changeset 11131:075b7f37ec28

Merge
author asaha
date Thu, 16 Jul 2015 16:54:12 -0700
parents eb78b3fdf14e c00bcb8d4596
children 9743f2e62694
files .hgtags
diffstat 59 files changed, 1298 insertions(+), 302 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Thu Jul 16 14:23:13 2015 -0700
+++ b/.hgtags	Thu Jul 16 16:54:12 2015 -0700
@@ -406,6 +406,11 @@
 7087623dfa7033f8738d537864e4bac6b8528172 jdk8u45-b15
 c7fbbf6133c339fb56f03241de28666774023d5d jdk8u45-b31
 ea547c5a1217fe7916f366950d0e3156e4225aa5 jdk8u45-b32
+27836976c3157a90a9504eb2ec0de54b769b68b4 jdk8u45-b33
+98c0901da96579e1819e591c95d19066e0dad9b6 jdk8u45-b34
+c292ff6412c8d6a9fb258b72fcffada39aa556b1 jdk8u45-b35
+8027bdc8f3d28a0d734fc45a3b7b329c3632ea70 jdk8u45-b36
+a6665011c99f04656f827c883d96857ca2c17bee jdk8u45-b37
 ac97b69b88e37c18c1b077be8b1f100b6803fea5 jdk8u51-b00
 2e0732282470f7a02d57af5fc8542efa9db7b3e4 jdk8u51-b01
 cc75137936f9a8e97017e7e18b1064b76238116f jdk8u51-b02
@@ -423,6 +428,7 @@
 b7403e15864dc0c1f9740d66af91bddb3e2215e8 jdk8u51-b14
 192bda44c0c463104c96058bb815a546b282ca43 jdk8u51-b15
 ee86422973691bb7efae58d201e5a382ea0bb150 jdk8u51-b16
+f94ea276f608b22d78281d70361092ba4864038e jdk8u51-b31
 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00
 c46daef6edb5385d11876ed40f292a4b62e96867 jdk8u60-b01
 c10fd784956cc7099657181029ac3e790267b678 jdk8u60-b02
@@ -448,5 +454,11 @@
 e9f82302d5fdef8a0976640e09363895e9dcde3c jdk8u60-b22
 c4b37246b92736adf5f40c785aabb67a7d227245 jdk8u60-b23
 d433f5fd8910bee1f2c295b65cf03977034fe0ea jdk8u60-b24
+286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u65-b00
+80a796d0db958f49a4b0713818227eda8e5efbb9 jdk8u65-b01
+77d48e6d111faec236c8678997ae4311151cfee4 jdk8u65-b02
+3e3a22acc5be4eb4b860b4b4c0080473f5605988 jdk8u65-b03
+2a5f20c49ad1de765a8c26aab1e13aee8e53b5c6 jdk8u65-b04
+fe1c420a8982e58f6d49c50b729732d93f9682dd jdk8u65-b05
 e9f82302d5fdef8a0976640e09363895e9dcde3c jdk8u66-b00
 64d7bd4e98150447916f210e3bfd6875a4c2728a jdk8u66-b01
--- a/make/lib/Awt2dLibraries.gmk	Thu Jul 16 14:23:13 2015 -0700
+++ b/make/lib/Awt2dLibraries.gmk	Thu Jul 16 16:54:12 2015 -0700
@@ -674,6 +674,7 @@
     LANG := C, \
     OPTIMIZATION := HIGHEST, \
     CFLAGS := $(filter-out -xc99=%none, $(CFLAGS_JDKLIB)) \
+        -DCMS_DONT_USE_FAST_FLOOR \
         $(SHARED_LIBRARY_FLAGS) \
         -I$(JDK_TOPDIR)/src/share/native/sun/java2d \
         -I$(JDK_TOPDIR)/src/share/native/sun/awt/debug, \
--- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java	Thu Jul 16 16:54:12 2015 -0700
@@ -74,11 +74,14 @@
                 "TlsRsaPremasterSecretGenerator must be initialized");
         }
 
-        if (random == null) {
-            random = new SecureRandom();
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            if (random == null) {
+                random = new SecureRandom();
+            }
+            b = new byte[48];
+            random.nextBytes(b);
         }
-        byte[] b = new byte[48];
-        random.nextBytes(b);
         b[0] = (byte)spec.getMajorVersion();
         b[1] = (byte)spec.getMinorVersion();
 
--- a/src/share/classes/java/beans/PropertyDescriptor.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/java/beans/PropertyDescriptor.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
 import java.lang.ref.Reference;
 import java.lang.reflect.Method;
 import java.lang.reflect.Constructor;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * A PropertyDescriptor describes one property that a Java Bean
@@ -426,8 +427,9 @@
     public PropertyEditor createPropertyEditor(Object bean) {
         Object editor = null;
 
-        Class<?> cls = getPropertyEditorClass();
-        if (cls != null) {
+        final Class<?> cls = getPropertyEditorClass();
+        if (cls != null && PropertyEditor.class.isAssignableFrom(cls)
+                && ReflectUtil.isPackageAccessible(cls)) {
             Constructor<?> ctor = null;
             if (bean != null) {
                 try {
--- a/src/share/classes/java/io/ObjectStreamClass.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/java/io/ObjectStreamClass.java	Thu Jul 16 16:54:12 2015 -0700
@@ -189,6 +189,9 @@
     /** superclass descriptor appearing in stream */
     private ObjectStreamClass superDesc;
 
+    /** true if, and only if, the object has been correctly initialized */
+    private boolean initialized;
+
     /**
      * Initializes native code.
      */
@@ -266,6 +269,7 @@
         if (cl == null) {
             return null;
         }
+        requireInitialized();
         if (System.getSecurityManager() != null) {
             Class<?> caller = Reflection.getCallerClass();
             if (ReflectUtil.needsPackageAccessCheck(caller.getClassLoader(), cl.getClassLoader())) {
@@ -533,6 +537,7 @@
                     name, "unmatched serializable field(s) declared");
             }
         }
+        initialized = true;
     }
 
     /**
@@ -550,6 +555,14 @@
                    ObjectStreamClass superDesc)
         throws InvalidClassException
     {
+        ObjectStreamClass osc = null;
+        if (cl != null) {
+            osc = lookup(cl, true);
+            if (!osc.isProxy) {
+                throw new InvalidClassException(
+                    "cannot bind proxy descriptor to a non-proxy class");
+            }
+        }
         this.cl = cl;
         this.resolveEx = resolveEx;
         this.superDesc = superDesc;
@@ -557,21 +570,17 @@
         serializable = true;
         suid = Long.valueOf(0);
         fields = NO_FIELDS;
-
-        if (cl != null) {
-            localDesc = lookup(cl, true);
-            if (!localDesc.isProxy) {
-                throw new InvalidClassException(
-                    "cannot bind proxy descriptor to a non-proxy class");
-            }
+        if (osc != null) {
+            localDesc = osc;
             name = localDesc.name;
             externalizable = localDesc.externalizable;
-            cons = localDesc.cons;
             writeReplaceMethod = localDesc.writeReplaceMethod;
             readResolveMethod = localDesc.readResolveMethod;
             deserializeEx = localDesc.deserializeEx;
+            cons = localDesc.cons;
         }
         fieldRefl = getReflector(fields, localDesc);
+        initialized = true;
     }
 
     /**
@@ -583,11 +592,57 @@
                       ObjectStreamClass superDesc)
         throws InvalidClassException
     {
+        long suid = Long.valueOf(model.getSerialVersionUID());
+        ObjectStreamClass osc = null;
+        if (cl != null) {
+            osc = lookup(cl, true);
+            if (osc.isProxy) {
+                throw new InvalidClassException(
+                        "cannot bind non-proxy descriptor to a proxy class");
+            }
+            if (model.isEnum != osc.isEnum) {
+                throw new InvalidClassException(model.isEnum ?
+                        "cannot bind enum descriptor to a non-enum class" :
+                        "cannot bind non-enum descriptor to an enum class");
+            }
+
+            if (model.serializable == osc.serializable &&
+                    !cl.isArray() &&
+                    suid != osc.getSerialVersionUID()) {
+                throw new InvalidClassException(osc.name,
+                        "local class incompatible: " +
+                                "stream classdesc serialVersionUID = " + suid +
+                                ", local class serialVersionUID = " +
+                                osc.getSerialVersionUID());
+            }
+
+            if (!classNamesEqual(model.name, osc.name)) {
+                throw new InvalidClassException(osc.name,
+                        "local class name incompatible with stream class " +
+                                "name \"" + model.name + "\"");
+            }
+
+            if (!model.isEnum) {
+                if ((model.serializable == osc.serializable) &&
+                        (model.externalizable != osc.externalizable)) {
+                    throw new InvalidClassException(osc.name,
+                            "Serializable incompatible with Externalizable");
+                }
+
+                if ((model.serializable != osc.serializable) ||
+                        (model.externalizable != osc.externalizable) ||
+                        !(model.serializable || model.externalizable)) {
+                    deserializeEx = new ExceptionInfo(
+                            osc.name, "class invalid for deserialization");
+                }
+            }
+        }
+
         this.cl = cl;
         this.resolveEx = resolveEx;
         this.superDesc = superDesc;
         name = model.name;
-        suid = Long.valueOf(model.getSerialVersionUID());
+        this.suid = suid;
         isProxy = false;
         isEnum = model.isEnum;
         serializable = model.serializable;
@@ -598,53 +653,8 @@
         primDataSize = model.primDataSize;
         numObjFields = model.numObjFields;
 
-        if (cl != null) {
-            localDesc = lookup(cl, true);
-            if (localDesc.isProxy) {
-                throw new InvalidClassException(
-                    "cannot bind non-proxy descriptor to a proxy class");
-            }
-            if (isEnum != localDesc.isEnum) {
-                throw new InvalidClassException(isEnum ?
-                    "cannot bind enum descriptor to a non-enum class" :
-                    "cannot bind non-enum descriptor to an enum class");
-            }
-
-            if (serializable == localDesc.serializable &&
-                !cl.isArray() &&
-                suid.longValue() != localDesc.getSerialVersionUID())
-            {
-                throw new InvalidClassException(localDesc.name,
-                    "local class incompatible: " +
-                    "stream classdesc serialVersionUID = " + suid +
-                    ", local class serialVersionUID = " +
-                    localDesc.getSerialVersionUID());
-            }
-
-            if (!classNamesEqual(name, localDesc.name)) {
-                throw new InvalidClassException(localDesc.name,
-                    "local class name incompatible with stream class " +
-                    "name \"" + name + "\"");
-            }
-
-            if (!isEnum) {
-                if ((serializable == localDesc.serializable) &&
-                    (externalizable != localDesc.externalizable))
-                {
-                    throw new InvalidClassException(localDesc.name,
-                        "Serializable incompatible with Externalizable");
-                }
-
-                if ((serializable != localDesc.serializable) ||
-                    (externalizable != localDesc.externalizable) ||
-                    !(serializable || externalizable))
-                {
-                    deserializeEx = new ExceptionInfo(
-                        localDesc.name, "class invalid for deserialization");
-                }
-            }
-
-            cons = localDesc.cons;
+        if (osc != null) {
+            localDesc = osc;
             writeObjectMethod = localDesc.writeObjectMethod;
             readObjectMethod = localDesc.readObjectMethod;
             readObjectNoDataMethod = localDesc.readObjectNoDataMethod;
@@ -653,10 +663,13 @@
             if (deserializeEx == null) {
                 deserializeEx = localDesc.deserializeEx;
             }
+            cons = localDesc.cons;
         }
+
         fieldRefl = getReflector(fields, localDesc);
         // reassign to matched fields so as to reflect local unshared settings
         fields = fieldRefl.getFields();
+        initialized = true;
     }
 
     /**
@@ -759,11 +772,20 @@
     }
 
     /**
+     * Throws InternalError if not initialized.
+     */
+    private final void requireInitialized() {
+        if (!initialized)
+            throw new InternalError("Unexpected call when not initialized");
+    }
+
+    /**
      * Throws an InvalidClassException if object instances referencing this
      * class descriptor should not be allowed to deserialize.  This method does
      * not apply to deserialization of enum constants.
      */
     void checkDeserialize() throws InvalidClassException {
+        requireInitialized();
         if (deserializeEx != null) {
             throw deserializeEx.newInvalidClassException();
         }
@@ -775,6 +797,7 @@
      * not apply to serialization of enum constants.
      */
     void checkSerialize() throws InvalidClassException {
+        requireInitialized();
         if (serializeEx != null) {
             throw serializeEx.newInvalidClassException();
         }
@@ -788,6 +811,7 @@
      * does not apply to deserialization of enum constants.
      */
     void checkDefaultSerialize() throws InvalidClassException {
+        requireInitialized();
         if (defaultSerializeEx != null) {
             throw defaultSerializeEx.newInvalidClassException();
         }
@@ -799,6 +823,7 @@
      * of the subclass descriptor's bound class.
      */
     ObjectStreamClass getSuperDesc() {
+        requireInitialized();
         return superDesc;
     }
 
@@ -809,6 +834,7 @@
      * associated with this descriptor.
      */
     ObjectStreamClass getLocalDesc() {
+        requireInitialized();
         return localDesc;
     }
 
@@ -829,6 +855,7 @@
      * types only.  Returns matching field, or null if no match found.
      */
     ObjectStreamField getField(String name, Class<?> type) {
+        requireInitialized();
         for (int i = 0; i < fields.length; i++) {
             ObjectStreamField f = fields[i];
             if (f.getName().equals(name)) {
@@ -851,6 +878,7 @@
      * otherwise.
      */
     boolean isProxy() {
+        requireInitialized();
         return isProxy;
     }
 
@@ -859,6 +887,7 @@
      * otherwise.
      */
     boolean isEnum() {
+        requireInitialized();
         return isEnum;
     }
 
@@ -867,6 +896,7 @@
      * otherwise.
      */
     boolean isExternalizable() {
+        requireInitialized();
         return externalizable;
     }
 
@@ -875,6 +905,7 @@
      * otherwise.
      */
     boolean isSerializable() {
+        requireInitialized();
         return serializable;
     }
 
@@ -883,6 +914,7 @@
      * has written its data in 1.2 (block data) format, false otherwise.
      */
     boolean hasBlockExternalData() {
+        requireInitialized();
         return hasBlockExternalData;
     }
 
@@ -892,6 +924,7 @@
      * writeObject() method, false otherwise.
      */
     boolean hasWriteObjectData() {
+        requireInitialized();
         return hasWriteObjectData;
     }
 
@@ -903,6 +936,7 @@
      * accessible no-arg constructor.  Otherwise, returns false.
      */
     boolean isInstantiable() {
+        requireInitialized();
         return (cons != null);
     }
 
@@ -912,6 +946,7 @@
      * returns false.
      */
     boolean hasWriteObjectMethod() {
+        requireInitialized();
         return (writeObjectMethod != null);
     }
 
@@ -921,6 +956,7 @@
      * returns false.
      */
     boolean hasReadObjectMethod() {
+        requireInitialized();
         return (readObjectMethod != null);
     }
 
@@ -930,6 +966,7 @@
      * Otherwise, returns false.
      */
     boolean hasReadObjectNoDataMethod() {
+        requireInitialized();
         return (readObjectNoDataMethod != null);
     }
 
@@ -938,6 +975,7 @@
      * defines a conformant writeReplace method.  Otherwise, returns false.
      */
     boolean hasWriteReplaceMethod() {
+        requireInitialized();
         return (writeReplaceMethod != null);
     }
 
@@ -946,6 +984,7 @@
      * defines a conformant readResolve method.  Otherwise, returns false.
      */
     boolean hasReadResolveMethod() {
+        requireInitialized();
         return (readResolveMethod != null);
     }
 
@@ -962,6 +1001,7 @@
         throws InstantiationException, InvocationTargetException,
                UnsupportedOperationException
     {
+        requireInitialized();
         if (cons != null) {
             try {
                 return cons.newInstance();
@@ -983,6 +1023,7 @@
     void invokeWriteObject(Object obj, ObjectOutputStream out)
         throws IOException, UnsupportedOperationException
     {
+        requireInitialized();
         if (writeObjectMethod != null) {
             try {
                 writeObjectMethod.invoke(obj, new Object[]{ out });
@@ -1012,6 +1053,7 @@
         throws ClassNotFoundException, IOException,
                UnsupportedOperationException
     {
+        requireInitialized();
         if (readObjectMethod != null) {
             try {
                 readObjectMethod.invoke(obj, new Object[]{ in });
@@ -1042,6 +1084,7 @@
     void invokeReadObjectNoData(Object obj)
         throws IOException, UnsupportedOperationException
     {
+        requireInitialized();
         if (readObjectNoDataMethod != null) {
             try {
                 readObjectNoDataMethod.invoke(obj, (Object[]) null);
@@ -1070,6 +1113,7 @@
     Object invokeWriteReplace(Object obj)
         throws IOException, UnsupportedOperationException
     {
+        requireInitialized();
         if (writeReplaceMethod != null) {
             try {
                 return writeReplaceMethod.invoke(obj, (Object[]) null);
@@ -1099,6 +1143,7 @@
     Object invokeReadResolve(Object obj)
         throws IOException, UnsupportedOperationException
     {
+        requireInitialized();
         if (readResolveMethod != null) {
             try {
                 return readResolveMethod.invoke(obj, (Object[]) null);
--- a/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/javax/management/openmbean/OpenMBeanAttributeInfoSupport.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,6 @@
 import javax.management.ImmutableDescriptor;
 import javax.management.MBeanAttributeInfo;
 import com.sun.jmx.remote.util.EnvHelp;
-import sun.reflect.misc.ConstructorUtil;
 import sun.reflect.misc.MethodUtil;
 import sun.reflect.misc.ReflectUtil;
 
@@ -692,8 +691,9 @@
     private static <T> T convertFromString(String s, OpenType<T> openType) {
         Class<T> c;
         try {
-            ReflectUtil.checkPackageAccess(openType.safeGetClassName());
-            c = cast(Class.forName(openType.safeGetClassName()));
+            String className = openType.safeGetClassName();
+            ReflectUtil.checkPackageAccess(className);
+            c = cast(Class.forName(className));
         } catch (ClassNotFoundException e) {
             throw new NoClassDefFoundError(e.toString());  // can't happen
         }
--- a/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java	Thu Jul 16 16:54:12 2015 -0700
@@ -112,18 +112,7 @@
      * java.security.krb5.realm system property.
      */
     public KerberosPrincipal(String name) {
-
-        PrincipalName krb5Principal = null;
-
-        try {
-            // Appends the default realm if it is missing
-            krb5Principal = new PrincipalName(name, KRB_NT_PRINCIPAL);
-        } catch (KrbException e) {
-            throw new IllegalArgumentException(e.getMessage());
-        }
-        nameType = KRB_NT_PRINCIPAL;  // default name type
-        fullName = krb5Principal.toString();
-        realm = krb5Principal.getRealmString();
+        this(name, KRB_NT_PRINCIPAL);
     }
 
     /**
@@ -165,6 +154,20 @@
             throw new IllegalArgumentException(e.getMessage());
         }
 
+        // A ServicePermission with a principal in the deduced realm and
+        // any action must be granted if no realm is provided by caller.
+        if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                try {
+                    sm.checkPermission(new ServicePermission(
+                            "@" + krb5Principal.getRealmAsString(), "-"));
+                } catch (SecurityException se) {
+                    // Swallow the actual exception to hide info
+                    throw new SecurityException("Cannot read realm info");
+                }
+            }
+        }
         this.nameType = nameType;
         fullName = krb5Principal.toString();
         realm = krb5Principal.getRealmString();
--- a/src/share/classes/javax/security/auth/kerberos/ServicePermission.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/javax/security/auth/kerberos/ServicePermission.java	Thu Jul 16 16:54:12 2015 -0700
@@ -50,7 +50,7 @@
  * used within.
  * <p>
  * The service principal name is the canonical name of the
- * {@code KereberosPrincipal} supplying the service, that is
+ * {@code KerberosPrincipal} supplying the service, that is
  * the KerberosPrincipal represents a Kerberos service
  * principal. This name is treated in a case sensitive manner.
  * An asterisk may appear by itself, to signify any service principal.
@@ -145,6 +145,9 @@
      * @param action the action string
      */
     public ServicePermission(String servicePrincipal, String action) {
+        // Note: servicePrincipal can be "@REALM" which means any principal in
+        // this realm implies it. action can be "-" which means any
+        // action implies it.
         super(servicePrincipal);
         init(servicePrincipal, getMask(action));
     }
@@ -188,7 +191,9 @@
 
     boolean impliesIgnoreMask(ServicePermission p) {
         return ((this.getName().equals("*")) ||
-                this.getName().equals(p.getName()));
+                this.getName().equals(p.getName()) ||
+                (p.getName().startsWith("@") &&
+                        this.getName().endsWith(p.getName())));
     }
 
     /**
@@ -295,7 +300,10 @@
     /**
      * Convert an action string to an integer actions mask.
      *
-     * @param action the action string
+     * Note: if action is "-", action will be NONE, which means any
+     * action implies it.
+     *
+     * @param action the action string.
      * @return the action mask
      */
     private static int getMask(String action) {
@@ -312,9 +320,11 @@
 
         char[] a = action.toCharArray();
 
+        if (a.length == 1 && a[0] == '-') {
+            return mask;
+        }
+
         int i = a.length - 1;
-        if (i < 0)
-            return mask;
 
         while (i != -1) {
             char c;
@@ -475,6 +485,17 @@
 
         ServicePermission np = (ServicePermission) permission;
         int desired = np.getMask();
+
+        if (desired == 0) {
+            for (Permission p: perms) {
+                ServicePermission sp = (ServicePermission)p;
+                if (sp.impliesIgnoreMask(np)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         int effective = 0;
         int needed = desired;
 
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Thu Jul 16 16:54:12 2015 -0700
@@ -484,7 +484,8 @@
     private void checkMessageHeader(String key, String value) {
         char LF = '\n';
         int index = key.indexOf(LF);
-        if (index != -1) {
+        int index1 = key.indexOf(':');
+        if (index != -1 || index1 != -1) {
             throw new IllegalArgumentException(
                 "Illegal character(s) in message header field: " + key);
         }
--- a/src/share/classes/sun/rmi/transport/DGCClient.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/rmi/transport/DGCClient.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 
 import java.lang.ref.PhantomReference;
 import java.lang.ref.ReferenceQueue;
+import java.net.SocketPermission;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.HashMap;
@@ -46,6 +47,10 @@
 import sun.rmi.server.Util;
 import sun.security.action.GetLongAction;
 
+import java.security.AccessControlContext;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+
 /**
  * DGCClient implements the client-side of the RMI distributed garbage
  * collection system.
@@ -113,6 +118,18 @@
     /** ObjID for server-side DGC object */
     private static final ObjID dgcID = new ObjID(ObjID.DGC_ID);
 
+    /**
+     * An AccessControlContext with only socket permissions,
+     * suitable for an RMIClientSocketFactory.
+     */
+    private static final AccessControlContext SOCKET_ACC;
+    static {
+        Permissions perms = new Permissions();
+        perms.add(new SocketPermission("*", "connect,resolve"));
+        ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
+        SOCKET_ACC = new AccessControlContext(pd);
+    }
+
     /*
      * Disallow anyone from creating one of these.
      */
@@ -570,13 +587,20 @@
                         }
                     }
 
-                    if (needRenewal) {
-                        makeDirtyCall(refsToDirty, sequenceNum);
-                    }
+                    boolean needRenewal_ = needRenewal;
+                    Set<RefEntry> refsToDirty_ = refsToDirty;
+                    long sequenceNum_ = sequenceNum;
+                    AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                        public Void run() {
+                            if (needRenewal_) {
+                                makeDirtyCall(refsToDirty_, sequenceNum_);
+                            }
 
-                    if (!pendingCleans.isEmpty()) {
-                        makeCleanCalls();
-                    }
+                            if (!pendingCleans.isEmpty()) {
+                                makeCleanCalls();
+                            }
+                            return null;
+                        }}, SOCKET_ACC);
                 } while (!removed || !pendingCleans.isEmpty());
             }
         }
--- a/src/share/classes/sun/rmi/transport/DGCImpl.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/rmi/transport/DGCImpl.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
  */
 package sun.rmi.transport;
 
+import java.net.SocketPermission;
 import java.rmi.Remote;
 import java.rmi.RemoteException;
 import java.rmi.dgc.DGC;
@@ -33,8 +34,11 @@
 import java.rmi.server.ObjID;
 import java.rmi.server.RemoteServer;
 import java.rmi.server.ServerNotActiveException;
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.HashMap;
@@ -296,8 +300,19 @@
                             Util.createProxy(DGCImpl.class,
                                              new UnicastRef(ref), true);
                         disp.setSkeleton(dgc);
-                        Target target =
-                            new Target(dgc, disp, stub, dgcID, true);
+
+                        Permissions perms = new Permissions();
+                        perms.add(new SocketPermission("*", "accept,resolve"));
+                        ProtectionDomain[] pd = { new ProtectionDomain(null, perms) };
+                        AccessControlContext acceptAcc = new AccessControlContext(pd);
+
+                        Target target = AccessController.doPrivileged(
+                            new PrivilegedAction<Target>() {
+                                public Target run() {
+                                    return new Target(dgc, disp, stub, dgcID, true);
+                                }
+                            }, acceptAcc);
+
                         ObjectTable.putTarget(target);
                     } catch (RemoteException e) {
                         throw new Error(
--- a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java	Thu Jul 16 16:54:12 2015 -0700
@@ -43,6 +43,8 @@
 public class TlsRsaPremasterSecretParameterSpec
         implements AlgorithmParameterSpec {
 
+    private final byte[] encodedSecret;
+
     /*
      * The TLS spec says that the version in the RSA premaster secret must
      * be the maximum version supported by the client (i.e. the version it
@@ -89,6 +91,33 @@
 
         this.clientVersion = checkVersion(clientVersion);
         this.serverVersion = checkVersion(serverVersion);
+        this.encodedSecret = null;
+    }
+
+    /**
+     * Constructs a new TlsRsaPremasterSecretParameterSpec.
+     *
+     * @param clientVersion the version of the TLS protocol by which the
+     *        client wishes to communicate during this session
+     * @param serverVersion the negotiated version of the TLS protocol which
+     *        contains the lower of that suggested by the client in the client
+     *        hello and the highest supported by the server.
+     * @param encodedSecret the encoded secret key
+     *
+     * @throws IllegalArgumentException if clientVersion or serverVersion are
+     *   negative or larger than (2^16 - 1) or if encodedSecret is not
+     *   exactly 48 bytes
+     */
+    public TlsRsaPremasterSecretParameterSpec(
+            int clientVersion, int serverVersion, byte[] encodedSecret) {
+
+        this.clientVersion = checkVersion(clientVersion);
+        this.serverVersion = checkVersion(serverVersion);
+        if (encodedSecret == null || encodedSecret.length != 48) {
+            throw new IllegalArgumentException(
+                        "Encoded secret is not exactly 48 bytes");
+        }
+        this.encodedSecret = encodedSecret.clone();
     }
 
     /**
@@ -147,4 +176,13 @@
         }
         return version;
     }
+
+    /**
+     * Returns the encoded secret.
+     *
+     * @return the encoded secret, may be null if no encoded secret.
+     */
+    public byte[] getEncodedSecret() {
+        return encodedSecret == null ? null : encodedSecret.clone();
+    }
 }
--- a/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5NameElement.java	Thu Jul 16 16:54:12 2015 -0700
@@ -28,7 +28,10 @@
 import org.ietf.jgss.*;
 import sun.security.jgss.spi.*;
 import sun.security.krb5.PrincipalName;
+import sun.security.krb5.Realm;
 import sun.security.krb5.KrbException;
+
+import javax.security.auth.kerberos.ServicePermission;
 import java.io.UnsupportedEncodingException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -126,6 +129,18 @@
             throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
         }
 
+        if (principalName.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                try {
+                    sm.checkPermission(new ServicePermission(
+                            "@" + principalName.getRealmAsString(), "-"));
+                } catch (SecurityException se) {
+                    // Do not chain the actual exception to hide info
+                    throw new GSSException(GSSException.FAILURE);
+                }
+            }
+        }
         return new Krb5NameElement(principalName, gssNameStr, gssNameType);
     }
 
@@ -198,7 +213,7 @@
      * If either name denotes an anonymous principal, the call should
      * return false.
      *
-     * @param name to be compared with
+     * @param other to be compared with
      * @returns true if they both refer to the same entity, else false
      * @exception GSSException with major codes of BAD_NAMETYPE,
      *  BAD_NAME, FAILURE
--- a/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/jgss/wrapper/GSSNameElement.java	Thu Jul 16 16:54:12 2015 -0700
@@ -30,6 +30,7 @@
 import java.security.Security;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import sun.security.krb5.Realm;
 import sun.security.jgss.GSSUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.util.DerInputStream;
@@ -38,6 +39,8 @@
 import sun.security.jgss.GSSExceptionImpl;
 import sun.security.jgss.spi.GSSNameSpi;
 
+import javax.security.auth.kerberos.ServicePermission;
+
 /**
  * This class is essentially a wrapper class for the gss_name_t
  * structure of the native GSS library.
@@ -150,6 +153,26 @@
         pName = cStub.importName(name, nameType);
         setPrintables();
 
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null && !Realm.AUTODEDUCEREALM) {
+            String krbName = getKrbName();
+            int atPos = krbName.lastIndexOf('@');
+            if (atPos != -1) {
+                String atRealm = krbName.substring(atPos);
+                if (nameType.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL)
+                        && new String(nameBytes).endsWith(atRealm)) {
+                    // Created from Kerberos name with realm, no need to check
+                } else {
+                    try {
+                        sm.checkPermission(new ServicePermission(atRealm, "-"));
+                    } catch (SecurityException se) {
+                        // Do not chain the actual exception to hide info
+                        throw new GSSException(GSSException.FAILURE);
+                    }
+                }
+            }
+        }
+
         SunNativeProvider.debug("Imported " + printableName + " w/ type " +
                                 printableType);
     }
--- a/src/share/classes/sun/security/krb5/KrbServiceLocator.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/krb5/KrbServiceLocator.java	Thu Jul 16 16:54:12 2015 -0700
@@ -25,6 +25,11 @@
 
 package sun.security.krb5;
 
+import sun.security.krb5.internal.Krb5;
+
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.Random;
@@ -52,6 +57,8 @@
 
     private static final Random random = new Random();
 
+    private static final boolean DEBUG = Krb5.DEBUG;
+
     private KrbServiceLocator() {
     }
 
@@ -62,8 +69,7 @@
      * Information on the mapping of DNS hostnames and domain names
      * to Kerberos realms is stored using DNS TXT records
      *
-     * @param domainName A string domain name.
-     * @param environment The possibly null environment of the context.
+     * @param realmName A string realm name.
      * @return An ordered list of hostports for the Kerberos service or null if
      *          the service has not been located.
      */
@@ -81,8 +87,18 @@
             if (!(ctx instanceof DirContext)) {
                 return null; // cannot create a DNS context
             }
-            Attributes attrs =
-                ((DirContext)ctx).getAttributes(dnsUrl, SRV_TXT_ATTR);
+            Attributes attrs = null;
+            try {
+                // both connect and accept are needed since DNS is thru UDP
+                attrs = AccessController.doPrivileged(
+                        (PrivilegedExceptionAction<Attributes>)
+                                () -> ((DirContext)ctx).getAttributes(
+                                        dnsUrl, SRV_TXT_ATTR),
+                        null,
+                        new java.net.SocketPermission("*", "connect,accept"));
+            } catch (PrivilegedActionException e) {
+                throw (NamingException)e.getCause();
+            }
             Attribute attr;
 
             if (attrs != null && ((attr = attrs.get(SRV_TXT)) != null)) {
@@ -124,7 +140,8 @@
      * Queries DNS for a list of KERBEROS Service Location Records (SRV) for a
      * given domain name.
      *
-     * @param domainName A string domain name.
+     * @param realmName A string realm name.
+     * @param protocol the protocol string, can be "_udp" or "_tcp"
      * @return An ordered list of hostports for the Kerberos service or null if
      *          the service has not been located.
      */
@@ -142,8 +159,20 @@
             if (!(ctx instanceof DirContext)) {
                 return null; // cannot create a DNS context
             }
-            Attributes attrs =
-                ((DirContext)ctx).getAttributes(dnsUrl, SRV_RR_ATTR);
+
+            Attributes attrs = null;
+            try {
+                // both connect and accept are needed since DNS is thru UDP
+                attrs = AccessController.doPrivileged(
+                        (PrivilegedExceptionAction<Attributes>)
+                                () -> ((DirContext)ctx).getAttributes(
+                                        dnsUrl, SRV_RR_ATTR),
+                        null,
+                        new java.net.SocketPermission("*", "connect,accept"));
+            } catch (PrivilegedActionException e) {
+                throw (NamingException)e.getCause();
+            }
+
             Attribute attr;
 
             if (attrs != null && ((attr = attrs.get(SRV_RR)) != null)) {
--- a/src/share/classes/sun/security/krb5/PrincipalName.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/krb5/PrincipalName.java	Thu Jul 16 16:54:12 2015 -0700
@@ -123,6 +123,13 @@
      */
     private final Realm nameRealm;      // not null
 
+
+    /**
+     * When constructing a PrincipalName, whether the realm is included in
+     * the input, or deduced from default realm or domain-realm mapping.
+     */
+    private final boolean realmDeduced;
+
     // cached default salt, not used in clone
     private transient String salt = null;
 
@@ -143,6 +150,7 @@
         this.nameType = nameType;
         this.nameStrings = nameStrings.clone();
         this.nameRealm = nameRealm;
+        this.realmDeduced = false;
     }
 
     // This method is called by Windows NativeCred.c
@@ -150,11 +158,6 @@
         this(KRB_NT_UNKNOWN, nameParts, new Realm(realm));
     }
 
-    public PrincipalName(String[] nameParts, int type)
-            throws IllegalArgumentException, RealmException {
-        this(type, nameParts, Realm.getDefault());
-    }
-
     // Validate a nameStrings argument
     private static void validateNameStrings(String[] ns) {
         if (ns == null) {
@@ -226,7 +229,7 @@
      * <a href="http://www.ietf.org/rfc/rfc4120.txt">
      * http://www.ietf.org/rfc/rfc4120.txt</a>.
      *
-     * @param encoding a Der-encoded data.
+     * @param encoding DER-encoded PrincipalName (without Realm)
      * @param realm the realm for this name
      * @exception Asn1Exception if an error occurs while decoding
      * an ASN1 encoded data.
@@ -240,6 +243,7 @@
         if (realm == null) {
             throw new IllegalArgumentException("Null realm not allowed");
         }
+        realmDeduced = false;
         nameRealm = realm;
         DerValue der;
         if (encoding == null) {
@@ -394,6 +398,10 @@
         if (realm == null) {
             realm = Realm.parseRealmAtSeparator(name);
         }
+
+        // No realm info from parameter and string, must deduce later
+        realmDeduced = realm == null;
+
         switch (type) {
         case KRB_NT_SRV_HST:
             if (nameParts.length >= 2) {
@@ -413,8 +421,8 @@
                                 hostName.toLowerCase(Locale.ENGLISH)+".")) {
                         hostName = canonicalized;
                     }
-                } catch (UnknownHostException e) {
-                    // no canonicalization, use old
+                } catch (UnknownHostException | SecurityException e) {
+                    // not canonicalized or no permission to do so, use old
                 }
                 nameParts[1] = hostName.toLowerCase(Locale.ENGLISH);
             }
@@ -680,4 +688,7 @@
         return result;
     }
 
+    public boolean isRealmDeduced() {
+        return realmDeduced;
+    }
 }
--- a/src/share/classes/sun/security/krb5/Realm.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/krb5/Realm.java	Thu Jul 16 16:54:12 2015 -0700
@@ -47,6 +47,12 @@
  * This class is immutable.
  */
 public class Realm implements Cloneable {
+
+    public static final boolean AUTODEDUCEREALM =
+        java.security.AccessController.doPrivileged(
+                new sun.security.action.GetBooleanAction(
+                        "sun.security.krb5.autodeducerealm"));
+
     private final String realm; // not null nor empty
 
     public Realm(String name) throws RealmException {
--- a/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java	Thu Jul 16 16:54:12 2015 -0700
@@ -146,8 +146,9 @@
         }
         try {
             return new PrincipalName(
+                    type,
                     result.toArray(new String[result.size()]),
-                    type);
+                    Realm.getDefault());
         } catch (RealmException re) {
             return null;
         }
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1041,20 +1041,17 @@
                 boolean signFlag = true;
                 List<? extends Certificate> cpList =
                     cpbr.getCertPath().getCertificates();
-                if (cpList.isEmpty()) {
-                    return;
-                }
                 try {
-                    for (int i = cpList.size()-1; i >= 0; i-- ) {
-                        X509Certificate cert = (X509Certificate)cpList.get(i);
+                    for (int i = cpList.size() - 1; i >= 0; i--) {
+                        X509Certificate cert = (X509Certificate) cpList.get(i);
 
                         if (debug != null) {
                             debug.println("RevocationChecker.buildToNewKey()"
-                                          + " index " + i + " checking "
-                                          + cert);
+                                    + " index " + i + " checking "
+                                    + cert);
                         }
                         checkCRLs(cert, prevKey2, null, signFlag, true,
-                                  stackedCerts, newAnchors);
+                                stackedCerts, newAnchors);
                         signFlag = certCanSignCrl(cert);
                         prevKey2 = cert.getPublicKey();
                     }
@@ -1073,8 +1070,10 @@
                 // If it doesn't check out, try to find a different key.
                 // And if we can't find a key, then return false.
                 PublicKey newKey = cpbr.getPublicKey();
+                X509Certificate newCert = cpList.isEmpty() ?
+                    null : (X509Certificate) cpList.get(0);
                 try {
-                    checkCRLs(currCert, newKey, (X509Certificate) cpList.get(0),
+                    checkCRLs(currCert, newKey, newCert,
                               true, false, null, params.trustAnchors());
                     // If that passed, the cert is OK!
                     return;
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java	Thu Jul 16 16:54:12 2015 -0700
@@ -620,6 +620,9 @@
                 }
             } else {
                 // we wanted to resume, but the server refused
+                //
+                // Invalidate the session in case of reusing next time.
+                session.invalidate();
                 session = null;
                 if (!enableNewSession) {
                     throw new SSLException("New session creation is disabled");
--- a/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Thu Jul 16 16:54:12 2015 -0700
@@ -111,14 +111,41 @@
             }
         }
 
+        boolean needFailover = false;
+        byte[] encoded = null;
         try {
             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-            cipher.init(Cipher.UNWRAP_MODE, privateKey,
-                    new TlsRsaPremasterSecretParameterSpec(
-                            maxVersion.v, currentVersion.v),
-                    generator);
-            preMaster = (SecretKey)cipher.unwrap(encrypted,
-                                "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            needFailover = !KeyUtil.isOracleJCEProvider(
+                                        cipher.getProvider().getName());
+            if (needFailover) {
+                cipher.init(Cipher.DECRYPT_MODE, privateKey);
+                encoded = cipher.doFinal(encrypted);
+                encoded = KeyUtil.checkTlsPreMasterSecretKey(
+                                maxVersion.v, currentVersion.v,
+                                generator, encoded, false);
+                preMaster = generatePreMasterSecret(
+                                maxVersion.v, currentVersion.v,
+                                encoded, generator);
+            } else {
+                cipher.init(Cipher.UNWRAP_MODE, privateKey,
+                        new TlsRsaPremasterSecretParameterSpec(
+                                maxVersion.v, currentVersion.v),
+                        generator);
+                preMaster = (SecretKey)cipher.unwrap(encrypted,
+                        "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            }
+        } catch (BadPaddingException bpe) {
+            if (needFailover) {
+                encoded = KeyUtil.checkTlsPreMasterSecretKey(
+                                maxVersion.v, currentVersion.v,
+                                generator, null, false);
+                preMaster = generatePreMasterSecret(
+                                maxVersion.v, currentVersion.v,
+                                encoded, generator);
+            } else {
+                //  Otherwise, unlikely to happen
+                throw new RuntimeException("Unexpected exception", bpe);
+            }
         } catch (InvalidKeyException ibk) {
             // the message is too big to process with RSA
             throw new SSLProtocolException(
@@ -133,6 +160,35 @@
         }
     }
 
+    // generate a premaster secret with the specified version number
+    @SuppressWarnings("deprecation")
+    private static SecretKey generatePreMasterSecret(
+            int clientVersion, int serverVersion,
+            byte[] encodedSecret, SecureRandom generator) {
+
+        if (debug != null && Debug.isOn("handshake")) {
+            System.out.println("Generating a premaster secret");
+        }
+
+        try {
+            String s = ((clientVersion >= ProtocolVersion.TLS12.v) ?
+                "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
+            KeyGenerator kg = JsseJce.getKeyGenerator(s);
+            kg.init(new TlsRsaPremasterSecretParameterSpec(
+                    clientVersion, serverVersion, encodedSecret),
+                    generator);
+            return kg.generateKey();
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret generation error:");
+                iae.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate premaster secret", iae);
+        }
+    }
+
     @Override
     int messageType() {
         return ht_client_key_exchange;
--- a/src/share/classes/sun/security/util/KeyUtil.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/classes/sun/security/util/KeyUtil.java	Thu Jul 16 16:54:12 2015 -0700
@@ -144,8 +144,6 @@
 
     /**
      * Returns whether the specified provider is Oracle provider or not.
-     * <P>
-     * Note that this method is only apply to SunJCE and SunPKCS11 at present.
      *
      * @param  providerName
      *         the provider name
@@ -153,8 +151,11 @@
      *         {@code providerName} is Oracle provider
      */
     public static final boolean isOracleJCEProvider(String providerName) {
-        return providerName != null && (providerName.equals("SunJCE") ||
-                                        providerName.startsWith("SunPKCS11"));
+        return providerName != null &&
+                (providerName.equals("SunJCE") ||
+                    providerName.equals("SunMSCAPI") ||
+                    providerName.equals("OracleUcrypto") ||
+                    providerName.startsWith("SunPKCS11"));
     }
 
     /**
--- a/src/share/lib/security/java.security-linux	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/lib/security/java.security-linux	Thu Jul 16 16:54:12 2015 -0700
@@ -481,7 +481,7 @@
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
--- a/src/share/lib/security/java.security-macosx	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/lib/security/java.security-macosx	Thu Jul 16 16:54:12 2015 -0700
@@ -484,7 +484,7 @@
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
--- a/src/share/lib/security/java.security-solaris	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/lib/security/java.security-solaris	Thu Jul 16 16:54:12 2015 -0700
@@ -483,7 +483,7 @@
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
--- a/src/share/lib/security/java.security-windows	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/share/lib/security/java.security-windows	Thu Jul 16 16:54:12 2015 -0700
@@ -484,7 +484,7 @@
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
--- a/src/windows/native/sun/bridge/AccessBridgeDebug.cpp	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/windows/native/sun/bridge/AccessBridgeDebug.cpp	Thu Jul 16 16:54:12 2015 -0700
@@ -36,39 +36,6 @@
 extern "C" {
 #endif
 
-/**
- * print a GetLastError message
- */
-char *printError(char *msg) {
-    LPVOID lpMsgBuf = NULL;
-    static char retbuf[256];
-
-    if (msg != NULL) {
-        strncpy((char *)retbuf, msg, sizeof(retbuf));
-    }
-    if (!FormatMessage(
-                       FORMAT_MESSAGE_ALLOCATE_BUFFER |
-                       FORMAT_MESSAGE_FROM_SYSTEM |
-                       FORMAT_MESSAGE_IGNORE_INSERTS,
-                       NULL,
-                       GetLastError(),
-                       MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
-                       (LPTSTR) &lpMsgBuf,
-                       0,
-                       NULL ))
-        {
-            PrintDebugString("  %s: FormatMessage failed", msg);
-        } else {
-            PrintDebugString("  %s: %s", msg, (char *)lpMsgBuf);
-        }
-    if (lpMsgBuf != NULL) {
-        strncat((char *)retbuf, ": ", sizeof(retbuf) - strlen(retbuf) - 1);
-        strncat((char *)retbuf, (char *)lpMsgBuf, sizeof(retbuf) - strlen(retbuf) - 1);
-    }
-    return (char *)retbuf;
-}
-
-
     /**
      * Send debugging info to the appropriate place
      */
--- a/src/windows/native/sun/bridge/AccessBridgeDebug.h	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/windows/native/sun/bridge/AccessBridgeDebug.h	Thu Jul 16 16:54:12 2015 -0700
@@ -49,7 +49,6 @@
 extern "C" {
 #endif
 
-    char *printError(char *msg);
     void PrintDebugString(char *msg, ...);
     void PrintJavaDebugString(char *msg, ...);
     void wPrintJavaDebugString(wchar_t *msg, ...);
--- a/src/windows/native/sun/bridge/WinAccessBridge.cpp	Thu Jul 16 14:23:13 2015 -0700
+++ b/src/windows/native/sun/bridge/WinAccessBridge.cpp	Thu Jul 16 16:54:12 2015 -0700
@@ -262,34 +262,6 @@
     theWindowsAccessBridge = this;
     isVMInstanceChainInUse = false;
 
-
-    // notify the user if new JVMs are found
-    /*
-      newJVMs = (char **)malloc(MAX_NEW_JVMS_FOUND);
-      for (int i = 0; i < MAX_NEW_JVMS_FOUND; i++) {
-      newJVMs[i] = (char *)malloc(SHORT_STRING_SIZE);
-      newJVMs[i][0] = 0;
-      }
-
-      BOOL newJ2SEFound = findNewJVMs(J2SE_REG_PATH, newJVMs);
-      BOOL newJ2REFound = TRUE; // findNewJVMs(J2RE_REG_PATH, newJVMs);
-
-      if (newJ2SEFound || newJ2REFound) {
-
-      int result = DialogBox(windowsInstance,
-      "FOUNDNEWJVMDIALOG",
-      NULL,
-      (DLGPROC)newJVMFoundDialogProc);
-      if (result < 0) {
-      printError("DialogBox failed");
-      }
-
-      PrintDebugString("  FOUNDNEWJVMDIALOG: result = %d", result);
-
-      ShowWindow((HWND)result, SW_SHOW);
-      }
-    */
-
     ShowWindow(theDialogWindow, SW_SHOW);
 }
 
--- a/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,12 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  * @bug 6852744
@@ -234,6 +240,10 @@
 
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
 
         X509CertSelector selector = generateSelector(args[0]);
--- a/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,12 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  * @bug 6852744
@@ -277,6 +283,10 @@
 
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
 
         X509CertSelector selector = generateSelector(args[0]);
--- a/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,12 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  * @bug 6852744
@@ -283,6 +289,10 @@
 
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
 
         X509CertSelector selector = generateSelector(args[0]);
--- a/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,12 +21,19 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  * @bug 5072953
  * @summary Verify that the URL for an OCSP responder can be extracted from a
  *          certificate's AuthorityInfoAccess extension when OCSP certifiate
  *          validation has been enabled.
+ * @run main/othervm AIACheck
  */
 
 import java.io.*;
@@ -51,6 +58,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         X509Certificate aiaCert = loadCertificate("AIACert.pem");
         X509Certificate rootCert = loadCertificate("RootCert.pem");
 
--- a/test/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,16 +21,24 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  * @bug 6383095
  * @summary CRL revoked certificate failures masked by OCSP failures
- *
+ * @run main/othervm FailoverToCRL
+ * @author Xuelei Fan
+ */
+
+/*
  * Note that the certificate validity is from Mar 16 14:55:35 2009 GMT to
  * Dec 1 14:55:35 2028 GMT, please update it with newer certificate if
  * expires.
- *
- * @author Xuelei Fan
  */
 
 /*
@@ -229,6 +237,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPath path = generateCertificatePath();
         Set<TrustAnchor> anchors = generateTrustAnchors();
         CertStore crls = generateCertificateStore();
--- a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,11 +21,18 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  *
  * @bug 6720721
  * @summary CRL check with circular depency support needed
+ * @run main/othervm CircularCRLOneLevel
  * @author Xuelei Fan
  */
 
@@ -158,6 +165,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPath path = generateCertificatePath();
         Set<TrustAnchor> anchors = generateTrustAnchors();
         CertStore crls = generateCertificateStore();
--- a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,11 +21,18 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  *
  * @bug 6720721
  * @summary CRL check with circular depency support needed
+ * @run main/othervm CircularCRLOneLevelRevoked
  * @author Xuelei Fan
  */
 
@@ -159,6 +166,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPath path = generateCertificatePath();
         Set<TrustAnchor> anchors = generateTrustAnchors();
         CertStore crls = generateCertificateStore();
--- a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,11 +21,18 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  *
  * @bug 6720721
  * @summary CRL check with circular depency support needed
+ * @run main/othervm CircularCRLTwoLevel
  * @author Xuelei Fan
  */
 
@@ -210,6 +217,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPath path = generateCertificatePath();
         Set<TrustAnchor> anchors = generateTrustAnchors();
         CertStore crls = generateCertificateStore();
--- a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,11 +21,18 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /**
  * @test
  *
  * @bug 6720721
  * @summary CRL check with circular depency support needed
+ * @run main/othervm CircularCRLTwoLevelRevoked
  * @author Xuelei Fan
  */
 
@@ -211,6 +218,10 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         CertPath path = generateCertificatePath();
         Set<TrustAnchor> anchors = generateTrustAnchors();
         CertStore crls = generateCertificateStore();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/xml/jaxp/transform/8079323/TemplatesTest.java	Thu Jul 16 16:54:12 2015 -0700
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8079323
+ * @summary This file contains tests for Templates.
+ * @run testng/othervm TemplatesTest
+ */
+
+import java.io.ByteArrayOutputStream;
+import java.io.NotSerializableException;
+import java.io.ObjectOutputStream;
+import java.io.StringReader;
+import javax.xml.transform.Templates;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamSource;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+public class TemplatesTest {
+
+    /**
+     * bug 8079323 Test Templates serialization
+     * <p>
+     * Serialization compatibility test: verify that serializing the Templates
+     * that contain auxiliary classes will result in a NotSerializableException
+     * due to the use of Xalan's non-serializable Hashtable.
+     *
+     * @param templates an instance of Templates
+     * @throws Exception as expected.
+     */
+    @Test(dataProvider = "templates", expectedExceptions = NotSerializableException.class)
+    public void testSerialization(Templates templates) throws Exception {
+        Transformer xformer = templates.newTransformer();
+        try (ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
+                ObjectOutputStream out = new ObjectOutputStream(byteOut);) {
+            out.writeObject(templates);
+            out.flush();
+        }
+    }
+
+    /*
+     * DataProvider: Templates
+     */
+    @DataProvider(name = "templates")
+    Object[][] getTemplates() throws Exception {
+        return new Object[][]{{TransformerFactory.newInstance().
+                newTemplates(new StreamSource(new StringReader(XSL)))}};
+    }
+
+    static final String XSL = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
+            + "<xsl:stylesheet version=\"1.0\""
+            + "      xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
+            + "<xsl:variable name=\"validAffectsRelClasses\">"
+            + "</xsl:variable>"
+            + "<xsl:key name=\"UniqueAffectsRelObjects\""
+            + "      match=\"/ObjectSetRoot/Object["
+            + "      contains($validAffectsRelClasses, @Class)]\""
+            + "      use=\"not(@OBID=preceding-sibling::Object["
+            + "      contains($validAffectsRelClasses, @Class)]/@OBID)\"/>"
+            + "</xsl:stylesheet>";
+}
--- a/test/sun/security/krb5/auto/KDC.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/krb5/auto/KDC.java	Thu Jul 16 16:54:12 2015 -0700
@@ -858,8 +858,9 @@
 
         PrincipalName service = asReq.reqBody.sname;
         if (options.containsKey(KDC.Option.RESP_NT)) {
-            service = new PrincipalName(service.getNameStrings(),
-                    (int)options.get(KDC.Option.RESP_NT));
+            service = new PrincipalName((int)options.get(KDC.Option.RESP_NT),
+                    service.getNameStrings(),
+                    Realm.getDefault());
         }
         try {
             System.out.println(realm + "> " + asReq.reqBody.cname +
--- a/test/sun/security/krb5/auto/SSL.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/krb5/auto/SSL.java	Thu Jul 16 16:54:12 2015 -0700
@@ -77,7 +77,10 @@
             return;
         }
         ServicePermission p = (ServicePermission)perm;
-        permChecks = permChecks + p.getActions().toUpperCase().charAt(0);
+        // ServicePermissions required to create GSSName are ignored
+        if (!p.getActions().isEmpty()) {
+            permChecks = permChecks + p.getActions().toUpperCase().charAt(0);
+        }
     }
 
     public static void main(String[] args) throws Exception {
--- a/test/sun/security/krb5/name/Constructors.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/krb5/name/Constructors.java	Thu Jul 16 16:54:12 2015 -0700
@@ -40,22 +40,22 @@
 
         // Good ones
         type = PrincipalName.KRB_NT_UNKNOWN;
-        checkName("a", type, "R", "R", "a");
-        checkName("a@R2", type, "R", "R", "a");
-        checkName("a/b", type, "R", "R", "a", "b");
-        checkName("a/b@R2", type, "R", "R", "a", "b");
-        checkName("a/b/c", type, "R", "R", "a", "b", "c");
-        checkName("a/b/c@R2", type, "R", "R", "a", "b", "c");
+        checkName("a", type, "R", "R", false, "a");
+        checkName("a@R2", type, "R", "R", false, "a");
+        checkName("a/b", type, "R", "R", false, "a", "b");
+        checkName("a/b@R2", type, "R", "R", false, "a", "b");
+        checkName("a/b/c", type, "R", "R", false, "a", "b", "c");
+        checkName("a/b/c@R2", type, "R", "R", false, "a", "b", "c");
         // Weird ones
-        checkName("a\\/b", type, "R", "R", "a/b");
-        checkName("a\\/b\\/c", type, "R", "R", "a/b/c");
-        checkName("a\\/b\\@R2", type, "R", "R", "a/b@R2");
+        checkName("a\\/b", type, "R", "R", false, "a/b");
+        checkName("a\\/b\\/c", type, "R", "R", false, "a/b/c");
+        checkName("a\\/b\\@R2", type, "R", "R", false, "a/b@R2");
         // Bad ones
-        checkName("a", type, "", null);
-        checkName("a/", type, "R", null);
-        checkName("/a", type, "R", null);
-        checkName("a//b", type, "R", null);
-        checkName("a@", type, null, null);
+        checkName("a", type, "", null, false);
+        checkName("a/", type, "R", null, false);
+        checkName("/a", type, "R", null, false);
+        checkName("a//b", type, "R", null, false);
+        checkName("a@", type, null, null, false);
         type = PrincipalName.KRB_NT_SRV_HST;
 
         // Part 2: on realm choices
@@ -77,17 +77,17 @@
 
         if (testNoDefaultDomain) {
             type = PrincipalName.KRB_NT_UNKNOWN;
-            checkName("a", type, "R1", "R1", "a");      // arg
-            checkName("a@R1", type, null, "R1", "a");   // or r in name
-            checkName("a@R2", type, "R1", "R1", "a");   // arg over r
-            checkName("a", type, null, null);      // fail if none
-            checkName("a/b@R1", type, null, "R1", "a", "b");
+            checkName("a", type, "R1", "R1", false, "a");      // arg
+            checkName("a@R1", type, null, "R1", false, "a");   // or r in name
+            checkName("a@R2", type, "R1", "R1", false, "a");   // arg over r
+            checkName("a", type, null, null, false);      // fail if none
+            checkName("a/b@R1", type, null, "R1", false, "a", "b");
             type = PrincipalName.KRB_NT_SRV_HST;
             // Let's pray "b.h" won't be canonicalized
-            checkName("a/b.h", type, "R1", "R1", "a", "b.h");    // arg
-            checkName("a/b.h@R1", type, null, "R1", "a", "b.h"); // or r in name
-            checkName("a/b.h@R1", type, "R2", "R2", "a", "b.h"); // arg over r
-            checkName("a/b.h", type, null, null);    // fail if none
+            checkName("a/b.h", type, "R1", "R1", false, "a", "b.h");    // arg
+            checkName("a/b.h@R1", type, null, "R1", false, "a", "b.h"); // or r in name
+            checkName("a/b.h@R1", type, "R2", "R2", false, "a", "b.h"); // arg over r
+            checkName("a/b.h", type, null, null, false);    // fail if none
         }
 
         // When there is default realm
@@ -96,25 +96,25 @@
         Config.refresh();
 
         type = PrincipalName.KRB_NT_UNKNOWN;
-        checkName("a", type, "R1", "R1", "a");      // arg
-        checkName("a@R1", type, null, "R1", "a");   // or r in name
-        checkName("a@R2", type, "R1", "R1", "a");   // arg over r
-        checkName("a", type, null, "R", "a");       // default
-        checkName("a/b", type, null, "R", "a", "b");
+        checkName("a", type, "R1", "R1", false, "a");      // arg
+        checkName("a@R1", type, null, "R1", false, "a");   // or r in name
+        checkName("a@R2", type, "R1", "R1", false, "a");   // arg over r
+        checkName("a", type, null, "R", true, "a");       // default
+        checkName("a/b", type, null, "R", true, "a", "b");
         type = PrincipalName.KRB_NT_SRV_HST;
-        checkName("a/b.h3", type, "R1", "R1", "a", "b.h3");     // arg
-        checkName("a/b.h@R1", type, null, "R1", "a", "b.h");    // or r in name
-        checkName("a/b.h3@R2", type, "R1", "R1", "a", "b.h3");  // arg over r
-        checkName("a/b.h2", type, "R1", "R1", "a", "b.h2");     // arg over map
-        checkName("a/b.h2@R1", type, null, "R1", "a", "b.h2");  // r over map
-        checkName("a/b.h2", type, null, "R2", "a", "b.h2");     // map
-        checkName("a/b.h", type, null, "R", "a", "b.h");        // default
+        checkName("a/b.h3", type, "R1", "R1", false, "a", "b.h3");     // arg
+        checkName("a/b.h@R1", type, null, "R1", false, "a", "b.h");    // or r in name
+        checkName("a/b.h3@R2", type, "R1", "R1", false, "a", "b.h3");  // arg over r
+        checkName("a/b.h2", type, "R1", "R1", false, "a", "b.h2");     // arg over map
+        checkName("a/b.h2@R1", type, null, "R1", false, "a", "b.h2");  // r over map
+        checkName("a/b.h2", type, null, "R2", true, "a", "b.h2");     // map
+        checkName("a/b.h", type, null, "R", true, "a", "b.h");        // default
     }
 
     // Check if the creation matches the expected output.
     // Note: realm == null means creation failure
     static void checkName(String n, int t, String s,
-            String realm, String... parts)
+            String realm, boolean deduced, String... parts)
             throws Exception {
         PrincipalName pn = null;
         try {
@@ -131,5 +131,8 @@
             throw new Exception(pn.toString() + " vs "
                     + Arrays.toString(parts) + "@" + realm);
         }
+        if (deduced != pn.isRealmDeduced()) {
+            throw new Exception("pn.realmDeduced is " + pn.isRealmDeduced());
+        }
     }
 }
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Thu Jul 16 16:54:12 2015 -0700
@@ -58,6 +58,10 @@
 
     public void main(Provider p) throws Exception {
         String testWithoutSunEC = System.getProperty("testWithoutSunEC");
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (p.getService("KeyFactory", "EC") == null) {
             System.out.println("Provider does not support EC, skipping");
             return;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilderWithMD5.java	Thu Jul 16 16:54:12 2015 -0700
@@ -0,0 +1,449 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+// This test case relies on static security property, no way to re-use
+// security property in samevm/agentvm mode.
+
+/**
+ * @test
+ *
+ * @bug 8030829
+ * @summary Add MD5 to jdk.certpath.disabledAlgorithms security property
+ *
+ * @run main/othervm CPBuilderWithMD5 trustAnchor_SHA1withRSA_1024 0 true
+ * @run main/othervm CPBuilderWithMD5 trustAnchor_SHA1withRSA_512  0 true
+ * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_1024_1024 1 true
+ * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_1024_512  1 false
+ * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_512_1024  1 false
+ * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_512_512  1 false
+ * @run main/othervm CPBuilderWithMD5 intermediate_MD5withRSA_1024_1024  1 false
+ * @run main/othervm CPBuilderWithMD5 intermediate_MD5withRSA_1024_512  1 false
+ * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_1024_1024  2 true
+ * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_1024_512  2 false
+ * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_512_1024  2 false
+ * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_512_512  2 false
+ * @run main/othervm CPBuilderWithMD5 endentiry_MD5withRSA_1024_1024  2 false
+ * @run main/othervm CPBuilderWithMD5 endentiry_MD5withRSA_1024_512  2 false
+ *
+ * @author Xuelei Fan
+ */
+
+/*
+ * The generate.sh was designed to generate MD2 signed certificates.  The
+ * certificates used in this test are generated by an updated generate.sh that
+ * replacing MD2 with MD5 algorithm.
+ */
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import sun.security.util.DerInputStream;
+
+public class CPBuilderWithMD5 {
+
+    // SHA1withRSA 1024
+    static String trustAnchor_SHA1withRSA_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA4NTFaFw0zNDEyMDgxMTA4NTFa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDn3JSHACqi/bcohVy7eFqDs3L5ehnXmF9Jrg4rMRUeNrxA\n" +
+        "61F8bJ9JXx4j8WyqmT0TtokgXuqGxbsXRQVVw4AdXLF2PwCs/y+Y+AwU59uDHA3J\n" +
+        "AMk4VvjV9MB2Ea6YzuLnbbj/TNrfxB6LZ7KBvh0fYGt2T40yMvOvilU/f6e3zQID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBSIxINDFVm8GpUz3v+BbWNmDEKP7TBHBgNVHSME\n" +
+        "QDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEFBQADgYEAt0mYDXTpInrGvEOylIL2gx65A/bpdz9iDQsSs5sZ\n" +
+        "r3m0v9zJnzR8lRqN4GbaD1vrFdkUrIoObcvXjXitnf5QqDzmc9BbIYj83Ft8QSUj\n" +
+        "jCMy04EGT/7ATss4SiFEu6sJpmOBjsgH6wYuobR27wl/01XOu2CXUo3OOjgAoPBs\n" +
+        "QoQ=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512
+    static String trustAnchor_SHA1withRSA_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBuTCCAWOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA4NTFaFw0zNDEyMDgxMTA4NTFa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMFwwDQYJKoZIhvcNAQEB\n" +
+        "BQADSwAwSAJBANLqQkOpH7rBTo/a2ccYjJxvNib/Lxm6UXO1uAd/0AUzPWzJsOpB\n" +
+        "u2zyD26UYc0GNyXCkWMZ44FrtSQ8VI146j8CAwEAAaOBiTCBhjAdBgNVHQ4EFgQU\n" +
+        "5PVLxBY//smN31jHb/MAmCEz5NIwRwYDVR0jBEAwPoAU5PVLxBY//smN31jHb/MA\n" +
+        "mCEz5NKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMA8G\n" +
+        "A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA0EAzF9E\n" +
+        "dXYPLqziCRY45IHCUtxaLjLQmwsjEu91TV4xyuuozGEumcqH7m6Hg6Ohnd1FGfsN\n" +
+        "X+vt1tdaDIu9+OzGjQ==\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 1024
+    static String intermediate_SHA1withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" +
+        "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" +
+        "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" +
+        "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" +
+        "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEA0673aIUF2k20jkpR\n" +
+        "4USN9UkbfX57Uazhl4n765EeAiteWnTzKztISeH1GTrCw7bSl1r07aaflsnbKOHC\n" +
+        "RrL2RxbxNwQARvuuCxr664vXnsGrt86xA5F2iNF22uDM/5HA5sIfBmEk5xXSLrgH\n" +
+        "I7jOaYqAA1b8C+4DU2Z5ZgO4LOA=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 512
+    static String intermediate_SHA1withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" +
+        "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" +
+        "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" +
+        "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" +
+        "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBTk9UvEFj/+yY3fWMdv8wCYITPk0qEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADQQAihshnF7RWZ13tUGsH\n" +
+        "iM4i8HmBjw2+pwW/cs0E8BcycYEy3beWMcL1Np2yfOa/7K5ZvGPhe/piwzTel+Kt\n" +
+        "5VLm\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 1024
+    static String intermediate_SHA1withRSA_512_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDDCCAXWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK4h/iW3wt+ugR5ObWiFSl394UU/\n" +
+        "lWNm+N6UAgsBRhSzZz/Iof7xZTQI+usNXzOrTnU3+uZsMgokpjkrko1osxUCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQU88OD48Osuh7lJiLnhfMhrySqW8QwRwYDVR0jBEAw\n" +
+        "PoAUiMSDQxVZvBqVM97/gW1jZgxCj+2hI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA4GBAAHN8XUTT6asa1MvpfqAvKTH6tNrMOmzoFsUamPxSrUB\n" +
+        "tnBv/fa/E9+1QvQwl3g6luVXBkQf2/nVD0195IdkEuD/C6psuGKerXmiaRMv5Wcs\n" +
+        "B+8bTzhNxMzHKPZDJ8Tf/RD3XpPvtxw0T+I5xud68FH/WDhJtu7TiXPAhs7srtHt\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 512
+    static String intermediate_SHA1withRSA_512_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIByzCCAXWgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK4h/iW3wt+ugR5ObWiFSl394UU/\n" +
+        "lWNm+N6UAgsBRhSzZz/Iof7xZTQI+usNXzOrTnU3+uZsMgokpjkrko1osxUCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQU88OD48Osuh7lJiLnhfMhrySqW8QwRwYDVR0jBEAw\n" +
+        "PoAU5PVLxBY//smN31jHb/MAmCEz5NKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA0EASLN+1/pfo+9ty5EaYkoPu4QeYGr+5wmXyDceiaED/Lok\n" +
+        "RdV0ZH0qwD4kiarlJssNOgMCk+2EzgvXcIhEMDa5hA==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD5withRSA 1024 signed with RSA 1024
+    static String intermediate_MD5withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBBzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" +
+        "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" +
+        "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" +
+        "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" +
+        "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAerx2je3FBVn2eoPs\n" +
+        "nTzLKILezqCTCO7mXWiyBidRhh4RGdM8JggMN5SRmuwRurxfYFgPfqmAenWtEFqO\n" +
+        "xZrTXQUvIrrEgpzqkfppFnkCh4kDsX4roD5Nho3J4MTBQkqE0r676Yq6Rp6cywCq\n" +
+        "CHQQztRGY7n/ZYRNJ3uzvuoT1tk=\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD5withRSA 1024 signed with RSA 512
+    static String intermediate_MD5withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBCDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MTBaFw0zMzA5MTQxMTA5MTBa\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" +
+        "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" +
+        "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" +
+        "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" +
+        "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBTk9UvEFj/+yY3fWMdv8wCYITPk0qEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADQQA3XGQPNin8cDIsJ4vx\n" +
+        "tTxUO6XVJoWOdTsjwzlMrPmLvjJNZeXLtQe3pQu0vjgyUpQ59VYLW3qKN/LF3UH0\n" +
+        "Ep7V\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 1024
+    static String endentiry_SHA1withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" +
+        "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" +
+        "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" +
+        "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" +
+        "8e7JW1tPUDAfBgNVHSMEGDAWgBQIsaDZL94kLug/A1N4EkNOA4z47DANBgkqhkiG\n" +
+        "9w0BAQUFAAOBgQB2RkWHOaL4WTOGoeTS4J4o9FW+4UXihbocdI/64rMExERjDkE/\n" +
+        "Jh31TEmatnP1gPrF1AfmqQPubqVSbRtCHrZF+Ilk6L6YeyRNzKvsLiMUtgrLYLas\n" +
+        "Vop0DFZxR02xHgaJdoJkcWBjNadb9zG7eZtt8OOOJ4lRwg02aLTy+WDqPA==\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 512
+    static String endentiry_SHA1withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB9jCCAaCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" +
+        "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" +
+        "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" +
+        "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" +
+        "8e7JW1tPUDAfBgNVHSMEGDAWgBTzw4Pjw6y6HuUmIueF8yGvJKpbxDANBgkqhkiG\n" +
+        "9w0BAQUFAANBAIapvjECUm4YD4O99G0v2SM17cKQzjZtSWkScS7FSk4sxS+dP3hM\n" +
+        "Qb2UpoRl6CGynhOVVy2G/VJN8BEqOfywj8k=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 1024
+    static String endentiry_SHA1withRSA_512_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB8zCCAVygAwIBAgIBBDANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" +
+        "DQEBAQUAA0sAMEgCQQCngiNTE+qngHcfj2jUpdc82gCw+TFRjR7oMSdp7b/3NwpD\n" +
+        "E+11z9WspoXTDzvbKcGUH9svFl691NyY0ZUmf+4RAgMBAAGjTzBNMAsGA1UdDwQE\n" +
+        "AwID6DAdBgNVHQ4EFgQUK+oVsFTQbz08evgQZ5Sd82c2y4UwHwYDVR0jBBgwFoAU\n" +
+        "CLGg2S/eJC7oPwNTeBJDTgOM+OwwDQYJKoZIhvcNAQEFBQADgYEAMd/8XnjRz5jK\n" +
+        "nbss9DDQQC2mUuCbV/tGdke7eQ1DtBVZLBU6wDgisGr52sUXmyZIPmSVKpQqwCG5\n" +
+        "8cY5uQhaNwPtPmMMKXzX32zN9NhVkiDNceL+zHs3vdjD1i/QiUTST+NKfLYVb6dF\n" +
+        "YMG65lxe3gMVxMweiHSZSukmk1k3gUA=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 512
+    static String endentiry_SHA1withRSA_512_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBsjCCAVygAwIBAgIBBTANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" +
+        "DQEBAQUAA0sAMEgCQQCngiNTE+qngHcfj2jUpdc82gCw+TFRjR7oMSdp7b/3NwpD\n" +
+        "E+11z9WspoXTDzvbKcGUH9svFl691NyY0ZUmf+4RAgMBAAGjTzBNMAsGA1UdDwQE\n" +
+        "AwID6DAdBgNVHQ4EFgQUK+oVsFTQbz08evgQZ5Sd82c2y4UwHwYDVR0jBBgwFoAU\n" +
+        "88OD48Osuh7lJiLnhfMhrySqW8QwDQYJKoZIhvcNAQEFBQADQQB4xFWtC6ijDBIe\n" +
+        "/Gkf3B9+ycmP52pTPNiPwMS6u1a5vTRXMn5xRDexWfxJKJVZ2s9UR1jheZvWgPC8\n" +
+        "VUWO8bbG\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD5withRSA 1024 signed with RSA 1024
+    static String endentiry_MD5withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBBjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" +
+        "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" +
+        "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" +
+        "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" +
+        "8e7JW1tPUDAfBgNVHSMEGDAWgBQIsaDZL94kLug/A1N4EkNOA4z47DANBgkqhkiG\n" +
+        "9w0BAQQFAAOBgQBCVn9/JQxsRTaKIKSrgB+KtEreat+33k3SXuJICuRxcmvjOXIx\n" +
+        "wSdq+mRCA+DpIPSNtgnDAUyipnyxRxpdmRRUHuRYpkALq4a5QtTJK0Y/CEMfsd2J\n" +
+        "Yd2zKcfynDLW6LVeNdtjlY7fTemJnbA/WImNhwyW55V9vbnk3J04EZN8jw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD5withRSA 1024 signed with RSA 512
+    static String endentiry_MD5withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB9jCCAaCgAwIBAgIBBzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" +
+        "MTNaFw0zMzA5MTQxMTA5MTNaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" +
+        "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" +
+        "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" +
+        "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" +
+        "8e7JW1tPUDAfBgNVHSMEGDAWgBTzw4Pjw6y6HuUmIueF8yGvJKpbxDANBgkqhkiG\n" +
+        "9w0BAQQFAANBAAbZwmkqb6sfiiIxuLnj6PjhJsXGfvPomkkbLu5CapAMhen/p6ZG\n" +
+        "6vh69TbIsBR9UHu7qDyTl5Xax7bmYeW+sDQ=\n" +
+        "-----END CERTIFICATE-----";
+
+    static HashMap<String, String> certmap = new HashMap<String, String>();
+    static {
+        certmap.put("trustAnchor_SHA1withRSA_1024",
+                                    trustAnchor_SHA1withRSA_1024);
+        certmap.put("trustAnchor_SHA1withRSA_512",
+                                    trustAnchor_SHA1withRSA_512);
+        certmap.put("intermediate_SHA1withRSA_1024_1024",
+                                    intermediate_SHA1withRSA_1024_1024);
+        certmap.put("intermediate_SHA1withRSA_1024_512",
+                                    intermediate_SHA1withRSA_1024_512);
+        certmap.put("intermediate_SHA1withRSA_512_1024",
+                                    intermediate_SHA1withRSA_512_1024);
+        certmap.put("intermediate_SHA1withRSA_512_512",
+                                    intermediate_SHA1withRSA_512_512);
+        certmap.put("intermediate_MD5withRSA_1024_1024",
+                                    intermediate_MD5withRSA_1024_1024);
+        certmap.put("intermediate_MD5withRSA_1024_512",
+                                    intermediate_MD5withRSA_1024_512);
+        certmap.put("endentiry_SHA1withRSA_1024_1024",
+                                    endentiry_SHA1withRSA_1024_1024);
+        certmap.put("endentiry_SHA1withRSA_1024_512",
+                                    endentiry_SHA1withRSA_1024_512);
+        certmap.put("endentiry_SHA1withRSA_512_1024",
+                                    endentiry_SHA1withRSA_512_1024);
+        certmap.put("endentiry_SHA1withRSA_512_512",
+                                    endentiry_SHA1withRSA_512_512);
+        certmap.put("endentiry_MD5withRSA_1024_1024",
+                                    endentiry_MD5withRSA_1024_1024);
+        certmap.put("endentiry_MD5withRSA_1024_512",
+                                    endentiry_MD5withRSA_1024_512);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
+
+        ByteArrayInputStream is =
+            new ByteArrayInputStream(trustAnchor_SHA1withRSA_1024.getBytes());
+        Certificate cert = cf.generateCertificate(is);
+        TrustAnchor anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
+        cert = cf.generateCertificate(is);
+        anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        return anchors;
+    }
+
+    private static CertStore generateCertificateStore() throws Exception {
+        Collection entries = new HashSet();
+
+        // generate certificate from certificate string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        for (String key : certmap.keySet()) {
+            String certStr = certmap.get(key);
+            ByteArrayInputStream is =
+                        new ByteArrayInputStream(certStr.getBytes());;
+            Certificate cert = cf.generateCertificate(is);
+            entries.add(cert);
+        }
+
+        return CertStore.getInstance("Collection",
+                            new CollectionCertStoreParameters(entries));
+    }
+
+    private static X509CertSelector generateSelector(String name)
+                throws Exception {
+        X509CertSelector selector = new X509CertSelector();
+
+        String certStr = certmap.get(name);
+        if (certStr == null) {
+            return null;
+        }
+
+        // generate certificate from certificate string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        ByteArrayInputStream is = new ByteArrayInputStream(certStr.getBytes());
+        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
+
+        selector.setCertificate(target);
+
+        return selector;
+    }
+
+    private static boolean match(String name, Certificate cert)
+                throws Exception {
+        X509CertSelector selector = new X509CertSelector();
+
+        String certStr = certmap.get(name);
+        if (certStr == null) {
+            return false;
+        }
+
+        // generate certificate from certificate string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        ByteArrayInputStream is = new ByteArrayInputStream(certStr.getBytes());
+        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
+
+        return target.equals(cert);
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
+
+        X509CertSelector selector = generateSelector(args[0]);
+        if (selector == null) {
+            // no target certificate, ignore it
+            return;
+        }
+
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+        CertStore certs = generateCertificateStore();
+
+        PKIXBuilderParameters params =
+                new PKIXBuilderParameters(anchors, selector);
+        params.addCertStore(certs);
+        params.setRevocationEnabled(false);
+        params.setDate(new Date(114, 9, 1));   // 2014-09-01
+
+        boolean success = Boolean.valueOf(args[2]);
+        try {
+            PKIXCertPathBuilderResult result =
+                        (PKIXCertPathBuilderResult)builder.build(params);
+            if (!success) {
+                throw new Exception("expected algorithm disabled exception");
+            }
+
+            int length = Integer.parseInt(args[1]);
+            List<? extends Certificate> path =
+                                    result.getCertPath().getCertificates();
+            if (length != path.size()) {
+                throw new Exception("unexpected certification path length");
+            }
+
+            if (!path.isEmpty()) {    // the target is not a trust anchor
+                if (!match(args[0], path.get(0))) {
+                    throw new Exception("unexpected certificate");
+                }
+            }
+        } catch (CertPathBuilderException cpbe) {
+            if (success) {
+                throw new Exception("unexpected exception", cpbe);
+            } else {
+                System.out.println("Get the expected exception " + cpbe);
+            }
+        }
+    }
+
+}
--- a/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,15 +21,23 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /*
  * @test
  * @bug 7167988
  * @summary PKIX CertPathBuilder in reverse mode doesn't work if more than
  *          one trust anchor is specified
+ * @run main/othervm ReverseBuild
  */
 import java.io.*;
 import java.util.*;
 import java.security.cert.*;
+import java.security.Security;
 
 import sun.security.provider.certpath.SunCertPathBuilderParameters;
 
@@ -279,6 +287,9 @@
 
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
 
         // generate certificate from cert string
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/MD2InTrustAnchor.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/MD2InTrustAnchor.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,13 +23,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 7113275
  * @summary compatibility issue with MD2 trust anchor and old X509TrustManager
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @run main/othervm MD2InTrustAnchor PKIX TLSv1.1
  * @run main/othervm MD2InTrustAnchor SunX509 TLSv1.1
  * @run main/othervm MD2InTrustAnchor PKIX TLSv1.2
@@ -40,6 +42,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -283,6 +286,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,13 +23,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 7113275
  * @summary compatibility issue with MD2 trust anchor and old X509TrustManager
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @run main/othervm TrustTrustedCert PKIX TLSv1.1
  * @run main/othervm TrustTrustedCert SunX509 TLSv1.1
  * @run main/othervm TrustTrustedCert PKIX TLSv1.2
@@ -336,6 +338,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,11 +21,18 @@
  * questions.
  */
 
+//
+// Security properties, once set, cannot revert to unset.  To avoid
+// conflicts with tests running in the same VM isolate this test by
+// running it in otherVM mode.
+//
+
 /*
  * @test
  * @bug 6302644
  * @summary X509KeyManager implementation for NewSunX509 doesn't return most
  *          preferable key
+ * @run main/othervm PreferredKey
  */
 import java.io.*;
 import java.net.*;
@@ -49,6 +56,10 @@
 
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         KeyStore ks;
         KeyManagerFactory kmf;
         X509KeyManager km;
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,14 +21,16 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 7166570
  * @summary JSSE certificate validation has started to fail for
  *     certificate chains
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @run main/othervm BasicConstraints PKIX
  * @run main/othervm BasicConstraints SunX509
  */
@@ -37,6 +39,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.*;
@@ -454,6 +457,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,21 +21,23 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
 
 /*
  * @test
  * @bug 6916074
  * @summary Add support for TLS 1.2
  * @run main/othervm PKIXExtendedTM
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  */
 
 import java.net.*;
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -791,6 +793,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,15 +21,17 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 6822460
  * @summary support self-issued certificate
  * @run main/othervm SelfIssuedCert PKIX
  * @run main/othervm SelfIssuedCert SunX509
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Xuelei Fan
  */
 
@@ -37,6 +39,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -302,6 +305,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,20 +21,23 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 6916074
  * @summary Add support for TLS 1.2
  * @run main/othervm SunX509ExtendedTM
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  */
 
 import java.net.*;
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -792,6 +795,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,18 +21,21 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 6668231
  * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
  *          fail trusted checks
  * @run main/othervm CriticalSubjectAltName
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
- *
  * @author Xuelei Fan
- *
+ */
+
+/*
  * This test depends on binary keystore, crisubn.jks and trusted.jks. Because
  * JAVA keytool cannot generate X509 certificate with SubjectAltName extension,
  * the certificates are generated with openssl toolkits and then imported into
@@ -47,6 +50,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.cert.Certificate;
 
 public class CriticalSubjectAltName implements HostnameVerifier {
@@ -154,6 +158,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -431,6 +432,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,15 +23,16 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4873188
  * @summary Support TLS 1.1
  * @run main/othervm EmptyCertificateAuthorities
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
- *
  * @author Xuelei Fan
  */
 
@@ -228,6 +229,10 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,13 +21,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /* @test
  * @bug 6766775
  * @summary X509 certificate hostname checking is broken in JDK1.6.0_10
  * @run main/othervm DNSIdentities
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Xuelei Fan
  */
 
@@ -35,6 +37,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -743,6 +746,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,13 +21,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /* @test
  * @summary X509 certificate hostname checking is broken in JDK1.6.0_10
  * @bug 6766775
  * @run main/othervm IPAddressIPIdentities
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Xuelei Fan
  */
 
@@ -35,6 +37,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -744,6 +747,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,13 +21,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /* @test
  * @summary X509 certificate hostname checking is broken in JDK1.6.0_10
  * @bug 6766775
  * @run main/othervm IPIdentities
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Xuelei Fan
  */
 
@@ -35,6 +37,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -743,6 +746,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");
 
--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java	Thu Jul 16 14:23:13 2015 -0700
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java	Thu Jul 16 16:54:12 2015 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,13 +21,15 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /* @test
  * @bug 6766775
  * @summary X509 certificate hostname checking is broken in JDK1.6.0_10
  * @run main/othervm Identities
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  * @author Xuelei Fan
  */
 
@@ -35,6 +37,7 @@
 import java.util.*;
 import java.io.*;
 import javax.net.ssl.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -743,6 +746,10 @@
     volatile Exception clientException = null;
 
     public static void main(String args[]) throws Exception {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        Security.setProperty(
+                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
+
         if (debug)
             System.setProperty("javax.net.debug", "all");