-        }
-    }
-
-    static void endFipsProvider(Object o) {
-        if (fipsProviderList != null) {
-            Providers.endThreadProviderList((ProviderList)o);
-        }
-    }
-
-
     // lazy initialization holder class idiom for static default parameters
     //
     // See Effective Java Second Edition: Item 71.
@@ -396,12 +161,12 @@
         static {
             boolean mediator = true;
             try {
-                JsseJce.getSignature(SIGNATURE_ECDSA);
-                JsseJce.getSignature(SIGNATURE_RAWECDSA);
-                JsseJce.getKeyAgreement("ECDH");
-                JsseJce.getKeyFactory("EC");
-                JsseJce.getKeyPairGenerator("EC");
-                JsseJce.getAlgorithmParameters("EC");
+                Signature.getInstance(SIGNATURE_ECDSA);
+                Signature.getInstance(SIGNATURE_RAWECDSA);
+                KeyAgreement.getInstance("ECDH");
+                KeyFactory.getInstance("EC");
+                KeyPairGenerator.getInstance("EC");
+                AlgorithmParameters.getInstance("EC");
             } catch (Exception e) {
                 mediator = false;
             }
--- a/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -61,12 +61,6 @@
         protected void engineInit(KeyStore ks, char[] password) throws
                 KeyStoreException, NoSuchAlgorithmException,
                 UnrecoverableKeyException {
-            if ((ks != null) && SunJSSE.isFIPS()) {
-                if (ks.getProvider() != SunJSSE.cryptoProvider) {
-                    throw new KeyStoreException("FIPS mode: KeyStore must be "
-                        + "from provider " + SunJSSE.cryptoProvider.getName());
-                }
-            }
             keyManager = new SunX509KeyManagerImpl(ks, password);
             isInitialized = true;
         }
@@ -91,12 +85,6 @@
                 keyManager = new X509KeyManagerImpl(
                         Collections.<Builder>emptyList());
             } else {
-                if (SunJSSE.isFIPS() &&
-                        (ks.getProvider() != SunJSSE.cryptoProvider)) {
-                    throw new KeyStoreException(
-                        "FIPS mode: KeyStore must be " +
-                        "from provider " + SunJSSE.cryptoProvider.getName());
-                }
                 try {
                     Builder builder = Builder.newInstance(ks,
                         new PasswordProtection(password));
@@ -115,10 +103,7 @@
                 throw new InvalidAlgorithmParameterException(
                 "Parameters must be instance of KeyStoreBuilderParameters");
             }
-            if (SunJSSE.isFIPS()) {
-                throw new InvalidAlgorithmParameterException
-                    ("FIPS mode: KeyStoreBuilderParameters not supported");
-            }
+
             List<Builder> builders =
                 ((KeyStoreBuilderParameters)params).getParameters();
             keyManager = new X509KeyManagerImpl(builders);
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Tue Feb 12 13:36:15 2019 -0800
@@ -765,7 +765,7 @@
             String hmacAlg =
                 "Hmac" + hashAlg.name.replace("-", "");
             try {
-                Mac hmac = JsseJce.getMac(hmacAlg);
+                Mac hmac = Mac.getInstance(hmacAlg);
                 hmac.init(finishedKey);
                 return hmac.doFinal(digest);
             } catch (NoSuchAlgorithmException | InvalidKeyException ex) {
--- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -109,7 +109,7 @@
 
         byte[] getEncoded(PublicKey publicKey,
                 SecureRandom secureRandom) throws GeneralSecurityException {
-            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+            Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
             cipher.init(Cipher.WRAP_MODE, publicKey, secureRandom);
             return cipher.wrap(premasterSecret);
         }
@@ -119,7 +119,7 @@
                 ClientHandshakeContext chc) throws GeneralSecurityException {
             String algorithm = chc.negotiatedProtocol.useTLS12PlusSpec() ?
                     "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
-            KeyGenerator kg = JsseJce.getKeyGenerator(algorithm);
+            KeyGenerator kg = KeyGenerator.getInstance(algorithm);
             TlsRsaPremasterSecretParameterSpec spec =
                     new TlsRsaPremasterSecretParameterSpec(
                             chc.clientHelloVersion,
@@ -136,7 +136,7 @@
 
             byte[] encoded = null;
             boolean needFailover = false;
-            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+            Cipher cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
             try {
                 // Try UNWRAP_MODE mode firstly.
                 cipher.init(Cipher.UNWRAP_MODE, privateKey,
@@ -163,7 +163,7 @@
             if (needFailover) {
                 // The cipher might be spoiled by unsuccessful call to init(),
                 // so request a fresh instance
-                cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+                cipher = Cipher.getInstance(JsseJce.CIPHER_RSA_PKCS1);
 
                 // Use DECRYPT_MODE and dispose the previous initialization.
                 cipher.init(Cipher.DECRYPT_MODE, privateKey);
@@ -227,7 +227,7 @@
             try {
                 String s = ((clientVersion >= ProtocolVersion.TLS12.id) ?
                     "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
-                KeyGenerator kg = JsseJce.getKeyGenerator(s);
+                KeyGenerator kg = KeyGenerator.getInstance(s);
                 kg.init(new TlsRsaPremasterSecretParameterSpec(
                         clientVersion, serverVersion, encodedSecret),
                         generator);
--- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -306,7 +306,7 @@
             // check constraints of RSA PublicKey
             RSAPublicKey publicKey;
             try {
-                KeyFactory kf = JsseJce.getKeyFactory("RSA");
+                KeyFactory kf = KeyFactory.getInstance("RSA");
                 RSAPublicKeySpec spec = new RSAPublicKeySpec(
                     new BigInteger(1, skem.modulus),
                     new BigInteger(1, skem.exponent));
--- a/src/java.base/share/classes/sun/security/ssl/RSASignature.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/RSASignature.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,9 +53,9 @@
 
     public RSASignature() throws NoSuchAlgorithmException {
         super();
-        rawRsa = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
-        this.mdMD5 = JsseJce.getMessageDigest("MD5");
-        this.mdSHA = JsseJce.getMessageDigest("SHA");
+        rawRsa = Signature.getInstance(JsseJce.SIGNATURE_RAWRSA);
+        this.mdMD5 = MessageDigest.getInstance("MD5");
+        this.mdSHA = MessageDigest.getInstance("SHA");
     }
 
     /**
@@ -66,7 +66,7 @@
      * which may be this class.
      */
     static Signature getInstance() throws NoSuchAlgorithmException {
-        return JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
+        return Signature.getInstance(JsseJce.SIGNATURE_SSLRSA);
     }
 
     @Override
--- a/src/java.base/share/classes/sun/security/ssl/SSLCipher.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLCipher.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -851,7 +851,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 cipher.init(Cipher.DECRYPT_MODE, key, params, random);
             }
 
@@ -933,7 +933,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
             }
 
@@ -1023,7 +1023,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 cipher.init(Cipher.DECRYPT_MODE, key, params, random);
             }
 
@@ -1175,7 +1175,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
             }
 
@@ -1291,7 +1291,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 if (params == null) {
                     params = new IvParameterSpec(new byte[sslCipher.ivSize]);
                 }
@@ -1455,7 +1455,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.random = random;
                 if (params == null) {
                     params = new IvParameterSpec(new byte[sslCipher.ivSize]);
@@ -1590,7 +1590,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.fixedIv = ((IvParameterSpec)params).getIV();
@@ -1705,7 +1705,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.fixedIv = ((IvParameterSpec)params).getIV();
@@ -1838,7 +1838,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
@@ -1992,7 +1992,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
@@ -2133,7 +2133,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
@@ -2252,7 +2252,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
@@ -2392,7 +2392,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
@@ -2534,7 +2534,7 @@
                     Key key, AlgorithmParameterSpec params,
                     SecureRandom random) throws GeneralSecurityException {
                 super(authenticator, protocolVersion);
-                this.cipher = JsseJce.getCipher(algorithm);
+                this.cipher = Cipher.getInstance(algorithm);
                 this.tagSize = sslCipher.tagSize;
                 this.key = key;
                 this.iv = ((IvParameterSpec)params).getIV();
--- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,6 +36,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.function.BiFunction;
+import javax.crypto.KeyGenerator;
 import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
@@ -104,7 +105,7 @@
                     "jdk.tls.useExtendedMasterSecret", true);
         if (supportExtendedMasterSecret) {
             try {
-                JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
+                KeyGenerator.getInstance("SunTlsExtendedMasterSecret");
             } catch (NoSuchAlgorithmException nae) {
                 supportExtendedMasterSecret = false;
             }
--- a/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -94,14 +94,8 @@
         trustManager = chooseTrustManager(tm);
 
         if (sr == null) {
-            secureRandom = JsseJce.getSecureRandom();
+            secureRandom = new SecureRandom();
         } else {
-            if (SunJSSE.isFIPS() &&
-                        (sr.getProvider() != SunJSSE.cryptoProvider)) {
-                throw new KeyManagementException
-                    ("FIPS mode: SecureRandom must be from provider "
-                    + SunJSSE.cryptoProvider.getName());
-            }
             secureRandom = sr;
         }
 
@@ -127,12 +121,6 @@
         // We only use the first instance of X509TrustManager passed to us.
         for (int i = 0; tm != null && i < tm.length; i++) {
             if (tm[i] instanceof X509TrustManager) {
-                if (SunJSSE.isFIPS() &&
-                        !(tm[i] instanceof X509TrustManagerImpl)) {
-                    throw new KeyManagementException
-                        ("FIPS mode: only SunJSSE TrustManagers may be used");
-                }
-
                 if (tm[i] instanceof X509ExtendedTrustManager) {
                     return (X509TrustManager)tm[i];
                 } else {
@@ -153,20 +141,7 @@
             if (!(km instanceof X509KeyManager)) {
                 continue;
             }
-            if (SunJSSE.isFIPS()) {
-                // In FIPS mode, require that one of SunJSSE's own keymanagers
-                // is used. Otherwise, we cannot be sure that only keys from
-                // the FIPS token are used.
-                if ((km instanceof X509KeyManagerImpl)
-                            || (km instanceof SunX509KeyManagerImpl)) {
-                    return (X509ExtendedKeyManager)km;
-                } else {
-                    // throw exception, we don't want to silently use the
-                    // dummy keymanager without telling the user.
-                    throw new KeyManagementException
-                        ("FIPS mode: only SunJSSE KeyManagers may be used");
-                }
-            }
+
             if (km instanceof X509ExtendedKeyManager) {
                 return (X509ExtendedKeyManager)km;
             }
@@ -548,41 +523,24 @@
         private static final List<CipherSuite> serverDefaultCipherSuites;
 
         static {
-            if (SunJSSE.isFIPS()) {
-                supportedProtocols = Arrays.asList(
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                );
+            supportedProtocols = Arrays.asList(
+                ProtocolVersion.TLS13,
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30,
+                ProtocolVersion.SSL20Hello
+            );
 
-                serverDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                supportedProtocols = Arrays.asList(
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30,
-                    ProtocolVersion.SSL20Hello
-                );
-
-                serverDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30,
-                    ProtocolVersion.SSL20Hello
-                });
-            }
+            serverDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS13,
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30,
+                ProtocolVersion.SSL20Hello
+            });
 
             supportedCipherSuites = getApplicableSupportedCipherSuites(
                     supportedProtocols);
@@ -626,23 +584,14 @@
         }
 
         static ProtocolVersion[] getSupportedProtocols() {
-            if (SunJSSE.isFIPS()) {
-                return new ProtocolVersion[] {
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                };
-            } else {
-                return new ProtocolVersion[]{
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10,
-                        ProtocolVersion.SSL30,
-                        ProtocolVersion.SSL20Hello
-                };
-            }
+            return new ProtocolVersion[]{
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.SSL20Hello
+            };
         }
     }
 
@@ -656,18 +605,11 @@
         private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
-            if (SunJSSE.isFIPS()) {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30
-                });
-            }
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30
+            });
 
             clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
                     clientDefaultProtocols, true);
@@ -694,20 +636,12 @@
         private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
-            if (SunJSSE.isFIPS()) {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30
-                });
-            }
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30
+            });
 
             clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
                     clientDefaultProtocols, true);
@@ -735,22 +669,13 @@
         private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
-            if (SunJSSE.isFIPS()) {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30
-                });
-            }
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30
+            });
 
             clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
                     clientDefaultProtocols, true);
@@ -777,24 +702,14 @@
         private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
-            if (SunJSSE.isFIPS()) {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10
-                });
-            } else {
-                clientDefaultProtocols = getAvailableProtocols(
-                        new ProtocolVersion[] {
-                    ProtocolVersion.TLS13,
-                    ProtocolVersion.TLS12,
-                    ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.SSL30
-                });
-            }
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.TLS13,
+                ProtocolVersion.TLS12,
+                ProtocolVersion.TLS11,
+                ProtocolVersion.TLS10,
+                ProtocolVersion.SSL30
+            });
 
             clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
                     clientDefaultProtocols, true);
@@ -866,16 +781,6 @@
                             " is not a supported SSL protocol name");
                     }
 
-                    if (SunJSSE.isFIPS() &&
-                            ((pv == ProtocolVersion.SSL30) ||
-                             (pv == ProtocolVersion.SSL20Hello))) {
-                        reservedException = new IllegalArgumentException(
-                                propname + ": " + pv +
-                                " is not FIPS compliant");
-
-                        break;
-                    }
-
                     // ignore duplicated protocols
                     if (!arrayList.contains(pv)) {
                         arrayList.add(pv);
@@ -955,22 +860,13 @@
         }
 
         static ProtocolVersion[] getProtocols() {
-            if (SunJSSE.isFIPS()) {
-                return new ProtocolVersion[]{
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10
-                };
-            } else {
-                return new ProtocolVersion[]{
-                        ProtocolVersion.TLS13,
-                        ProtocolVersion.TLS12,
-                        ProtocolVersion.TLS11,
-                        ProtocolVersion.TLS10,
-                        ProtocolVersion.SSL30
-                };
-            }
+            return new ProtocolVersion[]{
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30
+            };
         }
 
         protected CustomizedTLSContext() {
--- a/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -145,7 +145,7 @@
             }
 
             try {
-                KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
+                KeyGenerator kg = KeyGenerator.getInstance(masterAlg);
                 kg.init(spec);
                 return kg.generateKey();
             } catch (InvalidAlgorithmParameterException |
--- a/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -280,7 +280,7 @@
                     hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
 
             try {
-                KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
+                KeyGenerator kg = KeyGenerator.getInstance(keyMaterialAlg);
                 kg.init(spec);
 
                 this.keyMaterialSpec = (TlsKeyMaterialSpec)kg.generateKey();
--- a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -194,7 +194,7 @@
 
             boolean mediator = true;
             try {
-                Signature signer = JsseJce.getSignature("RSASSA-PSS");
+                Signature signer = Signature.getInstance("RSASSA-PSS");
                 signer.setParameter(pssParamSpec);
             } catch (InvalidAlgorithmParameterException |
                     NoSuchAlgorithmException exp) {
@@ -275,7 +275,7 @@
             mediator = signAlgParamSpec.isAvailable;
         } else {
             try {
-                JsseJce.getSignature(algorithm);
+                Signature.getInstance(algorithm);
             } catch (Exception e) {
                 mediator = false;
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -466,7 +466,7 @@
             return null;
         }
 
-        Signature signer = JsseJce.getSignature(algorithm);
+        Signature signer = Signature.getInstance(algorithm);
         if (key instanceof PublicKey) {
             signer.initVerify((PublicKey)(key));
         } else {
--- a/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -66,97 +66,16 @@
         "(PKCS12, SunX509/PKIX key/trust factories, " +
         "SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
 
-    private static String fipsInfo =
-        "Sun JSSE provider (FIPS mode, crypto provider ";
-
-    // tri-valued flag:
-    // null  := no final decision made
-    // false := data structures initialized in non-FIPS mode
-    // true  := data structures initialized in FIPS mode
-    private static Boolean fips;
-
-    // the FIPS certificate crypto provider that we use to perform all crypto
-    // operations. null in non-FIPS mode
-    static java.security.Provider cryptoProvider;
-
-    protected static synchronized boolean isFIPS() {
-        if (fips == null) {
-            fips = false;
-        }
-        return fips;
-    }
-
-    // ensure we can use FIPS mode using the specified crypto provider.
-    // enable FIPS mode if not already enabled.
-    private static synchronized void ensureFIPS(java.security.Provider p) {
-        if (fips == null) {
-            fips = true;
-            cryptoProvider = p;
-        } else {
-            if (fips == false) {
-                throw new ProviderException
-                    ("SunJSSE already initialized in non-FIPS mode");
-            }
-            if (cryptoProvider != p) {
-                throw new ProviderException
-                    ("SunJSSE already initialized with FIPS crypto provider "
-                    + cryptoProvider);
-            }
-        }
-    }
-
-    // standard constructor
     protected SunJSSE() {
         super("SunJSSE", PROVIDER_VER, info);
         subclassCheck();
-        if (Boolean.TRUE.equals(fips)) {
-            throw new ProviderException
-                ("SunJSSE is already initialized in FIPS mode");
-        }
-        registerAlgorithms(false);
+        registerAlgorithms();
     }
 
-    // preferred constructor to enable FIPS mode at runtime
-    protected SunJSSE(java.security.Provider cryptoProvider){
-        this(checkNull(cryptoProvider), cryptoProvider.getName());
-    }
-
-    // constructor to enable FIPS mode from java.security file
-    protected SunJSSE(String cryptoProvider){
-        this(null, checkNull(cryptoProvider));
-    }
-
-    private static <T> T checkNull(T t) {
-        if (t == null) {
-            throw new ProviderException("cryptoProvider must not be null");
-        }
-        return t;
-    }
-
-    private SunJSSE(java.security.Provider cryptoProvider,
-            String providerName) {
-        super("SunJSSE", PROVIDER_VER, fipsInfo + providerName + ")");
-        subclassCheck();
-        if (cryptoProvider == null) {
-            // Calling Security.getProvider() will cause other providers to be
-            // loaded. That is not good but unavoidable here.
-            cryptoProvider = Security.getProvider(providerName);
-            if (cryptoProvider == null) {
-                throw new ProviderException
-                    ("Crypto provider not installed: " + providerName);
-            }
-        }
-        ensureFIPS(cryptoProvider);
-        registerAlgorithms(true);
-    }
-
-    private void registerAlgorithms(final boolean isfips) {
-        AccessController.doPrivileged(new PrivilegedAction<Object>() {
-            @Override
-            public Object run() {
-                doRegister(isfips);
-                return null;
-            }
+    private void registerAlgorithms() {
+        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+            doRegister();
+            return null;
         });
     }
 
@@ -165,14 +84,13 @@
         putService(new Provider.Service(this, type, algo, cn, aliases, attrs));
     }
 
-    private void doRegister(boolean isfips) {
-        if (isfips == false) {
-            Iterator<Provider.Service> rsaIter =
-                new SunRsaSignEntries(this).iterator();
-            while (rsaIter.hasNext()) {
-                putService(rsaIter.next());
-            }
+    private void doRegister() {
+        Iterator<Provider.Service> rsaIter =
+            new SunRsaSignEntries(this).iterator();
+        while (rsaIter.hasNext()) {
+            putService(rsaIter.next());
         }
+
         ps("Signature", "MD5andSHA1withRSA",
             "sun.security.ssl.RSASignature", null, null);
 
@@ -183,14 +101,15 @@
             createAliases("PKIX"), null);
 
         ps("TrustManagerFactory", "SunX509",
-            "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory", null, null);
+            "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory",
+            null, null);
         ps("TrustManagerFactory", "PKIX",
             "sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory",
             createAliases("SunPKIX", "X509", "X.509"), null);
 
         ps("SSLContext", "TLSv1",
             "sun.security.ssl.SSLContextImpl$TLS10Context",
-            (isfips? null : createAliases("SSLv3")), null);
+            createAliases("SSLv3"), null);
         ps("SSLContext", "TLSv1.1",
             "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
         ps("SSLContext", "TLSv1.2",
@@ -199,7 +118,7 @@
             "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
         ps("SSLContext", "TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext",
-            (isfips? null : createAliases("SSL")), null);
+            createAliases("SSL"), null);
 
         ps("SSLContext", "DTLSv1.0",
             "sun.security.ssl.SSLContextImpl$DTLS10Context", null, null);
@@ -225,12 +144,4 @@
             throw new AssertionError("Illegal subclass: " + getClass());
         }
     }
-
-    @Override
-    @SuppressWarnings("deprecation")
-    protected final void finalize() throws Throwable {
-        // empty
-        super.finalize();
-    }
-
 }
--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,6 +52,7 @@
 import sun.security.ssl.SSLExtension.ExtensionConsumer;
 import sun.security.ssl.SSLExtension.SSLExtensionSpec;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.ECUtil;
 
 /**
  * Pack of the "supported_groups" extensions [RFC 4492/7919].
@@ -158,15 +159,23 @@
     }
 
     static enum NamedGroupType {
-        NAMED_GROUP_ECDHE,          // Elliptic Curve Groups (ECDHE)
-        NAMED_GROUP_FFDHE,          // Finite Field Groups (DHE)
-        NAMED_GROUP_XDH,            // Finite Field Groups (XDH)
-        NAMED_GROUP_ARBITRARY,      // arbitrary prime and curves (ECDHE)
-        NAMED_GROUP_NONE;           // Not predefined named group
+        NAMED_GROUP_ECDHE     ("EC"),
+        NAMED_GROUP_FFDHE     ("DiffieHellman"),
+        NAMED_GROUP_X25519    ("x25519"),
+        NAMED_GROUP_X448      ("x448"),
+        NAMED_GROUP_ARBITRARY ("EC"),
+        NAMED_GROUP_NONE      ("");
+
+        private final String algorithm;
+
+        private NamedGroupType(String algorithm) {
+            this.algorithm = algorithm;
+        }
 
         boolean isSupported(List<CipherSuite> cipherSuites) {
             for (CipherSuite cs : cipherSuites) {
-                if (cs.keyExchange == null || cs.keyExchange.groupType == this) {
+                if (cs.keyExchange == null ||
+                        cs.keyExchange.groupType == this) {
                     return true;
                 }
             }
@@ -180,108 +189,142 @@
         //
         // See sun.security.util.CurveDB for the OIDs
         // NIST K-163
-        SECT163_K1  (0x0001, "sect163k1", "1.3.132.0.1", true,
+        SECT163_K1  (0x0001, "sect163k1", "1.3.132.0.1",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECT163_R1  (0x0002, "sect163r1", "1.3.132.0.2", false,
+        SECT163_R1  (0x0002, "sect163r1", "1.3.132.0.2",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST B-163
-        SECT163_R2  (0x0003, "sect163r2", "1.3.132.0.15", true,
+        SECT163_R2  (0x0003, "sect163r2", "1.3.132.0.15",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECT193_R1  (0x0004, "sect193r1", "1.3.132.0.24", false,
+        SECT193_R1  (0x0004, "sect193r1", "1.3.132.0.24",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECT193_R2  (0x0005, "sect193r2", "1.3.132.0.25", false,
+        SECT193_R2  (0x0005, "sect193r2", "1.3.132.0.25",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST K-233
-        SECT233_K1  (0x0006, "sect233k1", "1.3.132.0.26", true,
+        SECT233_K1  (0x0006, "sect233k1", "1.3.132.0.26",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST B-233
-        SECT233_R1  (0x0007, "sect233r1", "1.3.132.0.27", true,
+        SECT233_R1  (0x0007, "sect233r1", "1.3.132.0.27",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECT239_K1  (0x0008, "sect239k1", "1.3.132.0.3", false,
+        SECT239_K1  (0x0008, "sect239k1", "1.3.132.0.3",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST K-283
-        SECT283_K1  (0x0009, "sect283k1", "1.3.132.0.16", true,
+        SECT283_K1  (0x0009, "sect283k1", "1.3.132.0.16",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST B-283
-        SECT283_R1  (0x000A, "sect283r1", "1.3.132.0.17", true,
+        SECT283_R1  (0x000A, "sect283r1", "1.3.132.0.17",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST K-409
-        SECT409_K1  (0x000B, "sect409k1", "1.3.132.0.36", true,
+        SECT409_K1  (0x000B, "sect409k1", "1.3.132.0.36",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST B-409
-        SECT409_R1  (0x000C, "sect409r1", "1.3.132.0.37", true,
+        SECT409_R1  (0x000C, "sect409r1", "1.3.132.0.37",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST K-571
-        SECT571_K1  (0x000D, "sect571k1", "1.3.132.0.38", true,
+        SECT571_K1  (0x000D, "sect571k1", "1.3.132.0.38",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST B-571
-        SECT571_R1  (0x000E, "sect571r1", "1.3.132.0.39", true,
+        SECT571_R1  (0x000E, "sect571r1", "1.3.132.0.39",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP160_K1  (0x000F, "secp160k1", "1.3.132.0.9", false,
+        SECP160_K1  (0x000F, "secp160k1", "1.3.132.0.9",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP160_R1  (0x0010, "secp160r1", "1.3.132.0.8", false,
+        SECP160_R1  (0x0010, "secp160r1", "1.3.132.0.8",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP160_R2  (0x0011, "secp160r2", "1.3.132.0.30", false,
+        SECP160_R2  (0x0011, "secp160r2", "1.3.132.0.30",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP192_K1  (0x0012, "secp192k1", "1.3.132.0.31", false,
+        SECP192_K1  (0x0012, "secp192k1", "1.3.132.0.31",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST P-192
-        SECP192_R1  (0x0013, "secp192r1", "1.2.840.10045.3.1.1", true,
+        SECP192_R1  (0x0013, "secp192r1", "1.2.840.10045.3.1.1",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP224_K1  (0x0014, "secp224k1", "1.3.132.0.32", false,
+        SECP224_K1  (0x0014, "secp224k1", "1.3.132.0.32",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
         // NIST P-224
-        SECP224_R1  (0x0015, "secp224r1", "1.3.132.0.33", true,
+        SECP224_R1  (0x0015, "secp224r1", "1.3.132.0.33",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        SECP256_K1  (0x0016, "secp256k1", "1.3.132.0.10", false,
+        SECP256_K1  (0x0016, "secp256k1", "1.3.132.0.10",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_12),
 
         // NIST P-256
-        SECP256_R1  (0x0017, "secp256r1", "1.2.840.10045.3.1.7", true,
+        SECP256_R1  (0x0017, "secp256r1", "1.2.840.10045.3.1.7",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
 
         // NIST P-384
-        SECP384_R1  (0x0018, "secp384r1", "1.3.132.0.34", true,
+        SECP384_R1  (0x0018, "secp384r1", "1.3.132.0.34",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
 
         // NIST P-521
-        SECP521_R1  (0x0019, "secp521r1", "1.3.132.0.35", true,
+        SECP521_R1  (0x0019, "secp521r1", "1.3.132.0.35",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
 
         // x25519 and x448
-        X25519      (0x001D, "x25519", true, "x25519",
+        X25519      (0x001D, "x25519", null,
+                            NamedGroupType.NAMED_GROUP_X25519,
                             ProtocolVersion.PROTOCOLS_TO_13),
-        X448        (0x001E, "x448", true, "x448",
+        X448        (0x001E, "x448", null,
+                            NamedGroupType.NAMED_GROUP_X448,
                             ProtocolVersion.PROTOCOLS_TO_13),
 
         // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
-        FFDHE_2048  (0x0100, "ffdhe2048",  true,
+        FFDHE_2048  (0x0100, "ffdhe2048", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
-        FFDHE_3072  (0x0101, "ffdhe3072",  true,
+        FFDHE_3072  (0x0101, "ffdhe3072", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
-        FFDHE_4096  (0x0102, "ffdhe4096",  true,
+        FFDHE_4096  (0x0102, "ffdhe4096", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
-        FFDHE_6144  (0x0103, "ffdhe6144",  true,
+        FFDHE_6144  (0x0103, "ffdhe6144", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
-        FFDHE_8192  (0x0104, "ffdhe8192",  true,
+        FFDHE_8192  (0x0104, "ffdhe8192", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
                             ProtocolVersion.PROTOCOLS_TO_13),
 
         // Elliptic Curves (RFC 4492)
         //
         // arbitrary prime and characteristic-2 curves
-        ARBITRARY_PRIME  (0xFF01, "arbitrary_explicit_prime_curves",
+        ARBITRARY_PRIME  (0xFF01, "arbitrary_explicit_prime_curves", null,
+                            NamedGroupType.NAMED_GROUP_ARBITRARY,
                             ProtocolVersion.PROTOCOLS_TO_12),
-        ARBITRARY_CHAR2  (0xFF02, "arbitrary_explicit_char2_curves",
+        ARBITRARY_CHAR2  (0xFF02, "arbitrary_explicit_char2_curves", null,
+                            NamedGroupType.NAMED_GROUP_ARBITRARY,
                             ProtocolVersion.PROTOCOLS_TO_12);
 
         final int id;               // hash + signature
@@ -289,55 +332,16 @@
         final String name;          // literal name
         final String oid;           // object identifier of the named group
         final String algorithm;     // signature algorithm
-        final boolean isFips;       // can be used in FIPS mode?
         final ProtocolVersion[] supportedProtocols;
 
-        // Constructor used for Elliptic Curve Groups (ECDHE)
-        private NamedGroup(int id, String name, String oid, boolean isFips,
+        private NamedGroup(int id, String name, String oid,
+                NamedGroupType namedGroupType,
                 ProtocolVersion[] supportedProtocols) {
             this.id = id;
-            this.type = NamedGroupType.NAMED_GROUP_ECDHE;
+            this.type = namedGroupType;
             this.name = name;
             this.oid = oid;
-            this.algorithm = "EC";
-            this.isFips = isFips;
-            this.supportedProtocols = supportedProtocols;
-        }
-
-        // Constructor used for Elliptic Curve Groups (XDH)
-        private NamedGroup(int id, String name,
-                boolean isFips, String algorithm,
-                ProtocolVersion[] supportedProtocols) {
-            this.id = id;
-            this.type = NamedGroupType.NAMED_GROUP_XDH;
-            this.name = name;
-            this.oid = null;
-            this.algorithm = algorithm;
-            this.isFips = isFips;
-            this.supportedProtocols = supportedProtocols;
-        }
-
-        // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE)
-        private NamedGroup(int id, String name, boolean isFips,
-                ProtocolVersion[] supportedProtocols) {
-            this.id = id;
-            this.type = NamedGroupType.NAMED_GROUP_FFDHE;
-            this.name = name;
-            this.oid = null;
-            this.algorithm = "DiffieHellman";
-            this.isFips = isFips;
-            this.supportedProtocols = supportedProtocols;
-        }
-
-        // Constructor used for arbitrary prime and curves (ECDHE)
-        private NamedGroup(int id, String name,
-                ProtocolVersion[] supportedProtocols) {
-            this.id = id;
-            this.type = NamedGroupType.NAMED_GROUP_ARBITRARY;
-            this.name = name;
-            this.oid = null;
-            this.algorithm = "EC";
-            this.isFips = false;
+            this.algorithm = namedGroupType.algorithm;
             this.supportedProtocols = supportedProtocols;
         }
 
@@ -352,7 +356,7 @@
         }
 
         static NamedGroup valueOf(ECParameterSpec params) {
-            String oid = JsseJce.getNamedCurveOid(params);
+            String oid = ECUtil.getCurveName(null, params);
             if ((oid != null) && (!oid.isEmpty())) {
                 for (NamedGroup group : NamedGroup.values()) {
                     if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
@@ -472,8 +476,6 @@
         static final NamedGroup[] supportedNamedGroups;
 
         static {
-            boolean requireFips = SunJSSE.isFIPS();
-
             // The value of the System Property defines a list of enabled named
             // groups in preference order, separated with comma.  For example:
             //
@@ -499,8 +501,7 @@
                     group = group.trim();
                     if (!group.isEmpty()) {
                         NamedGroup namedGroup = NamedGroup.nameOf(group);
-                        if (namedGroup != null &&
-                                (!requireFips || namedGroup.isFips)) {
+                        if (namedGroup != null) {
                             if (isAvailableGroup(namedGroup)) {
                                 groupList.add(namedGroup);
                             }
@@ -514,29 +515,7 @@
                             property + ") contains no supported named groups");
                 }
             } else {        // default groups
-                NamedGroup[] groups;
-                if (requireFips) {
-                    groups = new NamedGroup[] {
-                        // only NIST curves in FIPS mode
-                        NamedGroup.SECP256_R1,
-                        NamedGroup.SECP384_R1,
-                        NamedGroup.SECP521_R1,
-                        NamedGroup.SECT283_K1,
-                        NamedGroup.SECT283_R1,
-                        NamedGroup.SECT409_K1,
-                        NamedGroup.SECT409_R1,
-                        NamedGroup.SECT571_K1,
-                        NamedGroup.SECT571_R1,
-
-                        // FFDHE 2048
-                        NamedGroup.FFDHE_2048,
-                        NamedGroup.FFDHE_3072,
-                        NamedGroup.FFDHE_4096,
-                        NamedGroup.FFDHE_6144,
-                        NamedGroup.FFDHE_8192,
-                    };
-                } else {
-                    groups = new NamedGroup[] {
+                NamedGroup[] groups = new NamedGroup[] {
                         // NIST curves first
                         NamedGroup.SECP256_R1,
                         NamedGroup.SECP384_R1,
@@ -558,7 +537,6 @@
                         NamedGroup.FFDHE_6144,
                         NamedGroup.FFDHE_8192,
                     };
-                }
 
                 groupList = new ArrayList<>(groups.length);
                 for (NamedGroup group : groups) {
@@ -587,7 +565,7 @@
             if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
                 if (namedGroup.oid != null) {
                     try {
-                        params = JsseJce.getAlgorithmParameters("EC");
+                        params = AlgorithmParameters.getInstance("EC");
                         spec = new ECGenParameterSpec(namedGroup.oid);
                     } catch (NoSuchAlgorithmException e) {
                         return false;
@@ -595,7 +573,7 @@
                 }
             } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
                 try {
-                    params = JsseJce.getAlgorithmParameters("DiffieHellman");
+                    params = AlgorithmParameters.getInstance("DiffieHellman");
                     spec = getFFDHEDHParameterSpec(namedGroup);
                 } catch (NoSuchAlgorithmException e) {
                     return false;
--- a/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java	Tue Feb 12 15:19:25 2019 -0500
+++ b/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java	Tue Feb 12 13:36:15 2019 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -218,7 +218,7 @@
                 responseList =
                         ((ExtendedSSLSession)session).getStatusResponses();
             }
-            trustedChain = validate(v, chain, responseList,
+            trustedChain = v.validate(chain, null, responseList,
                     constraints, isClient ? null : authType);
 
             // check if EE certificate chains to a public root CA (as
@@ -234,7 +234,7 @@
                         getRequestedServerNames(socket), chainsToPublicCA);
             }
         } else {
-            trustedChain = validate(v, chain, Collections.emptyList(),
+            trustedChain = v.validate(chain, null, Collections.emptyList(),
                     null, isClient ? null : authType);
         }
 
@@ -276,7 +276,7 @@
                 responseList =
                         ((ExtendedSSLSession)session).getStatusResponses();
             }
-            trustedChain = validate(v, chain, responseList,
+            trustedChain = v.validate(chain, null, responseList,
                     constraints, isClient ? null : authType);
 
             // check if EE certificate chains to a public root CA (as
@@ -292,7 +292,7 @@
                         getRequestedServerNames(engine), chainsToPublicCA);
             }
         } else {
-            trustedChain = validate(v, chain, Collections.emptyList(),
+            trustedChain = v.validate(chain, null, Collections.emptyList(),
                     null, isClient ? null : authType);
         }
 
@@ -312,18 +312,6 @@
         return v;
     }
 
-    private static X509Certificate[] validate(Validator v,
-            X509Certificate[] chain, List<byte[]> responseList,
-            AlgorithmConstraints constraints, String authType)
-            throws CertificateException {
-        Object o = JsseJce.beginFipsProvider();
-        try {
-            return v.validate(chain, null, responseList, constraints, authType);
-        } finally {
-            JsseJce.endFipsProvider(o);
-        }
-    }
-
     // Get string representation of HostName from a list of server names.
     //
     // We are only accepting host_name name type in the list.
--- a/test/jdk/sun/security/pkcs11/fips/CipherTest.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,608 +0,0 @@
-/*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-/**
- * Test that all ciphersuites work in all versions and all client
- * authentication types. The way this is setup the server is stateless and
- * all checking is done on the client side.
- *
- * The test is multithreaded to speed it up, especially on multiprocessor
- * machines. To simplify debugging, run with -DnumThreads=1.
- *
- * @author Andreas Sterbenz
- */
-public class CipherTest {
-
-    // use any available port for the server socket
-    static int serverPort = 0;
-
-    final int THREADS;
-
-    // assume that if we do not read anything for 20 seconds, something
-    // has gone wrong
-    final static int TIMEOUT = 20 * 1000;
-
-    static KeyStore /* trustStore, */ keyStore;
-    static X509ExtendedKeyManager keyManager;
-    static X509TrustManager trustManager;
-    static SecureRandom secureRandom;
-
-    private static PeerFactory peerFactory;
-
-    static abstract class Server implements Runnable {
-
-        final CipherTest cipherTest;
-
-        Server(CipherTest cipherTest) throws Exception {
-            this.cipherTest = cipherTest;
-        }
-
-        public abstract void run();
-
-        void handleRequest(InputStream in, OutputStream out) throws IOException {
-            boolean newline = false;
-            StringBuilder sb = new StringBuilder();
-            while (true) {
-                int ch = in.read();
-                if (ch < 0) {
-                    throw new EOFException();
-                }
-                sb.append((char)ch);
-                if (ch == '\r') {
-                    // empty
-                } else if (ch == '\n') {
-                    if (newline) {
-                        // 2nd newline in a row, end of request
-                        break;
-                    }
-                    newline = true;
-                } else {
-                    newline = false;
-                }
-            }
-            String request = sb.toString();
-            if (request.startsWith("GET / HTTP/1.") == false) {
-                throw new IOException("Invalid request: " + request);
-            }
-            out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes());
-        }
-
-    }
-
-    public static class TestParameters {
-
-        String cipherSuite;
-        String protocol;
-        String clientAuth;
-
-        TestParameters(String cipherSuite, String protocol,
-                String clientAuth) {
-            this.cipherSuite = cipherSuite;
-            this.protocol = protocol;
-            this.clientAuth = clientAuth;
-        }
-
-        boolean isEnabled() {
-            return TLSCipherStatus.isEnabled(cipherSuite, protocol);
-        }
-
-        public String toString() {
-            String s = cipherSuite + " in " + protocol + " mode";
-            if (clientAuth != null) {
-                s += " with " + clientAuth + " client authentication";
-            }
-            return s;
-        }
-
-        static enum TLSCipherStatus {
-            // cipher suites supported since TLS 1.2
-            CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
-            CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   0x0303, 0xFFFF),
-            CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",  0x0303, 0xFFFF),
-            CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",    0x0303, 0xFFFF),
-            CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
-            CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   0x0303, 0xFFFF),
-            CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",  0x0303, 0xFFFF),
-            CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",    0x0303, 0xFFFF),
-            CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_17("TLS_RSA_WITH_NULL_SHA256",                0x0303, 0xFFFF),
-
-            CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
-            CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-            CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   0x0303, 0xFFFF),
-            CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384",         0x0303, 0xFFFF),
-            CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",  0x0303, 0xFFFF),
-            CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",    0x0303, 0xFFFF),
-            CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-
-            CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   0x0303, 0xFFFF),
-            CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256",         0x0303, 0xFFFF),
-            CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  0x0303, 0xFFFF),
-            CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",    0x0303, 0xFFFF),
-            CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-            CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            // cipher suites obsoleted since TLS 1.2
-            CS_50("SSL_RSA_WITH_DES_CBC_SHA",                0x0000, 0x0303),
-            CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_53("SSL_DH_anon_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_54("TLS_KRB5_WITH_DES_CBC_SHA",               0x0000, 0x0303),
-            CS_55("TLS_KRB5_WITH_DES_CBC_MD5",               0x0000, 0x0303),
-
-            // cipher suites obsoleted since TLS 1.1
-            CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5",          0x0000, 0x0302),
-            CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",      0x0000, 0x0302),
-            CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",       0x0000, 0x0302),
-            CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",         0x0000, 0x0302),
-            CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",         0x0000, 0x0302),
-            CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",     0x0000, 0x0302),
-            CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",     0x0000, 0x0302),
-
-            // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
-            CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",       0xFFFF, 0x0000);
-
-            // the cipher suite name
-            final String cipherSuite;
-
-            // supported since protocol version
-            final int supportedSince;
-
-            // obsoleted since protocol version
-            final int obsoletedSince;
-
-            TLSCipherStatus(String cipherSuite,
-                    int supportedSince, int obsoletedSince) {
-                this.cipherSuite = cipherSuite;
-                this.supportedSince = supportedSince;
-                this.obsoletedSince = obsoletedSince;
-            }
-
-            static boolean isEnabled(String cipherSuite, String protocol) {
-                int versionNumber = toVersionNumber(protocol);
-
-                if (versionNumber < 0) {
-                    return true;  // unlikely to happen
-                }
-
-                for (TLSCipherStatus status : TLSCipherStatus.values()) {
-                    if (cipherSuite.equals(status.cipherSuite)) {
-                        if ((versionNumber < status.supportedSince) ||
-                            (versionNumber >= status.obsoletedSince)) {
-                            return false;
-                        }
-
-                        return true;
-                    }
-                }
-
-                return true;
-            }
-
-            private static int toVersionNumber(String protocol) {
-                int versionNumber = -1;
-
-                switch (protocol) {
-                    case "SSLv2Hello":
-                        versionNumber = 0x0002;
-                        break;
-                    case "SSLv3":
-                        versionNumber = 0x0300;
-                        break;
-                    case "TLSv1":
-                        versionNumber = 0x0301;
-                        break;
-                    case "TLSv1.1":
-                        versionNumber = 0x0302;
-                        break;
-                    case "TLSv1.2":
-                        versionNumber = 0x0303;
-                        break;
-                    default:
-                        // unlikely to happen
-                }
-
-                return versionNumber;
-            }
-        }
-    }
-
-    private List<TestParameters> tests;
-    private Iterator<TestParameters> testIterator;
-    private SSLSocketFactory factory;
-    private boolean failed;
-
-    private CipherTest(PeerFactory peerFactory) throws IOException {
-        THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
-        factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
-        SSLSocket socket = (SSLSocket)factory.createSocket();
-        String[] cipherSuites = socket.getSupportedCipherSuites();
-        String[] protocols = socket.getSupportedProtocols();
-//      String[] clientAuths = {null, "RSA", "DSA"};
-        String[] clientAuths = {null};
-        tests = new ArrayList<TestParameters>(
-            cipherSuites.length * protocols.length * clientAuths.length);
-        for (int i = 0; i < cipherSuites.length; i++) {
-            String cipherSuite = cipherSuites[i];
-
-            for (int j = 0; j < protocols.length; j++) {
-                String protocol = protocols[j];
-
-                if (!peerFactory.isSupported(cipherSuite, protocol)) {
-                    continue;
-                }
-
-                for (int k = 0; k < clientAuths.length; k++) {
-                    String clientAuth = clientAuths[k];
-                    if ((clientAuth != null) &&
-                            (cipherSuite.indexOf("DH_anon") != -1)) {
-                        // no client with anonymous ciphersuites
-                        continue;
-                    }
-                    tests.add(new TestParameters(cipherSuite, protocol,
-                        clientAuth));
-                }
-            }
-        }
-        testIterator = tests.iterator();
-    }
-
-    synchronized void setFailed() {
-        failed = true;
-    }
-
-    public void run() throws Exception {
-        Thread[] threads = new Thread[THREADS];
-        for (int i = 0; i < THREADS; i++) {
-            try {
-                threads[i] = new Thread(peerFactory.newClient(this),
-                    "Client " + i);
-            } catch (Exception e) {
-                e.printStackTrace();
-                return;
-            }
-            threads[i].start();
-        }
-        try {
-            for (int i = 0; i < THREADS; i++) {
-                threads[i].join();
-            }
-        } catch (InterruptedException e) {
-            setFailed();
-            e.printStackTrace();
-        }
-        if (failed) {
-            throw new Exception("*** Test '" + peerFactory.getName() +
-                "' failed ***");
-        } else {
-            System.out.println("Test '" + peerFactory.getName() +
-                "' completed successfully");
-        }
-    }
-
-    synchronized TestParameters getTest() {
-        if (failed) {
-            return null;
-        }
-        if (testIterator.hasNext()) {
-            return (TestParameters)testIterator.next();
-        }
-        return null;
-    }
-
-    SSLSocketFactory getFactory() {
-        return factory;
-    }
-
-    static abstract class Client implements Runnable {
-
-        final CipherTest cipherTest;
-
-        Client(CipherTest cipherTest) throws Exception {
-            this.cipherTest = cipherTest;
-        }
-
-        public final void run() {
-            while (true) {
-                TestParameters params = cipherTest.getTest();
-                if (params == null) {
-                    // no more tests
-                    break;
-                }
-                if (params.isEnabled() == false) {
-                    System.out.println("Skipping disabled test " + params);
-                    continue;
-                }
-                try {
-                    runTest(params);
-                    System.out.println("Passed " + params);
-                } catch (Exception e) {
-                    cipherTest.setFailed();
-                    System.out.println("** Failed " + params + "**");
-                    e.printStackTrace();
-                }
-            }
-        }
-
-        abstract void runTest(TestParameters params) throws Exception;
-
-        void sendRequest(InputStream in, OutputStream out) throws IOException {
-            out.write("GET / HTTP/1.0\r\n\r\n".getBytes());
-            out.flush();
-            StringBuilder sb = new StringBuilder();
-            while (true) {
-                int ch = in.read();
-                if (ch < 0) {
-                    break;
-                }
-                sb.append((char)ch);
-            }
-            String response = sb.toString();
-            if (response.startsWith("HTTP/1.0 200 ") == false) {
-                throw new IOException("Invalid response: " + response);
-            }
-        }
-
-    }
-
-    // for some reason, ${test.src} has a different value when the
-    // test is called from the script and when it is called directly...
-    static String pathToStores = ".";
-    static String pathToStoresSH = ".";
-    static String keyStoreFile = "keystore";
-    static String trustStoreFile = "truststore";
-    static char[] passwd = "passphrase".toCharArray();
-
-    static File PATH;
-
-    private static KeyStore readKeyStore(String name) throws Exception {
-        File file = new File(PATH, name);
-        InputStream in = new FileInputStream(file);
-        KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(in, passwd);
-        in.close();
-        return ks;
-    }
-
-    public static void main(PeerFactory peerFactory, KeyStore keyStore,
-            String[] args) throws Exception {
-        long time = System.currentTimeMillis();
-        String relPath;
-        if ((args != null) && (args.length > 0) && args[0].equals("sh")) {
-            relPath = pathToStoresSH;
-        } else {
-            relPath = pathToStores;
-        }
-        PATH = new File(System.getProperty("test.src", "."), relPath);
-        CipherTest.peerFactory = peerFactory;
-        System.out.print(
-            "Initializing test '" + peerFactory.getName() + "'...");
-//      secureRandom = new SecureRandom();
-//      secureRandom.nextInt();
-//      trustStore = readKeyStore(trustStoreFile);
-        CipherTest.keyStore = keyStore;
-//      keyStore = readKeyStore(keyStoreFile);
-        KeyManagerFactory keyFactory =
-            KeyManagerFactory.getInstance(
-                KeyManagerFactory.getDefaultAlgorithm());
-        keyFactory.init(keyStore, "test12".toCharArray());
-        keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0];
-
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        tmf.init(keyStore);
-        trustManager = (X509TrustManager)tmf.getTrustManagers()[0];
-
-//      trustManager = new AlwaysTrustManager();
-        SSLContext context = SSLContext.getInstance("TLS");
-        context.init(new KeyManager[] {keyManager},
-                new TrustManager[] {trustManager}, null);
-        SSLContext.setDefault(context);
-
-        CipherTest cipherTest = new CipherTest(peerFactory);
-        Thread serverThread = new Thread(peerFactory.newServer(cipherTest),
-            "Server");
-        serverThread.setDaemon(true);
-        serverThread.start();
-        System.out.println("Done");
-        cipherTest.run();
-        time = System.currentTimeMillis() - time;
-        System.out.println("Done. (" + time + " ms)");
-    }
-
-    static abstract class PeerFactory {
-
-        abstract String getName();
-
-        abstract Client newClient(CipherTest cipherTest) throws Exception;
-
-        abstract Server newServer(CipherTest cipherTest) throws Exception;
-
-        boolean isSupported(String cipherSuite, String protocol) {
-            // skip kerberos cipher suites
-            if (cipherSuite.startsWith("TLS_KRB5")) {
-                System.out.println("Skipping unsupported test for " +
-                                    cipherSuite + " of " + protocol);
-                return false;
-            }
-
-            // No ECDH-capable certificate in key store. May restructure
-            // this in the future.
-            if (cipherSuite.contains("ECDHE_ECDSA") ||
-                    cipherSuite.contains("ECDH_ECDSA") ||
-                    cipherSuite.contains("ECDH_RSA")) {
-                System.out.println("Skipping unsupported test for " +
-                                    cipherSuite + " of " + protocol);
-                return false;
-            }
-
-            // skip SSLv2Hello protocol
-            //
-            // skip TLSv1.2 protocol, we have not implement "SunTls12Prf" and
-            // SunTls12RsaPremasterSecret in SunPKCS11 provider
-            if (protocol.equals("SSLv2Hello") || protocol.equals("TLSv1.2")) {
-                System.out.println("Skipping unsupported test for " +
-                                    cipherSuite + " of " + protocol);
-                return false;
-            }
-
-            // ignore exportable cipher suite for TLSv1.1
-            if (protocol.equals("TLSv1.1")) {
-                if (cipherSuite.indexOf("_EXPORT_WITH") != -1) {
-                    System.out.println("Skipping obsoleted test for " +
-                                        cipherSuite + " of " + protocol);
-                    return false;
-                }
-            }
-
-            return true;
-        }
-    }
-
-}
-
-// we currently don't do any chain verification. we assume that works ok
-// and we can speed up the test. we could also just add a plain certificate
-// chain comparision with our trusted certificates.
-class AlwaysTrustManager implements X509TrustManager {
-
-    public AlwaysTrustManager() {
-
-    }
-
-    public void checkClientTrusted(X509Certificate[] chain, String authType)
-            throws CertificateException {
-        // empty
-    }
-
-    public void checkServerTrusted(X509Certificate[] chain, String authType)
-            throws CertificateException {
-        // empty
-    }
-
-    public X509Certificate[] getAcceptedIssuers() {
-        return new X509Certificate[0];
-    }
-}
-
-class MyX509KeyManager extends X509ExtendedKeyManager {
-
-    private final X509ExtendedKeyManager keyManager;
-    private String authType;
-
-    MyX509KeyManager(X509ExtendedKeyManager keyManager) {
-        this.keyManager = keyManager;
-    }
-
-    void setAuthType(String authType) {
-        this.authType = authType;
-    }
-
-    public String[] getClientAliases(String keyType, Principal[] issuers) {
-        if (authType == null) {
-            return null;
-        }
-        return keyManager.getClientAliases(authType, issuers);
-    }
-
-    public String chooseClientAlias(String[] keyType, Principal[] issuers,
-            Socket socket) {
-        if (authType == null) {
-            return null;
-        }
-        return keyManager.chooseClientAlias(new String[] {authType},
-            issuers, socket);
-    }
-
-    public String chooseEngineClientAlias(String[] keyType,
-            Principal[] issuers, SSLEngine engine) {
-        if (authType == null) {
-            return null;
-        }
-        return keyManager.chooseEngineClientAlias(new String[] {authType},
-            issuers, engine);
-    }
-
-    public String[] getServerAliases(String keyType, Principal[] issuers) {
-        throw new UnsupportedOperationException("Servers not supported");
-    }
-
-    public String chooseServerAlias(String keyType, Principal[] issuers,
-            Socket socket) {
-        throw new UnsupportedOperationException("Servers not supported");
-    }
-
-    public String chooseEngineServerAlias(String keyType, Principal[] issuers,
-            SSLEngine engine) {
-        throw new UnsupportedOperationException("Servers not supported");
-    }
-
-    public X509Certificate[] getCertificateChain(String alias) {
-        return keyManager.getCertificateChain(alias);
-    }
-
-    public PrivateKey getPrivateKey(String alias) {
-        return keyManager.getPrivateKey(alias);
-    }
-
-}
-
-class DaemonThreadFactory implements ThreadFactory {
-
-    final static ThreadFactory INSTANCE = new DaemonThreadFactory();
-
-    private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory();
-
-    public Thread newThread(Runnable r) {
-        Thread t = DEFAULT.newThread(r);
-        t.setDaemon(true);
-        return t;
-    }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6313675 6323647 8028192
- * @summary Verify that all ciphersuites work in FIPS mode
- * @library /test/lib ..
- * @author Andreas Sterbenz
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/manual ClientJSSEServerJSSE
- */
-
-/*
- * JSSE supported cipher suites are changed with CR 6916074,
- * need to update this test case in JDK 7 soon
- */
-
-import java.security.*;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure. It will live here for the time being.
-
-public class ClientJSSEServerJSSE extends SecmodTest {
-
-    public static void main(String[] args) throws Exception {
-        if (initSecmod() == false) {
-            return;
-        }
-
-        String arch = System.getProperty("os.arch");
-        if (!("sparc".equals(arch) || "sparcv9".equals(arch))) {
-            // we have not updated other platforms with the proper NSS
-            // libraries yet
-            System.out.println(
-                    "Test currently works only on solaris-sparc " +
-                    "and solaris-sparcv9. Skipping on " + arch);
-            return;
-        }
-
-        String configName = BASE + SEP + "fips.cfg";
-        Provider p = getSunPKCS11(configName);
-
-        System.out.println(p);
-        Security.addProvider(p);
-
-        Security.removeProvider("SunJSSE");
-        Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
-        Security.addProvider(jsse);
-        System.out.println(jsse.getInfo());
-
-        KeyStore ks = KeyStore.getInstance("PKCS11", p);
-        ks.load(null, "test12".toCharArray());
-
-        CipherTest.main(new JSSEFactory(), ks, args);
-    }
-
-    private static class JSSEFactory extends CipherTest.PeerFactory {
-
-        String getName() {
-            return "Client JSSE - Server JSSE";
-        }
-
-        CipherTest.Client newClient(CipherTest cipherTest) throws Exception {
-            return new JSSEClient(cipherTest);
-        }
-
-        CipherTest.Server newServer(CipherTest cipherTest) throws Exception {
-            return new JSSEServer(cipherTest);
-        }
-    }
-}
--- a/test/jdk/sun/security/pkcs11/fips/ImportKeyStore.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.util.*;
-
-import java.security.*;
-import java.security.KeyStore.*;
-import java.security.cert.*;
-
-/**
-
-This is an approximation of the process used to create the *.db files
-in this directory.
-
-setenv LD_LIBRARY_PATH $WS/test/sun/security/pkcs11/nss/lib/solaris-sparc
-modutil -create -dbdir .
-modutil -changepw "NSS Internal PKCS #11 Module" -dbdir .
-
-$JHOME/bin/keytool -list -storetype PKCS11 -addprovider SunPKCS11 -providerarg "--name=NSS\nnssSecmodDirectory=." -v -storepass test12
-
-modutil -fips true -dbdir .
-
-*/
-
-public class ImportKeyStore {
-
-    public static void main(String[] args) throws Exception {
-        String nssCfg = "--name=NSS\nnssSecmodDirectory=.\n ";
-//          "attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = { CKA_NETSCAPE_DB = 0h00 }";
-        Provider p = Security.getProvider("SunPKCS11");
-        p.configure(nssCfg);
-
-        KeyStore ks = KeyStore.getInstance("PKCS11", p);
-        ks.load(null, "test12".toCharArray());
-        System.out.println("Aliases: " + Collections.list(ks.aliases()));
-        System.out.println();
-
-        char[] srcpw = "passphrase".toCharArray();
-//      importKeyStore("truststore", srcpw, ks);
-        importKeyStore("keystore", srcpw, ks);
-
-        System.out.println("OK.");
-    }
-
-    private static void importKeyStore(String filename, char[] passwd, KeyStore dstks) throws Exception {
-        System.out.println("Importing JKS KeyStore " + filename);
-        InputStream in = new FileInputStream(filename);
-        KeyStore srcks = KeyStore.getInstance("JKS");
-        srcks.load(in, passwd);
-        in.close();
-        List<String> aliases = Collections.list(srcks.aliases());
-        for (String alias : aliases) {
-            System.out.println("Alias: " + alias);
-            if (srcks.isCertificateEntry(alias)) {
-                X509Certificate cert = (X509Certificate)srcks.getCertificate(alias);
-                System.out.println("  Certificate: " + cert.getSubjectX500Principal());
-                dstks.setCertificateEntry(alias + "-cert", cert);
-            } else if (srcks.isKeyEntry(alias)) {
-                PrivateKeyEntry entry = (PrivateKeyEntry)srcks.getEntry(alias, new PasswordProtection(passwd));
-                System.out.println("  Key: " + entry.getPrivateKey().toString().split("\n")[0]);
-                dstks.setEntry(alias, entry, null);
-            } else {
-                System.out.println("  Unknown entry: " + alias);
-            }
-        }
-        System.out.println();
-    }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/JSSEClient.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-class JSSEClient extends CipherTest.Client {
-
-    private final SSLContext sslContext;
-    private final MyX509KeyManager keyManager;
-
-    JSSEClient(CipherTest cipherTest) throws Exception {
-        super(cipherTest);
-        this.keyManager = new MyX509KeyManager(CipherTest.keyManager);
-        sslContext = SSLContext.getInstance("TLS");
-    }
-
-    void runTest(CipherTest.TestParameters params) throws Exception {
-        SSLSocket socket = null;
-        try {
-            keyManager.setAuthType(params.clientAuth);
-            sslContext.init(new KeyManager[] {CipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
-            SSLSocketFactory factory = (SSLSocketFactory)sslContext.getSocketFactory();
-            socket = (SSLSocket)factory.createSocket("127.0.0.1", cipherTest.serverPort);
-            socket.setSoTimeout(cipherTest.TIMEOUT);
-            socket.setEnabledCipherSuites(new String[] {params.cipherSuite});
-            socket.setEnabledProtocols(new String[] {params.protocol});
-            InputStream in = socket.getInputStream();
-            OutputStream out = socket.getOutputStream();
-            sendRequest(in, out);
-            socket.close();
-            SSLSession session = socket.getSession();
-            session.invalidate();
-            String cipherSuite = session.getCipherSuite();
-            if (params.cipherSuite.equals(cipherSuite) == false) {
-                throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite);
-            }
-            String protocol = session.getProtocol();
-            if (params.protocol.equals(protocol) == false) {
-                throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol);
-            }
-            if (cipherSuite.indexOf("DH_anon") == -1) {
-                session.getPeerCertificates();
-            }
-            Certificate[] certificates = session.getLocalCertificates();
-            if (params.clientAuth == null) {
-                if (certificates != null) {
-                    throw new Exception("Local certificates should be null");
-                }
-            } else {
-                if ((certificates == null) || (certificates.length == 0)) {
-                    throw new Exception("Certificates missing");
-                }
-                String keyAlg = certificates[0].getPublicKey().getAlgorithm();
-                if (params.clientAuth != keyAlg) {
-                    throw new Exception("Certificate type mismatch: " + keyAlg + " != " + params.clientAuth);
-                }
-            }
-        } finally {
-            if (socket != null) {
-                socket.close();
-            }
-        }
-    }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/JSSEServer.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
-
-class JSSEServer extends CipherTest.Server {
-
-    SSLServerSocket serverSocket;
-
-    JSSEServer(CipherTest cipherTest) throws Exception {
-        super(cipherTest);
-        SSLContext serverContext = SSLContext.getInstance("TLS");
-        serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
-
-        SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory();
-        serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort);
-        cipherTest.serverPort = serverSocket.getLocalPort();
-        serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
-//      serverSocket.setWantClientAuth(true);
-    }
-
-    public void run() {
-        System.out.println("JSSE Server listening on port " + cipherTest.serverPort);
-        Executor exec = Executors.newFixedThreadPool
-                            (cipherTest.THREADS, DaemonThreadFactory.INSTANCE);
-        try {
-            while (true) {
-                final SSLSocket socket = (SSLSocket)serverSocket.accept();
-                socket.setSoTimeout(cipherTest.TIMEOUT);
-                Runnable r = new Runnable() {
-                    public void run() {
-                        try {
-                            InputStream in = socket.getInputStream();
-                            OutputStream out = socket.getOutputStream();
-                            handleRequest(in, out);
-                            out.flush();
-                            socket.close();
-                            socket.getSession().invalidate();
-                        } catch (IOException e) {
-                            cipherTest.setFailed();
-                            e.printStackTrace();
-                        } finally {
-                            if (socket != null) {
-                                try {
-                                    socket.close();
-                                } catch (IOException e) {
-                                    cipherTest.setFailed();
-                                    System.out.println("Exception closing socket on server side:");
-                                    e.printStackTrace();
-                                }
-                            }
-                        }
-                    }
-                };
-                exec.execute(r);
-            }
-        } catch (IOException e) {
-            cipherTest.setFailed();
-            e.printStackTrace();
-            //
-        }
-    }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/TestTLS12.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,453 +0,0 @@
-/*
- * Copyright (c) 2018, Red Hat, Inc.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8029661
- * @summary Test TLS 1.2
- * @modules java.base/sun.security.internal.spec
- *          java.base/sun.security.util
- *          java.base/com.sun.net.ssl.internal.ssl
- *          java.base/com.sun.crypto.provider
- * @library /test/lib ..
- * @run main/othervm/timeout=120 TestTLS12
- */
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.nio.ByteBuffer;
-
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.SecureRandom;
-import java.security.Security;
-
-import java.util.Arrays;
-
-import javax.crypto.Cipher;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLEngineResult;
-import javax.net.ssl.SSLEngineResult.HandshakeStatus;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManagerFactory;
-
-import sun.security.internal.spec.TlsMasterSecretParameterSpec;
-import sun.security.internal.spec.TlsPrfParameterSpec;
-import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
-
-public final class TestTLS12 extends SecmodTest {
-
-    private static final boolean enableDebug = true;
-
-    private static Provider sunPKCS11NSSProvider;
-    private static Provider sunJCEProvider;
-    private static com.sun.net.ssl.internal.ssl.Provider jsseProvider;
-    private static KeyStore ks;
-    private static KeyStore ts;
-    private static char[] passphrase = "JAHshj131@@".toCharArray();
-    private static RSAPrivateKey privateKey;
-    private static RSAPublicKey publicKey;
-
-    public static void main(String[] args) throws Exception {
-        try {
-            initialize();
-        } catch (Exception e) {
-            System.out.println("Test skipped: failure during" +
-                    " initialization");
-            return;
-        }
-
-        if (shouldRun()) {
-            // Test against JCE
-            testTlsAuthenticationCodeGeneration();
-
-            // Self-integrity test (complete TLS 1.2 communication)
-            new testTLS12SunPKCS11Communication().run();
-
-            System.out.println("Test PASS - OK");
-        } else {
-            System.out.println("Test skipped: TLS 1.2 mechanisms" +
-                    " not supported by current SunPKCS11 back-end");
-        }
-    }
-
-    private static boolean shouldRun() {
-        if (sunPKCS11NSSProvider == null) {
-            return false;
-        }
-        try {
-            KeyGenerator.getInstance("SunTls12MasterSecret",
-                    sunPKCS11NSSProvider);
-            KeyGenerator.getInstance(
-                    "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
-            KeyGenerator.getInstance("SunTls12Prf", sunPKCS11NSSProvider);
-        } catch (NoSuchAlgorithmException e) {
-            return false;
-        }
-        return true;
-    }
-
-    private static void testTlsAuthenticationCodeGeneration()
-            throws Exception {
-        // Generate RSA Pre-Master Secret in SunPKCS11 provider
-        SecretKey rsaPreMasterSecret = null;
-        @SuppressWarnings("deprecation")
-        TlsRsaPremasterSecretParameterSpec rsaPreMasterSecretSpec =
-                new TlsRsaPremasterSecretParameterSpec(0x0303, 0x0303);
-        {
-            KeyGenerator rsaPreMasterSecretKG = KeyGenerator.getInstance(
-                    "SunTls12RsaPremasterSecret", sunPKCS11NSSProvider);
-            rsaPreMasterSecretKG.init(rsaPreMasterSecretSpec, null);
-            rsaPreMasterSecret = rsaPreMasterSecretKG.generateKey();
-        }
-
-        // Get RSA Pre-Master Secret in plain (from SunPKCS11 provider)
-        byte[] rsaPlainPreMasterSecret = null;
-        {
-            Cipher rsaPreMasterSecretWrapperCipher =
-                    Cipher.getInstance("RSA/ECB/PKCS1Padding",
-                            sunPKCS11NSSProvider);
-            rsaPreMasterSecretWrapperCipher.init(Cipher.WRAP_MODE, publicKey,
-                    new SecureRandom());
-            byte[] rsaEncryptedPreMasterSecret =
-                    rsaPreMasterSecretWrapperCipher.wrap(rsaPreMasterSecret);
-            Cipher rsaPreMasterSecretUnwrapperCipher =
-                    Cipher.getInstance("RSA/ECB/PKCS1Padding", sunJCEProvider);
-            rsaPreMasterSecretUnwrapperCipher.init(Cipher.UNWRAP_MODE,
-                    privateKey, rsaPreMasterSecretSpec);
-            rsaPlainPreMasterSecret = rsaPreMasterSecretUnwrapperCipher.unwrap(
-                    rsaEncryptedPreMasterSecret, "TlsRsaPremasterSecret",
-                    Cipher.SECRET_KEY).getEncoded();
-
-            if (enableDebug) {
-                System.out.println("rsaPlainPreMasterSecret:");
-                for (byte b : rsaPlainPreMasterSecret) {
-                    System.out.printf("%02X, ", b);
-                }
-                System.out.println("");
-            }
-        }
-
-        // Generate Master Secret
-        SecretKey sunPKCS11MasterSecret = null;
-        SecretKey jceMasterSecret = null;
-        {
-            KeyGenerator sunPKCS11MasterSecretGenerator =
-                    KeyGenerator.getInstance("SunTls12MasterSecret",
-                            sunPKCS11NSSProvider);
-            KeyGenerator jceMasterSecretGenerator = KeyGenerator.getInstance(
-                    "SunTls12MasterSecret", sunJCEProvider);
-            @SuppressWarnings("deprecation")
-            TlsMasterSecretParameterSpec sunPKCS11MasterSecretSpec =
-                    new TlsMasterSecretParameterSpec(rsaPreMasterSecret, 3, 3,
-                            new byte[32], new byte[32], "SHA-256", 32, 64);
-            @SuppressWarnings("deprecation")
-            TlsMasterSecretParameterSpec jceMasterSecretSpec =
-                    new TlsMasterSecretParameterSpec(
-                            new SecretKeySpec(rsaPlainPreMasterSecret,
-                                    "Generic"), 3, 3, new byte[32],
-                            new byte[32], "SHA-256", 32, 64);
-            sunPKCS11MasterSecretGenerator.init(sunPKCS11MasterSecretSpec,
-                    null);
-            jceMasterSecretGenerator.init(jceMasterSecretSpec, null);
-            sunPKCS11MasterSecret =
-                    sunPKCS11MasterSecretGenerator.generateKey();
-            jceMasterSecret = jceMasterSecretGenerator.generateKey();
-            if (enableDebug) {
-                System.out.println("Master Secret (SunJCE):");
-                if (jceMasterSecret != null) {
-                    for (byte b : jceMasterSecret.getEncoded()) {
-                        System.out.printf("%02X, ", b);
-                    }
-                    System.out.println("");
-                }
-            }
-        }
-
-        // Generate authentication codes
-        byte[] sunPKCS11AuthenticationCode = null;
-        byte[] jceAuthenticationCode = null;
-        {
-            // Generate SunPKCS11 authentication code
-            {
-                @SuppressWarnings("deprecation")
-                TlsPrfParameterSpec sunPKCS11AuthenticationCodeSpec =
-                        new TlsPrfParameterSpec(sunPKCS11MasterSecret,
-                                "client finished", "a".getBytes(), 12,
-                                "SHA-256", 32, 64);
-                KeyGenerator sunPKCS11AuthCodeGenerator =
-                        KeyGenerator.getInstance("SunTls12Prf",
-                                sunPKCS11NSSProvider);
-                sunPKCS11AuthCodeGenerator.init(
-                        sunPKCS11AuthenticationCodeSpec);
-                sunPKCS11AuthenticationCode =
-                        sunPKCS11AuthCodeGenerator.generateKey().getEncoded();
-            }
-
-            // Generate SunJCE authentication code
-            {
-                @SuppressWarnings("deprecation")
-                TlsPrfParameterSpec jceAuthenticationCodeSpec =
-                        new TlsPrfParameterSpec(jceMasterSecret,
-                                "client finished", "a".getBytes(), 12,
-                                "SHA-256", 32, 64);
-                KeyGenerator jceAuthCodeGenerator =
-                        KeyGenerator.getInstance("SunTls12Prf",
-                                sunJCEProvider);
-                jceAuthCodeGenerator.init(jceAuthenticationCodeSpec);
-                jceAuthenticationCode =
-                        jceAuthCodeGenerator.generateKey().getEncoded();
-            }
-
-            if (enableDebug) {
-                System.out.println("SunPKCS11 Authentication Code: ");
-                for (byte b : sunPKCS11AuthenticationCode) {
-                    System.out.printf("%02X, ", b);
-                }
-                System.out.println("");
-                System.out.println("SunJCE Authentication Code: ");
-                for (byte b : jceAuthenticationCode) {
-                    System.out.printf("%02X, ", b);
-                }
-                System.out.println("");
-            }
-        }
-
-        if (sunPKCS11AuthenticationCode == null ||
-                jceAuthenticationCode == null ||
-                sunPKCS11AuthenticationCode.length == 0 ||
-                jceAuthenticationCode.length == 0 ||
-                !Arrays.equals(sunPKCS11AuthenticationCode,
-                        jceAuthenticationCode)) {
-            throw new Exception("Authentication codes from JCE" +
-                        " and SunPKCS11 differ.");
-        }
-    }
-
-    private static class testTLS12SunPKCS11Communication {
-        public static void run() throws Exception {
-            SSLEngine[][] enginesToTest = getSSLEnginesToTest();
-
-            for (SSLEngine[] engineToTest : enginesToTest) {
-
-                SSLEngine clientSSLEngine = engineToTest[0];
-                SSLEngine serverSSLEngine = engineToTest[1];
-
-                // SSLEngine code based on RedhandshakeFinished.java
-
-                boolean dataDone = false;
-
-                ByteBuffer clientOut = null;
-                ByteBuffer clientIn = null;
-                ByteBuffer serverOut = null;
-                ByteBuffer serverIn = null;
-                ByteBuffer cTOs;
-                ByteBuffer sTOc;
-
-                SSLSession session = clientSSLEngine.getSession();
-                int appBufferMax = session.getApplicationBufferSize();
-                int netBufferMax = session.getPacketBufferSize();
-
-                clientIn = ByteBuffer.allocate(appBufferMax + 50);
-                serverIn = ByteBuffer.allocate(appBufferMax + 50);
-
-                cTOs = ByteBuffer.allocateDirect(netBufferMax);
-                sTOc = ByteBuffer.allocateDirect(netBufferMax);
-
-                clientOut = ByteBuffer.wrap(
-                        "Hi Server, I'm Client".getBytes());
-                serverOut = ByteBuffer.wrap(
-                        "Hello Client, I'm Server".getBytes());
-
-                SSLEngineResult clientResult;
-                SSLEngineResult serverResult;
-
-                while (!dataDone) {
-                    clientResult = clientSSLEngine.wrap(clientOut, cTOs);
-                    runDelegatedTasks(clientResult, clientSSLEngine);
-                    serverResult = serverSSLEngine.wrap(serverOut, sTOc);
-                    runDelegatedTasks(serverResult, serverSSLEngine);
-                    cTOs.flip();
-                    sTOc.flip();
-
-                    if (enableDebug) {
-                        System.out.println("Client -> Network");
-                        printTlsNetworkPacket("", cTOs);
-                        System.out.println("");
-                        System.out.println("Server -> Network");
-                        printTlsNetworkPacket("", sTOc);
-                        System.out.println("");
-                    }
-
-                    clientResult = clientSSLEngine.unwrap(sTOc, clientIn);
-                    runDelegatedTasks(clientResult, clientSSLEngine);
-                    serverResult = serverSSLEngine.unwrap(cTOs, serverIn);
-                    runDelegatedTasks(serverResult, serverSSLEngine);
-
-                    cTOs.compact();
-                    sTOc.compact();
-
-                    if (!dataDone &&
-                            (clientOut.limit() == serverIn.position()) &&
-                            (serverOut.limit() == clientIn.position())) {
-                        checkTransfer(serverOut, clientIn);
-                        checkTransfer(clientOut, serverIn);
-                        dataDone = true;
-                    }
-                }
-            }
-        }
-
-        static void printTlsNetworkPacket(String prefix, ByteBuffer bb) {
-            ByteBuffer slice = bb.slice();
-            byte[] buffer = new byte[slice.remaining()];
-            slice.get(buffer);
-            for (int i = 0; i < buffer.length; i++) {
-                System.out.printf("%02X, ", (byte)(buffer[i] & (byte)0xFF));
-                if (i % 8 == 0 && i % 16 != 0) {
-                    System.out.print(" ");
-                }
-                if (i % 16 == 0) {
-                    System.out.println("");
-                }
-            }
-            System.out.flush();
-        }
-
-        private static void checkTransfer(ByteBuffer a, ByteBuffer b)
-                throws Exception {
-            a.flip();
-            b.flip();
-            if (!a.equals(b)) {
-                throw new Exception("Data didn't transfer cleanly");
-            }
-            a.position(a.limit());
-            b.position(b.limit());
-            a.limit(a.capacity());
-            b.limit(b.capacity());
-        }
-
-        private static void runDelegatedTasks(SSLEngineResult result,
-                SSLEngine engine) throws Exception {
-
-            if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
-                Runnable runnable;
-                while ((runnable = engine.getDelegatedTask()) != null) {
-                    runnable.run();
-                }
-                HandshakeStatus hsStatus = engine.getHandshakeStatus();
-                if (hsStatus == HandshakeStatus.NEED_TASK) {
-                    throw new Exception(
-                        "handshake shouldn't need additional tasks");
-                }
-            }
-        }
-
-        private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
-            SSLEngine[][] enginesToTest = new SSLEngine[2][2];
-            String[][] preferredSuites = new String[][]{ new String[] {
-                    "TLS_RSA_WITH_AES_128_CBC_SHA256"
-            },  new String[] {
-                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
-            }};
-            for (int i = 0; i < enginesToTest.length; i++) {
-                enginesToTest[i][0] = createSSLEngine(true);
-                enginesToTest[i][1] = createSSLEngine(false);
-                enginesToTest[i][0].setEnabledCipherSuites(preferredSuites[i]);
-                enginesToTest[i][1].setEnabledCipherSuites(preferredSuites[i]);
-            }
-            return enginesToTest;
-        }
-
-        static private SSLEngine createSSLEngine(boolean client)
-                throws Exception {
-            SSLEngine ssle;
-            KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX",
-                    jsseProvider);
-            kmf.init(ks, passphrase);
-
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX",
-                    jsseProvider);
-            tmf.init(ts);
-
-            SSLContext sslCtx = SSLContext.getInstance("TLSv1.2",
-                    jsseProvider);
-            sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-            ssle = sslCtx.createSSLEngine("localhost", 443);
-            ssle.setUseClientMode(client);
-            SSLParameters sslParameters = ssle.getSSLParameters();
-            ssle.setSSLParameters(sslParameters);
-
-            return ssle;
-        }
-    }
-
-    private static void initialize() throws Exception {
-        if (initSecmod() == false) {
-            return;
-        }
-        String configName = BASE + SEP + "fips.cfg";
-        sunPKCS11NSSProvider = getSunPKCS11(configName);
-        System.out.println("SunPKCS11 provider: " + sunPKCS11NSSProvider);
-        Security.addProvider(sunPKCS11NSSProvider);
-
-        sunJCEProvider = new com.sun.crypto.provider.SunJCE();
-        Security.addProvider(sunJCEProvider);
-
-        Security.removeProvider("SunJSSE");
-        jsseProvider =new com.sun.net.ssl.internal.ssl.Provider(
-                sunPKCS11NSSProvider);
-        Security.addProvider(jsseProvider);
-        System.out.println(jsseProvider.getInfo());
-
-        ks = KeyStore.getInstance("PKCS11", sunPKCS11NSSProvider);
-        ks.load(null, "test12".toCharArray());
-        ts = ks;
-
-        KeyStore ksPlain = readTestKeyStore();
-        privateKey = (RSAPrivateKey)ksPlain.getKey("rh_rsa_sha256",
-                passphrase);
-        publicKey = (RSAPublicKey)ksPlain.getCertificate(
-                "rh_rsa_sha256").getPublicKey();
-    }
-
-    private static KeyStore readTestKeyStore() throws Exception {
-        File file = new File(System.getProperty("test.src", "."), "keystore");
-        InputStream in = new FileInputStream(file);
-        KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(in, "passphrase".toCharArray());
-        in.close();
-        return ks;
-    }
-}
\ No newline at end of file
--- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.java	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,111 +0,0 @@
-/*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6323647
- * @summary Verify that the SunJSSE trustmanager works correctly in FIPS mode
- * @author Andreas Sterbenz
- * @library /test/lib ..
- * @modules java.base/com.sun.net.ssl.internal.ssl
- * @run main/othervm TrustManagerTest
- * @run main/othervm TrustManagerTest sm TrustManagerTest.policy
- */
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.Policy;
-import java.security.Provider;
-import java.security.Security;
-import java.security.URIParameter;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
-
-// This test belongs more in JSSE than here, but the JSSE workspace does not
-// have the NSS test infrastructure. It will live here for the time being.
-
-public class TrustManagerTest extends SecmodTest {
-
-    public static void main(String[] args) throws Exception {
-        if (initSecmod() == false) {
-            return;
-        }
-
-        if ("sparc".equals(System.getProperty("os.arch")) == false) {
-            // we have not updated other platforms with the proper NSS libraries yet
-            System.out.println("Test currently works only on solaris-sparc, skipping");
-            return;
-        }
-
-        String configName = BASE + SEP + "fips.cfg";
-        Provider p = getSunPKCS11(configName);
-
-        System.out.println(p);
-        Security.addProvider(p);
-
-        Security.removeProvider("SunJSSE");
-        Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p);
-        Security.addProvider(jsse);
-        System.out.println(jsse.getInfo());
-
-        KeyStore ks = KeyStore.getInstance("PKCS11", p);
-        ks.load(null, "test12".toCharArray());
-
-        X509Certificate server = loadCertificate("certs/server.cer");
-        X509Certificate ca = loadCertificate("certs/ca.cer");
-        X509Certificate anchor = loadCertificate("certs/anchor.cer");
-
-        if (args.length > 1 && "sm".equals(args[0])) {
-            Policy.setPolicy(Policy.getInstance("JavaPolicy",
-                    new URIParameter(new File(BASE, args[1]).toURI())));
-            System.setSecurityManager(new SecurityManager());
-        }
-
-        KeyStore trustStore = KeyStore.getInstance("JKS");
-        trustStore.load(null, null);
-        trustStore.setCertificateEntry("anchor", anchor);
-
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
-        tmf.init(trustStore);
-
-        X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0];
-
-        X509Certificate[] chain = {server, ca, anchor};
-
-        tm.checkServerTrusted(chain, "RSA");
-
-        System.out.println("OK");
-    }
-
-    private static X509Certificate loadCertificate(String name) throws Exception {
-        try (InputStream in = new FileInputStream(BASE + SEP + name)) {
-            return (X509Certificate) CertificateFactory.getInstance("X.509")
-                    .generateCertificate(in);
-        }
-    }
-
-}
--- a/test/jdk/sun/security/pkcs11/fips/TrustManagerTest.policy	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-grant {
-    
-};
\ No newline at end of file
Binary file test/jdk/sun/security/pkcs11/fips/cert8.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/anchor.cer has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/ca.cer has changed
Binary file test/jdk/sun/security/pkcs11/fips/certs/server.cer has changed
--- a/test/jdk/sun/security/pkcs11/fips/fips.cfg	Tue Feb 12 15:19:25 2019 -0500
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-
-name = NSSKeyStore
-
-nssSecmodDirectory = ${pkcs11test.nss.db}
-
-nssLibraryDirectory = ${pkcs11test.nss.libdir}
-
-nssModule = fips
-
-# NSS needs CKA_NETSCAPE_DB for DSA and DH private keys
-# just put an arbitrary value in there to make it happy
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DSA) = {
-  CKA_NETSCAPE_DB = 0h00
-}
-
-attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
-  CKA_NETSCAPE_DB = 0h00
-}
Binary file test/jdk/sun/security/pkcs11/fips/key3.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/keystore has changed
Binary file test/jdk/sun/security/pkcs11/fips/secmod.db has changed
Binary file test/jdk/sun/security/pkcs11/fips/truststore has changed