changeset 1549:82b66d0368ff

Merge
author dcubed
date Tue, 11 Aug 2009 20:06:52 -0600
parents 36e0f4e00f20 95ae810b66fb
children abac33c4bd67 1ff977b938e5 8c0c96a3f9f6
files src/share/classes/com/sun/crypto/provider/JarVerifier.java src/share/classes/javax/swing/plaf/basic/DesktopIconMover.java src/share/classes/sun/security/pkcs11/JarVerifier.java src/windows/classes/sun/security/mscapi/JarVerifier.java
diffstat 273 files changed, 25137 insertions(+), 1831 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Tue Aug 11 20:02:43 2009 -0600
+++ b/.hgtags	Tue Aug 11 20:06:52 2009 -0600
@@ -42,3 +42,4 @@
 382a27aa78d3236fa123c60577797a887fe93e09 jdk7-b65
 bd31b30a5b21f20e42965b1633f18a5c7946d398 jdk7-b66
 a952aafd5181af953b0ef3010dbd2fcc28460e8a jdk7-b67
+b23d905cb5d3b382295240d28ab0bfb266b4503c jdk7-b68
--- a/THIRD_PARTY_README	Tue Aug 11 20:02:43 2009 -0600
+++ b/THIRD_PARTY_README	Tue Aug 11 20:06:52 2009 -0600
@@ -32,7 +32,7 @@
 
 --- end of LICENSE file ---
 %% This notice is provided with respect to ASM, which may be included with this software: 
-Copyright (c) 2000-2005 INRIA, France Telecom
+Copyright (c) 2000-2007 INRIA, France Telecom
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
--- a/make/com/sun/crypto/provider/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/com/sun/crypto/provider/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 2007-2008 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2007-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -45,54 +45,49 @@
 # For OpenJDK, the jar files built here are installed directly into the
 # OpenJDK.
 #
-# For JDK, the binaries use pre-built/pre-signed/pre-obfuscated binary
-# files stored in the closed workspace that are not shipped in the
-# OpenJDK workspaces.  We still build the JDK files here to verify the
-# files compile, and in preparation for possible signing and
-# obfuscation.  Developers working on JCE in JDK must sign the JCE files
-# before testing: obfuscation is optional during development.  The JCE
-# signing key is kept separate from the JDK workspace to prevent its
-# disclosure.  The obfuscation tool has not been licensed for general
-# usage.
-#
+# For JDK, the binaries use pre-built/pre-signed binary files stored in
+# the closed workspace that are not shipped in the OpenJDK workspaces.
+# We still build the JDK files here to verify the files compile, and in
+# preparation for possible signing.  Developers working on JCE in JDK
+# must sign the JCE files before testing.  The JCE signing key is kept
+# separate from the JDK workspace to prevent its disclosure.
+# 
 # SPECIAL NOTE TO JCE/JDK developers:  The source files must eventually
-# be built, obfuscated, signed, and then the resulting jar files MUST BE
-# CHECKED INTO THE CLOSED PART OF THE WORKSPACE*.  This separate step
-# *MUST NOT BE FORGOTTEN*, otherwise a bug fixed in the source code will
-# not be reflected in the shipped binaries.  The "release" target should be
+# be built and signed, and the resulting jar files MUST BE CHECKED INTO
+# THE CLOSED PART OF THE WORKSPACE*.  This separate step *MUST NOT BE
+# FORGOTTEN*, otherwise a bug fixed in the source code will not be
+# reflected in the shipped binaries.  The "release" target should be
 # used to generate the required files.
 #
 # There are a number of targets to help both JDK/OpenJDK developers.
 #
 # Main Targets (JDK/OPENJDK):
 #
-#     all/clobber/clean		The usual.
-#				    If OpenJDK, installs sunjce_provider.jar.
-#				    If JDK, installs prebuilt
-#				    sunjce_provider.jar.
+#     all/clobber/clean        The usual.
+#                                  If OpenJDK, installs sunjce_provider.jar.
+#                                  If JDK, installs prebuilt
+#                                      sunjce_provider.jar.
 #
-#     jar			Builds/installs sunjce_provider.jar
-#				    If OpenJDK, does not sign.
-#				    If JDK, tries to sign.
+#     jar                      Builds/installs sunjce_provider.jar
+#                                  If OpenJDK, does not sign.
+#                                  If JDK, tries to sign.
 #
 # Other lesser-used Targets (JDK/OPENJDK):
 #
-#     build-jar			Builds sunjce_provider.jar
-#				    (does not sign/install)
+#     build-jar                Builds sunjce_provider.jar
+#                                  (does not sign/install)
 #
-#     install-jar		Alias for "jar" above.
+#     install-jar              Alias for "jar" above.
 #
 # Other targets (JDK only):
 #
-#     sign			Alias for sign-jar
-#	  sign-jar		Builds/signs sunjce_provider.jar (no install)
+#     sign                     Alias for sign-jar
+#         sign-jar             Builds/signs sunjce_provider.jar (no install)
 #
-#     obfus			Builds/obfuscates/signs sunjce_provider.jar
+#     release                  Builds all targets in preparation
+#                              for workspace integration.
 #
-#     release			Builds all targets in preparation
-#				for workspace integration.
-#
-#     install-prebuilt		Installs the pre-built jar files
+#     install-prebuilt         Installs the pre-built jar files
 #
 # This makefile was written to support parallel target execution.
 #
@@ -103,7 +98,7 @@
 
 #
 # The following is for when we need to do postprocessing
-# (signing/obfuscation) against a read-only build.  If the OUTPUTDIR
+# (signing) against a read-only build.  If the OUTPUTDIR
 # isn't writable, the build currently crashes out.
 #
 ifndef OPENJDK
@@ -158,8 +153,8 @@
 #
 # We use a variety of subdirectories in the $(TEMPDIR) depending on what
 # part of the build we're doing.  Both OPENJDK/JDK builds are initially
-# done in the unsigned area.  When files are signed or obfuscated in JDK,
-# they will be placed in the appropriate areas.
+# done in the unsigned area.  When files are signed in JDK, they will be
+# placed in the appropriate areas.
 #
 UNSIGNED_DIR = $(TEMPDIR)/unsigned
 
@@ -223,62 +218,15 @@
 endif
 	$(call sign-file, $(UNSIGNED_DIR)/sunjce_provider.jar)
 
+
 # =====================================================
-# Obfuscate/sign/install the JDK build.  Not needed for OpenJDK.
+# Create the Release Engineering files.  Signed builds, etc.
 #
 
-OBFUS_DIR = $(JCE_BUILD_DIR)/obfus/sunjce
-
-CLOSED_DIR = $(BUILDDIR)/closed/com/sun/crypto/provider
-
-obfus: $(OBFUS_DIR)/sunjce_provider.jar
-	$(release-warning)
-
-ifndef ALT_JCE_BUILD_DIR
-$(OBFUS_DIR)/sunjce_provider.jar: build-jar $(JCE_MANIFEST_FILE) \
-	    $(OBFUS_DIR)/sunjce.dox
-else
-$(OBFUS_DIR)/sunjce_provider.jar: $(JCE_MANIFEST_FILE) $(OBFUS_DIR)/sunjce.dox
-	@if [ ! -d $(CLASSDESTDIR) ] ; then \
-	    $(ECHO) "Couldn't find $(CLASSDESTDIR)"; \
-	    exit 1; \
-	fi
-endif
-	@$(ECHO) ">>>Obfuscating SunJCE Provider..."
-	$(presign)
-	$(preobfus)
-	$(prep-target)
-	$(CD) $(OBFUS_DIR); \
-	$(OBFUSCATOR) -fv sunjce.dox
-	@$(CD) $(OBFUS_DIR); $(java-vm-cleanup)
-	$(BOOT_JAR_CMD) cmf $(JCE_MANIFEST_FILE) $@ \
-	    -C $(OBFUS_DIR)/build com \
-	    $(BOOT_JAR_JFLAGS)
-	$(sign-target)
-	@$(java-vm-cleanup)
-
-$(OBFUS_DIR)/sunjce.dox: $(CLOSED_DIR)/obfus/sunjce.dox
-	@$(ECHO) ">>>Creating sunjce.dox"
-	$(prep-target)
-	$(SED) "s:@@TEMPDIR@@:$(ABS_TEMPDIR):" $< > $@
-
-#
-# The current obfuscator has a limitation in that it currently only
-# supports up to v49 class file format.  Force v49 classfiles in our
-# builds for now.
-#
-SOURCE_LANGUAGE_VERSION = 5
-TARGET_CLASS_VERSION = 5
-
-
-# =====================================================
-# Create the Release Engineering files.  Obfuscated builds, etc.
-#
-
-release: $(OBFUS_DIR)/sunjce_provider.jar
+release: $(SIGNED_DIR)/sunjce_provider.jar
 	$(RM) $(JCE_BUILD_DIR)/release/sunjce_provider.jar
 	$(MKDIR) -p $(JCE_BUILD_DIR)/release
-	$(CP) $(OBFUS_DIR)/sunjce_provider.jar $(JCE_BUILD_DIR)/release
+	$(CP) $(SIGNED_DIR)/sunjce_provider.jar $(JCE_BUILD_DIR)/release
 	$(release-warning)
 
 endif # OPENJDK
@@ -320,5 +268,5 @@
 
 .PHONY: build-jar jar install-jar
 ifndef OPENJDK
-.PHONY: sign sign-jar obfus release install-prebuilt
+.PHONY: sign sign-jar release install-prebuilt
 endif
--- a/make/java/java/FILES_java.gmk	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/java/java/FILES_java.gmk	Tue Aug 11 20:06:52 2009 -0600
@@ -77,6 +77,7 @@
     java/lang/Compiler.java \
     java/lang/Throwable.java \
         java/lang/Exception.java \
+	    java/lang/ReflectiveOperationException.java \
 	    java/lang/IllegalAccessException.java \
 	    java/lang/InstantiationException.java \
 	    java/lang/ClassNotFoundException.java \
--- a/make/javax/crypto/Defs-jce.gmk	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/javax/crypto/Defs-jce.gmk	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 2007-2008 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2007-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -61,7 +61,7 @@
 SIGNING_ALIAS      = jce_rsa
 
 #
-# Defines for signing/obfuscating the various jar files.
+# Defines for signing the various jar files.
 #
 
 define presign
@@ -100,19 +100,4 @@
 	$(sign-target)
 endef
 
-#
-# Location for the Obfuscation product.  JDK currently has
-# the requirement that we obfuscate our JCE jars.
-#
-OBFUSCATOR = /security/tools/bin/obfus
-OBFUS_DIR = $(TEMPDIR)/obfus
-
-define preobfus
-    @if [ ! -f $(OBFUSCATOR) ]; then \
-	$(ECHO) "\n$(OBFUSCATOR): Obfuscator *NOT* available..." \
-	    $(README-MAKEFILE_WARNING); \
-	exit 2; \
-    fi
-endef
-
 endif  # !OPENJDK
--- a/make/javax/crypto/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/javax/crypto/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 2007-2008 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2007-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -44,64 +44,65 @@
 # For OpenJDK, the jar files built here are installed directly into the
 # OpenJDK.
 #
-# For JDK, the binaries use pre-built/pre-signed/pre-obfuscated binary
-# files stored in the closed workspace that are not shipped in the
-# OpenJDK workspaces.  We still build the JDK files here to verify the
-# files compile, and in preparation for possible signing and
-# obfuscation.  Developers working on JCE in JDK must sign the JCE files
-# before testing: obfuscation is optional during development.  The JCE
-# signing key is kept separate from the JDK workspace to prevent its
-# disclosure.  The obfuscation tool has not been licensed for general
-# usage.
+# For JDK, the binaries use pre-built/pre-signed binary files stored in
+# the closed workspace that are not shipped in the OpenJDK workspaces.
+# We still build the JDK files here to verify the files compile, and in
+# preparation for possible signing.  Developers working on JCE in JDK
+# must sign the JCE files before testing.  The JCE signing key is kept
+# separate from the JDK workspace to prevent its disclosure.
 #
 # SPECIAL NOTE TO JCE/JDK developers:  The source files must eventually
-# be built, obfuscated, signed, and the resulting jar files *MUST BE
-# CHECKED INTO THE CLOSED PART OF THE WORKSPACE*.  This separate step
-# *MUST NOT BE FORGOTTEN*, otherwise a bug fixed in the source code will
-# not be reflected in the shipped binaries.  The "release" target should
-# be used to generate the required files.
+# be built and signed, and the resulting jar files *MUST BE CHECKED INTO
+# THE CLOSED PART OF THE WORKSPACE*.  This separate step *MUST NOT BE
+# FORGOTTEN*, otherwise a bug fixed in the source code will not be
+# reflected in the shipped binaries.  The "release" target should be
+# used to generate the required files.
 #
 # There are a number of targets to help both JDK/OpenJDK developers.
 #
 # Main Targets (JDK/OPENJDK):
 #
-#     all/clobber/clean		The usual.
-#				    If OpenJDK, installs
-#					jce.jar/limited policy files.
-#				    If JDK, installs prebuilt
-#					jce.jar/limited policy files.
+#     all/clobber/clean        The usual.
+#                                  If OpenJDK: builds/installs the
+#                                      jce.jar/limited policy files.
+#                                  If JDK: builds but does not install.
+#                                     During full tops-down builds,
+#                                     prebuilt/presigned jce.jar &
+#                                     limited policy files are copied
+#                                     in by make/java/redist/Makefile.
+#                                     If you are working in this directory
+#                                     and want to install the prebuilts,
+#                                     use the "install-prebuilt" target.
 #
-#     jar			Builds/installs jce.jar
-#				    If OpenJDK, does not sign
-#				    If JDK, tries to sign
+#     jar                      Builds/installs jce.jar
+#                                  If OpenJDK, does not sign
+#                                  If JDK, tries to sign
 #
 # Other lesser-used Targets (JDK/OPENJDK):
 #
-#     build-jar			Builds jce.jar (does not sign/install)
+#     build-jar                Builds jce.jar (does not sign/install)
 #
-#     build-policy		Builds policy files (does not sign/install)
+#     build-policy             Builds policy files (does not sign/install)
 #
-#     install-jar		Alias for "jar" above
+#     install-jar              Alias for "jar" above
 #
-#     install-limited		Builds/installs limited policy files
-#				    If OpenJDK, does not sign
-#				    If JDK, tries to sign
-#     install-unlimited		Builds/nstalls unlimited policy files
-#				    If OpenJDK, does not sign
-#				    If JDK, tries to sign
+#     install-limited          Builds/installs limited policy files
+#                                  If OpenJDK, does not sign
+#                                  If JDK, tries to sign
+#     install-unlimited        Builds/nstalls unlimited policy files
+#                                  If OpenJDK, does not sign
+#                                  If JDK, tries to sign
 #
 # Other targets (JDK only):
 #
-#     sign			Alias for sign-jar and sign-policy
-#	  sign-jar		Builds/signs jce.jar file (no install)
-#	  sign-policy		Builds/signs policy files (no install)
+#     sign                     Alias for sign-jar and sign-policy
+#          sign-jar            Builds/signs jce.jar file (no install)
+#          sign-policy         Builds/signs policy files (no install)
 #
-#     obfus			Builds/obfuscates/signs jce.jar
+#     release                  Builds all targets in preparation
+#                              for workspace integration.
 #
-#     release			Builds all targets in preparation
-#				for workspace integration.
-#
-#     install-prebuilt		Installs the pre-built jar files
+#     install-prebuilt         Installs the pre-built jar files
 #
 # This makefile was written to support parallel target execution.
 #
@@ -112,7 +113,7 @@
 
 #
 # The following is for when we need to do postprocessing
-# (signing/obfuscation) against a read-only build.  If the OUTPUTDIR
+# (signing) against a read-only build.  If the OUTPUTDIR
 # isn't writable, the build currently crashes out.
 #
 ifndef OPENJDK
@@ -169,8 +170,8 @@
 #
 # We use a variety of subdirectories in the $(TEMPDIR) depending on what
 # part of the build we're doing.  Both OPENJDK/JDK builds are initially
-# done in the unsigned area.  When files are signed or obfuscated in JDK,
-# they will be placed in the appropriate areas.
+# done in the unsigned area.  When files are signed in JDK, they will be
+# placed in the appropriate areas.
 #
 UNSIGNED_DIR = $(TEMPDIR)/unsigned
 
@@ -178,7 +179,7 @@
 
 
 # =====================================================
-# Build the unsigned jce.jar file.  Signing/obfuscation comes later.
+# Build the unsigned jce.jar file.  Signing comes later.
 #
 
 JAR_DESTFILE = $(LIBDIR)/jce.jar
@@ -363,69 +364,13 @@
 
 
 # =====================================================
-# Obfuscate/sign/install the JDK build.  Not needed for OpenJDK.
+# Create the Release Engineering files.  Signed builds,
+# unlimited policy file distribution, etc.
 #
 
-OBFUS_DIR = $(JCE_BUILD_DIR)/obfus/jce
-
 CLOSED_DIR = $(BUILDDIR)/closed/javax/crypto
 
-obfus: $(OBFUS_DIR)/jce.jar
-	$(release-warning)
-
-ifndef ALT_JCE_BUILD_DIR
-$(OBFUS_DIR)/jce.jar: build-jar $(JCE_MANIFEST_FILE) $(OBFUS_DIR)/framework.dox
-else
-#
-# We have to remove the build dependency, otherwise, we'll try to rebuild it
-# which we can't do on a read-only filesystem.
-#
-$(OBFUS_DIR)/jce.jar: $(JCE_MANIFEST_FILE) $(OBFUS_DIR)/framework.dox
-	@if [ ! -d $(CLASSDESTDIR) ] ; then \
-	    $(ECHO) "Couldn't find $(CLASSDESTDIR)"; \
-	    exit 1; \
-	fi
-endif
-	@$(ECHO) ">>>Obfuscating JCE framework..."
-	$(presign)
-	$(preobfus)
-	$(prep-target)
-	$(CD) $(OBFUS_DIR); \
-	$(OBFUSCATOR) -fv framework.dox
-	@$(CD) $(OBFUS_DIR); $(java-vm-cleanup)
-	@#
-	@# The sun.security.internal classes are currently not obfuscated
-	@# due to an obfus problem. Manually copy them to the build directory
-	@# so that they are included in the jce.jar file.
-	@#
-	$(CP) -r $(CLASSDESTDIR)/sun $(OBFUS_DIR)/build
-	$(BOOT_JAR_CMD) cmf $(JCE_MANIFEST_FILE) $@	\
-	    -C $(OBFUS_DIR)/build javax			\
-	    -C $(OBFUS_DIR)/build sun			\
-	    $(BOOT_JAR_JFLAGS)
-	$(sign-target)
-	@$(java-vm-cleanup)
-
-$(OBFUS_DIR)/framework.dox: $(CLOSED_DIR)/obfus/framework.dox
-	@$(ECHO) ">>>Creating framework.dox"
-	$(prep-target)
-	$(SED) "s:@@TEMPDIR@@:$(ABS_TEMPDIR):" $< > $@
-
-#
-# The current obfuscator has a limitation in that it currently only
-# supports up to v49 class file format.  Force v49 classfiles in our
-# builds for now.
-#
-SOURCE_LANGUAGE_VERSION = 5
-TARGET_CLASS_VERSION = 5
-
-
-# =====================================================
-# Create the Release Engineering files.  Obfuscated builds,
-# unlimited policy file distribution, etc.
-#
-
-release: $(OBFUS_DIR)/jce.jar sign-policy $(CLOSED_DIR)/doc/COPYRIGHT.html \
+release: $(SIGNED_DIR)/jce.jar sign-policy $(CLOSED_DIR)/doc/COPYRIGHT.html \
          $(CLOSED_DIR)/doc/README.txt
 	$(RM) -r \
 	    $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy              \
@@ -434,7 +379,7 @@
 	    $(JCE_BUILD_DIR)/release/local_policy.jar                \
 	    $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy.zip
 	$(MKDIR) -p $(JCE_BUILD_DIR)/release/UnlimitedJCEPolicy
-	$(CP) $(OBFUS_DIR)/jce.jar $(JCE_BUILD_DIR)/release
+	$(CP) $(SIGNED_DIR)/jce.jar $(JCE_BUILD_DIR)/release
 	$(CP) \
 	    $(SIGNED_POLICY_BUILDDIR)/limited/US_export_policy.jar   \
 	    $(SIGNED_POLICY_BUILDDIR)/limited/local_policy.jar       \
@@ -530,5 +475,5 @@
 .PHONY: build-jar jar build-policy unlimited limited install-jar \
 	install-limited install-unlimited
 ifndef OPENJDK
-.PHONY: sign sign-jar sign-policy obfus release install-prebuilt
+.PHONY: sign sign-jar sign-policy release install-prebuilt
 endif
--- a/make/sun/net/FILES_java.gmk	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/sun/net/FILES_java.gmk	Tue Aug 11 20:06:52 2009 -0600
@@ -41,6 +41,7 @@
 	sun/net/NetProperties.java \
 	sun/net/NetHooks.java \
 	sun/net/util/IPAddressUtil.java \
+	sun/net/util/URLUtil.java \
 	sun/net/dns/ResolverConfiguration.java \
 	sun/net/dns/ResolverConfigurationImpl.java \
 	sun/net/ftp/FtpClient.java \
--- a/make/sun/security/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/sun/security/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 1996-2007 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 1996-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -60,7 +60,7 @@
   endif
 endif
 
-SUBDIRS = other action util tools jgss krb5 smartcardio $(PKCS11) \
+SUBDIRS = ec other action util tools jgss krb5 smartcardio $(PKCS11) \
           $(JGSS_WRAPPER) $(MSCAPI)
 
 all build clean clobber::
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/sun/security/ec/FILES_c.gmk	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,54 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+FILES_c = \
+	ec.c \
+	ec2_163.c \
+	ec2_193.c \
+	ec2_233.c \
+	ec2_aff.c \
+	ec2_mont.c \
+	ecdecode.c \
+	ecl.c \
+	ecl_curve.c \
+	ecl_gf.c \
+	ecl_mult.c \
+	ec_naf.c \
+	ecp_192.c \
+	ecp_224.c \
+	ecp_256.c \
+	ecp_384.c \
+	ecp_521.c \
+	ecp_aff.c \
+	ecp_jac.c \
+	ecp_jm.c \
+	ecp_mont.c \
+	mp_gf2m.c \
+	mpi.c \
+	mplogic.c \
+	mpmontg.c \
+	oid.c \
+	secitem.c
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/sun/security/ec/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,319 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# Makefile for building sunec.jar and sunecc native library.
+#
+# This file was derived from make/com/sun/crypto/provider/Makefile.
+#
+
+#
+# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Sun JDK builds
+# respectively.)
+#
+# JCE builds are very different between OpenJDK and JDK.  The OpenJDK JCE
+# jar files do not require signing, but those for JDK do.  If an unsigned
+# jar file is installed into JDK, things will break when the crypto
+# routines are called.
+#
+# This Makefile does the "real" build of the JCE files.  For OpenJDK,
+# the jar files built here are installed directly into the OpenJDK.
+#
+# For JDK, the binaries use pre-built/pre-signed binary files stored in
+# the closed workspace that are not shipped in the OpenJDK workspaces.
+# We still build the JDK files here to verify the files compile, and in
+# preparation for possible signing.  Developers working on JCE in JDK
+# must sign the JCE files before testing.  The JCE signing key is kept
+# separate from the JDK workspace to prevent its disclosure.
+#
+# SPECIAL NOTE TO JCE/JDK developers:  The source files must eventually
+# be built, signed, and then the resulting jar files MUST BE CHECKED
+# INTO THE CLOSED PART OF THE WORKSPACE*.  This separate step *MUST NOT
+# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
+# reflected in the shipped binaries.  The "release" target should be
+# used to generate the required files.
+#
+# There are a number of targets to help both JDK/OpenJDK developers.
+#
+# Main Targets (JDK/OPENJDK):
+#
+#     all/clobber/clean		The usual, plus the native libraries.
+#				    If OpenJDK, installs sunec.jar.
+#				    If JDK, installs prebuilt
+#				    sunec.jar.
+#
+#     jar			Builds/installs sunec.jar
+#				    If OpenJDK, does not sign.
+#				    If JDK, tries to sign.
+#
+# Other lesser-used Targets (JDK/OPENJDK):
+#
+#     build-jar			Builds sunec.jar
+#				    (does not sign/install)
+#
+#     install-jar		Alias for "jar" above.
+#
+# Other targets (JDK only):
+#
+#     sign			Alias for sign-jar
+#	  sign-jar		Builds/signs sunec.jar (no install)
+#
+#     release			Builds all targets in preparation
+#				for workspace integration.
+#
+#     install-prebuilt		Installs the pre-built jar files
+#
+# This makefile was written to support parallel target execution.
+#
+
+BUILDDIR = ../../..
+PACKAGE = sun.security.ec
+PRODUCT = sun
+
+#
+# The following is for when we need to do postprocessing
+# (signing) against a read-only build.  If the OUTPUTDIR
+# isn't writable, the build currently crashes out.
+#
+ifndef OPENJDK
+  ifdef ALT_JCE_BUILD_DIR
+    # =====================================================
+    # Where to place the output, in case we're building from a read-only
+    # build area.  (e.g. a release engineering build.)
+    JCE_BUILD_DIR=${ALT_JCE_BUILD_DIR}
+    IGNORE_WRITABLE_OUTPUTDIR_TEST=true
+  else
+    JCE_BUILD_DIR=${TEMPDIR}
+  endif
+endif
+
+include $(BUILDDIR)/common/Defs.gmk
+
+#
+# Location for the newly built classfiles.
+#
+CLASSDESTDIR = $(TEMPDIR)/classes
+
+#
+# Java files
+#
+AUTO_FILES_JAVA_DIRS = $(PKGDIR)
+
+include $(BUILDDIR)/common/Classes.gmk
+
+#
+# Some licensees do not get the native ECC sources, but we still need to
+# be able to build "all" for them.  Check here to see if the sources are
+# available.  If not, then skip them.
+#
+
+NATIVE_ECC_AVAILABLE := $(shell \
+    if [ -d $(SHARE_SRC)/native/$(PKGDIR) ] ; then \
+	$(ECHO) true; \
+    else \
+	$(ECHO) false; \
+    fi)
+
+ifeq ($(NATIVE_ECC_AVAILABLE), true)
+
+  LIBRARY = sunecc
+
+  #
+  # Java files that define native methods
+  #
+  FILES_export = \
+      $(PKGDIR)/ECDHKeyAgreement.java \
+      $(PKGDIR)/ECDSASignature.java \
+      $(PKGDIR)/ECKeyPairGenerator.java
+
+  JAVAHFLAGS += -classpath $(CLASSDESTDIR)
+
+  #
+  # C and C++ files
+  #
+  include FILES_c.gmk
+
+  FILES_cpp = ECC_JNI.cpp
+
+  CPLUSPLUSLIBRARY=true
+
+  FILES_m = mapfile-vers
+
+  #
+  # Find native code
+  #
+  vpath %.cpp $(SHARE_SRC)/native/$(PKGDIR)
+
+  vpath %.c $(SHARE_SRC)/native/$(PKGDIR)
+
+  #
+  # Find include files
+  #
+  OTHER_INCLUDES += -I$(SHARE_SRC)/native/$(PKGDIR)
+
+  #
+  # Compiler flags
+  #
+  OTHER_CFLAGS += -DMP_API_COMPATIBLE -DNSS_ECC_MORE_THAN_SUITE_B
+
+  #
+  # Libraries to link
+  #
+  ifeq ($(PLATFORM), windows)
+    OTHER_LDLIBS += $(JVMLIB)
+  else
+    OTHER_LDLIBS = -ldl $(JVMLIB) $(LIBCXX)
+  endif
+
+  include $(BUILDDIR)/common/Mapfile-vers.gmk
+
+  include $(BUILDDIR)/common/Library.gmk
+
+endif # NATIVE_ECC_AVAILABLE
+
+#
+# We use a variety of subdirectories in the $(TEMPDIR) depending on what
+# part of the build we're doing.  Both OPENJDK/JDK builds are initially
+# done in the unsigned area.  When files are signed in JDK,
+# they will be placed in the appropriate area.
+#
+UNSIGNED_DIR = $(TEMPDIR)/unsigned
+
+include $(BUILDDIR)/javax/crypto/Defs-jce.gmk
+
+#
+# Rules
+#
+
+ifdef OPENJDK
+all: build-jar install-jar
+else
+all: build-jar install-prebuilt
+	$(build-warning)
+endif
+
+
+# =====================================================
+# Build the unsigned sunec.jar file.
+#
+
+JAR_DESTFILE = $(EXTDIR)/sunec.jar
+
+#
+# Since the -C option to jar is used below, each directory entry must be
+# preceded with the appropriate directory to "cd" into.
+#
+JAR_DIRS = $(patsubst %, -C $(CLASSDESTDIR) %, $(AUTO_FILES_JAVA_DIRS))
+
+build-jar: $(UNSIGNED_DIR)/sunec.jar
+
+#
+# Build sunec.jar.
+#
+$(UNSIGNED_DIR)/sunec.jar: build
+	$(prep-target)
+	$(BOOT_JAR_CMD) cf $@ $(JAR_DIRS) \
+	    $(BOOT_JAR_JFLAGS)
+	@$(java-vm-cleanup)
+
+
+ifndef OPENJDK
+# =====================================================
+# Sign the provider jar file.  Not needed for OpenJDK.
+#
+
+SIGNED_DIR = $(JCE_BUILD_DIR)/signed
+
+sign: sign-jar
+
+sign-jar: $(SIGNED_DIR)/sunec.jar
+
+ifndef ALT_JCE_BUILD_DIR
+$(SIGNED_DIR)/sunec.jar: $(UNSIGNED_DIR)/sunec.jar
+else
+#
+# We have to remove the build dependency, otherwise, we'll try to rebuild it
+# which we can't do on a read-only filesystem.
+#
+$(SIGNED_DIR)/sunec.jar:
+	@if [ ! -r $(UNSIGNED_DIR)/sunec.jar ] ; then \
+	    $(ECHO) "Couldn't find $(UNSIGNED_DIR)/sunec.jar"; \
+	    exit 1; \
+	fi
+endif
+	$(call sign-file, $(UNSIGNED_DIR)/sunec.jar)
+
+
+# =====================================================
+# Create the Release Engineering files.  Signed builds, etc.
+#
+
+release: $(SIGNED_DIR)/sunec.jar
+	$(RM) $(JCE_BUILD_DIR)/release/sunec.jar
+	$(MKDIR) -p $(JCE_BUILD_DIR)/release
+	$(CP) $(SIGNED_DIR)/sunec.jar $(JCE_BUILD_DIR)/release
+	$(release-warning)
+
+endif # OPENJDK
+
+
+# =====================================================
+# Install routines.
+#
+
+#
+# Install sunec.jar, depending on which type is requested.
+#
+install-jar jar: $(JAR_DESTFILE)
+ifndef OPENJDK
+	$(release-warning)
+endif
+
+ifdef OPENJDK
+$(JAR_DESTFILE): $(UNSIGNED_DIR)/sunec.jar
+else
+$(JAR_DESTFILE): $(SIGNED_DIR)/sunec.jar
+endif
+	$(install-file)
+
+ifndef OPENJDK
+install-prebuilt:
+	@$(ECHO) "\n>>>Installing prebuilt SunEC provider..."
+	$(RM) $(JAR_DESTFILE)
+	$(CP) $(PREBUILT_DIR)/ec/sunec.jar $(JAR_DESTFILE)
+endif
+
+
+# =====================================================
+# Support routines.
+#
+
+clobber clean::
+	$(RM) -r $(JAR_DESTFILE) $(TEMPDIR) $(JCE_BUILD_DIR)
+
+.PHONY: build-jar jar install-jar
+ifndef OPENJDK
+.PHONY: sign sign-jar release install-prebuilt
+endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/sun/security/ec/mapfile-vers	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,37 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# Define public interface.
+
+SUNWprivate_1.1 {
+        global:
+                Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair;
+                Java_sun_security_ec_ECKeyPairGenerator_getEncodedBytes;
+		Java_sun_security_ec_ECDSASignature_signDigest;
+		Java_sun_security_ec_ECDSASignature_verifySignedDigest;
+		Java_sun_security_ec_ECDHKeyAgreement_deriveKey;
+        local:
+                *;
+};
--- a/make/sun/security/mscapi/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/sun/security/mscapi/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 2005-2008 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -59,31 +59,31 @@
 #
 # Main Targets (JDK/OPENJDK):
 #
-#     all/clobber/clean		The usual, plus the native libraries.
-#				    If OpenJDK, installs sunmscapi.jar.
-#				    If JDK, installs prebuilt
-#				    sunmscapi.jar.
+#     all/clobber/clean        The usual, plus the native libraries.
+#                                  If OpenJDK, installs sunmscapi.jar.
+#                                  If JDK, installs prebuilt
+#                                      sunmscapi.jar.
 #
-#     jar			Builds/installs sunmscapi.jar
-#				    If OpenJDK, does not sign.
-#				    If JDK, tries to sign.
+#     jar                      Builds/installs sunmscapi.jar
+#                                  If OpenJDK, does not sign.
+#                                  If JDK, tries to sign.
 #
 # Other lesser-used Targets (JDK/OPENJDK):
 #
-#     build-jar			Builds sunmscapi.jar
-#				    (does not sign/install)
+#     build-jar                Builds sunmscapi.jar
+#                                  (does not sign/install)
 #
-#     install-jar		Alias for "jar" above.
+#     install-jar              Alias for "jar" above.
 #
 # Other targets (JDK only):
 #
-#     sign			Alias for sign-jar
-#	  sign-jar		Builds/signs sunmscapi.jar (no install)
+#     sign                     Alias for sign-jar
+#          sign-jar            Builds/signs sunmscapi.jar (no install)
 #
-#     release			Builds all targets in preparation
-#				for workspace integration.
+#     release                  Builds all targets in preparation
+#                              for workspace integration.
 #
-#     install-prebuilt		Installs the pre-built jar files
+#     install-prebuilt         Installs the pre-built jar files
 #
 # This makefile was written to support parallel target execution.
 #
--- a/make/sun/security/other/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/sun/security/other/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 1996-2007 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 1996-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -33,7 +33,6 @@
 #
 AUTO_FILES_JAVA_DIRS = \
     sun/security/acl \
-    sun/security/ec \
     sun/security/jca \
     sun/security/pkcs \
     sun/security/pkcs12 \
--- a/make/sun/security/pkcs11/Makefile	Tue Aug 11 20:02:43 2009 -0600
+++ b/make/sun/security/pkcs11/Makefile	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 #
-# Copyright 2003-2008 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -59,31 +59,31 @@
 #
 # Main Targets (JDK/OPENJDK):
 #
-#     all/clobber/clean		The usual, plus the native libraries.
-#				    If OpenJDK, installs sunpkcs11.jar.
-#				    If JDK, installs prebuilt
-#				    sunpkcs11.jar.
+#     all/clobber/clean        The usual, plus the native libraries.
+#                                  If OpenJDK, installs sunpkcs11.jar.
+#                                  If JDK, installs prebuilt
+#                                      sunpkcs11.jar.
 #
-#     jar			Builds/installs sunpkcs11.jar
-#				    If OpenJDK, does not sign.
-#				    If JDK, tries to sign.
+#     jar                      Builds/installs sunpkcs11.jar
+#                                  If OpenJDK, does not sign.
+#                                  If JDK, tries to sign.
 #
 # Other lesser-used Targets (JDK/OPENJDK):
 #
-#     build-jar			Builds sunpkcs11.jar
-#				    (does not sign/install)
+#     build-jar                Builds sunpkcs11.jar
+#                                  (does not sign/install)
 #
-#     install-jar		Alias for "jar" above.
+#     install-jar              Alias for "jar" above.
 #
 # Other targets (JDK only):
 #
-#     sign			Alias for sign-jar
-#	  sign-jar		Builds/signs sunpkcs11.jar (no install)
+#     sign                     Alias for sign-jar
+#          sign-jar            Builds/signs sunpkcs11.jar (no install)
 #
-#     release			Builds all targets in preparation
-#				for workspace integration.
+#     release                  Builds all targets in preparation
+#                              for workspace integration.
 #
-#     install-prebuilt		Installs the pre-built jar files
+#     install-prebuilt         Installs the pre-built jar files
 #
 # This makefile was written to support parallel target execution.
 #
--- a/src/share/classes/com/sun/crypto/provider/AESCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/AESCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -56,12 +56,8 @@
     /**
      * Creates an instance of AES cipher with default ECB mode and
      * PKCS5Padding.
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public AESCipher() {
-        SunJCE.ensureIntegrity(getClass());
         core = new CipherCore(new AESCrypt(), AESConstants.AES_BLOCK_SIZE);
     }
 
--- a/src/share/classes/com/sun/crypto/provider/AESKeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/AESKeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,16 +48,9 @@
     private int keySize = 16; // default keysize (in number of bytes)
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor.
      */
     public AESKeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2004-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -65,12 +65,8 @@
     /**
      * Creates an instance of AES KeyWrap cipher with default
      * mode, i.e. "ECB" and padding scheme, i.e. "NoPadding".
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public AESWrapCipher() {
-        SunJCE.ensureIntegrity(getClass());
         cipher = new AESCrypt();
     }
 
--- a/src/share/classes/com/sun/crypto/provider/ARCFOURCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/ARCFOURCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -62,7 +62,6 @@
 
     // called by the JCE framework
     public ARCFOURCipher() {
-        SunJCE.ensureIntegrity(getClass());
         S = new int[256];
     }
 
--- a/src/share/classes/com/sun/crypto/provider/BlowfishCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/BlowfishCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -60,12 +60,8 @@
     /**
      * Creates an instance of Blowfish cipher with default ECB mode and
      * PKCS5Padding.
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public BlowfishCipher() {
-        SunJCE.ensureIntegrity(getClass());
         core = new CipherCore(new BlowfishCrypt(),
                               BlowfishConstants.BLOWFISH_BLOCK_SIZE);
     }
--- a/src/share/classes/com/sun/crypto/provider/BlowfishKeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/BlowfishKeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,16 +46,9 @@
     private int keysize = 16; // default keysize (in number of bytes)
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public BlowfishKeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/DESCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -56,12 +56,8 @@
     /**
      * Creates an instance of DES cipher with default ECB mode and
      * PKCS5Padding.
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public DESCipher() {
-        SunJCE.ensureIntegrity(getClass());
         core = new CipherCore(new DESCrypt(), DESConstants.DES_BLOCK_SIZE);
     }
 
--- a/src/share/classes/com/sun/crypto/provider/DESKeyFactory.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESKeyFactory.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,17 +42,11 @@
 public final class DESKeyFactory extends SecretKeyFactorySpi {
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DESKeyFactory() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
+
     /**
      * Generates a <code>SecretKey</code> object from the provided key
      * specification (key material).
--- a/src/share/classes/com/sun/crypto/provider/DESKeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESKeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,16 +46,9 @@
     private SecureRandom random = null;
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DESKeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/DESedeCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESedeCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,12 +53,8 @@
     /**
      * Creates an instance of DESede cipher with default ECB mode and
      * PKCS5Padding.
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public DESedeCipher() {
-        SunJCE.ensureIntegrity(getClass());
         core = new CipherCore(new DESedeCrypt(), DESConstants.DES_BLOCK_SIZE);
     }
 
--- a/src/share/classes/com/sun/crypto/provider/DESedeKeyFactory.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESedeKeyFactory.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,16 +42,9 @@
 public final class DESedeKeyFactory extends SecretKeyFactorySpi {
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DESedeKeyFactory() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have been " +
-                                        "tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/DESedeKeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESedeKeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -47,16 +47,9 @@
     private int keysize = 168;
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DESedeKeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have been " +
-                                        "tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2004-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -74,12 +74,8 @@
     /**
      * Creates an instance of CMS DESede KeyWrap cipher with default
      * mode, i.e. "CBC" and padding scheme, i.e. "NoPadding".
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity.
      */
     public DESedeWrapCipher() {
-        SunJCE.ensureIntegrity(getClass());
         cipher = new CipherBlockChaining(new DESedeCrypt());
     }
 
--- a/src/share/classes/com/sun/crypto/provider/DHKeyAgreement.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DHKeyAgreement.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -58,16 +58,9 @@
     private BigInteger y = BigInteger.ZERO;
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DHKeyAgreement() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have been " +
-                                        "tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/DHKeyFactory.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/DHKeyFactory.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,16 +49,9 @@
 public final class DHKeyFactory extends KeyFactorySpi {
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public DHKeyFactory() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/HmacCore.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacCore.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -241,7 +241,6 @@
     public static final class HmacSHA256 extends MacSpi implements Cloneable {
         private final HmacCore core;
         public HmacSHA256() throws NoSuchAlgorithmException {
-            SunJCE.ensureIntegrity(getClass());
             core = new HmacCore("SHA-256", 64);
         }
         private HmacSHA256(HmacSHA256 base) throws CloneNotSupportedException {
@@ -278,7 +277,6 @@
     public static final class HmacSHA384 extends MacSpi implements Cloneable {
         private final HmacCore core;
         public HmacSHA384() throws NoSuchAlgorithmException {
-            SunJCE.ensureIntegrity(getClass());
             core = new HmacCore("SHA-384", 128);
         }
         private HmacSHA384(HmacSHA384 base) throws CloneNotSupportedException {
@@ -315,7 +313,6 @@
     public static final class HmacSHA512 extends MacSpi implements Cloneable {
         private final HmacCore core;
         public HmacSHA512() throws NoSuchAlgorithmException {
-            SunJCE.ensureIntegrity(getClass());
             core = new HmacCore("SHA-512", 128);
         }
         private HmacSHA512(HmacSHA512 base) throws CloneNotSupportedException {
--- a/src/share/classes/com/sun/crypto/provider/HmacMD5.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacMD5.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,16 +44,8 @@
 
     /**
      * Standard constructor, creates a new HmacMD5 instance.
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
      */
     public HmacMD5() throws NoSuchAlgorithmException {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
         hmac = new HmacCore(MessageDigest.getInstance("MD5"),
                             MD5_BLOCK_LENGTH);
     }
--- a/src/share/classes/com/sun/crypto/provider/HmacMD5KeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacMD5KeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,16 +46,9 @@
     private int keysize = 64; // default keysize (in number of bytes)
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public HmacMD5KeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,13 +48,8 @@
 
     /**
      * Standard constructor, creates a new HmacSHA1 instance.
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
      */
     public HmacPKCS12PBESHA1() throws NoSuchAlgorithmException {
-        SunJCE.ensureIntegrity(this.getClass());
         this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"),
                                  SHA1_BLOCK_LENGTH);
     }
--- a/src/share/classes/com/sun/crypto/provider/HmacSHA1.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacSHA1.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,16 +44,8 @@
 
     /**
      * Standard constructor, creates a new HmacSHA1 instance.
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
      */
     public HmacSHA1() throws NoSuchAlgorithmException {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
         this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"),
                                  SHA1_BLOCK_LENGTH);
     }
--- a/src/share/classes/com/sun/crypto/provider/HmacSHA1KeyGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/HmacSHA1KeyGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,16 +46,9 @@
     private int keysize = 64; // default keysize (in number of bytes)
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public HmacSHA1KeyGenerator() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/JarVerifier.java	Tue Aug 11 20:02:43 2009 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-/*
- * Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package com.sun.crypto.provider;
-
-// NOTE: this class is duplicated amongst SunJCE, SunPKCS11, and SunMSCAPI.
-// All files should be kept in sync.
-
-import java.io.*;
-import java.util.*;
-import java.util.jar.*;
-import java.net.URL;
-import java.net.JarURLConnection;
-import java.net.MalformedURLException;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-/**
- * This class verifies JAR files (and any supporting JAR files), and
- * determines whether they may be used in this implementation.
- *
- * The JCE in OpenJDK has an open cryptographic interface, meaning it
- * does not restrict which providers can be used.  Compliance with
- * United States export controls and with local law governing the
- * import/export of products incorporating the JCE in the OpenJDK is
- * the responsibility of the licensee.
- *
- * @since 1.7
- */
-final class JarVerifier {
-
-    private static final boolean debug = false;
-
-    /**
-     * Verify the JAR file is signed by an entity which has a certificate
-     * issued by a trusted CA.
-     *
-     * Note: this is a temporary method and will change soon to use the
-     * exception chaining mechanism, which can provide more details
-     * as to why the verification failed.
-     *
-     * @param c the class to be verified.
-     * @return true if verification is successful.
-     */
-    static boolean verify(final Class c) {
-        return true;
-    }
-}
--- a/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -109,7 +109,6 @@
     public static final class HmacSHA256KG extends KeyGeneratorSpi {
         private final KeyGeneratorCore core;
         public HmacSHA256KG() {
-            SunJCE.ensureIntegrity(getClass());
             core = new KeyGeneratorCore("HmacSHA256", 256);
         }
         protected void engineInit(SecureRandom random) {
@@ -131,7 +130,6 @@
     public static final class HmacSHA384KG extends KeyGeneratorSpi {
         private final KeyGeneratorCore core;
         public HmacSHA384KG() {
-            SunJCE.ensureIntegrity(getClass());
             core = new KeyGeneratorCore("HmacSHA384", 384);
         }
         protected void engineInit(SecureRandom random) {
@@ -153,7 +151,6 @@
     public static final class HmacSHA512KG extends KeyGeneratorSpi {
         private final KeyGeneratorCore core;
         public HmacSHA512KG() {
-            SunJCE.ensureIntegrity(getClass());
             core = new KeyGeneratorCore("HmacSHA512", 512);
         }
         protected void engineInit(SecureRandom random) {
@@ -175,7 +172,6 @@
     public static final class RC2KeyGenerator extends KeyGeneratorSpi {
         private final KeyGeneratorCore core;
         public RC2KeyGenerator() {
-            SunJCE.ensureIntegrity(getClass());
             core = new KeyGeneratorCore("RC2", 128);
         }
         protected void engineInit(SecureRandom random) {
@@ -201,7 +197,6 @@
     public static final class ARCFOURKeyGenerator extends KeyGeneratorSpi {
         private final KeyGeneratorCore core;
         public ARCFOURKeyGenerator() {
-            SunJCE.ensureIntegrity(getClass());
             core = new KeyGeneratorCore("ARCFOUR", 128);
         }
         protected void engineInit(SecureRandom random) {
--- a/src/share/classes/com/sun/crypto/provider/PBEKeyFactory.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/PBEKeyFactory.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,16 +49,9 @@
     private static HashSet<String> validTypes;
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Simple constructor
      */
     private PBEKeyFactory(String keytype) {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
         type = keytype;
     }
 
--- a/src/share/classes/com/sun/crypto/provider/PBEWithMD5AndDESCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/PBEWithMD5AndDESCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -55,16 +55,9 @@
      * unavailable
      * @exception NoSuchPaddingException if the required padding mechanism
      * (PKCS5Padding) is unavailable
-     *
-     * @exception SecurityException if this constructor fails to verify
-     * its own integrity
      */
     public PBEWithMD5AndDESCipher()
         throws NoSuchAlgorithmException, NoSuchPaddingException {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
         core = new PBECipherCore("DES");
     }
 
--- a/src/share/classes/com/sun/crypto/provider/PBEWithMD5AndTripleDESCipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/PBEWithMD5AndTripleDESCipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -61,23 +61,14 @@
      * Creates an instance of this cipher, and initializes its mode (CBC) and
      * padding (PKCS5).
      *
-     * Verify the SunJCE provider in the constructor.
-     *
      * @exception NoSuchAlgorithmException if the required cipher mode (CBC) is
      * unavailable
      * @exception NoSuchPaddingException if the required padding mechanism
      * (PKCS5Padding) is unavailable
-     * @exception SecurityException if fails to verify
-     * its own integrity
      */
     public PBEWithMD5AndTripleDESCipher()
         throws NoSuchAlgorithmException, NoSuchPaddingException
     {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
-
         // set the encapsulated cipher to do triple DES
         core = new PBECipherCore("DESede");
     }
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2HmacSHA1Factory.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/PBKDF2HmacSHA1Factory.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,16 +45,9 @@
 public final class PBKDF2HmacSHA1Factory extends SecretKeyFactorySpi {
 
     /**
-     * Verify the SunJCE provider in the constructor.
-     *
-     * @exception SecurityException if fails to verify
-     * its own integrity
+     * Empty constructor
      */
     public PBKDF2HmacSHA1Factory() {
-        if (!SunJCE.verifySelfIntegrity(this.getClass())) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
     }
 
     /**
--- a/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -370,7 +370,6 @@
     public static final class PBEWithSHA1AndDESede extends CipherSpi {
         private final PKCS12PBECipherCore core;
         public PBEWithSHA1AndDESede() throws NoSuchAlgorithmException {
-            SunJCE.ensureIntegrity(this.getClass());
             core = new PKCS12PBECipherCore("DESede", 24);
         }
         protected byte[] engineDoFinal(byte[] in, int inOff, int inLen)
@@ -446,7 +445,6 @@
     public static final class PBEWithSHA1AndRC2_40 extends CipherSpi {
         private final PKCS12PBECipherCore core;
         public PBEWithSHA1AndRC2_40() throws NoSuchAlgorithmException {
-            SunJCE.ensureIntegrity(this.getClass());
             core = new PKCS12PBECipherCore("RC2", 5);
         }
         protected byte[] engineDoFinal(byte[] in, int inOff, int inLen)
--- a/src/share/classes/com/sun/crypto/provider/RC2Cipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/RC2Cipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,6 @@
     private final RC2Crypt embeddedCipher;
 
     public RC2Cipher() {
-        SunJCE.ensureIntegrity(getClass());
         embeddedCipher = new RC2Crypt();
         core = new CipherCore(embeddedCipher, 8);
     }
--- a/src/share/classes/com/sun/crypto/provider/RSACipher.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/RSACipher.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -111,7 +111,6 @@
     private String oaepHashAlgorithm = "SHA-1";
 
     public RSACipher() {
-        SunJCE.ensureIntegrity(getClass());
         paddingType = PAD_PKCS1;
     }
 
--- a/src/share/classes/com/sun/crypto/provider/SslMacCore.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/SslMacCore.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -226,9 +226,6 @@
 
         static final byte[] md5Pad1 = genPad((byte)0x36, 48);
         static final byte[] md5Pad2 = genPad((byte)0x5c, 48);
-        static {
-            SunJCE.ensureIntegrity(SslMacMD5.class);
-        }
     }
 
     // nested static class for the SslMacMD5 implementation
@@ -262,9 +259,6 @@
 
         static final byte[] shaPad1 = genPad((byte)0x36, 40);
         static final byte[] shaPad2 = genPad((byte)0x5c, 40);
-        static {
-            SunJCE.ensureIntegrity(SslMacSHA1.class);
-        }
     }
 
 }
--- a/src/share/classes/com/sun/crypto/provider/SunJCE.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/SunJCE.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -93,10 +93,6 @@
 
     static final SecureRandom RANDOM = new SecureRandom();
 
-    // After the SunJCE passed self-integrity checking,
-    // verifiedSelfIntegrity will be set to true.
-    private static boolean verifiedSelfIntegrity = false;
-
     public SunJCE() {
         /* We are the "SunJCE" provider */
         super("SunJCE", 1.7d, info);
@@ -441,21 +437,4 @@
             }
         });
     }
-
-    // set to true once self verification is complete
-    private static volatile boolean integrityVerified;
-
-    static void ensureIntegrity(Class c) {
-        if (verifySelfIntegrity(c) == false) {
-            throw new SecurityException("The SunJCE provider may have " +
-                                        "been tampered.");
-        }
-    }
-
-    static final boolean verifySelfIntegrity(Class c) {
-        if (verifiedSelfIntegrity) {
-            return true;
-        }
-        return (integrityVerified = JarVerifier.verify(c));
-    }
 }
--- a/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,7 +52,6 @@
     private int protocolVersion;
 
     public TlsKeyMaterialGenerator() {
-        SunJCE.ensureIntegrity(getClass());
     }
 
     protected void engineInit(SecureRandom random) {
--- a/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,6 @@
     private int protocolVersion;
 
     public TlsMasterSecretGenerator() {
-        SunJCE.ensureIntegrity(getClass());
     }
 
     protected void engineInit(SecureRandom random) {
--- a/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -109,7 +109,6 @@
     private TlsPrfParameterSpec spec;
 
     public TlsPrfGenerator() {
-        SunJCE.ensureIntegrity(getClass());
     }
 
     protected void engineInit(SecureRandom random) {
--- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,7 +48,6 @@
     private SecureRandom random;
 
     public TlsRsaPremasterSecretGenerator() {
-        SunJCE.ensureIntegrity(getClass());
     }
 
     protected void engineInit(SecureRandom random) {
--- a/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -51,7 +51,7 @@
               entensions,
               mimeType,
               "com.sun.imageio.plugins.bmp.BMPImageReader",
-              STANDARD_INPUT_TYPE,
+              new Class[] { ImageInputStream.class },
               writerSpiNames,
               false,
               null, null, null, null,
--- a/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -32,6 +32,7 @@
 import javax.imageio.spi.ImageWriterSpi;
 import javax.imageio.spi.ServiceRegistry;
 import javax.imageio.spi.IIORegistry;
+import javax.imageio.stream.ImageOutputStream;
 import javax.imageio.ImageWriter;
 import javax.imageio.ImageTypeSpecifier;
 import javax.imageio.IIOException;
@@ -55,7 +56,7 @@
               entensions,
               mimeType,
               "com.sun.imageio.plugins.bmp.BMPImageWriter",
-              STANDARD_OUTPUT_TYPE,
+              new Class[] { ImageOutputStream.class },
               readerSpiNames,
               false,
               null, null, null, null,
--- a/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -60,7 +60,7 @@
               suffixes,
               MIMETypes,
               readerClassName,
-              STANDARD_INPUT_TYPE,
+              new Class[] { ImageInputStream.class },
               writerSpiNames,
               true,
               GIFStreamMetadata.nativeMetadataFormatName,
--- a/src/share/classes/com/sun/imageio/plugins/gif/GIFImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/gif/GIFImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -31,6 +31,7 @@
 import javax.imageio.ImageTypeSpecifier;
 import javax.imageio.ImageWriter;
 import javax.imageio.spi.ImageWriterSpi;
+import javax.imageio.stream.ImageOutputStream;
 import com.sun.imageio.plugins.common.PaletteBuilder;
 
 public class GIFImageWriterSpi extends ImageWriterSpi {
@@ -59,7 +60,7 @@
               suffixes,
               MIMETypes,
               writerClassName,
-              STANDARD_OUTPUT_TYPE,
+              new Class[] { ImageOutputStream.class },
               readerSpiNames,
               true,
               GIFWritableStreamMetadata.NATIVE_FORMAT_NAME,
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -46,7 +46,7 @@
               JPEG.suffixes,
               JPEG.MIMETypes,
               "com.sun.imageio.plugins.jpeg.JPEGImageReader",
-              STANDARD_INPUT_TYPE,
+              new Class[] { ImageInputStream.class },
               writerSpiNames,
               true,
               JPEG.nativeStreamMetadataFormatName,
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -28,6 +28,7 @@
 import javax.imageio.spi.ImageWriterSpi;
 import javax.imageio.spi.ServiceRegistry;
 import javax.imageio.spi.IIORegistry;
+import javax.imageio.stream.ImageOutputStream;
 import javax.imageio.ImageWriter;
 import javax.imageio.ImageTypeSpecifier;
 import javax.imageio.IIOException;
@@ -49,7 +50,7 @@
               JPEG.suffixes,
               JPEG.MIMETypes,
               "com.sun.imageio.plugins.jpeg.JPEGImageWriter",
-              STANDARD_OUTPUT_TYPE,
+              new Class[] { ImageOutputStream.class },
               readerSpiNames,
               true,
               JPEG.nativeStreamMetadataFormatName,
--- a/src/share/classes/com/sun/imageio/plugins/png/PNGImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/png/PNGImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -60,7 +60,7 @@
               suffixes,
               MIMETypes,
               readerClassName,
-              STANDARD_INPUT_TYPE,
+              new Class[] { ImageInputStream.class },
               writerSpiNames,
               false,
               null, null,
--- a/src/share/classes/com/sun/imageio/plugins/png/PNGImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/png/PNGImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -34,6 +34,7 @@
 import javax.imageio.metadata.IIOMetadataFormat;
 import javax.imageio.metadata.IIOMetadataFormatImpl;
 import javax.imageio.spi.ImageWriterSpi;
+import javax.imageio.stream.ImageOutputStream;
 
 public class PNGImageWriterSpi extends ImageWriterSpi {
 
@@ -61,7 +62,7 @@
                 suffixes,
                 MIMETypes,
                 writerClassName,
-                STANDARD_OUTPUT_TYPE,
+                new Class[] { ImageOutputStream.class },
                 readerSpiNames,
                 false,
                 null, null,
--- a/src/share/classes/com/sun/imageio/plugins/wbmp/WBMPImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/wbmp/WBMPImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -55,7 +55,7 @@
               entensions,
               mimeType,
               "com.sun.imageio.plugins.wbmp.WBMPImageReader",
-              STANDARD_INPUT_TYPE,
+              new Class[] { ImageInputStream.class },
               writerSpiNames,
               true,
               null, null, null, null,
--- a/src/share/classes/com/sun/imageio/plugins/wbmp/WBMPImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/plugins/wbmp/WBMPImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -28,6 +28,7 @@
 import javax.imageio.spi.ImageWriterSpi;
 import javax.imageio.spi.ServiceRegistry;
 import javax.imageio.spi.IIORegistry;
+import javax.imageio.stream.ImageOutputStream;
 import javax.imageio.ImageWriter;
 import javax.imageio.ImageTypeSpecifier;
 import javax.imageio.IIOException;
@@ -54,7 +55,7 @@
               entensions,
               mimeType,
               "com.sun.imageio.plugins.wbmp.WBMPImageWriter",
-              STANDARD_OUTPUT_TYPE,
+              new Class[] { ImageOutputStream.class },
               readerSpiNames,
               true,
               null, null, null, null,
--- a/src/share/classes/com/sun/imageio/stream/StreamCloser.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/imageio/stream/StreamCloser.java	Tue Aug 11 20:06:52 2009 -0600
@@ -43,35 +43,35 @@
  */
 public class StreamCloser {
 
-    private static WeakHashMap<ImageInputStream, Object> toCloseQueue;
+    private static WeakHashMap<CloseAction, Object> toCloseQueue;
     private static Thread streamCloser;
 
-    public static void addToQueue(ImageInputStream iis) {
+    public static void addToQueue(CloseAction ca) {
         synchronized (StreamCloser.class) {
             if (toCloseQueue == null) {
                 toCloseQueue =
-                    new WeakHashMap<ImageInputStream, Object>();
+                    new WeakHashMap<CloseAction, Object>();
             }
 
-            toCloseQueue.put(iis, null);
+            toCloseQueue.put(ca, null);
 
             if (streamCloser == null) {
                 final Runnable streamCloserRunnable = new Runnable() {
                     public void run() {
                         if (toCloseQueue != null) {
                             synchronized (StreamCloser.class) {
-                                Set<ImageInputStream> set =
+                                Set<CloseAction> set =
                                     toCloseQueue.keySet();
                                 // Make a copy of the set in order to avoid
                                 // concurrent modification (the is.close()
                                 // will in turn call removeFromQueue())
-                                ImageInputStream[] streams =
-                                    new ImageInputStream[set.size()];
-                                streams = set.toArray(streams);
-                                for (ImageInputStream is : streams) {
-                                    if (is != null) {
+                                CloseAction[] actions =
+                                    new CloseAction[set.size()];
+                                actions = set.toArray(actions);
+                                for (CloseAction ca : actions) {
+                                    if (ca != null) {
                                         try {
-                                            is.close();
+                                            ca.performAction();
                                         } catch (IOException e) {
                                         }
                                     }
@@ -106,10 +106,28 @@
         }
     }
 
-    public static void removeFromQueue(ImageInputStream iis) {
+    public static void removeFromQueue(CloseAction ca) {
         synchronized (StreamCloser.class) {
             if (toCloseQueue != null) {
-                toCloseQueue.remove(iis);
+                toCloseQueue.remove(ca);
+            }
+        }
+    }
+
+    public static CloseAction createCloseAction(ImageInputStream iis) {
+        return new CloseAction(iis);
+    }
+
+    public static final class CloseAction {
+        private ImageInputStream iis;
+
+        private CloseAction(ImageInputStream iis) {
+            this.iis = iis;
+        }
+
+        public void performAction() throws IOException {
+            if (iis != null) {
+                iis.close();
             }
         }
     }
--- a/src/share/classes/com/sun/jndi/dns/DnsContext.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/jndi/dns/DnsContext.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -922,7 +922,7 @@
 
     //---------- Debugging
 
-    public static boolean debug = false;
+    private static final boolean debug = false;
 
     private static final void dprint(String msg) {
         if (debug) {
@@ -972,14 +972,11 @@
     }
 
     /*
-     * ctx will be closed when no longer needed by the enumeration.
+     * ctx will be set to null when no longer needed by the enumeration.
      */
-    public void close () {
+    public void close() {
         nodes = null;
-        if (ctx != null) {
-            ctx.close();
-            ctx = null;
-        }
+        ctx = null;
     }
 
     public boolean hasMore() {
--- a/src/share/classes/com/sun/media/sound/JDK13Services.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/media/sound/JDK13Services.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,6 +41,15 @@
 import javax.sound.midi.spi.SoundbankReader;
 import javax.sound.midi.spi.MidiDeviceProvider;
 
+import javax.sound.midi.Receiver;
+import javax.sound.midi.Sequencer;
+import javax.sound.midi.Synthesizer;
+import javax.sound.midi.Transmitter;
+import javax.sound.sampled.Clip;
+import javax.sound.sampled.Port;
+import javax.sound.sampled.SourceDataLine;
+import javax.sound.sampled.TargetDataLine;
+
 
 /**
  * JDK13Services uses the Service class in JDK 1.3
@@ -186,6 +195,16 @@
         If the property is not set, null is returned.
      */
     private static synchronized String getDefaultProvider(Class typeClass) {
+        if (!SourceDataLine.class.equals(typeClass)
+                && !TargetDataLine.class.equals(typeClass)
+                && !Clip.class.equals(typeClass)
+                && !Port.class.equals(typeClass)
+                && !Receiver.class.equals(typeClass)
+                && !Transmitter.class.equals(typeClass)
+                && !Synthesizer.class.equals(typeClass)
+                && !Sequencer.class.equals(typeClass)) {
+            return null;
+        }
         String value;
         String propertyName = typeClass.getName();
         value = JSSecurityManager.getProperty(propertyName);
--- a/src/share/classes/com/sun/media/sound/JSSecurityManager.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/media/sound/JSSecurityManager.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -283,28 +283,37 @@
 
 
     static List getProviders(final Class providerClass) {
-        PrivilegedAction action = new PrivilegedAction() {
-                public Object run() {
-                    List p = new ArrayList();
-                    Iterator ps = Service.providers(providerClass);
-                    while (ps.hasNext()) {
-                        try {
-                            Object provider = ps.next();
-                            if (providerClass.isInstance(provider)) {
-                                // $$mp 2003-08-22
-                                // Always adding at the beginning reverses the
-                                // order of the providers. So we no longer have
-                                // to do this in AudioSystem and MidiSystem.
-                                p.add(0, provider);
-                            }
-                        } catch (Throwable t) {
-                            //$$fb 2002-11-07: do not fail on SPI not found
-                            if (Printer.err) t.printStackTrace();
-                        }                                                                  }
-                    return p;
+        List p = new ArrayList();
+        // Service.providers(Class) just creates "lazy" iterator instance,
+        // so it doesn't require do be called from privileged section
+        final Iterator ps = Service.providers(providerClass);
+
+        // the iterator's hasNext() method looks through classpath for
+        // the provider class names, so it requires read permissions
+        PrivilegedAction<Boolean> hasNextAction = new PrivilegedAction<Boolean>() {
+            public Boolean run() {
+                return ps.hasNext();
+            }
+        };
+
+        while (AccessController.doPrivileged(hasNextAction)) {
+            try {
+                // the iterator's next() method creates instances of the
+                // providers and it should be called in the current security
+                // context
+                Object provider = ps.next();
+                if (providerClass.isInstance(provider)) {
+                    // $$mp 2003-08-22
+                    // Always adding at the beginning reverses the
+                    // order of the providers. So we no longer have
+                    // to do this in AudioSystem and MidiSystem.
+                    p.add(0, provider);
                 }
-            };
-        List providers = (List) AccessController.doPrivileged(action);
-        return providers;
+            } catch (Throwable t) {
+                //$$fb 2002-11-07: do not fail on SPI not found
+                if (Printer.err) t.printStackTrace();
+            }
+        }
+        return p;
     }
 }
--- a/src/share/classes/com/sun/media/sound/StandardMidiFileWriter.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/media/sound/StandardMidiFileWriter.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -82,7 +82,7 @@
     /**
      * MIDI parser types
      */
-    public static final int types[] = {
+    private static final int types[] = {
         MIDI_TYPE_0,
         MIDI_TYPE_1
     };
--- a/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/IntegrityHmac.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/IntegrityHmac.java	Tue Aug 11 20:06:52 2009 -0600
@@ -60,8 +60,14 @@
     */
    public abstract String engineGetURI();
 
+   /**
+    * Returns the output length of the hash/digest.
+    */
+   abstract int getDigestLength();
+
    /** Field _macAlgorithm */
    private Mac _macAlgorithm = null;
+   private boolean _HMACOutputLengthSet = false;
 
    /** Field _HMACOutputLength */
    int _HMACOutputLength = 0;
@@ -100,7 +106,9 @@
    }
 
    public void reset() {
-           _HMACOutputLength=0;
+       _HMACOutputLength=0;
+       _HMACOutputLengthSet = false;
+       _macAlgorithm.reset();
    }
 
    /**
@@ -115,14 +123,16 @@
            throws XMLSignatureException {
 
       try {
-         byte[] completeResult = this._macAlgorithm.doFinal();
-
-         if ((this._HMACOutputLength == 0) || (this._HMACOutputLength >= 160)) {
+         if (this._HMACOutputLengthSet && this._HMACOutputLength < getDigestLength()) {
+            if (log.isLoggable(java.util.logging.Level.FINE)) {
+                log.log(java.util.logging.Level.FINE,
+                    "HMACOutputLength must not be less than " + getDigestLength());
+            }
+            throw new XMLSignatureException("errorMessages.XMLSignatureException");
+         } else {
+            byte[] completeResult = this._macAlgorithm.doFinal();
             return MessageDigestAlgorithm.isEqual(completeResult, signature);
          }
-         byte[] stripped = IntegrityHmac.reduceBitLength(completeResult,
-                                 this._HMACOutputLength);
-         return MessageDigestAlgorithm.isEqual(stripped, signature);
       } catch (IllegalStateException ex) {
          throw new XMLSignatureException("empty", ex);
       }
@@ -176,14 +186,15 @@
    protected byte[] engineSign() throws XMLSignatureException {
 
       try {
-         byte[] completeResult = this._macAlgorithm.doFinal();
-
-         if ((this._HMACOutputLength == 0) || (this._HMACOutputLength >= 160)) {
-            return completeResult;
+         if (this._HMACOutputLengthSet && this._HMACOutputLength < getDigestLength()) {
+            if (log.isLoggable(java.util.logging.Level.FINE)) {
+                log.log(java.util.logging.Level.FINE,
+                    "HMACOutputLength must not be less than " + getDigestLength());
+            }
+            throw new XMLSignatureException("errorMessages.XMLSignatureException");
+         } else {
+            return this._macAlgorithm.doFinal();
          }
-          return IntegrityHmac.reduceBitLength(completeResult,
-                                                 this._HMACOutputLength);
-
       } catch (IllegalStateException ex) {
          throw new XMLSignatureException("empty", ex);
       }
@@ -361,6 +372,7 @@
     */
    protected void engineSetHMACOutputLength(int HMACOutputLength) {
       this._HMACOutputLength = HMACOutputLength;
+      this._HMACOutputLengthSet = true;
    }
 
    /**
@@ -376,12 +388,13 @@
          throw new IllegalArgumentException("element null");
       }
 
-             Text hmaclength =XMLUtils.selectDsNodeText(element.getFirstChild(),
-                    Constants._TAG_HMACOUTPUTLENGTH,0);
+      Text hmaclength =XMLUtils.selectDsNodeText(element.getFirstChild(),
+         Constants._TAG_HMACOUTPUTLENGTH,0);
 
-            if (hmaclength != null) {
-               this._HMACOutputLength = Integer.parseInt(hmaclength.getData());
-            }
+      if (hmaclength != null) {
+         this._HMACOutputLength = Integer.parseInt(hmaclength.getData());
+         this._HMACOutputLengthSet = true;
+      }
 
    }
 
@@ -390,14 +403,13 @@
     *
     * @param element
     */
-   public void engineAddContextToElement(Element element)
-           {
+   public void engineAddContextToElement(Element element) {
 
       if (element == null) {
          throw new IllegalArgumentException("null element");
       }
 
-      if (this._HMACOutputLength != 0) {
+      if (this._HMACOutputLengthSet) {
          Document doc = element.getOwnerDocument();
          Element HMElem = XMLUtils.createElementInSignatureSpace(doc,
                              Constants._TAG_HMACOUTPUTLENGTH);
@@ -436,6 +448,10 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_SHA1;
       }
+
+      int getDigestLength() {
+          return 160;
+      }
    }
 
    /**
@@ -463,6 +479,10 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_SHA256;
       }
+
+      int getDigestLength() {
+          return 256;
+      }
    }
 
    /**
@@ -490,6 +510,10 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_SHA384;
       }
+
+      int getDigestLength() {
+          return 384;
+      }
    }
 
    /**
@@ -517,6 +541,10 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_SHA512;
       }
+
+      int getDigestLength() {
+          return 512;
+      }
    }
 
    /**
@@ -544,6 +572,10 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_RIPEMD160;
       }
+
+      int getDigestLength() {
+          return 160;
+      }
    }
 
    /**
@@ -571,5 +603,9 @@
       public String engineGetURI() {
          return XMLSignature.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5;
       }
+
+      int getDigestLength() {
+          return 128;
+      }
    }
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+/**
+ * Kerberos 5 AuthorizationData entry.
+ */
+final public class AuthorizationDataEntry {
+
+    private final int type;
+    private final byte[] data;
+
+    /**
+     * Create an AuthorizationDataEntry object.
+     * @param type the ad-type
+     * @param data the ad-data, a copy of the data will be saved
+     * inside the object.
+     */
+    public AuthorizationDataEntry(int type, byte[] data) {
+        this.type = type;
+        this.data = data.clone();
+    }
+
+    /**
+     * Get the ad-type field.
+     * @return ad-type
+     */
+    public int getType() {
+        return type;
+    }
+
+    /**
+     * Get a copy of the ad-data field.
+     * @return ad-data
+     */
+    public byte[] getData() {
+        return data.clone();
+    }
+
+    public String toString() {
+        return "AuthorizationDataEntry: type="+type+", data=" +
+                data.length + " bytes:\n" +
+                new sun.misc.HexDumpEncoder().encode(data);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+import org.ietf.jgss.*;
+
+/**
+ * The extended GSSContext interface for supporting additional
+ * functionalities not defined by {@code org.ietf.jgss.GSSContext},
+ * such as querying context-specific attributes.
+ */
+public interface ExtendedGSSContext extends GSSContext {
+    /**
+     * Return the mechanism-specific attribute associated with {@code type}.
+     * <br><br>
+     * For each supported attribute type, the type for the output are
+     * defined below.
+     * <ol>
+     * <li>{@code KRB5_GET_TKT_FLAGS}:
+     * the returned object is a boolean array for the service ticket flags,
+     * which is long enough to contain all true bits. This means if
+     * the user wants to get the <em>n</em>'th bit but the length of the
+     * returned array is less than <em>n</em>, it is regarded as false.
+     * <li>{@code KRB5_GET_SESSION_KEY}:
+     * the returned object is an instance of {@link java.security.Key},
+     * which has the following properties:
+     *    <ul>
+     *    <li>Algorithm: enctype as a string, where
+     *        enctype is defined in RFC 3961, section 8.
+     *    <li>Format: "RAW"
+     *    <li>Encoded form: the raw key bytes, not in any ASN.1 encoding
+     *    </ul>
+     * <li>{@code KRB5_GET_AUTHZ_DATA}:
+     * the returned object is an array of
+     * {@link com.sun.security.jgss.AuthorizationDataEntry}, or null if the
+     * optional field is missing in the service ticket.
+     * <li>{@code KRB5_GET_AUTHTIME}:
+     * the returned object is a String object in the standard KerberosTime
+     * format defined in RFC 4120 5.2.3
+     * </ol>
+     *
+     * If there is a security manager, an {@link InquireSecContextPermission}
+     * with the name {@code type.mech} must be granted. Otherwise, this could
+     * result in a {@link SecurityException}.<p>
+     *
+     * Example:
+     * <pre>
+     *      GSSContext ctxt = m.createContext(...)
+     *      // Establishing the context
+     *      if (ctxt instanceof ExtendedGSSContext) {
+     *          ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
+     *          try {
+     *              Key key = (key)ex.inquireSecContext(
+     *                      InquireType.KRB5_GET_SESSION_KEY);
+     *              // read key info
+     *          } catch (GSSException gsse) {
+     *              // deal with exception
+     *          }
+     *      }
+     * </pre>
+     * @param type the type of the attribute requested
+     * @return the attribute, see the method documentation for details.
+     * @throws GSSException containing  the following
+     * major error codes:
+     *   {@link GSSException#BAD_MECH GSSException.BAD_MECH} if the mechanism
+     *   does not support this method,
+     *   {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE} if the
+     *   type specified is not supported,
+     *   {@link GSSException#NO_CONTEXT GSSException.NO_CONTEXT} if the
+     *   security context is invalid,
+     *   {@link GSSException#FAILURE GSSException.FAILURE} for other
+     *   unspecified failures.
+     * @throws SecurityException if a security manager exists and a proper
+     *   {@link InquireSecContextPermission} is not granted.
+     * @see InquireSecContextPermission
+     */
+    public Object inquireSecContext(InquireType type)
+            throws GSSException;
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/com/sun/security/jgss/InquireSecContextPermission.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+import java.security.BasicPermission;
+
+/**
+ * This class is used to protect various attributes of an established
+ * GSS security context that can be accessed using the
+ * {@link com.sun.security.jgss.ExtendedGSSContext#inquireSecContext}
+ * method.
+ *
+ * <p>The target name is the {@link InquireType} allowed.
+ */
+public final class InquireSecContextPermission extends BasicPermission {
+
+    /**
+     * Constructs a new {@code InquireSecContextPermission} object with
+     * the specified name. The name is the symbolic name of the
+     * {@link InquireType} allowed.
+     *
+     * @param name the {@link InquireType} allowed by this
+     * permission. "*" means all {@link InquireType}s are allowed.
+     *
+     * @throws NullPointerException if <code>name</code> is <code>null</code>.
+     * @throws IllegalArgumentException if <code>name</code> is empty.
+     */
+    public InquireSecContextPermission(String name) {
+        super(name);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/com/sun/security/jgss/InquireType.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+/**
+ * Attribute types that can be specified as an argument of
+ * {@link com.sun.security.jgss.ExtendedGSSContext#inquireSecContext}
+ */
+public enum InquireType {
+    /**
+     * Attribute type for retrieving the session key of an
+     * established Kerberos 5 security context.
+     */
+    KRB5_GET_SESSION_KEY,
+    /**
+     * Attribute type for retrieving the service ticket flags of an
+     * established Kerberos 5 security context.
+     */
+    KRB5_GET_TKT_FLAGS,
+    /**
+     * Attribute type for retrieving the authorization data in the
+     * service ticket of an established Kerberos 5 security context.
+     * Only supported on the acceptor side.
+     */
+    KRB5_GET_AUTHZ_DATA,
+    /**
+     * Attribute type for retrieving the authtime in the service ticket
+     * of an established Kerberos 5 security context.
+     */
+    KRB5_GET_AUTHTIME
+}
--- a/src/share/classes/com/sun/security/sasl/util/AbstractSaslImpl.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/com/sun/security/sasl/util/AbstractSaslImpl.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2003 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,10 +48,6 @@
  * @author Rosanna Lee
  */
 public abstract class AbstractSaslImpl {
-    /**
-     * Logger for debug messages
-     */
-    protected static Logger logger;  // set in initLogger(); lazily loads logger
 
     protected boolean completed = false;
     protected boolean privacy = false;
@@ -68,7 +64,6 @@
     protected String myClassName;
 
     protected AbstractSaslImpl(Map props, String className) throws SaslException {
-        initLogger();
         myClassName = className;
 
         // Parse properties  to set desired context options
@@ -325,19 +320,15 @@
         }
     }
 
-    /**
-     * Sets logger field.
-     */
-    private static synchronized void initLogger() {
-        if (logger == null) {
-            logger = Logger.getLogger(SASL_LOGGER_NAME);
-        }
-    }
-
     // ---------------- Constants  -----------------
     private static final String SASL_LOGGER_NAME = "javax.security.sasl";
     protected static final String MAX_SEND_BUF = "javax.security.sasl.sendmaxbuffer";
 
+    /**
+     * Logger for debug messages
+     */
+    protected static final Logger logger = Logger.getLogger(SASL_LOGGER_NAME);
+
     // default 0 (no protection); 1 (integrity only)
     protected static final byte NO_PROTECTION = (byte)1;
     protected static final byte INTEGRITY_ONLY_PROTECTION = (byte)2;
--- a/src/share/classes/java/awt/Cursor.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/awt/Cursor.java	Tue Aug 11 20:06:52 2009 -0600
@@ -118,8 +118,18 @@
      */
     public static final int     MOVE_CURSOR                     = 13;
 
+    /**
+      * @deprecated As of JDK version 1.7, the {@link #getPredefinedCursor()}
+      * method should be used instead.
+      */
+    @Deprecated
     protected static Cursor predefined[] = new Cursor[14];
 
+    /**
+     * This field is a private replacement for 'predefined' array.
+     */
+    private final static Cursor[] predefinedPrivate = new Cursor[14];
+
     /* Localization names and default values */
     static final String[][] cursorProperties = {
         { "AWT.DefaultCursor", "Default Cursor" },
@@ -253,10 +263,15 @@
         if (type < Cursor.DEFAULT_CURSOR || type > Cursor.MOVE_CURSOR) {
             throw new IllegalArgumentException("illegal cursor type");
         }
+        Cursor c = predefinedPrivate[type];
+        if (c == null) {
+            predefinedPrivate[type] = c = new Cursor(type);
+        }
+        // fill 'predefined' array for backwards compatibility.
         if (predefined[type] == null) {
-            predefined[type] = new Cursor(type);
+            predefined[type] = c;
         }
-        return predefined[type];
+        return c;
     }
 
     /**
--- a/src/share/classes/java/awt/Window.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/awt/Window.java	Tue Aug 11 20:06:52 2009 -0600
@@ -3743,16 +3743,58 @@
 
     // ****************** END OF MIXING CODE ********************************
 
-    // This method gets the window location/size as reported by the native
-    // system since the locally cached values may represent outdated data.
-    // NOTE: this method is invoked on the toolkit thread, and therefore
-    // is not supposed to become public/user-overridable.
+    /**
+     * Limit the given double value with the given range.
+     */
+    private static double limit(double value, double min, double max) {
+        value = Math.max(value, min);
+        value = Math.min(value, max);
+        return value;
+    }
+
+    /**
+     * Calculate the position of the security warning.
+     *
+     * This method gets the window location/size as reported by the native
+     * system since the locally cached values may represent outdated data.
+     *
+     * The method is used from the native code, or via AWTAccessor.
+     *
+     * NOTE: this method is invoked on the toolkit thread, and therefore is not
+     * supposed to become public/user-overridable.
+     */
     private Point2D calculateSecurityWarningPosition(double x, double y,
             double w, double h)
     {
-        return new Point2D.Double(
-                x + w * securityWarningAlignmentX + securityWarningPointX,
-                y + h * securityWarningAlignmentY + securityWarningPointY);
+        // The position according to the spec of SecurityWarning.setPosition()
+        double wx = x + w * securityWarningAlignmentX + securityWarningPointX;
+        double wy = y + h * securityWarningAlignmentY + securityWarningPointY;
+
+        // First, make sure the warning is not too far from the window bounds
+        wx = Window.limit(wx,
+                x - securityWarningWidth - 2,
+                x + w + 2);
+        wy = Window.limit(wy,
+                y - securityWarningHeight - 2,
+                y + h + 2);
+
+        // Now make sure the warning window is visible on the screen
+        GraphicsConfiguration graphicsConfig =
+            getGraphicsConfiguration_NoClientCode();
+        Rectangle screenBounds = graphicsConfig.getBounds();
+        Insets screenInsets =
+            Toolkit.getDefaultToolkit().getScreenInsets(graphicsConfig);
+
+        wx = Window.limit(wx,
+                screenBounds.x + screenInsets.left,
+                screenBounds.x + screenBounds.width - screenInsets.right
+                - securityWarningWidth);
+        wy = Window.limit(wy,
+                screenBounds.y + screenInsets.top,
+                screenBounds.y + screenBounds.height - screenInsets.bottom
+                - securityWarningHeight);
+
+        return new Point2D.Double(wx, wy);
     }
 
     static {
--- a/src/share/classes/java/beans/Introspector.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/beans/Introspector.java	Tue Aug 11 20:06:52 2009 -0600
@@ -114,8 +114,8 @@
     // Static Caches to speed up introspection.
     private static Map declaredMethodCache =
         Collections.synchronizedMap(new WeakHashMap());
-    private static Map beanInfoCache =
-        Collections.synchronizedMap(new WeakHashMap());
+
+    private static final Object BEANINFO_CACHE = new Object();
 
     private Class beanClass;
     private BeanInfo explicitBeanInfo;
@@ -174,10 +174,18 @@
         if (!ReflectUtil.isPackageAccessible(beanClass)) {
             return (new Introspector(beanClass, null, USE_ALL_BEANINFO)).getBeanInfo();
         }
-        BeanInfo bi = (BeanInfo)beanInfoCache.get(beanClass);
+        Map<Class<?>, BeanInfo> map;
+        synchronized (BEANINFO_CACHE) {
+            map = (Map<Class<?>, BeanInfo>) AppContext.getAppContext().get(BEANINFO_CACHE);
+            if (map == null) {
+                map = Collections.synchronizedMap(new WeakHashMap<Class<?>, BeanInfo>());
+                AppContext.getAppContext().put(BEANINFO_CACHE, map);
+            }
+        }
+        BeanInfo bi = map.get(beanClass);
         if (bi == null) {
             bi = (new Introspector(beanClass, null, USE_ALL_BEANINFO)).getBeanInfo();
-            beanInfoCache.put(beanClass, bi);
+            map.put(beanClass, bi);
         }
         return bi;
     }
@@ -351,7 +359,10 @@
      */
 
     public static void flushCaches() {
-        beanInfoCache.clear();
+        Map map = (Map) AppContext.getAppContext().get(BEANINFO_CACHE);
+        if (map != null) {
+            map.clear();
+        }
         declaredMethodCache.clear();
     }
 
@@ -374,7 +385,10 @@
         if (clz == null) {
             throw new NullPointerException();
         }
-        beanInfoCache.remove(clz);
+        Map map = (Map) AppContext.getAppContext().get(BEANINFO_CACHE);
+        if (map != null) {
+            map.remove(clz);
+        }
         declaredMethodCache.remove(clz);
     }
 
--- a/src/share/classes/java/beans/MetaData.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/beans/MetaData.java	Tue Aug 11 20:06:52 2009 -0600
@@ -335,31 +335,6 @@
         return (oldC.size() == newC.size()) && oldC.containsAll(newC);
     }
 
-    static Object getPrivateField(final Object instance, final String name) {
-        return AccessController.doPrivileged(
-                new PrivilegedAction() {
-                    public Object run() {
-                        Class type = instance.getClass();
-                        while ( true ) {
-                            try {
-                                Field field = type.getDeclaredField(name);
-                                field.setAccessible(true);
-                                return field.get( instance );
-                            }
-                            catch (NoSuchFieldException exception) {
-                                type = type.getSuperclass();
-                                if (type == null) {
-                                    throw new IllegalStateException("Could not find field " + name, exception);
-                                }
-                            }
-                            catch (Exception exception) {
-                                throw new IllegalStateException("Could not get value " + type.getName() + '.' + name, exception);
-                            }
-                        }
-                    }
-                } );
-    }
-
     static final class EmptyList_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
             return new Expression(oldInstance, Collections.class, "emptyList", null);
@@ -500,7 +475,7 @@
 
     static final class CheckedCollection_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object type = getPrivateField(oldInstance, "type");
+            Object type = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedCollection.type");
             List list = new ArrayList((Collection) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedCollection", new Object[]{list, type});
         }
@@ -508,7 +483,7 @@
 
     static final class CheckedList_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object type = getPrivateField(oldInstance, "type");
+            Object type = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedCollection.type");
             List list = new LinkedList((Collection) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedList", new Object[]{list, type});
         }
@@ -516,7 +491,7 @@
 
     static final class CheckedRandomAccessList_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object type = getPrivateField(oldInstance, "type");
+            Object type = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedCollection.type");
             List list = new ArrayList((Collection) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedList", new Object[]{list, type});
         }
@@ -524,7 +499,7 @@
 
     static final class CheckedSet_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object type = getPrivateField(oldInstance, "type");
+            Object type = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedCollection.type");
             Set set = new HashSet((Set) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedSet", new Object[]{set, type});
         }
@@ -532,7 +507,7 @@
 
     static final class CheckedSortedSet_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object type = getPrivateField(oldInstance, "type");
+            Object type = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedCollection.type");
             SortedSet set = new TreeSet((SortedSet) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedSortedSet", new Object[]{set, type});
         }
@@ -540,8 +515,8 @@
 
     static final class CheckedMap_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object keyType = getPrivateField(oldInstance, "keyType");
-            Object valueType = getPrivateField(oldInstance, "valueType");
+            Object keyType   = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedMap.keyType");
+            Object valueType = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedMap.valueType");
             Map map = new HashMap((Map) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedMap", new Object[]{map, keyType, valueType});
         }
@@ -549,8 +524,8 @@
 
     static final class CheckedSortedMap_PersistenceDelegate extends java_util_Collections {
         protected Expression instantiate(Object oldInstance, Encoder out) {
-            Object keyType = getPrivateField(oldInstance, "keyType");
-            Object valueType = getPrivateField(oldInstance, "valueType");
+            Object keyType   = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedMap.keyType");
+            Object valueType = MetaData.getPrivateFieldValue(oldInstance, "java.util.Collections$CheckedMap.valueType");
             SortedMap map = new TreeMap((SortedMap) oldInstance);
             return new Expression(oldInstance, Collections.class, "checkedSortedMap", new Object[]{map, keyType, valueType});
         }
@@ -572,7 +547,7 @@
     }
 
     private static Object getType(Object instance) {
-        return java_util_Collections.getPrivateField(instance, "keyType");
+        return MetaData.getPrivateFieldValue(instance, "java.util.EnumMap.keyType");
     }
 }
 
@@ -591,7 +566,7 @@
     }
 
     private static Object getType(Object instance) {
-        return java_util_Collections.getPrivateField(instance, "elementType");
+        return MetaData.getPrivateFieldValue(instance, "java.util.EnumSet.elementType");
     }
 }
 
@@ -1282,7 +1257,7 @@
 
     private Integer getAxis(Object object) {
         Box box = (Box) object;
-        return (Integer) java_util_Collections.getPrivateField(box.getLayout(), "axis");
+        return (Integer) MetaData.getPrivateFieldValue(box.getLayout(), "javax.swing.BoxLayout.axis");
     }
 }
 
@@ -1365,6 +1340,7 @@
 }
 
 class MetaData {
+    private static final Map<String,Field> fields = Collections.synchronizedMap(new WeakHashMap<String, Field>());
     private static Hashtable internalPersistenceDelegates = new Hashtable();
 
     private static PersistenceDelegate nullPersistenceDelegate = new NullPersistenceDelegate();
@@ -1503,4 +1479,35 @@
             return null;
         }
     }
+
+    static Object getPrivateFieldValue(Object instance, String name) {
+        Field field = fields.get(name);
+        if (field == null) {
+            int index = name.lastIndexOf('.');
+            final String className = name.substring(0, index);
+            final String fieldName = name.substring(1 + index);
+            field = AccessController.doPrivileged(new PrivilegedAction<Field>() {
+                public Field run() {
+                    try {
+                        Field field = Class.forName(className).getDeclaredField(fieldName);
+                        field.setAccessible(true);
+                        return field;
+                    }
+                    catch (ClassNotFoundException exception) {
+                        throw new IllegalStateException("Could not find class", exception);
+                    }
+                    catch (NoSuchFieldException exception) {
+                        throw new IllegalStateException("Could not find field", exception);
+                    }
+                }
+            });
+            fields.put(name, field);
+        }
+        try {
+            return field.get(instance);
+        }
+        catch (IllegalAccessException exception) {
+            throw new IllegalStateException("Could not get value of the field", exception);
+        }
+    }
 }
--- a/src/share/classes/java/net/Socket.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/net/Socket.java	Tue Aug 11 20:06:52 2009 -0600
@@ -114,9 +114,14 @@
      * @since   1.5
      */
     public Socket(Proxy proxy) {
-        if (proxy != null && proxy.type() == Proxy.Type.SOCKS) {
+        // Create a copy of Proxy as a security measure
+        if (proxy == null) {
+            throw new IllegalArgumentException("Invalid Proxy");
+        }
+        Proxy p = proxy == Proxy.NO_PROXY ? Proxy.NO_PROXY : sun.net.ApplicationProxy.create(proxy);
+        if (p.type() == Proxy.Type.SOCKS) {
             SecurityManager security = System.getSecurityManager();
-            InetSocketAddress epoint = (InetSocketAddress) proxy.address();
+            InetSocketAddress epoint = (InetSocketAddress) p.address();
             if (security != null) {
                 if (epoint.isUnresolved())
                     security.checkConnect(epoint.getHostName(),
@@ -125,10 +130,10 @@
                     security.checkConnect(epoint.getAddress().getHostAddress(),
                                           epoint.getPort());
             }
-            impl = new SocksSocketImpl(proxy);
+            impl = new SocksSocketImpl(p);
             impl.setSocket(this);
         } else {
-            if (proxy == Proxy.NO_PROXY) {
+            if (p == Proxy.NO_PROXY) {
                 if (factory == null) {
                     impl = new PlainSocketImpl();
                     impl.setSocket(this);
--- a/src/share/classes/java/net/SocksSocketImpl.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/net/SocksSocketImpl.java	Tue Aug 11 20:06:52 2009 -0600
@@ -46,6 +46,9 @@
     private Socket cmdsock = null;
     private InputStream cmdIn = null;
     private OutputStream cmdOut = null;
+    /* true if the Proxy has been set programatically */
+    private boolean applicationSetProxy;  /* false */
+
 
     SocksSocketImpl() {
         // Nothing needed
@@ -237,8 +240,7 @@
         out.write((endpoint.getPort() >> 8) & 0xff);
         out.write((endpoint.getPort() >> 0) & 0xff);
         out.write(endpoint.getAddress().getAddress());
-        String userName = java.security.AccessController.doPrivileged(
-               new sun.security.action.GetPropertyAction("user.name"));
+        String userName = getUserName();
         try {
             out.write(userName.getBytes("ISO-8859-1"));
         } catch (java.io.UnsupportedEncodingException uee) {
@@ -554,8 +556,7 @@
         out.write((super.getLocalPort() >> 8) & 0xff);
         out.write((super.getLocalPort() >> 0) & 0xff);
         out.write(addr1);
-        String userName = java.security.AccessController.doPrivileged(
-               new sun.security.action.GetPropertyAction("user.name"));
+        String userName = getUserName();
         try {
             out.write(userName.getBytes("ISO-8859-1"));
         } catch (java.io.UnsupportedEncodingException uee) {
@@ -1022,4 +1023,16 @@
         super.close();
     }
 
+    private String getUserName() {
+        String userName = "";
+        if (applicationSetProxy) {
+            try {
+                userName = System.getProperty("user.name");
+            } catch (SecurityException se) { /* swallow Exception */ }
+        } else {
+            userName = java.security.AccessController.doPrivileged(
+                new sun.security.action.GetPropertyAction("user.name"));
+        }
+        return userName;
+    }
 }
--- a/src/share/classes/java/net/URL.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/net/URL.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1004,16 +1004,18 @@
             throw new IllegalArgumentException("proxy can not be null");
         }
 
+        // Create a copy of Proxy as a security measure
+        Proxy p = proxy == Proxy.NO_PROXY ? Proxy.NO_PROXY : sun.net.ApplicationProxy.create(proxy);
         SecurityManager sm = System.getSecurityManager();
-        if (proxy.type() != Proxy.Type.DIRECT && sm != null) {
-            InetSocketAddress epoint = (InetSocketAddress) proxy.address();
+        if (p.type() != Proxy.Type.DIRECT && sm != null) {
+            InetSocketAddress epoint = (InetSocketAddress) p.address();
             if (epoint.isUnresolved())
                 sm.checkConnect(epoint.getHostName(), epoint.getPort());
             else
                 sm.checkConnect(epoint.getAddress().getHostAddress(),
                                 epoint.getPort());
         }
-        return handler.openConnection(this, proxy);
+        return handler.openConnection(this, p);
     }
 
     /**
--- a/src/share/classes/java/nio/file/SimpleFileVisitor.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/nio/file/SimpleFileVisitor.java	Tue Aug 11 20:06:52 2009 -0600
@@ -48,6 +48,14 @@
     }
 
     /**
+     * Throws NullPointerException if obj is null.
+     */
+    private static void checkNotNull(Object obj) {
+        if (obj == null)
+            throw new NullPointerException();
+    }
+
+    /**
      * Invoked for a directory before entries in the directory are visited.
      *
      * <p> Unless overridden, this method returns {@link FileVisitResult#CONTINUE
@@ -55,6 +63,7 @@
      */
     @Override
     public FileVisitResult preVisitDirectory(T dir) {
+        checkNotNull(dir);
         return FileVisitResult.CONTINUE;
     }
 
@@ -70,6 +79,8 @@
      */
     @Override
     public FileVisitResult preVisitDirectoryFailed(T dir, IOException exc) {
+        checkNotNull(dir);
+        checkNotNull(exc);
         throw new IOError(exc);
     }
 
@@ -81,6 +92,8 @@
      */
     @Override
     public FileVisitResult visitFile(T file, BasicFileAttributes attrs) {
+        checkNotNull(file);
+        checkNotNull(attrs);
         return FileVisitResult.CONTINUE;
     }
 
@@ -96,6 +109,8 @@
      */
     @Override
     public FileVisitResult visitFileFailed(T file, IOException exc) {
+        checkNotNull(file);
+        checkNotNull(exc);
         throw new IOError(exc);
     }
 
@@ -114,6 +129,7 @@
      */
     @Override
     public FileVisitResult postVisitDirectory(T dir, IOException exc) {
+        checkNotNull(dir);
         if (exc != null)
             throw new IOError(exc);
         return FileVisitResult.CONTINUE;
--- a/src/share/classes/java/nio/file/attribute/AclFileAttributeView.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/nio/file/attribute/AclFileAttributeView.java	Tue Aug 11 20:06:52 2009 -0600
@@ -75,7 +75,7 @@
  *         .lookupPrincipalByName("joe");
  *
  *     // get view
- *     AclFileAttributeView view = file.newFileAttributeView(AclFileAttributeView.class);
+ *     AclFileAttributeView view = file.getFileAttributeView(AclFileAttributeView.class);
  *
  *     // create ACE to give "joe" read access
  *     AclEntry entry = AclEntry.newBuilder()
--- a/src/share/classes/java/nio/file/attribute/PosixFileAttributeView.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/java/nio/file/attribute/PosixFileAttributeView.java	Tue Aug 11 20:06:52 2009 -0600
@@ -61,7 +61,7 @@
  * Suppose we need to print out the owner and access permissions of a file:
  * <pre>
  *     FileRef file = ...
- *     PosixFileAttributes attrs = file.newFileAttributeView(PosixFileAttributeView.class)
+ *     PosixFileAttributes attrs = file.getFileAttributeView(PosixFileAttributeView.class)
  *         .readAttributes();
  *     System.out.format("%s %s%n",
  *         attrs.owner().getName(),
--- a/src/share/classes/javax/accessibility/AccessibleResourceBundle.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/accessibility/AccessibleResourceBundle.java	Tue Aug 11 20:06:52 2009 -0600
@@ -44,15 +44,11 @@
      * localized display strings.
      */
     public Object[][] getContents() {
-        return contents;
-    }
+        // The table holding the mapping between the programmatic keys
+        // and the display strings for the en_US locale.
+        return new Object[][] {
 
-    /**
-     * The table holding the mapping between the programmatic keys
-     * and the display strings for the en_US locale.
-     */
-    static final Object[][] contents = {
-    // LOCALIZE THIS
+        // LOCALIZE THIS
         // Role names
 //        { "application","application" },
 //        { "border","border" },
@@ -151,5 +147,6 @@
         { "vertical","vertical" },
         { "horizontal","horizontal" }
     // END OF MATERIAL TO LOCALIZE
-    };
+        };
+    }
 }
--- a/src/share/classes/javax/crypto/JarVerifier.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/crypto/JarVerifier.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2007-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,9 +28,7 @@
 import java.io.*;
 import java.net.*;
 import java.security.*;
-import java.util.*;
 import java.util.jar.*;
-import javax.crypto.CryptoPolicyParser.ParsingException;
 
 /**
  * This class verifies JAR files (and any supporting JAR files), and
@@ -135,17 +133,6 @@
     }
 
     /**
-     * Verify that the provided JarEntry was indeed signed by the
-     * framework signing certificate.
-     *
-     * @param je the URL of the jar entry to be checked.
-     * @throws Exception if the jar entry was not signed by
-     *          the proper certificate
-     */
-    static void verifyFrameworkSigned(URL je) throws Exception {
-    }
-
-    /**
      * Verify that the provided certs include the
      * framework signing certificate.
      *
--- a/src/share/classes/javax/crypto/JceSecurity.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/crypto/JceSecurity.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@
 
 package javax.crypto;
 
-import java.lang.ref.*;
 import java.util.*;
 import java.util.jar.*;
 import java.io.*;
@@ -256,11 +255,6 @@
                                 ("Cannot locate policy or framework files!");
         }
 
-        // Enforce the signer restraint, i.e. signer of JCE framework
-        // jar should also be the signer of the two jurisdiction policy
-        // jar files.
-        JarVerifier.verifyFrameworkSigned(jceCipherURL);
-
         // Read jurisdiction policies.
         CryptoPermissions defaultExport = new CryptoPermissions();
         CryptoPermissions exemptExport = new CryptoPermissions();
--- a/src/share/classes/javax/imageio/plugins/bmp/BMPImageWriteParam.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/imageio/plugins/bmp/BMPImageWriteParam.java	Tue Aug 11 20:06:52 2009 -0600
@@ -78,7 +78,7 @@
         super(locale);
 
         // Set compression types ("BI_RGB" denotes uncompressed).
-        compressionTypes = BMPConstants.compressionTypeNames;
+        compressionTypes = BMPConstants.compressionTypeNames.clone();
 
         // Set compression flag.
         canWriteCompressed = true;
--- a/src/share/classes/javax/imageio/spi/ImageReaderSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/imageio/spi/ImageReaderSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -77,7 +77,10 @@
      * A single-element array, initially containing
      * <code>ImageInputStream.class</code>, to be returned from
      * <code>getInputTypes</code>.
+     * @deprecated Instead of using this field, directly create
+     * the equivalent array <code>{ ImageInputStream.class }<code>.
      */
+    @Deprecated
     public static final Class[] STANDARD_INPUT_TYPE =
         { ImageInputStream.class };
 
@@ -227,7 +230,11 @@
             throw new IllegalArgumentException
                 ("inputTypes.length == 0!");
         }
-        this.inputTypes = (Class[])inputTypes.clone();
+
+        this.inputTypes = (inputTypes == STANDARD_INPUT_TYPE) ?
+            new Class<?>[] { ImageInputStream.class } :
+            inputTypes.clone();
+
         // If length == 0, leave it null
         if (writerSpiNames != null && writerSpiNames.length > 0) {
             this.writerSpiNames = (String[])writerSpiNames.clone();
--- a/src/share/classes/javax/imageio/spi/ImageWriterSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/imageio/spi/ImageWriterSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -77,9 +77,12 @@
 
     /**
      * A single-element array, initially containing
-     * <code>ImageInputStream.class</code>, to be returned from
-     * <code>getInputTypes</code>.
+     * <code>ImageOutputStream.class</code>, to be returned from
+     * <code>getOutputTypes</code>.
+     * @deprecated Instead of using this field, directly create
+     * the equivalent array <code>{ ImageOutputStream.class }<code>.
      */
+    @Deprecated
     public static final Class[] STANDARD_OUTPUT_TYPE =
         { ImageOutputStream.class };
 
@@ -228,7 +231,11 @@
             throw new IllegalArgumentException
                 ("outputTypes.length == 0!");
         }
-        this.outputTypes = (Class[])outputTypes.clone();
+
+        this.outputTypes = (outputTypes == STANDARD_OUTPUT_TYPE) ?
+            new Class<?>[] { ImageOutputStream.class } :
+            outputTypes.clone();
+
         // If length == 0, leave it null
         if (readerSpiNames != null && readerSpiNames.length > 0) {
             this.readerSpiNames = (String[])readerSpiNames.clone();
--- a/src/share/classes/javax/imageio/stream/FileCacheImageInputStream.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/imageio/stream/FileCacheImageInputStream.java	Tue Aug 11 20:06:52 2009 -0600
@@ -62,6 +62,10 @@
     /** The DisposerRecord that closes the underlying cache. */
     private final DisposerRecord disposerRecord;
 
+    /** The CloseAction that closes the stream in
+     *  the StreamCloser's shutdown hook                     */
+    private final StreamCloser.CloseAction closeAction;
+
     /**
      * Constructs a <code>FileCacheImageInputStream</code> that will read
      * from a given <code>InputStream</code>.
@@ -96,7 +100,9 @@
         this.cacheFile =
             File.createTempFile("imageio", ".tmp", cacheDir);
         this.cache = new RandomAccessFile(cacheFile, "rw");
-        StreamCloser.addToQueue(this);
+
+        this.closeAction = StreamCloser.createCloseAction(this);
+        StreamCloser.addToQueue(closeAction);
 
         disposerRecord = new StreamDisposerRecord(cacheFile, cache);
         if (getClass() == FileCacheImageInputStream.class) {
@@ -242,7 +248,7 @@
         stream = null;
         cache = null;
         cacheFile = null;
-        StreamCloser.removeFromQueue(this);
+        StreamCloser.removeFromQueue(closeAction);
     }
 
     /**
--- a/src/share/classes/javax/imageio/stream/FileCacheImageOutputStream.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/imageio/stream/FileCacheImageOutputStream.java	Tue Aug 11 20:06:52 2009 -0600
@@ -48,6 +48,10 @@
     // Pos after last (rightmost) byte written
     private long maxStreamPos = 0L;
 
+    /** The CloseAction that closes the stream in
+     *  the StreamCloser's shutdown hook                     */
+    private final StreamCloser.CloseAction closeAction;
+
     /**
      * Constructs a <code>FileCacheImageOutputStream</code> that will write
      * to a given <code>outputStream</code>.
@@ -82,7 +86,9 @@
         this.cacheFile =
             File.createTempFile("imageio", ".tmp", cacheDir);
         this.cache = new RandomAccessFile(cacheFile, "rw");
-        StreamCloser.addToQueue(this);
+
+        this.closeAction = StreamCloser.createCloseAction(this);
+        StreamCloser.addToQueue(closeAction);
     }
 
     public int read() throws IOException {
@@ -227,7 +233,7 @@
         cacheFile = null;
         stream.flush();
         stream = null;
-        StreamCloser.removeFromQueue(this);
+        StreamCloser.removeFromQueue(closeAction);
     }
 
     public void flushBefore(long pos) throws IOException {
--- a/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java	Tue Aug 11 20:06:52 2009 -0600
@@ -690,7 +690,7 @@
     private static <T> T convertFromString(String s, OpenType<T> openType) {
         Class<T> c;
         try {
-            c = cast(Class.forName(openType.getClassName()));
+            c = cast(Class.forName(openType.safeGetClassName()));
         } catch (ClassNotFoundException e) {
             throw new NoClassDefFoundError(e.toString());  // can't happen
         }
@@ -711,7 +711,7 @@
             } catch (Exception e) {
                 final String msg =
                     "Could not convert \"" + s + "\" using method: " + valueOf;
-                throw new IllegalArgumentException(msg);
+                throw new IllegalArgumentException(msg, e);
             }
         }
 
@@ -728,7 +728,7 @@
             } catch (Exception e) {
                 final String msg =
                     "Could not convert \"" + s + "\" using constructor: " + con;
-                throw new IllegalArgumentException(msg);
+                throw new IllegalArgumentException(msg, e);
             }
         }
 
@@ -757,7 +757,7 @@
             stringArrayClass =
                 Class.forName(squareBrackets + "Ljava.lang.String;");
             targetArrayClass =
-                Class.forName(squareBrackets + "L" + baseType.getClassName() +
+                Class.forName(squareBrackets + "L" + baseType.safeGetClassName() +
                               ";");
         } catch (ClassNotFoundException e) {
             throw new NoClassDefFoundError(e.toString());  // can't happen
--- a/src/share/classes/javax/management/openmbean/OpenType.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/management/openmbean/OpenType.java	Tue Aug 11 20:06:52 2009 -0600
@@ -304,7 +304,12 @@
      * @return the class name.
      */
     public String getClassName() {
+        return className;
+    }
 
+    // A version of getClassName() that can only be called from within this
+    // package and that cannot be overridden.
+    String safeGetClassName() {
         return className;
     }
 
--- a/src/share/classes/javax/swing/JFileChooser.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/JFileChooser.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -739,6 +739,11 @@
 
         dialog.show();
         firePropertyChange("JFileChooserDialogIsClosingProperty", dialog, null);
+
+        // Remove all components from dialog. The MetalFileChooserUI.installUI() method (and other LAFs)
+        // registers AWT listener for dialogs and produces memory leaks. It happens when
+        // installUI invoked after the showDialog method.
+        dialog.getContentPane().removeAll();
         dialog.dispose();
         dialog = null;
         return returnValue;
--- a/src/share/classes/javax/swing/JInternalFrame.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/JInternalFrame.java	Tue Aug 11 20:06:52 2009 -0600
@@ -26,13 +26,10 @@
 package javax.swing;
 
 import java.awt.*;
-import java.awt.event.*;
 
 import java.beans.PropertyVetoException;
 import java.beans.PropertyChangeEvent;
-import java.util.EventListener;
 
-import javax.swing.border.Border;
 import javax.swing.event.InternalFrameEvent;
 import javax.swing.event.InternalFrameListener;
 import javax.swing.plaf.*;
@@ -40,7 +37,6 @@
 import javax.accessibility.*;
 
 import java.io.ObjectOutputStream;
-import java.io.ObjectInputStream;
 import java.io.IOException;
 import java.lang.StringBuilder;
 import java.beans.PropertyChangeListener;
@@ -1459,19 +1455,22 @@
             SwingUtilities2.compositeRequestFocus(getDesktopIcon());
         }
         else {
-            // FocusPropertyChangeListener will eventually update
-            // lastFocusOwner. As focus requests are asynchronous
-            // lastFocusOwner may be accessed before it has been correctly
-            // updated. To avoid any problems, lastFocusOwner is immediately
-            // set, assuming the request will succeed.
-            lastFocusOwner = getMostRecentFocusOwner();
-            if (lastFocusOwner == null) {
-                // Make sure focus is restored somewhere, so that
-                // we don't leave a focused component in another frame while
-                // this frame is selected.
-                lastFocusOwner = getContentPane();
+            Component component = KeyboardFocusManager.getCurrentKeyboardFocusManager().getPermanentFocusOwner();
+            if ((component == null) || !SwingUtilities.isDescendingFrom(component, this)) {
+                // FocusPropertyChangeListener will eventually update
+                // lastFocusOwner. As focus requests are asynchronous
+                // lastFocusOwner may be accessed before it has been correctly
+                // updated. To avoid any problems, lastFocusOwner is immediately
+                // set, assuming the request will succeed.
+                setLastFocusOwner(getMostRecentFocusOwner());
+                if (lastFocusOwner == null) {
+                    // Make sure focus is restored somewhere, so that
+                    // we don't leave a focused component in another frame while
+                    // this frame is selected.
+                    setLastFocusOwner(getContentPane());
+                }
+                lastFocusOwner.requestFocus();
             }
-            lastFocusOwner.requestFocus();
         }
     }
 
--- a/src/share/classes/javax/swing/plaf/basic/BasicDesktopIconUI.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/basic/BasicDesktopIconUI.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,9 +32,6 @@
 import javax.swing.border.*;
 import javax.swing.plaf.*;
 import java.beans.*;
-import java.util.EventListener;
-import java.io.Serializable;
-
 
 /**
  * Basic L&F for a minimized window on a desktop.
@@ -47,7 +44,6 @@
 
     protected JInternalFrame.JDesktopIcon desktopIcon;
     protected JInternalFrame frame;
-    private DesktopIconMover desktopIconMover;
 
     /**
      * The title pane component used in the desktop icon.
@@ -128,21 +124,12 @@
         mouseInputListener = createMouseInputListener();
         desktopIcon.addMouseMotionListener(mouseInputListener);
         desktopIcon.addMouseListener(mouseInputListener);
-         getDesktopIconMover().installListeners();
     }
 
     protected void uninstallListeners() {
         desktopIcon.removeMouseMotionListener(mouseInputListener);
         desktopIcon.removeMouseListener(mouseInputListener);
         mouseInputListener = null;
-         getDesktopIconMover().uninstallListeners();
-    }
-
-    private DesktopIconMover getDesktopIconMover() {
-        if (desktopIconMover == null) {
-            desktopIconMover = new DesktopIconMover(desktopIcon);
-        }
-        return desktopIconMover;
     }
 
     protected void installDefaults() {
--- a/src/share/classes/javax/swing/plaf/basic/BasicDirectoryModel.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/basic/BasicDirectoryModel.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1998-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -232,6 +232,10 @@
         public void run0() {
             FileSystemView fileSystem = filechooser.getFileSystemView();
 
+            if (isInterrupted()) {
+                return;
+            }
+
             File[] list = fileSystem.getFiles(currentDirectory, filechooser.isFileHidingEnabled());
 
             if (isInterrupted()) {
@@ -268,8 +272,8 @@
 
             // To avoid loads of synchronizations with Invoker and improve performance we
             // execute the whole block on the COM thread
-            DoChangeContents doChangeContents = ShellFolder.getInvoker().invoke(new Callable<DoChangeContents>() {
-                public DoChangeContents call() throws Exception {
+            DoChangeContents doChangeContents = ShellFolder.invoke(new Callable<DoChangeContents>() {
+                public DoChangeContents call() {
                     int newSize = newFileCache.size();
                     int oldSize = fileCache.size();
 
--- a/src/share/classes/javax/swing/plaf/basic/BasicInternalFrameUI.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/basic/BasicInternalFrameUI.java	Tue Aug 11 20:06:52 2009 -0600
@@ -27,16 +27,10 @@
 
 import java.awt.*;
 import java.awt.event.*;
-import java.awt.peer.LightweightPeer;
-
 import javax.swing.*;
-import javax.swing.border.*;
 import javax.swing.plaf.*;
 import javax.swing.event.*;
-
 import java.beans.*;
-import java.io.Serializable;
-
 import sun.swing.DefaultLookup;
 import sun.swing.UIAction;
 
@@ -55,6 +49,7 @@
     protected MouseInputAdapter          borderListener;
     protected PropertyChangeListener     propertyChangeListener;
     protected LayoutManager              internalFrameLayout;
+    protected ComponentListener          componentListener;
     protected MouseInputListener         glassPaneDispatcher;
     private InternalFrameListener        internalFrameListener;
 
@@ -66,9 +61,9 @@
     protected BasicInternalFrameTitlePane titlePane; // access needs this
 
     private static DesktopManager sharedDesktopManager;
+    private boolean componentListenerAdded = false;
 
     private Rectangle parentBounds;
-    private DesktopIconMover desktopIconMover;
 
     private boolean dragging = false;
     private boolean resizing = false;
@@ -209,17 +204,14 @@
             frame.getGlassPane().addMouseListener(glassPaneDispatcher);
             frame.getGlassPane().addMouseMotionListener(glassPaneDispatcher);
         }
+        componentListener =  createComponentListener();
         if (frame.getParent() != null) {
           parentBounds = frame.getParent().getBounds();
         }
-        getDesktopIconMover().installListeners();
-    }
-
-    private DesktopIconMover getDesktopIconMover() {
-        if (desktopIconMover == null) {
-            desktopIconMover = new DesktopIconMover(frame);
+        if ((frame.getParent() != null) && !componentListenerAdded) {
+            frame.getParent().addComponentListener(componentListener);
+            componentListenerAdded = true;
         }
-        return desktopIconMover;
     }
 
     // Provide a FocusListener to listen for a WINDOW_LOST_FOCUS event,
@@ -290,7 +282,11 @@
      * @since 1.3
      */
     protected void uninstallListeners() {
-      getDesktopIconMover().uninstallListeners();
+        if ((frame.getParent() != null) && componentListenerAdded) {
+            frame.getParent().removeComponentListener(componentListener);
+            componentListenerAdded = false;
+        }
+        componentListener = null;
       if (glassPaneDispatcher != null) {
           frame.getGlassPane().removeMouseListener(glassPaneDispatcher);
           frame.getGlassPane().removeMouseMotionListener(glassPaneDispatcher);
@@ -1228,6 +1224,15 @@
                 }
             }
 
+            // Relocate the icon base on the new parent bounds.
+            if (icon != null) {
+                Rectangle iconBounds = icon.getBounds();
+                int y = iconBounds.y +
+                        (parentNewBounds.height - parentBounds.height);
+                icon.setBounds(iconBounds.x, y,
+                        iconBounds.width, iconBounds.height);
+            }
+
             // Update the new parent bounds for next resize.
             if (!parentBounds.equals(parentNewBounds)) {
                 parentBounds = parentNewBounds;
@@ -1399,6 +1404,9 @@
                     // Cancel a resize in progress if the internal frame
                     // gets a setClosed(true) or dispose().
                     cancelResize();
+                    if ((frame.getParent() != null) && componentListenerAdded) {
+                        frame.getParent().removeComponentListener(componentListener);
+                    }
                     closeFrame(f);
                 }
             } else if (JInternalFrame.IS_MAXIMUM_PROPERTY == prop) {
@@ -1431,6 +1439,10 @@
                 } else {
                     parentBounds = null;
                 }
+                if ((frame.getParent() != null) && !componentListenerAdded) {
+                    f.getParent().addComponentListener(componentListener);
+                    componentListenerAdded = true;
+                }
             } else if (JInternalFrame.TITLE_PROPERTY == prop ||
                     prop == "closable" || prop == "iconable" ||
                     prop == "maximizable") {
--- a/src/share/classes/javax/swing/plaf/basic/BasicScrollPaneUI.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/basic/BasicScrollPaneUI.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,17 +37,12 @@
 import java.beans.PropertyChangeEvent;
 
 import java.awt.Component;
-import java.awt.Container;
-import java.awt.LayoutManager;
 import java.awt.Rectangle;
 import java.awt.Dimension;
 import java.awt.Point;
 import java.awt.Insets;
 import java.awt.Graphics;
 import java.awt.event.*;
-import java.io.Serializable;
-import java.awt.Toolkit;
-import java.awt.ComponentOrientation;
 
 /**
  * A default L&F implementation of ScrollPaneUI.
@@ -63,6 +58,7 @@
     protected ChangeListener viewportChangeListener;
     protected PropertyChangeListener spPropertyChangeListener;
     private MouseWheelListener mouseScrollListener;
+    private int oldExtent = Integer.MIN_VALUE;
 
     /**
      * PropertyChangeListener installed on the vertical scrollbar.
@@ -327,9 +323,13 @@
                             * leave it until someone claims.
                             */
                             value = Math.max(0, Math.min(max - extent, max - extent - viewPosition.x));
+                            if (oldExtent > extent) {
+                                value -= oldExtent - extent;
+                            }
                         }
                     }
                 }
+                oldExtent = extent;
                 hsb.setValues(value, extent, 0, max);
             }
 
@@ -1020,7 +1020,7 @@
 
             if (viewport != null) {
                 if (e.getSource() == viewport) {
-                    viewportStateChanged(e);
+                    syncScrollPaneWithViewport();
                 }
                 else {
                     JScrollBar hsb = scrollpane.getHorizontalScrollBar();
@@ -1077,11 +1077,6 @@
             viewport.setViewPosition(p);
         }
 
-        private void viewportStateChanged(ChangeEvent e) {
-            syncScrollPaneWithViewport();
-        }
-
-
         //
         // PropertyChangeListener: This is installed on both the JScrollPane
         // and the horizontal/vertical scrollbars.
--- a/src/share/classes/javax/swing/plaf/basic/DesktopIconMover.java	Tue Aug 11 20:02:43 2009 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,168 +0,0 @@
-/*
- * Copyright 1997-2008 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package javax.swing.plaf.basic;
-
-import javax.swing.*;
-import java.awt.*;
-import java.awt.event.*;
-import java.beans.*;
-
-/**
- * DesktopIconMover is intended to move desktop icon
- * when parent window is resized.
- */
-class DesktopIconMover implements ComponentListener, PropertyChangeListener {
-    private Component parent;
-    private JInternalFrame frame; // if not null, DesktopIconMover(frame)
-                                  // constructor was used
-    private JInternalFrame.JDesktopIcon icon;
-    private Rectangle parentBounds;
-    private boolean componentListenerAdded = false;
-
-    public DesktopIconMover(JInternalFrame frame) {
-        if (frame == null) {
-            throw new NullPointerException("Frame cannot be null");
-        }
-        this.frame = frame;
-        this.icon = frame.getDesktopIcon();
-        if (icon == null) {
-            throw new NullPointerException(
-                    "frame.getDesktopIcon() cannot be null");
-        }
-        this.parent = frame.getParent();
-        if (this.parent != null) {
-            parentBounds = this.parent.getBounds();
-        }
-    }
-
-    public DesktopIconMover(JInternalFrame.JDesktopIcon icon) {
-        if (icon == null) {
-            throw new NullPointerException("Icon cannot be null");
-        }
-        this.icon = icon;
-        this.parent = icon.getParent();
-        if (this.parent != null) {
-            parentBounds = this.parent.getBounds();
-        }
-    }
-
-    public void installListeners() {
-        if (frame != null) {
-            frame.addPropertyChangeListener(this);
-        } else {
-            icon.addPropertyChangeListener(this);
-        }
-        addComponentListener();
-    }
-
-    public void uninstallListeners() {
-        if (frame != null) {
-            frame.removePropertyChangeListener(this);
-        } else {
-            icon.removePropertyChangeListener(this);
-        }
-        removeComponentListener();
-    }
-
-    public void propertyChange(PropertyChangeEvent evt) {
-        String propName = evt.getPropertyName();
-        if ("ancestor".equals(propName)) {
-            Component newAncestor = (Component) evt.getNewValue();
-
-            // Remove component listener if parent is changing
-            Component probablyNewParent = getCurrentParent();
-            if ((probablyNewParent != null) &&
-                    (!probablyNewParent.equals(parent))) {
-                removeComponentListener();
-                parent = probablyNewParent;
-            }
-
-            if (newAncestor == null) {
-                removeComponentListener();
-            } else {
-                addComponentListener();
-            }
-
-            // Update parentBounds
-            if (parent != null) {
-                parentBounds = parent.getBounds();
-            } else {
-                parentBounds = null;
-            }
-        } else if (JInternalFrame.IS_CLOSED_PROPERTY.equals(propName)) {
-            removeComponentListener();
-        }
-    }
-
-    private void addComponentListener() {
-        if (!componentListenerAdded && (parent != null)) {
-            parent.addComponentListener(this);
-            componentListenerAdded = true;
-        }
-    }
-
-    private void removeComponentListener() {
-        if ((parent != null) && componentListenerAdded) {
-            parent.removeComponentListener(this);
-            componentListenerAdded = false;
-        }
-    }
-
-    private Component getCurrentParent() {
-        if (frame != null) {
-            return frame.getParent();
-        } else {
-            return icon.getParent();
-        }
-    }
-
-    public void componentResized(ComponentEvent e) {
-        if ((parent == null) || (parentBounds == null)) {
-            return;
-        }
-
-        Rectangle parentNewBounds = parent.getBounds();
-        if ((parentNewBounds == null) || parentNewBounds.equals(parentBounds)) {
-            return;
-        }
-
-        // Move desktop icon only in up-down direction
-        int newIconY = icon.getLocation().y +
-                (parentNewBounds.height - parentBounds.height);
-        icon.setLocation(icon.getLocation().x, newIconY);
-
-        parentBounds = parentNewBounds;
-    }
-
-    public void componentMoved(ComponentEvent e) {
-    }
-
-    public void componentShown(ComponentEvent e) {
-    }
-
-    public void componentHidden(ComponentEvent e) {
-    }
-}
--- a/src/share/classes/javax/swing/plaf/nimbus/AbstractRegionPainter.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/nimbus/AbstractRegionPainter.java	Tue Aug 11 20:06:52 2009 -0600
@@ -227,10 +227,10 @@
      *
      * @param x an encoded x value (0...1, or 1...2, or 2...3)
      * @return the decoded x value
+     * @throws IllegalArgumentException
+     *      if {@code x < 0} or {@code x > 3}
      */
     protected final float decodeX(float x) {
-        if (ctx.canvasSize == null) return x;
-
         if (x >= 0 && x <= 1) {
             return x * leftWidth;
         } else if (x > 1 && x < 2) {
@@ -238,7 +238,7 @@
         } else if (x >= 2 && x <= 3) {
             return ((x-2) * rightWidth) + leftWidth + centerWidth;
         } else {
-            throw new AssertionError("Invalid x");
+            throw new IllegalArgumentException("Invalid x");
         }
     }
 
@@ -248,10 +248,10 @@
      *
      * @param y an encoded y value (0...1, or 1...2, or 2...3)
      * @return the decoded y value
+     * @throws IllegalArgumentException
+     *      if {@code y < 0} or {@code y > 3}
      */
     protected final float decodeY(float y) {
-        if (ctx.canvasSize == null) return y;
-
         if (y >= 0 && y <= 1) {
             return y * topHeight;
         } else if (y > 1 && y < 2) {
@@ -259,7 +259,7 @@
         } else if (y >= 2 && y <= 3) {
             return ((y-2) * bottomHeight) + topHeight + centerHeight;
         } else {
-            throw new AssertionError("Invalid y");
+            throw new IllegalArgumentException("Invalid y");
         }
     }
 
@@ -271,10 +271,10 @@
      * @param x an encoded x value of the bezier control point (0...1, or 1...2, or 2...3)
      * @param dx the offset distance to the anchor from the control point x
      * @return the decoded x location of the control point
+     * @throws IllegalArgumentException
+     *      if {@code x < 0} or {@code x > 3}
      */
     protected final float decodeAnchorX(float x, float dx) {
-        if (ctx.canvasSize == null) return x + dx;
-
         if (x >= 0 && x <= 1) {
             return decodeX(x) + (dx * leftScale);
         } else if (x > 1 && x < 2) {
@@ -282,7 +282,7 @@
         } else if (x >= 2 && x <= 3) {
             return decodeX(x) + (dx * rightScale);
         } else {
-            throw new AssertionError("Invalid x");
+            throw new IllegalArgumentException("Invalid x");
         }
     }
 
@@ -294,10 +294,10 @@
      * @param y an encoded y value of the bezier control point (0...1, or 1...2, or 2...3)
      * @param dy the offset distance to the anchor from the control point y
      * @return the decoded y position of the control point
+     * @throws IllegalArgumentException
+     *      if {@code y < 0} or {@code y > 3}
      */
     protected final float decodeAnchorY(float y, float dy) {
-        if (ctx.canvasSize == null) return y + dy;
-
         if (y >= 0 && y <= 1) {
             return decodeY(y) + (dy * topScale);
         } else if (y > 1 && y < 2) {
@@ -305,7 +305,7 @@
         } else if (y >= 2 && y <= 3) {
             return decodeY(y) + (dy * bottomScale);
         } else {
-            throw new AssertionError("Invalid y");
+            throw new IllegalArgumentException("Invalid y");
         }
     }
 
@@ -363,6 +363,15 @@
      * @param midpoints
      * @param colors
      * @return a valid LinearGradientPaint. This method never returns null.
+     * @throws NullPointerException
+     *      if {@code midpoints} array is null,
+     *      or {@code colors} array is null,
+     * @throws IllegalArgumentException
+     *      if start and end points are the same points,
+     *      or {@code midpoints.length != colors.length},
+     *      or {@code colors} is less than 2 in size,
+     *      or a {@code midpoints} value is less than 0.0 or greater than 1.0,
+     *      or the {@code midpoints} are not provided in strictly increasing order
      */
     protected final LinearGradientPaint decodeGradient(float x1, float y1, float x2, float y2, float[] midpoints, Color[] colors) {
         if (x1 == x2 && y1 == y2) {
@@ -384,6 +393,15 @@
      * @param midpoints
      * @param colors
      * @return a valid RadialGradientPaint. This method never returns null.
+     * @throws NullPointerException
+     *      if {@code midpoints} array is null,
+     *      or {@code colors} array is null
+     * @throws IllegalArgumentException
+     *      if {@code r} is non-positive,
+     *      or {@code midpoints.length != colors.length},
+     *      or {@code colors} is less than 2 in size,
+     *      or a {@code midpoints} value is less than 0.0 or greater than 1.0,
+     *      or the {@code midpoints} are not provided in strictly increasing order
      */
     protected final RadialGradientPaint decodeRadialGradient(float x, float y, float r, float[] midpoints, Color[] colors) {
         if (r == 0f) {
@@ -537,10 +555,10 @@
             this.maxVerticalScaleFactor = maxV;
 
             if (canvasSize != null) {
-                a = insets.left;
-                b = canvasSize.width - insets.right;
-                c = insets.top;
-                d = canvasSize.height - insets.bottom;
+                a = stretchingInsets.left;
+                b = canvasSize.width - stretchingInsets.right;
+                c = stretchingInsets.top;
+                d = canvasSize.height - stretchingInsets.bottom;
                 this.canvasSize = canvasSize;
                 this.inverted = inverted;
                 if (inverted) {
--- a/src/share/classes/javax/swing/plaf/nimbus/NimbusIcon.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/nimbus/NimbusIcon.java	Tue Aug 11 20:06:52 2009 -0600
@@ -84,6 +84,8 @@
                         translatex = 1;
                     }
                 }
+            } else if (c instanceof JMenu) {
+                flip = ! c.getComponentOrientation().isLeftToRight();
             }
             if (g instanceof Graphics2D){
                 Graphics2D gfx = (Graphics2D)g;
--- a/src/share/classes/javax/swing/plaf/synth/Region.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/plaf/synth/Region.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,8 +24,13 @@
  */
 package javax.swing.plaf.synth;
 
-import javax.swing.*;
-import java.util.*;
+import sun.awt.AppContext;
+
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import javax.swing.JComponent;
+import javax.swing.UIDefaults;
 
 /**
  * A distinct rendering area of a Swing component.  A component may
@@ -67,8 +72,8 @@
  * @author Scott Violet
  */
 public class Region {
-    private static final Map<String, Region> uiToRegionMap = new HashMap<String, Region>();
-    private static final Map<Region, String> lowerCaseNameMap = new HashMap<Region, String>();
+    private static final Object UI_TO_REGION_MAP_KEY = new Object();
+    private static final Object LOWER_CASE_NAME_MAP_KEY = new Object();
 
     /**
      * ArrowButton's are special types of buttons that also render a
@@ -77,396 +82,433 @@
      * To bind a style to this <code>Region</code> use the name
      * <code>ArrowButton</code>.
      */
-    public static final Region ARROW_BUTTON = new Region("ArrowButton",
-                                                         "ArrowButtonUI");
+    public static final Region ARROW_BUTTON = new Region("ArrowButton", false);
 
     /**
      * Button region. To bind a style to this <code>Region</code> use the name
      * <code>Button</code>.
      */
-    public static final Region BUTTON = new Region("Button",
-                                                   "ButtonUI");
+    public static final Region BUTTON = new Region("Button", false);
 
     /**
      * CheckBox region. To bind a style to this <code>Region</code> use the name
      * <code>CheckBox</code>.
      */
-    public static final Region CHECK_BOX = new Region("CheckBox",
-                                                   "CheckBoxUI");
+    public static final Region CHECK_BOX = new Region("CheckBox", false);
 
     /**
      * CheckBoxMenuItem region. To bind a style to this <code>Region</code> use
      * the name <code>CheckBoxMenuItem</code>.
      */
-    public static final Region CHECK_BOX_MENU_ITEM = new Region(
-                                     "CheckBoxMenuItem", "CheckBoxMenuItemUI");
+    public static final Region CHECK_BOX_MENU_ITEM = new Region("CheckBoxMenuItem", false);
 
     /**
      * ColorChooser region. To bind a style to this <code>Region</code> use
      * the name <code>ColorChooser</code>.
      */
-    public static final Region COLOR_CHOOSER = new Region(
-                                     "ColorChooser", "ColorChooserUI");
+    public static final Region COLOR_CHOOSER = new Region("ColorChooser", false);
 
     /**
      * ComboBox region. To bind a style to this <code>Region</code> use
      * the name <code>ComboBox</code>.
      */
-    public static final Region COMBO_BOX = new Region(
-                                     "ComboBox", "ComboBoxUI");
+    public static final Region COMBO_BOX = new Region("ComboBox", false);
 
     /**
      * DesktopPane region. To bind a style to this <code>Region</code> use
      * the name <code>DesktopPane</code>.
      */
-    public static final Region DESKTOP_PANE = new Region("DesktopPane",
-                                                         "DesktopPaneUI");
+    public static final Region DESKTOP_PANE = new Region("DesktopPane", false);
+
     /**
      * DesktopIcon region. To bind a style to this <code>Region</code> use
      * the name <code>DesktopIcon</code>.
      */
-    public static final Region DESKTOP_ICON = new Region("DesktopIcon",
-                                                         "DesktopIconUI");
+    public static final Region DESKTOP_ICON = new Region("DesktopIcon", false);
 
     /**
      * EditorPane region. To bind a style to this <code>Region</code> use
      * the name <code>EditorPane</code>.
      */
-    public static final Region EDITOR_PANE = new Region("EditorPane",
-                                                        "EditorPaneUI");
+    public static final Region EDITOR_PANE = new Region("EditorPane", false);
 
     /**
      * FileChooser region. To bind a style to this <code>Region</code> use
      * the name <code>FileChooser</code>.
      */
-    public static final Region FILE_CHOOSER = new Region("FileChooser",
-                                                         "FileChooserUI");
+    public static final Region FILE_CHOOSER = new Region("FileChooser", false);
 
     /**
      * FormattedTextField region. To bind a style to this <code>Region</code> use
      * the name <code>FormattedTextField</code>.
      */
-    public static final Region FORMATTED_TEXT_FIELD = new Region(
-                            "FormattedTextField", "FormattedTextFieldUI");
+    public static final Region FORMATTED_TEXT_FIELD = new Region("FormattedTextField", false);
 
     /**
      * InternalFrame region. To bind a style to this <code>Region</code> use
      * the name <code>InternalFrame</code>.
      */
-    public static final Region INTERNAL_FRAME = new Region("InternalFrame",
-                                                           "InternalFrameUI");
+    public static final Region INTERNAL_FRAME = new Region("InternalFrame", false);
+
     /**
      * TitlePane of an InternalFrame. The TitlePane typically
      * shows a menu, title, widgets to manipulate the internal frame.
      * To bind a style to this <code>Region</code> use the name
      * <code>InternalFrameTitlePane</code>.
      */
-    public static final Region INTERNAL_FRAME_TITLE_PANE =
-                         new Region("InternalFrameTitlePane",
-                                    "InternalFrameTitlePaneUI");
+    public static final Region INTERNAL_FRAME_TITLE_PANE = new Region("InternalFrameTitlePane", false);
 
     /**
      * Label region. To bind a style to this <code>Region</code> use the name
      * <code>Label</code>.
      */
-    public static final Region LABEL = new Region("Label", "LabelUI");
+    public static final Region LABEL = new Region("Label", false);
 
     /**
      * List region. To bind a style to this <code>Region</code> use the name
      * <code>List</code>.
      */
-    public static final Region LIST = new Region("List", "ListUI");
+    public static final Region LIST = new Region("List", false);
 
     /**
      * Menu region. To bind a style to this <code>Region</code> use the name
      * <code>Menu</code>.
      */
-    public static final Region MENU = new Region("Menu", "MenuUI");
+    public static final Region MENU = new Region("Menu", false);
 
     /**
      * MenuBar region. To bind a style to this <code>Region</code> use the name
      * <code>MenuBar</code>.
      */
-    public static final Region MENU_BAR = new Region("MenuBar", "MenuBarUI");
+    public static final Region MENU_BAR = new Region("MenuBar", false);
 
     /**
      * MenuItem region. To bind a style to this <code>Region</code> use the name
      * <code>MenuItem</code>.
      */
-    public static final Region MENU_ITEM = new Region("MenuItem","MenuItemUI");
+    public static final Region MENU_ITEM = new Region("MenuItem", false);
 
     /**
      * Accelerator region of a MenuItem. To bind a style to this
      * <code>Region</code> use the name <code>MenuItemAccelerator</code>.
      */
-    public static final Region MENU_ITEM_ACCELERATOR = new Region(
-                                         "MenuItemAccelerator");
+    public static final Region MENU_ITEM_ACCELERATOR = new Region("MenuItemAccelerator", true);
 
     /**
      * OptionPane region. To bind a style to this <code>Region</code> use
      * the name <code>OptionPane</code>.
      */
-    public static final Region OPTION_PANE = new Region("OptionPane",
-                                                        "OptionPaneUI");
+    public static final Region OPTION_PANE = new Region("OptionPane", false);
 
     /**
      * Panel region. To bind a style to this <code>Region</code> use the name
      * <code>Panel</code>.
      */
-    public static final Region PANEL = new Region("Panel", "PanelUI");
+    public static final Region PANEL = new Region("Panel", false);
 
     /**
      * PasswordField region. To bind a style to this <code>Region</code> use
      * the name <code>PasswordField</code>.
      */
-    public static final Region PASSWORD_FIELD = new Region("PasswordField",
-                                                           "PasswordFieldUI");
+    public static final Region PASSWORD_FIELD = new Region("PasswordField", false);
 
     /**
      * PopupMenu region. To bind a style to this <code>Region</code> use
      * the name <code>PopupMenu</code>.
      */
-    public static final Region POPUP_MENU = new Region("PopupMenu",
-                                                       "PopupMenuUI");
+    public static final Region POPUP_MENU = new Region("PopupMenu", false);
 
     /**
      * PopupMenuSeparator region. To bind a style to this <code>Region</code>
      * use the name <code>PopupMenuSeparator</code>.
      */
-    public static final Region POPUP_MENU_SEPARATOR = new Region(
-                           "PopupMenuSeparator", "PopupMenuSeparatorUI");
+    public static final Region POPUP_MENU_SEPARATOR = new Region("PopupMenuSeparator", false);
 
     /**
      * ProgressBar region. To bind a style to this <code>Region</code>
      * use the name <code>ProgressBar</code>.
      */
-    public static final Region PROGRESS_BAR = new Region("ProgressBar",
-                                                         "ProgressBarUI");
+    public static final Region PROGRESS_BAR = new Region("ProgressBar", false);
 
     /**
      * RadioButton region. To bind a style to this <code>Region</code>
      * use the name <code>RadioButton</code>.
      */
-    public static final Region RADIO_BUTTON = new Region(
-                               "RadioButton", "RadioButtonUI");
+    public static final Region RADIO_BUTTON = new Region("RadioButton", false);
 
     /**
      * RegionButtonMenuItem region. To bind a style to this <code>Region</code>
      * use the name <code>RadioButtonMenuItem</code>.
      */
-    public static final Region RADIO_BUTTON_MENU_ITEM = new Region(
-                               "RadioButtonMenuItem", "RadioButtonMenuItemUI");
+    public static final Region RADIO_BUTTON_MENU_ITEM = new Region("RadioButtonMenuItem", false);
 
     /**
      * RootPane region. To bind a style to this <code>Region</code> use
      * the name <code>RootPane</code>.
      */
-    public static final Region ROOT_PANE = new Region("RootPane",
-                                                      "RootPaneUI");
+    public static final Region ROOT_PANE = new Region("RootPane", false);
 
     /**
      * ScrollBar region. To bind a style to this <code>Region</code> use
      * the name <code>ScrollBar</code>.
      */
-    public static final Region SCROLL_BAR = new Region("ScrollBar",
-                                                       "ScrollBarUI");
+    public static final Region SCROLL_BAR = new Region("ScrollBar", false);
+
     /**
      * Track of the ScrollBar. To bind a style to this <code>Region</code> use
      * the name <code>ScrollBarTrack</code>.
      */
-    public static final Region SCROLL_BAR_TRACK = new Region("ScrollBarTrack");
+    public static final Region SCROLL_BAR_TRACK = new Region("ScrollBarTrack", true);
+
     /**
      * Thumb of the ScrollBar. The thumb is the region of the ScrollBar
      * that gives a graphical depiction of what percentage of the View is
      * currently visible. To bind a style to this <code>Region</code> use
      * the name <code>ScrollBarThumb</code>.
      */
-    public static final Region SCROLL_BAR_THUMB = new Region("ScrollBarThumb");
+    public static final Region SCROLL_BAR_THUMB = new Region("ScrollBarThumb", true);
 
     /**
      * ScrollPane region. To bind a style to this <code>Region</code> use
      * the name <code>ScrollPane</code>.
      */
-    public static final Region SCROLL_PANE = new Region("ScrollPane",
-                                                        "ScrollPaneUI");
+    public static final Region SCROLL_PANE = new Region("ScrollPane", false);
 
     /**
      * Separator region. To bind a style to this <code>Region</code> use
      * the name <code>Separator</code>.
      */
-    public static final Region SEPARATOR = new Region("Separator",
-                                                      "SeparatorUI");
+    public static final Region SEPARATOR = new Region("Separator", false);
 
     /**
      * Slider region. To bind a style to this <code>Region</code> use
      * the name <code>Slider</code>.
      */
-    public static final Region SLIDER = new Region("Slider", "SliderUI");
+    public static final Region SLIDER = new Region("Slider", false);
+
     /**
      * Track of the Slider. To bind a style to this <code>Region</code> use
      * the name <code>SliderTrack</code>.
      */
-    public static final Region SLIDER_TRACK = new Region("SliderTrack");
+    public static final Region SLIDER_TRACK = new Region("SliderTrack", true);
+
     /**
      * Thumb of the Slider. The thumb of the Slider identifies the current
      * value. To bind a style to this <code>Region</code> use the name
      * <code>SliderThumb</code>.
      */
-    public static final Region SLIDER_THUMB = new Region("SliderThumb");
+    public static final Region SLIDER_THUMB = new Region("SliderThumb", true);
 
     /**
      * Spinner region. To bind a style to this <code>Region</code> use the name
      * <code>Spinner</code>.
      */
-    public static final Region SPINNER = new Region("Spinner", "SpinnerUI");
+    public static final Region SPINNER = new Region("Spinner", false);
 
     /**
      * SplitPane region. To bind a style to this <code>Region</code> use the name
      * <code>SplitPane</code>.
      */
-    public static final Region SPLIT_PANE = new Region("SplitPane",
-                                                      "SplitPaneUI");
+    public static final Region SPLIT_PANE = new Region("SplitPane", false);
 
     /**
      * Divider of the SplitPane. To bind a style to this <code>Region</code>
      * use the name <code>SplitPaneDivider</code>.
      */
-    public static final Region SPLIT_PANE_DIVIDER = new Region(
-                                        "SplitPaneDivider");
+    public static final Region SPLIT_PANE_DIVIDER = new Region("SplitPaneDivider", true);
 
     /**
      * TabbedPane region. To bind a style to this <code>Region</code> use
      * the name <code>TabbedPane</code>.
      */
-    public static final Region TABBED_PANE = new Region("TabbedPane",
-                                                        "TabbedPaneUI");
+    public static final Region TABBED_PANE = new Region("TabbedPane", false);
+
     /**
      * Region of a TabbedPane for one tab. To bind a style to this
      * <code>Region</code> use the name <code>TabbedPaneTab</code>.
      */
-    public static final Region TABBED_PANE_TAB = new Region("TabbedPaneTab");
+    public static final Region TABBED_PANE_TAB = new Region("TabbedPaneTab", true);
+
     /**
      * Region of a TabbedPane containing the tabs. To bind a style to this
      * <code>Region</code> use the name <code>TabbedPaneTabArea</code>.
      */
-    public static final Region TABBED_PANE_TAB_AREA =
-                                 new Region("TabbedPaneTabArea");
+    public static final Region TABBED_PANE_TAB_AREA = new Region("TabbedPaneTabArea", true);
+
     /**
      * Region of a TabbedPane containing the content. To bind a style to this
      * <code>Region</code> use the name <code>TabbedPaneContent</code>.
      */
-    public static final Region TABBED_PANE_CONTENT =
-                                 new Region("TabbedPaneContent");
+    public static final Region TABBED_PANE_CONTENT = new Region("TabbedPaneContent", true);
 
     /**
      * Table region. To bind a style to this <code>Region</code> use
      * the name <code>Table</code>.
      */
-    public static final Region TABLE = new Region("Table", "TableUI");
+    public static final Region TABLE = new Region("Table", false);
 
     /**
      * TableHeader region. To bind a style to this <code>Region</code> use
      * the name <code>TableHeader</code>.
      */
-    public static final Region TABLE_HEADER = new Region("TableHeader",
-                                                         "TableHeaderUI");
+    public static final Region TABLE_HEADER = new Region("TableHeader", false);
+
     /**
      * TextArea region. To bind a style to this <code>Region</code> use
      * the name <code>TextArea</code>.
      */
-    public static final Region TEXT_AREA = new Region("TextArea",
-                                                      "TextAreaUI");
+    public static final Region TEXT_AREA = new Region("TextArea", false);
 
     /**
      * TextField region. To bind a style to this <code>Region</code> use
      * the name <code>TextField</code>.
      */
-    public static final Region TEXT_FIELD = new Region("TextField",
-                                                       "TextFieldUI");
+    public static final Region TEXT_FIELD = new Region("TextField", false);
 
     /**
      * TextPane region. To bind a style to this <code>Region</code> use
      * the name <code>TextPane</code>.
      */
-    public static final Region TEXT_PANE = new Region("TextPane",
-                                                      "TextPaneUI");
+    public static final Region TEXT_PANE = new Region("TextPane", false);
 
     /**
      * ToggleButton region. To bind a style to this <code>Region</code> use
      * the name <code>ToggleButton</code>.
      */
-    public static final Region TOGGLE_BUTTON = new Region("ToggleButton",
-                                                          "ToggleButtonUI");
+    public static final Region TOGGLE_BUTTON = new Region("ToggleButton", false);
 
     /**
      * ToolBar region. To bind a style to this <code>Region</code> use
      * the name <code>ToolBar</code>.
      */
-    public static final Region TOOL_BAR = new Region("ToolBar", "ToolBarUI");
+    public static final Region TOOL_BAR = new Region("ToolBar", false);
+
     /**
      * Region of the ToolBar containing the content. To bind a style to this
      * <code>Region</code> use the name <code>ToolBarContent</code>.
      */
-    public static final Region TOOL_BAR_CONTENT = new Region("ToolBarContent");
+    public static final Region TOOL_BAR_CONTENT = new Region("ToolBarContent", true);
+
     /**
      * Region for the Window containing the ToolBar. To bind a style to this
      * <code>Region</code> use the name <code>ToolBarDragWindow</code>.
      */
-    public static final Region TOOL_BAR_DRAG_WINDOW = new Region(
-                                        "ToolBarDragWindow", null, false);
+    public static final Region TOOL_BAR_DRAG_WINDOW = new Region("ToolBarDragWindow", false);
 
     /**
      * ToolTip region. To bind a style to this <code>Region</code> use
      * the name <code>ToolTip</code>.
      */
-    public static final Region TOOL_TIP = new Region("ToolTip", "ToolTipUI");
+    public static final Region TOOL_TIP = new Region("ToolTip", false);
 
     /**
      * ToolBar separator region. To bind a style to this <code>Region</code> use
      * the name <code>ToolBarSeparator</code>.
      */
-    public static final Region TOOL_BAR_SEPARATOR = new Region(
-                          "ToolBarSeparator", "ToolBarSeparatorUI");
+    public static final Region TOOL_BAR_SEPARATOR = new Region("ToolBarSeparator", false);
 
     /**
      * Tree region. To bind a style to this <code>Region</code> use the name
      * <code>Tree</code>.
      */
-    public static final Region TREE = new Region("Tree", "TreeUI");
+    public static final Region TREE = new Region("Tree", false);
+
     /**
      * Region of the Tree for one cell. To bind a style to this
      * <code>Region</code> use the name <code>TreeCell</code>.
      */
-    public static final Region TREE_CELL = new Region("TreeCell");
+    public static final Region TREE_CELL = new Region("TreeCell", true);
 
     /**
      * Viewport region. To bind a style to this <code>Region</code> use
      * the name <code>Viewport</code>.
      */
-    public static final Region VIEWPORT = new Region("Viewport", "ViewportUI");
+    public static final Region VIEWPORT = new Region("Viewport", false);
 
+    private static Map<String, Region> getUItoRegionMap() {
+        AppContext context = AppContext.getAppContext();
+        Map<String, Region> map = (Map<String, Region>) context.get(UI_TO_REGION_MAP_KEY);
+        if (map == null) {
+            map = new HashMap<String, Region>();
+            map.put("ArrowButtonUI", ARROW_BUTTON);
+            map.put("ButtonUI", BUTTON);
+            map.put("CheckBoxUI", CHECK_BOX);
+            map.put("CheckBoxMenuItemUI", CHECK_BOX_MENU_ITEM);
+            map.put("ColorChooserUI", COLOR_CHOOSER);
+            map.put("ComboBoxUI", COMBO_BOX);
+            map.put("DesktopPaneUI", DESKTOP_PANE);
+            map.put("DesktopIconUI", DESKTOP_ICON);
+            map.put("EditorPaneUI", EDITOR_PANE);
+            map.put("FileChooserUI", FILE_CHOOSER);
+            map.put("FormattedTextFieldUI", FORMATTED_TEXT_FIELD);
+            map.put("InternalFrameUI", INTERNAL_FRAME);
+            map.put("InternalFrameTitlePaneUI", INTERNAL_FRAME_TITLE_PANE);
+            map.put("LabelUI", LABEL);
+            map.put("ListUI", LIST);
+            map.put("MenuUI", MENU);
+            map.put("MenuBarUI", MENU_BAR);
+            map.put("MenuItemUI", MENU_ITEM);
+            map.put("OptionPaneUI", OPTION_PANE);
+            map.put("PanelUI", PANEL);
+            map.put("PasswordFieldUI", PASSWORD_FIELD);
+            map.put("PopupMenuUI", POPUP_MENU);
+            map.put("PopupMenuSeparatorUI", POPUP_MENU_SEPARATOR);
+            map.put("ProgressBarUI", PROGRESS_BAR);
+            map.put("RadioButtonUI", RADIO_BUTTON);
+            map.put("RadioButtonMenuItemUI", RADIO_BUTTON_MENU_ITEM);
+            map.put("RootPaneUI", ROOT_PANE);
+            map.put("ScrollBarUI", SCROLL_BAR);
+            map.put("ScrollPaneUI", SCROLL_PANE);
+            map.put("SeparatorUI", SEPARATOR);
+            map.put("SliderUI", SLIDER);
+            map.put("SpinnerUI", SPINNER);
+            map.put("SplitPaneUI", SPLIT_PANE);
+            map.put("TabbedPaneUI", TABBED_PANE);
+            map.put("TableUI", TABLE);
+            map.put("TableHeaderUI", TABLE_HEADER);
+            map.put("TextAreaUI", TEXT_AREA);
+            map.put("TextFieldUI", TEXT_FIELD);
+            map.put("TextPaneUI", TEXT_PANE);
+            map.put("ToggleButtonUI", TOGGLE_BUTTON);
+            map.put("ToolBarUI", TOOL_BAR);
+            map.put("ToolTipUI", TOOL_TIP);
+            map.put("ToolBarSeparatorUI", TOOL_BAR_SEPARATOR);
+            map.put("TreeUI", TREE);
+            map.put("ViewportUI", VIEWPORT);
+            context.put(UI_TO_REGION_MAP_KEY, map);
+        }
+        return map;
+    }
 
-    private String name;
-    private boolean subregion;
-
+    private static Map<Region, String> getLowerCaseNameMap() {
+        AppContext context = AppContext.getAppContext();
+        Map<Region, String> map = (Map<Region, String>) context.get(LOWER_CASE_NAME_MAP_KEY);
+        if (map == null) {
+            map = new HashMap<Region, String>();
+            context.put(LOWER_CASE_NAME_MAP_KEY, map);
+        }
+        return map;
+    }
 
     static Region getRegion(JComponent c) {
-        return uiToRegionMap.get(c.getUIClassID());
+        return getUItoRegionMap().get(c.getUIClassID());
     }
 
     static void registerUIs(UIDefaults table) {
-        for (String key : uiToRegionMap.keySet()) {
+        for (Object key : getUItoRegionMap().keySet()) {
             table.put(key, "javax.swing.plaf.synth.SynthLookAndFeel");
         }
     }
 
+    private final String name;
+    private final boolean subregion;
 
-    Region(String name) {
-        this(name, null, true);
-    }
-
-    Region(String name, String ui) {
-        this(name, ui, false);
+    private Region(String name, boolean subregion) {
+        if (name == null) {
+            throw new NullPointerException("You must specify a non-null name");
+        }
+        this.name = name;
+        this.subregion = subregion;
     }
 
     /**
@@ -481,14 +523,10 @@
      * @param subregion Whether or not this is a subregion.
      */
     protected Region(String name, String ui, boolean subregion) {
-        if (name == null) {
-            throw new NullPointerException("You must specify a non-null name");
+        this(name, subregion);
+        if (ui != null) {
+            getUItoRegionMap().put(ui, this);
         }
-        this.name = name;
-        if (ui != null) {
-            uiToRegionMap.put(ui, this);
-        }
-        this.subregion = subregion;
     }
 
     /**
@@ -514,16 +552,17 @@
 
     /**
      * Returns the name, in lowercase.
+     *
+     * @return lower case representation of the name of the Region
      */
     String getLowerCaseName() {
-        synchronized(lowerCaseNameMap) {
-            String lowerCaseName = lowerCaseNameMap.get(this);
-            if (lowerCaseName == null) {
-                lowerCaseName = getName().toLowerCase();
-                lowerCaseNameMap.put(this, lowerCaseName);
-            }
-            return lowerCaseName;
+        Map<Region, String> lowerCaseNameMap = getLowerCaseNameMap();
+        String lowerCaseName = lowerCaseNameMap.get(this);
+        if (lowerCaseName == null) {
+            lowerCaseName = name.toLowerCase(Locale.ENGLISH);
+            lowerCaseNameMap.put(this, lowerCaseName);
         }
+        return lowerCaseName;
     }
 
     /**
@@ -531,6 +570,7 @@
      *
      * @return name of the Region.
      */
+    @Override
     public String toString() {
         return name;
     }
--- a/src/share/classes/javax/swing/text/GlyphView.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/text/GlyphView.java	Tue Aug 11 20:06:52 2009 -0600
@@ -719,8 +719,9 @@
             checkPainter();
             int p0 = getStartOffset();
             int p1 = painter.getBoundedPosition(this, p0, pos, len);
-            return ((p1 > p0) && (getBreakSpot(p0, p1) != BreakIterator.DONE)) ?
-                    View.ExcellentBreakWeight : View.BadBreakWeight;
+            return p1 == p0 ? View.BadBreakWeight :
+                   getBreakSpot(p0, p1) != BreakIterator.DONE ?
+                            View.ExcellentBreakWeight : View.GoodBreakWeight;
         }
         return super.getBreakWeight(axis, pos, len);
     }
--- a/src/share/classes/javax/swing/text/LayoutQueue.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/text/LayoutQueue.java	Tue Aug 11 20:06:52 2009 -0600
@@ -25,6 +25,7 @@
 package javax.swing.text;
 
 import java.util.Vector;
+import sun.awt.AppContext;
 
 /**
  * A queue of text layout tasks.
@@ -35,10 +36,10 @@
  */
 public class LayoutQueue {
 
-    Vector<Runnable> tasks;
-    Thread worker;
+    private static final Object DEFAULT_QUEUE = new Object();
 
-    static LayoutQueue defaultQueue;
+    private Vector<Runnable> tasks;
+    private Thread worker;
 
     /**
      * Construct a layout queue.
@@ -51,10 +52,15 @@
      * Fetch the default layout queue.
      */
     public static LayoutQueue getDefaultQueue() {
-        if (defaultQueue == null) {
-            defaultQueue = new LayoutQueue();
+        AppContext ac = AppContext.getAppContext();
+        synchronized (DEFAULT_QUEUE) {
+            LayoutQueue defaultQueue = (LayoutQueue) ac.get(DEFAULT_QUEUE);
+            if (defaultQueue == null) {
+                defaultQueue = new LayoutQueue();
+                ac.put(DEFAULT_QUEUE, defaultQueue);
+            }
+            return defaultQueue;
         }
-        return defaultQueue;
     }
 
     /**
@@ -63,7 +69,9 @@
      * @param q the new queue.
      */
     public static void setDefaultQueue(LayoutQueue q) {
-        defaultQueue = q;
+        synchronized (DEFAULT_QUEUE) {
+            AppContext.getAppContext().put(DEFAULT_QUEUE, q);
+        }
     }
 
     /**
--- a/src/share/classes/javax/swing/text/ParagraphView.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/javax/swing/text/ParagraphView.java	Tue Aug 11 20:06:52 2009 -0600
@@ -175,23 +175,6 @@
     }
 
     /**
-     * Adjusts the given row if possible to fit within the
-     * layout span.  By default this will try to find the
-     * highest break weight possible nearest the end of
-     * the row.  If a forced break is encountered, the
-     * break will be positioned there.
-     * <p>
-     * This is meant for internal usage, and should not be used directly.
-     *
-     * @param r the row to adjust to the current layout
-     *          span
-     * @param desiredSpan the current layout span >= 0
-     * @param x the location r starts at
-     */
-    protected void adjustRow(Row r, int desiredSpan, int x) {
-    }
-
-    /**
      * Returns the next visual position for the cursor, in
      * either the east or west direction.
      * Overridden from <code>CompositeView</code>.
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMHMACSignatureMethod.java	Tue Aug 11 20:06:52 2009 -0600
@@ -19,7 +19,7 @@
  *
  */
 /*
- * Copyright 2005-2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc. All rights reserved.
  */
 /*
  * $Id: DOMHMACSignatureMethod.java,v 1.2 2008/07/24 15:20:32 mullan Exp $
@@ -58,6 +58,7 @@
         Logger.getLogger("org.jcp.xml.dsig.internal.dom");
     private Mac hmac;
     private int outputLength;
+    private boolean outputLengthSet;
 
     /**
      * Creates a <code>DOMHMACSignatureMethod</code> with the specified params
@@ -87,6 +88,7 @@
                     ("params must be of type HMACParameterSpec");
             }
             outputLength = ((HMACParameterSpec) params).getOutputLength();
+            outputLengthSet = true;
             if (log.isLoggable(Level.FINE)) {
                 log.log(Level.FINE,
                     "Setting outputLength from HMACParameterSpec to: "
@@ -101,6 +103,7 @@
         throws MarshalException {
         outputLength = new Integer
             (paramsElem.getFirstChild().getNodeValue()).intValue();
+        outputLengthSet = true;
         if (log.isLoggable(Level.FINE)) {
             log.log(Level.FINE, "unmarshalled outputLength: " + outputLength);
         }
@@ -135,23 +138,13 @@
                 throw new XMLSignatureException(nsae);
             }
         }
-        if (log.isLoggable(Level.FINE)) {
-            log.log(Level.FINE, "outputLength = " + outputLength);
+        if (outputLengthSet && outputLength < getDigestLength()) {
+            throw new XMLSignatureException
+                ("HMACOutputLength must not be less than " + getDigestLength());
         }
         hmac.init((SecretKey) key);
         si.canonicalize(context, new MacOutputStream(hmac));
         byte[] result = hmac.doFinal();
-        if (log.isLoggable(Level.FINE)) {
-            log.log(Level.FINE, "resultLength = " + result.length);
-        }
-        if (outputLength != -1) {
-            int byteLength = outputLength/8;
-            if (result.length > byteLength) {
-                byte[] truncated = new byte[byteLength];
-                System.arraycopy(result, 0, truncated, 0, byteLength);
-                result = truncated;
-            }
-        }
 
         return MessageDigest.isEqual(sig, result);
     }
@@ -171,18 +164,13 @@
                 throw new XMLSignatureException(nsae);
             }
         }
+        if (outputLengthSet && outputLength < getDigestLength()) {
+            throw new XMLSignatureException
+                ("HMACOutputLength must not be less than " + getDigestLength());
+        }
         hmac.init((SecretKey) key);
         si.canonicalize(context, new MacOutputStream(hmac));
-        byte[] result = hmac.doFinal();
-        if (outputLength != -1) {
-            int byteLength = outputLength/8;
-            if (result.length > byteLength) {
-                byte[] truncated = new byte[byteLength];
-                System.arraycopy(result, 0, truncated, 0, byteLength);
-                result = truncated;
-            }
-        }
-        return result;
+        return hmac.doFinal();
     }
 
     boolean paramsEqual(AlgorithmParameterSpec spec) {
@@ -197,6 +185,11 @@
         return (outputLength == ospec.getOutputLength());
     }
 
+    /**
+     * Returns the output length of the hash/digest.
+     */
+    abstract int getDigestLength();
+
     static final class SHA1 extends DOMHMACSignatureMethod {
         SHA1(AlgorithmParameterSpec params)
             throws InvalidAlgorithmParameterException {
@@ -211,6 +204,9 @@
         String getSignatureAlgorithm() {
             return "HmacSHA1";
         }
+        int getDigestLength() {
+            return 160;
+        }
     }
 
     static final class SHA256 extends DOMHMACSignatureMethod {
@@ -227,6 +223,9 @@
         String getSignatureAlgorithm() {
             return "HmacSHA256";
         }
+        int getDigestLength() {
+            return 256;
+        }
     }
 
     static final class SHA384 extends DOMHMACSignatureMethod {
@@ -243,6 +242,9 @@
         String getSignatureAlgorithm() {
             return "HmacSHA384";
         }
+        int getDigestLength() {
+            return 384;
+        }
     }
 
     static final class SHA512 extends DOMHMACSignatureMethod {
@@ -259,5 +261,8 @@
         String getSignatureAlgorithm() {
             return "HmacSHA512";
         }
+        int getDigestLength() {
+            return 512;
+        }
     }
 }
--- a/src/share/classes/sun/awt/shell/ShellFolder.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/awt/shell/ShellFolder.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -289,8 +289,8 @@
 
         // To avoid loads of synchronizations with Invoker and improve performance we
         // synchronize the whole code of the sort method once
-        getInvoker().invoke(new Callable<Void>() {
-            public Void call() throws Exception {
+        invoke(new Callable<Void>() {
+            public Void call() {
                 // Check that we can use the ShellFolder.sortChildren() method:
                 //   1. All files have the same non-null parent
                 //   2. All files is ShellFolders
@@ -330,8 +330,8 @@
     public void sortChildren(final List<? extends File> files) {
         // To avoid loads of synchronizations with Invoker and improve performance we
         // synchronize the whole code of the sort method once
-        getInvoker().invoke(new Callable<Void>() {
-            public Void call() throws Exception {
+        invoke(new Callable<Void>() {
+            public Void call() {
                 Collections.sort(files, FILE_COMPARATOR);
 
                 return null;
@@ -502,17 +502,61 @@
     }
 
     /**
+     * Invokes the {@code task} which doesn't throw checked exceptions
+     * from its {@code call} method. If invokation is interrupted then Thread.currentThread().isInterrupted() will
+     * be set and result will be {@code null}
+     */
+    public static <T> T invoke(Callable<T> task) {
+        try {
+            return invoke(task, RuntimeException.class);
+        } catch (InterruptedException e) {
+            return null;
+        }
+    }
+
+    /**
+     * Invokes the {@code task} which throws checked exceptions from its {@code call} method.
+     * If invokation is interrupted then Thread.currentThread().isInterrupted() will
+     * be set and InterruptedException will be thrown as well.
+     */
+    public static <T, E extends Throwable> T invoke(Callable<T> task, Class<E> exceptionClass)
+            throws InterruptedException, E {
+        try {
+            return getInvoker().invoke(task);
+        } catch (Exception e) {
+            if (e instanceof RuntimeException) {
+                // Rethrow unchecked exceptions
+                throw (RuntimeException) e;
+            }
+
+            if (e instanceof InterruptedException) {
+                // Set isInterrupted flag for current thread
+                Thread.currentThread().interrupt();
+
+                // Rethrow InterruptedException
+                throw (InterruptedException) e;
+            }
+
+            if (exceptionClass.isInstance(e)) {
+                throw exceptionClass.cast(e);
+            }
+
+            throw new RuntimeException("Unexpected error", e);
+        }
+    }
+
+    /**
      * Interface allowing to invoke tasks in different environments on different platforms.
      */
     public static interface Invoker {
         /**
-         * Invokes a callable task. If the {@code task} throws a checked exception,
-         * it will be wrapped into a {@link RuntimeException}
+         * Invokes a callable task.
          *
          * @param task a task to invoke
+         * @throws Exception {@code InterruptedException} or an exception that was thrown from the {@code task}
          * @return the result of {@code task}'s invokation
          */
-        <T> T invoke(Callable<T> task);
+        <T> T invoke(Callable<T> task) throws Exception;
     }
 
     /**
--- a/src/share/classes/sun/awt/shell/ShellFolderManager.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/awt/shell/ShellFolderManager.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -108,12 +108,8 @@
     }
 
     private static class DirectInvoker implements ShellFolder.Invoker {
-        public <T> T invoke(Callable<T> task) {
-            try {
-                return task.call();
-            } catch (Exception e) {
-                throw new RuntimeException(e);
-            }
+        public <T> T invoke(Callable<T> task) throws Exception {
+            return task.call();
         }
     }
 }
--- a/src/share/classes/sun/dyn/FilterGeneric.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/dyn/FilterGeneric.java	Tue Aug 11 20:06:52 2009 -0600
@@ -16,7 +16,7 @@
  *
  * You should have received a copy of the GNU General Public License version
  * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Sf, tifth Floor, Boston, MA 02110-1301 USA.
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  *
  * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
  * CA 95054 USA or visit www.sun.com if you need additional information or
--- a/src/share/classes/sun/misc/URLClassPath.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/misc/URLClassPath.java	Tue Aug 11 20:06:52 2009 -0600
@@ -51,6 +51,7 @@
 import java.security.PrivilegedExceptionAction;
 import java.security.cert.Certificate;
 import sun.misc.FileURLMapper;
+import sun.net.util.URLUtil;
 
 /**
  * This class is used to maintain a search path of URLs for loading classes
@@ -80,7 +81,7 @@
     ArrayList<Loader> loaders = new ArrayList<Loader>();
 
     /* Map of each URL opened to its corresponding Loader */
-    HashMap<URL, Loader> lmap = new HashMap<URL, Loader>();
+    HashMap<String, Loader> lmap = new HashMap<String, Loader>();
 
     /* The jar protocol handler to use when creating new URLs */
     private URLStreamHandler jarHandler;
@@ -317,7 +318,8 @@
             // Skip this URL if it already has a Loader. (Loader
             // may be null in the case where URL has not been opened
             // but is referenced by a JAR index.)
-            if (lmap.containsKey(url)) {
+            String urlNoFragString = URLUtil.urlNoFragString(url);
+            if (lmap.containsKey(urlNoFragString)) {
                 continue;
             }
             // Otherwise, create a new Loader for the URL.
@@ -336,7 +338,7 @@
             }
             // Finally, add the Loader to the search path.
             loaders.add(loader);
-            lmap.put(url, loader);
+            lmap.put(urlNoFragString, loader);
         }
         return loaders.get(index);
     }
@@ -576,7 +578,7 @@
         private JarIndex index;
         private MetaIndex metaIndex;
         private URLStreamHandler handler;
-        private HashMap<URL, Loader> lmap;
+        private HashMap<String, Loader> lmap;
         private boolean closed = false;
 
         /*
@@ -584,7 +586,7 @@
          * a JAR file.
          */
         JarLoader(URL url, URLStreamHandler jarHandler,
-                  HashMap<URL, Loader> loaderMap)
+                  HashMap<String, Loader> loaderMap)
             throws IOException
         {
             super(new URL("jar", "", -1, url + "!/", jarHandler));
@@ -663,8 +665,9 @@
                                         try {
                                             URL jarURL = new URL(csu, jarfiles[i]);
                                             // If a non-null loader already exists, leave it alone.
-                                            if (!lmap.containsKey(jarURL)) {
-                                                lmap.put(jarURL, null);
+                                            String urlNoFragString = URLUtil.urlNoFragString(jarURL);
+                                            if (!lmap.containsKey(urlNoFragString)) {
+                                                lmap.put(urlNoFragString, null);
                                             }
                                         } catch (MalformedURLException e) {
                                             continue;
@@ -806,7 +809,7 @@
             if (index == null)
                 return null;
 
-            HashSet<URL> visited = new HashSet<URL>();
+            HashSet<String> visited = new HashSet<String>();
             return getResource(name, check, visited);
         }
 
@@ -818,7 +821,7 @@
          * non-existent resource
          */
         Resource getResource(final String name, boolean check,
-                             Set<URL> visited) {
+                             Set<String> visited) {
 
             Resource res;
             Object[] jarFiles;
@@ -843,7 +846,8 @@
 
                     try{
                         url = new URL(csu, jarName);
-                        if ((newLoader = (JarLoader)lmap.get(url)) == null) {
+                        String urlNoFragString = URLUtil.urlNoFragString(url);
+                        if ((newLoader = (JarLoader)lmap.get(urlNoFragString)) == null) {
                             /* no loader has been set up for this jar file
                              * before
                              */
@@ -867,7 +871,7 @@
                             }
 
                             /* put it in the global hashtable */
-                            lmap.put(url, newLoader);
+                            lmap.put(urlNoFragString, newLoader);
                         }
                     } catch (java.security.PrivilegedActionException pae) {
                         continue;
@@ -879,7 +883,7 @@
                     /* Note that the addition of the url to the list of visited
                      * jars incorporates a check for presence in the hashmap
                      */
-                    boolean visitedURL = !visited.add(url);
+                    boolean visitedURL = !visited.add(URLUtil.urlNoFragString(url));
                     if (!visitedURL) {
                         try {
                             newLoader.ensureOpen();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/net/ApplicationProxy.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.net;
+
+import java.net.Proxy;
+import java.net.SocketAddress;
+
+/**
+ * Proxy wrapper class so that we can determine application set
+ * proxies by type.
+ */
+public final class ApplicationProxy extends Proxy {
+    private ApplicationProxy(Proxy proxy) {
+        super(proxy.type(), proxy.address());
+    }
+
+    public static ApplicationProxy create(Proxy proxy) {
+        return new ApplicationProxy(proxy);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/net/util/URLUtil.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.net.util;
+
+import java.net.URL;
+
+/**
+ * URL Utility class.
+ */
+public class URLUtil {
+    /**
+     * Returns a string form of the url suitable for use as a key in HashMap/Sets.
+     *
+     * The string form should be behave in the same manner as the URL when
+     * compared for equality in a HashMap/Set, except that no nameservice
+     * lookup is done on the hostname (only string comparison), and the fragment
+     * is not considered.
+     *
+     * @see java.net.URLStreamHandler.sameFile(java.net.URL)
+     */
+    public static String urlNoFragString(URL url) {
+        StringBuilder strForm = new StringBuilder();
+
+        String protocol = url.getProtocol();
+        if (protocol != null) {
+            /* protocol is compared case-insensitive, so convert to lowercase */
+            protocol = protocol.toLowerCase();
+            strForm.append(protocol);
+            strForm.append("://");
+        }
+
+        String host = url.getHost();
+        if (host != null) {
+            /* host is compared case-insensitive, so convert to lowercase */
+            host = host.toLowerCase();
+            strForm.append(host);
+
+            int port = url.getPort();
+            if (port == -1) {
+                /* if no port is specificed then use the protocols
+                 * default, if there is one */
+                port = url.getDefaultPort();
+            }
+            if (port != -1) {
+                strForm.append(":").append(port);
+            }
+        }
+
+        String file = url.getFile();
+        if (file != null) {
+            strForm.append(file);
+        }
+
+        return strForm.toString();
+    }
+}
+
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Tue Aug 11 20:06:52 2009 -0600
@@ -578,12 +578,20 @@
         responses = new MessageHeader();
         this.handler = handler;
         instProxy = p;
-        cookieHandler = java.security.AccessController.doPrivileged(
-            new java.security.PrivilegedAction<CookieHandler>() {
+        if (instProxy instanceof sun.net.ApplicationProxy) {
+            /* Application set Proxies should not have access to cookies
+             * in a secure environment unless explicitly allowed. */
+            try {
+                cookieHandler = CookieHandler.getDefault();
+            } catch (SecurityException se) { /* swallow exception */ }
+        } else {
+            cookieHandler = java.security.AccessController.doPrivileged(
+                new java.security.PrivilegedAction<CookieHandler>() {
                 public CookieHandler run() {
-                return CookieHandler.getDefault();
-            }
-        });
+                    return CookieHandler.getDefault();
+                }
+            });
+        }
         cacheHandler = java.security.AccessController.doPrivileged(
             new java.security.PrivilegedAction<ResponseCache>() {
                 public ResponseCache run() {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ec/ECDHKeyAgreement.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,189 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.ec;
+
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+
+import javax.crypto.*;
+import javax.crypto.spec.*;
+
+/**
+ * KeyAgreement implementation for ECDH.
+ *
+ * @since   1.7
+ */
+public final class ECDHKeyAgreement extends KeyAgreementSpi {
+
+    // flag indicating whether the native ECC implementation is present
+    private static boolean implementationPresent = true;
+    static {
+        try {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    System.loadLibrary("sunecc");
+                    return null;
+                }
+            });
+        } catch (UnsatisfiedLinkError e) {
+            implementationPresent = false;
+        }
+    }
+
+    // private key, if initialized
+    private ECPrivateKey privateKey;
+
+    // encoded public point, non-null between doPhase() & generateSecret() only
+    private byte[] publicValue;
+
+    // length of the secret to be derived
+    private int secretLen;
+
+    /**
+     * Constructs a new ECDHKeyAgreement.
+     *
+     * @exception ProviderException if the native ECC library is unavailable.
+     */
+    public ECDHKeyAgreement() {
+        if (!implementationPresent) {
+            throw new ProviderException("ECDH implementation is not available");
+        }
+    }
+
+    // see JCE spec
+    protected void engineInit(Key key, SecureRandom random)
+            throws InvalidKeyException {
+        if (!(key instanceof PrivateKey)) {
+            throw new InvalidKeyException
+                        ("Key must be instance of PrivateKey");
+        }
+        privateKey = (ECPrivateKey) ECKeyFactory.toECKey(key);
+        publicValue = null;
+    }
+
+    // see JCE spec
+    protected void engineInit(Key key, AlgorithmParameterSpec params,
+            SecureRandom random) throws InvalidKeyException,
+            InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException
+                        ("Parameters not supported");
+        }
+        engineInit(key, random);
+    }
+
+    // see JCE spec
+    protected Key engineDoPhase(Key key, boolean lastPhase)
+            throws InvalidKeyException, IllegalStateException {
+        if (privateKey == null) {
+            throw new IllegalStateException("Not initialized");
+        }
+        if (publicValue != null) {
+            throw new IllegalStateException("Phase already executed");
+        }
+        if (!lastPhase) {
+            throw new IllegalStateException
+                ("Only two party agreement supported, lastPhase must be true");
+        }
+        if (!(key instanceof ECPublicKey)) {
+            throw new InvalidKeyException
+                ("Key must be a PublicKey with algorithm EC");
+        }
+
+        ECPublicKey ecKey = (ECPublicKey)key;
+        ECParameterSpec params = ecKey.getParams();
+
+        if (ecKey instanceof ECPublicKeyImpl) {
+            publicValue = ((ECPublicKeyImpl)ecKey).getEncodedPublicValue();
+        } else { // instanceof ECPublicKey
+            publicValue =
+                ECParameters.encodePoint(ecKey.getW(), params.getCurve());
+        }
+        int keyLenBits = params.getCurve().getField().getFieldSize();
+        secretLen = (keyLenBits + 7) >> 3;
+
+        return null;
+    }
+
+    // see JCE spec
+    protected byte[] engineGenerateSecret() throws IllegalStateException {
+        if ((privateKey == null) || (publicValue == null)) {
+            throw new IllegalStateException("Not initialized correctly");
+        }
+
+        byte[] s = privateKey.getS().toByteArray();
+        byte[] encodedParams =
+            ECParameters.encodeParameters(privateKey.getParams()); // DER OID
+
+        try {
+
+            return deriveKey(s, publicValue, encodedParams);
+
+        } catch (GeneralSecurityException e) {
+            throw new ProviderException("Could not derive key", e);
+        }
+
+    }
+
+    // see JCE spec
+    protected int engineGenerateSecret(byte[] sharedSecret, int
+            offset) throws IllegalStateException, ShortBufferException {
+        if (offset + secretLen > sharedSecret.length) {
+            throw new ShortBufferException("Need " + secretLen
+                + " bytes, only " + (sharedSecret.length - offset) + " available");
+        }
+        byte[] secret = engineGenerateSecret();
+        System.arraycopy(secret, 0, sharedSecret, offset, secret.length);
+        return secret.length;
+    }
+
+    // see JCE spec
+    protected SecretKey engineGenerateSecret(String algorithm)
+            throws IllegalStateException, NoSuchAlgorithmException,
+            InvalidKeyException {
+        if (algorithm == null) {
+            throw new NoSuchAlgorithmException("Algorithm must not be null");
+        }
+        if (!(algorithm.equals("TlsPremasterSecret"))) {
+            throw new NoSuchAlgorithmException
+                ("Only supported for algorithm TlsPremasterSecret");
+        }
+        return new SecretKeySpec(engineGenerateSecret(), "TlsPremasterSecret");
+    }
+
+    /**
+     * Generates a secret key using the public and private keys.
+     *
+     * @param s the private key's S value.
+     * @param w the public key's W point (in uncompressed form).
+     * @param encodedParams the curve's DER encoded object identifier.
+     *
+     * @return byte[] the secret key.
+     */
+    private static native byte[] deriveKey(byte[] s, byte[] w,
+        byte[] encodedParams) throws GeneralSecurityException;
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ec/ECDSASignature.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,447 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.ec;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.math.BigInteger;
+import java.util.Arrays;
+
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+
+import sun.security.jca.JCAUtil;
+import sun.security.util.*;
+import sun.security.x509.AlgorithmId;
+
+/**
+ * ECDSA signature implementation. This class currently supports the
+ * following algorithm names:
+ *
+ *   . "NONEwithECDSA"
+ *   . "SHA1withECDSA"
+ *   . "SHA256withECDSA"
+ *   . "SHA384withECDSA"
+ *   . "SHA512withECDSA"
+ *
+ * @since   1.7
+ */
+abstract class ECDSASignature extends SignatureSpi {
+
+    // flag indicating whether the native ECC implementation is present
+    private static boolean implementationPresent = true;
+    static {
+        try {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    System.loadLibrary("sunecc");
+                    return null;
+                }
+            });
+        } catch (UnsatisfiedLinkError e) {
+            implementationPresent = false;
+        }
+    }
+
+    // message digest implementation we use
+    private final MessageDigest messageDigest;
+
+    // supplied entropy
+    private SecureRandom random;
+
+    // flag indicating whether the digest has been reset
+    private boolean needsReset;
+
+    // private key, if initialized for signing
+    private ECPrivateKey privateKey;
+
+    // public key, if initialized for verifying
+    private ECPublicKey publicKey;
+
+    /**
+     * Constructs a new ECDSASignature. Used by Raw subclass.
+     *
+     * @exception ProviderException if the native ECC library is unavailable.
+     */
+    ECDSASignature() {
+        if (!implementationPresent) {
+            throw new
+                ProviderException("ECDSA implementation is not available");
+        }
+        messageDigest = null;
+    }
+
+    /**
+     * Constructs a new ECDSASignature. Used by subclasses.
+     *
+     * @exception ProviderException if the native ECC library is unavailable.
+     */
+    ECDSASignature(String digestName) {
+        if (!implementationPresent) {
+            throw new
+                ProviderException("ECDSA implementation is not available");
+        }
+
+        try {
+            messageDigest = MessageDigest.getInstance(digestName);
+        } catch (NoSuchAlgorithmException e) {
+            throw new ProviderException(e);
+        }
+        needsReset = false;
+    }
+
+    // Nested class for NONEwithECDSA signatures
+    public static final class Raw extends ECDSASignature {
+
+        // the longest supported digest is 512 bits (SHA-512)
+        private static final int RAW_ECDSA_MAX = 64;
+
+        private final byte[] precomputedDigest;
+        private int offset = 0;
+
+        public Raw() {
+            precomputedDigest = new byte[RAW_ECDSA_MAX];
+        }
+
+        // Stores the precomputed message digest value.
+        @Override
+        protected void engineUpdate(byte b) throws SignatureException {
+            if (offset >= precomputedDigest.length) {
+                offset = RAW_ECDSA_MAX + 1;
+                return;
+            }
+            precomputedDigest[offset++] = b;
+        }
+
+        // Stores the precomputed message digest value.
+        @Override
+        protected void engineUpdate(byte[] b, int off, int len)
+                throws SignatureException {
+            if (offset >= precomputedDigest.length) {
+                offset = RAW_ECDSA_MAX + 1;
+                return;
+            }
+            System.arraycopy(b, off, precomputedDigest, offset, len);
+            offset += len;
+        }
+
+        // Stores the precomputed message digest value.
+        @Override
+        protected void engineUpdate(ByteBuffer byteBuffer) {
+            int len = byteBuffer.remaining();
+            if (len <= 0) {
+                return;
+            }
+            if (offset + len >= precomputedDigest.length) {
+                offset = RAW_ECDSA_MAX + 1;
+                return;
+            }
+            byteBuffer.get(precomputedDigest, offset, len);
+            offset += len;
+        }
+
+        @Override
+        protected void resetDigest(){
+            offset = 0;
+        }
+
+        // Returns the precomputed message digest value.
+        @Override
+        protected byte[] getDigestValue() throws SignatureException {
+            if (offset > RAW_ECDSA_MAX) {
+                throw new SignatureException("Message digest is too long");
+
+            }
+            byte[] result = new byte[offset];
+            System.arraycopy(precomputedDigest, 0, result, 0, offset);
+            offset = 0;
+
+            return result;
+        }
+    }
+
+    // Nested class for SHA1withECDSA signatures
+    public static final class SHA1 extends ECDSASignature {
+        public SHA1() {
+            super("SHA1");
+        }
+    }
+
+    // Nested class for SHA256withECDSA signatures
+    public static final class SHA256 extends ECDSASignature {
+        public SHA256() {
+            super("SHA-256");
+        }
+    }
+
+    // Nested class for SHA384withECDSA signatures
+    public static final class SHA384 extends ECDSASignature {
+        public SHA384() {
+            super("SHA-384");
+        }
+    }
+
+    // Nested class for SHA512withECDSA signatures
+    public static final class SHA512 extends ECDSASignature {
+        public SHA512() {
+            super("SHA-512");
+        }
+    }
+
+    // initialize for verification. See JCA doc
+    @Override
+    protected void engineInitVerify(PublicKey publicKey)
+            throws InvalidKeyException {
+        this.publicKey = (ECPublicKey) ECKeyFactory.toECKey(publicKey);
+
+        // Should check that the supplied key is appropriate for signature
+        // algorithm (e.g. P-256 for SHA256withECDSA)
+        this.privateKey = null;
+        resetDigest();
+    }
+
+    // initialize for signing. See JCA doc
+    @Override
+    protected void engineInitSign(PrivateKey privateKey)
+            throws InvalidKeyException {
+        engineInitSign(privateKey, null);
+    }
+
+    // initialize for signing. See JCA doc
+    @Override
+    protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
+            throws InvalidKeyException {
+        this.privateKey = (ECPrivateKey) ECKeyFactory.toECKey(privateKey);
+
+        // Should check that the supplied key is appropriate for signature
+        // algorithm (e.g. P-256 for SHA256withECDSA)
+        this.publicKey = null;
+        this.random = random;
+        resetDigest();
+    }
+
+    /**
+     * Resets the message digest if needed.
+     */
+    protected void resetDigest() {
+        if (needsReset) {
+            if (messageDigest != null) {
+                messageDigest.reset();
+            }
+            needsReset = false;
+        }
+    }
+
+    /**
+     * Returns the message digest value.
+     */
+    protected byte[] getDigestValue() throws SignatureException {
+        needsReset = false;
+        return messageDigest.digest();
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(byte b) throws SignatureException {
+        messageDigest.update(b);
+        needsReset = true;
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(byte[] b, int off, int len)
+            throws SignatureException {
+        messageDigest.update(b, off, len);
+        needsReset = true;
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(ByteBuffer byteBuffer) {
+        int len = byteBuffer.remaining();
+        if (len <= 0) {
+            return;
+        }
+
+        messageDigest.update(byteBuffer);
+        needsReset = true;
+    }
+
+    // sign the data and return the signature. See JCA doc
+    @Override
+    protected byte[] engineSign() throws SignatureException {
+        byte[] s = privateKey.getS().toByteArray();
+        ECParameterSpec params = privateKey.getParams();
+        byte[] encodedParams = ECParameters.encodeParameters(params); // DER OID
+        int keySize = params.getCurve().getField().getFieldSize();
+
+        // seed is twice the key size (in bytes)
+        byte[] seed = new byte[((keySize + 7) >> 3) * 2];
+        if (random == null) {
+            random = JCAUtil.getSecureRandom();
+        }
+        random.nextBytes(seed);
+
+        try {
+
+            return encodeSignature(
+                signDigest(getDigestValue(), s, encodedParams, seed));
+
+        } catch (GeneralSecurityException e) {
+            throw new SignatureException("Could not sign data", e);
+        }
+    }
+
+    // verify the data and return the result. See JCA doc
+    @Override
+    protected boolean engineVerify(byte[] signature) throws SignatureException {
+
+        byte[] w;
+        ECParameterSpec params = publicKey.getParams();
+        byte[] encodedParams = ECParameters.encodeParameters(params); // DER OID
+
+        if (publicKey instanceof ECPublicKeyImpl) {
+            w = ((ECPublicKeyImpl)publicKey).getEncodedPublicValue();
+        } else { // instanceof ECPublicKey
+            w = ECParameters.encodePoint(publicKey.getW(), params.getCurve());
+        }
+
+        try {
+
+            return verifySignedDigest(
+                decodeSignature(signature), getDigestValue(), w, encodedParams);
+
+        } catch (GeneralSecurityException e) {
+            throw new SignatureException("Could not verify signature", e);
+        }
+    }
+
+    // set parameter, not supported. See JCA doc
+    @Override
+    protected void engineSetParameter(String param, Object value)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("setParameter() not supported");
+    }
+
+    // get parameter, not supported. See JCA doc
+    @Override
+    protected Object engineGetParameter(String param)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("getParameter() not supported");
+    }
+
+    // Convert the concatenation of R and S into their DER encoding
+    private byte[] encodeSignature(byte[] signature) throws SignatureException {
+        try {
+
+            int n = signature.length >> 1;
+            byte[] bytes = new byte[n];
+            System.arraycopy(signature, 0, bytes, 0, n);
+            BigInteger r = new BigInteger(1, bytes);
+            System.arraycopy(signature, n, bytes, 0, n);
+            BigInteger s = new BigInteger(1, bytes);
+
+            DerOutputStream out = new DerOutputStream(signature.length + 10);
+            out.putInteger(r);
+            out.putInteger(s);
+            DerValue result =
+                new DerValue(DerValue.tag_Sequence, out.toByteArray());
+
+            return result.toByteArray();
+
+        } catch (Exception e) {
+            throw new SignatureException("Could not encode signature", e);
+        }
+    }
+
+    // Convert the DER encoding of R and S into a concatenation of R and S
+    private byte[] decodeSignature(byte[] signature) throws SignatureException {
+
+        try {
+            DerInputStream in = new DerInputStream(signature);
+            DerValue[] values = in.getSequence(2);
+            BigInteger r = values[0].getPositiveBigInteger();
+            BigInteger s = values[1].getPositiveBigInteger();
+            // trim leading zeroes
+            byte[] rBytes = trimZeroes(r.toByteArray());
+            byte[] sBytes = trimZeroes(s.toByteArray());
+            int k = Math.max(rBytes.length, sBytes.length);
+            // r and s each occupy half the array
+            byte[] result = new byte[k << 1];
+            System.arraycopy(rBytes, 0, result, k - rBytes.length,
+                rBytes.length);
+            System.arraycopy(sBytes, 0, result, result.length - sBytes.length,
+                sBytes.length);
+            return result;
+
+        } catch (Exception e) {
+            throw new SignatureException("Could not decode signature", e);
+        }
+    }
+
+    // trim leading (most significant) zeroes from the result
+    private static byte[] trimZeroes(byte[] b) {
+        int i = 0;
+        while ((i < b.length - 1) && (b[i] == 0)) {
+            i++;
+        }
+        if (i == 0) {
+            return b;
+        }
+        byte[] t = new byte[b.length - i];
+        System.arraycopy(b, i, t, 0, t.length);
+        return t;
+    }
+
+    /**
+     * Signs the digest using the private key.
+     *
+     * @param digest the digest to be signed.
+     * @param s the private key's S value.
+     * @param encodedParams the curve's DER encoded object identifier.
+     * @param seed the random seed.
+     *
+     * @return byte[] the signature.
+     */
+    private static native byte[] signDigest(byte[] digest, byte[] s,
+        byte[] encodedParams, byte[] seed) throws GeneralSecurityException;
+
+    /**
+     * Verifies the signed digest using the public key.
+     *
+     * @param signedDigest the signature to be verified. It is encoded
+     *        as a concatenation of the key's R and S values.
+     * @param digest the digest to be used.
+     * @param w the public key's W point (in uncompressed form).
+     * @param encodedParams the curve's DER encoded object identifier.
+     *
+     * @return boolean true if the signature is successfully verified.
+     */
+    private static native boolean verifySignedDigest(byte[] signature,
+        byte[] digest, byte[] w, byte[] encodedParams)
+            throws GeneralSecurityException;
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ec/ECKeyPairGenerator.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,191 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.ec;
+
+import java.math.BigInteger;
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+
+import sun.security.ec.NamedCurve;
+import sun.security.ec.ECParameters;
+import sun.security.ec.ECPrivateKeyImpl;
+import sun.security.ec.ECPublicKeyImpl;
+import sun.security.jca.JCAUtil;
+
+/**
+ * EC keypair generator.
+ * Standard algorithm, minimum key length is 112 bits, maximum is 571 bits.
+ *
+ * @since 1.7
+ */
+public final class ECKeyPairGenerator extends KeyPairGeneratorSpi {
+
+    // flag indicating whether the native ECC implementation is present
+    private static boolean implementationPresent = true;
+    static {
+        try {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    System.loadLibrary("sunecc");
+                    return null;
+                }
+            });
+        } catch (UnsatisfiedLinkError e) {
+            implementationPresent = false;
+        }
+    }
+    private static final int KEY_SIZE_MIN = 112; // min bits (see ecc_impl.h)
+    private static final int KEY_SIZE_MAX = 571; // max bits (see ecc_impl.h)
+    private static final int KEY_SIZE_DEFAULT = 256;
+
+    // used to seed the keypair generator
+    private SecureRandom random;
+
+    // size of the key to generate, KEY_SIZE_MIN <= keySize <= KEY_SIZE_MAX
+    private int keySize;
+
+    // parameters specified via init, if any
+    private AlgorithmParameterSpec params = null;
+
+    /**
+     * Constructs a new ECKeyPairGenerator.
+     *
+     * @exception ProviderException if the native ECC library is unavailable.
+     */
+    public ECKeyPairGenerator() {
+        if (!implementationPresent) {
+            throw new ProviderException("EC implementation is not available");
+        }
+        // initialize to default in case the app does not call initialize()
+        initialize(KEY_SIZE_DEFAULT, null);
+    }
+
+    // initialize the generator. See JCA doc
+    @Override
+    public void initialize(int keySize, SecureRandom random) {
+
+        checkKeySize(keySize);
+        this.params = NamedCurve.getECParameterSpec(keySize);
+        if (params == null) {
+            throw new InvalidParameterException(
+                "No EC parameters available for key size " + keySize + " bits");
+        }
+        this.random = random;
+    }
+
+    // second initialize method. See JCA doc
+    @Override
+    public void initialize(AlgorithmParameterSpec params, SecureRandom random)
+            throws InvalidAlgorithmParameterException {
+
+        if (params instanceof ECParameterSpec) {
+            this.params = ECParameters.getNamedCurve((ECParameterSpec)params);
+            if (this.params == null) {
+                throw new InvalidAlgorithmParameterException(
+                    "Unsupported curve: " + params);
+            }
+        } else if (params instanceof ECGenParameterSpec) {
+            String name = ((ECGenParameterSpec)params).getName();
+            this.params = NamedCurve.getECParameterSpec(name);
+            if (this.params == null) {
+                throw new InvalidAlgorithmParameterException(
+                    "Unknown curve name: " + name);
+            }
+        } else {
+            throw new InvalidAlgorithmParameterException(
+                "ECParameterSpec or ECGenParameterSpec required for EC");
+        }
+        this.keySize =
+            ((ECParameterSpec)this.params).getCurve().getField().getFieldSize();
+        this.random = random;
+    }
+
+    // generate the keypair. See JCA doc
+    @Override
+    public KeyPair generateKeyPair() {
+
+        byte[] encodedParams =
+            ECParameters.encodeParameters((ECParameterSpec)params);
+
+        // seed is twice the key size (in bytes)
+        byte[] seed = new byte[2 * ((keySize + 7) >> 3)];
+        if (random == null) {
+            random = JCAUtil.getSecureRandom();
+        }
+        random.nextBytes(seed);
+
+        long[] handles = generateECKeyPair(keySize, encodedParams, seed);
+
+        // The 'params' object supplied above is equivalent to the native one
+        // so there is no need to fetch it.
+
+        // handles[0] points to the native private key
+        BigInteger s = new BigInteger(1, getEncodedBytes(handles[0]));
+
+        try {
+            PrivateKey privateKey =
+                new ECPrivateKeyImpl(s, (ECParameterSpec)params);
+
+            // handles[1] points to the native public key
+            ECPoint w = ECParameters.decodePoint(getEncodedBytes(handles[1]),
+                ((ECParameterSpec)params).getCurve());
+            PublicKey publicKey =
+                new ECPublicKeyImpl(w, (ECParameterSpec)params);
+
+            return new KeyPair(publicKey, privateKey);
+
+        } catch (Exception e) {
+            throw new ProviderException(e);
+        }
+    }
+
+    private void checkKeySize(int keySize) throws InvalidParameterException {
+        if (keySize < KEY_SIZE_MIN) {
+            throw new InvalidParameterException
+                ("Key size must be at least " + KEY_SIZE_MIN + " bits");
+        }
+        if (keySize > KEY_SIZE_MAX) {
+            throw new InvalidParameterException
+                ("Key size must be at most " + KEY_SIZE_MAX + " bits");
+        }
+        this.keySize = keySize;
+    }
+
+    /*
+     * Generates the keypair and returns a 2-element array of handles.
+     * The first handle points to the private key, the second to the public key.
+     */
+    private static native long[] generateECKeyPair(int keySize,
+        byte[] encodedParams, byte[] seed);
+
+    /*
+     * Extracts the encoded key data using the supplied handle.
+     */
+    private static native byte[] getEncodedBytes(long handle);
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ec/SunEC.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.ec;
+
+import java.util.*;
+import java.security.*;
+import sun.security.action.PutAllAction;
+
+/**
+ * Provider class for the Elliptic Curve provider.
+ * Supports EC keypair and parameter generation, ECDSA signing and
+ * ECDH key agreement.
+ *
+ * IMPLEMENTATION NOTE:
+ * The Java classes in this provider access a native ECC implementation
+ * via JNI to a C++ wrapper class which in turn calls C functions.
+ * The Java classes are packaged into the signed sunec.jar in the JRE
+ * extensions directory and the C++ and C functions are packaged into
+ * libsunecc.so or sunecc.dll in the JRE native libraries directory.
+ *
+ * @since   1.7
+ */
+public final class SunEC extends Provider {
+
+    private static final long serialVersionUID = -2279741672933606418L;
+
+    public SunEC() {
+        super("SunEC", 1.7d, "Sun Elliptic Curve provider (EC, ECDSA, ECDH)");
+
+        // if there is no security manager installed, put directly into
+        // the provider. Otherwise, create a temporary map and use a
+        // doPrivileged() call at the end to transfer the contents
+        if (System.getSecurityManager() == null) {
+            SunECEntries.putEntries(this);
+        } else {
+            Map<Object, Object> map = new HashMap<Object, Object>();
+            SunECEntries.putEntries(map);
+            AccessController.doPrivileged(new PutAllAction(this, map));
+        }
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/ec/SunECEntries.java	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.ec;
+
+import java.util.Map;
+
+/**
+ * Defines the entries of the SunEC provider.
+ *
+ * @since 1.7
+ */
+final class SunECEntries {
+
+    private SunECEntries() {
+        // empty
+    }
+
+    static void putEntries(Map<Object, Object> map) {
+
+        /*
+         * Signature engines
+         */
+        map.put("Signature.NONEwithECDSA",
+            "sun.security.ec.ECDSASignature$Raw");
+        map.put("Signature.SHA1withECDSA",
+            "sun.security.ec.ECDSASignature$SHA1");
+        map.put("Signature.SHA256withECDSA",
+            "sun.security.ec.ECDSASignature$SHA256");
+        map.put("Signature.SHA384withECDSA",
+            "sun.security.ec.ECDSASignature$SHA384");
+        map.put("Signature.SHA512withECDSA",
+            "sun.security.ec.ECDSASignature$SHA512");
+
+        String ecKeyClasses = "java.security.interfaces.ECPublicKey" +
+                "|java.security.interfaces.ECPrivateKey";
+        map.put("Signature.NONEwithECDSA SupportedKeyClasses", ecKeyClasses);
+        map.put("Signature.SHA1withECDSA SupportedKeyClasses", ecKeyClasses);
+        map.put("Signature.SHA256withECDSA SupportedKeyClasses", ecKeyClasses);
+        map.put("Signature.SHA384withECDSA SupportedKeyClasses", ecKeyClasses);
+        map.put("Signature.SHA512withECDSA SupportedKeyClasses", ecKeyClasses);
+
+        /*
+         *  Key Pair Generator engine
+         */
+        map.put("KeyPairGenerator.EC", "sun.security.ec.ECKeyPairGenerator");
+        map.put("Alg.Alias.KeyPairGenerator.EllipticCurve", "EC");
+
+        /*
+         *  Key Factory engine
+         */
+        map.put("KeyFactory.EC", "sun.security.ec.ECKeyFactory");
+        map.put("Alg.Alias.KeyFactory.EllipticCurve", "EC");
+
+        /*
+         * Algorithm Parameter engine
+         */
+        map.put("AlgorithmParameters.EC", "sun.security.ec.ECParameters");
+        map.put("Alg.Alias.AlgorithmParameters.EllipticCurve", "EC");
+
+        /*
+         * Key Agreement engine
+         */
+        map.put("KeyAgreement.ECDH", "sun.security.ec.ECDHKeyAgreement");
+        map.put("KeyAgreement.ECDH SupportedKeyClasses", ecKeyClasses);
+
+        /*
+         * Key sizes
+         */
+        map.put("Signature.SHA1withECDSA KeySize", "256");
+        map.put("KeyPairGenerator.EC KeySize", "256");
+        map.put("AlgorithmParameterGenerator.ECDSA KeySize", "256");
+
+        /*
+         * Implementation type: software or hardware
+         */
+        map.put("Signature.NONEwithECDSA ImplementedIn", "Software");
+        map.put("Signature.SHA1withECDSA ImplementedIn", "Software");
+        map.put("Signature.SHA256withECDSA ImplementedIn", "Software");
+        map.put("Signature.SHA384withECDSA ImplementedIn", "Software");
+        map.put("Signature.SHA512withECDSA ImplementedIn", "Software");
+        map.put("KeyPairGenerator.EC ImplementedIn", "Software");
+        map.put("KeyFactory.EC ImplementedIn", "Software");
+        map.put("KeyAgreement.ECDH ImplementedIn", "Software");
+        map.put("AlgorithmParameters.EC ImplementedIn", "Software");
+    }
+}
--- a/src/share/classes/sun/security/jgss/GSSContextImpl.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/GSSContextImpl.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,14 +27,13 @@
 
 import org.ietf.jgss.*;
 import sun.security.jgss.spi.*;
-import sun.security.jgss.*;
 import sun.security.util.ObjectIdentifier;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-
+import com.sun.security.jgss.*;
 
 /**
  * This class represents the JGSS security context and its associated
@@ -88,7 +87,7 @@
  * per-message operations are returned in an instance of the MessageProp
  * class, which is used as an argument in these calls.</dl>
  */
-class GSSContextImpl implements GSSContext {
+class GSSContextImpl implements ExtendedGSSContext {
 
     private GSSManagerImpl gssManager = null;
 
@@ -630,4 +629,16 @@
         srcName = null;
         targName = null;
     }
+
+    @Override
+    public Object inquireSecContext(InquireType type) throws GSSException {
+        SecurityManager security = System.getSecurityManager();
+        if (security != null) {
+            security.checkPermission(new InquireSecContextPermission(type.toString()));
+        }
+        if (mechCtxt == null) {
+            throw new GSSException(GSSException.NO_CONTEXT);
+        }
+        return mechCtxt.inquireSecContext(type);
+    }
 }
--- a/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,14 @@
 
 package sun.security.jgss.krb5;
 
+import com.sun.security.jgss.AuthorizationDataEntry;
 import org.ietf.jgss.*;
 import java.io.InputStream;
-import java.io.OutputStream;
 import java.io.IOException;
 import sun.security.krb5.*;
 import java.net.InetAddress;
+import sun.security.krb5.internal.AuthorizationData;
+import sun.security.krb5.internal.KerberosTime;
 
 class InitSecContextToken extends InitialToken {
 
@@ -59,6 +61,9 @@
 
         Checksum checksum = gssChecksum.getChecksum();
 
+        context.setTktFlags(serviceTicket.getFlags());
+        context.setAuthTime(
+                new KerberosTime(serviceTicket.getAuthTime()).toString());
         apReq = new KrbApReq(serviceTicket,
                              mutualRequired,
                              useSubkey,
@@ -143,6 +148,21 @@
             // Use the same sequence number as the peer
             // (Behaviour exhibited by the Windows SSPI server)
             context.resetMySequenceNumber(peerSeqNumber);
+        context.setAuthTime(
+                new KerberosTime(apReq.getCreds().getAuthTime()).toString());
+        context.setTktFlags(apReq.getCreds().getFlags());
+        AuthorizationData ad = apReq.getCreds().getAuthzData();
+        if (ad == null) {
+            context.setAuthzData(null);
+        } else {
+            AuthorizationDataEntry[] authzData =
+                    new AuthorizationDataEntry[ad.count()];
+            for (int i=0; i<ad.count(); i++) {
+                authzData[i] = new AuthorizationDataEntry(
+                        ad.item(i).adType, ad.item(i).adData);
+            }
+            context.setAuthzData(authzData);
+        }
     }
 
     public final KrbApReq getKrbApReq() {
--- a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Tue Aug 11 20:06:52 2009 -0600
@@ -25,6 +25,7 @@
 
 package sun.security.jgss.krb5;
 
+import com.sun.security.jgss.InquireType;
 import org.ietf.jgss.*;
 import sun.misc.HexDumpEncoder;
 import sun.security.jgss.GSSUtil;
@@ -38,6 +39,7 @@
 import java.security.Provider;
 import java.security.AccessController;
 import java.security.AccessControlContext;
+import java.security.Key;
 import java.security.PrivilegedExceptionAction;
 import java.security.PrivilegedActionException;
 import javax.crypto.Cipher;
@@ -1283,4 +1285,81 @@
         // Currently used by InitialToken only
         return caller;
     }
+
+    /**
+     * The session key returned by inquireSecContext(KRB5_INQ_SSPI_SESSION_KEY)
+     */
+    static class KerberosSessionKey implements Key {
+        private final EncryptionKey key;
+
+        KerberosSessionKey(EncryptionKey key) {
+            this.key = key;
+        }
+
+        @Override
+        public String getAlgorithm() {
+            return Integer.toString(key.getEType());
+        }
+
+        @Override
+        public String getFormat() {
+            return "RAW";
+        }
+
+        @Override
+        public byte[] getEncoded() {
+            return key.getBytes().clone();
+        }
+
+        @Override
+        public String toString() {
+            return "Kerberos session key: etype: " + key.getEType() + "\n" +
+                    new sun.misc.HexDumpEncoder().encodeBuffer(key.getBytes());
+        }
+    }
+
+    /**
+     * Return the mechanism-specific attribute associated with {@code type}.
+     */
+    public Object inquireSecContext(InquireType type)
+            throws GSSException {
+        if (!isEstablished()) {
+             throw new GSSException(GSSException.NO_CONTEXT, -1,
+                     "Security context not established.");
+        }
+        switch (type) {
+            case KRB5_GET_SESSION_KEY:
+                return new KerberosSessionKey(key);
+            case KRB5_GET_TKT_FLAGS:
+                return tktFlags.clone();
+            case KRB5_GET_AUTHZ_DATA:
+                if (isInitiator()) {
+                    throw new GSSException(GSSException.UNAVAILABLE, -1,
+                            "AuthzData not available on initiator side.");
+                } else {
+                    return (authzData==null)?null:authzData.clone();
+                }
+            case KRB5_GET_AUTHTIME:
+                return authTime;
+        }
+        throw new GSSException(GSSException.UNAVAILABLE, -1,
+                "Inquire type not supported.");
+    }
+
+    // Helpers for inquireSecContext
+    private boolean[] tktFlags;
+    private String authTime;
+    private com.sun.security.jgss.AuthorizationDataEntry[] authzData;
+
+    public void setTktFlags(boolean[] tktFlags) {
+        this.tktFlags = tktFlags;
+    }
+
+    public void setAuthTime(String authTime) {
+        this.authTime = authTime;
+    }
+
+    public void setAuthzData(com.sun.security.jgss.AuthorizationDataEntry[] authzData) {
+        this.authzData = authzData;
+    }
 }
--- a/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2000-2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,6 +46,7 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.security.Provider;
+import com.sun.security.jgss.*;
 
 /**
  * This interface is implemented by a mechanism specific instance of a GSS
@@ -265,7 +266,6 @@
      * @param msgPro on input it contains the requested qop and
      *    confidentiality state, on output, the applied values
      * @exception GSSException may be thrown
-     * @see MessageInfo
      * @see unwrap
      */
     public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
@@ -315,7 +315,6 @@
      * @param msgProp will contain the applied qop and confidentiality
      *    of the input token and any informatory status values
      * @exception GSSException may be thrown
-     * @see MessageInfo
      * @see wrap
      */
     public void unwrap(InputStream is, OutputStream os,
@@ -403,4 +402,15 @@
      * @exception GSSException may be thrown
      */
     public void dispose() throws GSSException;
+
+    /**
+     * Return the mechanism-specific attribute associated with (@code type}.
+     *
+     * @param type the type of the attribute requested
+     * @return the attribute
+     * @throws GSSException see {@link ExtendedGSSContext#inquireSecContext}
+     * for details
+     */
+    public Object inquireSecContext(InquireType type)
+            throws GSSException;
 }
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Tue Aug 11 20:06:52 2009 -0600
@@ -25,10 +25,10 @@
 
 package sun.security.jgss.spnego;
 
+import com.sun.security.jgss.ExtendedGSSContext;
+import com.sun.security.jgss.InquireType;
 import java.io.*;
 import java.security.Provider;
-import java.util.List;
-import java.util.ArrayList;
 import org.ietf.jgss.*;
 import sun.security.jgss.*;
 import sun.security.jgss.spi.*;
@@ -1185,4 +1185,22 @@
                 return ("Unknown state " + state);
         }
     }
+
+    /**
+     * Retrieve attribute of the context for {@code type}.
+     */
+    public Object inquireSecContext(InquireType type)
+            throws GSSException {
+        if (mechContext == null) {
+            throw new GSSException(GSSException.NO_CONTEXT, -1,
+                    "Underlying mech not established.");
+        }
+        if (mechContext instanceof ExtendedGSSContext) {
+            return ((ExtendedGSSContext)mechContext).inquireSecContext(type);
+        } else {
+            throw new GSSException(GSSException.BAD_MECH, -1,
+                    "inquireSecContext not supported by underlying mech.");
+        }
+    }
+
 }
--- a/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,6 +36,7 @@
 import sun.security.jgss.spnego.NegTokenInit;
 import sun.security.jgss.spnego.NegTokenTarg;
 import javax.security.auth.kerberos.DelegationPermission;
+import com.sun.security.jgss.InquireType;
 import java.io.*;
 
 
@@ -615,4 +616,10 @@
     protected void finalize() throws Throwable {
         dispose();
     }
+
+    public Object inquireSecContext(InquireType type)
+            throws GSSException {
+        throw new GSSException(GSSException.UNAVAILABLE, -1,
+                "Inquire type not supported.");
+    }
 }
--- a/src/share/classes/sun/security/krb5/Credentials.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/krb5/Credentials.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -63,6 +63,7 @@
     KerberosTime renewTill;
     HostAddresses cAddr;
     EncryptionKey serviceKey;
+    AuthorizationData authzData;
     private static boolean DEBUG = Krb5.DEBUG;
     private static CredentialsCache cache;
     static boolean alreadyLoaded = false;
@@ -78,6 +79,22 @@
                        KerberosTime new_startTime,
                        KerberosTime new_endTime,
                        KerberosTime renewTill,
+                       HostAddresses cAddr,
+                       AuthorizationData authzData) {
+        this(new_ticket, new_client, new_server, new_key, new_flags,
+                authTime, new_startTime, new_endTime, renewTill, cAddr);
+        this.authzData = authzData;
+    }
+
+    public Credentials(Ticket new_ticket,
+                       PrincipalName new_client,
+                       PrincipalName new_server,
+                       EncryptionKey new_key,
+                       TicketFlags new_flags,
+                       KerberosTime authTime,
+                       KerberosTime new_startTime,
+                       KerberosTime new_endTime,
+                       KerberosTime renewTill,
                        HostAddresses cAddr) {
         ticket = new_ticket;
         client = new_client;
@@ -213,6 +230,9 @@
         return flags;
     }
 
+    public AuthorizationData getAuthzData() {
+        return authzData;
+    }
     /**
      * Checks if the service ticket returned by the KDC has the OK-AS-DELEGATE
      * flag set
--- a/src/share/classes/sun/security/krb5/KrbApReq.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/krb5/KrbApReq.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -356,12 +356,13 @@
                                 authenticator.cname,
                                 apReqMessg.ticket.sname,
                                 enc_ticketPart.key,
-                                null,
+                                enc_ticketPart.flags,
                                 enc_ticketPart.authtime,
                                 enc_ticketPart.starttime,
                                 enc_ticketPart.endtime,
                                 enc_ticketPart.renewTill,
-                                enc_ticketPart.caddr);
+                                enc_ticketPart.caddr,
+                                enc_ticketPart.authorizationData);
         if (DEBUG) {
             System.out.println(">>> KrbApReq: authenticate succeed.");
         }
--- a/src/share/classes/sun/security/krb5/internal/AuthorizationData.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/krb5/internal/AuthorizationData.java	Tue Aug 11 20:06:52 2009 -0600
@@ -174,4 +174,12 @@
         }
         return retVal;
     }
+
+    public int count() {
+        return entry.length;
+    }
+
+    public AuthorizationDataEntry item(int i) {
+        return (AuthorizationDataEntry)entry[i].clone();
+    }
 }
--- a/src/share/classes/sun/security/pkcs11/JarVerifier.java	Tue Aug 11 20:02:43 2009 -0600
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-/*
- * Copyright 2007 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.pkcs11;
-
-// NOTE: this class is duplicated amongst SunJCE, SunPKCS11, and SunMSCAPI.
-// All files should be kept in sync.
-
-import java.io.*;
-import java.util.*;
-import java.util.jar.*;
-import java.net.URL;
-import java.net.JarURLConnection;
-import java.net.MalformedURLException;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-/**
- * This class verifies JAR files (and any supporting JAR files), and
- * determines whether they may be used in this implementation.
- *
- * The JCE in OpenJDK has an open cryptographic interface, meaning it
- * does not restrict which providers can be used.  Compliance with
- * United States export controls and with local law governing the
- * import/export of products incorporating the JCE in the OpenJDK is
- * the responsibility of the licensee.
- *
- * @since 1.7
- */
-final class JarVerifier {
-
-    private static final boolean debug = false;
-
-    /**
-     * Verify the JAR file is signed by an entity which has a certificate
-     * issued by a trusted CA.
-     *
-     * Note: this is a temporary method and will change soon to use the
-     * exception chaining mechanism, which can provide more details
-     * as to why the verification failed.
-     *
-     * @param c the class to be verified.
-     * @return true if verification is successful.
-     */
-    static boolean verify(final Class c) {
-        return true;
-    }
-}
--- a/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -390,24 +390,6 @@
         return sb.toString();
     }
 
-    // set to true once self verification is complete
-    private static volatile boolean integrityVerified;
-
-    static void verifySelfIntegrity(Class c) {
-        if (integrityVerified) {
-            return;
-        }
-        doVerifySelfIntegrity(c);
-    }
-
-    private static synchronized void doVerifySelfIntegrity(Class c) {
-        integrityVerified = JarVerifier.verify(c);
-        if (integrityVerified == false) {
-            throw new ProviderException
-                ("The SunPKCS11 provider may have been tampered with.");
-        }
-    }
-
     public boolean equals(Object obj) {
         return this == obj;
     }
@@ -923,7 +905,6 @@
             if (type == MD) {
                 return new P11Digest(token, algorithm, mechanism);
             } else if (type == CIP) {
-                verifySelfIntegrity(getClass());
                 if (algorithm.startsWith("RSA")) {
                     return new P11RSACipher(token, algorithm, mechanism);
                 } else {
@@ -932,12 +913,10 @@
             } else if (type == SIG) {
                 return new P11Signature(token, algorithm, mechanism);
             } else if (type == MAC) {
-                verifySelfIntegrity(getClass());
                 return new P11Mac(token, algorithm, mechanism);
             } else if (type == KPG) {
                 return new P11KeyPairGenerator(token, algorithm, mechanism);
             } else if (type == KA) {
-                verifySelfIntegrity(getClass());
                 if (algorithm.equals("ECDH")) {
                     return new P11ECDHKeyAgreement(token, algorithm, mechanism);
                 } else {
@@ -946,11 +925,8 @@
             } else if (type == KF) {
                 return token.getKeyFactory(algorithm);
             } else if (type == SKF) {
-                verifySelfIntegrity(getClass());
                 return new P11SecretKeyFactory(token, algorithm);
             } else if (type == KG) {
-                verifySelfIntegrity(getClass());
-
                 // reference equality
                 if (algorithm == "SunTlsRsaPremasterSecret") {
                     return new P11TlsRsaPremasterSecretGenerator(
--- a/src/share/classes/sun/security/tools/JarSigner.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/tools/JarSigner.java	Tue Aug 11 20:06:52 2009 -0600
@@ -412,6 +412,16 @@
         }
         storetype = KeyStoreUtil.niceStoreTypeName(storetype);
 
+        try {
+            if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
+                    new File(jarfile).getCanonicalPath())) {
+                signedjar = null;
+            }
+        } catch (IOException ioe) {
+            // File system error?
+            // Just ignore it.
+        }
+
         if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
                 KeyStoreUtil.isWindowsKeyStore(storetype)) {
             token = true;
--- a/src/share/classes/sun/security/tools/KeyTool.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Tue Aug 11 20:06:52 2009 -0600
@@ -880,41 +880,41 @@
             // might not work properly, since -gencert is slow
             // and there's no data in the pipe at the beginning.
             ByteArrayOutputStream bout = new ByteArrayOutputStream();
-            byte[] b = new byte[4096];
-            while (true) {
-                int len = inStream.read(b);
-                if (len < 0) break;
-                bout.write(b, 0, len);
-            }
-            inStream = new ByteArrayInputStream(bout.toByteArray());
             try {
-                String importAlias = (alias!=null)?alias:keyAlias;
-                if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
-                    kssave = installReply(importAlias, inStream);
-                    if (kssave) {
-                        System.err.println(rb.getString
-                            ("Certificate reply was installed in keystore"));
-                    } else {
-                        System.err.println(rb.getString
-                            ("Certificate reply was not installed in keystore"));
-                    }
-                } else if (!keyStore.containsAlias(importAlias) ||
-                        keyStore.entryInstanceOf(importAlias,
-                            KeyStore.TrustedCertificateEntry.class)) {
-                    kssave = addTrustedCert(importAlias, inStream);
-                    if (kssave) {
-                        System.err.println(rb.getString
-                            ("Certificate was added to keystore"));
-                    } else {
-                        System.err.println(rb.getString
-                            ("Certificate was not added to keystore"));
-                    }
+                byte[] b = new byte[4096];
+                while (true) {
+                    int len = inStream.read(b);
+                    if (len < 0) break;
+                    bout.write(b, 0, len);
                 }
             } finally {
                 if (inStream != System.in) {
                     inStream.close();
                 }
             }
+            inStream = new ByteArrayInputStream(bout.toByteArray());
+            String importAlias = (alias!=null)?alias:keyAlias;
+            if (keyStore.entryInstanceOf(importAlias, KeyStore.PrivateKeyEntry.class)) {
+                kssave = installReply(importAlias, inStream);
+                if (kssave) {
+                    System.err.println(rb.getString
+                        ("Certificate reply was installed in keystore"));
+                } else {
+                    System.err.println(rb.getString
+                        ("Certificate reply was not installed in keystore"));
+                }
+            } else if (!keyStore.containsAlias(importAlias) ||
+                    keyStore.entryInstanceOf(importAlias,
+                        KeyStore.TrustedCertificateEntry.class)) {
+                kssave = addTrustedCert(importAlias, inStream);
+                if (kssave) {
+                    System.err.println(rb.getString
+                        ("Certificate was added to keystore"));
+                } else {
+                    System.err.println(rb.getString
+                        ("Certificate was not added to keystore"));
+                }
+            }
         } else if (command == IMPORTKEYSTORE) {
             doImportKeyStore();
             kssave = true;
--- a/src/share/classes/sun/security/tools/PolicyTool.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/security/tools/PolicyTool.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,21 +35,16 @@
 import java.lang.reflect.*;
 import java.text.Collator;
 import java.text.MessageFormat;
-import sun.misc.BASE64Decoder;
-import sun.security.provider.PolicyParser.PermissionEntry;
 import sun.security.util.PropertyExpander;
 import sun.security.util.PropertyExpander.ExpandException;
 import java.awt.*;
 import java.awt.event.*;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 import java.security.*;
 import sun.security.provider.*;
 import sun.security.util.PolicyUtil;
 import javax.security.auth.x500.X500Principal;
-import java.util.HashSet;
 
 /**
  * PolicyTool may be used by users and administrators to configure the
@@ -1459,6 +1454,7 @@
         PERM_ARRAY.add(new AWTPerm());
         PERM_ARRAY.add(new DelegationPerm());
         PERM_ARRAY.add(new FilePerm());
+        PERM_ARRAY.add(new InqSecContextPerm());
         PERM_ARRAY.add(new LogPerm());
         PERM_ARRAY.add(new MgmtPerm());
         PERM_ARRAY.add(new MBeanPerm());
@@ -3961,6 +3957,20 @@
     }
 }
 
+class InqSecContextPerm extends Perm {
+    public InqSecContextPerm() {
+    super("InquireSecContextPermission",
+        "com.sun.security.jgss.InquireSecContextPermission",
+        new String[]    {
+                "KRB5_GET_SESSION_KEY",
+                "KRB5_GET_TKT_FLAGS",
+                "KRB5_GET_AUTHZ_DATA",
+                "KRB5_GET_AUTHTIME"
+                },
+        null);
+    }
+}
+
 class LogPerm extends Perm {
     public LogPerm() {
     super("LoggingPermission",
--- a/src/share/classes/sun/swing/FilePane.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/swing/FilePane.java	Tue Aug 11 20:06:52 2009 -0600
@@ -1,6 +1,5 @@
-
 /*
- * Copyright 2003-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -905,8 +904,8 @@
 
         @Override
         public void sort() {
-            ShellFolder.getInvoker().invoke(new Callable<Void>() {
-                public Void call() throws Exception {
+            ShellFolder.invoke(new Callable<Void>() {
+                public Void call() {
                     DetailsTableRowSorter.super.sort();
                     return null;
                 }
--- a/src/share/classes/sun/swing/MenuItemLayoutHelper.java	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/classes/sun/swing/MenuItemLayoutHelper.java	Tue Aug 11 20:06:52 2009 -0600
@@ -718,10 +718,10 @@
     }
 
     private void alignRect(Rectangle rect, int alignment, int origWidth) {
-        if (alignment != SwingUtilities.LEFT) {
+        if (alignment == SwingConstants.RIGHT) {
             rect.x = rect.x + rect.width - origWidth;
-            rect.width = origWidth;
         }
+        rect.width = origWidth;
     }
 
     protected void layoutIconAndTextInLabelRect(LayoutResult lr) {
--- a/src/share/lib/security/java.security	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/lib/security/java.security	Tue Aug 11 20:06:52 2009 -0600
@@ -45,12 +45,13 @@
 #
 security.provider.1=sun.security.provider.Sun
 security.provider.2=sun.security.rsa.SunRsaSign
-security.provider.3=com.sun.net.ssl.internal.ssl.Provider
-security.provider.4=com.sun.crypto.provider.SunJCE
-security.provider.5=sun.security.jgss.SunProvider
-security.provider.6=com.sun.security.sasl.Provider
-security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
-security.provider.8=sun.security.smartcardio.SunPCSC
+security.provider.3=sun.security.ec.SunEC
+security.provider.4=com.sun.net.ssl.internal.ssl.Provider
+security.provider.5=com.sun.crypto.provider.SunJCE
+security.provider.6=sun.security.jgss.SunProvider
+security.provider.7=com.sun.security.sasl.Provider
+security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+security.provider.9=sun.security.smartcardio.SunPCSC
 
 #
 # Select the source of seed data for SecureRandom. By default an
@@ -127,7 +128,7 @@
 # passed to checkPackageAccess unless the
 # corresponding RuntimePermission ("accessClassInPackage."+package) has
 # been granted.
-package.access=sun.
+package.access=sun.,com.sun.imageio.
 
 #
 # List of comma-separated packages that start with or equal this string
--- a/src/share/lib/security/java.security-solaris	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/lib/security/java.security-solaris	Tue Aug 11 20:06:52 2009 -0600
@@ -46,12 +46,13 @@
 security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
 security.provider.2=sun.security.provider.Sun
 security.provider.3=sun.security.rsa.SunRsaSign
-security.provider.4=com.sun.net.ssl.internal.ssl.Provider
-security.provider.5=com.sun.crypto.provider.SunJCE
-security.provider.6=sun.security.jgss.SunProvider
-security.provider.7=com.sun.security.sasl.Provider
-security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
-security.provider.9=sun.security.smartcardio.SunPCSC
+security.provider.4=sun.security.ec.SunEC
+security.provider.5=com.sun.net.ssl.internal.ssl.Provider
+security.provider.6=com.sun.crypto.provider.SunJCE
+security.provider.7=sun.security.jgss.SunProvider
+security.provider.8=com.sun.security.sasl.Provider
+security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+security.provider.10=sun.security.smartcardio.SunPCSC
 
 #
 # Select the source of seed data for SecureRandom. By default an
@@ -128,7 +129,7 @@
 # passed to checkPackageAccess unless the
 # corresponding RuntimePermission ("accessClassInPackage."+package) has
 # been granted.
-package.access=sun.
+package.access=sun.,com.sun.imageio.
 
 #
 # List of comma-separated packages that start with or equal this string
--- a/src/share/lib/security/java.security-windows	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/lib/security/java.security-windows	Tue Aug 11 20:06:52 2009 -0600
@@ -45,13 +45,14 @@
 #
 security.provider.1=sun.security.provider.Sun
 security.provider.2=sun.security.rsa.SunRsaSign
-security.provider.3=com.sun.net.ssl.internal.ssl.Provider
-security.provider.4=com.sun.crypto.provider.SunJCE
-security.provider.5=sun.security.jgss.SunProvider
-security.provider.6=com.sun.security.sasl.Provider
-security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
-security.provider.8=sun.security.smartcardio.SunPCSC
-security.provider.9=sun.security.mscapi.SunMSCAPI
+security.provider.3=sun.security.ec.SunEC
+security.provider.4=com.sun.net.ssl.internal.ssl.Provider
+security.provider.5=com.sun.crypto.provider.SunJCE
+security.provider.6=sun.security.jgss.SunProvider
+security.provider.7=com.sun.security.sasl.Provider
+security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+security.provider.9=sun.security.smartcardio.SunPCSC
+security.provider.10=sun.security.mscapi.SunMSCAPI
 
 #
 # Select the source of seed data for SecureRandom. By default an
@@ -128,7 +129,7 @@
 # passed to checkPackageAccess unless the
 # corresponding RuntimePermission ("accessClassInPackage."+package) has
 # been granted.
-package.access=sun.
+package.access=sun.,com.sun.imageio.
 
 #
 # List of comma-separated packages that start with or equal this string
--- a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Tue Aug 11 20:06:52 2009 -0600
@@ -908,10 +908,12 @@
 
   // place a limit on future CP growth:
   int generous = 0;
-  generous += u->ic_count*3; // implicit name, outer, outer.utf8
-  generous += 40;  // WKUs, misc
-  generous += u->class_count;  // implicit SourceFile strings
-  maxentries = nentries + generous;
+  generous = add_size(generous, u->ic_count); // implicit name
+  generous = add_size(generous, u->ic_count); // outer
+  generous = add_size(generous, u->ic_count); // outer.utf8
+  generous = add_size(generous, 40); // WKUs, misc
+  generous = add_size(generous, u->class_count); // implicit SourceFile strings
+  maxentries = add_size(nentries, generous);
 
   // Note that this CP does not include "empty" entries
   // for longs and doubles.  Those are introduced when
--- a/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c	Tue Aug 11 20:02:43 2009 -0600
+++ b/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c	Tue Aug 11 20:06:52 2009 -0600
@@ -139,21 +139,45 @@
 
     splash->width = cinfo->output_width;
     splash->height = cinfo->output_height;
+
+    if (!SAFE_TO_ALLOC(splash->imageFormat.depthBytes, splash->width)) {
+        return 0;
+    }
     stride = splash->width * splash->imageFormat.depthBytes;
 
+    if (!SAFE_TO_ALLOC(stride, splash->height)) {
+        return 0;
+    }
+    if (!SAFE_TO_ALLOC(cinfo->output_width, cinfo->output_components)) {
+        return 0;
+    }
+
     splash->frameCount = 1;
     splash->frames = (SplashImage *) malloc(sizeof(SplashImage) *
         splash->frameCount);
+    if (splash->frames == NULL) {
+        return 0;
+    }
     memset(splash->frames, 0, sizeof(SplashImage) *
         splash->frameCount);
+
     splash->loopCount = 1;
+    splash->frames[0].delay = 0;
     splash->frames[0].bitmapBits = malloc(stride * splash->height);
-    splash->frames[0].delay = 0;
+    if (splash->frames[0].bitmapBits == NULL) {
+        free(splash->frames);
+        return 0;
+    }
 
     rowStride = cinfo->output_width * cinfo->output_components;
 
     buffer = (*cinfo->mem->alloc_sarray)
         ((j_common_ptr) cinfo, JPOOL_IMAGE, rowStride, 1);
+    if (buffer == NULL) {
+        free(splash->frames[0].bitmapBits);
+        free(splash->frames);
+        return 0;
+    }
 
     initFormat(&srcFormat, 0x00FF0000, 0x0000FF00, 0x000000FF, 0x00000000);
     srcFormat.byteOrder = BYTE_ORDER_LSBFIRST;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/sun/security/ec/ECC_JNI.cpp	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,418 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+#include <jni.h>
+#include "ecc_impl.h"
+
+#define ILLEGAL_STATE_EXCEPTION "java/lang/IllegalStateException"
+#define INVALID_ALGORITHM_PARAMETER_EXCEPTION \
+        "java/security/InvalidAlgorithmParameterException"
+#define INVALID_PARAMETER_EXCEPTION \
+        "java/security/InvalidParameterException"
+#define KEY_EXCEPTION   "java/security/KeyException"
+
+extern "C" {
+
+/*
+ * Throws an arbitrary Java exception.
+ */
+void ThrowException(JNIEnv *env, char *exceptionName)
+{
+    jclass exceptionClazz = env->FindClass(exceptionName);
+    env->ThrowNew(exceptionClazz, NULL);
+}
+
+/*
+ * Deep free of the ECParams struct
+ */
+void FreeECParams(ECParams *ecparams, jboolean freeStruct)
+{
+    // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
+    // Use B_TRUE to free both
+
+    SECITEM_FreeItem(&ecparams->fieldID.u.prime, B_FALSE);
+    SECITEM_FreeItem(&ecparams->curve.a, B_FALSE);
+    SECITEM_FreeItem(&ecparams->curve.b, B_FALSE);
+    SECITEM_FreeItem(&ecparams->curve.seed, B_FALSE);
+    SECITEM_FreeItem(&ecparams->base, B_FALSE);
+    SECITEM_FreeItem(&ecparams->order, B_FALSE);
+    SECITEM_FreeItem(&ecparams->DEREncoding, B_FALSE);
+    SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
+    if (freeStruct)
+        free(ecparams);
+}
+
+/*
+ * Class:     sun_security_ec_ECKeyPairGenerator
+ * Method:    generateECKeyPair
+ * Signature: (I[B[B)[J
+ */
+JNIEXPORT jlongArray
+JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
+  (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
+{
+    ECPrivateKey *privKey;      /* contains both public and private values */
+    ECParams *ecparams = NULL;
+    SECKEYECParams params_item;
+    jint jSeedLength;
+    jbyte* pSeedBuffer = NULL;
+    jlongArray result = NULL;
+    jlong* resultElements = NULL;
+
+    // Initialize the ECParams struct
+    params_item.len = env->GetArrayLength(encodedParams);
+    params_item.data =
+        (unsigned char *) env->GetByteArrayElements(encodedParams, 0);
+
+    // Fill a new ECParams using the supplied OID
+    if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+        /* bad curve OID */
+        ThrowException(env, INVALID_ALGORITHM_PARAMETER_EXCEPTION);
+        goto cleanup;
+    }
+
+    // Copy seed from Java to native buffer
+    jSeedLength = env->GetArrayLength(seed);
+    pSeedBuffer = new jbyte[jSeedLength];
+    env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
+
+    // Generate the new keypair (using the supplied seed)
+    if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
+        jSeedLength, 0) != SECSuccess) {
+        ThrowException(env, KEY_EXCEPTION);
+        goto cleanup;
+    }
+
+    jboolean isCopy;
+    result = env->NewLongArray(2);
+    resultElements = env->GetLongArrayElements(result, &isCopy);
+
+    resultElements[0] = (jlong) &(privKey->privateValue); // private big integer
+    resultElements[1] = (jlong) &(privKey->publicValue); // encoded ec point
+
+    // If the array is a copy then we must write back our changes
+    if (isCopy == JNI_TRUE) {
+        env->ReleaseLongArrayElements(result, resultElements, 0);
+    }
+
+cleanup:
+    {
+        if (params_item.data)
+            env->ReleaseByteArrayElements(encodedParams,
+                (jbyte *) params_item.data, JNI_ABORT);
+
+        if (ecparams)
+            FreeECParams(ecparams, true);
+
+        if (privKey) {
+            FreeECParams(&privKey->ecParams, false);
+            SECITEM_FreeItem(&privKey->version, B_FALSE);
+            // Don't free privKey->privateValue and privKey->publicValue
+        }
+
+        if (pSeedBuffer)
+            delete [] pSeedBuffer;
+    }
+
+    return result;
+}
+
+/*
+ * Class:     sun_security_ec_ECKeyPairGenerator
+ * Method:    getEncodedBytes
+ * Signature: (J)[B
+ */
+JNIEXPORT jbyteArray
+JNICALL Java_sun_security_ec_ECKeyPairGenerator_getEncodedBytes
+  (JNIEnv *env, jclass clazz, jlong hSECItem)
+{
+    SECItem *s = (SECItem *)hSECItem;
+    jbyteArray jEncodedBytes = env->NewByteArray(s->len);
+
+    // Copy bytes from a native SECItem buffer to Java byte array
+    env->SetByteArrayRegion(jEncodedBytes, 0, s->len, (jbyte *)s->data);
+
+    // Use B_FALSE to free only the SECItem->data
+    SECITEM_FreeItem(s, B_FALSE);
+
+    return jEncodedBytes;
+}
+
+/*
+ * Class:     sun_security_ec_ECDSASignature
+ * Method:    signDigest
+ * Signature: ([B[B[B[B)[B
+ */
+JNIEXPORT jbyteArray
+JNICALL Java_sun_security_ec_ECDSASignature_signDigest
+  (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
+{
+    jbyte* pDigestBuffer = NULL;
+    jint jDigestLength = env->GetArrayLength(digest);
+    jbyteArray jSignedDigest = NULL;
+
+    SECItem signature_item;
+    jbyte* pSignedDigestBuffer = NULL;
+    jbyteArray temp;
+
+    jint jSeedLength = env->GetArrayLength(seed);
+    jbyte* pSeedBuffer = NULL;
+
+    // Copy digest from Java to native buffer
+    pDigestBuffer = new jbyte[jDigestLength];
+    env->GetByteArrayRegion(digest, 0, jDigestLength, pDigestBuffer);
+    SECItem digest_item;
+    digest_item.data = (unsigned char *) pDigestBuffer;
+    digest_item.len = jDigestLength;
+
+    ECPrivateKey privKey;
+
+    // Initialize the ECParams struct
+    ECParams *ecparams = NULL;
+    SECKEYECParams params_item;
+    params_item.len = env->GetArrayLength(encodedParams);
+    params_item.data =
+        (unsigned char *) env->GetByteArrayElements(encodedParams, 0);
+
+    // Fill a new ECParams using the supplied OID
+    if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+        /* bad curve OID */
+        ThrowException(env, INVALID_ALGORITHM_PARAMETER_EXCEPTION);
+        goto cleanup;
+    }
+
+    // Extract private key data
+    privKey.ecParams = *ecparams; // struct assignment
+    privKey.privateValue.len = env->GetArrayLength(privateKey);
+    privKey.privateValue.data =
+        (unsigned char *) env->GetByteArrayElements(privateKey, 0);
+
+    // Prepare a buffer for the signature (twice the key length)
+    pSignedDigestBuffer = new jbyte[ecparams->order.len * 2];
+    signature_item.data = (unsigned char *) pSignedDigestBuffer;
+    signature_item.len = ecparams->order.len * 2;
+
+    // Copy seed from Java to native buffer
+    pSeedBuffer = new jbyte[jSeedLength];
+    env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
+
+    // Sign the digest (using the supplied seed)
+    if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
+        (unsigned char *) pSeedBuffer, jSeedLength, 0) != SECSuccess) {
+        ThrowException(env, KEY_EXCEPTION);
+        goto cleanup;
+    }
+
+    // Create new byte array
+    temp = env->NewByteArray(signature_item.len);
+
+    // Copy data from native buffer
+    env->SetByteArrayRegion(temp, 0, signature_item.len, pSignedDigestBuffer);
+    jSignedDigest = temp;
+
+cleanup:
+    {
+        if (params_item.data)
+            env->ReleaseByteArrayElements(encodedParams,
+                (jbyte *) params_item.data, JNI_ABORT);
+
+        if (pDigestBuffer)
+            delete [] pDigestBuffer;
+
+        if (pSignedDigestBuffer)
+            delete [] pSignedDigestBuffer;
+
+        if (pSeedBuffer)
+            delete [] pSeedBuffer;
+
+        if (ecparams)
+            FreeECParams(ecparams, true);
+    }
+
+    return jSignedDigest;
+}
+
+/*
+ * Class:     sun_security_ec_ECDSASignature
+ * Method:    verifySignedDigest
+ * Signature: ([B[B[B[B)Z
+ */
+JNIEXPORT jboolean
+JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
+  (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
+{
+    jboolean isValid = false;
+
+    // Copy signedDigest from Java to native buffer
+    jbyte* pSignedDigestBuffer = NULL;
+    jint jSignedDigestLength = env->GetArrayLength(signedDigest);
+    pSignedDigestBuffer = new jbyte[jSignedDigestLength];
+    env->GetByteArrayRegion(signedDigest, 0, jSignedDigestLength,
+        pSignedDigestBuffer);
+    SECItem signature_item;
+    signature_item.data = (unsigned char *) pSignedDigestBuffer;
+    signature_item.len = jSignedDigestLength;
+
+    // Copy digest from Java to native buffer
+    jbyte* pDigestBuffer = NULL;
+    jint jDigestLength = env->GetArrayLength(digest);
+    pDigestBuffer = new jbyte[jDigestLength];
+    env->GetByteArrayRegion(digest, 0, jDigestLength, pDigestBuffer);
+    SECItem digest_item;
+    digest_item.data = (unsigned char *) pDigestBuffer;
+    digest_item.len = jDigestLength;
+
+    // Extract public key data
+    ECPublicKey pubKey;
+    pubKey.publicValue.data = NULL;
+    ECParams *ecparams = NULL;
+    SECKEYECParams params_item;
+
+    // Initialize the ECParams struct
+    params_item.len = env->GetArrayLength(encodedParams);
+    params_item.data =
+        (unsigned char *) env->GetByteArrayElements(encodedParams, 0);
+
+    // Fill a new ECParams using the supplied OID
+    if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+        /* bad curve OID */
+        ThrowException(env, INVALID_ALGORITHM_PARAMETER_EXCEPTION);
+        goto cleanup;
+    }
+    pubKey.ecParams = *ecparams; // struct assignment
+    pubKey.publicValue.len = env->GetArrayLength(publicKey);
+    pubKey.publicValue.data =
+        (unsigned char *) env->GetByteArrayElements(publicKey, 0);
+
+    if (ECDSA_VerifyDigest(&pubKey, &signature_item, &digest_item, 0)
+            != SECSuccess) {
+        goto cleanup;
+    }
+
+    isValid = true;
+
+cleanup:
+    {
+        if (params_item.data)
+            env->ReleaseByteArrayElements(encodedParams,
+                (jbyte *) params_item.data, JNI_ABORT);
+
+        if (pubKey.publicValue.data)
+            env->ReleaseByteArrayElements(publicKey,
+                (jbyte *) pubKey.publicValue.data, JNI_ABORT);
+
+        if (ecparams)
+            FreeECParams(ecparams, true);
+
+        if (pSignedDigestBuffer)
+            delete [] pSignedDigestBuffer;
+
+        if (pDigestBuffer)
+            delete [] pDigestBuffer;
+    }
+
+    return isValid;
+}
+
+/*
+ * Class:     sun_security_ec_ECDHKeyAgreement
+ * Method:    deriveKey
+ * Signature: ([B[B[B)[B
+ */
+JNIEXPORT jbyteArray
+JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
+  (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
+{
+    jbyteArray jSecret = NULL;
+
+    // Extract private key value
+    SECItem privateValue_item;
+    privateValue_item.len = env->GetArrayLength(privateKey);
+    privateValue_item.data =
+            (unsigned char *) env->GetByteArrayElements(privateKey, 0);
+
+    // Extract public key value
+    SECItem publicValue_item;
+    publicValue_item.len = env->GetArrayLength(publicKey);
+    publicValue_item.data =
+        (unsigned char *) env->GetByteArrayElements(publicKey, 0);
+
+    // Initialize the ECParams struct
+    ECParams *ecparams = NULL;
+    SECKEYECParams params_item;
+    params_item.len = env->GetArrayLength(encodedParams);
+    params_item.data =
+        (unsigned char *) env->GetByteArrayElements(encodedParams, 0);
+
+    // Fill a new ECParams using the supplied OID
+    if (EC_DecodeParams(&params_item, &ecparams, 0) != SECSuccess) {
+        /* bad curve OID */
+        ThrowException(env, INVALID_ALGORITHM_PARAMETER_EXCEPTION);
+        goto cleanup;
+    }
+
+    // Prepare a buffer for the secret
+    SECItem secret_item;
+    secret_item.data = NULL;
+    secret_item.len = ecparams->order.len * 2;
+
+    if (ECDH_Derive(&publicValue_item, ecparams, &privateValue_item, B_FALSE,
+        &secret_item, 0) != SECSuccess) {
+        ThrowException(env, ILLEGAL_STATE_EXCEPTION);
+        goto cleanup;
+    }
+
+    // Create new byte array
+    jSecret = env->NewByteArray(secret_item.len);
+
+    // Copy bytes from the SECItem buffer to a Java byte array
+    env->SetByteArrayRegion(jSecret, 0, secret_item.len,
+        (jbyte *)secret_item.data);
+
+    // Free the SECItem data buffer
+    SECITEM_FreeItem(&secret_item, B_FALSE);
+
+cleanup:
+    {
+        if (privateValue_item.data)
+            env->ReleaseByteArrayElements(privateKey,
+                (jbyte *) privateValue_item.data, JNI_ABORT);
+
+        if (publicValue_item.data)
+            env->ReleaseByteArrayElements(publicKey,
+                (jbyte *) publicValue_item.data, JNI_ABORT);
+
+        if (params_item.data)
+            env->ReleaseByteArrayElements(encodedParams,
+                (jbyte *) params_item.data, JNI_ABORT);
+
+        if (ecparams)
+            FreeECParams(ecparams, true);
+    }
+
+    return jSecret;
+}
+
+} /* extern "C" */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/sun/security/ec/ec.c	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,1099 @@
+/* *********************************************************************
+ *
+ * Sun elects to have this file available under and governed by the
+ * Mozilla Public License Version 1.1 ("MPL") (see
+ * http://www.mozilla.org/MPL/ for full license text). For the avoidance
+ * of doubt and subject to the following, Sun also elects to allow
+ * licensees to use this file under the MPL, the GNU General Public
+ * License version 2 only or the Lesser General Public License version
+ * 2.1 only. Any references to the "GNU General Public License version 2
+ * or later" or "GPL" in the following shall be construed to mean the
+ * GNU General Public License version 2 only. Any references to the "GNU
+ * Lesser General Public License version 2.1 or later" or "LGPL" in the
+ * following shall be construed to mean the GNU Lesser General Public
+ * License version 2.1 only. However, the following notice accompanied
+ * the original version of this file:
+ *
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ *********************************************************************** */
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident   "%Z%%M% %I%     %E% SMI"
+
+#include "mplogic.h"
+#include "ec.h"
+#include "ecl.h"
+
+#include <sys/types.h>
+#ifndef _KERNEL
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef _WIN32
+#include <strings.h>
+#endif /* _WIN32 */
+
+#endif
+#include "ecl-exp.h"
+#include "mpi.h"
+#include "ecc_impl.h"
+
+#ifdef _KERNEL
+#define PORT_ZFree(p, l)                bzero((p), (l)); kmem_free((p), (l))
+#else
+#ifndef _WIN32
+#define PORT_ZFree(p, l)                bzero((p), (l)); free((p))
+#else
+#define PORT_ZFree(p, l)                memset((p), 0, (l)); free((p))
+#endif /* _WIN32 */
+#endif
+
+/*
+ * Returns true if pointP is the point at infinity, false otherwise
+ */
+PRBool
+ec_point_at_infinity(SECItem *pointP)
+{
+    unsigned int i;
+
+    for (i = 1; i < pointP->len; i++) {
+        if (pointP->data[i] != 0x00) return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/*
+ * Computes scalar point multiplication pointQ = k1 * G + k2 * pointP for
+ * the curve whose parameters are encoded in params with base point G.
+ */
+SECStatus
+ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
+             const SECItem *pointP, SECItem *pointQ, int kmflag)
+{
+    mp_int Px, Py, Qx, Qy;
+    mp_int Gx, Gy, order, irreducible, a, b;
+#if 0 /* currently don't support non-named curves */
+    unsigned int irr_arr[5];
+#endif
+    ECGroup *group = NULL;
+    SECStatus rv = SECFailure;
+    mp_err err = MP_OKAY;
+    int len;
+
+#if EC_DEBUG
+    int i;
+    char mpstr[256];
+
+    printf("ec_points_mul: params [len=%d]:", params->DEREncoding.len);
+    for (i = 0; i < params->DEREncoding.len; i++)
+            printf("%02x:", params->DEREncoding.data[i]);
+    printf("\n");
+
+        if (k1 != NULL) {
+                mp_tohex(k1, mpstr);
+                printf("ec_points_mul: scalar k1: %s\n", mpstr);
+                mp_todecimal(k1, mpstr);
+                printf("ec_points_mul: scalar k1: %s (dec)\n", mpstr);
+        }
+
+        if (k2 != NULL) {
+                mp_tohex(k2, mpstr);
+                printf("ec_points_mul: scalar k2: %s\n", mpstr);
+                mp_todecimal(k2, mpstr);
+                printf("ec_points_mul: scalar k2: %s (dec)\n", mpstr);
+        }
+
+        if (pointP != NULL) {
+                printf("ec_points_mul: pointP [len=%d]:", pointP->len);
+                for (i = 0; i < pointP->len; i++)
+                        printf("%02x:", pointP->data[i]);
+                printf("\n");
+        }
+#endif
+
+        /* NOTE: We only support uncompressed points for now */
+        len = (params->fieldID.size + 7) >> 3;
+        if (pointP != NULL) {
+                if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||
+                        (pointP->len != (2 * len + 1))) {
+                        return SECFailure;
+                };
+        }
+
+        MP_DIGITS(&Px) = 0;
+        MP_DIGITS(&Py) = 0;
+        MP_DIGITS(&Qx) = 0;
+        MP_DIGITS(&Qy) = 0;
+        MP_DIGITS(&Gx) = 0;
+        MP_DIGITS(&Gy) = 0;
+        MP_DIGITS(&order) = 0;
+        MP_DIGITS(&irreducible) = 0;
+        MP_DIGITS(&a) = 0;
+        MP_DIGITS(&b) = 0;
+        CHECK_MPI_OK( mp_init(&Px, kmflag) );
+        CHECK_MPI_OK( mp_init(&Py, kmflag) );
+        CHECK_MPI_OK( mp_init(&Qx, kmflag) );
+        CHECK_MPI_OK( mp_init(&Qy, kmflag) );
+        CHECK_MPI_OK( mp_init(&Gx, kmflag) );
+        CHECK_MPI_OK( mp_init(&Gy, kmflag) );
+        CHECK_MPI_OK( mp_init(&order, kmflag) );
+        CHECK_MPI_OK( mp_init(&irreducible, kmflag) );
+        CHECK_MPI_OK( mp_init(&a, kmflag) );
+        CHECK_MPI_OK( mp_init(&b, kmflag) );
+
+        if ((k2 != NULL) && (pointP != NULL)) {
+                /* Initialize Px and Py */
+                CHECK_MPI_OK( mp_read_unsigned_octets(&Px, pointP->data + 1, (mp_size) len) );
+                CHECK_MPI_OK( mp_read_unsigned_octets(&Py, pointP->data + 1 + len, (mp_size) len) );
+        }
+
+        /* construct from named params, if possible */
+        if (params->name != ECCurve_noName) {
+                group = ECGroup_fromName(params->name, kmflag);
+        }
+
+#if 0 /* currently don't support non-named curves */
+        if (group == NULL) {
+                /* Set up mp_ints containing the curve coefficients */
+                CHECK_MPI_OK( mp_read_unsigned_octets(&Gx, params->base.data + 1,
+                                                                                  (mp_size) len) );
+                CHECK_MPI_OK( mp_read_unsigned_octets(&Gy, params->base.data + 1 + len,
+                                                                                  (mp_size) len) );
+                SECITEM_TO_MPINT( params->order, &order );
+                SECITEM_TO_MPINT( params->curve.a, &a );
+                SECITEM_TO_MPINT( params->curve.b, &b );
+                if (params->fieldID.type == ec_field_GFp) {
+                        SECITEM_TO_MPINT( params->fieldID.u.prime, &irreducible );
+                        group = ECGroup_consGFp(&irreducible, &a, &b, &Gx, &Gy, &order, params->cofactor);
+                } else {
+                        SECITEM_TO_MPINT( params->fieldID.u.poly, &irreducible );
+                        irr_arr[0] = params->fieldID.size;
+                        irr_arr[1] = params->fieldID.k1;
+                        irr_arr[2] = params->fieldID.k2;
+                        irr_arr[3] = params->fieldID.k3;
+                        irr_arr[4] = 0;
+                        group = ECGroup_consGF2m(&irreducible, irr_arr, &a, &b, &Gx, &Gy, &order, params->cofactor);
+                }
+        }
+#endif
+        if (group == NULL)
+                goto cleanup;
+
+        if ((k2 != NULL) && (pointP != NULL)) {
+                CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
+        } else {
+                CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
+    }
+
+    /* Construct the SECItem representation of point Q */
+    pointQ->data[0] = EC_POINT_FORM_UNCOMPRESSED;
+    CHECK_MPI_OK( mp_to_fixlen_octets(&Qx, pointQ->data + 1,
+                                      (mp_size) len) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&Qy, pointQ->data + 1 + len,
+                                      (mp_size) len) );
+
+    rv = SECSuccess;
+
+#if EC_DEBUG
+    printf("ec_points_mul: pointQ [len=%d]:", pointQ->len);
+    for (i = 0; i < pointQ->len; i++)
+            printf("%02x:", pointQ->data[i]);
+    printf("\n");
+#endif
+
+cleanup:
+    ECGroup_free(group);
+    mp_clear(&Px);
+    mp_clear(&Py);
+    mp_clear(&Qx);
+    mp_clear(&Qy);
+    mp_clear(&Gx);
+    mp_clear(&Gy);
+    mp_clear(&order);
+    mp_clear(&irreducible);
+    mp_clear(&a);
+    mp_clear(&b);
+    if (err) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+
+    return rv;
+}
+
+/* Generates a new EC key pair. The private key is a supplied
+ * value and the public key is the result of performing a scalar
+ * point multiplication of that value with the curve's base point.
+ */
+SECStatus
+ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
+    const unsigned char *privKeyBytes, int privKeyLen, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    PRArenaPool *arena;
+    ECPrivateKey *key;
+    mp_int k;
+    mp_err err = MP_OKAY;
+    int len;
+
+#if EC_DEBUG
+    printf("ec_NewKey called\n");
+#endif
+
+#ifndef _WIN32
+int printf();
+#endif /* _WIN32 */
+
+    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* Initialize an arena for the EC key. */
+    if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
+        return SECFailure;
+
+    key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey),
+        kmflag);
+    if (!key) {
+        PORT_FreeArena(arena, PR_TRUE);
+        return SECFailure;
+    }
+
+    /* Set the version number (SEC 1 section C.4 says it should be 1) */
+    SECITEM_AllocItem(arena, &key->version, 1, kmflag);
+    key->version.data[0] = 1;
+
+    /* Copy all of the fields from the ECParams argument to the
+     * ECParams structure within the private key.
+     */
+    key->ecParams.arena = arena;
+    key->ecParams.type = ecParams->type;
+    key->ecParams.fieldID.size = ecParams->fieldID.size;
+    key->ecParams.fieldID.type = ecParams->fieldID.type;
+    if (ecParams->fieldID.type == ec_field_GFp) {
+        CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.prime,
+            &ecParams->fieldID.u.prime, kmflag));
+    } else {
+        CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.fieldID.u.poly,
+            &ecParams->fieldID.u.poly, kmflag));
+    }
+    key->ecParams.fieldID.k1 = ecParams->fieldID.k1;
+    key->ecParams.fieldID.k2 = ecParams->fieldID.k2;
+    key->ecParams.fieldID.k3 = ecParams->fieldID.k3;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.a,
+        &ecParams->curve.a, kmflag));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.b,
+        &ecParams->curve.b, kmflag));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curve.seed,
+        &ecParams->curve.seed, kmflag));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.base,
+        &ecParams->base, kmflag));
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.order,
+        &ecParams->order, kmflag));
+    key->ecParams.cofactor = ecParams->cofactor;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.DEREncoding,
+        &ecParams->DEREncoding, kmflag));
+    key->ecParams.name = ecParams->name;
+    CHECK_SEC_OK(SECITEM_CopyItem(arena, &key->ecParams.curveOID,
+        &ecParams->curveOID, kmflag));
+
+    len = (ecParams->fieldID.size + 7) >> 3;
+    SECITEM_AllocItem(arena, &key->publicValue, 2*len + 1, kmflag);
+    len = ecParams->order.len;
+    SECITEM_AllocItem(arena, &key->privateValue, len, kmflag);
+
+    /* Copy private key */
+    if (privKeyLen >= len) {
+        memcpy(key->privateValue.data, privKeyBytes, len);
+    } else {
+        memset(key->privateValue.data, 0, (len - privKeyLen));
+        memcpy(key->privateValue.data + (len - privKeyLen), privKeyBytes, privKeyLen);
+    }
+
+    /* Compute corresponding public key */
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&k, kmflag) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data,
+        (mp_size) len) );
+
+    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag);
+    if (rv != SECSuccess) goto cleanup;
+    *privKey = key;
+
+cleanup:
+    mp_clear(&k);
+    if (rv)
+        PORT_FreeArena(arena, PR_TRUE);
+
+#if EC_DEBUG
+    printf("ec_NewKey returning %s\n",
+        (rv == SECSuccess) ? "success" : "failure");
+#endif
+
+    return rv;
+
+}
+
+/* Generates a new EC key pair. The private key is a supplied
+ * random value (in seed) and the public key is the result of
+ * performing a scalar point multiplication of that value with
+ * the curve's base point.
+ */
+SECStatus
+EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey,
+    const unsigned char *seed, int seedlen, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    rv = ec_NewKey(ecParams, privKey, seed, seedlen, kmflag);
+    return rv;
+}
+
+/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
+ * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
+ * random number generator.
+ *
+ * Parameters
+ * - order: a buffer that holds the curve's group order
+ * - len: the length in octets of the order buffer
+ * - random: a buffer of 2 * len random bytes
+ * - randomlen: the length in octets of the random buffer
+ *
+ * Return Value
+ * Returns a buffer of len octets that holds the private key. The caller
+ * is responsible for freeing the buffer with PORT_ZFree.
+ */
+static unsigned char *
+ec_GenerateRandomPrivateKey(const unsigned char *order, int len,
+    const unsigned char *random, int randomlen, int kmflag)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    unsigned char *privKeyBytes = NULL;
+    mp_int privKeyVal, order_1, one;
+
+    MP_DIGITS(&privKeyVal) = 0;
+    MP_DIGITS(&order_1) = 0;
+    MP_DIGITS(&one) = 0;
+    CHECK_MPI_OK( mp_init(&privKeyVal, kmflag) );
+    CHECK_MPI_OK( mp_init(&order_1, kmflag) );
+    CHECK_MPI_OK( mp_init(&one, kmflag) );
+
+    /*
+     * Reduces the 2*len buffer of random bytes modulo the group order.
+     */
+    if ((privKeyBytes = PORT_Alloc(2*len, kmflag)) == NULL) goto cleanup;
+    if (randomlen != 2 * len) {
+        goto cleanup;
+    }
+    /* No need to generate - random bytes are now supplied */
+    /* CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(privKeyBytes, 2*len) );*/
+    memcpy(privKeyBytes, random, randomlen);
+
+    CHECK_MPI_OK( mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2*len) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&order_1, order, len) );
+    CHECK_MPI_OK( mp_set_int(&one, 1) );
+    CHECK_MPI_OK( mp_sub(&order_1, &one, &order_1) );
+    CHECK_MPI_OK( mp_mod(&privKeyVal, &order_1, &privKeyVal) );
+    CHECK_MPI_OK( mp_add(&privKeyVal, &one, &privKeyVal) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len) );
+    memset(privKeyBytes+len, 0, len);
+cleanup:
+    mp_clear(&privKeyVal);
+    mp_clear(&order_1);
+    mp_clear(&one);
+    if (err < MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess && privKeyBytes) {
+#ifdef _KERNEL
+        kmem_free(privKeyBytes, 2*len);
+#else
+        free(privKeyBytes);
+#endif
+        privKeyBytes = NULL;
+    }
+    return privKeyBytes;
+}
+
+/* Generates a new EC key pair. The private key is a random value and
+ * the public key is the result of performing a scalar point multiplication
+ * of that value with the curve's base point.
+ */
+SECStatus
+EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
+    const unsigned char* random, int randomlen, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    int len;
+    unsigned char *privKeyBytes = NULL;
+
+    if (!ecParams) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    len = ecParams->order.len;
+    privKeyBytes = ec_GenerateRandomPrivateKey(ecParams->order.data, len,
+        random, randomlen, kmflag);
+    if (privKeyBytes == NULL) goto cleanup;
+    /* generate public key */
+    CHECK_SEC_OK( ec_NewKey(ecParams, privKey, privKeyBytes, len, kmflag) );
+
+cleanup:
+    if (privKeyBytes) {
+        PORT_ZFree(privKeyBytes, len * 2);
+    }
+#if EC_DEBUG
+    printf("EC_NewKey returning %s\n",
+        (rv == SECSuccess) ? "success" : "failure");
+#endif
+
+    return rv;
+}
+
+/* Validates an EC public key as described in Section 5.2.2 of
+ * X9.62. The ECDH primitive when used without the cofactor does
+ * not address small subgroup attacks, which may occur when the
+ * public key is not valid. These attacks can be prevented by
+ * validating the public key before using ECDH.
+ */
+SECStatus
+EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue, int kmflag)
+{
+    mp_int Px, Py;
+    ECGroup *group = NULL;
+    SECStatus rv = SECFailure;
+    mp_err err = MP_OKAY;
+    int len;
+
+    if (!ecParams || !publicValue) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* NOTE: We only support uncompressed points for now */
+    len = (ecParams->fieldID.size + 7) >> 3;
+    if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+        PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
+        return SECFailure;
+    } else if (publicValue->len != (2 * len + 1)) {
+        PORT_SetError(SEC_ERROR_BAD_KEY);
+        return SECFailure;
+    }
+
+    MP_DIGITS(&Px) = 0;
+    MP_DIGITS(&Py) = 0;
+    CHECK_MPI_OK( mp_init(&Px, kmflag) );
+    CHECK_MPI_OK( mp_init(&Py, kmflag) );
+
+    /* Initialize Px and Py */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&Px, publicValue->data + 1, (mp_size) len) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&Py, publicValue->data + 1 + len, (mp_size) len) );
+
+    /* construct from named params */
+    group = ECGroup_fromName(ecParams->name, kmflag);
+    if (group == NULL) {
+        /*
+         * ECGroup_fromName fails if ecParams->name is not a valid
+         * ECCurveName value, or if we run out of memory, or perhaps
+         * for other reasons.  Unfortunately if ecParams->name is a
+         * valid ECCurveName value, we don't know what the right error
+         * code should be because ECGroup_fromName doesn't return an
+         * error code to the caller.  Set err to MP_UNDEF because
+         * that's what ECGroup_fromName uses internally.
+         */
+        if ((ecParams->name <= ECCurve_noName) ||
+            (ecParams->name >= ECCurve_pastLastCurve)) {
+            err = MP_BADARG;
+        } else {
+            err = MP_UNDEF;
+        }
+        goto cleanup;
+    }
+
+    /* validate public point */
+    if ((err = ECPoint_validate(group, &Px, &Py)) < MP_YES) {
+        if (err == MP_NO) {
+            PORT_SetError(SEC_ERROR_BAD_KEY);
+            rv = SECFailure;
+            err = MP_OKAY;  /* don't change the error code */
+        }
+        goto cleanup;
+    }
+
+    rv = SECSuccess;
+
+cleanup:
+    ECGroup_free(group);
+    mp_clear(&Px);
+    mp_clear(&Py);
+    if (err) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+** Performs an ECDH key derivation by computing the scalar point
+** multiplication of privateValue and publicValue (with or without the
+** cofactor) and returns the x-coordinate of the resulting elliptic
+** curve point in derived secret.  If successful, derivedSecret->data
+** is set to the address of the newly allocated buffer containing the
+** derived secret, and derivedSecret->len is the size of the secret
+** produced. It is the caller's responsibility to free the allocated
+** buffer containing the derived secret.
+*/
+SECStatus
+ECDH_Derive(SECItem  *publicValue,
+            ECParams *ecParams,
+            SECItem  *privateValue,
+            PRBool    withCofactor,
+            SECItem  *derivedSecret,
+            int kmflag)
+{
+    SECStatus rv = SECFailure;
+    unsigned int len = 0;
+    SECItem pointQ = {siBuffer, NULL, 0};
+    mp_int k; /* to hold the private value */
+    mp_int cofactor;
+    mp_err err = MP_OKAY;
+#if EC_DEBUG
+    int i;
+#endif
+
+    if (!publicValue || !ecParams || !privateValue ||
+        !derivedSecret) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    len = (ecParams->fieldID.size + 7) >> 3;
+    pointQ.len = 2*len + 1;
+    if ((pointQ.data = PORT_Alloc(2*len + 1, kmflag)) == NULL) goto cleanup;
+
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&k, kmflag) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data,
+                                          (mp_size) privateValue->len) );
+
+    if (withCofactor && (ecParams->cofactor != 1)) {
+            /* multiply k with the cofactor */
+            MP_DIGITS(&cofactor) = 0;
+            CHECK_MPI_OK( mp_init(&cofactor, kmflag) );
+            mp_set(&cofactor, ecParams->cofactor);
+            CHECK_MPI_OK( mp_mul(&k, &cofactor, &k) );
+    }
+
+    /* Multiply our private key and peer's public point */
+    if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag) != SECSuccess) ||
+        ec_point_at_infinity(&pointQ))
+        goto cleanup;
+
+    /* Allocate memory for the derived secret and copy
+     * the x co-ordinate of pointQ into it.
+     */
+    SECITEM_AllocItem(NULL, derivedSecret, len, kmflag);
+    memcpy(derivedSecret->data, pointQ.data + 1, len);
+
+    rv = SECSuccess;
+
+#if EC_DEBUG
+    printf("derived_secret:\n");
+    for (i = 0; i < derivedSecret->len; i++)
+        printf("%02x:", derivedSecret->data[i]);
+    printf("\n");
+#endif
+
+cleanup:
+    mp_clear(&k);
+
+    if (pointQ.data) {
+        PORT_ZFree(pointQ.data, 2*len + 1);
+    }
+
+    return rv;
+}
+
+/* Computes the ECDSA signature (a concatenation of two values r and s)
+ * on the digest using the given key and the random value kb (used in
+ * computing s).
+ */
+SECStatus
+ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
+    const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    mp_int x1;
+    mp_int d, k;     /* private key, random integer */
+    mp_int r, s;     /* tuple (r, s) is the signature */
+    mp_int n;
+    mp_err err = MP_OKAY;
+    ECParams *ecParams = NULL;
+    SECItem kGpoint = { siBuffer, NULL, 0};
+    int flen = 0;    /* length in bytes of the field size */
+    unsigned olen;   /* length in bytes of the base point order */
+
+#if EC_DEBUG
+    char mpstr[256];
+#endif
+
+    /* Initialize MPI integers. */
+    /* must happen before the first potential call to cleanup */
+    MP_DIGITS(&x1) = 0;
+    MP_DIGITS(&d) = 0;
+    MP_DIGITS(&k) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&s) = 0;
+    MP_DIGITS(&n) = 0;
+
+    /* Check args */
+    if (!key || !signature || !digest || !kb || (kblen < 0)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto cleanup;
+    }
+
+    ecParams = &(key->ecParams);
+    flen = (ecParams->fieldID.size + 7) >> 3;
+    olen = ecParams->order.len;
+    if (signature->data == NULL) {
+        /* a call to get the signature length only */
+        goto finish;
+    }
+    if (signature->len < 2*olen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        rv = SECBufferTooSmall;
+        goto cleanup;
+    }
+
+
+    CHECK_MPI_OK( mp_init(&x1, kmflag) );
+    CHECK_MPI_OK( mp_init(&d, kmflag) );
+    CHECK_MPI_OK( mp_init(&k, kmflag) );
+    CHECK_MPI_OK( mp_init(&r, kmflag) );
+    CHECK_MPI_OK( mp_init(&s, kmflag) );
+    CHECK_MPI_OK( mp_init(&n, kmflag) );
+
+    SECITEM_TO_MPINT( ecParams->order, &n );
+    SECITEM_TO_MPINT( key->privateValue, &d );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );
+    /* Make sure k is in the interval [1, n-1] */
+    if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {
+#if EC_DEBUG
+        printf("k is outside [1, n-1]\n");
+        mp_tohex(&k, mpstr);
+        printf("k : %s \n", mpstr);
+        mp_tohex(&n, mpstr);
+        printf("n : %s \n", mpstr);
+#endif
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        goto cleanup;
+    }
+
+    /*
+    ** ANSI X9.62, Section 5.3.2, Step 2
+    **
+    ** Compute kG
+    */
+    kGpoint.len = 2*flen + 1;
+    kGpoint.data = PORT_Alloc(2*flen + 1, kmflag);
+    if ((kGpoint.data == NULL) ||
+        (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag)
+            != SECSuccess))
+        goto cleanup;
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 1
+    **
+    ** Extract the x co-ordinate of kG into x1
+    */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, kGpoint.data + 1,
+                                          (mp_size) flen) );
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 2
+    **
+    ** r = x1 mod n  NOTE: n is the order of the curve
+    */
+    CHECK_MPI_OK( mp_mod(&x1, &n, &r) );
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 3
+    **
+    ** verify r != 0
+    */
+    if (mp_cmp_z(&r) == 0) {
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        goto cleanup;
+    }
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 4
+    **
+    ** s = (k**-1 * (HASH(M) + d*r)) mod n
+    */
+    SECITEM_TO_MPINT(*digest, &s);        /* s = HASH(M)     */
+
+    /* In the definition of EC signing, digests are truncated
+     * to the length of n in bits.
+     * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
+    if (digest->len*8 > ecParams->fieldID.size) {
+        mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size);
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&n, mpstr);
+    printf("n : %s (dec)\n", mpstr);
+    mp_todecimal(&d, mpstr);
+    printf("d : %s (dec)\n", mpstr);
+    mp_tohex(&x1, mpstr);
+    printf("x1: %s\n", mpstr);
+    mp_todecimal(&s, mpstr);
+    printf("digest: %s (decimal)\n", mpstr);
+    mp_todecimal(&r, mpstr);
+    printf("r : %s (dec)\n", mpstr);
+    mp_tohex(&r, mpstr);
+    printf("r : %s\n", mpstr);
+#endif
+
+    CHECK_MPI_OK( mp_invmod(&k, &n, &k) );      /* k = k**-1 mod n */
+    CHECK_MPI_OK( mp_mulmod(&d, &r, &n, &d) );  /* d = d * r mod n */
+    CHECK_MPI_OK( mp_addmod(&s, &d, &n, &s) );  /* s = s + d mod n */
+    CHECK_MPI_OK( mp_mulmod(&s, &k, &n, &s) );  /* s = s * k mod n */
+
+#if EC_DEBUG
+    mp_todecimal(&s, mpstr);
+    printf("s : %s (dec)\n", mpstr);
+    mp_tohex(&s, mpstr);
+    printf("s : %s\n", mpstr);
+#endif
+
+    /*
+    ** ANSI X9.62, Section 5.3.3, Step 5
+    **
+    ** verify s != 0
+    */
+    if (mp_cmp_z(&s) == 0) {
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        goto cleanup;
+    }
+
+   /*
+    **
+    ** Signature is tuple (r, s)
+    */
+    CHECK_MPI_OK( mp_to_fixlen_octets(&r, signature->data, olen) );
+    CHECK_MPI_OK( mp_to_fixlen_octets(&s, signature->data + olen, olen) );
+finish:
+    signature->len = 2*olen;
+
+    rv = SECSuccess;
+    err = MP_OKAY;
+cleanup:
+    mp_clear(&x1);
+    mp_clear(&d);
+    mp_clear(&k);
+    mp_clear(&r);
+    mp_clear(&s);
+    mp_clear(&n);
+
+    if (kGpoint.data) {
+        PORT_ZFree(kGpoint.data, 2*flen + 1);
+    }
+
+    if (err) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+
+#if EC_DEBUG
+    printf("ECDSA signing with seed %s\n",
+        (rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+
+   return rv;
+}
+
+/*
+** Computes the ECDSA signature on the digest using the given key
+** and a random seed.
+*/
+SECStatus
+ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest,
+    const unsigned char* random, int randomLen, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    int len;
+    unsigned char *kBytes= NULL;
+
+    if (!key) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    /* Generate random value k */
+    len = key->ecParams.order.len;
+    kBytes = ec_GenerateRandomPrivateKey(key->ecParams.order.data, len,
+        random, randomLen, kmflag);
+    if (kBytes == NULL) goto cleanup;
+
+    /* Generate ECDSA signature with the specified k value */
+    rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag);
+
+cleanup:
+    if (kBytes) {
+        PORT_ZFree(kBytes, len * 2);
+    }
+
+#if EC_DEBUG
+    printf("ECDSA signing %s\n",
+        (rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+
+    return rv;
+}
+
+/*
+** Checks the signature on the given digest using the key provided.
+*/
+SECStatus
+ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
+                 const SECItem *digest, int kmflag)
+{
+    SECStatus rv = SECFailure;
+    mp_int r_, s_;           /* tuple (r', s') is received signature) */
+    mp_int c, u1, u2, v;     /* intermediate values used in verification */
+    mp_int x1;
+    mp_int n;
+    mp_err err = MP_OKAY;
+    ECParams *ecParams = NULL;
+    SECItem pointC = { siBuffer, NULL, 0 };
+    int slen;       /* length in bytes of a half signature (r or s) */
+    int flen;       /* length in bytes of the field size */
+    unsigned olen;  /* length in bytes of the base point order */
+
+#if EC_DEBUG
+    char mpstr[256];
+    printf("ECDSA verification called\n");
+#endif
+
+    /* Initialize MPI integers. */
+    /* must happen before the first potential call to cleanup */
+    MP_DIGITS(&r_) = 0;
+    MP_DIGITS(&s_) = 0;
+    MP_DIGITS(&c) = 0;
+    MP_DIGITS(&u1) = 0;
+    MP_DIGITS(&u2) = 0;
+    MP_DIGITS(&x1) = 0;
+    MP_DIGITS(&v)  = 0;
+    MP_DIGITS(&n)  = 0;
+
+    /* Check args */
+    if (!key || !signature || !digest) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto cleanup;
+    }
+
+    ecParams = &(key->ecParams);
+    flen = (ecParams->fieldID.size + 7) >> 3;
+    olen = ecParams->order.len;
+    if (signature->len == 0 || signature->len%2 != 0 ||
+        signature->len > 2*olen) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        goto cleanup;
+    }
+    slen = signature->len/2;
+
+    SECITEM_AllocItem(NULL, &pointC, 2*flen + 1, kmflag);
+    if (pointC.data == NULL)
+        goto cleanup;
+
+    CHECK_MPI_OK( mp_init(&r_, kmflag) );
+    CHECK_MPI_OK( mp_init(&s_, kmflag) );
+    CHECK_MPI_OK( mp_init(&c, kmflag)  );
+    CHECK_MPI_OK( mp_init(&u1, kmflag) );
+    CHECK_MPI_OK( mp_init(&u2, kmflag) );
+    CHECK_MPI_OK( mp_init(&x1, kmflag)  );
+    CHECK_MPI_OK( mp_init(&v, kmflag)  );
+    CHECK_MPI_OK( mp_init(&n, kmflag)  );
+
+    /*
+    ** Convert received signature (r', s') into MPI integers.
+    */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&r_, signature->data, slen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&s_, signature->data + slen, slen) );
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Steps 1 and 2
+    **
+    ** Verify that 0 < r' < n and 0 < s' < n
+    */
+    SECITEM_TO_MPINT(ecParams->order, &n);
+    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
+        mp_cmp(&r_, &n) >= 0 || mp_cmp(&s_, &n) >= 0) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto cleanup; /* will return rv == SECFailure */
+    }
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 3
+    **
+    ** c = (s')**-1 mod n
+    */
+    CHECK_MPI_OK( mp_invmod(&s_, &n, &c) );      /* c = (s')**-1 mod n */
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 4
+    **
+    ** u1 = ((HASH(M')) * c) mod n
+    */
+    SECITEM_TO_MPINT(*digest, &u1);                  /* u1 = HASH(M)     */
+
+    /* In the definition of EC signing, digests are truncated
+     * to the length of n in bits.
+     * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
+    if (digest->len*8 > ecParams->fieldID.size) {  /* u1 = HASH(M')     */
+        mpl_rsh(&u1,&u1,digest->len*8- ecParams->fieldID.size);
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&r_, mpstr);
+    printf("r_: %s (dec)\n", mpstr);
+    mp_todecimal(&s_, mpstr);
+    printf("s_: %s (dec)\n", mpstr);
+    mp_todecimal(&c, mpstr);
+    printf("c : %s (dec)\n", mpstr);
+    mp_todecimal(&u1, mpstr);
+    printf("digest: %s (dec)\n", mpstr);
+#endif
+
+    CHECK_MPI_OK( mp_mulmod(&u1, &c, &n, &u1) );  /* u1 = u1 * c mod n */
+
+    /*
+    ** ANSI X9.62, Section 5.4.2, Step 4
+    **
+    ** u2 = ((r') * c) mod n
+    */
+    CHECK_MPI_OK( mp_mulmod(&r_, &c, &n, &u2) );
+
+    /*
+    ** ANSI X9.62, Section 5.4.3, Step 1
+    **
+    ** Compute u1*G + u2*Q
+    ** Here, A = u1.G     B = u2.Q    and   C = A + B
+    ** If the result, C, is the point at infinity, reject the signature
+    */
+    if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag)
+        != SECSuccess) {
+        rv = SECFailure;
+        goto cleanup;
+    }
+    if (ec_point_at_infinity(&pointC)) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        rv = SECFailure;
+        goto cleanup;
+    }
+
+    CHECK_MPI_OK( mp_read_unsigned_octets(&x1, pointC.data + 1, flen) );
+
+    /*
+    ** ANSI X9.62, Section 5.4.4, Step 2
+    **
+    ** v = x1 mod n
+    */
+    CHECK_MPI_OK( mp_mod(&x1, &n, &v) );
+
+#if EC_DEBUG
+    mp_todecimal(&r_, mpstr);
+    printf("r_: %s (dec)\n", mpstr);
+    mp_todecimal(&v, mpstr);
+    printf("v : %s (dec)\n", mpstr);
+#endif
+
+    /*
+    ** ANSI X9.62, Section 5.4.4, Step 3
+    **
+    ** Verification:  v == r'
+    */
+    if (mp_cmp(&v, &r_)) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        rv = SECFailure; /* Signature failed to verify. */
+    } else {
+        rv = SECSuccess; /* Signature verified. */
+    }
+
+#if EC_DEBUG
+    mp_todecimal(&u1, mpstr);
+    printf("u1: %s (dec)\n", mpstr);
+    mp_todecimal(&u2, mpstr);
+    printf("u2: %s (dec)\n", mpstr);
+    mp_tohex(&x1, mpstr);
+    printf("x1: %s\n", mpstr);
+    mp_todecimal(&v, mpstr);
+    printf("v : %s (dec)\n", mpstr);
+#endif
+
+cleanup:
+    mp_clear(&r_);
+    mp_clear(&s_);
+    mp_clear(&c);
+    mp_clear(&u1);
+    mp_clear(&u2);
+    mp_clear(&x1);
+    mp_clear(&v);
+    mp_clear(&n);
+
+    if (pointC.data) SECITEM_FreeItem(&pointC, PR_FALSE);
+    if (err) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
+
+#if EC_DEBUG
+    printf("ECDSA verification %s\n",
+        (rv == SECSuccess) ? "succeeded" : "failed");
+#endif
+
+    return rv;
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/sun/security/ec/ec.h	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,72 @@
+/* *********************************************************************
+ *
+ * Sun elects to have this file available under and governed by the
+ * Mozilla Public License Version 1.1 ("MPL") (see
+ * http://www.mozilla.org/MPL/ for full license text). For the avoidance
+ * of doubt and subject to the following, Sun also elects to allow
+ * licensees to use this file under the MPL, the GNU General Public
+ * License version 2 only or the Lesser General Public License version
+ * 2.1 only. Any references to the "GNU General Public License version 2
+ * or later" or "GPL" in the following shall be construed to mean the
+ * GNU General Public License version 2 only. Any references to the "GNU
+ * Lesser General Public License version 2.1 or later" or "LGPL" in the
+ * following shall be construed to mean the GNU Lesser General Public
+ * License version 2.1 only. However, the following notice accompanied
+ * the original version of this file:
+ *
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Elliptic Curve Cryptography library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ *********************************************************************** */
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef __ec_h_
+#define __ec_h_
+
+#pragma ident   "%Z%%M% %I%     %E% SMI"
+
+#define EC_DEBUG                          0
+#define EC_POINT_FORM_COMPRESSED_Y0    0x02
+#define EC_POINT_FORM_COMPRESSED_Y1    0x03
+#define EC_POINT_FORM_UNCOMPRESSED     0x04
+#define EC_POINT_FORM_HYBRID_Y0        0x06
+#define EC_POINT_FORM_HYBRID_Y1        0x07
+
+#define ANSI_X962_CURVE_OID_TOTAL_LEN    10
+#define SECG_CURVE_OID_TOTAL_LEN          7
+
+#endif /* __ec_h_ */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/sun/security/ec/ec2.h	Tue Aug 11 20:06:52 2009 -0600
@@ -0,0 +1,146 @@
+/* *********************************************************************
+ *
+ * Sun elects to have this file available under and governed by the
+ * Mozilla Public License Version 1.1 ("MPL") (see
+ * http://www.mozilla.org/MPL/ for full license text). For the avoidance
+ * of doubt and subject to the following, Sun also elects to allow
+ * licensees to use this file under the MPL, the GNU General Public
+ * License version 2 only or the Lesser General Public License version
+ * 2.1 only. Any references to the "GNU General Public License version 2
+ * or later" or "GPL" in the following shall be construed to mean the
+ * GNU General Public License version 2 only. Any references to the "GNU
+ * Lesser General Public License version 2.1 or later" or "LGPL" in the
+ * following shall be construed to mean the GNU Lesser General Public
+ * License version 2.1 only. However, the following notice accompanied
+ * the original version of this file:
+ *
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the elliptic curve math library for binary polynomial field curves.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2003
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ *********************************************************************** */
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _EC2_H
+#define _EC2_H
+
+#pragma ident   "%Z%%M% %I%     %E% SMI"
+
+#include "ecl-priv.h"
+
+/* Checks if point P(px, py) is at infinity.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py);
+
+/* Sets P(px, py) to be the point at infinity.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py);
+
+/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
+ * qy). Uses affine coordinates. */
+mp_err ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py,
+                                                  const mp_int *qx, const mp_int *qy, mp_int *rx,
+                                                  mp_int *ry, const ECGroup *group);
+
+/* Computes R = P - Q.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py,
+                                                  const mp_int *qx, const mp_int *qy, mp_int *rx,
+                                                  mp_int *ry, const ECGroup *group);
+
+/* Computes R = 2P.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
+                                                  mp_int *ry, const ECGroup *group);
+
+/* Validates a point on a GF2m curve. */
+mp_err ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
+
+/* by default, this routine is unused and thus doesn't need to be compiled */
+#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the irreducible that
+ * determines the field GF2m.  Uses affine coordinates. */
+mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px,
+                                                  const mp_int *py, mp_int *rx, mp_int *ry,
+                                                  const ECGroup *group);
+#endif
+
+/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
+ * a, b and p are the elliptic curve coefficients and the irreducible that
+ * determines the field GF2m.  Uses Montgomery projective coordinates. */