changeset 3181:4bfe9244ede4

Merge
author lana
date Fri, 03 Dec 2010 11:30:28 -0800
parents df99592ad34f d4eda9a6328e
children df3aeffb636e
files src/share/classes/sun/security/krb5/KrbKdcReq.java src/share/classes/sun/security/krb5/internal/TCPClient.java src/share/classes/sun/security/krb5/internal/UDPClient.java src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java
diffstat 153 files changed, 6838 insertions(+), 4546 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Thu Dec 02 19:53:51 2010 +0300
+++ b/.hgtags	Fri Dec 03 11:30:28 2010 -0800
@@ -93,3 +93,4 @@
 1657ed4e1d86c8aa2028ab5a41f9da1ac4a369f8 jdk7-b116
 3e6726bbf80a4254ecd01051c8ed77ee19325e46 jdk7-b117
 b357910aa04aead2a16b6d6ff395a8df4b51d1dd jdk7-b118
+37d74e29687cf07c2bf9411af58c7e42440855c3 jdk7-b120
--- a/make/Makefile	Thu Dec 02 19:53:51 2010 +0300
+++ b/make/Makefile	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1995, 2007, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1995, 2010, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -243,6 +243,11 @@
 SUBDIRS_tools = launchers
 SUBDIRS_misc  = org sunw jpda mkdemo mksample
 
+# Alternate classes implementation
+ifndef OPENJDK
+  SUBDIRS_misc += altclasses
+endif
+
 include $(BUILDDIR)/common/Subdirs.gmk
 
 all build::
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/altclasses/Makefile	Fri Dec 03 11:30:28 2010 -0800
@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+#
+# Makefile for building alternate runtime classes (not used by default)
+#
+
+BUILDDIR = ..
+
+PRODUCT = altclasses
+
+include $(BUILDDIR)/common/Defs.gmk
+
+# Root of alternate class sources
+
+ALTCLASSES_SRCDIR = $(CLOSED_SRC)/share/altclasses
+
+# Alternate runtime classes
+
+ALTRT_JAR_FILE = $(LIBDIR)/alt-rt.jar
+ALTRT_JAR_SOURCE_FILE = $(TEMPDIR)/alt-rt.jarsrclist
+ALTRT_JAR_SOURCES = $(wildcard $(ALTCLASSES_SRCDIR)/java/*/*.java)
+
+# Use a special file suffix for the file that holds the source list
+
+.SUFFIXES: .jarsrclist
+
+# Build rules
+
+all build: 
+	@if [ -d $(ALTCLASSES_SRCDIR) ] ; then \
+	   $(MAKE) $(ALTRT_JAR_FILE); \
+	fi
+
+# Source list file creation
+
+$(ALTRT_JAR_SOURCE_FILE): $(ALTRT_JAR_SOURCES) FRC
+	$(prep-target)
+	$(ECHO) $(ALTRT_JAR_SOURCES) > $@
+
+clean clobber::
+	$(RM) $(ALTRT_JAR_FILE) $(ALTRT_JAR_SOURCE_FILE) 
+	$(RM) -r $(ALTRT_JAR_SOURCE_FILE).classes
+
+include $(BUILDDIR)/common/Classes.gmk
+
+# Pattern rule to turn a source list file into a jar file
+$(LIBDIR)/%.jar : $(TEMPDIR)/%.jarsrclist
+	$(prep-target)
+	$(RM) -r $(<).classes
+	$(MKDIR) -p $(<).classes
+	$(JAVAC_CMD) -implicit:none -d $(<).classes @$<
+	$(BOOT_JAR_CMD) cf $@ -C $(<).classes . $(BOOT_JAR_JFLAGS)
+
+# Force target
+
+FRC:
+
+# Non file targets
+
+.PHONY: all build clean clobber
+
--- a/make/mkdemo/nio/zipfs/Makefile	Thu Dec 02 19:53:51 2010 +0300
+++ b/make/mkdemo/nio/zipfs/Makefile	Fri Dec 03 11:30:28 2010 -0800
@@ -42,3 +42,10 @@
 #
 include $(BUILDDIR)/common/Demo.gmk
 
+#EXTJAR = $(EXTDIR)/$(DEMONAME).jar
+#
+#all : build $(EXTJAR)
+#
+#$(EXTJAR) : $(DEMO_JAR)
+#	$(prep-target)
+#	$(CP) $(DEMO_JAR) $(EXTJAR)
--- a/src/share/classes/com/sun/java/util/jar/pack/AdaptiveCoding.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/AdaptiveCoding.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,8 +25,10 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
-import java.io.*;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 
 /**
  * Adaptive coding.
--- a/src/share/classes/com/sun/java/util/jar/pack/Attribute.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Attribute.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,9 +25,17 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  * Represents an attribute in a class-file.
--- a/src/share/classes/com/sun/java/util/jar/pack/BandStructure.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/BandStructure.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,12 +25,28 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
-import java.util.jar.*;
-import com.sun.java.util.jar.pack.Package.Class;
-import com.sun.java.util.jar.pack.Package.InnerClass;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import com.sun.java.util.jar.pack.Package.Class.Field;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.EOFException;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.FilterInputStream;
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.jar.Pack200;
 
 /**
  * Define the structure and ordering of "bands" in a packed file.
@@ -1629,7 +1645,7 @@
         }
     }
 
-    protected void setConstantValueIndex(Class.Field f) {
+    protected void setConstantValueIndex(com.sun.java.util.jar.pack.Package.Class.Field f) {
         Index ix = null;
         if (f != null) {
             byte tag = f.getLiteralTag();
--- a/src/share/classes/com/sun/java/util/jar/pack/ClassReader.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/ClassReader.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,19 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
+import com.sun.java.util.jar.pack.ConstantPool.ClassEntry;
+import com.sun.java.util.jar.pack.ConstantPool.DescriptorEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.SignatureEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Utf8Entry;
 import com.sun.java.util.jar.pack.Package.Class;
 import com.sun.java.util.jar.pack.Package.InnerClass;
-import com.sun.java.util.jar.pack.ConstantPool.*;
-import com.sun.tools.classfile.AttributeException;
+import java.io.DataInputStream;
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Map;
 
 /**
  * Reader for a class file that is being incorporated into a package.
@@ -422,7 +429,7 @@
                         readCode(m.code);
                     } catch (Instruction.FormatException iie) {
                         String message = iie.getMessage() + " in " + h;
-                        throw new ClassReader.ClassFormatException(message);
+                        throw new ClassReader.ClassFormatException(message, iie);
                     }
                 } else {
                     assert(h == cls);
@@ -477,9 +484,13 @@
         // (Later, ics may be transferred to the pkg.)
     }
 
-    class ClassFormatException extends IOException {
+    static class ClassFormatException extends IOException {
         public ClassFormatException(String message) {
             super(message);
         }
+
+        public ClassFormatException(String message, Throwable cause) {
+            super(message, cause);
+        }
     }
 }
--- a/src/share/classes/com/sun/java/util/jar/pack/ClassWriter.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/ClassWriter.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,11 +25,19 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
+
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import com.sun.java.util.jar.pack.ConstantPool.NumberEntry;
 import com.sun.java.util.jar.pack.Package.Class;
 import com.sun.java.util.jar.pack.Package.InnerClass;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Iterator;
+import java.util.List;
 
 /**
  * Writer for a class file that is incorporated into a package.
--- a/src/share/classes/com/sun/java/util/jar/pack/Code.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Code.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,10 +25,10 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
 import com.sun.java.util.jar.pack.Package.Class;
 import java.lang.reflect.Modifier;
+import java.util.Arrays;
+import java.util.Collection;
 
 /**
  * Represents a chunk of bytecodes.
--- a/src/share/classes/com/sun/java/util/jar/pack/Coding.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Coding.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,8 +25,10 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.HashMap;
 
 /**
  * Define the conversions between sequences of small integers and raw bytes.
--- a/src/share/classes/com/sun/java/util/jar/pack/CodingChooser.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/CodingChooser.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,9 +25,17 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
-import java.util.zip.*;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Random;
+import java.util.zip.Deflater;
+import java.util.zip.DeflaterOutputStream;
 
 /**
  * Heuristic chooser of basic encodings.
--- a/src/share/classes/com/sun/java/util/jar/pack/CodingMethod.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/CodingMethod.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,7 +25,9 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 
 /**
  * Interface for encoding and decoding int arrays using bytewise codes.
--- a/src/share/classes/com/sun/java/util/jar/pack/ConstantPool.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/ConstantPool.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,7 +25,14 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
+import java.util.AbstractList;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+import java.util.Set;
 
 /**
  * Representation of constant pool entries and indexes.
--- a/src/share/classes/com/sun/java/util/jar/pack/Constants.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Constants.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,7 +25,8 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Shared constants
--- a/src/share/classes/com/sun/java/util/jar/pack/Driver.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Driver.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,11 +25,32 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
 import java.text.MessageFormat;
-import java.util.*;
-import java.util.jar.*;
-import java.util.zip.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.ResourceBundle;
+import java.util.SortedMap;
+import java.util.TreeMap;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Pack200;
+import java.util.zip.GZIPInputStream;
+import java.util.zip.GZIPOutputStream;
 
 /** Command line interface for Pack200.
  */
--- a/src/share/classes/com/sun/java/util/jar/pack/Fixups.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Fixups.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,9 +25,11 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import java.util.AbstractCollection;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
 
 /**
  * Collection of relocatable constant pool references.
--- a/src/share/classes/com/sun/java/util/jar/pack/Histogram.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Histogram.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,8 +25,10 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
-import java.io.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.util.Arrays;
 
 /**
  * Histogram derived from an integer array of events (int[]).
--- a/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java	Fri Dec 03 11:30:28 2010 -0800
@@ -26,10 +26,18 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.nio.*;
-import java.io.*;
-import java.util.jar.*;
-import java.util.zip.*;
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.ByteBuffer;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Pack200;
+import java.util.zip.CRC32;
+import java.util.zip.Deflater;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
 
 class NativeUnpack {
     // Pointer to the native unpacker obj
--- a/src/share/classes/com/sun/java/util/jar/pack/Package.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Package.java	Fri Dec 03 11:30:28 2010 -0800
@@ -26,11 +26,32 @@
 package com.sun.java.util.jar.pack;
 
 import com.sun.java.util.jar.pack.Attribute.Layout;
+import com.sun.java.util.jar.pack.ConstantPool.ClassEntry;
+import com.sun.java.util.jar.pack.ConstantPool.DescriptorEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import com.sun.java.util.jar.pack.ConstantPool.LiteralEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Utf8Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.SequenceInputStream;
 import java.lang.reflect.Modifier;
-import java.util.*;
-import java.util.jar.*;
-import java.io.*;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.jar.JarFile;
 
 /**
  * Define the main data structure transmitted by pack/unpack.
--- a/src/share/classes/com/sun/java/util/jar/pack/PackageReader.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/PackageReader.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,12 +25,18 @@
 
 package com.sun.java.util.jar.pack;
 
+import com.sun.java.util.jar.pack.ConstantPool.ClassEntry;
+import com.sun.java.util.jar.pack.ConstantPool.DescriptorEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import com.sun.java.util.jar.pack.ConstantPool.MemberEntry;
+import com.sun.java.util.jar.pack.ConstantPool.SignatureEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Utf8Entry;
 import java.io.*;
 import java.util.*;
 import com.sun.java.util.jar.pack.Package.Class;
 import com.sun.java.util.jar.pack.Package.File;
 import com.sun.java.util.jar.pack.Package.InnerClass;
-import com.sun.java.util.jar.pack.ConstantPool.*;
 
 /**
  * Reader for a package file.
--- a/src/share/classes/com/sun/java/util/jar/pack/PackageWriter.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/PackageWriter.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,12 +25,30 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.io.*;
-import java.util.*;
+import com.sun.java.util.jar.pack.ConstantPool.ClassEntry;
+import com.sun.java.util.jar.pack.ConstantPool.DescriptorEntry;
+import com.sun.java.util.jar.pack.ConstantPool.Entry;
+import com.sun.java.util.jar.pack.ConstantPool.Index;
+import com.sun.java.util.jar.pack.ConstantPool.IndexGroup;
+import com.sun.java.util.jar.pack.ConstantPool.MemberEntry;
+import com.sun.java.util.jar.pack.ConstantPool.NumberEntry;
+import com.sun.java.util.jar.pack.ConstantPool.SignatureEntry;
+import com.sun.java.util.jar.pack.ConstantPool.StringEntry;
 import com.sun.java.util.jar.pack.Package.Class;
 import com.sun.java.util.jar.pack.Package.File;
 import com.sun.java.util.jar.pack.Package.InnerClass;
-import com.sun.java.util.jar.pack.ConstantPool.*;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
 
 /**
  * Writer for a package file.
--- a/src/share/classes/com/sun/java/util/jar/pack/PackerImpl.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/PackerImpl.java	Fri Dec 03 11:30:28 2010 -0800
@@ -26,10 +26,27 @@
 package com.sun.java.util.jar.pack;
 
 import com.sun.java.util.jar.pack.Attribute.Layout;
-import java.util.*;
-import java.util.jar.*;
-import java.io.*;
 import java.beans.PropertyChangeListener;
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+import java.util.SortedMap;
+import java.util.TimeZone;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarInputStream;
+import java.util.jar.Pack200;
 
 
 /*
@@ -614,10 +631,14 @@
         List<InFile> scanJar(JarFile jf) throws IOException {
             // Collect jar entries, preserving order.
             List<InFile> inFiles = new ArrayList<>();
-            for (JarEntry je : Collections.list(jf.entries())) {
-                InFile inFile = new InFile(jf, je);
-                assert(je.isDirectory() == inFile.name.endsWith("/"));
-                inFiles.add(inFile);
+            try {
+                for (JarEntry je : Collections.list(jf.entries())) {
+                    InFile inFile = new InFile(jf, je);
+                    assert(je.isDirectory() == inFile.name.endsWith("/"));
+                    inFiles.add(inFile);
+                }
+            } catch (IllegalStateException ise) {
+                throw new IOException(ise.getLocalizedMessage(), ise);
             }
             return inFiles;
         }
--- a/src/share/classes/com/sun/java/util/jar/pack/PopulationCoding.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/PopulationCoding.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,8 +25,12 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
-import java.io.*;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.HashSet;
 
 /**
  * Population-based coding.
--- a/src/share/classes/com/sun/java/util/jar/pack/PropMap.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/PropMap.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,13 +25,24 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
-import java.util.jar.*;
-import java.util.jar.Pack200;
-import java.util.zip.*;
-import java.io.*;
 import java.beans.PropertyChangeListener;
 import java.beans.PropertyChangeEvent;
+import java.io.BufferedInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.SortedMap;
+import java.util.TreeMap;
+import java.util.jar.Pack200;
 /**
  * Control block for publishing Pack200 options to the other classes.
  */
--- a/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,11 +25,25 @@
 
 package com.sun.java.util.jar.pack;
 
-import java.util.*;
-import java.util.jar.*;
-import java.util.zip.*;
-import java.io.*;
 import java.beans.PropertyChangeListener;
+import java.io.BufferedInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.SortedMap;
+import java.util.TimeZone;
+import java.util.jar.JarEntry;
+import java.util.jar.JarInputStream;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Pack200;
+import java.util.zip.CRC32;
+import java.util.zip.CheckedOutputStream;
+import java.util.zip.ZipEntry;
 
 /*
  * Implementation of the Pack provider.
@@ -92,7 +106,13 @@
      * @param out a JarOutputStream.
      * @exception IOException if an error is encountered.
      */
-    public void unpack(InputStream in0, JarOutputStream out) throws IOException {
+    public void unpack(InputStream in, JarOutputStream out) throws IOException {
+        if (in == null) {
+            throw new NullPointerException("null input");
+        }
+        if (out == null) {
+            throw new NullPointerException("null output");
+        }
         assert(Utils.currentInstance.get() == null);
         TimeZone tz = (props.getBoolean(Utils.PACK_DEFAULT_TIMEZONE))
                       ? null
@@ -102,18 +122,18 @@
             Utils.currentInstance.set(this);
             if (tz != null) TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
             final int verbose = props.getInteger(Utils.DEBUG_VERBOSE);
-            BufferedInputStream in = new BufferedInputStream(in0);
-            if (Utils.isJarMagic(Utils.readMagic(in))) {
+            BufferedInputStream in0 = new BufferedInputStream(in);
+            if (Utils.isJarMagic(Utils.readMagic(in0))) {
                 if (verbose > 0)
                     Utils.log.info("Copying unpacked JAR file...");
-                Utils.copyJarFile(new JarInputStream(in), out);
+                Utils.copyJarFile(new JarInputStream(in0), out);
             } else if (props.getBoolean(Utils.DEBUG_DISABLE_NATIVE)) {
-                (new DoUnpack()).run(in, out);
-                in.close();
+                (new DoUnpack()).run(in0, out);
+                in0.close();
                 Utils.markJarFile(out);
             } else {
-                (new NativeUnpack(this)).run(in, out);
-                in.close();
+                (new NativeUnpack(this)).run(in0, out);
+                in0.close();
                 Utils.markJarFile(out);
             }
         } finally {
@@ -132,6 +152,12 @@
      * @exception IOException if an error is encountered.
      */
     public void unpack(File in, JarOutputStream out) throws IOException {
+        if (in == null) {
+            throw new NullPointerException("null input");
+        }
+        if (out == null) {
+            throw new NullPointerException("null output");
+        }
         // Use the stream-based implementation.
         // %%% Reconsider if native unpacker learns to memory-map the file.
         FileInputStream instr = new FileInputStream(in);
--- a/src/share/classes/com/sun/java/util/jar/pack/Utils.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/java/util/jar/pack/Utils.java	Fri Dec 03 11:30:28 2010 -0800
@@ -25,18 +25,27 @@
 
 package com.sun.java.util.jar.pack;
 
-import com.sun.java.util.jar.pack.Attribute.Layout;
 import com.sun.java.util.jar.pack.ConstantPool.ClassEntry;
 import com.sun.java.util.jar.pack.ConstantPool.DescriptorEntry;
 import com.sun.java.util.jar.pack.ConstantPool.LiteralEntry;
 import com.sun.java.util.jar.pack.ConstantPool.MemberEntry;
 import com.sun.java.util.jar.pack.ConstantPool.SignatureEntry;
 import com.sun.java.util.jar.pack.ConstantPool.Utf8Entry;
-import java.util.*;
-import java.util.jar.*;
-import java.util.zip.*;
-import java.io.*;
-
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Map;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarInputStream;
+import java.util.jar.JarOutputStream;
+import java.util.zip.ZipEntry;
 import sun.util.logging.PlatformLogger;
 
 class Utils {
--- a/src/share/classes/com/sun/jmx/remote/internal/ServerNotifForwarder.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/jmx/remote/internal/ServerNotifForwarder.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,8 @@
 import javax.management.ListenerNotFoundException;
 import javax.management.MBeanPermission;
 import javax.management.MBeanServer;
+import javax.management.MBeanServerDelegate;
+import javax.management.MBeanServerNotification;
 import javax.management.Notification;
 import javax.management.NotificationBroadcaster;
 import javax.management.NotificationFilter;
@@ -272,6 +274,7 @@
             nr = notifBuffer.fetchNotifications(bufferFilter,
                 startSequenceNumber,
                 t, maxNotifications);
+            snoopOnUnregister(nr);
         } catch (InterruptedException ire) {
             nr = new NotificationResult(0L, 0L, new TargetedNotification[0]);
         }
@@ -283,6 +286,34 @@
         return nr;
     }
 
+    // The standard RMI connector client will register a listener on the MBeanServerDelegate
+    // in order to be told when MBeans are unregistered.  We snoop on fetched notifications
+    // so that we can know too, and remove the corresponding entry from the listenerMap.
+    // See 6957378.
+    private void snoopOnUnregister(NotificationResult nr) {
+        Set<IdAndFilter> delegateSet = listenerMap.get(MBeanServerDelegate.DELEGATE_NAME);
+        if (delegateSet == null || delegateSet.isEmpty()) {
+            return;
+        }
+        for (TargetedNotification tn : nr.getTargetedNotifications()) {
+            Integer id = tn.getListenerID();
+            for (IdAndFilter idaf : delegateSet) {
+                if (idaf.id == id) {
+                    // This is a notification from the MBeanServerDelegate.
+                    Notification n = tn.getNotification();
+                    if (n instanceof MBeanServerNotification &&
+                            n.getType().equals(MBeanServerNotification.UNREGISTRATION_NOTIFICATION)) {
+                        MBeanServerNotification mbsn = (MBeanServerNotification) n;
+                        ObjectName gone = mbsn.getMBeanName();
+                        synchronized (listenerMap) {
+                            listenerMap.remove(gone);
+                        }
+                    }
+                }
+            }
+        }
+    }
+
     public void terminate() {
         if (logger.traceOn()) {
             logger.trace("terminate", "Be called.");
@@ -418,10 +449,12 @@
             return this.filter;
         }
 
+        @Override
         public int hashCode() {
             return id.hashCode();
         }
 
+        @Override
         public boolean equals(Object o) {
             return ((o instanceof IdAndFilter) &&
                     ((IdAndFilter) o).getId().equals(getId()));
--- a/src/share/classes/com/sun/rowset/JdbcRowSetResourceBundle.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/rowset/JdbcRowSetResourceBundle.java	Fri Dec 03 11:30:28 2010 -0800
@@ -27,7 +27,6 @@
 
 import java.io.*;
 import java.util.*;
-import java.lang.*;
 
 /**
  * This class is used to help in localization of resources,
@@ -42,28 +41,28 @@
      * This <code>String</code> variable stores the location
      * of the resource bundle location.
      */
-    static String fileName;
+    private static String fileName;
 
     /**
      * This variable will hold the <code>PropertyResourceBundle</code>
      * of the text to be internationalized.
      */
-    transient PropertyResourceBundle propResBundle;
+    private transient PropertyResourceBundle propResBundle;
 
     /**
      * The constructor initializes to this object
      *
      */
-    static JdbcRowSetResourceBundle jpResBundle;
+    private static volatile JdbcRowSetResourceBundle jpResBundle;
 
     /**
-     * The varible which will represent the properties
+     * The variable which will represent the properties
      * the suffix or extension of the resource bundle.
      **/
     private static final String PROPERTIES = "properties";
 
     /**
-     * The varibale to represent underscore
+     * The variable to represent underscore
      **/
     private static final String UNDERSCORE = "_";
 
--- a/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -68,7 +68,7 @@
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -99,7 +99,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTDomainPrincipal: name",
+                        ("NTDomainPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTNumericCredential.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTNumericCredential.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,7 +70,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTNumericCredential: name",
+                        ("NTNumericCredential.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {Long.toString(impersonationToken)};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTSid.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTSid.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@
         if (stringSid == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"stringSid"};
             throw new NullPointerException(form.format(source));
@@ -81,7 +81,7 @@
         if (stringSid.length() == 0) {
             throw new IllegalArgumentException
                 (sun.security.util.ResourcesMgr.getString
-                        ("Invalid NTSid value",
+                        ("Invalid.NTSid.value",
                         "sun.security.util.AuthResources"));
         }
         sid = new String(stringSid);
@@ -108,7 +108,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSid: name",
+                        ("NTSid.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {sid};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTSidDomainPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTSidDomainPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidDomainPrincipal: name",
+                        ("NTSidDomainPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTSidGroupPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTSidGroupPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -68,7 +68,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidGroupPrincipal: name",
+                        ("NTSidGroupPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTSidPrimaryGroupPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTSidPrimaryGroupPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,7 +70,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidPrimaryGroupPrincipal: name",
+                        ("NTSidPrimaryGroupPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTSidUserPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTSidUserPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,7 +67,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidUserPrincipal: name",
+                        ("NTSidUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/NTUserPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/NTUserPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -64,7 +64,7 @@
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -93,7 +93,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTUserPrincipal: name",
+                        ("NTUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/PolicyFile.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/PolicyFile.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -490,9 +490,9 @@
             }
         } catch (PolicyParser.ParsingException pe) {
             System.err.println(AUTH_POLICY +
-                                rb.getString(": error parsing ") + policy);
+                                rb.getString(".error.parsing.") + policy);
             System.err.println(AUTH_POLICY +
-                                rb.getString(": ") +
+                                rb.getString("COLON") +
                                 pe.getMessage());
             if (debug != null)
                 pe.printStackTrace();
@@ -635,16 +635,16 @@
                 } catch (java.lang.reflect.InvocationTargetException ite) {
                     System.err.println
                         (AUTH_POLICY +
-                        rb.getString(": error adding Permission ") +
+                        rb.getString(".error.adding.Permission.") +
                         pe.permission +
-                        rb.getString(" ") +
+                        rb.getString("SPACE") +
                         ite.getTargetException());
                 } catch (Exception e) {
                     System.err.println
                         (AUTH_POLICY +
-                        rb.getString(": error adding Permission ") +
+                        rb.getString(".error.adding.Permission.") +
                         pe.permission +
-                        rb.getString(" ") +
+                        rb.getString("SPACE") +
                         e);
                 }
             }
@@ -652,9 +652,9 @@
         } catch (Exception e) {
             System.err.println
                 (AUTH_POLICY +
-                rb.getString(": error adding Entry ") +
+                rb.getString(".error.adding.Entry.") +
                 ge +
-                rb.getString(" ") +
+                rb.getString("SPACE") +
                 e);
         }
 
@@ -1373,18 +1373,18 @@
 
         public String toString(){
             StringBuffer sb = new StringBuffer();
-            sb.append(rb.getString("("));
+            sb.append(rb.getString("LPARAM"));
             sb.append(getCodeSource());
             sb.append("\n");
             for (int j = 0; j < permissions.size(); j++) {
                 Permission p = permissions.elementAt(j);
-                sb.append(rb.getString(" "));
-                sb.append(rb.getString(" "));
+                sb.append(rb.getString("SPACE"));
+                sb.append(rb.getString("SPACE"));
                 sb.append(p);
-                sb.append(rb.getString("\n"));
+                sb.append(rb.getString("NEWLINE"));
             }
-            sb.append(rb.getString(")"));
-            sb.append(rb.getString("\n"));
+            sb.append(rb.getString("RPARAM"));
+            sb.append(rb.getString("NEWLINE"));
             return sb.toString();
         }
 
@@ -1415,7 +1415,7 @@
         if (isReadOnly())
             throw new SecurityException
             (PolicyFile.rb.getString
-            ("attempt to add a Permission to a readonly PermissionCollection"));
+            ("attempt.to.add.a.Permission.to.a.readonly.PermissionCollection"));
 
         if (perms == null) {
             if (additionalPerms == null)
--- a/src/share/classes/com/sun/security/auth/PolicyParser.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/PolicyParser.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -300,7 +300,7 @@
             keyStoreType = match("quoted string");
         } else {
             throw new ParsingException(st.lineno(),
-                        rb.getString("expected keystore type"));
+                        rb.getString("expected.keystore.type"));
         }
     }
 
@@ -368,8 +368,8 @@
                                 "WILDCARD class but no WILDCARD name");
                     throw new ParsingException
                         (st.lineno(),
-                        rb.getString("can not specify Principal with a ") +
-                        rb.getString("wildcard class without a wildcard name"));
+                        rb.getString("can.not.specify.Principal.with.a.") +
+                        rb.getString("wildcard.class.without.a.wildcard.name"));
                 }
 
                 try {
@@ -389,7 +389,7 @@
             } else {
                 throw new
                  ParsingException(st.lineno(),
-                        rb.getString("expected codeBase or SignedBy"));
+                        rb.getString("expected.codeBase.or.SignedBy"));
             }
         }
 
@@ -397,7 +397,7 @@
         if (principals == null) {
             throw new ParsingException
                 (st.lineno(),
-                rb.getString("only Principal-based grant entries permitted"));
+                rb.getString("only.Principal.based.grant.entries.permitted"));
         }
 
         e.principals = principals;
@@ -416,7 +416,7 @@
             } else {
                 throw new
                     ParsingException(st.lineno(),
-                    rb.getString("expected permission entry"));
+                    rb.getString("expected.permission.entry"));
             }
         }
         match("}");
@@ -522,12 +522,12 @@
         switch (lookahead) {
         case StreamTokenizer.TT_NUMBER:
             throw new ParsingException(st.lineno(), expect,
-                                        rb.getString("number ") +
+                                        rb.getString("number.") +
                                         String.valueOf(st.nval));
         case StreamTokenizer.TT_EOF:
            throw new ParsingException
-                (rb.getString("expected ") + expect +
-                rb.getString(", read end of file"));
+                (rb.getString("expected.") + expect +
+                rb.getString(".read.end.of.file"));
         case StreamTokenizer.TT_WORD:
             if (expect.equalsIgnoreCase(st.sval)) {
                 lookahead = st.nextToken();
@@ -603,11 +603,11 @@
         switch (lookahead) {
         case StreamTokenizer.TT_NUMBER:
             throw new ParsingException(st.lineno(), ";",
-                                       rb.getString("number ") +
+                                       rb.getString("number.") +
                                         String.valueOf(st.nval));
         case StreamTokenizer.TT_EOF:
           throw new ParsingException
-                (rb.getString("expected ';', read end of file"));
+                (rb.getString("expected.read.end.of.file"));
         default:
           lookahead = st.nextToken();
         }
@@ -942,13 +942,13 @@
         }
 
         public ParsingException(int line, String msg) {
-            super(rb.getString("line ") + line + rb.getString(": ") + msg);
+            super(rb.getString("line.") + line + rb.getString("COLON") + msg);
         }
 
         public ParsingException(int line, String expect, String actual) {
-            super(rb.getString("line ") + line + rb.getString(": expected '") +
-                expect + rb.getString("', found '") + actual +
-                rb.getString("'"));
+            super(rb.getString("line.") + line + rb.getString(".expected.") +
+                expect + rb.getString(".found.") + actual +
+                rb.getString("QUOTE"));
         }
     }
 
--- a/src/share/classes/com/sun/security/auth/SolarisNumericGroupPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/SolarisNumericGroupPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -89,7 +89,7 @@
      */
     public SolarisNumericGroupPrincipal(String name, boolean primaryGroup) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
         this.primaryGroup = primaryGroup;
@@ -165,9 +165,9 @@
     public String toString() {
         return((primaryGroup ?
             rb.getString
-            ("SolarisNumericGroupPrincipal [Primary Group]: ") + name :
+            ("SolarisNumericGroupPrincipal.Primary.Group.") + name :
             rb.getString
-            ("SolarisNumericGroupPrincipal [Supplementary Group]: ") + name));
+            ("SolarisNumericGroupPrincipal.Supplementary.Group.") + name));
     }
 
     /**
--- a/src/share/classes/com/sun/security/auth/SolarisNumericUserPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/SolarisNumericUserPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -80,7 +80,7 @@
      */
     public SolarisNumericUserPrincipal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
     }
@@ -134,7 +134,7 @@
      *          <code>SolarisNumericUserPrincipal</code>.
      */
     public String toString() {
-        return(rb.getString("SolarisNumericUserPrincipal: ") + name);
+        return(rb.getString("SolarisNumericUserPrincipal.") + name);
     }
 
     /**
--- a/src/share/classes/com/sun/security/auth/SolarisPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/SolarisPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -76,7 +76,7 @@
      */
     public SolarisPrincipal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
     }
@@ -100,7 +100,7 @@
      * @return a string representation of this <code>SolarisPrincipal</code>.
      */
     public String toString() {
-        return(rb.getString("SolarisPrincipal: ") + name);
+        return(rb.getString("SolarisPrincipal.") + name);
     }
 
     /**
--- a/src/share/classes/com/sun/security/auth/SubjectCodeSource.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/SubjectCodeSource.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -395,7 +395,7 @@
                                         principals.listIterator();
             while (li.hasNext()) {
                 PolicyParser.PrincipalEntry pppe = li.next();
-                returnMe = returnMe + rb.getString("\n") +
+                returnMe = returnMe + rb.getString("NEWLINE") +
                         pppe.principalClass + " " +
                         pppe.principalName;
             }
--- a/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,7 @@
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -159,14 +159,14 @@
         if (primaryGroup) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixNumericGroupPrincipal [Primary Group]: name",
+                        ("UnixNumericGroupPrincipal.Primary.Group.name",
                         "sun.security.util.AuthResources"));
             Object[] source = {name};
             return form.format(source);
         } else {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                    ("UnixNumericGroupPrincipal [Supplementary Group]: name",
+                    ("UnixNumericGroupPrincipal.Supplementary.Group.name",
                     "sun.security.util.AuthResources"));
             Object[] source = {name};
             return form.format(source);
--- a/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,7 +67,7 @@
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -127,7 +127,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixNumericUserPrincipal: name",
+                        ("UnixNumericUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/UnixPrincipal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/UnixPrincipal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -64,7 +64,7 @@
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -94,7 +94,7 @@
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixPrincipal: name",
+                        ("UnixPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);
--- a/src/share/classes/com/sun/security/auth/X500Principal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/X500Principal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -87,7 +87,7 @@
      */
     public X500Principal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         try {
             thisX500Name = new X500Name(name);
--- a/src/share/classes/com/sun/security/auth/login/ConfigFile.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/login/ConfigFile.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,7 @@
                 } catch (PropertyExpander.ExpandException peee) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                                ("Unable to properly expand config",
+                                ("Unable.to.properly.expand.config",
                                 "sun.security.util.AuthResources"));
                     Object[] source = {extra_config};
                     throw new IOException(form.format(source));
@@ -206,7 +206,7 @@
                     } else {
                         MessageFormat form = new MessageFormat
                             (ResourcesMgr.getString
-                                ("extra_config (No such file or directory)",
+                                ("extra.config.No.such.file.or.directory.",
                                 "sun.security.util.AuthResources"));
                         Object[] source = {extra_config};
                         throw new IOException(form.format(source));
@@ -243,7 +243,7 @@
             } catch (PropertyExpander.ExpandException peee) {
                 MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                                ("Unable to properly expand config",
+                                ("Unable.to.properly.expand.config",
                                 "sun.security.util.AuthResources"));
                 Object[] source = {config_url};
                 throw new IOException(form.format(source));
@@ -286,7 +286,7 @@
                 debugConfig.println(fnfe.toString());
             }
             throw new IOException(ResourcesMgr.getString
-                    ("Configuration Error:\n\tNo such file or directory",
+                    ("Configuration.Error.No.such.file.or.directory",
                     "sun.security.util.AuthResources"));
         } finally {
             if (isr != null) {
@@ -426,7 +426,7 @@
                         AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL;
             else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tInvalid control flag, flag",
+                        ("Configuration.Error.Invalid.control.flag.flag",
                         "sun.security.util.AuthResources"));
                 Object[] source = {sflag};
                 throw new IOException(form.format(source));
@@ -474,8 +474,7 @@
         // add this configuration entry
         if (newConfig.containsKey(appName)) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("Configuration Error:\n\t" +
-                        "Can not specify multiple entries for appName",
+                ("Configuration.Error.Can.not.specify.multiple.entries.for.appName",
                 "sun.security.util.AuthResources"));
             Object[] source = {appName};
             throw new IOException(form.format(source));
@@ -491,8 +490,7 @@
         case StreamTokenizer.TT_EOF:
 
             MessageFormat form1 = new MessageFormat(ResourcesMgr.getString
-                ("Configuration Error:\n\texpected [expect], " +
-                        "read [end of file]",
+                ("Configuration.Error.expected.expect.read.end.of.file.",
                 "sun.security.util.AuthResources"));
             Object[] source1 = {expect};
             throw new IOException(form1.format(source1));
@@ -508,8 +506,7 @@
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                                "expected [expect], found [value]",
+                        ("Configuration.Error.Line.line.expected.expect.found.value.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -522,7 +519,7 @@
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -535,7 +532,7 @@
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -548,7 +545,7 @@
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -561,7 +558,7 @@
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -570,8 +567,7 @@
 
         default:
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                                "expected [expect], found [value]",
+                        ("Configuration.Error.Line.line.expected.expect.found.value.",
                         "sun.security.util.AuthResources"));
             Object[] source = {new Integer(linenum), expect, st.sval};
             throw new IOException(form.format(source));
@@ -667,8 +663,7 @@
 
             if (s == null || s.length() == 0) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                        "system property [value] expanded to empty value",
+                        ("Configuration.Error.Line.line.system.property.value.expanded.to.empty.value",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), value};
                 throw new IOException(form.format(source));
--- a/src/share/classes/com/sun/security/auth/module/JndiLoginModule.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/module/JndiLoginModule.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -686,9 +686,9 @@
 
         Callback[] callbacks = new Callback[2];
         callbacks[0] = new NameCallback(protocol + " "
-                                            + rb.getString("username: "));
+                                            + rb.getString("username."));
         callbacks[1] = new PasswordCallback(protocol + " " +
-                                                rb.getString("password: "),
+                                                rb.getString("password."),
                                             false);
 
         try {
--- a/src/share/classes/com/sun/security/auth/module/KeyStoreLoginModule.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/module/KeyStoreLoginModule.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -150,7 +150,7 @@
     private static final TextOutputCallback bannerCallback =
                 new TextOutputCallback
                         (TextOutputCallback.INFORMATION,
-                        rb.getString("Please enter keystore information"));
+                        rb.getString("Please.enter.keystore.information"));
     private final ConfirmationCallback confirmationCallback =
                 new ConfirmationCallback
                         (ConfirmationCallback.INFORMATION,
@@ -364,10 +364,10 @@
             NameCallback aliasCallback;
             if (keyStoreAlias == null || keyStoreAlias.length() == 0) {
                 aliasCallback = new NameCallback(
-                                        rb.getString("Keystore alias: "));
+                                        rb.getString("Keystore.alias."));
             } else {
                 aliasCallback =
-                    new NameCallback(rb.getString("Keystore alias: "),
+                    new NameCallback(rb.getString("Keystore.alias."),
                                      keyStoreAlias);
             }
 
@@ -379,11 +379,11 @@
                 break;
             case NORMAL:
                 keyPassCallback = new PasswordCallback
-                    (rb.getString("Private key password (optional): "), false);
+                    (rb.getString("Private.key.password.optional."), false);
                 // fall thru
             case TOKEN:
                 storePassCallback = new PasswordCallback
-                    (rb.getString("Keystore password: "), false);
+                    (rb.getString("Keystore.password."), false);
                 break;
             }
             prompt(aliasCallback, storePassCallback, keyPassCallback);
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Fri Dec 03 11:30:28 2010 -0800
@@ -27,7 +27,6 @@
 package com.sun.security.auth.module;
 
 import java.io.*;
-import java.net.*;
 import java.text.MessageFormat;
 import java.util.*;
 
@@ -38,9 +37,6 @@
 import javax.security.auth.spi.*;
 
 import sun.security.krb5.*;
-import sun.security.krb5.Config;
-import sun.security.krb5.RealmException;
-import sun.security.util.AuthResources;
 import sun.security.jgss.krb5.Krb5Util;
 import sun.security.krb5.Credentials;
 import sun.misc.HexDumpEncoder;
@@ -685,32 +681,27 @@
                     }
 
                 }
+
+                KrbAsReqBuilder builder;
                 // We can't get the key from the keytab so prompt
                 if (encKeys == null) {
                     promptForPass(getPasswdFromSharedState);
-
-                    encKeys = EncryptionKey.acquireSecretKeys(
-                        password, principal.getSalt());
-
+                    builder = new KrbAsReqBuilder(principal, password);
                     if (isInitiator) {
-                        if (debug)
-                            System.out.println("Acquire TGT using AS Exchange");
-                        cred = Credentials.acquireTGT(principal,
-                                                encKeys, password);
-                        // update keys after pre-auth
-                        encKeys = EncryptionKey.acquireSecretKeys(password,
-                                                        principal.getSalt());
+                        // XXX Even if isInitiator=false, it might be
+                        // better to do an AS-REQ so that keys can be
+                        // updated with PA info
+                        cred = builder.action().getCreds();
                     }
+                    encKeys = builder.getKeys();
                 } else {
+                    builder = new KrbAsReqBuilder(principal, encKeys);
                     if (isInitiator) {
-                        if (debug)
-                            System.out.println("Acquire TGT using AS Exchange");
-                        cred = Credentials.acquireTGT(principal,
-                                                encKeys, password);
+                        cred = builder.action().getCreds();
                     }
                 }
+                builder.destroy();
 
-                // Get the TGT using AS Exchange
                 if (debug) {
                     System.out.println("principal is " + principal);
                     HexDumpEncoder hd = new HexDumpEncoder();
@@ -780,7 +771,7 @@
                 Callback[] callbacks = new Callback[1];
                 MessageFormat form = new MessageFormat(
                                        rb.getString(
-                                       "Kerberos username [[defUsername]]: "));
+                                       "Kerberos.username.defUsername."));
                 Object[] source =  {defUsername};
                 callbacks[0] = new NameCallback(form.format(source));
                 callbackHandler.handle(callbacks);
@@ -835,7 +826,7 @@
                 String userName = krb5PrincName.toString();
                 MessageFormat form = new MessageFormat(
                                          rb.getString(
-                                         "Kerberos password for [username]: "));
+                                         "Kerberos.password.for.username."));
                 Object[] source = {userName};
                 callbacks[0] = new PasswordCallback(
                                                     form.format(source),
--- a/src/share/classes/com/sun/security/auth/module/LdapLoginModule.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/security/auth/module/LdapLoginModule.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -969,8 +969,8 @@
                 "to acquire authentication information from the user");
 
         Callback[] callbacks = new Callback[2];
-        callbacks[0] = new NameCallback(rb.getString("username: "));
-        callbacks[1] = new PasswordCallback(rb.getString("password: "), false);
+        callbacks[0] = new NameCallback(rb.getString("username."));
+        callbacks[1] = new PasswordCallback(rb.getString("password."), false);
 
         try {
             callbackHandler.handle(callbacks);
--- a/src/share/classes/com/sun/servicetag/SunConnection.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/servicetag/SunConnection.java	Fri Dec 03 11:30:28 2010 -0800
@@ -51,8 +51,8 @@
  */
 class SunConnection {
 
-    private static String JDK_REGISTRATION_URL = "https://inventory.sun.com/";
-    private static String SANDBOX_TESTING_URL = "https://inventory-beta.sun.com/";
+    private static String JDK_REGISTRATION_URL = "https://hs-ws1.oracle.com/";
+    private static String SANDBOX_TESTING_URL = "https://hs-ws1-tst.oracle.com/";
     private static String REGISTRATION_WEB_PATH = "RegistrationWeb/register";
 
     // System properties for testing
--- a/src/share/classes/com/sun/servicetag/resources/register.html	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/servicetag/resources/register.html	Fri Dec 03 11:30:28 2010 -0800
@@ -64,7 +64,7 @@
         </ul>
         <p class="style1">Product registration is FREE, quick and easy!</p>
         <blockquote>
-          <p class="style1">All you need is a Sun Developer Network or other Sun Online account. If you don't already have one, you will be prompted to create one. </p>
+          <p class="style1">All you need is an Oracle.com account. If you don't already have one, you will be prompted to create one. </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35">
@@ -83,9 +83,9 @@
        <td bgcolor="#f1f7df">
        <p class="style3">Oracle Corporation respects your privacy. 
     We will use your personal information for communications 
-    and management of your Sun Online Account, the services 
-    and applications you access using your Sun Online Account, 
-    and the products and systems you register with your Sun Online Account.</p>
+    and management of your Oracle.com account, the services 
+    and applications you access using your Oracle.com account, 
+    and the products and systems you register with your Oracle.com account.</p>
                 <p class="style3">For more information on the data that will be collected as 
           part of the registration process and how it will be managed <br>
           see <a href="http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html</a>. <br>      
--- a/src/share/classes/com/sun/servicetag/resources/register_ja.html	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/servicetag/resources/register_ja.html	Fri Dec 03 11:30:28 2010 -0800
@@ -59,7 +59,7 @@
         </ul>
         <p class="style1">製品登録は無料であり、迅速で簡単です。</p>
         <blockquote>
-          <p class="style1">必要になるのは、Sun 開発者向けネットワークアカウントまたはその他の Sun オンラインアカウントだけです。 まだアカウントがない場合は、アカウントの作成が求められます。 </p>
+          <p class="style1">必要になるのは、Oracle.com アカウントだけです。 まだアカウントがない場合は、アカウントの作成が求められます。 </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35"><form name="form1" method="post" action="@@REGISTRATION_URL@@" enctype="text/xml">
@@ -75,7 +75,7 @@
    <tr>
        <td>&nbsp;</td>
 	<td bgcolor="#f1f7df">
-        <p class="style3">Oracle Corporation は、お客様のプライバシーを尊重します。 お客様の個人情報は、お客様の Sun オンラインアカウント、お客様が Sun オンラインアカウントを使用してアクセスするサービスとアプリケーション、およびお客様が Sun オンラインアカウントで登録する製品とシステムの通信と管理に使用します。</p>
+        <p class="style3">Oracle Corporation は、お客様のプライバシーを尊重します。 お客様の個人情報は、お客様の Oracle.com アカウント、お客様が Oracle.com アカウントを使用してアクセスするサービスとアプリケーション、およびお客様が Oracle.com アカウントで登録する製品とシステムの通信と管理に使用します。</p>
                 <p class="style3">登録の際に収集されるデータや、それらがどのように管理されるかについての詳細は、<br><a href="http://java.sun.com/javase/ja/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/ja/registration/JDKRegistrationPrivacy.html</a> を参照してください。 <br> <br> Oracle のプライバシーポリシーについての詳細は、<a href="http://www.oracle.com/html/privacy.html">http://www.oracle.com/html/privacy.html</a> を参照するか、<a class="moz-txt-link-rfc2396E" href="mailto:privacy_ww@oracle.com">お問い合わせフォーム</a>からお問い合わせください。</p></td>
   </tr>
   <tr>
--- a/src/share/classes/com/sun/servicetag/resources/register_zh_CN.html	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/com/sun/servicetag/resources/register_zh_CN.html	Fri Dec 03 11:30:28 2010 -0800
@@ -60,7 +60,7 @@
         </ul>
 <p class="style1">产品注册是免费的,即快速又轻松!</p>
         <blockquote>
-<p class="style1">您需要具有 Sun 开发者网络或其他 Sun 联机帐户。如果您没有,系统将提示您创建一个。 </p>
+<p class="style1">您需要具有 Oracle.com 帐户。如果您没有,系统将提示您创建一个。 </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35"><form name="form1" method="post" action="@@REGISTRATION_URL@@" enctype="text/xml">
@@ -76,7 +76,7 @@
     <tr>
        <td>&nbsp;</td>
 	<td bgcolor="#f1f7df">
-        <p class="style3">Oracle 尊重您的隐私。我们会将您的个人信息用于通信和 Sun 联机帐户的管理、Sun 联机帐户访问的服务和应用程序以及用于使用 Sun 联机帐户注册的产品和系统。</p>
+        <p class="style3">Oracle 尊重您的隐私。我们会将您的个人信息用于通信和 Oracle.com 帐户的管理、Oracle.com 帐户访问的服务和应用程序以及用于使用 Oracle.com 帐户注册的产品和系统。</p>
 <p class="style3">有关注册过程中收集的数据以及这些数据的管理方式的更多信息,<br>请访问 <a href="http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html</a>。<br> <br>有关 Oracle 隐私政策的更多信息,请访问 <a href="http://www.oracle.com/html/privacy.html">http://www.oracle.com/html/privacy.html</a> 或与 <a class="moz-txt-link-rfc2396E" href="mailto:privacy_ww@oracle.com">privacy_ww@oracle.com</a> 联系。</p></td>
   </tr>
   <tr>
--- a/src/share/classes/java/io/ByteArrayInputStream.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/io/ByteArrayInputStream.java	Fri Dec 03 11:30:28 2010 -0800
@@ -179,11 +179,14 @@
         } else if (off < 0 || len < 0 || len > b.length - off) {
             throw new IndexOutOfBoundsException();
         }
+
         if (pos >= count) {
             return -1;
         }
-        if (pos + len > count) {
-            len = count - pos;
+
+        int avail = count - pos;
+        if (len > avail) {
+            len = avail;
         }
         if (len <= 0) {
             return 0;
@@ -206,14 +209,13 @@
      * @return  the actual number of bytes skipped.
      */
     public synchronized long skip(long n) {
-        if (pos + n > count) {
-            n = count - pos;
+        long k = count - pos;
+        if (n < k) {
+            k = n < 0 ? 0 : n;
         }
-        if (n < 0) {
-            return 0;
-        }
-        pos += n;
-        return n;
+
+        pos += k;
+        return k;
     }
 
     /**
--- a/src/share/classes/java/lang/StackTraceElement.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/lang/StackTraceElement.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package java.lang;
 
+import java.util.Objects;
+
 /**
  * An element in a stack trace, as returned by {@link
  * Throwable#getStackTrace()}.  Each element represents a single stack frame.
@@ -53,26 +55,21 @@
      * @param methodName the name of the method containing the execution point
      *        represented by the stack trace element
      * @param fileName the name of the file containing the execution point
-     *         represented by the stack trace element, or <tt>null</tt> if
+     *         represented by the stack trace element, or {@code null} if
      *         this information is unavailable
      * @param lineNumber the line number of the source line containing the
      *         execution point represented by this stack trace element, or
      *         a negative number if this information is unavailable. A value
      *         of -2 indicates that the method containing the execution point
      *         is a native method
-     * @throws NullPointerException if <tt>declaringClass</tt> or
-     *         <tt>methodName</tt> is null
+     * @throws NullPointerException if {@code declaringClass} or
+     *         {@code methodName} is null
      * @since 1.5
      */
     public StackTraceElement(String declaringClass, String methodName,
                              String fileName, int lineNumber) {
-        if (declaringClass == null)
-            throw new NullPointerException("Declaring class is null");
-        if (methodName == null)
-            throw new NullPointerException("Method name is null");
-
-        this.declaringClass = declaringClass;
-        this.methodName     = methodName;
+        this.declaringClass = Objects.nonNull(declaringClass, "Declaring class is null");
+        this.methodName     = Objects.nonNull(methodName, "Method name is null");
         this.fileName       = fileName;
         this.lineNumber     = lineNumber;
     }
@@ -80,13 +77,13 @@
     /**
      * Returns the name of the source file containing the execution point
      * represented by this stack trace element.  Generally, this corresponds
-     * to the <tt>SourceFile</tt> attribute of the relevant <tt>class</tt>
+     * to the {@code SourceFile} attribute of the relevant {@code class}
      * file (as per <i>The Java Virtual Machine Specification</i>, Section
      * 4.7.7).  In some systems, the name may refer to some source code unit
      * other than a file, such as an entry in source repository.
      *
      * @return the name of the file containing the execution point
-     *         represented by this stack trace element, or <tt>null</tt> if
+     *         represented by this stack trace element, or {@code null} if
      *         this information is unavailable.
      */
     public String getFileName() {
@@ -96,8 +93,8 @@
     /**
      * Returns the line number of the source line containing the execution
      * point represented by this stack trace element.  Generally, this is
-     * derived from the <tt>LineNumberTable</tt> attribute of the relevant
-     * <tt>class</tt> file (as per <i>The Java Virtual Machine
+     * derived from the {@code LineNumberTable} attribute of the relevant
+     * {@code class} file (as per <i>The Java Virtual Machine
      * Specification</i>, Section 4.7.8).
      *
      * @return the line number of the source line containing the execution
@@ -112,7 +109,7 @@
      * Returns the fully qualified name of the class containing the
      * execution point represented by this stack trace element.
      *
-     * @return the fully qualified name of the <tt>Class</tt> containing
+     * @return the fully qualified name of the {@code Class} containing
      *         the execution point represented by this stack trace element.
      */
     public String getClassName() {
@@ -123,8 +120,8 @@
      * Returns the name of the method containing the execution point
      * represented by this stack trace element.  If the execution point is
      * contained in an instance or class initializer, this method will return
-     * the appropriate <i>special method name</i>, <tt>&lt;init&gt;</tt> or
-     * <tt>&lt;clinit&gt;</tt>, as per Section 3.9 of <i>The Java Virtual
+     * the appropriate <i>special method name</i>, {@code <init>} or
+     * {@code <clinit>}, as per Section 3.9 of <i>The Java Virtual
      * Machine Specification</i>.
      *
      * @return the name of the method containing the execution point
@@ -138,7 +135,7 @@
      * Returns true if the method containing the execution point
      * represented by this stack trace element is a native method.
      *
-     * @return <tt>true</tt> if the method containing the execution point
+     * @return {@code true} if the method containing the execution point
      *         represented by this stack trace element is a native method.
      */
     public boolean isNativeMethod() {
@@ -151,21 +148,21 @@
      * examples may be regarded as typical:
      * <ul>
      * <li>
-     *   <tt>"MyClass.mash(MyClass.java:9)"</tt> - Here, <tt>"MyClass"</tt>
+     *   {@code "MyClass.mash(MyClass.java:9)"} - Here, {@code "MyClass"}
      *   is the <i>fully-qualified name</i> of the class containing the
      *   execution point represented by this stack trace element,
-     *   <tt>"mash"</tt> is the name of the method containing the execution
-     *   point, <tt>"MyClass.java"</tt> is the source file containing the
-     *   execution point, and <tt>"9"</tt> is the line number of the source
+     *   {@code "mash"} is the name of the method containing the execution
+     *   point, {@code "MyClass.java"} is the source file containing the
+     *   execution point, and {@code "9"} is the line number of the source
      *   line containing the execution point.
      * <li>
-     *   <tt>"MyClass.mash(MyClass.java)"</tt> - As above, but the line
+     *   {@code "MyClass.mash(MyClass.java)"} - As above, but the line
      *   number is unavailable.
      * <li>
-     *   <tt>"MyClass.mash(Unknown Source)"</tt> - As above, but neither
+     *   {@code "MyClass.mash(Unknown Source)"} - As above, but neither
      *   the file name nor the line  number are available.
      * <li>
-     *   <tt>"MyClass.mash(Native Method)"</tt> - As above, but neither
+     *   {@code "MyClass.mash(Native Method)"} - As above, but neither
      *   the file name nor the line  number are available, and the method
      *   containing the execution point is known to be a native method.
      * </ul>
@@ -181,25 +178,21 @@
 
     /**
      * Returns true if the specified object is another
-     * <tt>StackTraceElement</tt> instance representing the same execution
-     * point as this instance.  Two stack trace elements <tt>a</tt> and
-     * <tt>b</tt> are equal if and only if:
+     * {@code StackTraceElement} instance representing the same execution
+     * point as this instance.  Two stack trace elements {@code a} and
+     * {@code b} are equal if and only if:
      * <pre>
      *     equals(a.getFileName(), b.getFileName()) &&
      *     a.getLineNumber() == b.getLineNumber()) &&
      *     equals(a.getClassName(), b.getClassName()) &&
      *     equals(a.getMethodName(), b.getMethodName())
      * </pre>
-     * where <tt>equals</tt> is defined as:
-     * <pre>
-     *     static boolean equals(Object a, Object b) {
-     *         return a==b || (a != null && a.equals(b));
-     *     }
-     * </pre>
+     * where {@code equals} has the semantics of {@link
+     * java.util.Objects#equals(Object, Object) Objects.equals}.
      *
      * @param  obj the object to be compared with this stack trace element.
      * @return true if the specified object is another
-     *         <tt>StackTraceElement</tt> instance representing the same
+     *         {@code StackTraceElement} instance representing the same
      *         execution point as this instance.
      */
     public boolean equals(Object obj) {
@@ -208,12 +201,10 @@
         if (!(obj instanceof StackTraceElement))
             return false;
         StackTraceElement e = (StackTraceElement)obj;
-        return e.declaringClass.equals(declaringClass) && e.lineNumber == lineNumber
-            && eq(methodName, e.methodName) && eq(fileName, e.fileName);
-    }
-
-    private static boolean eq(Object a, Object b) {
-        return a==b || (a != null && a.equals(b));
+        return e.declaringClass.equals(declaringClass) &&
+            e.lineNumber == lineNumber &&
+            Objects.equals(methodName, e.methodName) &&
+            Objects.equals(fileName, e.fileName);
     }
 
     /**
@@ -221,7 +212,7 @@
      */
     public int hashCode() {
         int result = 31*declaringClass.hashCode() + methodName.hashCode();
-        result = 31*result + (fileName == null ?   0 : fileName.hashCode());
+        result = 31*result + Objects.hashCode(fileName);
         result = 31*result + lineNumber;
         return result;
     }
--- a/src/share/classes/java/lang/Thread.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/lang/Thread.java	Fri Dec 03 11:30:28 2010 -0800
@@ -229,7 +229,7 @@
      * after setting this thread's interrupt status.
      */
     private volatile Interruptible blocker;
-    private Object blockerLock = new Object();
+    private final Object blockerLock = new Object();
 
     /* Set the blocker field; invoked via sun.misc.SharedSecrets from java.nio code
      */
@@ -688,16 +688,19 @@
             throw new IllegalThreadStateException();
 
         /* Notify the group that this thread is about to be started
-         * so that it can be added to the group's list of threads. */
+         * so that it can be added to the group's list of threads
+         * and the group's unstarted count can be decremented. */
         group.threadStarting(this);
 
-        boolean failed = true;
+        boolean started = false;
         try {
             start0();
-            failed = false;
+            started = true;
         } finally {
             try {
-                group.threadStarted(this, failed);
+                if (!started) {
+                    group.threadStartFailed(this);
+                }
             } catch (Throwable ignore) {
                 /* do nothing. If start0 threw a Throwable then
                   it will be passed up the call stack */
@@ -955,7 +958,7 @@
             Interruptible b = blocker;
             if (b != null) {
                 interrupt0();           // Just to set the interrupt flag
-                b.interrupt();
+                b.interrupt(this);
                 return;
             }
         }
--- a/src/share/classes/java/lang/ThreadGroup.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/lang/ThreadGroup.java	Fri Dec 03 11:30:28 2010 -0800
@@ -870,9 +870,16 @@
     /**
      * Notifies the group that the thread {@code t} is about to be
      * started and adds the thread to this thread group.
+     *
+     * The thread is now a fully fledged member of the group, even though
+     * it hasn't been started yet. It will prevent the group from being
+     * destroyed so the unstarted Threads count is decremented.
      */
     void threadStarting(Thread t) {
-        add(t);
+        synchronized (this) {
+            add(t);
+            nUnstartedThreads--;
+        }
     }
 
     /**
@@ -907,12 +914,10 @@
     }
 
     /**
-     * Notifies the group that the thread {@code t} has completed
+     * Notifies the group that the thread {@code t} has failed
      * an attempt to start.
      *
-     * <p> If the thread has been started successfully
-     * then the group has its unstarted Threads count decremented.
-     * Otherwise the state of this thread group is rolled back as if the
+     * <p> The state of this thread group is rolled back as if the
      * attempt to start the thread has never occurred. The thread is again
      * considered an unstarted member of the thread group, and a subsequent
      * attempt to start the thread is permitted.
@@ -923,16 +928,10 @@
      * @param  failed
      *         true if the thread could not be started successfully
      */
-    void threadStarted(Thread t, boolean failed) {
+    void threadStartFailed(Thread t) {
         synchronized(this) {
-            if (failed) {
-                remove(t);
-            } else {
-                if (destroyed) {
-                    return;
-                }
-                nUnstartedThreads--;
-            }
+            remove(t);
+            nUnstartedThreads++;
         }
     }
 
--- a/src/share/classes/java/lang/Throwable.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/lang/Throwable.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -170,6 +170,36 @@
     private String detailMessage;
 
     /**
+     * A shared value for an empty stack.
+     */
+    private static final StackTraceElement[] EMPTY_STACK = new StackTraceElement[0];
+
+    /*
+     * To allow Throwable objects to be made immutable and safely
+     * reused by the JVM, such as OutOfMemoryErrors, fields of
+     * Throwable that are writable in response to user actions, cause
+     * and suppressedExceptions obey the following protocol:
+     *
+     * 1) The fields are initialized to a non-null sentinel value
+     * which indicates the value has logically not been set.
+     *
+     * 2) Writing a null to the field indicates further writes
+     * are forbidden
+     *
+     * 3) The sentinel value may be replaced with another non-null
+     * value.
+     *
+     * For example, implementations of the HotSpot JVM have
+     * preallocated OutOfMemoryError objects to provide for better
+     * diagnosability of that situation.  These objects are created
+     * without calling the constructor for that class and the fields
+     * in question are initialized to null.  To support this
+     * capability, any new fields added to Throwable that require
+     * being initialized to a non-null value require a coordinated JVM
+     * change.
+     */
+
+    /**
      * The throwable that caused this throwable to get thrown, or null if this
      * throwable was not caused by another throwable, or if the causative
      * throwable is unknown.  If this field is equal to this throwable itself,
@@ -188,32 +218,30 @@
      * @since 1.4
      */
     private StackTraceElement[] stackTrace;
-    /*
-     * This field is lazily initialized on first use or serialization and
-     * nulled out when fillInStackTrace is called.
-     */
+
+    // Setting this static field introduces an acceptable
+    // initialization dependency on a few java.util classes.
+    private static final List<Throwable> SUPPRESSED_SENTINEL =
+        Collections.unmodifiableList(new ArrayList<Throwable>(0));
 
     /**
-     * The list of suppressed exceptions, as returned by
-     * {@link #getSuppressedExceptions()}.
+     * The list of suppressed exceptions, as returned by {@link
+     * #getSuppressed()}.  The list is initialized to a zero-element
+     * unmodifiable sentinel list.  When a serialized Throwable is
+     * read in, if the {@code suppressedExceptions} field points to a
+     * zero-element list, the field is reset to the sentinel value.
      *
      * @serial
      * @since 1.7
      */
-    private List<Throwable> suppressedExceptions = null;
-    /*
-     * This field is lazily initialized when the first suppressed
-     * exception is added.
-     *
-     * OutOfMemoryError is preallocated in the VM for better OOM
-     * diagnosability during VM initialization. Constructor can't
-     * be not invoked. If a new field to be added in the future must
-     * be initialized to non-null, it requires a synchronized VM change.
-     */
+    private List<Throwable> suppressedExceptions = SUPPRESSED_SENTINEL;
 
     /** Message for trying to suppress a null exception. */
     private static final String NULL_CAUSE_MESSAGE = "Cannot suppress a null exception.";
 
+    /** Message for trying to suppress oneself. */
+    private static final String SELF_SUPPRESSION_MESSAGE = "Self-suppression not permitted";
+
     /** Caption  for labeling causative exception stack traces */
     private static final String CAUSE_CAPTION = "Caused by: ";
 
@@ -572,7 +600,7 @@
                 s.println("\tat " + traceElement);
 
             // Print suppressed exceptions, if any
-            for (Throwable se : getSuppressedExceptions())
+            for (Throwable se : getSuppressed())
                 se.printEnclosedStackTrace(s, trace, SUPPRESSED_CAPTION, "\t", dejaVu);
 
             // Print cause, if any
@@ -613,7 +641,7 @@
                 s.println(prefix + "\t... " + framesInCommon + " more");
 
             // Print suppressed exceptions, if any
-            for (Throwable se : getSuppressedExceptions())
+            for (Throwable se : getSuppressed())
                 se.printEnclosedStackTrace(s, trace, SUPPRESSED_CAPTION,
                                            prefix +"\t", dejaVu);
 
@@ -780,25 +808,58 @@
      */
     native StackTraceElement getStackTraceElement(int index);
 
+    /**
+     * Read a {@code Throwable} from a stream, enforcing
+     * well-formedness constraints on fields.  Null entries and
+     * self-pointers are not allowed in the list of {@code
+     * suppressedExceptions}.  Null entries are not allowed for stack
+     * trace elements.
+     *
+     * Note that there are no constraints on the value the {@code
+     * cause} field can hold; both {@code null} and {@code this} are
+     * valid values for the field.
+     */
     private void readObject(ObjectInputStream s)
         throws IOException, ClassNotFoundException {
         s.defaultReadObject();     // read in all fields
-        List<Throwable> suppressed = null;
-        if (suppressedExceptions != null &&
-            !suppressedExceptions.isEmpty()) { // Copy Throwables to new list
-            suppressed = new ArrayList<Throwable>();
-            for (Throwable t : suppressedExceptions) {
-                if (t == null)
-                    throw new NullPointerException(NULL_CAUSE_MESSAGE);
-                suppressed.add(t);
+        if (suppressedExceptions != null) {
+            List<Throwable> suppressed = null;
+            if (suppressedExceptions.isEmpty()) {
+                // Use the sentinel for a zero-length list
+                suppressed = SUPPRESSED_SENTINEL;
+            } else { // Copy Throwables to new list
+                suppressed = new ArrayList<Throwable>(1);
+                for (Throwable t : suppressedExceptions) {
+                    // Enforce constraints on suppressed exceptions in
+                    // case of corrupt or malicious stream.
+                    if (t == null)
+                        throw new NullPointerException(NULL_CAUSE_MESSAGE);
+                    if (t == this)
+                        throw new IllegalArgumentException(SELF_SUPPRESSION_MESSAGE);
+                    suppressed.add(t);
+                }
             }
+            suppressedExceptions = suppressed;
+        } // else a null suppressedExceptions field remains null
+
+        if (stackTrace != null) {
+            for (StackTraceElement ste : stackTrace) {
+                if (ste == null)
+                    throw new NullPointerException("null StackTraceElement in serial stream. ");
+            }
+        } else {
+            // A null stackTrace field in the serial form can result from
+            // an exception serialized without that field in older JDK releases.
+            stackTrace = EMPTY_STACK;
         }
-        suppressedExceptions = suppressed;
+
     }
 
+    /**
+     * Write a {@code Throwable} object to a stream.
+     */
     private synchronized void writeObject(ObjectOutputStream s)
-        throws IOException
-    {
+        throws IOException {
         getOurStackTrace();  // Ensure that stackTrace field is initialized.
         s.defaultWriteObject();
     }
@@ -808,6 +869,14 @@
      * were suppressed, typically by the {@code try}-with-resources
      * statement, in order to deliver this exception.
      *
+     * If the first exception to be suppressed is {@code null}, that
+     * indicates suppressed exception information will <em>not</em> be
+     * recorded for this exception.  Subsequent calls to this method
+     * will not record any suppressed exceptions.  Otherwise,
+     * attempting to suppress {@code null} after an exception has
+     * already been successfully suppressed results in a {@code
+     * NullPointerException}.
+     *
      * <p>Note that when one exception {@linkplain
      * #initCause(Throwable) causes} another exception, the first
      * exception is usually caught and then the second exception is
@@ -819,20 +888,35 @@
      *
      * @param exception the exception to be added to the list of
      *        suppressed exceptions
-     * @throws NullPointerException if {@code exception} is null
      * @throws IllegalArgumentException if {@code exception} is this
      *         throwable; a throwable cannot suppress itself.
+     * @throws NullPointerException if {@code exception} is null and
+     *         an exception has already been suppressed by this exception
      * @since 1.7
      */
-    public synchronized void addSuppressedException(Throwable exception) {
-        if (exception == null)
-            throw new NullPointerException(NULL_CAUSE_MESSAGE);
+    public final synchronized void addSuppressed(Throwable exception) {
         if (exception == this)
-            throw new IllegalArgumentException("Self-suppression not permitted");
+            throw new IllegalArgumentException(SELF_SUPPRESSION_MESSAGE);
 
-        if (suppressedExceptions == null)
-            suppressedExceptions = new ArrayList<Throwable>();
-        suppressedExceptions.add(exception);
+        if (exception == null) {
+            if (suppressedExceptions == SUPPRESSED_SENTINEL) {
+                suppressedExceptions = null; // No suppression information recorded
+                return;
+            } else
+                throw new NullPointerException(NULL_CAUSE_MESSAGE);
+        } else {
+            assert exception != null && exception != this;
+
+            if (suppressedExceptions == null) // Suppressed exceptions not recorded
+                return;
+
+            if (suppressedExceptions == SUPPRESSED_SENTINEL)
+                suppressedExceptions = new ArrayList<Throwable>(1);
+
+            assert suppressedExceptions != SUPPRESSED_SENTINEL;
+
+            suppressedExceptions.add(exception);
+        }
     }
 
     private static final Throwable[] EMPTY_THROWABLE_ARRAY = new Throwable[0];
@@ -842,12 +926,15 @@
      * suppressed, typically by the {@code try}-with-resources
      * statement, in order to deliver this exception.
      *
+     * If no exceptions were suppressed, an empty array is returned.
+     *
      * @return an array containing all of the exceptions that were
      *         suppressed to deliver this exception.
      * @since 1.7
      */
-    public synchronized Throwable[] getSuppressedExceptions() {
-        if (suppressedExceptions == null)
+    public final synchronized Throwable[] getSuppressed() {
+        if (suppressedExceptions == SUPPRESSED_SENTINEL ||
+            suppressedExceptions == null)
             return EMPTY_THROWABLE_ARRAY;
         else
             return suppressedExceptions.toArray(EMPTY_THROWABLE_ARRAY);
--- a/src/share/classes/java/nio/channels/spi/AbstractInterruptibleChannel.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/nio/channels/spi/AbstractInterruptibleChannel.java	Fri Dec 03 11:30:28 2010 -0800
@@ -88,7 +88,7 @@
     implements Channel, InterruptibleChannel
 {
 
-    private Object closeLock = new Object();
+    private final Object closeLock = new Object();
     private volatile boolean open = true;
 
     /**
@@ -142,7 +142,7 @@
     // -- Interruption machinery --
 
     private Interruptible interruptor;
-    private volatile boolean interrupted = false;
+    private volatile Thread interrupted;
 
     /**
      * Marks the beginning of an I/O operation that might block indefinitely.
@@ -155,12 +155,12 @@
     protected final void begin() {
         if (interruptor == null) {
             interruptor = new Interruptible() {
-                    public void interrupt() {
+                    public void interrupt(Thread target) {
                         synchronized (closeLock) {
                             if (!open)
                                 return;
-                            interrupted = true;
                             open = false;
+                            interrupted = target;
                             try {
                                 AbstractInterruptibleChannel.this.implCloseChannel();
                             } catch (IOException x) { }
@@ -168,8 +168,9 @@
                     }};
         }
         blockedOn(interruptor);
-        if (Thread.currentThread().isInterrupted())
-            interruptor.interrupt();
+        Thread me = Thread.currentThread();
+        if (me.isInterrupted())
+            interruptor.interrupt(me);
     }
 
     /**
@@ -195,12 +196,13 @@
         throws AsynchronousCloseException
     {
         blockedOn(null);
-        if (completed) {
-            interrupted = false;
-            return;
+        Thread interrupted = this.interrupted;
+        if (interrupted != null && interrupted == Thread.currentThread()) {
+            interrupted = null;
+            throw new ClosedByInterruptException();
         }
-        if (interrupted) throw new ClosedByInterruptException();
-        if (!open) throw new AsynchronousCloseException();
+        if (!completed && !open)
+            throw new AsynchronousCloseException();
     }
 
 
--- a/src/share/classes/java/nio/channels/spi/AbstractSelector.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/nio/channels/spi/AbstractSelector.java	Fri Dec 03 11:30:28 2010 -0800
@@ -206,13 +206,14 @@
     protected final void begin() {
         if (interruptor == null) {
             interruptor = new Interruptible() {
-                    public void interrupt() {
+                    public void interrupt(Thread ignore) {
                         AbstractSelector.this.wakeup();
                     }};
         }
         AbstractInterruptibleChannel.blockedOn(interruptor);
-        if (Thread.currentThread().isInterrupted())
-            interruptor.interrupt();
+        Thread me = Thread.currentThread();
+        if (me.isInterrupted())
+            interruptor.interrupt(me);
     }
 
     /**
--- a/src/share/classes/java/util/TreeMap.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/util/TreeMap.java	Fri Dec 03 11:30:28 2010 -0800
@@ -32,25 +32,26 @@
  * creation time, depending on which constructor is used.
  *
  * <p>This implementation provides guaranteed log(n) time cost for the
- * <tt>containsKey</tt>, <tt>get</tt>, <tt>put</tt> and <tt>remove</tt>
+ * {@code containsKey}, {@code get}, {@code put} and {@code remove}
  * operations.  Algorithms are adaptations of those in Cormen, Leiserson, and
- * Rivest's <I>Introduction to Algorithms</I>.
+ * Rivest's <em>Introduction to Algorithms</em>.
  *
- * <p>Note that the ordering maintained by a sorted map (whether or not an
- * explicit comparator is provided) must be <i>consistent with equals</i> if
- * this sorted map is to correctly implement the <tt>Map</tt> interface.  (See
- * <tt>Comparable</tt> or <tt>Comparator</tt> for a precise definition of
- * <i>consistent with equals</i>.)  This is so because the <tt>Map</tt>
- * interface is defined in terms of the equals operation, but a map performs
- * all key comparisons using its <tt>compareTo</tt> (or <tt>compare</tt>)
- * method, so two keys that are deemed equal by this method are, from the
- * standpoint of the sorted map, equal.  The behavior of a sorted map
- * <i>is</i> well-defined even if its ordering is inconsistent with equals; it
- * just fails to obey the general contract of the <tt>Map</tt> interface.
+ * <p>Note that the ordering maintained by a tree map, like any sorted map, and
+ * whether or not an explicit comparator is provided, must be <em>consistent
+ * with {@code equals}</em> if this sorted map is to correctly implement the
+ * {@code Map} interface.  (See {@code Comparable} or {@code Comparator} for a
+ * precise definition of <em>consistent with equals</em>.)  This is so because
+ * the {@code Map} interface is defined in terms of the {@code equals}
+ * operation, but a sorted map performs all key comparisons using its {@code
+ * compareTo} (or {@code compare}) method, so two keys that are deemed equal by
+ * this method are, from the standpoint of the sorted map, equal.  The behavior
+ * of a sorted map <em>is</em> well-defined even if its ordering is
+ * inconsistent with {@code equals}; it just fails to obey the general contract
+ * of the {@code Map} interface.
  *
  * <p><strong>Note that this implementation is not synchronized.</strong>
  * If multiple threads access a map concurrently, and at least one of the
- * threads modifies the map structurally, it <i>must</i> be synchronized
+ * threads modifies the map structurally, it <em>must</em> be synchronized
  * externally.  (A structural modification is any operation that adds or
  * deletes one or more mappings; merely changing the value associated
  * with an existing key is not a structural modification.)  This is
@@ -62,11 +63,11 @@
  * unsynchronized access to the map: <pre>
  *   SortedMap m = Collections.synchronizedSortedMap(new TreeMap(...));</pre>
  *
- * <p>The iterators returned by the <tt>iterator</tt> method of the collections
+ * <p>The iterators returned by the {@code iterator} method of the collections
  * returned by all of this class's "collection view methods" are
- * <i>fail-fast</i>: if the map is structurally modified at any time after the
- * iterator is created, in any way except through the iterator's own
- * <tt>remove</tt> method, the iterator will throw a {@link
+ * <em>fail-fast</em>: if the map is structurally modified at any time after
+ * the iterator is created, in any way except through the iterator's own
+ * {@code remove} method, the iterator will throw a {@link
  * ConcurrentModificationException}.  Thus, in the face of concurrent
  * modification, the iterator fails quickly and cleanly, rather than risking
  * arbitrary, non-deterministic behavior at an undetermined time in the future.
@@ -74,16 +75,16 @@
  * <p>Note that the fail-fast behavior of an iterator cannot be guaranteed
  * as it is, generally speaking, impossible to make any hard guarantees in the
  * presence of unsynchronized concurrent modification.  Fail-fast iterators
- * throw <tt>ConcurrentModificationException</tt> on a best-effort basis.
+ * throw {@code ConcurrentModificationException} on a best-effort basis.
  * Therefore, it would be wrong to write a program that depended on this
- * exception for its correctness:   <i>the fail-fast behavior of iterators
- * should be used only to detect bugs.</i>
+ * exception for its correctness:   <em>the fail-fast behavior of iterators
+ * should be used only to detect bugs.</em>
  *
- * <p>All <tt>Map.Entry</tt> pairs returned by methods in this class
+ * <p>All {@code Map.Entry} pairs returned by methods in this class
  * and its views represent snapshots of mappings at the time they were
- * produced. They do <em>not</em> support the <tt>Entry.setValue</tt>
+ * produced. They do <strong>not</strong> support the {@code Entry.setValue}
  * method. (Note however that it is possible to change mappings in the
- * associated map using <tt>put</tt>.)
+ * associated map using {@code put}.)
  *
  * <p>This class is a member of the
  * <a href="{@docRoot}/../technotes/guides/collections/index.html">
@@ -130,13 +131,13 @@
      * Constructs a new, empty tree map, using the natural ordering of its
      * keys.  All keys inserted into the map must implement the {@link
      * Comparable} interface.  Furthermore, all such keys must be
-     * <i>mutually comparable</i>: <tt>k1.compareTo(k2)</tt> must not throw
-     * a <tt>ClassCastException</tt> for any keys <tt>k1</tt> and
-     * <tt>k2</tt> in the map.  If the user attempts to put a key into the
+     * <em>mutually comparable</em>: {@code k1.compareTo(k2)} must not throw
+     * a {@code ClassCastException} for any keys {@code k1} and
+     * {@code k2} in the map.  If the user attempts to put a key into the
      * map that violates this constraint (for example, the user attempts to
      * put a string key into a map whose keys are integers), the
-     * <tt>put(Object key, Object value)</tt> call will throw a
-     * <tt>ClassCastException</tt>.
+     * {@code put(Object key, Object value)} call will throw a
+     * {@code ClassCastException}.
      */
     public TreeMap() {
         comparator = null;
@@ -144,16 +145,16 @@
 
     /**
      * Constructs a new, empty tree map, ordered according to the given
-     * comparator.  All keys inserted into the map must be <i>mutually
-     * comparable</i> by the given comparator: <tt>comparator.compare(k1,
-     * k2)</tt> must not throw a <tt>ClassCastException</tt> for any keys
-     * <tt>k1</tt> and <tt>k2</tt> in the map.  If the user attempts to put
-     * a key into the map that violates this constraint, the <tt>put(Object
-     * key, Object value)</tt> call will throw a
-     * <tt>ClassCastException</tt>.
+     * comparator.  All keys inserted into the map must be <em>mutually
+     * comparable</em> by the given comparator: {@code comparator.compare(k1,
+     * k2)} must not throw a {@code ClassCastException} for any keys
+     * {@code k1} and {@code k2} in the map.  If the user attempts to put
+     * a key into the map that violates this constraint, the {@code put(Object
+     * key, Object value)} call will throw a
+     * {@code ClassCastException}.
      *
      * @param comparator the comparator that will be used to order this map.
-     *        If <tt>null</tt>, the {@linkplain Comparable natural
+     *        If {@code null}, the {@linkplain Comparable natural
      *        ordering} of the keys will be used.
      */
     public TreeMap(Comparator<? super K> comparator) {
@@ -162,12 +163,12 @@
 
     /**
      * Constructs a new tree map containing the same mappings as the given
-     * map, ordered according to the <i>natural ordering</i> of its keys.
+     * map, ordered according to the <em>natural ordering</em> of its keys.
      * All keys inserted into the new map must implement the {@link
      * Comparable} interface.  Furthermore, all such keys must be
-     * <i>mutually comparable</i>: <tt>k1.compareTo(k2)</tt> must not throw
-     * a <tt>ClassCastException</tt> for any keys <tt>k1</tt> and
-     * <tt>k2</tt> in the map.  This method runs in n*log(n) time.
+     * <em>mutually comparable</em>: {@code k1.compareTo(k2)} must not throw
+     * a {@code ClassCastException} for any keys {@code k1} and
+     * {@code k2} in the map.  This method runs in n*log(n) time.
      *
      * @param  m the map whose mappings are to be placed in this map
      * @throws ClassCastException if the keys in m are not {@link Comparable},
@@ -210,11 +211,11 @@
     }
 
     /**
-     * Returns <tt>true</tt> if this map contains a mapping for the specified
+     * Returns {@code true} if this map contains a mapping for the specified
      * key.
      *
      * @param key key whose presence in this map is to be tested
-     * @return <tt>true</tt> if this map contains a mapping for the
+     * @return {@code true} if this map contains a mapping for the
      *         specified key
      * @throws ClassCastException if the specified key cannot be compared
      *         with the keys currently in the map
@@ -227,16 +228,16 @@
     }
 
     /**
-     * Returns <tt>true</tt> if this map maps one or more keys to the
-     * specified value.  More formally, returns <tt>true</tt> if and only if
-     * this map contains at least one mapping to a value <tt>v</tt> such
-     * that <tt>(value==null ? v==null : value.equals(v))</tt>.  This
+     * Returns {@code true} if this map maps one or more keys to the
+     * specified value.  More formally, returns {@code true} if and only if
+     * this map contains at least one mapping to a value {@code v} such
+     * that {@code (value==null ? v==null : value.equals(v))}.  This
      * operation will probably require time linear in the map size for
      * most implementations.
      *
      * @param value value whose presence in this map is to be tested
-     * @return <tt>true</tt> if a mapping to <tt>value</tt> exists;
-     *         <tt>false</tt> otherwise
+     * @return {@code true} if a mapping to {@code value} exists;
+     *         {@code false} otherwise
      * @since 1.2
      */
     public boolean containsValue(Object value) {
@@ -256,7 +257,7 @@
      * method returns {@code v}; otherwise it returns {@code null}.
      * (There can be at most one such mapping.)
      *
-     * <p>A return value of {@code null} does not <i>necessarily</i>
+     * <p>A return value of {@code null} does not <em>necessarily</em>
      * indicate that the map contains no mapping for the key; it's also
      * possible that the map explicitly maps the key to {@code null}.
      * The {@link #containsKey containsKey} operation may be used to
@@ -322,10 +323,10 @@
     }
 
     /**
-     * Returns this map's entry for the given key, or <tt>null</tt> if the map
+     * Returns this map's entry for the given key, or {@code null} if the map
      * does not contain an entry for the key.
      *
-     * @return this map's entry for the given key, or <tt>null</tt> if the map
+     * @return this map's entry for the given key, or {@code null} if the map
      *         does not contain an entry for the key
      * @throws ClassCastException if the specified key cannot be compared
      *         with the keys currently in the map
@@ -381,7 +382,7 @@
      * Gets the entry corresponding to the specified key; if no such entry
      * exists, returns the entry for the least key greater than the specified
      * key; if no such entry exists (i.e., the greatest key in the Tree is less
-     * than the specified key), returns <tt>null</tt>.
+     * than the specified key), returns {@code null}.
      */
     final Entry<K,V> getCeilingEntry(K key) {
         Entry<K,V> p = root;
@@ -413,7 +414,7 @@
     /**
      * Gets the entry corresponding to the specified key; if no such entry
      * exists, returns the entry for the greatest key less than the specified
-     * key; if no such entry exists, returns <tt>null</tt>.
+     * key; if no such entry exists, returns {@code null}.
      */
     final Entry<K,V> getFloorEntry(K key) {
         Entry<K,V> p = root;
@@ -447,7 +448,7 @@
      * Gets the entry for the least key greater than the specified
      * key; if no such entry exists, returns the entry for the least
      * key greater than the specified key; if no such entry exists
-     * returns <tt>null</tt>.
+     * returns {@code null}.
      */
     final Entry<K,V> getHigherEntry(K key) {
         Entry<K,V> p = root;
@@ -478,7 +479,7 @@
     /**
      * Returns the entry for the greatest key less than the specified key; if
      * no such entry exists (i.e., the least key in the Tree is greater than
-     * the specified key), returns <tt>null</tt>.
+     * the specified key), returns {@code null}.
      */
     final Entry<K,V> getLowerEntry(K key) {
         Entry<K,V> p = root;
@@ -514,10 +515,10 @@
      * @param key key with which the specified value is to be associated
      * @param value value to be associated with the specified key
      *
-     * @return the previous value associated with <tt>key</tt>, or
-     *         <tt>null</tt> if there was no mapping for <tt>key</tt>.
-     *         (A <tt>null</tt> return can also indicate that the map
-     *         previously associated <tt>null</tt> with <tt>key</tt>.)
+     * @return the previous value associated with {@code key}, or
+     *         {@code null} if there was no mapping for {@code key}.
+     *         (A {@code null} return can also indicate that the map
+     *         previously associated {@code null} with {@code key}.)
      * @throws ClassCastException if the specified key cannot be compared
      *         with the keys currently in the map
      * @throws NullPointerException if the specified key is null
@@ -583,10 +584,10 @@
      * Removes the mapping for this key from this TreeMap if present.
      *
      * @param  key key for which mapping should be removed
-     * @return the previous value associated with <tt>key</tt>, or
-     *         <tt>null</tt> if there was no mapping for <tt>key</tt>.
-     *         (A <tt>null</tt> return can also indicate that the map
-     *         previously associated <tt>null</tt> with <tt>key</tt>.)
+     * @return the previous value associated with {@code key}, or
+     *         {@code null} if there was no mapping for {@code key}.
+     *         (A {@code null} return can also indicate that the map
+     *         previously associated {@code null} with {@code key}.)
      * @throws ClassCastException if the specified key cannot be compared
      *         with the keys currently in the map
      * @throws NullPointerException if the specified key is null
@@ -614,7 +615,7 @@
     }
 
     /**
-     * Returns a shallow copy of this <tt>TreeMap</tt> instance. (The keys and
+     * Returns a shallow copy of this {@code TreeMap} instance. (The keys and
      * values themselves are not cloned.)
      *
      * @return a shallow copy of this map
@@ -788,12 +789,12 @@
      * The set is backed by the map, so changes to the map are
      * reflected in the set, and vice-versa.  If the map is modified
      * while an iteration over the set is in progress (except through
-     * the iterator's own <tt>remove</tt> operation), the results of
+     * the iterator's own {@code remove} operation), the results of
      * the iteration are undefined.  The set supports element removal,
      * which removes the corresponding mapping from the map, via the
-     * <tt>Iterator.remove</tt>, <tt>Set.remove</tt>,
-     * <tt>removeAll</tt>, <tt>retainAll</tt>, and <tt>clear</tt>
-     * operations.  It does not support the <tt>add</tt> or <tt>addAll</tt>
+     * {@code Iterator.remove}, {@code Set.remove},
+     * {@code removeAll}, {@code retainAll}, and {@code clear}
+     * operations.  It does not support the {@code add} or {@code addAll}
      * operations.
      */
     public Set<K> keySet() {
@@ -822,13 +823,13 @@
      * The collection is backed by the map, so changes to the map are
      * reflected in the collection, and vice-versa.  If the map is
      * modified while an iteration over the collection is in progress
-     * (except through the iterator's own <tt>remove</tt> operation),
+     * (except through the iterator's own {@code remove} operation),
      * the results of the iteration are undefined.  The collection
      * supports element removal, which removes the corresponding
-     * mapping from the map, via the <tt>Iterator.remove</tt>,
-     * <tt>Collection.remove</tt>, <tt>removeAll</tt>,
-     * <tt>retainAll</tt> and <tt>clear</tt> operations.  It does not
-     * support the <tt>add</tt> or <tt>addAll</tt> operations.
+     * mapping from the map, via the {@code Iterator.remove},
+     * {@code Collection.remove}, {@code removeAll},
+     * {@code retainAll} and {@code clear} operations.  It does not
+     * support the {@code add} or {@code addAll} operations.
      */
     public Collection<V> values() {
         Collection<V> vs = values;
@@ -841,14 +842,14 @@
      * The set is backed by the map, so changes to the map are
      * reflected in the set, and vice-versa.  If the map is modified
      * while an iteration over the set is in progress (except through
-     * the iterator's own <tt>remove</tt> operation, or through the
-     * <tt>setValue</tt> operation on a map entry returned by the
+     * the iterator's own {@code remove} operation, or through the
+     * {@code setValue} operation on a map entry returned by the
      * iterator) the results of the iteration are undefined.  The set
      * supports element removal, which removes the corresponding
-     * mapping from the map, via the <tt>Iterator.remove</tt>,
-     * <tt>Set.remove</tt>, <tt>removeAll</tt>, <tt>retainAll</tt> and
-     * <tt>clear</tt> operations.  It does not support the
-     * <tt>add</tt> or <tt>addAll</tt> operations.
+     * mapping from the map, via the {@code Iterator.remove},
+     * {@code Set.remove}, {@code removeAll}, {@code retainAll} and
+     * {@code clear} operations.  It does not support the
+     * {@code add} or {@code addAll} operations.
      */
     public Set<Map.Entry<K,V>> entrySet() {
         EntrySet es = entrySet;
@@ -868,7 +869,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>fromKey</tt> or <tt>toKey</tt> is
+     * @throws NullPointerException if {@code fromKey} or {@code toKey} is
      *         null and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -883,7 +884,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>toKey</tt> is null
+     * @throws NullPointerException if {@code toKey} is null
      *         and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -897,7 +898,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>fromKey</tt> is null
+     * @throws NullPointerException if {@code fromKey} is null
      *         and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -911,7 +912,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>fromKey</tt> or <tt>toKey</tt> is
+     * @throws NullPointerException if {@code fromKey} or {@code toKey} is
      *         null and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -922,7 +923,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>toKey</tt> is null
+     * @throws NullPointerException if {@code toKey} is null
      *         and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -933,7 +934,7 @@
 
     /**
      * @throws ClassCastException       {@inheritDoc}
-     * @throws NullPointerException if <tt>fromKey</tt> is null
+     * @throws NullPointerException if {@code fromKey} is null
      *         and this map uses natural ordering, or its comparator
      *         does not permit null keys
      * @throws IllegalArgumentException {@inheritDoc}
@@ -1193,7 +1194,7 @@
 
     /**
      * Test two values for equality.  Differs from o1.equals(o2) only in
-     * that it copes with <tt>null</tt> o1 properly.
+     * that it copes with {@code null} o1 properly.
      */
     final static boolean valEquals(Object o1, Object o2) {
         return (o1==null ? o2==null : o1.equals(o2));
@@ -1897,7 +1898,7 @@
 
         /**
          * Make a new cell with given key, value, and parent, and with
-         * <tt>null</tt> child links, and BLACK color.
+         * {@code null} child links, and BLACK color.
          */
         Entry(K key, V value, Entry<K,V> parent) {
             this.key = key;
@@ -2249,10 +2250,10 @@
     private static final long serialVersionUID = 919286545866124006L;
 
     /**
-     * Save the state of the <tt>TreeMap</tt> instance to a stream (i.e.,
+     * Save the state of the {@code TreeMap} instance to a stream (i.e.,
      * serialize it).
      *
-     * @serialData The <i>size</i> of the TreeMap (the number of key-value
+     * @serialData The <em>size</em> of the TreeMap (the number of key-value
      *             mappings) is emitted (int), followed by the key (Object)
      *             and value (Object) for each key-value mapping represented
      *             by the TreeMap. The key-value mappings are emitted in
@@ -2277,7 +2278,7 @@
     }
 
     /**
-     * Reconstitute the <tt>TreeMap</tt> instance from a stream (i.e.,
+     * Reconstitute the {@code TreeMap} instance from a stream (i.e.,
      * deserialize it).
      */
     private void readObject(final java.io.ObjectInputStream s)
--- a/src/share/classes/java/util/concurrent/LinkedBlockingDeque.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/util/concurrent/LinkedBlockingDeque.java	Fri Dec 03 11:30:28 2010 -0800
@@ -126,10 +126,8 @@
          */
         Node<E> next;
 
-        Node(E x, Node<E> p, Node<E> n) {
+        Node(E x) {
             item = x;
-            prev = p;
-            next = n;
         }
     }
 
@@ -199,7 +197,7 @@
             for (E e : c) {
                 if (e == null)
                     throw new NullPointerException();
-                if (!linkLast(e))
+                if (!linkLast(new Node<E>(e)))
                     throw new IllegalStateException("Deque full");
             }
         } finally {
@@ -211,38 +209,38 @@
     // Basic linking and unlinking operations, called only while holding lock
 
     /**
-     * Links e as first element, or returns false if full.
+     * Links node as first element, or returns false if full.
      */
-    private boolean linkFirst(E e) {
+    private boolean linkFirst(Node<E> node) {
         // assert lock.isHeldByCurrentThread();
         if (count >= capacity)
             return false;
         Node<E> f = first;
-        Node<E> x = new Node<E>(e, null, f);
-        first = x;
+        node.next = f;
+        first = node;
         if (last == null)
-            last = x;
+            last = node;
         else
-            f.prev = x;
+            f.prev = node;
         ++count;
         notEmpty.signal();
         return true;
     }
 
     /**
-     * Links e as last element, or returns false if full.
+     * Links node as last element, or returns false if full.
      */
-    private boolean linkLast(E e) {
+    private boolean linkLast(Node<E> node) {
         // assert lock.isHeldByCurrentThread();
         if (count >= capacity)
             return false;
         Node<E> l = last;
-        Node<E> x = new Node<E>(e, l, null);
-        last = x;
+        node.prev = l;
+        last = node;
         if (first == null)
-            first = x;
+            first = node;
         else
-            l.next = x;
+            l.next = node;
         ++count;
         notEmpty.signal();
         return true;
@@ -339,10 +337,11 @@
      */
     public boolean offerFirst(E e) {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return linkFirst(e);
+            return linkFirst(node);
         } finally {
             lock.unlock();
         }
@@ -353,10 +352,11 @@
      */
     public boolean offerLast(E e) {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return linkLast(e);
+            return linkLast(node);
         } finally {
             lock.unlock();
         }
@@ -368,10 +368,11 @@
      */
     public void putFirst(E e) throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            while (!linkFirst(e))
+            while (!linkFirst(node))
                 notFull.await();
         } finally {
             lock.unlock();
@@ -384,10 +385,11 @@
      */
     public void putLast(E e) throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            while (!linkLast(e))
+            while (!linkLast(node))
                 notFull.await();
         } finally {
             lock.unlock();
@@ -401,11 +403,12 @@
     public boolean offerFirst(E e, long timeout, TimeUnit unit)
         throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         long nanos = unit.toNanos(timeout);
         final ReentrantLock lock = this.lock;
         lock.lockInterruptibly();
         try {
-            while (!linkFirst(e)) {
+            while (!linkFirst(node)) {
                 if (nanos <= 0)
                     return false;
                 nanos = notFull.awaitNanos(nanos);
@@ -423,11 +426,12 @@
     public boolean offerLast(E e, long timeout, TimeUnit unit)
         throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         long nanos = unit.toNanos(timeout);
         final ReentrantLock lock = this.lock;
         lock.lockInterruptibly();
         try {
-            while (!linkLast(e)) {
+            while (!linkLast(node)) {
                 if (nanos <= 0)
                     return false;
                 nanos = notFull.awaitNanos(nanos);
@@ -955,7 +959,20 @@
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return super.toString();
+            Node<E> p = first;
+            if (p == null)
+                return "[]";
+
+            StringBuilder sb = new StringBuilder();
+            sb.append('[');
+            for (;;) {
+                E e = p.item;
+                sb.append(e == this ? "(this Collection)" : e);
+                p = p.next;
+                if (p == null)
+                    return sb.append(']').toString();
+                sb.append(',').append(' ');
+            }
         } finally {
             lock.unlock();
         }
@@ -1054,6 +1071,26 @@
         }
 
         /**
+         * Returns the successor node of the given non-null, but
+         * possibly previously deleted, node.
+         */
+        private Node<E> succ(Node<E> n) {
+            // Chains of deleted nodes ending in null or self-links
+            // are possible if multiple interior nodes are removed.
+            for (;;) {
+                Node<E> s = nextNode(n);
+                if (s == null)
+                    return null;
+                else if (s.item != null)
+                    return s;
+                else if (s == n)
+                    return firstNode();
+                else
+                    n = s;
+            }
+        }
+
+        /**
          * Advances next.
          */
         void advance() {
@@ -1061,16 +1098,7 @@
             lock.lock();
             try {
                 // assert next != null;
-                Node<E> s = nextNode(next);
-                if (s == next) {
-                    next = firstNode();
-                } else {
-                    // Skip over removed nodes.
-                    // May be necessary if multiple interior Nodes are removed.
-                    while (s != null && s.item == null)
-                        s = nextNode(s);
-                    next = s;
-                }
+                next = succ(next);
                 nextItem = (next == null) ? null : next.item;
             } finally {
                 lock.unlock();
--- a/src/share/classes/java/util/jar/JarInputStream.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/util/jar/JarInputStream.java	Fri Dec 03 11:30:28 2010 -0800
@@ -28,6 +28,7 @@
 import java.util.zip.*;
 import java.io.*;
 import sun.security.util.ManifestEntryVerifier;
+import sun.misc.JarIndex;
 
 /**
  * The <code>JarInputStream</code> class is used to read the contents of
@@ -47,7 +48,8 @@
     private JarEntry first;
     private JarVerifier jv;
     private ManifestEntryVerifier mev;
-
+    private final boolean doVerify;
+    private boolean tryManifest;
 
     /**
      * Creates a new <code>JarInputStream</code> and reads the optional
@@ -72,25 +74,33 @@
      */
     public JarInputStream(InputStream in, boolean verify) throws IOException {
         super(in);
+        this.doVerify = verify;
+
+        // This implementation assumes the META-INF/MANIFEST.MF entry
+        // should be either the first or the second entry (when preceded
+        // by the dir META-INF/). It skips the META-INF/ and then
+        // "consumes" the MANIFEST.MF to initialize the Manifest object.
         JarEntry e = (JarEntry)super.getNextEntry();
-
         if (e != null && e.getName().equalsIgnoreCase("META-INF/"))
             e = (JarEntry)super.getNextEntry();
+        first = checkManifest(e);
+    }
 
+    private JarEntry checkManifest(JarEntry e)
+        throws IOException
+    {
         if (e != null && JarFile.MANIFEST_NAME.equalsIgnoreCase(e.getName())) {
             man = new Manifest();
             byte bytes[] = getBytes(new BufferedInputStream(this));
             man.read(new ByteArrayInputStream(bytes));
-            //man.read(new BufferedInputStream(this));
             closeEntry();
-            if (verify) {
+            if (doVerify) {
                 jv = new JarVerifier(bytes);
                 mev = new ManifestEntryVerifier(man);
             }
-            first = getNextJarEntry();
-        } else {
-            first = e;
+            return (JarEntry)super.getNextEntry();
         }
+        return e;
     }
 
     private byte[] getBytes(InputStream is)
@@ -98,10 +108,7 @@
     {
         byte[] buffer = new byte[8192];
         ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
-
         int n;
-
-        baos.reset();
         while ((n = is.read(buffer, 0, buffer.length)) != -1) {
             baos.write(buffer, 0, n);
         }
@@ -133,8 +140,14 @@
         JarEntry e;
         if (first == null) {
             e = (JarEntry)super.getNextEntry();
+            if (tryManifest) {
+                e = checkManifest(e);
+                tryManifest = false;
+            }
         } else {
             e = first;
+            if (first.getName().equalsIgnoreCase(JarIndex.INDEX_NAME))
+                tryManifest = true;
             first = null;
         }
         if (jv != null && e != null) {
--- a/src/share/classes/java/util/jar/Pack200.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/java/util/jar/Pack200.java	Fri Dec 03 11:30:28 2010 -0800
@@ -30,9 +30,6 @@
 import java.io.File;
 import java.io.IOException;
 import java.beans.PropertyChangeListener;
-import java.beans.PropertyChangeEvent;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 
 
 
@@ -225,6 +222,10 @@
      *    If the input JAR-files contains a 1.6 class file, then the pack file
      * version will be set to 1.6.
      * <p>
+     * Note: Unless otherwise noted, passing a <tt>null</tt> argument to a
+     * constructor or method in this class will cause a {@link NullPointerException}
+     * to be thrown.
+     * <p>
      * @since 1.5
      */
     public interface Packer {
@@ -599,6 +600,10 @@
      * "<tt>PACK200</tt>" as a zip file comment.
      * This allows a deployer to detect if a JAR archive was packed and unpacked.
      * <p>
+     * Note: Unless otherwise noted, passing a <tt>null</tt> argument to a
+     * constructor or method in this class will cause a {@link NullPointerException}
+     * to be thrown.
+     * <p>
      * This version of the unpacker is compatible with all previous versions.
      * @since 1.5
      */
--- a/src/share/classes/javax/management/remote/rmi/RMIConnector.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnector.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -291,7 +291,24 @@
             if (tracing)
                 logger.trace("connect",idstr + " getting connection...");
             Object credentials = usemap.get(CREDENTIALS);
-            connection = getConnection(stub, credentials, checkStub);
+
+            try {
+                connection = getConnection(stub, credentials, checkStub);
+            } catch (java.rmi.RemoteException re) {
+                if (jmxServiceURL != null) {
+                    final String pro = jmxServiceURL.getProtocol();
+                    final String path = jmxServiceURL.getURLPath();
+
+                    if ("rmi".equals(pro) &&
+                        path.startsWith("/jndi/iiop:")) {
+                        MalformedURLException mfe = new MalformedURLException(
+                              "Protocol is rmi but JNDI scheme is iiop: " + jmxServiceURL);
+                        mfe.initCause(re);
+                        throw mfe;
+                    }
+                }
+                throw re;
+            }
 
             // Always use one of:
             //   ClassLoader provided in Map at connect time,
--- a/src/share/classes/javax/security/auth/Policy.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/Policy.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -237,7 +237,7 @@
                     } catch (Exception e) {
                         throw new SecurityException
                                 (sun.security.util.ResourcesMgr.getString
-                                ("unable to instantiate Subject-based policy"));
+                                ("unable.to.instantiate.Subject.based.policy"));
                     }
                 }
             }
--- a/src/share/classes/javax/security/auth/PrivateCredentialPermission.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/PrivateCredentialPermission.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -172,7 +172,7 @@
 
         if (!"read".equalsIgnoreCase(actions))
             throw new IllegalArgumentException
-                (ResourcesMgr.getString("actions can only be 'read'"));
+                (ResourcesMgr.getString("actions.can.only.be.read."));
         init(name);
     }
 
@@ -344,12 +344,11 @@
 
         if (tokenizer.hasMoreTokens() == false) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("permission name [name] syntax invalid: "));
+                ("permission.name.name.syntax.invalid."));
             Object[] source = {name};
             throw new IllegalArgumentException
                 (form.format(source) + ResourcesMgr.getString
-                        ("Credential Class not followed by a " +
-                        "Principal Class and Name"));
+                        ("Credential.Class.not.followed.by.a.Principal.Class.and.Name"));
         }
 
         while (tokenizer.hasMoreTokens()) {
@@ -364,11 +363,11 @@
 
             if (tokenizer.hasMoreTokens() == false) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                 Object[] source = {name};
                 throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                        ("Principal Class not followed by a Principal Name"));
+                        ("Principal.Class.not.followed.by.a.Principal.Name"));
             }
 
             // skip delimiter
@@ -379,11 +378,11 @@
 
             if (!principalName.startsWith("\"")) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                 Object[] source = {name};
                 throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                        ("Principal Name must be surrounded by quotes"));
+                        ("Principal.Name.must.be.surrounded.by.quotes"));
             }
 
             if (!principalName.endsWith("\"")) {
@@ -401,11 +400,11 @@
                 if (!principalName.endsWith("\"")) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                     Object[] source = {name};
                     throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                                ("Principal Name missing end quote"));
+                                ("Principal.Name.missing.end.quote"));
                 }
             }
 
@@ -418,9 +417,7 @@
             if (principalClass.equals("*") &&
                 !principalName.equals("*")) {
                     throw new IllegalArgumentException(ResourcesMgr.getString
-                        ("PrivateCredentialPermission Principal Class " +
-                        "can not be a wildcard (*) value if Principal Name " +
-                        "is not a wildcard (*) value"));
+                        ("PrivateCredentialPermission.Principal.Class.can.not.be.a.wildcard.value.if.Principal.Name.is.not.a.wildcard.value"));
             }
 
             if (testing)
@@ -556,8 +553,7 @@
 
         public String toString() {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("CredOwner:\n\tPrincipal Class = class\n\t" +
-                        "Principal Name = name"));
+                ("CredOwner.Principal.Class.class.Principal.Name.name"));
             Object[] source = {principalClass, principalName};
             return (form.format(source));
         }
--- a/src/share/classes/javax/security/auth/Subject.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/Subject.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -204,7 +204,7 @@
             pubCredentials == null ||
             privCredentials == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null input(s)"));
+                (ResourcesMgr.getString("invalid.null.input.s."));
 
         this.principals = Collections.synchronizedSet(new SecureSet<Principal>
                                 (this, PRINCIPAL_SET, principals));
@@ -289,7 +289,7 @@
 
         if (acc == null) {
             throw new NullPointerException(ResourcesMgr.getString
-                ("invalid null AccessControlContext provided"));
+                ("invalid.null.AccessControlContext.provided"));
         }
 
         // return the Subject from the DomainCombiner of the provided context
@@ -346,7 +346,7 @@
         }
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext
         // for doPrivileged
@@ -406,7 +406,7 @@
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext for doPrivileged
         final AccessControlContext currentAcc = AccessController.getContext();
@@ -460,7 +460,7 @@
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext
         // for doPrivileged
@@ -524,7 +524,7 @@
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext for doPrivileged
         final AccessControlContext callerAcc =
@@ -603,7 +603,7 @@
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -697,7 +697,7 @@
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -742,7 +742,7 @@
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -832,15 +832,15 @@
      */
     String toString(boolean includePrivateCredentials) {
 
-        String s = ResourcesMgr.getString("Subject:\n");
+        String s = ResourcesMgr.getString("Subject.");
         String suffix = "";
 
         synchronized(principals) {
             Iterator<Principal> pI = principals.iterator();
             while (pI.hasNext()) {
                 Principal p = pI.next();
-                suffix = suffix + ResourcesMgr.getString("\tPrincipal: ") +
-                        p.toString() + ResourcesMgr.getString("\n");
+                suffix = suffix + ResourcesMgr.getString(".Principal.") +
+                        p.toString() + ResourcesMgr.getString("NEWLINE");
             }
         }
 
@@ -849,8 +849,8 @@
             while (pI.hasNext()) {
                 Object o = pI.next();
                 suffix = suffix +
-                        ResourcesMgr.getString("\tPublic Credential: ") +
-                        o.toString() + ResourcesMgr.getString("\n");
+                        ResourcesMgr.getString(".Public.Credential.") +
+                        o.toString() + ResourcesMgr.getString("NEWLINE");
             }
         }
 
@@ -861,12 +861,12 @@
                     try {
                         Object o = pI.next();
                         suffix += ResourcesMgr.getString
-                                        ("\tPrivate Credential: ") +
+                                        (".Private.Credential.") +
                                         o.toString() +
-                                        ResourcesMgr.getString("\n");
+                                        ResourcesMgr.getString("NEWLINE");
                     } catch (SecurityException se) {
                         suffix += ResourcesMgr.getString
-                                ("\tPrivate Credential inaccessible\n");
+                                (".Private.Credential.inaccessible.");
                         break;
                     }
                 }
@@ -1036,7 +1036,7 @@
 
                     if (subject.isReadOnly()) {
                         throw new IllegalStateException(ResourcesMgr.getString
-                                ("Subject is read-only"));
+                                ("Subject.is.read.only"));
                     }
 
                     java.lang.SecurityManager sm = System.getSecurityManager();
@@ -1062,7 +1062,7 @@
 
             if (subject.isReadOnly()) {
                 throw new IllegalStateException
-                        (ResourcesMgr.getString("Subject is read-only"));
+                        (ResourcesMgr.getString("Subject.is.read.only"));
             }
 
             java.lang.SecurityManager sm = System.getSecurityManager();
@@ -1084,9 +1084,7 @@
             case Subject.PRINCIPAL_SET:
                 if (!(o instanceof Principal)) {
                     throw new SecurityException(ResourcesMgr.getString
-                        ("attempting to add an object which is not an " +
-                        "instance of java.security.Principal to a " +
-                        "Subject's Principal Set"));
+                        ("attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set"));
                 }
                 break;
             default:
@@ -1389,8 +1387,7 @@
 
             if (!o.getClass().isAssignableFrom(c)) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("attempting to add an object which is not an " +
-                        "instance of class"));
+                        ("attempting.to.add.an.object.which.is.not.an.instance.of.class"));
                 Object[] source = {c.toString()};
                 throw new SecurityException(form.format(source));
             }
--- a/src/share/classes/javax/security/auth/login/AppConfigurationEntry.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/login/AppConfigurationEntry.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -167,7 +167,7 @@
          */
         public String toString() {
             return (sun.security.util.ResourcesMgr.getString
-                ("LoginModuleControlFlag: ") + controlFlag);
+                ("LoginModuleControlFlag.") + controlFlag);
         }
     }
 }
--- a/src/share/classes/javax/security/auth/login/LoginContext.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/login/LoginContext.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -244,7 +244,7 @@
 
         if (name == null)
             throw new LoginException
-                (ResourcesMgr.getString("Invalid null input: name"));
+                (ResourcesMgr.getString("Invalid.null.input.name"));
 
         // get the Configuration
         if (config == null) {
@@ -268,7 +268,7 @@
             entries = config.getAppConfigurationEntry(OTHER);
             if (entries == null) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("No LoginModules configured for name"));
+                        ("No.LoginModules.configured.for.name"));
                 Object[] source = {name};
                 throw new LoginException(form.format(source));
             }
@@ -382,7 +382,7 @@
         init(name);
         if (subject == null)
             throw new LoginException
-                (ResourcesMgr.getString("invalid null Subject provided"));
+                (ResourcesMgr.getString("invalid.null.Subject.provided"));
         this.subject = subject;
         subjectProvided = true;
         loadDefaultCallbackHandler();
@@ -418,7 +418,7 @@
         init(name);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
-                                ("invalid null CallbackHandler provided"));
+                                ("invalid.null.CallbackHandler.provided"));
         this.callbackHandler = new SecureCallbackHandler
                                 (java.security.AccessController.getContext(),
                                 callbackHandler);
@@ -459,7 +459,7 @@
         this(name, subject);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
-                                ("invalid null CallbackHandler provided"));
+                                ("invalid.null.CallbackHandler.provided"));
         this.callbackHandler = new SecureCallbackHandler
                                 (java.security.AccessController.getContext(),
                                 callbackHandler);
@@ -633,7 +633,7 @@
     public void logout() throws LoginException {
         if (subject == null) {
             throw new LoginException(ResourcesMgr.getString
-                ("null subject - logout called before login"));
+                ("null.subject.logout.called.before.login"));
         }
 
         if (configProvided) {
@@ -811,21 +811,20 @@
 
             } catch (NoSuchMethodException nsme) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("unable to instantiate LoginModule, module, because " +
-                        "it does not provide a no-argument constructor"));
+                        ("unable.to.instantiate.LoginModule.module.because.it.does.not.provide.a.no.argument.constructor"));
                 Object[] source = {moduleStack[i].entry.getLoginModuleName()};
                 throwException(null, new LoginException(form.format(source)));
             } catch (InstantiationException ie) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to instantiate LoginModule: ") +
+                        ("unable.to.instantiate.LoginModule.") +
                         ie.getMessage()));
             } catch (ClassNotFoundException cnfe) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to find LoginModule class: ") +
+                        ("unable.to.find.LoginModule.class.") +
                         cnfe.getMessage()));
             } catch (IllegalAccessException iae) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to access LoginModule: ") +
+                        ("unable.to.access.LoginModule.") +
                         iae.getMessage()));
             } catch (InvocationTargetException ite) {
 
@@ -934,7 +933,7 @@
         } else if (success == false) {
             // no module succeeded -- all modules were IGNORED
             throwException(new LoginException
-                (ResourcesMgr.getString("Login Failure: all modules ignored")),
+                (ResourcesMgr.getString("Login.Failure.all.modules.ignored")),
                 null);
         } else {
             // success
--- a/src/share/classes/javax/security/auth/x500/X500Principal.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/security/auth/x500/X500Principal.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -155,12 +155,12 @@
         if (name == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null name"));
+                ("provided.null.name"));
         }
         if (keywordMap == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null keyword map"));
+                ("provided.null.keyword.map"));
         }
 
         try {
@@ -391,7 +391,7 @@
         if (oidMap == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null OID map"));
+                ("provided.null.OID.map"));
         }
         if (format != null) {
             if (format.equalsIgnoreCase(RFC1779)) {
--- a/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/sql/rowset/spi/SyncFactory.java	Fri Dec 03 11:30:28 2010 -0800
@@ -197,12 +197,6 @@
  */
 public class SyncFactory {
 
-    /*
-     * The variable that represents the singleton instance
-     * of the <code>SyncFactory</code> class.
-     */
-    private static SyncFactory syncFactory = null;
-
     /**
      * Creates a new <code>SyncFactory</code> object, which is the singleton
      * instance.
@@ -252,7 +246,7 @@
     /**
      * The <code>Logger</code> object to be used by the <code>SyncFactory</code>.
      */
-    private static Logger rsLogger;
+    private static volatile Logger rsLogger;
     /**
      *
      */
@@ -315,27 +309,12 @@
      * @return the <code>SyncFactory</code> instance
      */
     public static SyncFactory getSyncFactory() {
-
-        // This method uses the Singleton Design Pattern
-        // with Double-Checked Locking Pattern for
-        // 1. Creating single instance of the SyncFactory
-        // 2. Make the class thread safe, so that at one time
-        //    only one thread enters the synchronized block
-        //    to instantiate.
-
-        // if syncFactory object is already there
-        // don't go into synchronized block and return
-        // that object.
-        // else go into synchronized block
-
-        if (syncFactory == null) {
-            synchronized (SyncFactory.class) {
-                if (syncFactory == null) {
-                    syncFactory = new SyncFactory();
-                } //end if
-            } //end synchronized block
-        } //end if
-        return syncFactory;
+        /*
+         * Using Initialization on Demand Holder idiom as
+         * Effective Java 2nd Edition,ITEM 71, indicates it is more performant
+         * than the Double-Check Locking idiom.
+         */
+        return SyncFactoryHolder.factory;
     }
 
     /**
@@ -435,11 +414,7 @@
             }
         }
     }
-    /**
-     * The internal boolean switch that indicates whether a JNDI
-     * context has been established or not.
-     */
-    private static boolean jndiCtxEstablished = false;
+
     /**
      * The internal debug switch.
      */
@@ -621,6 +596,7 @@
      * @param logger A Logger object instance
      * @throws java.lang.SecurityException if a security manager exists and its
      *   {@code checkPermission} method denies calling {@code setLogger}
+     * @throws NullPointerException if the logger is null
      * @see SecurityManager#checkPermission
      */
     public static void setLogger(Logger logger) {
@@ -629,6 +605,10 @@
         if (sec != null) {
             sec.checkPermission(SET_SYNCFACTORY_PERMISSION);
         }
+
+        if(logger == null){
+            throw new NullPointerException("You must provide a Logger");
+        }
         rsLogger = logger;
     }
 
@@ -654,6 +634,7 @@
      *   {@code checkPermission} method denies calling {@code setLogger}
      * @throws java.util.logging.LoggingPermission if a security manager exists and its
      *   {@code checkPermission} method denies calling {@code setLevel}
+     * @throws NullPointerException if the logger is null
      * @see SecurityManager#checkPermission
      * @see LoggingPermission
      */
@@ -663,8 +644,12 @@
         if (sec != null) {
             sec.checkPermission(SET_SYNCFACTORY_PERMISSION);
         }
+
+        if(logger == null){
+            throw new NullPointerException("You must provide a Logger");
+        }
+        logger.setLevel(level);
         rsLogger = logger;
-        rsLogger.setLevel(level);
     }
 
     /**
@@ -674,11 +659,14 @@
      * @throws SyncFactoryException if no logging object has been set.
      */
     public static Logger getLogger() throws SyncFactoryException {
+
+        Logger result = rsLogger;
         // only one logger per session
-        if (rsLogger == null) {
+        if (result == null) {
             throw new SyncFactoryException("(SyncFactory) : No logger has been set");
         }
-        return rsLogger;
+
+        return result;
     }
 
     /**
@@ -699,7 +687,7 @@
      *  {@code checkPermission} method denies calling {@code setJNDIContext}
      * @see SecurityManager#checkPermission
      */
-    public static void setJNDIContext(javax.naming.Context ctx)
+    public static synchronized void setJNDIContext(javax.naming.Context ctx)
             throws SyncFactoryException {
         SecurityManager sec = System.getSecurityManager();
         if (sec != null) {
@@ -709,17 +697,16 @@
             throw new SyncFactoryException("Invalid JNDI context supplied");
         }
         ic = ctx;
-        jndiCtxEstablished = true;
     }
 
     /**
-     * Controls JNDI context intialization.
+     * Controls JNDI context initialization.
      *
      * @throws SyncFactoryException if an error occurs parsing the JNDI context
      */
-    private static void initJNDIContext() throws SyncFactoryException {
+    private static synchronized void initJNDIContext() throws SyncFactoryException {
 
-        if (jndiCtxEstablished && (ic != null) && (lazyJNDICtxRefresh == false)) {
+        if ((ic != null) && (lazyJNDICtxRefresh == false)) {
             try {
                 parseProperties(parseJNDIContext());
                 lazyJNDICtxRefresh = true; // touch JNDI namespace once.
@@ -793,6 +780,13 @@
             enumerateBindings(bindings, properties);
         }
     }
+
+    /**
+     * Lazy initialization Holder class used by {@code getSyncFactory}
+     */
+    private static class SyncFactoryHolder {
+        static final SyncFactory factory = new SyncFactory();
+    }
 }
 
 /**
--- a/src/share/classes/javax/swing/GroupLayout.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/swing/GroupLayout.java	Fri Dec 03 11:30:28 2010 -0800
@@ -653,6 +653,10 @@
      */
     public ParallelGroup createParallelGroup(Alignment alignment,
             boolean resizable){
+        if (alignment == null) {
+            throw new IllegalArgumentException("alignment must be non null");
+        }
+
         if (alignment == Alignment.BASELINE) {
             return new BaselineGroup(resizable);
         }
--- a/src/share/classes/javax/swing/JComponent.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/swing/JComponent.java	Fri Dec 03 11:30:28 2010 -0800
@@ -4734,6 +4734,8 @@
      * Notifies this component that it now has a parent component.
      * When this method is invoked, the chain of parent components is
      * set up with <code>KeyboardAction</code> event listeners.
+     * This method is called by the toolkit internally and should
+     * not be called directly by programs.
      *
      * @see #registerKeyboardAction
      */
@@ -4750,6 +4752,8 @@
      * Notifies this component that it no longer has a parent component.
      * When this method is invoked, any <code>KeyboardAction</code>s
      * set up in the the chain of parent components are removed.
+     * This method is called by the toolkit internally and should
+     * not be called directly by programs.
      *
      * @see #registerKeyboardAction
      */
--- a/src/share/classes/javax/swing/Popup.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/swing/Popup.java	Fri Dec 03 11:30:28 2010 -0800
@@ -156,7 +156,8 @@
 
             component.setLocation(ownerX, ownerY);
             component.getContentPane().add(contents, BorderLayout.CENTER);
-            contents.invalidate();
+            component.invalidate();
+            component.validate();
             if(component.isVisible()) {
                 // Do not call pack() if window is not visible to
                 // avoid early native peer creation
--- a/src/share/classes/javax/swing/text/DefaultHighlighter.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/javax/swing/text/DefaultHighlighter.java	Fri Dec 03 11:30:28 2010 -0800
@@ -113,6 +113,14 @@
      * @exception BadLocationException if the specified location is invalid
      */
     public Object addHighlight(int p0, int p1, Highlighter.HighlightPainter p) throws BadLocationException {
+        if (p0 < 0) {
+            throw new BadLocationException("Invalid start offset", p0);
+        }
+
+        if (p1 < p0) {
+            throw new BadLocationException("Invalid end offset", p1);
+        }
+
         Document doc = component.getDocument();
         HighlightInfo i = (getDrawsLayeredHighlights() &&
                            (p instanceof LayeredHighlighter.LayerPainter)) ?
@@ -217,6 +225,14 @@
      * @exception BadLocationException if the specified location is invalid
      */
     public void changeHighlight(Object tag, int p0, int p1) throws BadLocationException {
+        if (p0 < 0) {
+            throw new BadLocationException("Invalid beginning of the range", p0);
+        }
+
+        if (p1 < p0) {
+            throw new BadLocationException("Invalid end of the range", p1);
+        }
+
         Document doc = component.getDocument();
         if (tag instanceof LayeredHighlightInfo) {
             LayeredHighlightInfo lhi = (LayeredHighlightInfo)tag;
--- a/src/share/classes/sun/nio/ch/FileChannelImpl.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/nio/ch/FileChannelImpl.java	Fri Dec 03 11:30:28 2010 -0800
@@ -460,6 +460,16 @@
                 } finally {
                     unmap(dbb);
                 }
+            } catch (ClosedByInterruptException e) {
+                // target closed by interrupt as ClosedByInterruptException needs
+                // to be thrown after closing this channel.
+                assert !target.isOpen();
+                try {
+                    close();
+                } catch (IOException ignore) {
+                    // nothing we can do
+                }
+                throw e;
             } catch (IOException ioe) {
                 // Only throw exception if no bytes have been written
                 if (remaining == count)
--- a/src/share/classes/sun/nio/ch/Interruptible.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/nio/ch/Interruptible.java	Fri Dec 03 11:30:28 2010 -0800
@@ -23,14 +23,14 @@
  * questions.
  */
 
-/*
+/**
+ * An object that interrupts a thread blocked in an I/O operation.
  */
 
 package sun.nio.ch;
 
-
 public interface Interruptible {
 
-    public void interrupt();
+    public void interrupt(Thread t);
 
 }
--- a/src/share/classes/sun/security/krb5/Config.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/Config.java	Fri Dec 03 11:30:28 2010 -0800
@@ -111,7 +111,7 @@
     public static synchronized void refresh() throws KrbException {
         singleton = new Config();
         KeyTab.refresh();
-        KrbKdcReq.initStatic();
+        KdcComm.initStatic();
     }
 
 
--- a/src/share/classes/sun/security/krb5/Credentials.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/Credentials.java	Fri Dec 03 11:30:28 2010 -0800
@@ -348,94 +348,6 @@
     }
 
     /**
-     * Returns a TGT for the given client principal via an AS-Exchange.
-     * This method causes pre-authentication data to be sent in the
-     * AS-REQ.
-     *
-     * @param princ the client principal. This value cannot be null.
-     * @param secretKey the secret key of the client principal.This value
-     * cannot be null.
-     * @returns the TGT credentials
-     */
-    public static Credentials acquireTGT(PrincipalName princ,
-                                         EncryptionKey[] secretKeys,
-                                         char[] password)
-        throws KrbException, IOException {
-
-        if (princ == null)
-            throw new IllegalArgumentException(
-                        "Cannot have null principal to do AS-Exchange");
-
-        if (secretKeys == null)
-            throw new IllegalArgumentException(
-                        "Cannot have null secretKey to do AS-Exchange");
-
-        KrbAsRep asRep = null;
-        try {
-            asRep = sendASRequest(princ, secretKeys, null);
-        } catch (KrbException ke) {
-            if ((ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) ||
-                (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
-                // process pre-auth info
-                if (DEBUG) {
-                    System.out.println("AcquireTGT: PREAUTH FAILED/REQUIRED," +
-                                " re-send AS-REQ");
-                }
-
-                KRBError error = ke.getError();
-                // update salt in PrincipalName
-                String newSalt = error.getSalt();
-                if (newSalt != null && newSalt.length() > 0) {
-                    princ.setSalt(newSalt);
-                }
-
-                // refresh keys
-                if (password != null) {
-                    secretKeys = EncryptionKey.acquireSecretKeys(password,
-                                princ.getSalt(), true,
-                                error.getEType(), error.getParams());
-                }
-                asRep = sendASRequest(princ, secretKeys, ke.getError());
-            } else {
-                throw ke;
-            }
-        }
-        return asRep.getCreds();
-    }
-
-    /**
-     * Sends the AS-REQ
-     */
-    private static KrbAsRep sendASRequest(PrincipalName princ,
-        EncryptionKey[] secretKeys, KRBError error)
-        throws KrbException, IOException {
-
-        // %%%
-        KrbAsReq asReq = null;
-        if (error == null) {
-            asReq = new KrbAsReq(princ, secretKeys);
-        } else {
-            asReq = new KrbAsReq(princ, secretKeys, true,
-                        error.getEType(), error.getSalt(), error.getParams());
-        }
-
-        String kdc = null;
-        KrbAsRep asRep  = null;
-        try {
-            kdc = asReq.send();
-            asRep =  asReq.getReply(secretKeys);
-        } catch (KrbException ke) {
-                if (ke.returnCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
-                    asReq.send(princ.getRealmString(), kdc, true);
-                    asRep =  asReq.getReply(secretKeys);
-                } else {
-                    throw ke;
-                }
-        }
-        return asRep;
-    }
-
-    /**
      * Acquires default credentials.
      * <br>The possible locations for default credentials cache is searched in
      * the following order:
@@ -529,29 +441,6 @@
         return CredentialsUtil.acquireServiceCreds(service, ccreds);
     }
 
-
-    /*
-     * This method does the real job to request the service credential.
-     */
-
-    private static Credentials serviceCreds(ServiceName service,
-                                            Credentials ccreds)
-        throws KrbException, IOException {
-        return new KrbTgsReq(
-                new KDCOptions(),
-                ccreds,
-                service,
-                null, // KerberosTime from
-                null, // KerberosTime till
-                null, // KerberosTime rtime
-                null, // int[] eTypes
-                null, // HostAddresses addresses
-                null, // AuthorizationData
-                null, // Ticket[] additionalTickets
-                null  // EncryptionKey subSessionKey
-                ).sendAndGetCreds();
-    }
-
     public CredentialsCache getCache() {
         return cache;
     }
--- a/src/share/classes/sun/security/krb5/EncryptionKey.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/EncryptionKey.java	Fri Dec 03 11:30:28 2010 -0800
@@ -157,6 +157,22 @@
     }
 
     /**
+     * Obtains a key for a given etype with salt and optional s2kparams
+     * @param password NOT null
+     * @param salt NOT null
+     * @param etype
+     * @param s2kparams can be NULL
+     */
+    public static EncryptionKey acquireSecretKey(char[] password,
+            String salt, int etype, byte[] s2kparams)
+            throws KrbException {
+
+        return new EncryptionKey(
+                        stringToKey(password, salt, s2kparams, etype),
+                        etype, null);
+    }
+
+    /**
      * Generate a list of keys using the given principal and password.
      * Construct a key for each configured etype.
      * Caller is responsible for clearing password.
@@ -169,19 +185,8 @@
      * as the default in that case. If default_tkt_enctypes was set in
      * the libdefaults of krb5.conf, then use that sequence.
      */
-         // Used in Krb5LoginModule
     public static EncryptionKey[] acquireSecretKeys(char[] password,
-        String salt) throws KrbException {
-        return (acquireSecretKeys(password, salt, false, 0, null));
-    }
-
-    /**
-     * Generates a list of keys using the given principal, password,
-     * and the pre-authentication values.
-     */
-    public static EncryptionKey[] acquireSecretKeys(char[] password,
-        String salt, boolean pa_exists, int pa_etype, byte[] pa_s2kparams)
-        throws KrbException {
+            String salt) throws KrbException {
 
         int[] etypes = EType.getDefaults("default_tkt_enctypes");
         if (etypes == null) {
@@ -191,10 +196,8 @@
         EncryptionKey[] encKeys = new EncryptionKey[etypes.length];
         for (int i = 0; i < etypes.length; i++) {
             if (EType.isSupported(etypes[i])) {
-                byte[] s2kparams = (pa_exists && etypes[i] == pa_etype)
-                        ? pa_s2kparams : null;
                 encKeys[i] = new EncryptionKey(
-                        stringToKey(password, salt, s2kparams, etypes[i]),
+                        stringToKey(password, salt, null, etypes[i]),
                         etypes[i], null);
             } else {
                 if (DEBUG) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/krb5/KdcComm.java	Fri Dec 03 11:30:28 2010 -0800
@@ -0,0 +1,516 @@
+/*
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ *
+ *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
+ *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
+ */
+
+package sun.security.krb5;
+
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.Locale;
+import sun.security.krb5.internal.Krb5;
+import sun.security.krb5.internal.NetClient;
+import java.io.IOException;
+import java.net.SocketTimeoutException;
+import java.util.StringTokenizer;
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+import java.security.PrivilegedActionException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.HashSet;
+import sun.security.krb5.internal.KRBError;
+
+/**
+ * KDC-REQ/KDC-REP communication. No more base class for KrbAsReq and
+ * KrbTgsReq. This class is now communication only.
+ */
+public final class KdcComm {
+
+    // The following settings can be configured in [libdefaults]
+    // section of krb5.conf, which are global for all realms. Each of
+    // them can also be defined in a realm, which overrides value here.
+
+    /**
+     * max retry time for a single KDC, default Krb5.KDC_RETRY_LIMIT (3)
+     */
+    private static int defaultKdcRetryLimit;
+    /**
+     * timeout requesting a ticket from KDC, in millisec, default 30 sec
+     */
+    private static int defaultKdcTimeout;
+    /**
+     * max UDP packet size, default unlimited (-1)
+     */
+    private static int defaultUdpPrefLimit;
+
+    private static final boolean DEBUG = Krb5.DEBUG;
+
+    private static final String BAD_POLICY_KEY = "krb5.kdc.bad.policy";
+
+    /**
+     * What to do when a KDC is unavailable, specified in the
+     * java.security file with key krb5.kdc.bad.policy.
+     * Possible values can be TRY_LAST or TRY_LESS. Reloaded when refreshed.
+     */
+    private enum BpType {
+        NONE, TRY_LAST, TRY_LESS
+    }
+    private static int tryLessMaxRetries = 1;
+    private static int tryLessTimeout = 5000;
+
+    private static BpType badPolicy;
+
+    static {
+        initStatic();
+    }
+
+    /**
+     * Read global settings
+     */
+    public static void initStatic() {
+        String value = AccessController.doPrivileged(
+        new PrivilegedAction<String>() {
+            public String run() {
+                return Security.getProperty(BAD_POLICY_KEY);
+            }
+        });
+        if (value != null) {
+            value = value.toLowerCase(Locale.ENGLISH);
+            String[] ss = value.split(":");
+            if ("tryless".equals(ss[0])) {
+                if (ss.length > 1) {
+                    String[] params = ss[1].split(",");
+                    try {
+                        int tmp0 = Integer.parseInt(params[0]);
+                        if (params.length > 1) {
+                            tryLessTimeout = Integer.parseInt(params[1]);
+                        }
+                        // Assign here in case of exception at params[1]
+                        tryLessMaxRetries = tmp0;
+                    } catch (NumberFormatException nfe) {
+                        // Ignored. Please note that tryLess is recognized and
+                        // used, parameters using default values
+                        if (DEBUG) {
+                            System.out.println("Invalid " + BAD_POLICY_KEY +
+                                    " parameter for tryLess: " +
+                                    value + ", use default");
+                        }
+                    }
+                }
+                badPolicy = BpType.TRY_LESS;
+            } else if ("trylast".equals(ss[0])) {
+                badPolicy = BpType.TRY_LAST;
+            } else {
+                badPolicy = BpType.NONE;
+            }
+        } else {
+            badPolicy = BpType.NONE;
+        }
+
+
+        int timeout = -1;
+        int max_retries = -1;
+        int udf_pref_limit = -1;
+
+        try {
+            Config cfg = Config.getInstance();
+            String temp = cfg.getDefault("kdc_timeout", "libdefaults");
+            timeout = parsePositiveIntString(temp);
+            temp = cfg.getDefault("max_retries", "libdefaults");
+            max_retries = parsePositiveIntString(temp);
+            temp = cfg.getDefault("udp_preference_limit", "libdefaults");
+            udf_pref_limit = parsePositiveIntString(temp);
+        } catch (Exception exc) {
+           // ignore any exceptions; use default values
+           if (DEBUG) {
+                System.out.println ("Exception in getting KDC communication " +
+                                    "settings, using default value " +
+                                    exc.getMessage());
+           }
+        }
+        defaultKdcTimeout = timeout > 0 ? timeout : 30*1000; // 30 seconds
+        defaultKdcRetryLimit =
+                max_retries > 0 ? max_retries : Krb5.KDC_RETRY_LIMIT;
+        defaultUdpPrefLimit = udf_pref_limit;
+
+        KdcAccessibility.reset();
+    }
+
+    /**
+     * The instance fields
+     */
+    private String realm;
+
+    public KdcComm(String realm) throws KrbException {
+        if (realm == null) {
+           realm = Config.getInstance().getDefaultRealm();
+            if (realm == null) {
+                throw new KrbException(Krb5.KRB_ERR_GENERIC,
+                                       "Cannot find default realm");
+            }
+        }
+        this.realm = realm;
+    }
+
+    public byte[] send(byte[] obuf)
+        throws IOException, KrbException {
+        int udpPrefLimit = getRealmSpecificValue(
+                realm, "udp_preference_limit", defaultUdpPrefLimit);
+
+        boolean useTCP = (udpPrefLimit > 0 &&
+             (obuf != null && obuf.length > udpPrefLimit));
+
+        return send(obuf, useTCP);
+    }
+
+    private byte[] send(byte[] obuf, boolean useTCP)
+        throws IOException, KrbException {
+
+        if (obuf == null)
+            return null;
+        Exception savedException = null;
+        Config cfg = Config.getInstance();
+
+        if (realm == null) {
+            realm = cfg.getDefaultRealm();
+            if (realm == null) {
+                throw new KrbException(Krb5.KRB_ERR_GENERIC,
+                                       "Cannot find default realm");
+            }
+        }
+
+        String kdcList = cfg.getKDCList(realm);
+        if (kdcList == null) {
+            throw new KrbException("Cannot get kdc for realm " + realm);
+        }
+        String tempKdc = null; // may include the port number also
+        byte[] ibuf = null;
+        for (String tmp: KdcAccessibility.list(kdcList)) {
+            tempKdc = tmp;
+            try {
+                ibuf = send(obuf,tempKdc,useTCP);
+                KRBError ke = null;
+                try {
+                    ke = new KRBError(ibuf);
+                } catch (Exception e) {
+                    // OK
+                }
+                if (ke != null && ke.getErrorCode() ==
+                        Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
+                    ibuf = send(obuf, tempKdc, true);
+                }
+                KdcAccessibility.removeBad(tempKdc);
+                break;
+            } catch (Exception e) {
+                if (DEBUG) {
+                    System.out.println(">>> KrbKdcReq send: error trying " +
+                            tempKdc);
+                    e.printStackTrace(System.out);
+                }
+                KdcAccessibility.addBad(tempKdc);
+                savedException = e;
+            }
+        }
+        if (ibuf == null && savedException != null) {
+            if (savedException instanceof IOException) {
+                throw (IOException) savedException;
+            } else {
+                throw (KrbException) savedException;
+            }
+        }
+        return ibuf;
+    }
+
+    // send the AS Request to the specified KDC
+
+    private byte[] send(byte[] obuf, String tempKdc, boolean useTCP)
+        throws IOException, KrbException {
+
+        if (obuf == null)
+            return null;
+
+        int port = Krb5.KDC_INET_DEFAULT_PORT;
+        int retries = getRealmSpecificValue(
+                realm, "max_retries", defaultKdcRetryLimit);
+        int timeout = getRealmSpecificValue(
+                realm, "kdc_timeout", defaultKdcTimeout);
+        if (badPolicy == BpType.TRY_LESS &&
+                KdcAccessibility.isBad(tempKdc)) {
+            if (retries > tryLessMaxRetries) {
+                retries = tryLessMaxRetries; // less retries
+            }
+            if (timeout > tryLessTimeout) {
+                timeout = tryLessTimeout; // less time
+            }
+        }
+
+        String kdc = null;
+        String portStr = null;
+
+        if (tempKdc.charAt(0) == '[') {     // Explicit IPv6 in []
+            int pos = tempKdc.indexOf(']', 1);
+            if (pos == -1) {
+                throw new IOException("Illegal KDC: " + tempKdc);
+            }
+            kdc = tempKdc.substring(1, pos);
+            if (pos != tempKdc.length() - 1) {  // with port number
+                if (tempKdc.charAt(pos+1) != ':') {
+                    throw new IOException("Illegal KDC: " + tempKdc);
+                }
+                portStr = tempKdc.substring(pos+2);
+            }
+        } else {
+            int colon = tempKdc.indexOf(':');
+            if (colon == -1) {      // Hostname or IPv4 host only
+                kdc = tempKdc;
+            } else {
+                int nextColon = tempKdc.indexOf(':', colon+1);
+                if (nextColon > 0) {    // >=2 ":", IPv6 with no port
+                    kdc = tempKdc;
+                } else {                // 1 ":", hostname or IPv4 with port
+                    kdc = tempKdc.substring(0, colon);
+                    portStr = tempKdc.substring(colon+1);
+                }
+            }
+        }
+        if (portStr != null) {
+            int tempPort = parsePositiveIntString(portStr);
+            if (tempPort > 0)
+                port = tempPort;
+        }
+
+        if (DEBUG) {
+            System.out.println(">>> KrbKdcReq send: kdc=" + kdc
+                               + (useTCP ? " TCP:":" UDP:")
+                               +  port +  ", timeout="
+                               + timeout
+                               + ", number of retries ="
+                               + retries
+                               + ", #bytes=" + obuf.length);
+        }
+
+        KdcCommunication kdcCommunication =
+            new KdcCommunication(kdc, port, useTCP, timeout, retries, obuf);
+        try {
+            byte[] ibuf = AccessController.doPrivileged(kdcCommunication);
+            if (DEBUG) {
+                System.out.println(">>> KrbKdcReq send: #bytes read="
+                        + (ibuf != null ? ibuf.length : 0));
+            }
+            return ibuf;
+        } catch (PrivilegedActionException e) {
+            Exception wrappedException = e.getException();
+            if (wrappedException instanceof IOException) {
+                throw (IOException) wrappedException;
+            } else {
+                throw (KrbException) wrappedException;
+            }
+        }
+    }
+
+    private static class KdcCommunication
+        implements PrivilegedExceptionAction<byte[]> {
+
+        private String kdc;
+        private int port;
+        private boolean useTCP;
+        private int timeout;
+        private int retries;
+        private byte[] obuf;
+
+        public KdcCommunication(String kdc, int port, boolean useTCP,
+                                int timeout, int retries, byte[] obuf) {
+            this.kdc = kdc;
+            this.port = port;
+            this.useTCP = useTCP;
+            this.timeout = timeout;
+            this.retries = retries;
+            this.obuf = obuf;
+        }
+
+        // The caller only casts IOException and KrbException so don't
+        // add any new ones!
+
+        public byte[] run() throws IOException, KrbException {
+
+            byte[] ibuf = null;
+
+            for (int i=1; i <= retries; i++) {
+                String proto = useTCP?"TCP":"UDP";
+                NetClient kdcClient = NetClient.getInstance(
+                        proto, kdc, port, timeout);
+                if (DEBUG) {
+                    System.out.println(">>> KDCCommunication: kdc=" + kdc
+                           + " " + proto + ":"
+                           +  port +  ", timeout="
+                           + timeout
+                           + ",Attempt =" + i
+                           + ", #bytes=" + obuf.length);
+                }
+                try {
+                    /*
+                     * Send the data to the kdc.
+                     */
+                    kdcClient.send(obuf);
+                    /*
+                     * And get a response.
+                     */
+                    ibuf = kdcClient.receive();
+                    break;
+                } catch (SocketTimeoutException se) {
+                    if (DEBUG) {
+                        System.out.println ("SocketTimeOutException with " +
+                                            "attempt: " + i);
+                    }
+                    if (i == retries) {
+                        ibuf = null;
+                        throw se;
+                    }
+                } finally {
+                    kdcClient.close();
+                }
+            }
+            return ibuf;
+        }
+    }
+
+    /**
+     * Returns krb5.conf setting of {@code key} for a specfic realm,
+     * which can be:
+     * 1. defined in the sub-stanza for the given realm inside [realms], or
+     * 2. defined in [libdefaults], or
+     * 3. defValue
+     * @param realm the given realm in which the setting is requested. Returns
+     * the global setting if null
+     * @param key the key for the setting
+     * @param defValue default value
+     * @return a value for the key
+     */
+    private int getRealmSpecificValue(String realm, String key, int defValue) {
+        int v = defValue;
+
+        if (realm == null) return v;
+
+        int temp = -1;
+        try {
+            String value =
+               Config.getInstance().getDefault(key, realm);
+            temp = parsePositiveIntString(value);
+        } catch (Exception exc) {
+            // Ignored, defValue will be picked up
+        }
+
+        if (temp > 0) v = temp;
+
+        return v;
+    }
+
+    private static int parsePositiveIntString(String intString) {
+        if (intString == null)
+            return -1;
+
+        int ret = -1;
+
+        try {
+            ret = Integer.parseInt(intString);
+        } catch (Exception exc) {
+            return -1;
+        }
+
+        if (ret >= 0)
+            return ret;
+
+        return -1;
+    }
+
+    /**
+     * Maintains a KDC accessible list. Unavailable KDCs are put into a
+     * blacklist, when a KDC in the blacklist is available, it's removed
+     * from there. No insertion order in the blacklist.
+     *
+     * There are two methods to deal with KDCs in the blacklist. 1. Only try
+     * them when there's no KDC not on the blacklist. 2. Still try them, but
+     * with lesser number of retries and smaller timeout value.
+     */
+    static class KdcAccessibility {
+        // Known bad KDCs
+        private static Set<String> bads = new HashSet<String>();
+
+        private static synchronized void addBad(String kdc) {
+            if (DEBUG) {
+                System.out.println(">>> KdcAccessibility: add " + kdc);
+            }
+            bads.add(kdc);
+        }
+
+        private static synchronized void removeBad(String kdc) {
+            if (DEBUG) {
+                System.out.println(">>> KdcAccessibility: remove " + kdc);
+            }
+            bads.remove(kdc);
+        }
+
+        private static synchronized boolean isBad(String kdc) {
+            return bads.contains(kdc);
+        }
+
+        private static synchronized void reset() {
+            if (DEBUG) {
+                System.out.println(">>> KdcAccessibility: reset");
+            }
+            bads.clear();
+        }
+
+        // Returns a preferred KDC list by putting the bad ones at the end
+        private static synchronized String[] list(String kdcList) {
+            StringTokenizer st = new StringTokenizer(kdcList);
+            List<String> list = new ArrayList<String>();
+            if (badPolicy == BpType.TRY_LAST) {
+                List<String> badkdcs = new ArrayList<String>();
+                while (st.hasMoreTokens()) {
+                    String t = st.nextToken();
+                    if (bads.contains(t)) badkdcs.add(t);
+                    else list.add(t);
+                }
+                // Bad KDCs are put at last
+                list.addAll(badkdcs);
+            } else {
+                // All KDCs are returned in their original order,
+                // This include TRY_LESS and NONE
+                while (st.hasMoreTokens()) {
+                    list.add(st.nextToken());
+                }
+            }
+            return list.toArray(new String[list.size()]);
+        }
+    }
+}
+
--- a/src/share/classes/sun/security/krb5/KrbAsRep.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/KrbAsRep.java	Fri Dec 03 11:30:28 2010 -0800
@@ -36,25 +36,24 @@
 import sun.security.krb5.internal.crypto.EType;
 import sun.security.util.*;
 import java.io.IOException;
+import java.util.Objects;
 
 /**
  * This class encapsulates a AS-REP message that the KDC sends to the
  * client.
  */
-public class KrbAsRep extends KrbKdcRep {
+class KrbAsRep extends KrbKdcRep {
 
-    private ASRep rep;
-    private Credentials creds;
+    private ASRep rep;  // The AS-REP message
+    private Credentials creds;  // The Credentials provide by the AS-REP
+                                // message, created by initiator after calling
+                                // the decrypt() method
 
     private boolean DEBUG = Krb5.DEBUG;
 
-    KrbAsRep(byte[] ibuf, EncryptionKey[] keys, KrbAsReq asReq) throws
-    KrbException, Asn1Exception, IOException {
-        if (keys == null)
-            throw new KrbException(Krb5.API_INVALID_ARG);
+    KrbAsRep(byte[] ibuf) throws
+            KrbException, Asn1Exception, IOException {
         DerValue encoding = new DerValue(ibuf);
-        ASReq req = asReq.getMessage();
-        ASRep rep = null;
         try {
             rep = new ASRep(encoding);
         } catch (Asn1Exception e) {
@@ -83,25 +82,77 @@
             ke.initCause(e);
             throw ke;
         }
+    }
 
+    // KrbAsReqBuilder need to read back the PA for key generation
+    PAData[] getPA() {
+        return rep.pAData;
+    }
+
+    /**
+     * Called by KrbAsReqBuilder to resolve a AS-REP message using keys.
+     * @param keys user provided keys, not null
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     */
+    void decryptUsingKeys(EncryptionKey[] keys, KrbAsReq asReq)
+            throws KrbException, Asn1Exception, IOException {
+        EncryptionKey dkey = null;
         int encPartKeyType = rep.encPart.getEType();
-        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
-
+        Integer encPartKvno = rep.encPart.kvno;
+        try {
+            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno, keys);
+        } catch (KrbException ke) {
+            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
+                // Fallback to no kvno. In some cases, keytab is generated
+                // not by sysadmin but Java's ktab command
+                dkey = EncryptionKey.findKey(encPartKeyType, keys);
+            }
+        }
         if (dkey == null) {
             throw new KrbException(Krb5.API_INVALID_ARG,
-                "Cannot find key of appropriate type to decrypt AS REP - " +
-                EType.toString(encPartKeyType));
+                "Cannot find key for type/kvno to decrypt AS REP - " +
+                EType.toString(encPartKeyType) + "/" + encPartKvno);
         }
+        decrypt(dkey, asReq);
+    }
 
+    /**
+     * Called by KrbAsReqBuilder to resolve a AS-REP message using a password.
+     * @param password user provided password. not null
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     * @param cname the user principal name, used to provide salt
+     */
+    void decryptUsingPassword(char[] password,
+            KrbAsReq asReq, PrincipalName cname)
+            throws KrbException, Asn1Exception, IOException {
+        int encPartKeyType = rep.encPart.getEType();
+        PAData.SaltAndParams snp =
+                PAData.getSaltAndParams(encPartKeyType, rep.pAData);
+        EncryptionKey dkey = null;
+        dkey = EncryptionKey.acquireSecretKey(password,
+                snp.salt == null ? cname.getSalt() : snp.salt,
+                encPartKeyType,
+                snp.params);
+        decrypt(dkey, asReq);
+    }
+
+    /**
+     * Decrypts encrypted content inside AS-REP. Called by initiator.
+     * @param dkey the decryption key to use
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     */
+    private void decrypt(EncryptionKey dkey, KrbAsReq asReq)
+            throws KrbException, Asn1Exception, IOException {
         byte[] enc_as_rep_bytes = rep.encPart.decrypt(dkey,
             KeyUsage.KU_ENC_AS_REP_PART);
         byte[] enc_as_rep_part = rep.encPart.reset(enc_as_rep_bytes);
 
-        encoding = new DerValue(enc_as_rep_part);
+        DerValue encoding = new DerValue(enc_as_rep_part);
         EncASRepPart enc_part = new EncASRepPart(encoding);
         rep.ticket.sname.setRealm(rep.ticket.realm);
         rep.encKDCRepPart = enc_part;
 
+        ASReq req = asReq.getMessage();
         check(req, rep);
 
         creds = new Credentials(
@@ -119,17 +170,13 @@
             System.out.println(">>> KrbAsRep cons in KrbAsReq.getReply " +
                                req.reqBody.cname.getNameString());
         }
-
-        this.rep = rep;
-        this.creds = creds;
     }
 
-    public Credentials getCreds() {
-        return creds;
+    Credentials getCreds() {
+        return Objects.nonNull(creds, "Creds not available yet.");
     }
 
-    // made public for Kinit
-    public sun.security.krb5.internal.ccache.Credentials setCredentials() {
+    sun.security.krb5.internal.ccache.Credentials getCCreds() {
         return new sun.security.krb5.internal.ccache.Credentials(rep);
     }
 }
--- a/src/share/classes/sun/security/krb5/KrbAsReq.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/KrbAsReq.java	Fri Dec 03 11:30:28 2010 -0800
@@ -32,290 +32,38 @@
 package sun.security.krb5;
 
 import sun.security.krb5.internal.*;
-import sun.security.krb5.internal.crypto.EType;
 import sun.security.krb5.internal.crypto.Nonce;
 import sun.security.krb5.internal.crypto.KeyUsage;
-import sun.security.util.*;
 import java.io.IOException;
-import java.io.ByteArrayInputStream;
-import java.net.UnknownHostException;
-import java.util.StringTokenizer;
 
 /**
  * This class encapsulates the KRB-AS-REQ message that the client
  * sends to the KDC.
  */
-public class KrbAsReq extends KrbKdcReq {
-    private PrincipalName princName;
+public class KrbAsReq {
     private ASReq asReqMessg;
 
     private boolean DEBUG = Krb5.DEBUG;
-    private static KDCOptions defaultKDCOptions = new KDCOptions();
-
-    // pre-auth info
-    private boolean PA_ENC_TIMESTAMP_REQUIRED = false;
-    private boolean pa_exists = false;
-    private int pa_etype = 0;
-    private String pa_salt = null;
-    private byte[] pa_s2kparams = null;
-
-    // default is address-less tickets
-    private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true;
 
     /**
-     * Creates a KRB-AS-REQ to send to the default KDC
-     * @throws KrbException
-     * @throws IOException
+     * Constructs an AS-REQ message.
      */
-     // Called by Credentials
-    KrbAsReq(PrincipalName principal, EncryptionKey[] keys)
-        throws KrbException, IOException {
-        this(keys, // for pre-authentication
-             false, 0, null, null, // pre-auth values
-             defaultKDCOptions,
-             principal,
-             null, // PrincipalName sname
-             null, // KerberosTime from
-             null, // KerberosTime till
-             null, // KerberosTime rtime
-             null, // int[] eTypes
-             null, // HostAddresses addresses
-             null); // Ticket[] additionalTickets
-    }
+                                                // Can be null? has default?
+    public KrbAsReq(EncryptionKey pakey,        // ok
+                      KDCOptions options,       // ok, new KDCOptions()
+                      PrincipalName cname,      // NO and must have realm
+                      PrincipalName sname,      // ok, krgtgt@CREALM
+                      KerberosTime from,        // ok
+                      KerberosTime till,        // ok, will use
+                      KerberosTime rtime,       // ok
+                      int[] eTypes,             // NO
+                      HostAddresses addresses   // ok
+                      )
+            throws KrbException, IOException {
 
-    /**
-     * Creates a KRB-AS-REQ to send to the default KDC
-     * with pre-authentication values
-     */
-    KrbAsReq(PrincipalName principal, EncryptionKey[] keys,
-        boolean pa_exists, int etype, String salt, byte[] s2kparams)
-        throws KrbException, IOException {
-        this(keys, // for pre-authentication
-             pa_exists, etype, salt, s2kparams, // pre-auth values
-             defaultKDCOptions,
-             principal,
-             null, // PrincipalName sname
-             null, // KerberosTime from
-             null, // KerberosTime till
-             null, // KerberosTime rtime
-             null, // int[] eTypes
-             null, // HostAddresses addresses
-             null); // Ticket[] additionalTickets
-    }
-
-     private static int[] getETypesFromKeys(EncryptionKey[] keys) {
-         int[] types = new int[keys.length];
-         for (int i = 0; i < keys.length; i++) {
-             types[i] = keys[i].getEType();
-         }
-         return types;
-     }
-
-    // update with pre-auth info
-    public void updatePA(int etype, String salt, byte[] params, PrincipalName name) {
-        // set the pre-auth values
-        pa_exists = true;
-        pa_etype = etype;
-        pa_salt = salt;
-        pa_s2kparams = params;
-
-        // update salt in PrincipalName
-        if (salt != null && salt.length() > 0) {
-            name.setSalt(salt);
-            if (DEBUG) {
-                System.out.println("Updated salt from pre-auth = " + name.getSalt());
-            }
+        if (options == null) {
+            options = new KDCOptions();
         }
-        PA_ENC_TIMESTAMP_REQUIRED = true;
-    }
-
-     // Used by Kinit
-    public KrbAsReq(
-                    char[] password,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        this(password,
-             false, 0, null, null, // pre-auth values
-             options,
-             cname,
-             sname, // PrincipalName sname
-             from,  // KerberosTime from
-             till,  // KerberosTime till
-             rtime, // KerberosTime rtime
-             eTypes, // int[] eTypes
-             addresses, // HostAddresses addresses
-             additionalTickets); // Ticket[] additionalTickets
-    }
-
-     // Used by Kinit
-    public KrbAsReq(
-                    char[] password,
-                    boolean pa_exists,
-                    int etype,
-                    String salt,
-                    byte[] s2kparams,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-
-        EncryptionKey[] keys = null;
-
-        // update with preauth info
-        if (pa_exists) {
-            updatePA(etype, salt, s2kparams, cname);
-        }
-
-        if (password != null) {
-            keys = EncryptionKey.acquireSecretKeys(password, cname.getSalt(), pa_exists,
-                                                        pa_etype, pa_s2kparams);
-        }
-        if (DEBUG) {
-            System.out.println(">>>KrbAsReq salt is " + cname.getSalt());
-        }
-
-        try {
-            init(
-                 keys,
-                 options,
-                 cname,
-                 sname,
-                 from,
-                 till,
-                 rtime,
-                 eTypes,
-                 addresses,
-                 additionalTickets);
-        }
-        finally {
-            /*
-             * Its ok to destroy the key here because we created it and are
-             * now done with it.
-             */
-             if (keys != null) {
-                 for (int i = 0; i < keys.length; i++) {
-                     keys[i].destroy();
-                 }
-             }
-        }
-    }
-
-     // Used in Kinit
-    public KrbAsReq(
-                    EncryptionKey[] keys,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        this(keys,
-             false, 0, null, null, // pre-auth values
-             options,
-             cname,
-             sname, // PrincipalName sname
-             from,  // KerberosTime from
-             till,  // KerberosTime till
-             rtime, // KerberosTime rtime
-             eTypes, // int[] eTypes
-             addresses, // HostAddresses addresses
-             additionalTickets); // Ticket[] additionalTickets
-    }
-
-    // Used by Kinit
-    public KrbAsReq(
-                    EncryptionKey[] keys,
-                    boolean pa_exists,
-                    int etype,
-                    String salt,
-                    byte[] s2kparams,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-
-        // update with preauth info
-        if (pa_exists) {
-            // update pre-auth info
-            updatePA(etype, salt, s2kparams, cname);
-
-            if (DEBUG) {
-                System.out.println(">>>KrbAsReq salt is " + cname.getSalt());
-            }
-        }
-
-        init(
-             keys,
-             options,
-             cname,
-             sname,
-             from,
-             till,
-             rtime,
-             eTypes,
-             addresses,
-             additionalTickets);
-    }
-
-     /*
-    private KrbAsReq(KDCOptions options,
-             PrincipalName cname,
-             PrincipalName sname,
-             KerberosTime from,
-             KerberosTime till,
-             KerberosTime rtime,
-             int[] eTypes,
-             HostAddresses addresses,
-             Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        init(null,
-             options,
-             cname,
-             sname,
-             from,
-             till,
-             rtime,
-             eTypes,
-             addresses,
-             additionalTickets);
-    }
-*/
-
-    private void init(EncryptionKey[] keys,
-                      KDCOptions options,
-                      PrincipalName cname,
-                      PrincipalName sname,
-                      KerberosTime from,
-                      KerberosTime till,
-                      KerberosTime rtime,
-                      int[] eTypes,
-                      HostAddresses addresses,
-                      Ticket[] additionalTickets )
-        throws KrbException, IOException {
 
         // check if they are valid arguments. The optional fields should be
         // consistent with settings in KDCOptions. Mar 17 2000
@@ -341,189 +89,66 @@
             if (rtime != null)  rtime = null;
         }
 
-        princName = cname;
-        int[] tktETypes = EType.getDefaults("default_tkt_enctypes", keys);
         PAData[] paData = null;
-        if (PA_ENC_TIMESTAMP_REQUIRED) {
-            EncryptionKey key = null;
-            if (pa_etype != EncryptedData.ETYPE_NULL) {
-                if (DEBUG) {
-                    System.out.println("Pre-Authenticaton: find key for etype = " + pa_etype);
-                }
-                key = EncryptionKey.findKey(pa_etype, keys);
-            } else {
-                if (tktETypes.length > 0) {
-                    key = EncryptionKey.findKey(tktETypes[0], keys);
-                }
-            }
-            if (DEBUG) {
-                System.out.println("AS-REQ: Add PA_ENC_TIMESTAMP now");
-            }
+        if (pakey != null) {
             PAEncTSEnc ts = new PAEncTSEnc();
             byte[] temp = ts.asn1Encode();
-            if (key != null) {
-                // Use first key in list
-                EncryptedData encTs = new EncryptedData(key, temp,
-                    KeyUsage.KU_PA_ENC_TS);
-                paData = new PAData[1];
-                paData[0] = new PAData( Krb5.PA_ENC_TIMESTAMP,
-                                        encTs.asn1Encode());
-            }
+            EncryptedData encTs = new EncryptedData(pakey, temp,
+                KeyUsage.KU_PA_ENC_TS);
+            paData = new PAData[1];
+            paData[0] = new PAData( Krb5.PA_ENC_TIMESTAMP,
+                                    encTs.asn1Encode());
+        }
+
+        if (cname.getRealm() == null) {
+            throw new RealmException(Krb5.REALM_NULL,
+                                     "default realm not specified ");
         }
 
         if (DEBUG) {
-            System.out.println(">>> KrbAsReq calling createMessage");
-        }
-
-        if (eTypes == null) {
-            eTypes = tktETypes;
+            System.out.println(">>> KrbAsReq creating message");
         }
 
         // check to use addresses in tickets
-        if (Config.getInstance().useAddresses()) {
-            KDC_EMPTY_ADDRESSES_ALLOWED = false;
-        }
-        // get the local InetAddress if required
-        if (addresses == null && !KDC_EMPTY_ADDRESSES_ALLOWED) {
+        if (addresses == null && Config.getInstance().useAddresses()) {
             addresses = HostAddresses.getLocalAddresses();
         }
 
-        asReqMessg = createMessage(
-                                   paData,
-                                   options,
-                                   cname,
-                                   cname.getRealm(),
-                                   sname,
-                                   from,
-                                   till,
-                                   rtime,
-                                   eTypes,
-                                   addresses,
-                                   additionalTickets);
-        obuf = asReqMessg.asn1Encode();
-    }
-
-    /**
-     * Returns an AS-REP message corresponding to the AS-REQ that
-     * was sent.
-     * @param password The password that will be used to derive the
-     * secret key that will decrypt the AS-REP from  the KDC.
-     * @exception KrbException if an error occurs while reading the data.
-     * @exception IOException if an I/O error occurs while reading encoded data.
-     */
-    public KrbAsRep getReply(char[] password)
-        throws KrbException, IOException {
-
-        if (password == null)
-            throw new KrbException(Krb5.API_INVALID_ARG);
-        KrbAsRep temp = null;
-        EncryptionKey[] keys = null;
-        try {
-            keys = EncryptionKey.acquireSecretKeys(password,
-                princName.getSalt(), pa_exists, pa_etype, pa_s2kparams);
-            temp = getReply(keys);
-        } finally {
-            /*
-             * Its ok to destroy the key here because we created it and are
-             * now done with it.
-             */
-             if (keys != null) {
-                for (int i = 0; i < keys.length; i++) {
-                    keys[i].destroy();
-                }
-             }
-        }
-        return temp;
-    }
-
-    /**
-     * Sends an AS request to the realm of the client.
-     * returns the KDC hostname that the request was sent to
-     */
-
-    public String send()
-        throws IOException, KrbException
-    {
-        String realmStr = null;
-        if (princName != null)
-            realmStr = princName.getRealmString();
-
-        return (send(realmStr));
-    }
-
-    /**
-     * Returns an AS-REP message corresponding to the AS-REQ that
-     * was sent.
-     * @param keys The secret keys that will decrypt the AS-REP from
-     * the KDC; key selected depends on etype used to encrypt data.
-     * @exception KrbException if an error occurs while reading the data.
-     * @exception IOException if an I/O error occurs while reading encoded
-     * data.
-     *
-     */
-    public KrbAsRep getReply(EncryptionKey[] keys)
-        throws KrbException,IOException {
-        return new KrbAsRep(ibuf, keys, this);
-    }
-
-    private ASReq createMessage(
-                        PAData[] paData,
-                        KDCOptions kdc_options,
-                        PrincipalName cname,
-                        Realm crealm,
-                        PrincipalName sname,
-                        KerberosTime from,
-                        KerberosTime till,
-                        KerberosTime rtime,
-                        int[] eTypes,
-                        HostAddresses addresses,
-                        Ticket[] additionalTickets
-                        ) throws Asn1Exception, KrbApErrException,
-                        RealmException, UnknownHostException, IOException {
-
-        if (DEBUG) {
-            System.out.println(">>> KrbAsReq in createMessage");
+        if (sname == null) {
+            sname = new PrincipalName("krbtgt" +
+                                      PrincipalName.NAME_COMPONENT_SEPARATOR +
+                                      cname.getRealmAsString(),
+                            PrincipalName.KRB_NT_SRV_INST);
         }
 
-        PrincipalName req_sname = null;
-        if (sname == null) {
-            if (crealm == null) {
-                throw new RealmException(Krb5.REALM_NULL,
-                                         "default realm not specified ");
-            }
-            req_sname = new PrincipalName(
-                                          "krbtgt" +
-                                          PrincipalName.NAME_COMPONENT_SEPARATOR +
-                                          crealm.toString(),
-                                          PrincipalName.KRB_NT_SRV_INST);
-        } else
-            req_sname = sname;
-
-        KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime();
-        } else {
-            req_till = till;
+            till = new KerberosTime(0); // Choose KDC maximum allowed
         }
 
-        KDCReqBody kdc_req_body = new KDCReqBody(kdc_options,
+        // enc-authorization-data and additional-tickets never in AS-REQ
+        KDCReqBody kdc_req_body = new KDCReqBody(options,
                                                  cname,
-                                                 crealm,
-                                                 req_sname,
+                                                 cname.getRealm(),
+                                                 sname,
                                                  from,
-                                                 req_till,
+                                                 till,
                                                  rtime,
                                                  Nonce.value(),
                                                  eTypes,
                                                  addresses,
                                                  null,
-                                                 additionalTickets);
+                                                 null);
 
-        return new ASReq(
+        asReqMessg = new ASReq(
                          paData,
                          kdc_req_body);
     }
 
+    byte[] encoding() throws IOException, Asn1Exception {
+        return asReqMessg.asn1Encode();
+    }
+
+    // Used by KrbAsRep to validate AS-REP
     ASReq getMessage() {
         return asReqMessg;
     }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java	Fri Dec 03 11:30:28 2010 -0800
@@ -0,0 +1,395 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.krb5;
+
+import java.io.IOException;
+import java.util.Arrays;
+import sun.security.krb5.internal.HostAddresses;
+import sun.security.krb5.internal.KDCOptions;
+import sun.security.krb5.internal.KRBError;
+import sun.security.krb5.internal.KerberosTime;
+import sun.security.krb5.internal.Krb5;
+import sun.security.krb5.internal.PAData;
+import sun.security.krb5.internal.crypto.EType;
+
+/**
+ * A manager class for AS-REQ communications.
+ *
+ * This class does:
+ * 1. Gather information to create AS-REQ
+ * 2. Create and send AS-REQ
+ * 3. Receive AS-REP and KRB-ERROR (-KRB_ERR_RESPONSE_TOO_BIG) and parse them
+ * 4. Emit credentials and secret keys (for JAAS storeKey=true)
+ *
+ * This class does not:
+ * 1. Deal with real communications (KdcComm does it, and TGS-REQ)
+ *    a. Name of KDCs for a realm
+ *    b. Server availability, timeout, UDP or TCP
+ *    d. KRB_ERR_RESPONSE_TOO_BIG
+ *
+ * With this class:
+ * 1. KrbAsReq has only one constructor
+ * 2. Krb5LoginModule and Kinit call a single builder
+ * 3. Better handling of sensitive info
+ *
+ * @since 1.7
+ */
+
+public final class KrbAsReqBuilder {
+
+    // Common data for AS-REQ fields
+    private KDCOptions options;
+    private PrincipalName cname;
+    private PrincipalName sname;
+    private KerberosTime from;
+    private KerberosTime till;
+    private KerberosTime rtime;
+    private HostAddresses addresses;
+
+    // Secret source: can't be changed once assigned, only one (of the two
+    // sources) can be set and should be non-null
+    private EncryptionKey[] keys;
+    private char[] password;
+
+    // Used to create a ENC-TIMESTAMP in the 2nd AS-REQ
+    private EncryptionKey pakey;
+    private PAData[] paList;        // PA-DATA from both KRB-ERROR and AS-REP.
+                                    // Used by getKeys() only.
+                                    // Only AS-REP should be enough per RFC,
+                                    // combined in case etypes are different.
+
+    // The generated and received:
+    int[] eTypes;
+    private KrbAsReq req;
+    private KrbAsRep rep;
+
+    private static enum State {
+        INIT,       // Initialized, can still add more initialization info
+        REQ_OK,     // AS-REQ performed
+        DESTROYED,  // Destroyed, not usable anymore
+    }
+    private State state;
+
+    // Called by other constructors
+    private KrbAsReqBuilder(PrincipalName cname)
+            throws KrbException {
+        if (cname.getRealm() == null) {
+            cname.setRealm(Config.getInstance().getDefaultRealm());
+        }
+        this.cname = cname;
+        state = State.INIT;
+    }
+
+    /**
+     * Creates a builder to be used by {@code cname} with existing keys.
+     *
+     * @param cname the client of the AS-REQ. Must not be null. Might have no
+     * realm, where default realm will be used. This realm will be the target
+     * realm for AS-REQ. I believe a client should only get initial TGT from
+     * its own realm.
+     * @param keys must not be null. if empty, might be quite useless.
+     * This argument will neither be modified nor stored by the method.
+     * @throws KrbException
+     */
+    public KrbAsReqBuilder(PrincipalName cname, EncryptionKey[] keys)
+            throws KrbException {
+        this(cname);
+        this.keys = new EncryptionKey[keys.length];
+        for (int i=0; i<keys.length; i++) {
+            this.keys[i] = (EncryptionKey)keys[i].clone();
+        }
+        eTypes = EType.getDefaults("default_tkt_enctypes", keys);
+    }
+
+    /**
+     * Creates a builder to be used by {@code cname} with a known password.
+     *
+     * @param cname the client of the AS-REQ. Must not be null. Might have no
+     * realm, where default realm will be used. This realm will be the target
+     * realm for AS-REQ. I believe a client should only get initial TGT from
+     * its own realm.
+     * @param pass must not be null. This argument will neither be modified
+     * nor stored by the method.
+     * @throws KrbException
+     */
+    public KrbAsReqBuilder(PrincipalName cname, char[] pass)
+            throws KrbException {
+        this(cname);
+        this.password = pass.clone();
+        eTypes = EType.getDefaults("default_tkt_enctypes");
+    }
+
+    /**
+     * Retrieves an array of secret keys for the client. This is useful if
+     * the client supplies password but need keys to act as an acceptor
+     * (in JAAS words, isInitiator=true and storeKey=true)
+     * @return original keys if initiated with keys, or generated keys if
+     * password. In latter case, PA-DATA from server might be used to
+     * generate keys. All "default_tkt_enctypes" keys will be generated,
+     * Never null.
+     * @throws KrbException
+     */
+    public EncryptionKey[] getKeys() throws KrbException {
+        checkState(State.REQ_OK, "Cannot get keys");
+        if (keys != null) {
+            EncryptionKey[] result = new EncryptionKey[keys.length];
+            for (int i=0; i<keys.length; i++) {
+                result[i] = (EncryptionKey)keys[i].clone();
+            }
+            return result;
+        } else {
+            EncryptionKey[] result = new EncryptionKey[eTypes.length];
+
+            /*
+             * Returns an array of keys. Before KrbAsReqBuilder, all etypes
+             * use the same salt which is either the default one or a new salt
+             * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
+             * own new salt from PA-DATA. For an etype with no PA-DATA new salt
+             * at all, what salt should it use?
+             *
+             * Commonly, the stored keys are only to be used by an acceptor to
+             * decrypt service ticket in AP-REQ. Most impls only allow keys
+             * from a keytab on acceptor, but unfortunately (?) Java supports
+             * acceptor using password. In this case, if the service ticket is
+             * encrypted using an etype which we don't have PA-DATA new salt,
+             * using the default salt is normally wrong (say, case-insensitive
+             * user name). Instead, we would use the new salt of another etype.
+             */
+
+            String salt = null;     // the saved new salt
+            for (int i=0; i<eTypes.length; i++) {
+                PAData.SaltAndParams snp =
+                        PAData.getSaltAndParams(eTypes[i], paList);
+                // First round, only calculate those with new salt
+                if (snp.salt != null) {
+                    salt = snp.salt;
+                    result[i] = EncryptionKey.acquireSecretKey(password,
+                            snp.salt,
+                            eTypes[i],
+                            snp.params);
+                }
+            }
+            if (salt == null) salt = cname.getSalt();
+            for (int i=0; i<eTypes.length; i++) {
+                // Second round, calculate those with no new salt
+                if (result[i] == null) {
+                    PAData.SaltAndParams snp =
+                            PAData.getSaltAndParams(eTypes[i], paList);
+                    result[i] = EncryptionKey.acquireSecretKey(password,
+                            salt,
+                            eTypes[i],
+                            snp.params);
+                }
+            }
+            return result;
+        }
+    }
+
+    /**
+     * Sets or clears options. If cleared, default options will be used
+     * at creation time.
+     * @param options
+     */
+    public void setOptions(KDCOptions options) {
+        checkState(State.INIT, "Cannot specify options");
+        this.options = options;
+    }
+
+    /**
+     * Sets or clears target. If cleared, KrbAsReq might choose krbtgt
+     * for cname realm
+     * @param sname
+     */
+    public void setTarget(PrincipalName sname) {
+        checkState(State.INIT, "Cannot specify target");
+        this.sname = sname;
+    }
+
+    /**
+     * Adds or clears addresses. KrbAsReq might add some if empty
+     * field not allowed
+     * @param addresses
+     */
+    public void setAddresses(HostAddresses addresses) {
+        checkState(State.INIT, "Cannot specify addresses");
+        this.addresses = addresses;
+    }
+
+    /**
+     * Build a KrbAsReq object from all info fed above. Normally this method
+     * will be called twice: initial AS-REQ and second with pakey
+     * @return the KrbAsReq object
+     * @throws KrbException
+     * @throws IOException
+     */
+    private KrbAsReq build() throws KrbException, IOException {
+        return new KrbAsReq(pakey,
+            options,
+            cname,
+            sname,
+            from,
+            till,
+            rtime,
+            eTypes,
+            addresses);
+    }
+
+    /**
+     * Parses AS-REP, decrypts enc-part, retrieves ticket and session key
+     * @throws KrbException
+     * @throws Asn1Exception
+     * @throws IOException
+     */
+    private KrbAsReqBuilder resolve() throws KrbException, Asn1Exception, IOException {
+        if (keys != null) {
+            rep.decryptUsingKeys(keys, req);
+        } else {
+            rep.decryptUsingPassword(password, req, cname);
+        }
+        if (rep.getPA() != null) {
+            if (paList == null || paList.length == 0) {
+                paList = rep.getPA();
+            } else {
+                int extraLen = rep.getPA().length;
+                if (extraLen > 0) {
+                    int oldLen = paList.length;
+                    paList = Arrays.copyOf(paList, paList.length + extraLen);
+                    System.arraycopy(rep.getPA(), 0, paList, oldLen, extraLen);
+                }
+            }
+        }
+        return this;
+    }
+
+    /**
+     * Communication until AS-REP or non preauth-related KRB-ERROR received
+     * @throws KrbException
+     * @throws IOException
+     */
+    private KrbAsReqBuilder send() throws KrbException, IOException {
+        boolean preAuthFailedOnce = false;
+        KdcComm comm = new KdcComm(cname.getRealmAsString());
+        while (true) {
+            try {
+                req = build();
+                rep = new KrbAsRep(comm.send(req.encoding()));
+                return this;
+            } catch (KrbException ke) {
+                if (!preAuthFailedOnce && (
+                        ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED ||
+                        ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
+                    if (Krb5.DEBUG) {
+                        System.out.println("KrbAsReqBuilder: " +
+                                "PREAUTH FAILED/REQ, re-send AS-REQ");
+                    }
+                    preAuthFailedOnce = true;
+                    KRBError kerr = ke.getError();
+                    if (password == null) {
+                        pakey = EncryptionKey.findKey(kerr.getEType(), keys);
+                    } else {
+                        PAData.SaltAndParams snp = PAData.getSaltAndParams(
+                                kerr.getEType(), kerr.getPA());
+                        if (kerr.getEType() == 0) {
+                            // Possible if PA-PW-SALT is in KRB-ERROR. RFC
+                            // does not recommend this
+                            pakey = EncryptionKey.acquireSecretKey(password,
+                                    snp.salt == null ? cname.getSalt() : snp.salt,
+                                    eTypes[0],
+                                    null);
+                        } else {
+                            pakey = EncryptionKey.acquireSecretKey(password,
+                                    snp.salt == null ? cname.getSalt() : snp.salt,
+                                    kerr.getEType(),
+                                    snp.params);
+                        }
+                    }
+                    paList = kerr.getPA();  // Update current paList
+                } else {
+                    throw ke;
+                }
+            }
+        }
+    }
+
+    /**
+     * Performs AS-REQ send and AS-REP receive.
+     * Maybe a state is needed here, to divide prepare process and getCreds.
+     * @throws KrbException
+     * @throws Asn1Exception
+     * @throws IOException
+     */
+    public KrbAsReqBuilder action()
+            throws KrbException, Asn1Exception, IOException {
+        checkState(State.INIT, "Cannot call action");
+        state = State.REQ_OK;
+        return send().resolve();
+    }
+
+    /**
+     * Gets Credentials object after action
+     */
+    public Credentials getCreds() {
+        checkState(State.REQ_OK, "Cannot retrieve creds");
+        return rep.getCreds();
+    }
+
+    /**
+     * Gets another type of Credentials after action
+     */
+    public sun.security.krb5.internal.ccache.Credentials getCCreds() {
+        checkState(State.REQ_OK, "Cannot retrieve CCreds");
+        return rep.getCCreds();
+    }
+
+    /**
+     * Destroys the object and clears keys and password info.
+     */
+    public void destroy() {
+        state = State.DESTROYED;
+        if (keys != null) {
+            for (EncryptionKey k: keys) {
+                k.destroy();
+            }
+            keys = null;
+        }
+        if (password != null) {
+            Arrays.fill(password, (char)0);
+            password = null;
+        }
+    }
+
+    /**
+     * Checks if the current state is the specified one.
+     * @param st the expected state
+     * @param msg error message if state is not correct
+     * @throws IllegalStateException if state is not correct
+     */
+    private void checkState(State st, String msg) {
+        if (state != st) {
+            throw new IllegalStateException(msg + " at " + st + " state");
+        }
+    }
+}
--- a/src/share/classes/sun/security/krb5/KrbKdcReq.java	Thu Dec 02 19:53:51 2010 +0300
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,530 +0,0 @@
-/*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- *
- *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
- *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
- */
-
-package sun.security.krb5;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import java.security.Security;
-import java.util.Locale;
-import sun.security.krb5.internal.Krb5;
-import sun.security.krb5.internal.UDPClient;
-import sun.security.krb5.internal.TCPClient;
-import java.io.IOException;
-import java.net.SocketTimeoutException;
-import java.util.StringTokenizer;
-import java.security.AccessController;
-import java.security.PrivilegedExceptionAction;
-import java.security.PrivilegedActionException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.HashSet;
-
-public abstract class KrbKdcReq {
-
-    // The following settings can be configured in [libdefaults]
-    // section of krb5.conf, which are global for all realms. Each of
-    // them can also be defined in a realm, which overrides value here.
-
-    /**
-     * max retry time for a single KDC, default Krb5.KDC_RETRY_LIMIT (3)
-     */
-    private static int defaultKdcRetryLimit;
-    /**
-     * timeout requesting a ticket from KDC, in millisec, default 30 sec
-     */
-    private static int defaultKdcTimeout;
-    /**
-     * max UDP packet size, default unlimited (-1)
-     */
-    private static int defaultUdpPrefLimit;
-
-    private static final boolean DEBUG = Krb5.DEBUG;
-
-    private static final String BAD_POLICY_KEY = "krb5.kdc.bad.policy";
-
-    /**
-     * What to do when a KDC is unavailable, specified in the
-     * java.security file with key krb5.kdc.bad.policy.
-     * Possible values can be TRY_LAST or TRY_LESS. Reloaded when refreshed.
-     */
-    private enum BpType {
-        NONE, TRY_LAST, TRY_LESS
-    }
-    private static int tryLessMaxRetries = 1;
-    private static int tryLessTimeout = 5000;
-
-    private static BpType badPolicy;
-
-    static {
-        initStatic();
-    }
-
-    /**
-     * Read global settings
-     */
-    public static void initStatic() {
-        String value = AccessController.doPrivileged(
-        new PrivilegedAction<String>() {
-            public String run() {
-                return Security.getProperty(BAD_POLICY_KEY);
-            }
-        });
-        if (value != null) {
-            value = value.toLowerCase(Locale.ENGLISH);
-            String[] ss = value.split(":");
-            if ("tryless".equals(ss[0])) {
-                if (ss.length > 1) {
-                    String[] params = ss[1].split(",");
-                    try {
-                        int tmp0 = Integer.parseInt(params[0]);
-                        if (params.length > 1) {
-                            tryLessTimeout = Integer.parseInt(params[1]);
-                        }
-                        // Assign here in case of exception at params[1]
-                        tryLessMaxRetries = tmp0;
-                    } catch (NumberFormatException nfe) {
-                        // Ignored. Please note that tryLess is recognized and
-                        // used, parameters using default values
-                        if (DEBUG) {
-                            System.out.println("Invalid " + BAD_POLICY_KEY +
-                                    " parameter for tryLess: " +
-                                    value + ", use default");
-                        }
-                    }
-                }
-                badPolicy = BpType.TRY_LESS;
-            } else if ("trylast".equals(ss[0])) {
-                badPolicy = BpType.TRY_LAST;
-            } else {
-                badPolicy = BpType.NONE;
-            }
-        } else {
-            badPolicy = BpType.NONE;
-        }
-
-
-        int timeout = -1;
-        int max_retries = -1;
-        int udf_pref_limit = -1;
-
-        try {
-            Config cfg = Config.getInstance();
-            String temp = cfg.getDefault("kdc_timeout", "libdefaults");
-            timeout = parsePositiveIntString(temp);
-            temp = cfg.getDefault("max_retries", "libdefaults");
-            max_retries = parsePositiveIntString(temp);
-            temp = cfg.getDefault("udp_preference_limit", "libdefaults");
-            udf_pref_limit = parsePositiveIntString(temp);
-        } catch (Exception exc) {
-           // ignore any exceptions; use default values
-           if (DEBUG) {
-                System.out.println ("Exception in getting KDC communication " +
-                                    "settings, using default value " +
-                                    exc.getMessage());
-           }
-        }
-        defaultKdcTimeout = timeout > 0 ? timeout : 30*1000; // 30 seconds
-        defaultKdcRetryLimit =
-                max_retries > 0 ? max_retries : Krb5.KDC_RETRY_LIMIT;
-        defaultUdpPrefLimit = udf_pref_limit;
-
-        KdcAccessibility.reset();
-    }
-
-    protected byte[] obuf;
-    protected byte[] ibuf;
-
-    /**
-     * Sends the provided data to the KDC of the specified realm.
-     * Returns the response from the KDC.
-     * Default realm/KDC is used if realm is null.
-     * @param realm the realm of the KDC where data is to be sent.
-     * @returns the kdc to which the AS request was sent to
-     * @exception InterruptedIOException if timeout expires
-     * @exception KrbException
-     */
-
-    public String send(String realm)
-        throws IOException, KrbException {
-        int udpPrefLimit = getRealmSpecificValue(
-                realm, "udp_preference_limit", defaultUdpPrefLimit);
-
-        boolean useTCP = (udpPrefLimit > 0 &&
-             (obuf != null && obuf.length > udpPrefLimit));
-
-        return (send(realm, useTCP));
-    }
-
-    public String send(String realm, boolean useTCP)
-        throws IOException, KrbException {
-
-        if (obuf == null)
-            return null;
-        Exception savedException = null;
-        Config cfg = Config.getInstance();
-
-        if (realm == null) {
-            realm = cfg.getDefaultRealm();
-            if (realm == null) {
-                throw new KrbException(Krb5.KRB_ERR_GENERIC,
-                                       "Cannot find default realm");
-            }
-        }
-
-        String kdcList = cfg.getKDCList(realm);
-        if (kdcList == null) {
-            throw new KrbException("Cannot get kdc for realm " + realm);
-        }
-        String tempKdc = null; // may include the port number also
-        for (String tmp: KdcAccessibility.list(kdcList)) {
-            tempKdc = tmp;
-            try {
-                send(realm,tempKdc,useTCP);
-                KdcAccessibility.removeBad(tempKdc);
-                break;
-            } catch (Exception e) {
-                if (DEBUG) {
-                    System.out.println(">>> KrbKdcReq send: error trying " +
-                            tempKdc);
-                    e.printStackTrace(System.out);
-                }
-                KdcAccessibility.addBad(tempKdc);
-                savedException = e;
-            }
-        }
-        if (ibuf == null && savedException != null) {
-            if (savedException instanceof IOException) {
-                throw (IOException) savedException;
-            } else {
-                throw (KrbException) savedException;
-            }
-        }
-        return tempKdc;
-    }
-
-    // send the AS Request to the specified KDC
-
-    public void send(String realm, String tempKdc, boolean useTCP)
-        throws IOException, KrbException {
-
-        if (obuf == null)
-            return;
-
-        int port = Krb5.KDC_INET_DEFAULT_PORT;
-        int retries = getRealmSpecificValue(
-                realm, "max_retries", defaultKdcRetryLimit);
-        int timeout = getRealmSpecificValue(
-                realm, "kdc_timeout", defaultKdcTimeout);
-        if (badPolicy == BpType.TRY_LESS &&
-                KdcAccessibility.isBad(tempKdc)) {
-            if (retries > tryLessMaxRetries) {
-                retries = tryLessMaxRetries; // less retries
-            }
-            if (timeout > tryLessTimeout) {
-                timeout = tryLessTimeout; // less time
-            }
-        }
-
-        String kdc = null;
-        String portStr = null;
-
-        if (tempKdc.charAt(0) == '[') {     // Explicit IPv6 in []
-            int pos = tempKdc.indexOf(']', 1);
-            if (pos == -1) {
-                throw new IOException("Illegal KDC: " + tempKdc);
-            }
-            kdc = tempKdc.substring(1, pos);
-            if (pos != tempKdc.length() - 1) {  // with port number
-                if (tempKdc.charAt(pos+1) != ':') {
-                    throw new IOException("Illegal KDC: " + tempKdc);
-                }
-                portStr = tempKdc.substring(pos+2);
-            }
-        } else {
-            int colon = tempKdc.indexOf(':');
-            if (colon == -1) {      // Hostname or IPv4 host only
-                kdc = tempKdc;
-            } else {
-                int nextColon = tempKdc.indexOf(':', colon+1);
-                if (nextColon > 0) {    // >=2 ":", IPv6 with no port
-                    kdc = tempKdc;
-                } else {                // 1 ":", hostname or IPv4 with port
-                    kdc = tempKdc.substring(0, colon);
-                    portStr = tempKdc.substring(colon+1);
-                }
-            }
-        }
-        if (portStr != null) {
-            int tempPort = parsePositiveIntString(portStr);
-            if (tempPort > 0)
-                port = tempPort;
-        }
-
-        if (DEBUG) {
-            System.out.println(">>> KrbKdcReq send: kdc=" + kdc
-                               + (useTCP ? " TCP:":" UDP:")
-                               +  port +  ", timeout="
-                               + timeout
-                               + ", number of retries ="
-                               + retries
-                               + ", #bytes=" + obuf.length);
-        }
-
-        KdcCommunication kdcCommunication =
-            new KdcCommunication(kdc, port, useTCP, timeout, retries, obuf);
-        try {
-            ibuf = AccessController.doPrivileged(kdcCommunication);
-            if (DEBUG) {
-                System.out.println(">>> KrbKdcReq send: #bytes read="
-                        + (ibuf != null ? ibuf.length : 0));
-            }
-        } catch (PrivilegedActionException e) {
-            Exception wrappedException = e.getException();
-            if (wrappedException instanceof IOException) {
-                throw (IOException) wrappedException;
-            } else {
-                throw (KrbException) wrappedException;
-            }
-        }
-        if (DEBUG) {
-            System.out.println(">>> KrbKdcReq send: #bytes read="
-                               + (ibuf != null ? ibuf.length : 0));
-        }
-    }
-
-    private static class KdcCommunication
-        implements PrivilegedExceptionAction<byte[]> {
-
-        private String kdc;
-        private int port;
-        private boolean useTCP;
-        private int timeout;
-        private int retries;
-        private byte[] obuf;
-
-        public KdcCommunication(String kdc, int port, boolean useTCP,
-                                int timeout, int retries, byte[] obuf) {
-            this.kdc = kdc;
-            this.port = port;
-            this.useTCP = useTCP;
-            this.timeout = timeout;
-            this.retries = retries;
-            this.obuf = obuf;
-        }
-
-        // The caller only casts IOException and KrbException so don't
-        // add any new ones!
-
-        public byte[] run() throws IOException, KrbException {
-
-            byte[] ibuf = null;
-
-            if (useTCP) {
-                TCPClient kdcClient = new TCPClient(kdc, port);
-                if (DEBUG) {
-                    System.out.println(">>> KDCCommunication: kdc=" + kdc
-                           + " TCP:"
-                           +  port
-                           + ", #bytes=" + obuf.length);
-                }
-                try {
-                    /*
-                     * Send the data to the kdc.
-                     */
-                    kdcClient.send(obuf);
-                    /*
-                     * And get a response.
-                     */
-                    ibuf = kdcClient.receive();
-                } finally {
-                    kdcClient.close();
-                }
-
-            } else {
-                // For each KDC we try defaultKdcRetryLimit times to
-                // get the response
-                for (int i=1; i <= retries; i++) {
-                    UDPClient kdcClient = new UDPClient(kdc, port, timeout);
-
-                    if (DEBUG) {
-                        System.out.println(">>> KDCCommunication: kdc=" + kdc
-                               + (useTCP ? " TCP:":" UDP:")
-                               +  port +  ", timeout="
-                               + timeout
-                               + ",Attempt =" + i
-                               + ", #bytes=" + obuf.length);
-                    }
-                    try {
-                        /*
-                         * Send the data to the kdc.
-                         */
-
-                        kdcClient.send(obuf);
-
-                        /*
-                         * And get a response.
-                         */
-                        try {
-                            ibuf = kdcClient.receive();
-                            break;
-                        } catch (SocketTimeoutException se) {
-                            if (DEBUG) {
-                                System.out.println ("SocketTimeOutException with " +
-                                                    "attempt: " + i);
-                            }
-                            if (i == retries) {
-                                ibuf = null;
-                                throw se;
-                            }
-                        }
-                    } finally {
-                        kdcClient.close();
-                    }
-                }
-            }
-            return ibuf;
-        }
-    }
-
-    /**
-     * Returns krb5.conf setting of {@code key} for a specfic realm,
-     * which can be:
-     * 1. defined in the sub-stanza for the given realm inside [realms], or
-     * 2. defined in [libdefaults], or
-     * 3. defValue
-     * @param realm the given realm in which the setting is requested. Returns
-     * the global setting if null
-     * @param key the key for the setting
-     * @param defValue default value
-     * @return a value for the key
-     */
-    private int getRealmSpecificValue(String realm, String key, int defValue) {
-        int v = defValue;
-
-        if (realm == null) return v;
-
-        int temp = -1;
-        try {
-            String value =
-               Config.getInstance().getDefault(key, realm);
-            temp = parsePositiveIntString(value);
-        } catch (Exception exc) {
-            // Ignored, defValue will be picked up
-        }
-
-        if (temp > 0) v = temp;
-
-        return v;
-    }
-
-    private static int parsePositiveIntString(String intString) {
-        if (intString == null)
-            return -1;
-
-        int ret = -1;
-
-        try {
-            ret = Integer.parseInt(intString);
-        } catch (Exception exc) {
-            return -1;
-        }
-
-        if (ret >= 0)
-            return ret;
-
-        return -1;
-    }
-
-    /**
-     * Maintains a KDC accessible list. Unavailable KDCs are put into a
-     * blacklist, when a KDC in the blacklist is available, it's removed
-     * from there. No insertion order in the blacklist.
-     *
-     * There are two methods to deal with KDCs in the blacklist. 1. Only try
-     * them when there's no KDC not on the blacklist. 2. Still try them, but
-     * with lesser number of retries and smaller timeout value.
-     */
-    static class KdcAccessibility {
-        // Known bad KDCs
-        private static Set<String> bads = new HashSet<String>();
-
-        private static synchronized void addBad(String kdc) {
-            if (DEBUG) {
-                System.out.println(">>> KdcAccessibility: add " + kdc);
-            }
-            bads.add(kdc);
-        }
-
-        private static synchronized void removeBad(String kdc) {
-            if (DEBUG) {
-                System.out.println(">>> KdcAccessibility: remove " + kdc);
-            }
-            bads.remove(kdc);
-        }
-
-        private static synchronized boolean isBad(String kdc) {
-            return bads.contains(kdc);
-        }
-
-        private static synchronized void reset() {
-            if (DEBUG) {
-                System.out.println(">>> KdcAccessibility: reset");
-            }
-            bads.clear();
-        }
-
-        // Returns a preferred KDC list by putting the bad ones at the end
-        private static synchronized String[] list(String kdcList) {
-            StringTokenizer st = new StringTokenizer(kdcList);
-            List<String> list = new ArrayList<String>();
-            if (badPolicy == BpType.TRY_LAST) {
-                List<String> badkdcs = new ArrayList<String>();
-                while (st.hasMoreTokens()) {
-                    String t = st.nextToken();
-                    if (bads.contains(t)) badkdcs.add(t);
-                    else list.add(t);
-                }
-                // Bad KDCs are put at last
-                list.addAll(badkdcs);
-            } else {
-                // All KDCs are returned in their original order,
-                // This include TRY_LESS and NONE
-                while (st.hasMoreTokens()) {
-                    list.add(st.nextToken());
-                }
-            }
-            return list.toArray(new String[list.size()]);
-        }
-    }
-}
-
--- a/src/share/classes/sun/security/krb5/KrbTgsReq.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,20 +31,16 @@
 
 package sun.security.krb5;
 
-import sun.security.util.*;
-import sun.security.krb5.EncryptionKey;
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.crypto.*;
 import java.io.IOException;
 import java.net.UnknownHostException;
-import java.util.StringTokenizer;
-import java.io.InterruptedIOException;
 
 /**
  * This class encapsulates a Kerberos TGS-REQ that is sent from the
  * client to the KDC.
  */
-public class KrbTgsReq extends KrbKdcReq {
+public class KrbTgsReq {
 
     private PrincipalName princName;
     private PrincipalName servName;
@@ -56,7 +52,8 @@
 
     private static final boolean DEBUG = Krb5.DEBUG;
 
-    private int defaultTimeout = 30*1000; // 30 seconds
+    private byte[] obuf;
+    private byte[] ibuf;
 
      // Used in CredentialsUtil
     public KrbTgsReq(Credentials asCreds,
@@ -182,11 +179,12 @@
      * @throws KrbException
      * @throws IOException
      */
-    public String send() throws IOException, KrbException {
+    public void send() throws IOException, KrbException {
         String realmStr = null;
         if (servName != null)
             realmStr = servName.getRealmString();
-        return (send(realmStr));
+        KdcComm comm = new KdcComm(realmStr);
+        ibuf = comm.send(obuf);
     }
 
     public KrbTgsRep getReply()
@@ -201,18 +199,8 @@
     public Credentials sendAndGetCreds() throws IOException, KrbException {
         KrbTgsRep tgs_rep = null;
         String kdc = null;
-        try {
-            kdc = send();
-            tgs_rep = getReply();
-        } catch (KrbException ke) {
-            if (ke.returnCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
-                // set useTCP and retry
-                send(servName.getRealmString(), kdc, true);
-                tgs_rep = getReply();
-            } else {
-                throw ke;
-            }
-        }
+        send();
+        tgs_rep = getReply();
         return tgs_rep.getCreds();
     }
 
@@ -240,7 +228,7 @@
                UnknownHostException, KrbCryptoException {
         KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime();
+            req_till = new KerberosTime(0);
         } else {
             req_till = till;
         }
--- a/src/share/classes/sun/security/krb5/PrincipalName.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/PrincipalName.java	Fri Dec 03 11:30:28 2010 -0800
@@ -511,10 +511,6 @@
         return salt;
     }
 
-    public void setSalt(String salt) {
-        this.salt = salt;
-    }
-
     public String toString() {
         StringBuffer str = new StringBuffer();
         for (int i = 0; i < nameStrings.length; i++) {
--- a/src/share/classes/sun/security/krb5/internal/KDCRep.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/internal/KDCRep.java	Fri Dec 03 11:30:28 2010 -0800
@@ -32,7 +32,6 @@
 
 import sun.security.krb5.*;
 import sun.security.util.*;
-import java.util.Vector;
 import java.io.IOException;
 import java.math.BigInteger;
 
@@ -69,7 +68,7 @@
     public EncKDCRepPart encKDCRepPart; //not part of ASN.1 encoding
     private int pvno;
     private int msgType;
-    private PAData[] pAData = null; //optional
+    public PAData[] pAData = null; //optional
     private boolean DEBUG = Krb5.DEBUG;
 
     public KDCRep(
--- a/src/share/classes/sun/security/krb5/internal/KRBError.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/internal/KRBError.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,7 +41,9 @@
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.math.BigInteger;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import sun.security.krb5.internal.util.KerberosString;
 /**
  * Implements the ASN.1 KRBError type.
@@ -96,10 +98,8 @@
     private byte[] eData; //optional
     private Checksum eCksum; //optional
 
-    // pre-auth info
-    private int etype = 0;
-    private String salt = null;
-    private byte[] s2kparams = null;
+    private PAData[] pa;    // PA-DATA in eData
+    private int pa_eType;   // The 1st etype appeared in salt-related PAData
 
     private static boolean DEBUG = Krb5.DEBUG;
 
@@ -260,10 +260,12 @@
     private void parsePAData(byte[] data)
             throws IOException, Asn1Exception {
         DerValue derPA = new DerValue(data);
+        List<PAData> paList = new ArrayList<PAData>();
         while (derPA.data.available() > 0) {
             // read the PA-DATA
             DerValue tmp = derPA.data.getDerValue();
             PAData pa_data = new PAData(tmp);
+            paList.add(pa_data);
             int pa_type = pa_data.getType();
             byte[] pa_value = pa_data.getValue();
             if (DEBUG) {
@@ -280,24 +282,13 @@
                 case Krb5.PA_ETYPE_INFO:
                     if (pa_value != null) {
                         DerValue der = new DerValue(pa_value);
-                        DerValue value = der.data.getDerValue();
-                        ETypeInfo info = new ETypeInfo(value);
-                        etype = info.getEType();
-                        salt = info.getSalt();
-                        if (DEBUG) {
-                            System.out.println("\t PA-ETYPE-INFO etype = " + etype);
-                            System.out.println("\t PA-ETYPE-INFO salt = " + salt);
-                        }
                         while (der.data.available() > 0) {
-                            value = der.data.getDerValue();
-                            info = new ETypeInfo(value);
+                            DerValue value = der.data.getDerValue();
+                            ETypeInfo info = new ETypeInfo(value);
+                            if (pa_eType == 0) pa_eType = info.getEType();
                             if (DEBUG) {
-                                etype = info.getEType();
-                                System.out.println("\t salt for " + etype
-                                        + " is " + info.getSalt());
-                            }
-                            if (salt == null || salt.isEmpty()) {
-                                salt = info.getSalt();
+                                System.out.println("\t PA-ETYPE-INFO etype = " + info.getEType());
+                                System.out.println("\t PA-ETYPE-INFO salt = " + info.getSalt());
                             }
                         }
                     }
@@ -305,25 +296,13 @@
                 case Krb5.PA_ETYPE_INFO2:
                     if (pa_value != null) {
                         DerValue der = new DerValue(pa_value);
-                        DerValue value = der.data.getDerValue();
-                        ETypeInfo2 info2 = new ETypeInfo2(value);
-                        etype = info2.getEType();
-                        salt = info2.getSalt();
-                        s2kparams = info2.getParams();
-                        if (DEBUG) {
-                            System.out.println("\t PA-ETYPE-INFO2 etype = " + etype);
-                            System.out.println("\t PA-ETYPE-INFO salt = " + salt);
-                        }
                         while (der.data.available() > 0) {
-                            value = der.data.getDerValue();
-                            info2 = new ETypeInfo2(value);
+                            DerValue value = der.data.getDerValue();
+                            ETypeInfo2 info2 = new ETypeInfo2(value);
+                            if (pa_eType == 0) pa_eType = info2.getEType();
                             if (DEBUG) {
-                                etype = info2.getEType();
-                                System.out.println("\t salt for " + etype
-                                        + " is " + info2.getSalt());
-                            }
-                            if (salt == null || salt.isEmpty()) {
-                                salt = info2.getSalt();
+                                System.out.println("\t PA-ETYPE-INFO2 etype = " + info2.getEType());
+                                System.out.println("\t PA-ETYPE-INFO2 salt = " + info2.getSalt());
                             }
                         }
                     }
@@ -333,6 +312,7 @@
                     break;
             }
         }
+        pa = paList.toArray(new PAData[paList.size()]);
     }
 
     public final KerberosTime getServerTime() {
@@ -356,18 +336,12 @@
     }
 
     // access pre-auth info
-    public final int getEType() {
-        return etype;
+    public final PAData[] getPA() {
+        return pa;
     }
 
-    // access pre-auth info
-    public final String getSalt() {
-        return salt;
-    }
-
-    // access pre-auth info
-    public final byte[] getParams() {
-        return ((s2kparams == null) ? null : s2kparams.clone());
+    public final int getEType() {
+        return pa_eType;
     }
 
     public final String getErrorString() {
--- a/src/share/classes/sun/security/krb5/internal/KerberosTime.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/internal/KerberosTime.java	Fri Dec 03 11:30:28 2010 -0800
@@ -77,11 +77,6 @@
     public static final boolean NOW = true;
     public static final boolean UNADJUSTED_NOW = false;
 
-    //defaults to zero instead of now; use setNow() for current time
-    public KerberosTime() {
-        kerberosTime = 0;
-    }
-
     public KerberosTime(long time) {
         kerberosTime = time;
     }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/krb5/internal/NetClient.java	Fri Dec 03 11:30:28 2010 -0800
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ *
+ *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
+ *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
+ */
+
+package sun.security.krb5.internal;
+
+import java.io.*;
+import java.net.*;
+
+public abstract class NetClient {
+    public static NetClient getInstance(String protocol, String hostname, int port,
+            int timeout) throws IOException {
+        if (protocol.equals("TCP")) {
+            return new TCPClient(hostname, port, timeout);
+        } else {
+            return new UDPClient(hostname, port, timeout);
+        }
+    }
+
+    abstract public void send(byte[] data) throws IOException;
+
+    abstract public byte[] receive() throws IOException;
+
+    abstract public void close() throws IOException;
+}
+
+class TCPClient extends NetClient {
+
+    private Socket tcpSocket;
+    private BufferedOutputStream out;
+    private BufferedInputStream in;
+
+    TCPClient(String hostname, int port, int timeout)
+            throws IOException {
+        tcpSocket = new Socket(hostname, port);
+        out = new BufferedOutputStream(tcpSocket.getOutputStream());
+        in = new BufferedInputStream(tcpSocket.getInputStream());
+        tcpSocket.setSoTimeout(timeout);
+    }
+
+    @Override
+    public void send(byte[] data) throws IOException {
+        byte[] lenField = new byte[4];
+        intToNetworkByteOrder(data.length, lenField, 0, 4);
+        out.write(lenField);
+
+        out.write(data);
+        out.flush();
+    }
+
+    @Override
+    public byte[] receive() throws IOException {
+        byte[] lenField = new byte[4];
+        int count = readFully(lenField, 4);
+
+        if (count != 4) {
+            if (Krb5.DEBUG) {
+                System.out.println(
+                    ">>>DEBUG: TCPClient could not read length field");
+            }
+            return null;
+        }
+
+        int len = networkByteOrderToInt(lenField, 0, 4);
+        if (Krb5.DEBUG) {
+            System.out.println(
+                ">>>DEBUG: TCPClient reading " + len + " bytes");
+        }
+        if (len <= 0) {
+            if (Krb5.DEBUG) {
+                System.out.println(
+                    ">>>DEBUG: TCPClient zero or negative length field: "+len);
+            }
+            return null;
+        }
+
+        byte data[] = new byte[len];
+        count = readFully(data, len);
+        if (count != len) {
+            if (Krb5.DEBUG) {
+                System.out.println(
+                    ">>>DEBUG: TCPClient could not read complete packet (" +
+                    len + "/" + count + ")");
+            }
+            return null;
+        } else {
+            return data;
+        }
+    }
+
+    @Override
+    public void close() throws IOException {
+        tcpSocket.close();
+    }
+
+    /**
+     * Read requested number of bytes before returning.
+     * @return The number of bytes actually read; -1 if none read
+     */
+    private int readFully(byte[] inBuf, int total) throws IOException {
+        int count, pos = 0;
+
+        while (total > 0) {
+            count = in.read(inBuf, pos, total);
+
+            if (count == -1) {
+                return (pos == 0? -1 : pos);
+            }
+            pos += count;
+            total -= count;
+        }
+        return pos;
+    }
+
+    /**
+     * Returns the integer represented by 4 bytes in network byte order.
+     */
+    private static int networkByteOrderToInt(byte[] buf, int start,
+        int count) {
+        if (count > 4) {
+            throw new IllegalArgumentException(
+                "Cannot handle more than 4 bytes");
+        }
+
+        int answer = 0;
+
+        for (int i = 0; i < count; i++) {
+            answer <<= 8;
+            answer |= ((int)buf[start+i] & 0xff);
+        }
+        return answer;
+    }
+
+    /**
+     * Encodes an integer into 4 bytes in network byte order in the buffer
+     * supplied.
+     */
+    private static void intToNetworkByteOrder(int num, byte[] buf,
+        int start, int count) {
+        if (count > 4) {
+            throw new IllegalArgumentException(
+                "Cannot handle more than 4 bytes");
+        }
+
+        for (int i = count-1; i >= 0; i--) {
+            buf[start+i] = (byte)(num & 0xff);
+            num >>>= 8;
+        }
+    }
+}
+
+class UDPClient extends NetClient {
+    InetAddress iaddr;
+    int iport;
+    int bufSize = 65507;
+    DatagramSocket dgSocket;
+    DatagramPacket dgPacketIn;
+
+    UDPClient(String hostname, int port, int timeout)
+        throws UnknownHostException, SocketException {
+        iaddr = InetAddress.getByName(hostname);
+        iport = port;
+        dgSocket = new DatagramSocket();
+        dgSocket.setSoTimeout(timeout);
+    }
+
+    @Override
+    public void send(byte[] data) throws IOException {
+        DatagramPacket dgPacketOut = new DatagramPacket(data, data.length,
+                                                        iaddr, iport);
+        dgSocket.send(dgPacketOut);
+    }
+
+    @Override
+    public byte[] receive() throws IOException {
+        byte ibuf[] = new byte[bufSize];
+        dgPacketIn = new DatagramPacket(ibuf, ibuf.length);
+        try {
+            dgSocket.receive(dgPacketIn);
+        }
+        catch (SocketException e) {
+            dgSocket.receive(dgPacketIn);
+        }
+        byte[] data = new byte[dgPacketIn.getLength()];
+        System.arraycopy(dgPacketIn.getData(), 0, data, 0,
+                         dgPacketIn.getLength());
+        return data;
+    }
+
+    @Override
+    public void close() {
+        dgSocket.close();
+    }
+}
--- a/src/share/classes/sun/security/krb5/internal/PAData.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/krb5/internal/PAData.java	Fri Dec 03 11:30:28 2010 -0800
@@ -30,9 +30,11 @@
 
 package sun.security.krb5.internal;
 
+import sun.security.krb5.KrbException;
 import sun.security.util.*;
 import sun.security.krb5.Asn1Exception;
 import java.io.IOException;
+import sun.security.krb5.internal.util.KerberosString;
 
 /**
  * Implements the ASN.1 PA-DATA type.
@@ -135,4 +137,75 @@
     public byte[] getValue() {
         return ((pADataValue == null) ? null : pADataValue.clone());
     }
+
+    /**
+     * A place to store a pair of salt and s2kparams.
+     * An empty salt is changed to null, to be interopable
+     * with Windows 2000 server.
+     */
+    public static class SaltAndParams {
+        public final String salt;
+        public final byte[] params;
+        public SaltAndParams(String s, byte[] p) {
+            if (s != null && s.isEmpty()) s = null;
+            this.salt = s;
+            this.params = p;
+        }
+    }
+
+    /**
+     * Fetches salt and s2kparams value for eType in a series of PA-DATAs.
+     * The preference order is PA-ETYPE-INFO2 > PA-ETYPE-INFO > PA-PW-SALT.
+     * If multiple PA-DATA for the same etype appears, use the last one.
+     * (This is useful when PA-DATAs from KRB-ERROR and AS-REP are combined).
+     * @return salt and s2kparams. never null, its field might be null.
+     */
+    public static SaltAndParams getSaltAndParams(int eType, PAData[] pas)
+            throws Asn1Exception, KrbException {
+
+        if (pas == null || pas.length == 0) {
+            return new SaltAndParams(null, null);
+        }
+
+        String paPwSalt = null;
+        ETypeInfo2 info2 = null;
+        ETypeInfo info = null;
+
+        for (PAData p: pas) {
+            if (p.getValue() != null) {
+                try {
+                    switch (p.getType()) {
+                        case Krb5.PA_PW_SALT:
+                            paPwSalt = new String(p.getValue(),
+                                    KerberosString.MSNAME?"UTF8":"8859_1");
+                            break;
+                        case Krb5.PA_ETYPE_INFO:
+                            DerValue der = new DerValue(p.getValue());
+                            while (der.data.available() > 0) {
+                                DerValue value = der.data.getDerValue();
+                                ETypeInfo tmp = new ETypeInfo(value);
+                                if (tmp.getEType() == eType) info = tmp;
+                            }
+                            break;
+                        case Krb5.PA_ETYPE_INFO2:
+                            der = new DerValue(p.getValue());
+                            while (der.data.available() > 0) {
+                                DerValue value = der.data.getDerValue();
+                                ETypeInfo2 tmp = new ETypeInfo2(value);
+                                if (tmp.getEType() == eType) info2 = tmp;
+                            }
+                            break;
+                    }
+                } catch (IOException ioe) {
+                    // Ignored
+                }
+            }
+        }
+        if (info2 != null) {
+            return new SaltAndParams(info2.getSalt(), info2.getParams());
+        } else if (info != null) {
+            return new SaltAndParams(info.getSalt(), null);
+        }
+        return new SaltAndParams(paPwSalt, null);
+    }
 }
--- a/src/share/classes/sun/security/krb5/internal/TCPClient.java	Thu Dec 02 19:53:51 2010 +0300
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,155 +0,0 @@
-/*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- *
- *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
- *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
- */
-
-package sun.security.krb5.internal;
-
-import java.io.*;
-import java.net.*;
-
-public class TCPClient {
-
-    private Socket tcpSocket;
-    private BufferedOutputStream out;
-    private BufferedInputStream in;
-
-    public TCPClient(String hostname, int port) throws IOException {
-        tcpSocket = new Socket(hostname, port);
-        out = new BufferedOutputStream(tcpSocket.getOutputStream());
-        in = new BufferedInputStream(tcpSocket.getInputStream());
-    }
-
-    public void send(byte[] data) throws IOException {
-        byte[] lenField = new byte[4];
-        intToNetworkByteOrder(data.length, lenField, 0, 4);
-        out.write(lenField);
-
-        out.write(data);
-        out.flush();
-    }
-
-    public byte[] receive() throws IOException {
-        byte[] lenField = new byte[4];
-        int count = readFully(lenField, 4);
-
-        if (count != 4) {
-            if (Krb5.DEBUG) {
-                System.out.println(
-                    ">>>DEBUG: TCPClient could not read length field");
-            }
-            return null;
-        }
-
-        int len = networkByteOrderToInt(lenField, 0, 4);
-        if (Krb5.DEBUG) {
-            System.out.println(
-                ">>>DEBUG: TCPClient reading " + len + " bytes");
-        }
-        if (len <= 0) {
-            if (Krb5.DEBUG) {
-                System.out.println(
-                    ">>>DEBUG: TCPClient zero or negative length field: "+len);
-            }
-            return null;
-        }
-
-        byte data[] = new byte[len];
-        count = readFully(data, len);
-        if (count != len) {
-            if (Krb5.DEBUG) {
-                System.out.println(
-                    ">>>DEBUG: TCPClient could not read complete packet (" +
-                    len + "/" + count + ")");
-            }
-            return null;
-        } else {
-            return data;
-        }
-    }
-
-    public void close() throws IOException {
-        tcpSocket.close();
-    }
-
-    /**
-     * Read requested number of bytes before returning.
-     * @return The number of bytes actually read; -1 if none read
-     */
-    private int readFully(byte[] inBuf, int total) throws IOException {
-        int count, pos = 0;
-
-        while (total > 0) {
-            count = in.read(inBuf, pos, total);
-
-            if (count == -1) {
-                return (pos == 0? -1 : pos);
-            }
-            pos += count;
-            total -= count;
-        }
-        return pos;
-    }
-
-    /**
-     * Returns the integer represented by 4 bytes in network byte order.
-     */
-    private static final int networkByteOrderToInt(byte[] buf, int start,
-        int count) {
-        if (count > 4) {
-            throw new IllegalArgumentException(
-                "Cannot handle more than 4 bytes");
-        }
-
-        int answer = 0;
-
-        for (int i = 0; i < count; i++) {
-            answer <<= 8;
-            answer |= ((int)buf[start+i] & 0xff);
-        }
-        return answer;
-    }
-
-    /**
-     * Encodes an integer into 4 bytes in network byte order in the buffer
-     * supplied.
-     */
-    private static final void intToNetworkByteOrder(int num, byte[] buf,
-        int start, int count) {
-        if (count > 4) {
-            throw new IllegalArgumentException(
-                "Cannot handle more than 4 bytes");
-        }
-
-        for (int i = count-1; i >= 0; i--) {
-            buf[start+i] = (byte)(num & 0xff);
-            num >>>= 8;
-        }
-    }
-}
--- a/src/share/classes/sun/security/krb5/internal/UDPClient.java	Thu Dec 02 19:53:51 2010 +0300
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,99 +0,0 @@
-/*
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- *
- *  (C) Copyright IBM Corp. 1999 All Rights Reserved.
- *  Copyright 1997 The Open Group Research Institute.  All rights reserved.
- */
-
-package sun.security.krb5.internal;
-
-import java.io.*;
-import java.net.*;
-
-public class UDPClient {
-    InetAddress iaddr;
-    int iport;
-    int bufSize = 65507;
-    DatagramSocket dgSocket;
-    DatagramPacket dgPacketIn;
-
-    public UDPClient(InetAddress newIAddr, int port)
-        throws SocketException {
-        iaddr = newIAddr;
-        iport = port;
-        dgSocket = new DatagramSocket();
-    }
-
-    public UDPClient(String hostname, int port)
-        throws UnknownHostException, SocketException {
-        iaddr = InetAddress.getByName(hostname);
-        iport = port;
-        dgSocket = new DatagramSocket();
-    }
-
-    public UDPClient(String hostname, int port, int timeout)
-        throws UnknownHostException, SocketException {
-        iaddr = InetAddress.getByName(hostname);
-        iport = port;
-        dgSocket = new DatagramSocket();
-        dgSocket.setSoTimeout(timeout);
-    }
-
-    public void setBufSize(int newBufSize) {
-        bufSize = newBufSize;
-    }
-
-    public InetAddress getInetAddress() {
-        if (dgPacketIn != null)
-            return dgPacketIn.getAddress();
-        return null;
-    }
-
-    public void send(byte[] data) throws IOException {
-        DatagramPacket dgPacketOut = new DatagramPacket(data, data.length,
-                                                        iaddr, iport);
-        dgSocket.send(dgPacketOut);
-    }
-
-    public byte[] receive() throws IOException {
-        byte ibuf[] = new byte[bufSize];
-        dgPacketIn = new DatagramPacket(ibuf, ibuf.length);
-        try {
-            dgSocket.receive(dgPacketIn);
-        }
-        catch (SocketException e) {
-            dgSocket.receive(dgPacketIn);
-        }
-        byte[] data = new byte[dgPacketIn.getLength()];
-        System.arraycopy(dgPacketIn.getData(), 0, data, 0,
-                         dgPacketIn.getLength());
-        return data;
-    }
-
-    public void close() {
-        dgSocket.close();
-    }
-}
--- a/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1123,7 +1123,7 @@
 
             java.text.MessageFormat form = new java.text.MessageFormat
                         (ResourcesMgr.getString
-                        ("PKCS11 Token [providerName] Password: "));
+                        ("PKCS11.Token.providerName.Password."));
             Object[] source = { getName() };
 
             PasswordCallback pcall = new PasswordCallback(form.format(source),
--- a/src/share/classes/sun/security/provider/PolicyFile.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/provider/PolicyFile.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -653,7 +653,7 @@
             }
         } catch (PolicyParser.ParsingException pe) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                (POLICY + ": error parsing policy:\n\tmessage"));
+                (POLICY + ".error.parsing.policy.message"));
             Object[] source = {policy, pe.getLocalizedMessage()};
             System.err.println(form.format(source));
             if (debug != null)
@@ -895,7 +895,7 @@
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
                          (POLICY +
-                          ": error adding Permission, perm:\n\tmessage"));
+                          ".error.adding.Permission.perm.message"));
                     Object[] source = {pe.permission,
                                        ite.getTargetException().toString()};
                     System.err.println(form.format(source));
@@ -903,7 +903,7 @@
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
                          (POLICY +
-                          ": error adding Permission, perm:\n\tmessage"));
+                          ".error.adding.Permission.perm.message"));
                     Object[] source = {pe.permission,
                                        e.toString()};
                     System.err.println(form.format(source));
@@ -915,7 +915,7 @@
         } catch (Exception e) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
                                          (POLICY
-                                         + ": error adding Entry:\n\tmessage"));
+                                         + ".error.adding.Entry.message"));
             Object[] source = {e.toString()};
             System.err.println(form.format(source));
         }
@@ -1950,7 +1950,7 @@
                 if (colonIndex == -1) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                        ("alias name not provided (pe.name)"));
+                        ("alias.name.not.provided.pe.name."));
                     Object[] source = {pe.name};
                     throw new Exception(form.format(source));
                 }
@@ -1958,7 +1958,7 @@
                 if ((suffix = getDN(suffix, keystore)) == null) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                        ("unable to perform substitution on alias, suffix"));
+                        ("unable.to.perform.substitution.on.alias.suffix"));
                     Object[] source = {value.substring(colonIndex+1)};
                     throw new Exception(form.format(source));
                 }
@@ -1968,7 +1968,7 @@
             } else {
                 MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                        ("substitution value, prefix, unsupported"));
+                        ("substitution.value.prefix.unsupported"));
                 Object[] source = {prefix};
                 throw new Exception(form.format(source));
             }
@@ -2127,18 +2127,18 @@
 
         @Override public String toString(){
             StringBuilder sb = new StringBuilder();
-            sb.append(ResourcesMgr.getString("("));
+            sb.append(ResourcesMgr.getString("LPARAM"));
             sb.append(getCodeSource());
             sb.append("\n");
             for (int j = 0; j < permissions.size(); j++) {
                 Permission p = permissions.get(j);
-                sb.append(ResourcesMgr.getString(" "));
-                sb.append(ResourcesMgr.getString(" "));
+                sb.append(ResourcesMgr.getString("SPACE"));
+                sb.append(ResourcesMgr.getString("SPACE"));
                 sb.append(p);
-                sb.append(ResourcesMgr.getString("\n"));
+                sb.append(ResourcesMgr.getString("NEWLINE"));
             }
-            sb.append(ResourcesMgr.getString(")"));
-            sb.append(ResourcesMgr.getString("\n"));
+            sb.append(ResourcesMgr.getString("RPARAM"));
+            sb.append(ResourcesMgr.getString("NEWLINE"));
             return sb.toString();
         }
     }
@@ -2195,7 +2195,7 @@
             super(type);
             if (type == null) {
                 throw new NullPointerException
-                    (ResourcesMgr.getString("type can't be null"));
+                    (ResourcesMgr.getString("type.can.t.be.null"));
             }
             this.type = type;
             this.name = name;
--- a/src/share/classes/sun/security/provider/PolicyParser.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/provider/PolicyParser.java	Fri Dec 03 11:30:28 2010 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -219,8 +219,7 @@
 
         if (keyStoreUrlString == null && storePassURL != null) {
             throw new ParsingException(ResourcesMgr.getString
-                ("keystorePasswordURL can not be specified without also " +
-                "specifying keystore"));
+                ("keystorePasswordURL.can.not.be.specified.without.also.specifying.keystore"));
         }
     }
 
@@ -357,7 +356,7 @@
             keyStoreType = match("quoted string");
         } else {
             throw new ParsingException(st.lineno(),
-                        ResourcesMgr.getString("expected keystore type"));
+                        ResourcesMgr.getString("expected.keystore.type"));
         }
 
         // parse keystore provider
@@ -370,7 +369,7 @@
             keyStoreProvider = match("quoted string");
         } else {
             throw new ParsingException(st.lineno(),
-                        ResourcesMgr.getString("expected keystore provider"));
+                        ResourcesMgr.getString("expected.keystore.provider"));
         }
     }
 
@@ -421,7 +420,7 @@
                     throw new ParsingException(
                             st.lineno(),
                             ResourcesMgr.getString
-                                ("multiple Codebase expressions"));
+                                ("multiple.Codebase.expressions"));
                 e.codeBase = match("quoted string");
                 peekAndMatch(",");
             } else if (peekAndMatch("SignedBy")) {
@@ -429,7 +428,7 @@
                     throw new ParsingException(
                             st.lineno(),
                             ResourcesMgr.getString(
-                                "multiple SignedBy expressions"));
+                                "multiple.SignedBy.expressions"));
                 e.signedBy = match("quoted string");
 
                 // verify syntax of the aliases
@@ -448,7 +447,7 @@
                     throw new ParsingException(
                             st.lineno(),
                             ResourcesMgr.getString(
-                                "SignedBy has empty alias"));
+                                "SignedBy.has.empty.alias"));
 
                 peekAndMatch(",");
             } else if (peekAndMatch("Principal")) {
@@ -491,8 +490,7 @@
                         throw new ParsingException
                                 (st.lineno(),
                                  ResourcesMgr.getString
-                                    ("can not specify Principal with a " +
-                                     "wildcard class without a wildcard name"));
+                                    ("can.not.specify.Principal.with.a.wildcard.class.without.a.wildcard.name"));
                     }
                 }
 
@@ -529,8 +527,7 @@
             } else {
                 throw new ParsingException(st.lineno(),
                                   ResourcesMgr.getString(
-                                      "expected codeBase or SignedBy or " +
-                                      "Principal"));
+                                      "expected.codeBase.or.SignedBy.or.Principal"));
             }
         }
 
@@ -554,7 +551,7 @@
                 throw new
                     ParsingException(st.lineno(),
                                      ResourcesMgr.getString(
-                                        "expected permission entry"));
+                                        "expected.permission.entry"));
             }
         }
         match("}");
@@ -727,12 +724,12 @@
         switch (lookahead) {
         case StreamTokenizer.TT_NUMBER:
             throw new ParsingException(st.lineno(), expect,
-                                       ResourcesMgr.getString("number ") +
+                                       ResourcesMgr.getString("number.") +
                                        String.valueOf(st.nval));
         case StreamTokenizer.TT_EOF:
             MessageFormat form = new MessageFormat(
                     ResourcesMgr.getString
-                            ("expected [expect], read [end of file]"));
+                            ("expected.expect.read.end.of.file."));
             Object[] source = {expect};
             throw new ParsingException(form.format(source));
         case StreamTokenizer.TT_WORD:
@@ -809,11 +806,11 @@
             switch (lookahead) {
             case StreamTokenizer.TT_NUMBER:
                 throw new ParsingException(st.lineno(), ";",
-                                          ResourcesMgr.getString("number ") +
+                                          ResourcesMgr.getString("number.") +
                                           String.valueOf(st.nval));
             case StreamTokenizer.TT_EOF:
                 throw new ParsingException(ResourcesMgr.getString
-                        ("expected [;], read [end of file]"));
+                        ("expected.read.end.of.file."));
             default:
                 lookahead = st.nextToken();
             }
@@ -973,7 +970,7 @@
         public PrincipalEntry(String principalClass, String principalName) {
             if (principalClass == null || principalName == null)
                 throw new NullPointerException(ResourcesMgr.getString(
-                                  "null principalClass or principalName"));
+                                  "null.principalClass.or.principalName"));
             this.principalClass = principalClass;
             this.principalName = principalName;
         }
@@ -1199,7 +1196,7 @@
         public ParsingException(int line, String msg) {
             super("line " + line + ": " + msg);
             MessageFormat form = new MessageFormat
-                (ResourcesMgr.getString("line number: msg"));
+                (ResourcesMgr.getString("line.number.msg"));
             Object[] source = {new Integer(line), msg};
             i18nMessage = form.format(source);
         }
@@ -1208,7 +1205,7 @@
             super("line " + line + ": expected [" + expect +
                 "], found [" + actual + "]");
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("line number: expected [expect], found [actual]"));
+                ("line.number.expected.expect.found.actual."));
             Object[] source = {new Integer(line), expect, actual};
             i18nMessage = form.format(source);
         }
--- a/src/share/classes/sun/security/tools/JarSigner.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/tools/JarSigner.java	Fri Dec 03 11:30:28 2010 -0800
@@ -205,7 +205,7 @@
 
                     if (!(obj instanceof Provider)) {
                         MessageFormat form = new MessageFormat(rb.getString
-                            ("provName not a provider"));
+                            ("provName.not.a.provider"));
                         Object[] source = {provName};
                         throw new Exception(form.format(source));
                     }
@@ -218,7 +218,7 @@
                     loadKeyStore(keystore, false);
                 } catch (Exception e) {
                     if ((keystore != null) || (storepass != null)) {
-                        System.out.println(rb.getString("jarsigner error: ") +
+                        System.out.println(rb.getString("jarsigner.error.") +
                                         e.getMessage());
                         System.exit(1);
                     }
@@ -264,7 +264,7 @@
                 signJar(jarfile, alias, args);
             }
         } catch (Exception e) {
-            System.out.println(rb.getString("jarsigner error: ") + e);
+            System.out.println(rb.getString("jarsigner.error.") + e);
             if (debug) {
                 e.printStackTrace();
             }
@@ -420,7 +420,7 @@
                     }
                 } else {
                     System.err.println(
-                            rb.getString("Illegal option: ") + flags);
+                            rb.getString("Illegal.option.") + flags);
                     usage();
                 }
             }
@@ -430,15 +430,15 @@
         if (verbose == null) showcerts = false;
 
         if (jarfile == null) {
-            System.err.println(rb.getString("Please specify jarfile name"));
+            System.err.println(rb.getString("Please.specify.jarfile.name"));
             usage();
         }
         if (!verify && alias == null) {
-            System.err.println(rb.getString("Please specify alias name"));
+            System.err.println(rb.getString("Please.specify.alias.name"));
             usage();
         }
         if (!verify && ckaliases.size() > 1) {
-            System.err.println(rb.getString("Only one alias can be specified"));
+            System.err.println(rb.getString("Only.one.alias.can.be.specified"));
             usage();
         }
 
@@ -471,30 +471,27 @@
 
         if (token && !nullStream) {
             System.err.println(MessageFormat.format(rb.getString
-                ("-keystore must be NONE if -storetype is {0}"), storetype));
+                (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
             usage();
         }
 
         if (token && keypass != null) {
             System.err.println(MessageFormat.format(rb.getString
-                ("-keypass can not be specified " +
-                "if -storetype is {0}"), storetype));
+                (".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
             usage();
         }
 
         if (protectedPath) {
             if (storepass != null || keypass != null) {
                 System.err.println(rb.getString
-                        ("If -protected is specified, " +
-                        "then -storepass and -keypass must not be specified"));
+                        ("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
                 usage();
             }
         }
         if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
             if (storepass != null || keypass != null) {
                 System.err.println(rb.getString
-                        ("If keystore is not password protected, " +
-                        "then -storepass and -keypass must not be specified"));
+                        ("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
                 usage();
             }
         }
@@ -508,94 +505,94 @@
     }
 
     static void usageNoArg() {
-        System.out.println(rb.getString("Option lacks argument"));
+        System.out.println(rb.getString("Option.lacks.argument"));
         usage();
     }
 
     static void usage() {
         System.out.println();
-        System.out.println(rb.getString("Please type jarsigner -help for usage"));
+        System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
         System.exit(1);
     }
 
     static void fullusage() {
         System.out.println(rb.getString
-                ("Usage: jarsigner [options] jar-file alias"));
+                ("Usage.jarsigner.options.jar.file.alias"));
         System.out.println(rb.getString
-                ("       jarsigner -verify [options] jar-file [alias...]"));
+                (".jarsigner.verify.options.jar.file.alias."));
         System.out.println();
         System.out.println(rb.getString
-                ("[-keystore <url>]           keystore location"));
+                (".keystore.url.keystore.location"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-storepass <password>]     password for keystore integrity"));
+                (".storepass.password.password.for.keystore.integrity"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-storetype <type>]         keystore type"));
+                (".storetype.type.keystore.type"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-keypass <password>]       password for private key (if different)"));
+                (".keypass.password.password.for.private.key.if.different."));
         System.out.println();
         System.out.println(rb.getString
-                ("[-certchain <file>]         name of alternative certchain file"));
+                (".certchain.file.name.of.alternative.certchain.file"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-sigfile <file>]           name of .SF/.DSA file"));
+                (".sigfile.file.name.of.SF.DSA.file"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-signedjar <file>]         name of signed JAR file"));
+                (".signedjar.file.name.of.signed.JAR.file"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-digestalg <algorithm>]    name of digest algorithm"));
+                (".digestalg.algorithm.name.of.digest.algorithm"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-sigalg <algorithm>]       name of signature algorithm"));
+                (".sigalg.algorithm.name.of.signature.algorithm"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-crl[:auto| <file>]        include CRL in signed jar"));
+                (".crl.auto.file.include.CRL.in.signed.jar"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-verify]                   verify a signed JAR file"));
+                (".verify.verify.a.signed.JAR.file"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-verbose[:suboptions]]     verbose output when signing/verifying."));
+                (".verbose.suboptions.verbose.output.when.signing.verifying."));
         System.out.println(rb.getString
-                ("                            suboptions can be all, grouped or summary"));
+                (".suboptions.can.be.all.grouped.or.summary"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-certs]                    display certificates when verbose and verifying"));
+                (".certs.display.certificates.when.verbose.and.verifying"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-tsa <url>]                location of the Timestamping Authority"));
+                (".tsa.url.location.of.the.Timestamping.Authority"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-tsacert <alias>]          public key certificate for Timestamping Authority"));
+                (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-altsigner <class>]        class name of an alternative signing mechanism"));
+                (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-altsignerpath <pathlist>] location of an alternative signing mechanism"));
+                (".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-internalsf]               include the .SF file inside the signature block"));
+                (".internalsf.include.the.SF.file.inside.the.signature.block"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-sectionsonly]             don't compute hash of entire manifest"));
+                (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-protected]                keystore has protected authentication path"));
+                (".protected.keystore.has.protected.authentication.path"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-providerName <name>]      provider name"));
+                (".providerName.name.provider.name"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-providerClass <class>     name of cryptographic service provider's"));
+                (".providerClass.class.name.of.cryptographic.service.provider.s"));
         System.out.println(rb.getString
-                ("  [-providerArg <arg>]] ... master class file and constructor argument"));
+                (".providerArg.arg.master.class.file.and.constructor.argument"));
         System.out.println();
         System.out.println(rb.getString
-                ("[-strict]                   treat warnings as errors"));
+                (".strict.treat.warnings.as.errors"));
         System.out.println();
 
         System.exit(0);
@@ -644,7 +641,7 @@
                 Enumeration<JarEntry> e = entriesVec.elements();
 
                 long now = System.currentTimeMillis();
-                String tab = rb.getString("      ");
+                String tab = rb.getString("6SPACE");
 
                 while (e.hasMoreElements()) {
                     JarEntry je = e.nextElement();
@@ -672,12 +669,12 @@
                              (man.getAttributes("./"+name) != null) ||
                              (man.getAttributes("/"+name) != null));
                         sb.append(
-                          (isSigned ? rb.getString("s") : rb.getString(" ")) +
-                          (inManifest ? rb.getString("m") : rb.getString(" ")) +
-                          (inStore ? rb.getString("k") : rb.getString(" ")) +
-                          (inScope ? rb.getString("i") : rb.getString(" ")) +
+                          (isSigned ? rb.getString("s") : rb.getString("SPACE")) +
+                          (inManifest ? rb.getString("m") : rb.getString("SPACE")) +
+                          (inStore ? rb.getString("k") : rb.getString("SPACE")) +
+                          (inScope ? rb.getString("i") : rb.getString("SPACE")) +
                           ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
-                          rb.getString(" "));
+                          rb.getString("SPACE"));
                         sb.append("|");
                     }
 
@@ -701,7 +698,7 @@
                                         if (crl instanceof X509CRLImpl) {
                                             sb.append(tab).append("[");
                                             sb.append(String.format(
-                                                    rb.getString("with a CRL including %d entries"),
+                                                    rb.getString("with.a.CRL.including.d.entries"),
                                                     ((X509CRLImpl)crl).getRevokedCertificates().size()))
                                                 .append("]\n");
                                         }
@@ -714,10 +711,10 @@
                         // to be consistent with old behavior.
                         if (signatureRelated(name)) {
                             sb.append("\n" + tab + rb.getString(
-                                    "(Signature related entries)") + "\n\n");
+                                    ".Signature.related.entries.") + "\n\n");
                         } else {
                             sb.append("\n" + tab + rb.getString(
-                                    "(Unsigned entries)") + "\n\n");
+                                    ".Unsigned.entries.") + "\n\n");
                         }
                     }
 
@@ -773,7 +770,7 @@
                             if (files.size() > 1) {
                                 System.out.println(files.get(0) + " " +
                                         String.format(rb.getString(
-                                        "(and %d more)"), files.size()-1));
+                                        ".and.d.more."), files.size()-1));
                             } else {
                                 System.out.println(files.get(0));
                             }
@@ -783,89 +780,89 @@
                 }
                 System.out.println();
                 System.out.println(rb.getString(
-                    "  s = signature was verified "));
+                    ".s.signature.was.verified."));
                 System.out.println(rb.getString(
-                    "  m = entry is listed in manifest"));
+                    ".m.entry.is.listed.in.manifest"));
                 System.out.println(rb.getString(
-                    "  k = at least one certificate was found in keystore"));
+                    ".k.at.least.one.certificate.was.found.in.keystore"));
                 System.out.println(rb.getString(
-                    "  i = at least one certificate was found in identity scope"));
+                    ".i.at.least.one.certificate.was.found.in.identity.scope"));
                 if (ckaliases.size() > 0) {
-                    System.out.println((
-                        "  X = not signed by specified alias(es)"));
+                    System.out.println(rb.getString(
+                        ".X.not.signed.by.specified.alias.es."));
                 }
                 System.out.println();
             }
             if (man == null)
-                System.out.println(rb.getString("no manifest."));
+                System.out.println(rb.getString("no.manifest."));
 
             if (!anySigned) {
                 System.out.println(rb.getString(
-                      "jar is unsigned. (signatures missing or not parsable)"));
+                      "jar.is.unsigned.signatures.missing.or.not.parsable."));
             } else {
-                System.out.println(rb.getString("jar verified."));
+                System.out.println(rb.getString("jar.verified."));
                 if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
                     badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
                     notYetValidCert || chainNotValidated ||
                     aliasNotInStore || notSignedByAlias) {
 
                     System.out.println();
-                    System.out.println(rb.getString("Warning: "));
+                    System.out.println(rb.getString("Warning."));
                     if (badKeyUsage) {
                         System.out.println(
-                            rb.getString("This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."));
+                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
                     }
 
                     if (badExtendedKeyUsage) {
                         System.out.println(
-                            rb.getString("This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."));
+                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
                     }
 
                     if (badNetscapeCertType) {
                         System.out.println(
-                            rb.getString("This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."));
+                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
                     }
 
                     if (hasUnsignedEntry) {
                         System.out.println(rb.getString(
-                            "This jar contains unsigned entries which have not been integrity-checked. "));
+                            "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
                     }
                     if (hasExpiredCert) {
                         System.out.println(rb.getString(
-                            "This jar contains entries whose signer certificate has expired. "));
+                            "This.jar.contains.entries.whose.signer.certificate.has.expired."));
                     }
                     if (hasExpiringCert) {
                         System.out.println(rb.getString(
-                            "This jar contains entries whose signer certificate will expire within six months. "));
+                            "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
                     }
                     if (notYetValidCert) {
                         System.out.println(rb.getString(
-                            "This jar contains entries whose signer certificate is not yet valid. "));
+                            "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
                     }
 
                     if (chainNotValidated) {
                         System.out.println(
-                                rb.getString("This jar contains entries whose certificate chain is not validated."));
+                                rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated."));
                     }
 
                     if (notSignedByAlias) {
                         System.out.println(
-                                rb.getString("This jar contains signed entries which is not signed by the specified alias(es)."));
+                                rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
                     }
 
                     if (aliasNotInStore) {
-                        System.out.println(rb.getString("This jar contains signed entries that's not signed by alias in this keystore."));
+                        System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
                     }
                     if (! (verbose != null && showcerts)) {
                         System.out.println();
                         System.out.println(rb.getString(
-                            "Re-run with the -verbose and -certs options for more details."));
+                            "Re.run.with.the.verbose.and.certs.options.for.more.details."));
                     }
                 }
             }
             return;
         } catch (Exception e) {
-            System.out.println(rb.getString("jarsigner: ") + e);
+            System.out.println(rb.getString("jarsigner.") + e);
             if (debug) {
                 e.printStackTrace();
             }
@@ -895,13 +892,13 @@
         long now) {
 
         StringBuilder certStr = new StringBuilder();
-        String space = rb.getString(" ");
+        String space = rb.getString("SPACE");
         X509Certificate x509Cert = null;
 
         if (c instanceof X509Certificate) {
             x509Cert = (X509Certificate) c;
             certStr.append(tab).append(x509Cert.getType())
-                .append(rb.getString(", "))
+                .append(rb.getString("COMMA"))
                 .append(x509Cert.getSubjectDN().getName());
         } else {
             certStr.append(tab).append(c.getType());
@@ -927,7 +924,7 @@
 
                     if (expiringTimeForm == null) {
                         expiringTimeForm = new MessageFormat(
-                            rb.getString("certificate will expire on"));
+                            rb.getString("certificate.will.expire.on"));
                     }
                     Object[] source = { notAfter };
                     certStr.append(expiringTimeForm.format(source));
@@ -935,7 +932,7 @@
                 } else {
                     if (validityTimeForm == null) {
                         validityTimeForm = new MessageFormat(
-                            rb.getString("certificate is valid from"));
+                            rb.getString("certificate.is.valid.from"));
                     }
                     Object[] source = { x509Cert.getNotBefore(), notAfter };
                     certStr.append(validityTimeForm.format(source));
@@ -945,7 +942,7 @@
 
                 if (expiredTimeForm == null) {
                     expiredTimeForm = new MessageFormat(
-                        rb.getString("certificate expired on"));
+                        rb.getString("certificate.expired.on"));
                 }
                 Object[] source = { notAfter };
                 certStr.append(expiredTimeForm.format(source));
@@ -955,7 +952,7 @@
 
                 if (notYetTimeForm == null) {
                     notYetTimeForm = new MessageFormat(
-                        rb.getString("certificate is not valid until"));
+                        rb.getString("certificate.is.not.valid.until"));
                 }
                 Object[] source = { x509Cert.getNotBefore() };
                 certStr.append(notYetTimeForm.format(source));
@@ -979,7 +976,7 @@
                 }
                 certStr.append("\n").append(tab)
                         .append(MessageFormat.format(rb.getString(
-                        "[{0} extension does not support code signing]"), x));
+                        ".{0}.extension.does.not.support.code.signing."), x));
             }
         }
         return certStr.toString();
@@ -991,7 +988,7 @@
 
         if (signTimeForm == null) {
             signTimeForm =
-                new MessageFormat(rb.getString("entry was signed on"));
+                new MessageFormat(rb.getString("entry.was.signed.on"));
         }
         Object[] source = { timestamp.getTimestamp() };
 
@@ -1093,7 +1090,7 @@
                 } else {
                  throw new
                    RuntimeException(rb.getString
-                        ("signature filename must consist of the following characters: A-Z, 0-9, _ or -"));
+                        ("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or."));
                 }
             }
             tmpSigFile.append(c);
@@ -1112,14 +1109,14 @@
         try {
             zipFile = new ZipFile(jarName);
         } catch (IOException ioe) {
-            error(rb.getString("unable to open jar file: ")+jarName, ioe);
+            error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
         }
 
         FileOutputStream fos = null;
         try {
             fos = new FileOutputStream(signedJarFile);
         } catch (IOException ioe) {
-            error(rb.getString("unable to create: ")+tmpJarName, ioe);
+            error(rb.getString("unable.to.create.")+tmpJarName, ioe);
         }
 
         PrintStream ps = new PrintStream(fos);
@@ -1263,10 +1260,10 @@
             }
             if (verbose != null) {
                 if (mfCreated) {
-                    System.out.println(rb.getString("   adding: ") +
+                    System.out.println(rb.getString(".adding.") +
                                         mfFile.getName());
                 } else if (mfModified) {
-                    System.out.println(rb.getString(" updating: ") +
+                    System.out.println(rb.getString(".updating.") +
                                         mfFile.getName());
                 }
             }
@@ -1291,10 +1288,10 @@
                         zipFile);
             } catch (SocketTimeoutException e) {
                 // Provide a helpful message when TSA is beyond a firewall
-                error(rb.getString("unable to sign jar: ") +
-                rb.getString("no response from the Timestamping Authority. ") +
-                rb.getString("When connecting from behind a firewall then an HTTP proxy may need to be specified. ") +
-                rb.getString("Supply the following options to jarsigner: ") +
+                error(rb.getString("unable.to.sign.jar.") +
+                rb.getString("no.response.from.the.Timestamping.Authority.") +
+                rb.getString("When.connecting.from.behind.a.firewall.then.an.HTTP.proxy.may.need.to.be.specified.") +
+                rb.getString("Supply.the.following.options.to.jarsigner.") +
                 "\n  -J-Dhttp.proxyHost=<hostname> " +
                 "\n  -J-Dhttp.proxyPort=<portnumber> ", e);
             }
@@ -1314,10 +1311,10 @@
             sf.write(zos);
             if (verbose != null) {
                 if (zipFile.getEntry(sfFilename) != null) {
-                    System.out.println(rb.getString(" updating: ") +
+                    System.out.println(rb.getString(".updating.") +
                                 sfFilename);
                 } else {
-                    System.out.println(rb.getString("   adding: ") +
+                    System.out.println(rb.getString(".adding.") +
                                 sfFilename);
                 }
             }
@@ -1325,24 +1322,24 @@
             if (verbose != null) {
                 if (tsaUrl != null || tsaCert != null) {
                     System.out.println(
-                        rb.getString("requesting a signature timestamp"));
+                        rb.getString("requesting.a.signature.timestamp"));
                 }
                 if (tsaUrl != null) {
-                    System.out.println(rb.getString("TSA location: ") + tsaUrl);
+                    System.out.println(rb.getString("TSA.location.") + tsaUrl);
                 }
                 if (tsaCert != null) {
                     String certUrl =
                         TimestampedSigner.getTimestampingUrl(tsaCert);
                     if (certUrl != null) {
-                        System.out.println(rb.getString("TSA location: ") +
+                        System.out.println(rb.getString("TSA.location.") +
                             certUrl);
                     }
-                    System.out.println(rb.getString("TSA certificate: ") +
+                    System.out.println(rb.getString("TSA.certificate.") +
                         printCert("", tsaCert, false, 0));
                 }
                 if (signingMechanism != null) {
                     System.out.println(
-                        rb.getString("using an alternative signing mechanism"));
+                        rb.getString("using.an.alternative.signing.mechanism"));
                 }
             }
 
@@ -1351,10 +1348,10 @@
             block.write(zos);
             if (verbose != null) {
                 if (zipFile.getEntry(bkFilename) != null) {
-                    System.out.println(rb.getString(" updating: ") +
+                    System.out.println(rb.getString(".updating.") +
                         bkFilename);
                 } else {
-                    System.out.println(rb.getString("   adding: ") +
+                    System.out.println(rb.getString(".adding.") +
                         bkFilename);
                 }
             }
@@ -1378,17 +1375,17 @@
                 if (!ze.getName().startsWith(META_INF)) {
                     if (verbose != null) {
                         if (manifest.getAttributes(ze.getName()) != null)
-                          System.out.println(rb.getString("  signing: ") +
+                          System.out.println(rb.getString(".signing.") +
                                 ze.getName());
                         else
-                          System.out.println(rb.getString("   adding: ") +
+                          System.out.println(rb.getString(".adding.") +
                                 ze.getName());
                     }
                     writeEntry(zipFile, zos, ze);
                 }
             }
         } catch(IOException ioe) {
-            error(rb.getString("unable to sign jar: ")+ioe, ioe);
+            error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
         } finally {
             // close the resouces
             if (zipFile != null) {
@@ -1416,13 +1413,13 @@
                             origJar.delete();
                         } else {
                             MessageFormat form = new MessageFormat(rb.getString
-                        ("attempt to rename signedJarFile to jarFile failed"));
+                        ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
                             Object[] source = {signedJarFile, jarFile};
                             error(form.format(source));
                         }
                     } else {
                         MessageFormat form = new MessageFormat(rb.getString
-                            ("attempt to rename jarFile to origJar failed"));
+                            ("attempt.to.rename.jarFile.to.origJar.failed"));
                         Object[] source = {jarFile, origJar};
                         error(form.format(source));
                     }
@@ -1434,43 +1431,43 @@
                     || badNetscapeCertType || chainNotValidated) {
                 System.out.println();
 
-                System.out.println(rb.getString("Warning: "));
+                System.out.println(rb.getString("Warning."));
                 if (badKeyUsage) {
                     System.out.println(
-                        rb.getString("The signer certificate's KeyUsage extension doesn't allow code signing."));
+                        rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
                 }
 
                 if (badExtendedKeyUsage) {
                     System.out.println(
-                        rb.getString("The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."));
+                        rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
                 }
 
                 if (badNetscapeCertType) {
                     System.out.println(
-                        rb.getString("The signer certificate's NetscapeCertType extension doesn't allow code signing."));
+                        rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
                 }
 
                 if (hasExpiredCert) {
                     System.out.println(
-                        rb.getString("The signer certificate has expired."));
+                        rb.getString("The.signer.certificate.has.expired."));
                 } else if (hasExpiringCert) {
                     System.out.println(
-                        rb.getString("The signer certificate will expire within six months."));
+                        rb.getString("The.signer.certificate.will.expire.within.six.months."));
                 } else if (notYetValidCert) {
                     System.out.println(
-                        rb.getString("The signer certificate is not yet valid."));
+                        rb.getString("The.signer.certificate.is.not.yet.valid."));
                 }
 
                 if (chainNotValidated) {
                     System.out.println(
-                            rb.getString("The signer's certificate chain is not validated."));
+                            rb.getString("The.signer.s.certificate.chain.is.not.validated."));
                 }
             }
 
         // no IOException thrown in the above try clause, so disable
         // the catch clause.
         // } catch(IOException ioe) {
-        //     error(rb.getString("unable to sign jar: ")+ioe, ioe);
+        //     error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
         // }
     }
 
@@ -1557,7 +1554,7 @@
             validator.validate(cp, pkixParameters);
         } catch (Exception e) {
             chainNotValidated = true;
-            s.append(tab + rb.getString("[CertPath not validated: ") +
+            s.append(tab + rb.getString(".CertPath.not.validated.") +
                     e.getLocalizedMessage() + "]\n");   // TODO
         }
         String result = s.toString();
@@ -1624,10 +1621,10 @@
             if (token && storepass == null && !protectedPath
                     && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
                 storepass = getPass
-                        (rb.getString("Enter Passphrase for keystore: "));
+                        (rb.getString("Enter.Passphrase.for.keystore."));
             } else if (!token && storepass == null && prompt) {
                 storepass = getPass
-                        (rb.getString("Enter Passphrase for keystore: "));
+                        (rb.getString("Enter.Passphrase.for.keystore."));
             }
 
             if (nullStream) {
@@ -1694,20 +1691,20 @@
                 // Only if tas is empty
             }
         } catch (IOException ioe) {
-            throw new RuntimeException(rb.getString("keystore load: ") +
+            throw new RuntimeException(rb.getString("keystore.load.") +
                                         ioe.getMessage());
         } catch (java.security.cert.CertificateException ce) {
-            throw new RuntimeException(rb.getString("certificate exception: ") +
+            throw new RuntimeException(rb.getString("certificate.exception.") +
                                         ce.getMessage());
         } catch (NoSuchProviderException pe) {
-            throw new RuntimeException(rb.getString("keystore load: ") +
+            throw new RuntimeException(rb.getString("keystore.load.") +
                                         pe.getMessage());
         } catch (NoSuchAlgorithmException nsae) {
-            throw new RuntimeException(rb.getString("keystore load: ") +
+            throw new RuntimeException(rb.getString("keystore.load.") +
                                         nsae.getMessage());
         } catch (KeyStoreException kse) {
             throw new RuntimeException
-                (rb.getString("unable to instantiate keystore class: ") +
+                (rb.getString("unable.to.instantiate.keystore.class.") +
                 kse.getMessage());
         }
     }
@@ -1723,7 +1720,7 @@
         }
         if (cs == null || (!(cs instanceof X509Certificate))) {
             MessageFormat form = new MessageFormat(rb.getString
-                ("Certificate not found for: alias.  alias must reference a valid KeyStore entry containing an X.509 public key certificate for the Timestamping Authority."));
+                ("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
             Object[] source = {alias, alias};
             error(form.format(source));
         }
@@ -1816,9 +1813,9 @@
                             generateCertificates(new FileInputStream(altCertChain)).
                             toArray(new Certificate[0]);
                 } catch (CertificateException ex) {
-                    error(rb.getString("Cannot restore certchain from file specified"));
+                    error(rb.getString("Cannot.restore.certchain.from.file.specified"));
                 } catch (FileNotFoundException ex) {
-                    error(rb.getString("File specified by -certchain does not exist"));
+                    error(rb.getString("File.specified.by.certchain.does.not.exist"));
                 }
             } else {
                 try {
@@ -1830,12 +1827,10 @@
             if (cs == null || cs.length == 0) {
                 if (altCertChain != null) {
                     error(rb.getString
-                            ("Certificate chain not found in the file specified."));
+                            ("Certificate.chain.not.found.in.the.file.specified."));
                 } else {
                     MessageFormat form = new MessageFormat(rb.getString
-                        ("Certificate chain not found for: alias.  alias must" +
-                        " reference a valid KeyStore key entry containing a" +
-                        " private key and corresponding public key certificate chain."));
+                        ("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
                     Object[] source = {alias, alias};
                     error(form.format(source));
                 }
@@ -1845,7 +1840,7 @@
             for (int i=0; i<cs.length; i++) {
                 if (!(cs[i] instanceof X509Certificate)) {
                     error(rb.getString
-                        ("found non-X.509 certificate in signer's chain"));
+                        ("found.non.X.509.certificate.in.signer.s.chain"));
                 }
                 certChain[i] = (X509Certificate)cs[i];
             }
@@ -1872,7 +1867,7 @@
                 } else if (keypass == null) {
                     // Did not work out, so prompt user for key password
                     MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter key password for alias: "));
+                        ("Enter.key.password.for.alias."));
                     Object[] source = {alias};
                     keypass = getPass(form.format(source));
                     key = store.getKey(alias, keypass);
@@ -1881,14 +1876,14 @@
         } catch (NoSuchAlgorithmException e) {
             error(e.getMessage());
         } catch (UnrecoverableKeyException e) {
-            error(rb.getString("unable to recover key from keystore"));
+            error(rb.getString("unable.to.recover.key.from.keystore"));
         } catch (KeyStoreException kse) {
             // this never happens, because keystore has been loaded
         }
 
         if (!(key instanceof PrivateKey)) {
             MessageFormat form = new MessageFormat(rb.getString
-                ("key associated with alias not a private key"));
+                ("key.associated.with.alias.not.a.private.key"));
             Object[] source = {alias};
             error(form.format(source));
         } else {
@@ -1898,14 +1893,14 @@
 
     void error(String message)
     {
-        System.out.println(rb.getString("jarsigner: ")+message);
+        System.out.println(rb.getString("jarsigner.")+message);
         System.exit(1);
     }
 
 
     void error(String message, Exception e)
     {
-        System.out.println(rb.getString("jarsigner: ")+message);
+        System.out.println(rb.getString("jarsigner.")+message);
         if (debug) {
             e.printStackTrace();
         }
@@ -1920,12 +1915,12 @@
             char[] pass = Password.readPassword(System.in);
 
             if (pass == null) {
-                error(rb.getString("you must enter key password"));
+                error(rb.getString("you.must.enter.key.password"));
             } else {
                 return pass;
             }
         } catch (IOException ioe) {
-            error(rb.getString("unable to read password: ")+ioe.getMessage());
+            error(rb.getString("unable.to.read.password.")+ioe.getMessage());
         }
         // this shouldn't happen
         return null;
@@ -2113,7 +2108,7 @@
         Object signer = signerClass.newInstance();
         if (!(signer instanceof ContentSigner)) {
             MessageFormat form = new MessageFormat(
-                rb.getString("signerClass is not a signing mechanism"));
+                rb.getString("signerClass.is.not.a.signing.mechanism"));
             Object[] source = {signerClass.getName()};
             throw new IllegalArgumentException(form.format(source));
         }
--- a/src/share/classes/sun/security/tools/JarSignerResources.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/tools/JarSignerResources.java	Fri Dec 03 11:30:28 2010 -0800
@@ -35,201 +35,201 @@
     private static final Object[][] contents = {
 
         // shared (from jarsigner)
-        {" ", " "},
-        {"  ", "  "},
-        {"      ", "      "},
-        {", ", ", "},
+        {"SPACE", " "},
+        {"2SPACE", "  "},
+        {"6SPACE", "      "},
+        {"COMMA", ", "},
 
-        {"provName not a provider", "{0} not a provider"},
-        {"signerClass is not a signing mechanism", "{0} is not a signing mechanism"},
-        {"jarsigner error: ", "jarsigner error: "},
-        {"Illegal option: ", "Illegal option: "},
-        {"-keystore must be NONE if -storetype is {0}",
+        {"provName.not.a.provider", "{0} not a provider"},
+        {"signerClass.is.not.a.signing.mechanism", "{0} is not a signing mechanism"},
+        {"jarsigner.error.", "jarsigner error: "},
+        {"Illegal.option.", "Illegal option: "},
+        {".keystore.must.be.NONE.if.storetype.is.{0}",
                 "-keystore must be NONE if -storetype is {0}"},
-        {"-keypass can not be specified if -storetype is {0}",
+        {".keypass.can.not.be.specified.if.storetype.is.{0}",
                 "-keypass can not be specified if -storetype is {0}"},
-        {"If -protected is specified, then -storepass and -keypass must not be specified",
+        {"If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified",
                 "If -protected is specified, then -storepass and -keypass must not be specified"},
-        {"If keystore is not password protected, then -storepass and -keypass must not be specified",
+        {"If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified",
                  "If keystore is not password protected, then -storepass and -keypass must not be specified"},
-        {"Usage: jarsigner [options] jar-file alias",
+        {"Usage.jarsigner.options.jar.file.alias",
                 "Usage: jarsigner [options] jar-file alias"},
-        {"       jarsigner -verify [options] jar-file [alias...]",
+        {".jarsigner.verify.options.jar.file.alias.",
                 "       jarsigner -verify [options] jar-file [alias...]"},
-        {"[-keystore <url>]           keystore location",
+        {".keystore.url.keystore.location",
                 "[-keystore <url>]           keystore location"},
-        {"[-storepass <password>]     password for keystore integrity",
+        {".storepass.password.password.for.keystore.integrity",
             "[-storepass <password>]     password for keystore integrity"},
-        {"[-storetype <type>]         keystore type",
+        {".storetype.type.keystore.type",
                 "[-storetype <type>]         keystore type"},
-        {"[-keypass <password>]       password for private key (if different)",
+        {".keypass.password.password.for.private.key.if.different.",
                 "[-keypass <password>]       password for private key (if different)"},
-        {"[-certchain <file>]         name of alternative certchain file",
+        {".certchain.file.name.of.alternative.certchain.file",
                 "[-certchain <file>]         name of alternative certchain file"},
-        {"[-sigfile <file>]           name of .SF/.DSA file",
+        {".sigfile.file.name.of.SF.DSA.file",
                 "[-sigfile <file>]           name of .SF/.DSA file"},
-        {"[-signedjar <file>]         name of signed JAR file",
+        {".signedjar.file.name.of.signed.JAR.file",
                 "[-signedjar <file>]         name of signed JAR file"},
-        {"[-digestalg <algorithm>]    name of digest algorithm",
+        {".digestalg.algorithm.name.of.digest.algorithm",
                 "[-digestalg <algorithm>]    name of digest algorithm"},
-        {"[-sigalg <algorithm>]       name of signature algorithm",
+        {".sigalg.algorithm.name.of.signature.algorithm",
                 "[-sigalg <algorithm>]       name of signature algorithm"},
-        {"[-crl[:auto| <file>]        include CRL in signed jar",
+        {".crl.auto.file.include.CRL.in.signed.jar",
                 "[-crl[:auto| <file>]        include CRL in signed jar"},
-        {"[-verify]                   verify a signed JAR file",
+        {".verify.verify.a.signed.JAR.file",
                 "[-verify]                   verify a signed JAR file"},
-        {"[-verbose[:suboptions]]     verbose output when signing/verifying.",
+        {".verbose.suboptions.verbose.output.when.signing.verifying.",
                 "[-verbose[:suboptions]]     verbose output when signing/verifying."},
-        {"                            suboptions can be all, grouped or summary",
+        {".suboptions.can.be.all.grouped.or.summary",
                 "                            suboptions can be all, grouped or summary"},
-        {"[-certs]                    display certificates when verbose and verifying",
+        {".certs.display.certificates.when.verbose.and.verifying",
                 "[-certs]                    display certificates when verbose and verifying"},
-        {"[-tsa <url>]                location of the Timestamping Authority",
+        {".tsa.url.location.of.the.Timestamping.Authority",
                 "[-tsa <url>]                location of the Timestamping Authority"},
-        {"[-tsacert <alias>]          public key certificate for Timestamping Authority",
+        {".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
                 "[-tsacert <alias>]          public key certificate for Timestamping Authority"},
-        {"[-altsigner <class>]        class name of an alternative signing mechanism",
+        {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
                 "[-altsigner <class>]        class name of an alternative signing mechanism"},
-        {"[-altsignerpath <pathlist>] location of an alternative signing mechanism",
+        {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
                 "[-altsignerpath <pathlist>] location of an alternative signing mechanism"},
-        {"[-internalsf]               include the .SF file inside the signature block",
+        {".internalsf.include.the.SF.file.inside.the.signature.block",
                 "[-internalsf]               include the .SF file inside the signature block"},
-        {"[-sectionsonly]             don't compute hash of entire manifest",
+        {".sectionsonly.don.t.compute.hash.of.entire.manifest",
                 "[-sectionsonly]             don't compute hash of entire manifest"},
-        {"[-protected]                keystore has protected authentication path",
+        {".protected.keystore.has.protected.authentication.path",
                 "[-protected]                keystore has protected authentication path"},
-        {"[-providerName <name>]      provider name",
+        {".providerName.name.provider.name",
                 "[-providerName <name>]      provider name"},
-        {"[-providerClass <class>     name of cryptographic service provider's",
+        {".providerClass.class.name.of.cryptographic.service.provider.s",
                 "[-providerClass <class>     name of cryptographic service provider's"},
-        {"  [-providerArg <arg>]] ... master class file and constructor argument",
+        {".providerArg.arg.master.class.file.and.constructor.argument",
                 "  [-providerArg <arg>]] ... master class file and constructor argument"},
-        {"[-strict]                   treat warnings as errors",
+        {".strict.treat.warnings.as.errors",
                 "[-strict]                   treat warnings as errors"},
-        {"Option lacks argument", "Option lacks argument"},
-        {"Please type jarsigner -help for usage", "Please type jarsigner -help for usage"},
-        {"Please specify jarfile name", "Please specify jarfile name"},
-        {"Please specify alias name", "Please specify alias name"},
-        {"Only one alias can be specified", "Only one alias can be specified"},
-        {"This jar contains signed entries which is not signed by the specified alias(es).",
+        {"Option.lacks.argument", "Option lacks argument"},
+        {"Please.type.jarsigner.help.for.usage", "Please type jarsigner -help for usage"},
+        {"Please.specify.jarfile.name", "Please specify jarfile name"},
+        {"Please.specify.alias.name", "Please specify alias name"},
+        {"Only.one.alias.can.be.specified", "Only one alias can be specified"},
+        {"This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.",
                  "This jar contains signed entries which is not signed by the specified alias(es)."},
-        {"This jar contains signed entries that's not signed by alias in this keystore.",
+        {"This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.",
                   "This jar contains signed entries that's not signed by alias in this keystore."},
         {"s", "s"},
         {"m", "m"},
         {"k", "k"},
         {"i", "i"},
-        {"(and %d more)", "(and %d more)"},
-        {"  s = signature was verified ",
+        {".and.d.more.", "(and %d more)"},
+        {".s.signature.was.verified.",
                 "  s = signature was verified "},
-        {"  m = entry is listed in manifest",
+        {".m.entry.is.listed.in.manifest",
                 "  m = entry is listed in manifest"},
-        {"  k = at least one certificate was found in keystore",
+        {".k.at.least.one.certificate.was.found.in.keystore",
                 "  k = at least one certificate was found in keystore"},
-        {"  i = at least one certificate was found in identity scope",
+        {".i.at.least.one.certificate.was.found.in.identity.scope",
                 "  i = at least one certificate was found in identity scope"},
-        {"  X = not signed by specified alias(es)",
+        {".X.not.signed.by.specified.alias.es.",
                 "  X = not signed by specified alias(es)"},
-        {"no manifest.", "no manifest."},
-        {"(Signature related entries)","(Signature related entries)"},
-        {"(Unsigned entries)", "(Unsigned entries)"},
-        {"jar is unsigned. (signatures missing or not parsable)",
+        {"no.manifest.", "no manifest."},
+        {".Signature.related.entries.","(Signature related entries)"},
+        {".Unsigned.entries.", "(Unsigned entries)"},
+        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
                 "jar is unsigned. (signatures missing or not parsable)"},
-        {"jar verified.", "jar verified."},
-        {"jarsigner: ", "jarsigner: "},
-        {"signature filename must consist of the following characters: A-Z, 0-9, _ or -",
+        {"jar.verified.", "jar verified."},
+        {"jarsigner.", "jarsigner: "},
+        {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
                 "signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
-        {"unable to open jar file: ", "unable to open jar file: "},
-        {"unable to create: ", "unable to create: "},
-        {"   adding: ", "   adding: "},
-        {" updating: ", " updating: "},
-        {"  signing: ", "  signing: "},
-        {"attempt to rename signedJarFile to jarFile failed",
+        {"unable.to.open.jar.file.", "unable to open jar file: "},
+        {"unable.to.create.", "unable to create: "},
+        {".adding.", "   adding: "},
+        {".updating.", " updating: "},
+        {".signing.", "  signing: "},
+        {"attempt.to.rename.signedJarFile.to.jarFile.failed",
                 "attempt to rename {0} to {1} failed"},
-        {"attempt to rename jarFile to origJar failed",
+        {"attempt.to.rename.jarFile.to.origJar.failed",
                 "attempt to rename {0} to {1} failed"},
-        {"unable to sign jar: ", "unable to sign jar: "},
-        {"Enter Passphrase for keystore: ", "Enter Passphrase for keystore: "},
-        {"keystore load: ", "keystore load: "},
-        {"certificate exception: ", "certificate exception: "},
-        {"unable to instantiate keystore class: ",
+        {"unable.to.sign.jar.", "unable to sign jar: "},
+        {"Enter.Passphrase.for.keystore.", "Enter Passphrase for keystore: "},
+        {"keystore.load.", "keystore load: "},
+        {"certificate.exception.", "certificate exception: "},
+        {"unable.to.instantiate.keystore.class.",
                 "unable to instantiate keystore class: "},
-        {"Certificate chain not found for: alias.  alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.",
+        {"Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and",
                 "Certificate chain not found for: {0}.  {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."},
-        {"File specified by -certchain does not exist",
+        {"File.specified.by.certchain.does.not.exist",
                 "File specified by -certchain does not exist"},
-        {"Cannot restore certchain from file specified",
+        {"Cannot.restore.certchain.from.file.specified",
                 "Cannot restore certchain from file specified"},
-        {"Certificate chain not found in the file specified.",
+        {"Certificate.chain.not.found.in.the.file.specified.",
                 "Certificate chain not found in the file specified."},
-        {"found non-X.509 certificate in signer's chain",
+        {"found.non.X.509.certificate.in.signer.s.chain",
                 "found non-X.509 certificate in signer's chain"},
-        {"incomplete certificate chain", "incomplete certificate chain"},
-        {"Enter key password for alias: ", "Enter key password for {0}: "},
-        {"unable to recover key from keystore",
+        {"incomplete.certificate.chain", "incomplete certificate chain"},
+        {"Enter.key.password.for.alias.", "Enter key password for {0}: "},
+        {"unable.to.recover.key.from.keystore",
                 "unable to recover key from keystore"},
-        {"key associated with alias not a private key",
+        {"key.associated.with.alias.not.a.private.key",
                 "key associated with {0} not a private key"},
-        {"you must enter key password", "you must enter key password"},
-        {"unable to read password: ", "unable to read password: "},
-        {"certificate is valid from", "certificate is valid from {0} to {1}"},
-        {"certificate expired on", "certificate expired on {0}"},
-        {"certificate is not valid until",
+        {"you.must.enter.key.password", "you must enter key password"},
+        {"unable.to.read.password.", "unable to read password: "},
+        {"certificate.is.valid.from", "certificate is valid from {0} to {1}"},
+        {"certificate.expired.on", "certificate expired on {0}"},
+        {"certificate.is.not.valid.until",
                 "certificate is not valid until {0}"},
-        {"certificate will expire on", "certificate will expire on {0}"},
-        {"[CertPath not validated: ", "[CertPath not validated: "},
-        {"requesting a signature timestamp",
+        {"certificate.will.expire.on", "certificate will expire on {0}"},
+        {".CertPath.not.validated.", "[CertPath not validated: "},
+        {"requesting.a.signature.timestamp",
                 "requesting a signature timestamp"},
-        {"TSA location: ", "TSA location: "},
-        {"TSA certificate: ", "TSA certificate: "},
-        {"no response from the Timestamping Authority. ",
+        {"TSA.location.", "TSA location: "},
+        {"TSA.certificate.", "TSA certificate: "},
+        {"no.response.from.the.Timestamping.Authority.",
                 "no response from the Timestamping Authority. "},
-        {"When connecting from behind a firewall then an HTTP proxy may need to be specified. ",
+        {"When.connecting.from.behind.a.firewall.then.an.HTTP.proxy.may.need.to.be.specified.",
                 "When connecting from behind a firewall then an HTTP proxy may need to be specified. "},
-        {"Supply the following options to jarsigner: ",
+        {"Supply.the.following.options.to.jarsigner.",
                 "Supply the following options to jarsigner: "},
-        {"Certificate not found for: alias.  alias must reference a valid KeyStore entry containing an X.509 public key certificate for the Timestamping Authority.",
+        {"Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the",
                 "Certificate not found for: {0}.  {1} must reference a valid KeyStore entry containing an X.509 public key certificate for the Timestamping Authority."},
-        {"using an alternative signing mechanism",
+        {"using.an.alternative.signing.mechanism",
                 "using an alternative signing mechanism"},
-        {"entry was signed on", "entry was signed on {0}"},
-        {"with a CRL including %d entries", "with a CRL including %d entries"},
-        {"Warning: ", "Warning: "},
-        {"This jar contains unsigned entries which have not been integrity-checked. ",
+        {"entry.was.signed.on", "entry was signed on {0}"},
+        {"with.a.CRL.including.d.entries", "with a CRL including %d entries"},
+        {"Warning.", "Warning: "},
+        {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "This jar contains unsigned entries which have not been integrity-checked. "},
-        {"This jar contains entries whose signer certificate has expired. ",
+        {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
                 "This jar contains entries whose signer certificate has expired. "},
-        {"This jar contains entries whose signer certificate will expire within six months. ",
+        {"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.",
                 "This jar contains entries whose signer certificate will expire within six months. "},
-        {"This jar contains entries whose signer certificate is not yet valid. ",
+        {"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.",
                 "This jar contains entries whose signer certificate is not yet valid. "},
-        {"Re-run with the -verbose option for more details.",
+        {"Re.run.with.the.verbose.option.for.more.details.",
                 "Re-run with the -verbose option for more details."},
-        {"Re-run with the -verbose and -certs options for more details.",
+        {"Re.run.with.the.verbose.and.certs.options.for.more.details.",
                 "Re-run with the -verbose and -certs options for more details."},
-        {"The signer certificate has expired.",
+        {"The.signer.certificate.has.expired.",
                 "The signer certificate has expired."},
-        {"The signer certificate will expire within six months.",
+        {"The.signer.certificate.will.expire.within.six.months.",
                 "The signer certificate will expire within six months."},
-        {"The signer certificate is not yet valid.",
+        {"The.signer.certificate.is.not.yet.valid.",
                 "The signer certificate is not yet valid."},
-        {"The signer certificate's KeyUsage extension doesn't allow code signing.",
+        {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
                  "The signer certificate's KeyUsage extension doesn't allow code signing."},
-        {"The signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
+        {"The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
                  "The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
-        {"The signer certificate's NetscapeCertType extension doesn't allow code signing.",
+        {"The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
                  "The signer certificate's NetscapeCertType extension doesn't allow code signing."},
-        {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
+        {"This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
                  "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
-        {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
+        {"This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
                  "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
-        {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
+        {"This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
                  "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
-        {"[{0} extension does not support code signing]",
+        {".{0}.extension.does.not.support.code.signing.",
                  "[{0} extension does not support code signing]"},
-        {"The signer's certificate chain is not validated.",
+        {"The.signer.s.certificate.chain.is.not.validated.",
                 "The signer's certificate chain is not validated."},
-        {"This jar contains entries whose certificate chain is not validated.",
+        {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
                  "This jar contains entries whose certificate chain is not validated."},
     };
 
--- a/src/share/classes/sun/security/tools/KeyTool.java	Thu Dec 02 19:53:51 2010 +0300
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Fri Dec 03 11:30:28 2010 -0800
@@ -160,82 +160,82 @@
     private List <String> v3ext = new ArrayList <String> ();
 
     enum Command {
-        CERTREQ("Generates a certificate request",
+        CERTREQ("Generates.a.certificate.request",
             ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME,
             STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        CHANGEALIAS("Changes an entry's alias",
+        CHANGEALIAS("Changes.an.entry.s.alias",
             ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS,
             STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V, PROTECTED),
-        DELETE("Deletes an entry",
+        DELETE("Deletes.an.entry",
             ALIAS, KEYSTORE, STOREPASS, STORETYPE,
             PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V, PROTECTED),
-        EXPORTCERT("Exports certificate",
+        EXPORTCERT("Exports.certificate",
             RFC, ALIAS, FILEOUT, KEYSTORE, STOREPASS,
             STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V, PROTECTED),
-        GENKEYPAIR("Generates a key pair",
+        GENKEYPAIR("Generates.a.key.pair",
             ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME,
             STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
             STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        GENSECKEY("Generates a secret key",
+        GENSECKEY("Generates.a.secret.key",
             ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,
             STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        GENCERT("Generates certificate from a certificate request",
+        GENCERT("Generates.certificate.from.a.certificate.request",
             RFC, INFILE, OUTFILE, ALIAS, SIGALG, DNAME,
             STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
             STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        IMPORTCERT("Imports a certificate or a certificate chain",
+        IMPORTCERT("Imports.a.certificate.or.a.certificate.chain",
             NOPROMPT, TRUSTCACERTS, PROTECTED, ALIAS, FILEIN,
             KEYPASS, KEYSTORE, STOREPASS, STORETYPE,
             PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V),
-        IMPORTKEYSTORE("Imports one or all entries from another keystore",
+        IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore",
             SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE,
             DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS,
             SRCPROTECTED, SRCPROVIDERNAME, DESTPROVIDERNAME,
             SRCALIAS, DESTALIAS, SRCKEYPASS, DESTKEYPASS,
             NOPROMPT, PROVIDERCLASS, PROVIDERARG, PROVIDERPATH,
             V),
-        KEYPASSWD("Changes the key password of an entry",
+        KEYPASSWD("Changes.the.key.password.of.an.entry",
             ALIAS, KEYPASS, NEW, KEYSTORE, STOREPASS,
             STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V),
-        LIST("Lists entries in a keystore",
+        LIST("Lists.entries.in.a.keystore",
             RFC, ALIAS, KEYSTORE, STOREPASS, STORETYPE,
             PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
             PROVIDERPATH, V, PROTECTED),
-        PRINTCERT("Prints the content of a certificate",
+        PRINTCERT("Prints.the.content.of.a.certificate",
             RFC, FILEIN, SSLSERVER, JARFILE, V),
-        PRINTCERTREQ("Prints the content of a certificate request",
+        PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
             FILEIN, V),
-        PRINTCRL("Prints the content of a CRL file",
+        PRINTCRL("Prints.the.content.of.a.CRL.file",
             FILEIN, V),
-        STOREPASSWD("Changes the store password of a keystore",
+        STOREPASSWD("Changes.the.store.password.of.a.keystore",
             NEW, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME,
             PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),
 
         // Undocumented start here, KEYCLONE is used a marker in -help;
 
-        KEYCLONE("Clones a key entry",
+        KEYCLONE("Clones.a.key.entry",
             ALIAS, DESTALIAS, KEYPASS, NEW, STORETYPE,
             KEYSTORE, STOREPASS, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V),
-        SELFCERT("Generates a self-signed certificate",
+        SELFCERT("Generates.a.self.signed.certificate",
             ALIAS, SIGALG, DNAME, STARTDATE, VALIDITY, KEYPASS,
             STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
             PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),
-        GENCRL("Generates CRL",
+        GENCRL("Generates.CRL",
             RFC, FILEOUT, ID,
             ALIAS, SIGALG, EXT, KEYPASS, KEYSTORE,
             STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
             PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        IDENTITYDB("Imports entries from a JDK 1.1.x-style identity database",
+        IDENTITYDB("Imports.entries.from.a.JDK.1.1.x.style.identity.database",
             FILEIN, STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
             PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V);
 
@@ -252,49 +252,49 @@
     };
 
     enum Option {
-        ALIAS("alias", "<alias>", "alias name of the entry to process"),
-        DESTALIAS("destalias", "<destalias>", "destination alias"),
-        DESTKEYPASS("destkeypass", "<arg>", "destination key password"),
-        DESTKEYSTORE("destkeystore", "<destkeystore>", "destination keystore name"),
-        DESTPROTECTED("destprotected", null, "destination keystore password protected"),
-        DESTPROVIDERNAME("destprovidername", "<destprovidername>", "destination keystore provider name"),
-        DESTSTOREPASS("deststorepass", "<arg>", "destination keystore password"),
-        DESTSTORETYPE("deststoretype", "<deststoretype>", "destination keystore type"),
-        DNAME("dname", "<dname>", "distinguished name"),
-        EXT("ext", "<value>", "X.509 extension"),
-        FILEOUT("file", "<filename>", "output file name"),
-        FILEIN("file", "<filename>", "input file name"),
-        ID("id", "<id:reason>", "Serial ID of cert to revoke"),
-        INFILE("infile", "<filename>", "input file name"),
-        KEYALG("keyalg", "<keyalg>", "key algorithm name"),
-        KEYPASS("keypass", "<arg>", "key password"),
-        KEYSIZE("keysize", "<keysize>", "key bit size"),
-        KEYSTORE("keystore", "<keystore>", "keystore name"),
-        NEW("new", "<arg>", "new password"),
-        NOPROMPT("noprompt", null, "do not prompt"),
-        OUTFILE("outfile", "<filename>", "output file name"),
-        PROTECTED("protected", null, "password through protected mechanism"),
-        PROVIDERARG("providerarg", "<arg>", "provider argument"),
-        PROVIDERCLASS("providerclass", "<providerclass>", "provider class name"),
-        PROVIDERNAME("providername", "<providername>", "provider name"),
-        PROVIDERPATH("providerpath", "<pathlist>", "provider classpath"),
-        RFC("rfc", null, "output in RFC style"),
-        SIGALG("sigalg", "<sigalg>", "signature algorithm name"),
-        SRCALIAS("srcalias", "<srcalias>", "source alias"),
-        SRCKEYPASS("srckeypass", "<arg>", "source key password"),
-        SRCKEYSTORE("srckeystore", "<srckeystore>", "source keystore name"),
-        SRCPROTECTED("srcprotected", null, "source keystore password protected"),
-        SRCPROVIDERNAME("srcprovidername", "<srcprovidername>", "source keystore provider name"),
-        SRCSTOREPASS("srcstorepass", "<arg>", "source keystore password"),
-        SRCSTORETYPE("srcstoretype", "<srcstoretype>", "source keystore type"),
-        SSLSERVER("sslserver", "<server[:port]>", "SSL server host and port"),
-        JARFILE("jarfile", "<filename>", "signed jar file"),
-        STARTDATE("startdate", "<startdate>", "certificate validity start date/time"),
-        STOREPASS("storepass", "<arg>", "keystore password"),
-        STORETYPE("storetype", "<storetype>", "keystore type"),
-        TRUSTCACERTS("trustcacerts", null, "trust certificates from cacerts"),
-        V("v", null, "verbose output"),
-        VALIDITY("validity", "<valDays>", "validity number of days");
+        ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"),
+        DESTALIAS("destalias", "<destalias>", "destination.alias"),
+        DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"),
+        DESTKEYSTORE("destkeystore", "<destkeystore>", "destination.keystore.name"),
+        DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"),
+        DESTPROVIDERNAME("destprovidername", "<destprovidername>", "destination.keystore.provider.name"),
+        DESTSTOREPASS("deststorepass", "<arg>", "destination.keystore.password"),
+        DESTSTORETYPE("deststoretype", "<deststoretype>", "destination.keystore.type"),
+        DNAME("dname", "<dname>", "distinguished.name"),
+        EXT("ext", "<value>", "X.509.extension"),
+        FILEOUT("file", "<filename>", "output.file.name"),
+        FILEIN("file", "<filename>", "input.file.name"),
+        ID("id", "<id:reason>", "Serial.ID.of.cert.to.revoke"),
+        INFILE("infile", "<filename>", "input.file.name"),
+        KEYALG("keyalg", "<keyalg>", "key.algorithm.name"),
+        KEYPASS("keypass", "<arg>", "key.password"),
+        KEYSIZE("keysize", "<keysize>", "key.bit.size"),
+        KEYSTORE("keystore", "<keystore>", "keystore.name"),
+        NEW("new", "<arg>", "new.password"),
+        NOPROMPT("noprompt", null, "do.not.prompt"),
+        OUTFILE("outfile", "<filename>", "output.file.name"),
+        PROTECTED("protected", null, "password.through.protected.mechanism"),
+        PROVIDERARG("providerarg", "<arg>", "provider.argument"),
+        PROVIDERCLASS("providerclass", "<providerclass>", "provider.class.name"),
+        PROVIDERNAME("providername", "<providername>", "provider.name"),
+        PROVIDERPATH("providerpath", "<pathlist>", "provider.classpath"),
+        RFC("rfc", null, "output.in.RFC.style"),
+        SIGALG("sigalg", "<sigalg>", "signature.algorithm.name"),
+        SRCALIAS("srcalias", "<srcalias>", "source.alias"),
+        SRCKEYPASS("srckeypass", "<arg>", "source.key.password"),
+        SRCKEYSTORE("srckeystore", "<srckeystore>", "source.keystore.name"),
+        SRCPROTECTED("srcprotected", null, "source.keystore.password.protected"),
+        SRCPROVIDERNAME("srcprovidername", "<srcprovidername>", "source.keystore.provider.name"),
+        SRCSTOREPASS("srcstorepass", "<arg>", "source.keystore.password"),
+        SRCSTORETYPE("srcstoretype", "<srcstoretype>", "source.keystore.type"),
+        SSLSERVER("sslserver", "<server[:port]>", "SSL.server.host.and.port"),
+        JARFILE("jarfile", "<filename>", "signed.jar.file"),
+        STARTDATE("startdate", "<startdate>", "certificate.validity.start.date.time"),
+        STOREPASS("storepass", "<arg>", "keystore.password"),
+        STORETYPE("storetype", "<storetype>", "keystore.type"),
+        TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"),
+        V("v", null, "verbose.output"),
+        VALIDITY("validity", "<valDays>", "validity.number.of.days");
 
         final String name, arg, description;
         Option(String name, String arg, String description) {
@@ -339,7 +339,7 @@
                 doCommands(out);
             }
         } catch (Exception e) {
-            System.out.println(rb.getString("keytool error: ") + e);
+            System.out.println(rb.getString("keytool.error.") + e);
             if (verbose) {
                 e.printStackTrace(System.out);
             }
@@ -532,13 +532,13 @@
             } else if (collator.compare(flags, "-srcprotected") == 0) {
                 srcprotectedPath = true;
             } else  {
-                System.err.println(rb.getString("Illegal option:  ") + flags);
+                System.err.println(rb.getString("Illegal.option.") + flags);
                 tinyHelp();
             }
         }
 
         if (i<args.length) {
-            System.err.println(rb.getString("Illegal option:  ") + args[i]);
+            System.err.println(rb.getString("Illegal.option.") + args[i]);
             tinyHelp();
         }
 
@@ -546,7 +546,7 @@
             if (help) {
                 usage();
             } else {
-                System.err.println(rb.getString("Usage error: no command provided"));
+                System.err.println(rb.getString("Usage.error.no.command.provided"));
                 tinyHelp();
             }
         } else if (help) {
@@ -587,7 +587,7 @@
 
         if (token && !nullStream) {
             System.err.println(MessageFormat.format(rb.getString
-                ("-keystore must be NONE if -storetype is {0}"), storetype));
+                (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
             System.err.println();
             tinyHelp();
         }
@@ -595,38 +595,31 @@
         if (token &&
             (command == KEYPASSWD || command == STOREPASSWD)) {
             throw new UnsupportedOperationException(MessageFormat.format(rb.getString
-                        ("-storepasswd and -keypasswd commands not supported " +
-                        "if -storetype is {0}"), storetype));
+                        (".storepasswd.and.keypasswd.commands.not.supported.if.storetype.is.{0}"), storetype));
         }
 
         if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
             throw new UnsupportedOperationException(rb.getString
-                        ("-keypasswd commands not supported " +
-                        "if -storetype is PKCS12"));
+                        (".keypasswd.commands.not.supported.if.storetype.is.PKCS12"));
         }
 
         if (token && (keyPass != null || newPass != null || destKeyPass != null)) {
             throw new IllegalArgumentException(MessageFormat.format(rb.getString
-                ("-keypass and -new " +
-                "can not be specified if -storetype is {0}"), storetype));
+                (".keypass.and.new.can.not.be.specified.if.storetype.is.{0}"), storetype));
         }
 
         if (protectedPath) {
             if (storePass != null || keyPass != null ||
                     newPass != null || destKeyPass != null) {
                 throw new IllegalArgumentException(rb.getString
-                        ("if -protected is specified, " +
-                        "then -storepass, -keypass, and -new " +
-                        "must not be specified"));
+                        ("if.protected.is.specified.then.storepass.keypass.and.new.must.not.be.specified"));
             }
         }
 
         if (srcprotectedPath) {
             if (srcstorePass != null || srckeyPass != null) {
                 throw new IllegalArgumentException(rb.getString
-                        ("if -srcprotected is specified, " +
-                        "then -srcstorepass and -srckeypass " +
-                        "must not be specified"));
+                        ("if.srcprotected.is.specified.then.srcstorepass.and.srckeypass.must.not.be.specified"));
             }
         }
 
@@ -634,24 +627,20 @@
             if (storePass != null || keyPass != null ||
                     newPass != null || destKeyPass != null) {
                 throw new IllegalArgumentException(rb.getString
-                        ("if keystore is not password protected, " +
-                        "then -storepass, -keypass, and -new " +
-                        "must not be specified"));
+                        ("if.keystore.is.not.password.protected.then.storepass.keypass.and.new.must.not.be.specified"));
             }
         }
 
         if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
             if (srcstorePass != null || srckeyPass != null) {
                 throw new IllegalArgumentException(rb.getString
-                        ("if source keystore is not password protected, " +
-                        "then -srcstorepass and -srckeypass " +
-                        "must not be specified"));
+                        ("if.source.keystore.is.not.password.protected.then.srcstorepass.and.srckeypass.must.not.be.specified"));
             }
         }
 
         if (validity <= (long)0) {
             throw new Exception
-                (rb.getString("Validity must be greater than zero"));
+                (rb.getString("Validity.must.be.greater.than.zero"));
         }
 
         // Try to load and install specified provider
@@ -690,7 +679,7 @@
                 }
                 if (!(obj instanceof Provider)) {
                     MessageFormat form = new MessageFormat
-                        (rb.getString("provName not a provider"));
+                        (rb.getString("provName.not.a.provider"));
                     Object[] source = {provName};
                     throw new Exception(form.format(source));
                 }
@@ -700,22 +689,22 @@
 
         if (command == LIST && verbose && rfc) {
             System.err.println(rb.getString
-                ("Must not specify both -v and -rfc with 'list' command"));
+                ("Must.not.specify.both.v.and.rfc.with.list.command"));
             tinyHelp();
         }
 
         // Make sure provided passwords are at least 6 characters long
         if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
             throw new Exception(rb.getString
-                ("Key password must be at least 6 characters"));
+                ("Key.password.must.be.at.least.6.characters"));
         }
         if (newPass != null && newPass.length < 6) {
             throw new Exception(rb.getString
-                ("New password must be at least 6 characters"));
+                ("New.password.must.be.at.least.6.characters"));
         }
         if (destKeyPass != null && destKeyPass.length < 6) {
             throw new Exception(rb.getString
-                ("New password must be at least 6 characters"));
+                ("New.password.must.be.at.least.6.characters"));
         }
 
         // Check if keystore exists.
@@ -735,7 +724,7 @@
                     // Check if keystore file is empty
                     if (ksfile.exists() && ksfile.length() == 0) {
                         throw new Exception(rb.getString
-                        ("Keystore file exists, but is empty: ") + ksfname);
+                        ("Keystore.file.exists.but.is.empty.") + ksfname);
                     }
                     ksStream = new FileInputStream(ksfile);
                 } catch (FileNotFoundException e) {
@@ -746,7 +735,7 @@
                         command != IMPORTKEYSTORE &&
                         command != PRINTCRL) {
                         throw new Exception(rb.getString
-                                ("Keystore file does not exist: ") + ksfname);
+                                ("Keystore.file.does.not.exist.") + ksfname);
                     }
                 }
             }
@@ -757,14 +746,14 @@
             dest = getAlias("destination");
             if ("".equals(dest)) {
                 throw new Exception(rb.getString
-                        ("Must specify destination alias"));
+                        ("Must.specify.destination.alias"));
             }
         }
 
         if (command == DELETE && alias == null) {
             alias = getAlias(null);
             if ("".equals(alias)) {
-                throw new Exception(rb.getString("Must specify alias"));
+                throw new Exception(rb.getString("Must.specify.alias"));
             }
         }
 
@@ -812,7 +801,7 @@
             // insist that the password be at least 6 characters
             if (ksStream == null && storePass.length < 6) {
                 throw new Exception(rb.getString
-                        ("Keystore password must be at least 6 characters"));
+                        ("Keystore.password.must.be.at.least.6.characters"));
             }
         } else if (storePass == null) {
 
@@ -835,10 +824,10 @@
                 do {
                     if (command == IMPORTKEYSTORE) {
                         System.err.print
-                                (rb.getString("Enter destination keystore password:  "));
+                                (rb.getString("Enter.destination.keystore.password."));
                     } else {
                         System.err.print
-                                (rb.getString("Enter keystore password:  "));
+                                (rb.getString("Enter.keystore.password."));
                     }
                     System.err.flush();
                     storePass = Password.readPassword(System.in);
@@ -848,20 +837,19 @@
                     // insist that the password be at least 6 characters
                     if (!nullStream && (storePass == null || storePass.length < 6)) {
                         System.err.println(rb.getString
-                                ("Keystore password is too short - " +
-                                "must be at least 6 characters"));
+                                ("Keystore.password.is.too.short.must.be.at.least.6.characters"));
                         storePass = null;
                     }
 
                     // If the keystore file does not exist and needs to be
                     // created, the storepass should be prompted twice.
                     if (storePass != null && !nullStream && ksStream == null) {
-                        System.err.print(rb.getString("Re-enter new password: "));
+                        System.err.print(rb.getString("Re.enter.new.password."));
                         char[] storePassAgain = Password.readPassword(System.in);
                         passwords.add(storePassAgain);
                         if (!Arrays.equals(storePass, storePassAgain)) {
                             System.err.println
-                                (rb.getString("They don't match. Try again"));
+                                (rb.getString("They.don.t.match.Try.again"));
                             storePass = null;
                         }
                     }
@@ -872,7 +860,7 @@
 
                 if (storePass == null) {
                     System.err.println
-                        (rb.getString("Too many failures - try later"));
+                        (rb.getString("Too.many.failures.try.later"));
                     return;
                 }
             } else if (!protectedPath
@@ -880,7 +868,7 @@
                     && isKeyStoreRelated(command)) {
                 // here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
                 if (command != PRINTCRL) {
-                    System.err.print(rb.getString("Enter keystore password:  "));
+                    System.err.print(rb.getString("Enter.keystore.password."));
                     System.err.flush();
                     storePass = Password.readPassword(System.in);
                     passwords.add(storePass);
@@ -900,8 +888,7 @@
 
         if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
             MessageFormat form = new MessageFormat(rb.getString(
-                "Warning:  Different store and key passwords not supported " +
-                "for PKCS12 KeyStores. Ignoring user-specified <command> value."));
+                "Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value."));
             if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
                 Object[] source = {"-keypass"};
                 System.err.println(form.format(source));
@@ -946,10 +933,10 @@
             }
             if (verbose && filename != null) {
                 MessageFormat form = new MessageFormat(rb.getString
-                        ("Certification request stored in file <filename>"));
+                        ("Certification.request.stored.in.file.filename."));
                 Object[] source = {filename};
                 System.err.println(form.format(source));
-                System.err.println(rb.getString("Submit this to your CA"));
+                System.err.println(rb.getString("Submit.this.to.your.CA"));
             }
         } else if (command == DELETE) {
             doDeleteEntry(alias);
@@ -970,7 +957,7 @@
             }
             if (filename != null) {
                 MessageFormat form = new MessageFormat(rb.getString
-                        ("Certificate stored in file <filename>"));
+                        ("Certificate.stored.in.file.filename."));
                 Object[] source = {filename};
                 System.err.println(form.format(source));
             }
@@ -1010,10 +997,10 @@
                     kssave = installReply(importAlias, inStream);
                     if (kssave) {
                         System.err.println(rb.getString
-                            ("Certificate reply was installed in keystore"));
+                            ("Certificate.reply.was.installed.in.keystore"));
                     } else {
                         System.err.println(rb.getString
-                            ("Certificate reply was not installed in keystore"));
+                            ("Certificate.reply.was.not.installed.in.keystore"));
                     }
                 } else if (!keyStore.containsAlias(importAlias) ||
                         keyStore.entryInstanceOf(importAlias,
@@ -1021,10 +1008,10 @@
                     kssave = addTrustedCert(importAlias, inStream);
                     if (kssave) {
                         System.err.println(rb.getString
-                            ("Certificate was added to keystore"));
+                            ("Certificate.was.added.to.keystore"));
                     } else {
                         System.err.println(rb.getString
-                            ("Certificate was not added to keystore"));
+                            ("Certificate.was.not.added.to.keystore"));
                     }
                 }
             } finally {
@@ -1044,14 +1031,13 @@
             }
             if (keyStore.containsAlias(alias) == false) {
                 MessageFormat form = new MessageFormat
-                    (rb.getString("Alias <alias> does not exist"));
+                    (rb.getString("Alias.alias.does.not.exist"));
                 Object[] source = {alias};
                 throw new Exception(form.format(source));
             }
             if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                 MessageFormat form = new MessageFormat(rb.getString(
-                        "Alias <alias> references an entry type that is not a private key entry.  " +
-                        "The -keyclone command only supports cloning of private key entries"));
+                        "Alias.alias.references.an.entry.type.that.is.not.a.private.key.entry.The.keyclone.command.only.supports.cloning.of.private.key"));
                 Object[] source = {alias};
                 throw new Exception(form.format(source));
             }
@@ -1148,7 +1134,7 @@
         if (kssave) {
             if (verbose) {
                 MessageFormat form = new MessageFormat
-                        (rb.getString("[Storing ksfname]"));
+                        (rb.getString(".Storing.ksfname."));
                 Object[] source = {nullStream ? "keystore" : ksfname};
                 System.err.println(form.format(source));
             }
@@ -1336,7 +1322,7 @@
         Certificate cert = keyStore.getCertificate(alias);
         if (cert == null) {
             MessageFormat form = new MessageFormat
-                (rb.getString("alias has no public key (certificate)"));
+                (rb.getString("alias.has.no.public.key.certificate."));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1368,7 +1354,7 @@
     private void doDeleteEntry(String alias) throws Exception {
         if (keyStore.containsAlias(alias) == false) {
             MessageFormat form = new MessageFormat
-                (rb.getString("Alias <alias> does not exist"));
+                (rb.getString("Alias.alias.does.not.exist"));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1390,7 +1376,7 @@
         }
         if (keyStore.containsAlias(alias) == false) {
             MessageFormat form = new MessageFormat
-                (rb.getString("Alias <alias> does not exist"));
+                (rb.getString("Alias.alias.does.not.exist"));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1398,7 +1384,7 @@
         X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
         if (cert == null) {
             MessageFormat form = new MessageFormat
-                (rb.getString("Alias <alias> has no certificate"));
+                (rb.getString("Alias.alias.has.no.certificate"));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1419,15 +1405,15 @@
             int count;
             for (count = 0; count < 3; count++) {
                 MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter key password for <alias>"));
+                        ("Enter.key.password.for.alias."));
                 Object[] source = {alias};
                 System.err.println(form.format(source));
                 if (orig == null) {
                     System.err.print(rb.getString
-                            ("\t(RETURN if same as keystore password):  "));
+                            (".RETURN.if.same.as.keystore.password."));
                 } else {
                     form = new MessageFormat(rb.getString
-                            ("\t(RETURN if same as for <otherAlias>)"));
+                            (".RETURN.if.same.as.for.otherAlias."));
                     Object[] src = {orig};
                     System.err.print(form.format(src));
                 }
@@ -1437,27 +1423,27 @@
                 if (entered == null) {
                     return origPass;
                 } else if (entered.length >= 6) {
-                    System.err.print(rb.getString("Re-enter new password: "));
+                    System.err.print(rb.getString("Re.enter.new.password."));
                     char[] passAgain = Password.readPassword(System.in);
                     passwords.add(passAgain);
                     if (!Arrays.equals(entered, passAgain)) {
                         System.err.println
-                            (rb.getString("They don't match. Try again"));
+                            (rb.getString("They.don.t.match.Try.again"));
                         continue;
                     }
                     return entered;
                 } else {
                     System.err.println(rb.getString
-                        ("Key password is too short - must be at least 6 characters"));
+                        ("Key.password.is.too.short.must.be.at.least.6.characters"));
                 }
             }
             if (count == 3) {
                 if (command == KEYCLONE) {
                     throw new Exception(rb.getString
-                        ("Too many failures. Key entry not cloned"));
+                        ("Too.many.failures.Key.entry.not.cloned"));
                 } else {
                     throw new Exception(rb.getString
-                            ("Too many failures - key not added to keystore"));
+                            ("Too.many.failures.key.not.added.to.keystore"));
                 }
             }
         }
@@ -1475,7 +1461,7 @@
         }
         if (keyStore.containsAlias(alias)) {
             MessageFormat form = new MessageFormat(rb.getString
-                ("Secret key not generated, alias <alias> already exists"));
+                ("Secret.key.not.generated.alias.alias.already.exists"));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1490,7 +1476,7 @@
             keygen.init(168);
         } else {
             throw new Exception(rb.getString
-                ("Please provide -keysize for secret key generation"));
+                ("Please.provide.keysize.for.secret.key.generation"));
         }
 
         secKey = keygen.generateKey();
@@ -1514,7 +1500,7 @@
             return "SHA256withECDSA";
         } else {
             throw new Exception(rb.getString
-                    ("Cannot derive signature algorithm"));
+                    ("Cannot.derive.signature.algorithm"));
         }
     }
     /**
@@ -1540,7 +1526,7 @@
 
         if (keyStore.containsAlias(alias)) {
             MessageFormat form = new MessageFormat(rb.getString
-                ("Key pair not generated, alias <alias> already exists"));
+                ("Key.pair.not.generated.alias.alias.already.exists"));
             Object[] source = {alias};
             throw new Exception(form.format(source));
         }
@@ -1569,8 +1555,7 @@
 
         if (verbose) {
             MessageFormat form = new MessageFormat(rb.getString
-                ("Generating keysize bit keyAlgName key pair and self-signed certificate " +
-                    "(sigAlgName) with a validity of validality days\n\tfor: x500Name"));
+                ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
             Object[] source = {new Integer(keysize),
                                 privKey.getAlgorithm(),
                                 chain[0].getSigAlgName(),
@@ -1603,7 +1588,7 @@
 
         if (keyStore.containsAlias(dest)) {
             MessageFormat form = new MessageFormat
-                (rb.getString("Destination alias <dest> already exists"));
+                (rb.getString("Destination.alias.dest.already.exists"));
             Object[] source = {dest};
             throw new Exception(form.format(source));
         }
@@ -1644,7 +1629,7 @@
 
         if (keyPassNew == null) {
             MessageFormat form = new MessageFormat
-                (rb.getString("key password for <alias>"));
+                (rb.getString("key.password.for.alias."));
             Object[] source = {alias};
             keyPassNew = getNewPasswd(form.format(source), keyPass);
         }
@@ -1661,7 +1646,7 @@
         throws Exception
     {
         System.err.println(rb.getString