changeset 12731:24364089455f

Merge
author asaha
date Mon, 26 Jun 2017 22:23:36 -0700
parents 0f0ef949a54a ca29e45bee9a
children c4ad4e7a509f
files .hgtags
diffstat 71 files changed, 3776 insertions(+), 1173 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Thu May 18 14:30:18 2017 -0700
+++ b/.hgtags	Mon Jun 26 22:23:36 2017 -0700
@@ -710,3 +710,12 @@
 9fd2a2019a5b7f35957c43c83eb00e1ae371a95e jdk8u141-b07
 64261149b033dd6f625ccf7b4aaf7452baec82ef jdk8u141-b08
 276269460238f84410a70ffe735db9cf78651b8f jdk8u141-b09
+c92d704420d707d3016d8ee3a4239d1c57692ddd jdk8u141-b10
+3237f27a9d22ee02d0bfbd6f662a4d948d25a74f jdk8u141-b11
+2966589b3f330b6e676418b48d2960e294d35060 jdk8u141-b12
+2966589b3f330b6e676418b48d2960e294d35060 jdk8u141-b12
+0000000000000000000000000000000000000000 jdk8u141-b12
+0000000000000000000000000000000000000000 jdk8u141-b12
+996632997de8c889067dafd5a5827146e02c9130 jdk8u141-b12
+c6bc194fedb63b20c45c793405d215d206fb4654 jdk8u141-b13
+d630e23b8e36c2863225d7ae107c73a38d3e6102 jdk8u141-b14
--- a/THIRD_PARTY_README	Thu May 18 14:30:18 2017 -0700
+++ b/THIRD_PARTY_README	Mon Jun 26 22:23:36 2017 -0700
@@ -285,13 +285,53 @@
 form with the JDK 8 and OpenJDK 8 source distributions, and as object code in
 the JRE 8 & JDK 8 runtimes.
 
-In the case of the JRE 8 & JDK 8 runtimes, the terms of the Oracle license do
+In the case of the JRE & JDK runtimes, the terms of the Oracle license do
 NOT apply to the Elliptic Curve Cryptography library; it is licensed under the
 following license, separately from Oracle's JDK & JRE.  If you do not wish to
-install the Elliptic Curve Cryptography library, you may delete the library
-named libsunec.so (on Solaris and Linux systems) or sunec.dll (on Windows
-systems) from the JRE bin directory reserved for native libraries.
-
+install the Elliptic Curve Cryptography library, you may delete the
+Elliptic Curve Cryptography library:
+   - On Solaris and Linux systems: delete $(JAVA_HOME)/lib/libsunec.so
+   - On Windows systems: delete $(JAVA_HOME)\bin\sunec.dll
+   - On Mac systems, delete:
+      for JRE: /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/libsunec.dylib
+      for JDK: $(JAVA_HOME)/jre/lib/libsunec.dylib
+
+Written Offer for ECC Source Code
+  For third party technology that you receive from Oracle in binary form 
+  which is licensed under an open source license that gives you the right
+  to receive the source code for that binary, you can obtain a copy of 
+  the applicable source code from this page:
+     http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
+
+  If the source code for the technology was not provided to you with the 
+  binary, you can also receive a copy of the source code on physical 
+  media by submitting a written request to:
+
+     Oracle America, Inc.
+     Attn: Associate General Counsel,
+     Development and Engineering Legal
+     500 Oracle Parkway, 10th Floor
+     Redwood Shores, CA 94065
+
+  Or, you may send an email to Oracle using the form at:
+     http://www.oracle.com/goto/opensourcecode/request
+
+  Your request should include:
+    - The name of the component or binary file(s) for which you are requesting 
+      the source code
+    - The name and version number of the Oracle product containing the binary
+    - The date you received the Oracle product
+    - Your name
+    - Your company name (if applicable)
+    - Your return mailing address and email and
+    - A telephone number in the event we need to reach you.
+
+  We may charge you a fee to cover the cost of physical media and processing. 
+  Your request must be sent (i) within three (3) years of the date you 
+  received the Oracle product that included the component or binary 
+  file(s) that are the subject of your request, or (ii) in the case of 
+  code licensed under the GPL v3, for as long as Oracle offers spare 
+  parts or customer support for that product model.
 
 --- begin of LICENSE ---
 
@@ -870,63 +910,6 @@
 OF SUCH DAMAGE.
 --- end of LICENSE ---
 
-%% This notice is provided with respect to Dynalink library which is included
-with the Nashorn technology.
-
---- begin of LICENSE ---
-Copyright (c) 2009-2013, Attila Szegedi
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-* Redistributions of source code must retain the above copyright
-  notice, this list of conditions and the following disclaimer.
-* Redistributions in binary form must reproduce the above copyright
-  notice, this list of conditions and the following disclaimer in the
-  documentation and/or other materials provided with the distribution.
-* Neither the name of the copyright holder nor the names of
-  contributors may be used to endorse or promote products derived from
-  this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---- end of LICENSE ---
-
-%% This notice is provided with respect to Joni library which is included
-with the Nashorn technology.
-
---- begin of LICENSE ---
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
-of the Software, and to permit persons to whom the Software is furnished to do
-so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
---- end of LICENSE ---
-
--------------------------------------------------------------------------------
-
 %% This notice is provided with respect to FontConfig 2.5, which may be 
 included with JRE 8, JDK 8, and OpenJDK 8 source distributions on
 Linux and Solaris.
@@ -956,6 +939,74 @@
 
 -------------------------------------------------------------------------------
 
+%% This notice is provided with respect to freebXML Registry 3.0 & 3.1,
+which may be included with JRE 8, JDK 8, and OpenJDK 8.
+
+--- begin of LICENSE ---
+
+freebxml:  Copyright (c) 2001 freebxml.org.  All rights reserved.
+
+The names "The freebXML Registry Project" and "freebxml Software
+Foundation" must not be used to endorse or promote products derived
+from this software or be used in a product name without prior
+written permission. For written permission, please contact
+ebxmlrr-team@lists.sourceforge.net.
+
+This software consists of voluntary contributions made by many individuals
+on behalf of the the freebxml Software Foundation. For more information on
+the freebxml Software Foundation, please see <http://www.freebxml.org/>.
+
+This product includes software developed by the Apache Software Foundation
+(http://www.apache.org/).
+
+The freebxml License, Version 1.1 5
+Copyright (c) 2001 freebxml.org. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+ 3. The end-user documentation included with the redistribution, if
+    any, must include the following acknowlegement:
+       "This product includes software developed by
+        freebxml.org (http://www.freebxml.org/)."
+    Alternately, this acknowlegement may appear in the software itself,
+    if and wherever such third-party acknowlegements normally appear.
+
+ 4. The names "The freebXML Registry Project", "freebxml Software
+    Foundation" must not be used to endorse or promote products derived
+    from this software without prior written permission. For written
+    permission, please contact ebxmlrr-team@lists.sourceforge.net.
+
+ 5. Products derived from this software may not be called "freebxml",
+    "freebXML Registry" nor may freebxml" appear in their names without
+    prior written permission of the freebxml Group.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED.  IN NO EVENT SHALL THE freebxml SOFTWARE FOUNDATION OR
+ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+--- end of LICENSE ---
+
+-------------------------------------------------------------------------------
+
 %% This notice is provided with respect to IAIK PKCS#11 Wrapper, 
 which may be included with JRE 8, JDK 8, and OpenJDK 8.
 
@@ -1083,6 +1134,47 @@
 
 --------------------------------------------------------------------------------
 
+%% This notice is provided with respect to Jing 20030619, which may 
+be included with JRE 8, JDK 8, and OpenJDK 8.
+
+--- begin of LICENSE  ---
+
+Copyright (c) 2001-2003 Thai Open Source Software Center Ltd All
+rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+Neither the name of the Thai Open Source Software Center Ltd nor
+the names of its contributors may be used to endorse or promote
+products derived from this software without specific prior written
+permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+--- end of LICENSE  ---
+
+--------------------------------------------------------------------------------
+
 %% This notice is provided with respect to Joni v1.1.9, which may be 
 included with JRE 8, JDK 8, and OpenJDK 8.
 
@@ -1215,7 +1307,7 @@
 
 -------------------------------------------------------------------------------
 
-%% Portions Copyright Eastman Kodak Company 1992
+%% Portions Copyright Eastman Kodak Company 1991-2003
 
 -------------------------------------------------------------------------------
 
@@ -1339,8 +1431,8 @@
 
 -------------------------------------------------------------------------------
 
-%% This notice is provided with respect to GIFLIB 5.1.1 & libungif 4.1.3, which may be 
-included with JRE 8, JDK 8, and OpenJDK 8.
+%% This notice is provided with respect to GIFLIB 5.1.1 & libungif 4.1.3, 
+which may be included with JRE 8, JDK 8, and OpenJDK 8.
 
 --- begin of LICENSE ---
 
@@ -1972,67 +2064,45 @@
 
 -------------------------------------------------------------------------------
 
-%% This notice is provided with respect to SAX 2.0.1, which may be included 
-with JRE 8, JDK 8, and OpenJDK 8.
-
---- begin of LICENSE ---
-
- SAX is free!
-
- In fact, it's not possible to own a license to SAX, since it's been placed in
- the public domain.
-
- No Warranty
-
- Because SAX is released to the public domain, there is no warranty for the
- design or for the software implementation, to the extent permitted by
- applicable law. Except when otherwise stated in writing the copyright holders
- and/or other parties provide SAX "as is" without warranty of any kind, either
- expressed or implied, including, but not limited to, the implied warranties
- of merchantability and fitness for a particular purpose. The entire risk as
- to the quality and performance of SAX is with you. Should SAX prove
- defective, you assume the cost of all necessary servicing, repair or
- correction.
-
- In no event unless required by applicable law or agreed to in writing will
- any copyright holder, or any other party who may modify and/or redistribute
- SAX, be liable to you for damages, including any general, special, incidental
- or consequential damages arising out of the use or inability to use SAX
- (including but not limited to loss of data or data being rendered inaccurate
- or losses sustained by you or third parties or a failure of the SAX to
- operate with any other programs), even if such holder or other party has been
- advised of the possibility of such damages.
-
- Copyright Disclaimers 
-
- This page includes statements to that effect by David Megginson, who would
- have been able to claim copyright for the original work.  SAX 1.0
-
- Version 1.0 of the Simple API for XML (SAX), created collectively by the
- membership of the XML-DEV mailing list, is hereby released into the public
- domain.
-
- No one owns SAX: you may use it freely in both commercial and non-commercial
- applications, bundle it with your software distribution, include it on a
- CD-ROM, list the source code in a book, mirror the documentation at your own
- web site, or use it in any other way you see fit.
-
- David Megginson, sax@megginson.com
- 1998-05-11
-
- SAX 2.0 
-
- I hereby abandon any property rights to SAX 2.0 (the Simple API for XML), and
- release all of the SAX 2.0 source code, compiled code, and documentation
- contained in this distribution into the Public Domain. SAX comes with NO
- WARRANTY or guarantee of fitness for any purpose.
-
- David Megginson, david@megginson.com
- 2000-05-05
-
---- end of LICENSE ---
-
--------------------------------------------------------------------------------
+%% This notice is provided with respect to Relax NG Datatype 1.0, which 
+may be included with JRE 8, JDK 8, and OpenJDK 8.  
+
+--- begin of LICENSE  ---
+
+Copyright (c) 2005, 2010 Thai Open Source Software Center Ltd
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+    Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+    Neither the names of the copyright holders nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+--- end of LICENSE  ---
+
+--------------------------------------------------------------------------------
 
 %% This notice is provided with respect to SoftFloat version 2b, which may be 
 included with JRE 8, JDK 8, and OpenJDK 8 on Linux/ARM.
@@ -2518,26 +2588,66 @@
 
 --- begin of LICENSE ---
 
-          Licenses
-The X.Org Foundation March 2004
-
-1. Introduction
-
-The X.org Foundation X Window System distribution is a compilation of code and
-documentation from many sources. This document is intended primarily as a
-guide to the licenses used in the distribution: you must check each file
-and/or package for precise redistribution terms. None-the-less, this summary
-may be useful to many users. No software incorporating the XFree86 1.1 license
-has been incorporated.
-
-This document is based on the compilation from XFree86.
-
-2. XFree86 License
-
-XFree86 code without an explicit copyright is covered by the following
-copyright/license:
-
-Copyright (C) 1994-2003 The XFree86 Project, Inc. All Rights Reserved.
+This is the copyright for the files in src/solaris/native/sun/awt: list.h, 
+multiVis.h, wsutils.h, list.c, multiVis.c
+Copyright (c) 1994 Hewlett-Packard Co.
+Copyright (c) 1996 X Consortium
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of the X Consortium shall
+not be used in advertising or otherwise to promote the sale, use or
+other dealings in this Software without prior written authorization
+from the X Consortium.
+___________________________
+The files in motif/lib/Xm/util included this copyright:mkdirhier.man,
+xmkmf.man, chownxterm.c, makeg.man, mergelib.cpp, lndir.man, makestrs.man, 
+checktree.c, lndir.c, makestrs.c
+Copyright (c) 1993, 1994 X Consortium
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+Except as contained in this notice, the name of the X Consortium shall not
+be used in advertising or otherwise to promote the sale, use or other
+dealing in this Software without prior written authorization from the
+X Consortium.
+_____________________________
+Xmos_r.h:
+/*
+Copyright (c) 1996 X Consortium
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -2546,773 +2656,153 @@
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-Except as contained in this notice, the name of the XFree86 Project shall not
-be used in advertising or otherwise to promote the sale, use or other dealings
-in this Software without prior written authorization from the XFree86 Project.
-
-3. Other Licenses
-
-Portions of code are covered by the following licenses/copyrights. See
-individual files for the copyright dates.
-
-3.1. X/MIT Copyrights
-
-3.1.1. X Consortium
-
-Copyright (C) <date> X Consortium
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X
-CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
-ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 Except as contained in this notice, the name of the X Consortium shall not be
-used in advertising or otherwise to promote the sale, use or other dealings in
-this Software without prior written authorization from the X Consortium.
-
-X Window System is a trademark of X Consortium, Inc.
-
-3.1.2. The Open Group
-
-Copyright <date> The Open Group
-
-Permission to use, copy, modify, distribute, and sell this software and its
-documentation for any purpose is hereby granted without fee, provided that the
-above copyright notice appear in all copies and that both that copyright
-notice and this permission notice appear in supporting documentation.
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization from the X Consortium.
+*/
+
+_____________________________
+Copyright notice for extutil.h:
+Copyright 1989, 1998 The Open Group
+
+All Rights Reserved.
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
-ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 Except as contained in this notice, the name of The Open Group shall not be
-used in advertising or otherwise to promote the sale, use or other dealings in
-this Software without prior written authorization from The Open Group.  3.2.
-Berkeley-based copyrights:
-
-o
-3.2.1. General
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-   3. The name of the author may not be used to endorse or promote products
-   derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
-IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.  3.2.2. UCB/LBL
-
-Copyright (c) 1993 The Regents of the University of California. All rights
-reserved.
-
-This software was developed by the Computer Systems Engineering group at
-Lawrence Berkeley Laboratory under DARPA contract BG 91-66 and contributed to
-Berkeley.
-
-All advertising materials mentioning features or use of this software must
-display the following acknowledgement: This product includes software
-developed by the University of California, Lawrence Berkeley Laboratory.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-   3. All advertising materials mentioning features or use of this software
-   must display the following acknowledgement: This product includes software
-   developed by the University of California, Berkeley and its contributors.
-
-   4. Neither the name of the University nor the names of its contributors may
-   be used to endorse or promote products derived from this software without
-   specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  3.2.3. The
-NetBSD Foundation, Inc.
-
-Copyright (c) 2003 The NetBSD Foundation, Inc. All rights reserved.
-
-This code is derived from software contributed to The NetBSD Foundation by Ben
-Collver <collver1@attbi.com>
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-   3. All advertising materials mentioning features or use of this software
-   must display the following acknowledgement: This product includes software
-   developed by the NetBSD Foundation, Inc. and its contributors.
-
-   4. Neither the name of The NetBSD Foundation nor the names of its
-   contributors may be used to endorse or promote products derived from this
-   software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS ``AS
-IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  3.2.4. Theodore
-Ts'o.
-
-Copyright Theodore Ts'o, 1994, 1995, 1996, 1997, 1998, 1999. All rights
-reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   and the entire permission notice in its entirety, including the disclaimer
-   of warranties.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-   3. he name of the author may not be used to endorse or promote products
-   derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO
-EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
-IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.  3.2.5. Theo de Raadt and Damien Miller
-
-Copyright (c) 1995,1999 Theo de Raadt. All rights reserved. Copyright (c)
-2001-2002 Damien Miller. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
-IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.  3.2.6. Todd C. Miller
-
-Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright
-notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  3.2.7. Thomas
-Winischhofer
-
-Copyright (C) 2001-2004 Thomas Winischhofer
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-   1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-   2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-   3. The name of the author may not be used to endorse or promote products
-   derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESSED OR IMPLIED
-WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
-EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
-IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.  3.3. NVIDIA Corp
-
-Copyright (c) 1996 NVIDIA, Corp. All rights reserved.
-
-NOTICE TO USER: The source code is copyrighted under U.S. and international
-laws. NVIDIA, Corp. of Sunnyvale, California owns the copyright and as design
-patents pending on the design and interface of the NV chips. Users and
-possessors of this source code are hereby granted a nonexclusive, royalty-free
-copyright and design patent license to use this code in individual and
-commercial software.
-
-Any use of this source code must include, in the user documentation and
-internal comments to the code, notices to the end user as follows:
-
-Copyright (c) 1996 NVIDIA, Corp. NVIDIA design patents pending in the U.S. and
-foreign countries.
-
-NVIDIA, CORP. MAKES NO REPRESENTATION ABOUT THE SUITABILITY OF THIS SOURCE
-CODE FOR ANY PURPOSE. IT IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED
-WARRANTY OF ANY KIND. NVIDIA, CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO
-THIS SOURCE CODE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL NVIDIA, CORP. BE LIABLE
-FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR ANY
-DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOURCE CODE.  3.4. GLX Public
-License
-
-GLX PUBLIC LICENSE (Version 1.0 (2/11/99)) ("License")
-
-Subject to any third party claims, Silicon Graphics, Inc. ("SGI") hereby
-grants permission to Recipient (defined below), under Recipient's copyrights
-in the Original Software (defined below), to use, copy, modify, merge,
-publish, distribute, sublicense and/or sell copies of Subject Software
-(defined below), and to permit persons to whom the Subject Software is
-furnished in accordance with this License to do the same, subject to all of
-the following terms and conditions, which Recipient accepts by engaging in any
-such use, copying, modifying, merging, publishing, distributing, sublicensing
-or selling:
-
-1. Definitions.
-
-    (a) "Original Software" means source code of computer software code which
-    is described in Exhibit A as Original Software.
-
-    (b) "Modifications" means any addition to or deletion from the substance
-    or structure of either the Original Software or any previous
-    Modifications. When Subject Software is released as a series of files, a
-    Modification means (i) any addition to or deletion from the contents of a
-    file containing Original Software or previous Modifications and (ii) any
-    new file that contains any part of the Original Code or previous
-    Modifications.
-
-    (c) "Subject Software" means the Original Software or Modifications or the
-    combination of the Original Software and Modifications, or portions of any
-    of the foregoing.
-
-    (d) "Recipient" means an individual or a legal entity exercising rights
-    under, and complying with all of the terms of, this License. For legal
-    entities, "Recipient" includes any entity which controls, is controlled
-    by, or is under common control with Recipient. For purposes of this
-    definition, "control" of an entity means (a) the power, direct or
-    indirect, to direct or manage such entity, or (b) ownership of fifty
-    percent (50%) or more of the outstanding shares or beneficial ownership of
-    such entity.
-
-2. Redistribution of Source Code Subject to These Terms. Redistributions of
-Subject Software in source code form must retain the notice set forth in
-Exhibit A, below, in every file. A copy of this License must be included in
-any documentation for such Subject Software where the recipients' rights
-relating to Subject Software are described. Recipient may distribute the
-source code version of Subject Software under a license of Recipient's choice,
-which may contain terms different from this License, provided that (i)
-Recipient is in compliance with the terms of this License, and (ii) the
-license terms include this Section 2 and Sections 3, 4, 7, 8, 10, 12 and 13 of
-this License, which terms may not be modified or superseded by any other terms
-of such license. If Recipient distributes the source code version under a
-different license Recipient must make it absolutely clear that any terms which
-differ from this License are offered by Recipient alone, not by SGI. Recipient
-hereby agrees to indemnify SGI for any liability incurred by SGI as a result
-of any such terms Recipient offers.
-
-3. Redistribution in Executable Form. The notice set forth in Exhibit A must
-be conspicuously included in any notice in an executable version of Subject
-Software, related documentation or collateral in which Recipient describes the
-user's rights relating to the Subject Software. Recipient may distribute the
-executable version of Subject Software under a license of Recipient's choice,
-which may contain terms different from this License, provided that (i)
-Recipient is in compliance with the terms of this License, and (ii) the
-license terms include this Section 3 and Sections 4, 7, 8, 10, 12 and 13 of
-this License, which terms may not be modified or superseded by any other terms
-of such license. If Recipient distributes the executable version under a
-different license Recipient must make it absolutely clear that any terms which
-differ from this License are offered by Recipient alone, not by SGI. Recipient
-hereby agrees to indemnify SGI for any liability incurred by SGI as a result
-of any such terms Recipient offers.
-
-4. Termination. This License and the rights granted hereunder will terminate
-automatically if Recipient fails to comply with terms herein and fails to cure
-such breach within 30 days of the breach. Any sublicense to the Subject
-Software which is properly granted shall survive any termination of this
-License absent termination by the terms of such sublicense. Provisions which,
-by their nature, must remain in effect beyond the termination of this License
-shall survive.
-
-5. No Trademark Rights. This License does not grant any rights to use any
-trade name, trademark or service mark whatsoever. No trade name, trademark or
-service mark of SGI may be used to endorse or promote products derived from
-the Subject Software without prior written permission of SGI.
-
-6. No Other Rights. This License does not grant any rights with respect to the
-OpenGL API or to any software or hardware implementation thereof or to any
-other software whatsoever, nor shall any other rights or licenses not
-expressly granted hereunder arise by implication, estoppel or otherwise with
-respect to the Subject Software. Title to and ownership of the Original
-Software at all times remains with SGI. All rights in the Original Software
-not expressly granted under this License are reserved.
-
-7. Compliance with Laws; Non-Infringement. Recipient shall comply with all
-applicable laws and regulations in connection with use and distribution of the
-Subject Software, including but not limited to, all export and import control
-laws and regulations of the U.S. government and other countries. Recipient may
-not distribute Subject Software that (i) in any way infringes (directly or
-contributorily) the rights (including patent, copyright, trade secret,
-trademark or other intellectual property rights of any kind) of any other
-person or entity or (ii) breaches any representation or warranty, express,
-implied or statutory, which under any applicable law it might be deemed to
-have been distributed.
-
-8. Claims of Infringement. If Recipient at any time has knowledge of any one
-or more third party claims that reproduction, modification, use, distribution,
-import or sale of Subject Software (including particular functionality or code
-incorporated in Subject Software) infringes the third party's intellectual
-property rights, Recipient must place in a well-identified web page bearing
-the title "LEGAL" a description of each such claim and a description of the
-party making each such claim in sufficient detail that a user of the Subject
-Software will know whom to contact regarding the claim. Also, upon gaining
-such knowledge of any such claim, Recipient must conspicuously include the URL
-for such web page in the Exhibit A notice required under Sections 2 and 3,
-above, and in the text of any related documentation, license agreement or
-collateral in which Recipient describes end user's rights relating to the
-Subject Software. If Recipient obtains such knowledge after it makes Subject
-Software available to any other person or entity, Recipient shall take other
-steps (such as notifying appropriate mailing lists or newsgroups) reasonably
-calculated to inform those who received the Subject Software that new
-knowledge has been obtained.
-
-9. DISCLAIMER OF WARRANTY. SUBJECT SOFTWARE IS PROVIDED ON AN "AS IS" BASIS,
-WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
-LIMITATION, WARRANTIES THAT THE SUBJECT SOFTWARE IS FREE OF DEFECTS,
-MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON- INFRINGING. SGI ASSUMES NO
-RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE. SHOULD ANY SOFTWARE
-PROVE DEFECTIVE IN ANY RESPECT, SGI ASSUMES NO COST OR LIABILITY FOR ANY
-SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
-ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY SUBJECT SOFTWARE IS AUTHORIZED
-HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
-
-10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
-WHETHER TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE OR STRICT LIABILITY),
-CONTRACT, OR OTHERWISE, SHALL SGI OR ANY SGI LICENSOR BE LIABLE FOR ANY
-DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY
-CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
-STOPPAGE, LOSS OF DATA, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER
-COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF
-THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY
-TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SGI's NEGLIGENCE TO
-THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT
-ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
-THAT EXCLUSION AND LIMITATION MAY NOT APPLY TO RECIPIENT.
-
-11. Indemnity. Recipient shall be solely responsible for damages arising,
-directly or indirectly, out of its utilization of rights under this License.
-Recipient will defend, indemnify and hold harmless Silicon Graphics, Inc. from
-and against any loss, liability, damages, costs or expenses (including the
-payment of reasonable attorneys fees) arising out of Recipient's use,
-modification, reproduction and distribution of the Subject Software or out of
-any representation or warranty made by Recipient.
-
-12. U.S. Government End Users. The Subject Software is a "commercial item"
-consisting of "commercial computer software" as such terms are defined in
-title 48 of the Code of Federal Regulations and all U.S. Government End Users
-acquire only the rights set forth in this License and are subject to the terms
-of this License.
-
-13. Miscellaneous. This License represents the complete agreement concerning
-subject matter hereof. If any provision of this License is held to be
-unenforceable, such provision shall be reformed so as to achieve as nearly as
-possible the same economic effect as the original provision and the remainder
-of this License will remain in effect. This License shall be governed by and
-construed in accordance with the laws of the United States and the State of
-California as applied to agreements entered into and to be performed entirely
-within California between California residents. Any litigation relating to
-this License shall be subject to the exclusive jurisdiction of the Federal
-Courts of the Northern District of California (or, absent subject matter
-jurisdiction in such courts, the courts of the State of California), with
-venue lying exclusively in Santa Clara County, California, with the losing
-party responsible for costs, including without limitation, court costs and
-reasonable attorneys fees and expenses. The application of the United Nations
-Convention on Contracts for the International Sale of Goods is expressly
-excluded. Any law or regulation which provides that the language of a contract
-shall be construed against the drafter shall not apply to this License.
-
-Exhibit A
-
-The contents of this file are subject to Sections 2, 3, 4, 7, 8, 10, 12 and 13
-of the GLX Public License Version 1.0 (the "License"). You may not use this
-file except in compliance with those sections of the License. You may obtain a
-copy of the License at Silicon Graphics, Inc., attn: Legal Services, 2011 N.
-Shoreline Blvd., Mountain View, CA 94043 or at
-http://www.sgi.com/software/opensource/glx/license.html.
-
-Software distributed under the License is distributed on an "AS IS" basis. ALL
-WARRANTIES ARE DISCLAIMED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED
-WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE OR OF NON-
-INFRINGEMENT. See the License for the specific language governing rights and
-limitations under the License.
-
-The Original Software is GLX version 1.2 source code, released February, 1999.
-The developer of the Original Software is Silicon Graphics, Inc. Those
-portions of the Subject Software created by Silicon Graphics, Inc. are
-Copyright (c) 1991-9 Silicon Graphics, Inc. All Rights Reserved.  3.5. CID
-Font Code Public License
-
-CID FONT CODE PUBLIC LICENSE (Version 1.0 (3/31/99))("License")
-
-Subject to any applicable third party claims, Silicon Graphics, Inc. ("SGI")
-hereby grants permission to Recipient (defined below), under SGI's copyrights
-in the Original Software (defined below), to use, copy, modify, merge,
-publish, distribute, sublicense and/or sell copies of Subject Software
-(defined below) in both source code and executable form, and to permit persons
-to whom the Subject Software is furnished in accordance with this License to
-do the same, subject to all of the following terms and conditions, which
-Recipient accepts by engaging in any such use, copying, modifying, merging,
-publication, distributing, sublicensing or selling:
-
-1. Definitions.
-
-    a. "Original Software" means source code of computer software code that is
-    described in Exhibit A as Original Software.
-
-    b. "Modifications" means any addition to or deletion from the substance or
-    structure of either the Original Software or any previous Modifications.
-    When Subject Software is released as a series of files, a Modification
-    means (i) any addition to or deletion from the contents of a file
-    containing Original Software or previous Modifications and (ii) any new
-    file that contains any part of the Original Code or previous
-    Modifications.
-
-    c. "Subject Software" means the Original Software or Modifications or the
-    combination of the Original Software and Modifications, or portions of any
-    of the foregoing.
-
-    d. "Recipient" means an individual or a legal entity exercising rights
-    under the terms of this License. For legal entities, "Recipient" includes
-    any entity that controls, is controlled by, or is under common control
-    with Recipient. For purposes of this definition, "control" of an entity
-    means (i) the power, direct or indirect, to direct or manage such entity,
-    or (ii) ownership of fifty percent (50%) or more of the outstanding shares
-    or beneficial ownership of such entity.
-
-    e. "Required Notice" means the notice set forth in Exhibit A to this
-    License.
-
-    f. "Accompanying Technology" means any software or other technology that
-    is not a Modification and that is distributed or made publicly available
-    by Recipient with the Subject Software. Separate software files that do
-    not contain any Original Software or any previous Modification shall not
-    be deemed a Modification, even if such software files are aggregated as
-    part of a product, or in any medium of storage, with any file that does
-    contain Original Software or any previous Modification.
-
-2. License Terms. All distribution of the Subject Software must be made
-subject to the terms of this License. A copy of this License and the Required
-Notice must be included in any documentation for Subject Software where
-Recipient's rights relating to Subject Software and/or any Accompanying
-Technology are described. Distributions of Subject Software in source code
-form must also include the Required Notice in every file distributed. In
-addition, a ReadMe file entitled "Important Legal Notice" must be distributed
-with each distribution of one or more files that incorporate Subject Software.
-That file must be included with distributions made in both source code and
-executable form. A copy of the License and the Required Notice must be
-included in that file. Recipient may distribute Accompanying Technology under
-a license of Recipient's choice, which may contain terms different from this
-License, provided that (i) Recipient is in compliance with the terms of this
-License, (ii) such other license terms do not modify or supersede the terms of
-this License as applicable to the Subject Software, (iii) Recipient hereby
-indemnifies SGI for any liability incurred by SGI as a result of the
-distribution of Accompanying Technology or the use of other license terms.
-
-3. Termination. This License and the rights granted hereunder will terminate
-automatically if Recipient fails to comply with terms herein and fails to cure
-such breach within 30 days of the breach. Any sublicense to the Subject
-Software that is properly granted shall survive any termination of this
-License absent termination by the terms of such sublicense. Provisions which,
-by their nature, must remain in effect beyond the termination of this License
-shall survive.
-
-4. Trademark Rights. This License does not grant any rights to use any trade
-name, trademark or service mark whatsoever. No trade name, trademark or
-service mark of SGI may be used to endorse or promote products derived from or
-incorporating any Subject Software without prior written permission of SGI.
-
-5. No Other Rights. No rights or licenses not expressly granted hereunder
-shall arise by implication, estoppel or otherwise. Title to and ownership of
-the Original Software at all times remains with SGI. All rights in the
-Original Software not expressly granted under this License are reserved.
-
-6. Compliance with Laws; Non-Infringement. Recipient shall comply with all
-applicable laws and regulations in connection with use and distribution of the
-Subject Software, including but not limited to, all export and import control
-laws and regulations of the U.S. government and other countries. Recipient may
-not distribute Subject Software that (i) in any way infringes (directly or
-contributorily) the rights (including patent, copyright, trade secret,
-trademark or other intellectual property rights of any kind) of any other
-person or entity, or (ii) breaches any representation or warranty, express,
-implied or statutory, which under any applicable law it might be deemed to
-have been distributed.
-
-7. Claims of Infringement. If Recipient at any time has knowledge of any one
-or more third party claims that reproduction, modification, use, distribution,
-import or sale of Subject Software (including particular functionality or code
-incorporated in Subject Software) infringes the third party's intellectual
-property rights, Recipient must place in a well-identified web page bearing
-the title "LEGAL" a description of each such claim and a description of the
-party making each such claim in sufficient detail that a user of the Subject
-Software will know whom to contact regarding the claim. Also, upon gaining
-such knowledge of any such claim, Recipient must conspicuously include the URL
-for such web page in the Required Notice, and in the text of any related
-documentation, license agreement or collateral in which Recipient describes
-end user's rights relating to the Subject Software. If Recipient obtains such
-knowledge after it makes Subject Software available to any other person or
-entity, Recipient shall take other steps (such as notifying appropriate
-mailing lists or newsgroups) reasonably calculated to provide such knowledge
-to those who received the Subject Software.
-
-8. DISCLAIMER OF WARRANTY. SUBJECT SOFTWARE IS PROVIDED ON AN "AS IS" BASIS,
-WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
-LIMITATION, WARRANTIES THAT THE SUBJECT SOFTWARE IS FREE OF DEFECTS,
-MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. SGI ASSUMES NO
-RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE. SHOULD ANY SOFTWARE
-PROVE DEFECTIVE IN ANY RESPECT, SGI ASSUMES NO COST OR LIABILITY FOR ANY
-SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
-ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY SUBJECT SOFTWARE IS AUTHORIZED
-HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
-
-9. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY,
-WHETHER TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE OR STRICT LIABILITY),
-CONTRACT, OR OTHERWISE, SHALL SGI OR ANY SGI LICENSOR BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SUBJECT SOFTWARE OR
-THE USE OR OTHER DEALINGS IN THE SUBJECT SOFTWARE. SOME JURISDICTIONS DO NOT
-ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO THIS EXCLUSION AND
-LIMITATION MAY NOT APPLY TO RECIPIENT TO THE EXTENT SO DISALLOWED.
-
-10. Indemnity. Recipient shall be solely responsible for damages arising,
-directly or indirectly, out of its utilization of rights under this License.
-Recipient will defend, indemnify and hold SGI and its successors and assigns
-harmless from and against any loss, liability, damages, costs or expenses
-(including the payment of reasonable attorneys fees) arising out of
-(Recipient's use, modification, reproduction and distribution of the Subject
-Software or out of any representation or warranty made by Recipient.
-
-11. U.S. Government End Users. The Subject Software is a "commercial item"
-consisting of "commercial computer software" as such terms are defined in
-title 48 of the Code of Federal Regulations and all U.S. Government End Users
-acquire only the rights set forth in this License and are subject to the terms
-of this License.
-
-12. Miscellaneous. This License represents the complete agreement concerning
-subject matter hereof. If any provision of this License is held to be
-unenforceable by any judicial or administrative authority having proper
-jurisdiction with respect thereto, such provision shall be reformed so as to
-achieve as nearly as possible the same economic effect as the original
-provision and the remainder of this License will remain in effect. This
-License shall be governed by and construed in accordance with the laws of the
-United States and the State of California as applied to agreements entered
-into and to be performed entirely within California between California
-residents. Any litigation relating to this License shall be subject to the
-exclusive jurisdiction of the Federal Courts of the Northern District of
-California (or, absent subject matter jurisdiction in such courts, the courts
-of the State of California), with venue lying exclusively in Santa Clara
-County, California, with the losing party responsible for costs, including
-without limitation, court costs and reasonable attorneys fees and expenses.
-The application of the United Nations Convention on Contracts for the
-International Sale of Goods is expressly excluded. Any law or regulation that
-provides that the language of a contract shall be construed against the
-drafter shall not apply to this License.
-
-Exhibit A
-
-Copyright (c) 1994-1999 Silicon Graphics, Inc.
-
-The contents of this file are subject to the CID Font Code Public License
-Version 1.0 (the "License"). You may not use this file except in compliance
-with the License. You may obtain a copy of the License at Silicon Graphics,
-Inc., attn: Legal Services, 2011 N. Shoreline Blvd., Mountain View, CA 94043
-or at http://www.sgi.com/software/opensource/cid/license.html
-
-Software distributed under the License is distributed on an "AS IS" basis. ALL
-WARRANTIES ARE DISCLAIMED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED
-WARRANTIES OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE OR OF
-NON-INFRINGEMENT. See the License for the specific language governing rights
-and limitations under the License.
-
-The Original Software (as defined in the License) is CID font code that was
-developed by Silicon Graphics, Inc. Those portions of the Subject Software (as
-defined in the License) that were created by Silicon Graphics, Inc. are
-Copyright (c) 1994-1999 Silicon Graphics, Inc. All Rights Reserved.
-
-[NOTE: When using this text in connection with Subject Software delivered
-solely in object code form, Recipient may replace the words "this file" with
-"this software" in both the first and second sentences.] 3.6. Bitstream Vera
-Fonts Copyright
-
-The fonts have a generous copyright, allowing derivative works (as long as
-"Bitstream" or "Vera" are not in the names), and full redistribution (so long
-as they are not *sold* by themselves). They can be be bundled, redistributed
-and sold with any software.
-
-The fonts are distributed under the following copyright:
-
-Copyright (c) 2003 by Bitstream, Inc. All Rights Reserved. Bitstream Vera is a
-trademark of Bitstream, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of the fonts accompanying this license ("Fonts") and associated documentation
-files (the "Font Software"), to reproduce and distribute the Font Software,
-including without limitation the rights to use, copy, merge, publish,
-distribute, and/or sell copies of the Font Software, and to permit persons to
-whom the Font Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright and trademark notices and this permission notice shall be
-included in all copies of one or more of the Font Software typefaces.
-
-The Font Software may be modified, altered, or added to, and in particular the
-designs of glyphs or characters in the Fonts may be modified and additional
-glyphs or characters may be added to the Fonts, only if the fonts are renamed
-to names not containing either the words "Bitstream" or the word "Vera".
-
-This License becomes null and void to the extent applicable to Fonts or Font
-Software that has been modified and is distributed under the "Bitstream Vera"
-names.
-
-The Font Software may be sold as part of a larger software package but no copy
-of one or more of the Font Software typefaces may be sold by itself.
-
-THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT,
-TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BITSTREAM OR THE GNOME FOUNDATION
-BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL,
-SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR INABILITY TO
-USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.
-
-Except as contained in this notice, the names of Gnome, the Gnome Foundation,
-and Bitstream Inc., shall not be used in advertising or otherwise to promote
-the sale, use or other dealings in this Font Software without prior written
-authorization from the Gnome Foundation or Bitstream Inc., respectively. For
-further information, contact: fonts at gnome dot org.  3.7. Bigelow & Holmes
-Inc and URW++ GmbH Luxi font license
-
-Luxi fonts copyright (c) 2001 by Bigelow & Holmes Inc. Luxi font instruction
-code copyright (c) 2001 by URW++ GmbH. All Rights Reserved. Luxi is a
-registered trademark of Bigelow & Holmes Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of these Fonts and associated documentation files (the "Font Software"), to
-deal in the Font Software, including without limitation the rights to use,
-copy, merge, publish, distribute, sublicense, and/or sell copies of the Font
-Software, and to permit persons to whom the Font Software is furnished to do
-so, subject to the following conditions:
-
-The above copyright and trademark notices and this permission notice shall be
-included in all copies of one or more of the Font Software.
-
-The Font Software may not be modified, altered, or added to, and in particular
-the designs of glyphs or characters in the Fonts may not be modified nor may
-additional glyphs or characters be added to the Fonts. This License becomes
-null and void when the Fonts or Font Software have been modified.
-
-THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT,
-TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BIGELOW & HOLMES INC. OR URW++
-GMBH. BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY
-GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN
-AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR
-INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT
+used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization from The Open Group.
+*
+* Author: Jim Fulton, MIT The Open Group
+*
+* Xlib Extension-Writing Utilities
+*
+* This package contains utilities for writing the client API for various
+* protocol extensions. THESE INTERFACES ARE NOT PART OF THE X STANDARD AND
+* ARE SUBJECT TO CHANGE!
+*/
+
+_____________________________
+Copyright notice for HPkeysym.h:
+/*
+
+Copyright 1987, 1998 The Open Group
+
+All Rights Reserved.
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of The Open Group shall
+not be used in advertising or otherwise to promote the sale, use or
+other dealings in this Software without prior written authorization
+from The Open Group.
+
+Copyright 1987 by Digital Equipment Corporation, Maynard, Massachusetts,
+
+All Rights Reserved
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose and without fee is hereby granted,
+provided that the above copyright notice appear in all copies and that
+both that copyright notice and this permission notice appear in
+supporting documentation, and that the names of Hewlett Packard
+or Digital not be
+used in advertising or publicity pertaining to distribution of the
+software without specific, written prior permission.
+
+DIGITAL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
+ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
+DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
+ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 SOFTWARE.
 
-Except as contained in this notice, the names of Bigelow & Holmes Inc. and
-URW++ GmbH. shall not be used in advertising or otherwise to promote the sale,
-use or other dealings in this Font Software without prior written
-authorization from Bigelow & Holmes Inc. and URW++ GmbH.
-
-For further information, contact:
-
-info@urwpp.de or design@bigelowandholmes.com
-
+HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD
+TO THIS SOFWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. Hewlett-Packard shall not be liable for errors
+contained herein or direct, indirect, special, incidental or
+consequential damages in connection with the furnishing,
+performance, or use of this material.
+
+*/
+_____________________________________
+Copyright notice in keysym2ucs.h:
+
+Copyright 1987, 1994, 1998 The Open Group
+
+Permission to use, copy, modify, distribute, and sell this software and its
+documentation for any purpose is hereby granted without fee, provided that
+the above copyright notice appear in all copies and that both that
+copyright notice and this permission notice appear in supporting
+documentation.
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of The Open Group shall
+not be used in advertising or otherwise to promote the sale, use or
+other dealings in this Software without prior written authorization
+from The Open Group.
+
+
+Copyright 1987 by Digital Equipment Corporation, Maynard, Massachusetts
+
+All Rights Reserved
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose and without fee is hereby granted,
+provided that the above copyright notice appear in all copies and that
+both that copyright notice and this permission notice appear in
+supporting documentation, and that the name of Digital not be
+used in advertising or publicity pertaining to distribution of the
+software without specific, written prior permission.
+
+DIGITAL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
+ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
+DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
+ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+SOFTWARE.
+
+*/
 
 --- end of LICENSE ---
 
@@ -3325,7 +2815,7 @@
 
   version 1.2.11, January 15th, 2017
 
-  Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler
+  Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the authors be held liable for any damages
@@ -3361,7 +2851,6 @@
   Apache Xalan-Java 2.7.1 
   Apache Xerces Java 2.10.0 
   Apache XML Resolver 1.1 
-  Dynalink 0.5
 
 
 --- begin of LICENSE ---
--- a/make/GenerateClasses.gmk	Thu May 18 14:30:18 2017 -0700
+++ b/make/GenerateClasses.gmk	Mon Jun 26 22:23:36 2017 -0700
@@ -78,13 +78,6 @@
     RUN_V12 := true))
 GENCLASSES += $(RMI_12)
 
-$(eval $(call SetupRMICompilation,RMI_11, \
-    CLASSES := sun.rmi.registry.RegistryImpl, \
-    CLASSES_DIR := $(CLASSES_DIR), \
-    STUB_CLASSES_DIR := $(STUB_CLASSES_DIR), \
-    RUN_V11 := true))
-GENCLASSES += $(RMI_11)
-
 # For RMI/IIOP call rmic a second time with -standardPackage option
 # so that *_tie classes are generated in package without the prefix
 # org.omg.stub (6375696)
@@ -111,7 +104,7 @@
 
 ##########################################################################################
 
-$(RMI_12) $(RMI_11) $(RMI_IIOP) $(RMI_SRC): $(BUILD_BOOTSTRAP_RMIC)
+$(RMI_12) $(RMI_IIOP) $(RMI_SRC): $(BUILD_BOOTSTRAP_RMIC)
 
 $(RMIC_GENSRC_DIR)/_the.classes.removed: $(GENCLASSES)
 	$(FIND) $(RMIC_GENSRC_DIR) -name "*.class" $(FIND_DELETE)
--- a/src/share/classes/com/sun/accessibility/internal/resources/accessibility_sv.properties	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/com/sun/accessibility/internal/resources/accessibility_sv.properties	Mon Jun 26 22:23:36 2017 -0700
@@ -93,7 +93,7 @@
 resizable=storleks\u00E4ndringsbar
 selectable=valbar
 selected=vald
-showing=visas
+showing=visar
 singleline=en rad
 transient=tillf\u00E4llig
 visible=synlig
--- a/src/share/classes/com/sun/jndi/ldap/LdapClient.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/com/sun/jndi/ldap/LdapClient.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1233,6 +1233,7 @@
     static final int LDAP_REF_FOLLOW = 0x01;            // follow referrals
     static final int LDAP_REF_THROW = 0x02;             // throw referral ex.
     static final int LDAP_REF_IGNORE = 0x03;            // ignore referrals
+    static final int LDAP_REF_FOLLOW_SCHEME = 0x04;     // follow referrals of the same scheme
 
     static final String LDAP_URL = "ldap://";           // LDAPv3
     static final String LDAPS_URL = "ldaps://";         // LDAPv3
--- a/src/share/classes/com/sun/jndi/ldap/LdapCtx.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/com/sun/jndi/ldap/LdapCtx.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2413,6 +2413,9 @@
         // First determine the referral mode
         if (ref != null) {
             switch (ref) {
+                case "follow-scheme":
+                    handleReferrals = LdapClient.LDAP_REF_FOLLOW_SCHEME;
+                    break;
                 case "follow":
                     handleReferrals = LdapClient.LDAP_REF_FOLLOW;
                     break;
@@ -2975,8 +2978,23 @@
             r = new LdapReferralException(resolvedName, resolvedObj, remainName,
                 msg, envprops, fullDN, handleReferrals, reqCtls);
             // only one set of URLs is present
-            r.setReferralInfo(res.referrals == null ? null :
-                    res.referrals.elementAt(0), false);
+            Vector<String> refs;
+            if (res.referrals == null) {
+                refs = null;
+            } else if (handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME) {
+                refs = new Vector<>();
+                for (String s : res.referrals.elementAt(0)) {
+                    if (s.startsWith("ldap:")) {
+                        refs.add(s);
+                    }
+                }
+                if (refs.isEmpty()) {
+                    refs = null;
+                }
+            } else {
+                refs = res.referrals.elementAt(0);
+            }
+            r.setReferralInfo(refs, false);
 
             if (hopCount > 1) {
                 r.setHopCount(hopCount);
--- a/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -117,7 +117,8 @@
 
         // If following referral, request controls are passed to referral ctx
         this.reqCtls =
-            (handleReferrals == LdapClient.LDAP_REF_FOLLOW ? reqCtls : null);
+            (handleReferrals == LdapClient.LDAP_REF_FOLLOW ||
+                    handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME ? reqCtls : null);
     }
 
     /**
--- a/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -63,9 +63,10 @@
      * @param  outputFile the system-dependent filename
      * @param  live if <tt>true</tt> dump only <i>live</i> objects
      *         i.e. objects that are reachable from others
-     * @throws IOException if the <tt>outputFile</tt>
+     * @throws IOException if the <tt>outputFile</tt> already exists,
      *                     cannot be created, opened, or written to.
      * @throws UnsupportedOperationException if this operation is not supported.
+     * @throws IllegalArgumentException if <tt>outputFile</tt> does not end with ".hprof" suffix.
      * @throws NullPointerException if <tt>outputFile</tt> is <tt>null</tt>.
      * @throws SecurityException
      *         If a security manager exists and its {@link
--- a/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1482,9 +1482,6 @@
     /**
      * Invokes {@code shutdown} when this executor is no longer
      * referenced and it has no threads.
-     *
-     * <p>This method is invoked with privileges that are restricted by
-     * the security context of the caller that invokes the constructor.
      */
     protected void finalize() {
         SecurityManager sm = System.getSecurityManager();
--- a/src/share/classes/sun/awt/resources/awt_sv.properties	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/awt/resources/awt_sv.properties	Mon Jun 26 22:23:36 2017 -0700
@@ -71,7 +71,7 @@
 AWT.f22=F22
 AWT.f23=F23
 AWT.f24=F24
-AWT.printScreen=Print Screen
+AWT.printScreen=Sk\u00E4rmutskrift
 AWT.insert=Insert
 AWT.help=Hj\u00E4lp
 AWT.windows=Windows
--- a/src/share/classes/sun/launcher/resources/launcher_es.properties	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/launcher/resources/launcher_es.properties	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,7 @@
 java.launcher.ergo.message2  =\                  porque la ejecuci\u00F3n se est\u00E1 llevando a cabo en una m\u00E1quina de clase de servidor.\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer     =\    -cp <ruta de acceso de b\u00FAsqueda de clases de los directorios y los archivos zip/jar>\n    -classpath <ruta de acceso de b\u00FAsqueda de clases de los directorios y los archivos zip/jar>\n                  Lista separada por {0} de directorios, archivos JAR\n                  y archivos ZIP para buscar archivos de clase.\n    -D<nombre>=<valor>\n                  definir una propiedad del sistema\n    -verbose:[class|gc|jni]\n                  activar la salida verbose\n    -version      imprimir la versi\u00F3n del producto y salir\n    -version:<valor>\n                  Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n                  en una versi\u00F3n futura.\n                  es necesario que se ejecute la versi\u00F3n especificada\n    -showversion  imprimir la versi\u00F3n del producto y continuar\n    -jre-restrict-search | -no-jre-restrict-search\n                  Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n                  en una versi\u00F3n futura.\n                  incluir/excluir JRE privados de usuario en la b\u00FAsqueda de versi\u00F3n\n    -? -help      imprimir este mensaje de ayuda\n    -X            imprimir la ayuda sobre las opciones que no sean est\u00E1ndar\n    -ea[:<nombre_paquete>...|:<nombre_clase>]\n    -enableassertions[:<nombre_paquete>...|:<nombre_clase>]\n                  activar afirmaciones con la granularidad especificada\n    -da[:<nombre_paquete>...|:<nombre_clase>]\n    -disableassertions[:<nombre_paquete>...|:<nombre_clase>]\n                  desactivar afirmaciones con la granularidad especificada\n    -esa | -enablesystemassertions\n                  activar afirmaciones del sistema\n    -dsa | -disablesystemassertions\n                  desactivar afirmaciones del sistema\n    -agentlib:<nombre_bib>[=<opciones>]\n                  cargar la biblioteca de agente nativa <nombre_bib>, como -agentlib:hprof\n                  v\u00E9ase tambi\u00E9n -agentlib:jdwp=help y -agentlib:hprof=help\n    -agentpath:<nombre_ruta_acceso>[=<opciones>]\n                  cargar biblioteca de agente nativa con el nombre de la ruta de acceso completa\n    -javaagent:<ruta_acceso_jar>[=<opciones>]\n                  cargar agente de lenguaje de programaci\u00F3n Java, v\u00E9ase java.lang.instrument\n    -splash:<ruta_acceso_imagen>\n                  mostrar una pantalla de presentaci\u00F3n con la imagen especificada\nConsulte http://www.oracle.com/technetwork/java/javase/documentation/index.html para obtener m\u00E1s informaci\u00F3n.
+java.launcher.opt.footer     =\    -cp <ruta de acceso de b\u00FAsqueda de clases de los directorios y los archivos zip/jar>\n    -classpath <ruta de acceso de b\u00FAsqueda de clases de los directorios y los archivos zip/jar>\n                  Lista separada por {0} de directorios, archivos JAR\n                  y archivos ZIP para buscar archivos de clase.\n    -D<nombre>=<valor>\n                  definir una propiedad del sistema\n    -verbose:[class|gc|jni]\n                  activar la salida verbose\n    -version      imprimir la versi\u00F3n del producto y salir\n    -version:<valor>\n                  Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n                  en una versi\u00F3n futura.\n                  es necesario que se ejecute la versi\u00F3n especificada\n    -showversion  imprimir la versi\u00F3n del producto y continuar\n    -jre-restrict-search | -no-jre-restrict-search\n                  Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n                  en una versi\u00F3n futura.\n                  incluir/excluir JRE privados de usuario en la b\u00FAsqueda de versi\u00F3n\n    -? -help      imprimir este mensaje de ayuda\n    -X            imprimir la ayuda sobre las opciones que no sean est\u00E1ndar\n    -ea[:<nombre paquete>...|:<nombre clase>]\n    -enableassertions[:<nombre paquete>...|:<nombre clase>]\n                  activar afirmaciones con la granularidad especificada\n    -da[:<nombre paquete>...|:<nombre clase>]\n    -disableassertions[:<nombre paquete>...|:<nombre clase>]\n                  desactivar afirmaciones con la granularidad especificada\n    -esa | -enablesystemassertions\n                  activar afirmaciones del sistema\n    -dsa | -disablesystemassertions\n                  desactivar afirmaciones del sistema\n    -agentlib:<nombre bib>[=<opciones>]\n                  cargar la biblioteca de agente nativa <nombre bib>, como -agentlib:hprof\n                  v\u00E9ase tambi\u00E9n -agentlib:jdwp=help y -agentlib:hprof=help\n    -agentpath:<nombre ruta acceso>[=<opciones>]\n                  cargar biblioteca de agente nativa con el nombre de la ruta de acceso completa\n    -javaagent:<ruta acceso jar>[=<opciones>]\n                  cargar agente de lenguaje de programaci\u00F3n Java, v\u00E9ase java.lang.instrument\n    -splash:<ruta acceso imagen>\n                  mostrar una pantalla de presentaci\u00F3n con la imagen especificada\nConsulte http://www.oracle.com/technetwork/java/javase/documentation/index.html para obtener m\u00E1s informaci\u00F3n.
 
 # Translators please note do not translate the options themselves
 java.launcher.X.usage=\    -Xmixed           ejecuci\u00F3n de modo mixto (por defecto)\n    -Xint             s\u00F3lo ejecuci\u00F3n de modo interpretado\n    -Xbootclasspath:<directorios y archivos zip/jar separados por {0}>\n                      definir la ruta de acceso de b\u00FAsqueda para los recursos y clases de inicializaci\u00F3n de datos\n    -Xbootclasspath/a:<directorios y archivos zip/jar separados por {0}>\n                      agregar al final de la ruta de acceso de la clase de inicializaci\u00F3n de datos\n    -Xbootclasspath/p:<directorios y archivos zip/jar separados por {0}>\n                      anteponer a la ruta de acceso de la clase de inicializaci\u00F3n de datos\n    -Xdiag            mostrar mensajes de diagn\u00F3stico adicionales\n    -Xnoclassgc       desactivar la recolecci\u00F3n de basura de clases\n    -Xincgc           activar la recolecci\u00F3n de basura de clases\n    -Xloggc:<archivo> registrar el estado de GC en un archivo con registros de hora\n    -Xbatch           desactivar compilaci\u00F3n en segundo plano\n    -Xms<tama\u00F1o>      definir tama\u00F1o de pila Java inicial\n    -Xmx<tama\u00F1o>      definir tama\u00F1o de pila Java m\u00E1ximo\n    -Xss<tama\u00F1o>      definir tama\u00F1o de la pila del thread de Java\n    -Xprof            datos de salida de creaci\u00F3n de perfil de CPU\n    -Xfuture          activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n    -Xrs              reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n    -Xcheck:jni       realizar comprobaciones adicionales para las funciones de JNI\n    -Xshare:off       no intentar usar datos de clase compartidos\n    -Xshare:auto      usar datos de clase compartidos si es posible (valor por defecto)\n    -Xshare:on        es obligatorio el uso de datos de clase compartidos, de lo contrario se emitir\u00E1 un fallo.\n    -XshowSettings    mostrar todos los valores y continuar\n    -XshowSettings:all\n                      mostrar todos los valores y continuar\n    -XshowSettings:vm mostrar todos los valores de la VM y continuar\n    -XshowSettings:properties\n                      mostrar todos los valores de las propiedades y continuar\n    -XshowSettings:locale\n                      mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n\nLas opciones -X no son est\u00E1ndar, por lo que podr\u00EDan cambiarse sin previo aviso.\n
--- a/src/share/classes/sun/launcher/resources/launcher_sv.properties	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/launcher/resources/launcher_sv.properties	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@
 java.launcher.opt.footer     =\    -cp <class search path of directories and zip/jar files>\n    -classpath <class search path of directories and zip/jar files>\n                  En lista \u00F6ver kataloger, JAR-arkiv och och ZIP-arkiv\n                  f\u00F6r s\u00F6kning efter klassfiler avgr\u00E4nsad med {0}.\n    -D<name>=<value>\n                  ange en systemegenskap\n    -verbose:[class|gc|jni]\n                  aktivera utf\u00F6rliga utdata\n    -version      skriv ut produktversion och avsluta\n    -version:<value>\n                  Varning: den h\u00E4r funktionen \u00E4r inaktuell och kommer\n                  att tas bort i en framtida utg\u00E5va.\n                  kr\u00E4v den angivna versionen f\u00F6r att k\u00F6ra\n    -showversion  skriv ut produktversion och forts\u00E4tt\n    -jre-restrict-search | -no-jre-restrict-search\n                  Varning: den h\u00E4r funktionen \u00E4r inaktuell och kommer\n                  att tas bort i en framtida utg\u00E5va.\n                  inkludera/exkludera anv\u00E4ndarprivata JRE:er i versionss\u00F6kningen\n    -? -help      skriv ut det h\u00E4r hj\u00E4lpmeddelandet\n    -X            skriv ut hj\u00E4lp f\u00F6r icke-standardalternativ\n    -ea[:<packagename>...|:<classname>]\n    -enableassertions[:<packagename>...|:<classname>]\n                  aktivera verifieringar med den angivna detaljgraden\n    -da[:<packagename>...|:<classname>]\n    -disableassertions[:<packagename>...|:<classname>]\n                  avaktivera verifieringar med den angivna detaljgraden\n    -esa | -enablesystemassertions\n                  aktivera systemverifieringar\n    -dsa | -disablesystemassertions\n                  avaktivera systemverifieringar\n    -agentlib:<libname>[=<options>]\n                  ladda det ursprungliga agentbiblioteket <libname>, t.ex. -agentlib:hprof\n                  se \u00E4ven -agentlib:jdwp=help och -agentlib:hprof=help\n    -agentpath:<pathname>[=<options>]\n                  ladda det ursprungliga agentbiblioteket med det fullst\u00E4ndiga s\u00F6kv\u00E4gsnamnet\n    -javaagent:<jarpath>[=<options>]\n                  ladda agenten f\u00F6r programmeringsspr\u00E5ket Java, se java.lang.instrument\n    -splash:<imagepath>\n                  visa v\u00E4lkomstsk\u00E4rmen med den angivna bilden\nMer information finns p\u00E5 http://www.oracle.com/technetwork/java/javase/documentation/index.html.
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\    -Xmixed           k\u00F6rning i blandat l\u00E4ge (standard)\n    -Xint             endast k\u00F6rning i tolkat l\u00E4ge\n    -Xbootclasspath:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      ange s\u00F6kv\u00E4g f\u00F6r programladdningsklasser och -resurser\n    -Xbootclasspath/a:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      l\u00E4gg till i slutet av programladdningsklassens s\u00F6kv\u00E4g\n    -Xbootclasspath/p:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      l\u00E4gg till i b\u00F6rjan av programladdningsklassens s\u00F6kv\u00E4g\n    -Xdiag            visa ytterligare diagnostiska meddelanden\n    -Xnoclassgc       avaktivera klassens skr\u00E4pinsamling\n    -Xincgc           aktivera inkrementell skr\u00E4pinsamling\n    -Xloggc:<fil>    logga GC-status till en fil med tidsst\u00E4mplar\n    -Xbatch           avaktivera bakgrundskompilering\n    -Xms<storlek>        ange ursprunglig storlek f\u00F6r Java-heap\n    -Xmx<storlek>        ange maximal storlek f\u00F6r Java-heap\n    -Xss<storlek>        ange storlek f\u00F6r java-tr\u00E5dsstack\n    -Xprof            utdata f\u00F6r processorprofilering\n    -Xfuture          aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n    -Xrs              minska OS-signalanv\u00E4ndning av Java/VM (se dokumentation)\n    -Xcheck:jni       utf\u00F6r ytterligare kontroller f\u00F6r JNI-funktioner\n    -Xshare:off       anv\u00E4nd inte delade klassdata\n    -Xshare:auto      anv\u00E4nd delade klassdata om det g\u00E5r (standard)\n    -Xshare:on        kr\u00E4v att delade klassdata anv\u00E4nds, annars slutf\u00F6r inte.\n    -XshowSettings    visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:all\n                      visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:properties\n                      visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:locale\n                      visa alla spr\u00E5krelaterade inst\u00E4llningar och forts\u00E4tt\n\n-X-alternativen \u00E4r inte standard och kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.\n
+java.launcher.X.usage=\    -Xmixed           exekvering i blandat l\u00E4ge (standard)\n    -Xint             endast exekvering i tolkat l\u00E4ge\n    -Xbootclasspath:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      ange s\u00F6kv\u00E4g f\u00F6r programladdningsklasser och -resurser\n    -Xbootclasspath/a:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      l\u00E4gg till i slutet av programladdningsklassens s\u00F6kv\u00E4g\n    -Xbootclasspath/p:<kataloger och zip-/jar-filer avgr\u00E4nsas med {0}>\n                      l\u00E4gg till i b\u00F6rjan av programladdningsklassens s\u00F6kv\u00E4g\n    -Xdiag            visa ytterligare diagnostiska meddelanden\n    -Xnoclassgc       avaktivera klassens skr\u00E4pinsamling\n    -Xincgc           aktivera inkrementell skr\u00E4pinsamling\n    -Xloggc:<fil>    logga GC-status till en fil med tidsst\u00E4mplar\n    -Xbatch           avaktivera bakgrundskompilering\n    -Xms<storlek>        ange ursprunglig storlek f\u00F6r Java-heap\n    -Xmx<storlek>        ange maximal storlek f\u00F6r Java-heap\n    -Xss<storlek>        ange storlek f\u00F6r java-tr\u00E5dsstack\n    -Xprof            utdata f\u00F6r processorprofilering\n    -Xfuture          aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n    -Xrs              minska OS-signalanv\u00E4ndning av Java/VM (se dokumentation)\n    -Xcheck:jni       utf\u00F6r ytterligare kontroller f\u00F6r JNI-funktioner\n    -Xshare:off       anv\u00E4nd inte delade klassdata\n    -Xshare:auto      anv\u00E4nd delade klassdata om det g\u00E5r (standard)\n    -Xshare:on        kr\u00E4v att delade klassdata anv\u00E4nds, annars slutf\u00F6r inte.\n    -XshowSettings    visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:all\n                      visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:properties\n                      visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:locale\n                      visa alla spr\u00E5krelaterade inst\u00E4llningar och forts\u00E4tt\n\n-X-alternativen \u00E4r inte standard och kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nF\u00F6ljande alternativ \u00E4r specifika f\u00F6r Mac OS X:\n    -XstartOnFirstThread\n                      k\u00F6r huvudmetoden() p\u00E5 den f\u00F6rsta (AppKit) tr\u00E5den\n    -Xdock:name=<application name>"\n                      \u00E5sidosatt standardapplikationsnamn visas i docka\n    -Xdock:icon=<path to icon file>\n                      \u00E5sidosatt standardikon visas i docka\n\n
--- a/src/share/classes/sun/management/HotSpotDiagnostic.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/management/HotSpotDiagnostic.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,8 @@
 
 import com.sun.management.HotSpotDiagnosticMXBean;
 import com.sun.management.VMOption;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 /**
  * Implementation of the diagnostic MBean for Hotspot VM.
@@ -41,6 +43,14 @@
     }
 
     public void dumpHeap(String outputFile, boolean live) throws IOException {
+
+        String propertyName = "jdk.management.heapdump.allowAnyFileSuffix";
+        PrivilegedAction<Boolean> pa = () -> Boolean.parseBoolean(System.getProperty(propertyName, "false"));
+        boolean allowAnyFileSuffix = AccessController.doPrivileged(pa);
+        if (!allowAnyFileSuffix && !outputFile.endsWith(".hprof")) {
+            throw new IllegalArgumentException("heapdump file must have .hprof extention");
+        }
+
         SecurityManager security = System.getSecurityManager();
         if (security != null) {
             security.checkWrite(outputFile);
--- a/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java	Mon Jun 26 22:23:36 2017 -0700
@@ -32,6 +32,7 @@
 
 package sun.management.jmxremote;
 
+import sun.misc.ObjectInputFilter;
 import java.rmi.AccessException;
 import java.rmi.NotBoundException;
 import java.rmi.Remote;
@@ -56,7 +57,7 @@
                         String name,
                         Remote object)
             throws RemoteException {
-        super(port, csf, ssf);
+        super(port, csf, ssf, SingleEntryRegistry::singleRegistryFilter);
         this.name = name;
         this.object = object;
     }
@@ -84,6 +85,23 @@
         throw new AccessException("Cannot modify this registry");
     }
 
+    /**
+     * ObjectInputFilter to check parameters to SingleEntryRegistry.
+     * Since it is a read-only Registry, no classes are accepted.
+     * String arguments are accepted without passing them to the serialFilter.
+     *
+     * @param info a reference to the serialization filter information
+     * @return Status.REJECTED if parameters are out of range
+     */
+    private static ObjectInputFilter.Status singleRegistryFilter(ObjectInputFilter.FilterInfo info) {
+        return (info.serialClass() != null ||
+                info.depth() > 2 ||
+                info.references() > 4 ||
+                info.arrayLength() >= 0)
+        ? ObjectInputFilter.Status.REJECTED
+        : ObjectInputFilter.Status.ALLOWED;
+    }
+
     private final String name;
     private final Remote object;
 
--- a/src/share/classes/sun/management/resources/agent_sv.properties	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/management/resources/agent_sv.properties	Mon Jun 26 22:23:36 2017 -0700
@@ -1,6 +1,6 @@
 #
 #
-# Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -70,10 +70,10 @@
 agent.err.invalid.snmp.port        = Ogiltigt com.sun.management.snmp.port-nummer
 agent.err.invalid.snmp.trap.port   = Ogiltigt com.sun.management.snmp.trap-nummer
 agent.err.unknown.snmp.interface   = Ok\u00E4nt SNMP-gr\u00E4nssnitt
-agent.err.acl.file.notset          = Ingen SNMP ACL-fil har angetts, men com.sun.management.snmp.acl=true
-agent.err.acl.file.notfound        = SNMP ACL-filen hittades inte
-agent.err.acl.file.not.readable    = SNMP ACL-filen \u00E4r inte l\u00E4sbar
-agent.err.acl.file.read.failed     = Kunde inte l\u00E4sa filen SNMP ACL
+agent.err.acl.file.notset          = Ingen SNMP \u00E5tkomstkontrollista-fil har angetts, men com.sun.management.snmp.acl=true
+agent.err.acl.file.notfound        = SNMP \u00E5tkomstkontrollista-filen hittades inte
+agent.err.acl.file.not.readable    = SNMP \u00E5tkomstkontrollista-filen \u00E4r inte l\u00E4sbar
+agent.err.acl.file.read.failed     = Kunde inte l\u00E4sa filen SNMP \u00E5tkomstkontrollista
 agent.err.acl.file.access.notrestricted = L\u00E4sbeh\u00F6righeten f\u00F6r filen m\u00E5ste begr\u00E4nsas
 
 agent.err.snmp.adaptor.start.failed = Kunde inte starta SNMP-adaptern med adressen
@@ -85,7 +85,7 @@
 jmxremote.ConnectorBootstrap.password.readonly = L\u00E4sbeh\u00F6righeten f\u00F6r l\u00F6senordsfilen m\u00E5ste begr\u00E4nsas: {0}
 jmxremote.ConnectorBootstrap.file.readonly = Fill\u00E4snings\u00E5tkomst m\u00E5ste begr\u00E4nsas {0}
 
-jmxremote.AdaptorBootstrap.getTargetList.processing = ACL bearbetas
+jmxremote.AdaptorBootstrap.getTargetList.processing = \u00E5tkomstkontrollista bearbetas
 jmxremote.AdaptorBootstrap.getTargetList.adding = M\u00E5l l\u00E4ggs till: {0}
 jmxremote.AdaptorBootstrap.getTargetList.starting = Adapterservern startas:
 jmxremote.AdaptorBootstrap.getTargetList.initialize1 = Adaptern redo.
--- a/src/share/classes/sun/rmi/registry/RegistryImpl.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -69,6 +69,10 @@
  * registry.
  *
  * The LocateRegistry class is used to obtain registry for different hosts.
+ * <p>
+ * The default RegistryImpl exported restricts access to clients on the local host
+ * for the methods {@link #bind}, {@link #rebind}, {@link #unbind} by checking
+ * the client host in the skeleton.
  *
  * @see java.rmi.registry.LocateRegistry
  */
@@ -96,10 +100,10 @@
     private static final String REGISTRY_FILTER_PROPNAME = "sun.rmi.registry.registryFilter";
 
     /** Registry max depth of remote invocations. **/
-    private static int REGISTRY_MAX_DEPTH = 5;
+    private static final int REGISTRY_MAX_DEPTH = 20;
 
     /** Registry maximum array size in remote invocations. **/
-    private static int REGISTRY_MAX_ARRAY_SIZE = 10000;
+    private static final int REGISTRY_MAX_ARRAY_SIZE = 10000;
 
     /**
      * The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"}
@@ -137,13 +141,27 @@
                         RMIServerSocketFactory ssf)
         throws RemoteException
     {
+        this(port, csf, ssf, RegistryImpl::registryFilter);
+    }
+
+
+    /**
+     * Construct a new RegistryImpl on the specified port with the
+     * given custom socket factory pair and ObjectInputFilter.
+     */
+    public RegistryImpl(int port,
+                        RMIClientSocketFactory csf,
+                        RMIServerSocketFactory ssf,
+                        ObjectInputFilter serialFilter)
+        throws RemoteException
+    {
         if (port == Registry.REGISTRY_PORT && System.getSecurityManager() != null) {
             // grant permission for default port only.
             try {
                 AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                     public Void run() throws RemoteException {
                         LiveRef lref = new LiveRef(id, port, csf, ssf);
-                        setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
+                        setup(new UnicastServerRef2(lref, serialFilter));
                         return null;
                     }
                 }, null, new SocketPermission("localhost:"+port, "listen,accept"));
@@ -219,7 +237,8 @@
     public void bind(String name, Remote obj)
         throws RemoteException, AlreadyBoundException, AccessException
     {
-        checkAccess("Registry.bind");
+        // The access check preventing remote access is done in the skeleton
+        // and is not applicable to local access.
         synchronized (bindings) {
             Remote curr = bindings.get(name);
             if (curr != null)
@@ -236,7 +255,8 @@
     public void unbind(String name)
         throws RemoteException, NotBoundException, AccessException
     {
-        checkAccess("Registry.unbind");
+        // The access check preventing remote access is done in the skeleton
+        // and is not applicable to local access.
         synchronized (bindings) {
             Remote obj = bindings.get(name);
             if (obj == null)
@@ -252,7 +272,8 @@
     public void rebind(String name, Remote obj)
         throws RemoteException, AccessException
     {
-        checkAccess("Registry.rebind");
+        // The access check preventing remote access is done in the skeleton
+        // and is not applicable to local access.
         bindings.put(name, obj);
     }
 
@@ -279,7 +300,6 @@
      * The client must be on same the same host as this server.
      */
     public static void checkAccess(String op) throws AccessException {
-
         try {
             /*
              * Get client host that this registry operation was made from.
@@ -305,7 +325,7 @@
 
                 if (clientHost.isAnyLocalAddress()) {
                     throw new AccessException(
-                        "Registry." + op + " disallowed; origin unknown");
+                        op + " disallowed; origin unknown");
                 }
 
                 try {
@@ -328,7 +348,7 @@
                     // must have been an IOException
 
                     throw new AccessException(
-                        "Registry." + op + " disallowed; origin " +
+                        op + " disallowed; origin " +
                         clientHost + " is non-local host");
                 }
             }
@@ -337,8 +357,7 @@
              * Local call from this VM: allow access.
              */
         } catch (java.net.UnknownHostException ex) {
-            throw new AccessException("Registry." + op +
-                                      " disallowed; origin is unknown host");
+            throw new AccessException(op + " disallowed; origin is unknown host");
         }
     }
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl_Skel.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+package sun.rmi.registry;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.rmi.AccessException;
+import java.rmi.server.RemoteCall;
+
+import sun.rmi.transport.Connection;
+import sun.rmi.transport.StreamRemoteCall;
+import sun.rmi.transport.tcp.TCPConnection;
+
+/**
+ * Skeleton to dispatch RegistryImpl methods.
+ * Originally generated by RMIC but frozen to match the stubs.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Skel
+        implements java.rmi.server.Skeleton {
+    private static final java.rmi.server.Operation[] operations = {
+            new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+            new java.rmi.server.Operation("java.lang.String list()[]"),
+            new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+            new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+            new java.rmi.server.Operation("void unbind(java.lang.String)")
+    };
+
+    private static final long interfaceHash = 4905912898345647071L;
+
+    public java.rmi.server.Operation[] getOperations() {
+        return operations.clone();
+    }
+
+    public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash)
+            throws java.lang.Exception {
+        if (hash != interfaceHash)
+            throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch");
+
+        sun.rmi.registry.RegistryImpl server = (sun.rmi.registry.RegistryImpl) obj;
+        switch (opnum) {
+            case 0: // bind(String, Remote)
+            {
+                // Check access before reading the arguments
+                RegistryImpl.checkAccess("Registry.bind");
+
+                java.lang.String $param_String_1;
+                java.rmi.Remote $param_Remote_2;
+                try {
+                    java.io.ObjectInput in = call.getInputStream();
+                    $param_String_1 = (java.lang.String) in.readObject();
+                    $param_Remote_2 = (java.rmi.Remote) in.readObject();
+                } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+                    throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+                } finally {
+                    call.releaseInputStream();
+                }
+                server.bind($param_String_1, $param_Remote_2);
+                try {
+                    call.getResultStream(true);
+                } catch (java.io.IOException e) {
+                    throw new java.rmi.MarshalException("error marshalling return", e);
+                }
+                break;
+            }
+
+            case 1: // list()
+            {
+                call.releaseInputStream();
+                java.lang.String[] $result = server.list();
+                try {
+                    java.io.ObjectOutput out = call.getResultStream(true);
+                    out.writeObject($result);
+                } catch (java.io.IOException e) {
+                    throw new java.rmi.MarshalException("error marshalling return", e);
+                }
+                break;
+            }
+
+            case 2: // lookup(String)
+            {
+                java.lang.String $param_String_1;
+                try {
+                    java.io.ObjectInput in = call.getInputStream();
+                    $param_String_1 = (java.lang.String) in.readObject();
+                } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+                    throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+                } finally {
+                    call.releaseInputStream();
+                }
+                java.rmi.Remote $result = server.lookup($param_String_1);
+                try {
+                    java.io.ObjectOutput out = call.getResultStream(true);
+                    out.writeObject($result);
+                } catch (java.io.IOException e) {
+                    throw new java.rmi.MarshalException("error marshalling return", e);
+                }
+                break;
+            }
+
+            case 3: // rebind(String, Remote)
+            {
+                // Check access before reading the arguments
+                RegistryImpl.checkAccess("Registry.rebind");
+
+                java.lang.String $param_String_1;
+                java.rmi.Remote $param_Remote_2;
+                try {
+                    java.io.ObjectInput in = call.getInputStream();
+                    $param_String_1 = (java.lang.String) in.readObject();
+                    $param_Remote_2 = (java.rmi.Remote) in.readObject();
+                } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+                    throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+                } finally {
+                    call.releaseInputStream();
+                }
+                server.rebind($param_String_1, $param_Remote_2);
+                try {
+                    call.getResultStream(true);
+                } catch (java.io.IOException e) {
+                    throw new java.rmi.MarshalException("error marshalling return", e);
+                }
+                break;
+            }
+
+            case 4: // unbind(String)
+            {
+                // Check access before reading the arguments
+                RegistryImpl.checkAccess("Registry.unbind");
+
+                java.lang.String $param_String_1;
+                try {
+                    java.io.ObjectInput in = call.getInputStream();
+                    $param_String_1 = (java.lang.String) in.readObject();
+                } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+                    throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+                } finally {
+                    call.releaseInputStream();
+                }
+                server.unbind($param_String_1);
+                try {
+                    call.getResultStream(true);
+                } catch (java.io.IOException e) {
+                    throw new java.rmi.MarshalException("error marshalling return", e);
+                }
+                break;
+            }
+
+            default:
+                throw new java.rmi.UnmarshalException("invalid method number");
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl_Stub.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.rmi.registry;
+/**
+ * Stubs to invoke RegistryImpl remote methods.
+ * Originally generated from RMIC but frozen to match RegistryImpl_Skel.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Stub
+        extends java.rmi.server.RemoteStub
+        implements java.rmi.registry.Registry, java.rmi.Remote {
+    private static final java.rmi.server.Operation[] operations = {
+            new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+            new java.rmi.server.Operation("java.lang.String list()[]"),
+            new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+            new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+            new java.rmi.server.Operation("void unbind(java.lang.String)")
+    };
+
+    private static final long interfaceHash = 4905912898345647071L;
+
+    // constructors
+    public RegistryImpl_Stub() {
+        super();
+    }
+
+    public RegistryImpl_Stub(java.rmi.server.RemoteRef ref) {
+        super(ref);
+    }
+
+    // methods from remote interfaces
+
+    // implementation of bind(String, Remote)
+    public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+            throws java.rmi.AccessException, java.rmi.AlreadyBoundException, java.rmi.RemoteException {
+        try {
+            java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash);
+            try {
+                java.io.ObjectOutput out = call.getOutputStream();
+                out.writeObject($param_String_1);
+                out.writeObject($param_Remote_2);
+            } catch (java.io.IOException e) {
+                throw new java.rmi.MarshalException("error marshalling arguments", e);
+            }
+            ref.invoke(call);
+            ref.done(call);
+        } catch (java.lang.RuntimeException e) {
+            throw e;
+        } catch (java.rmi.RemoteException e) {
+            throw e;
+        } catch (java.rmi.AlreadyBoundException e) {
+            throw e;
+        } catch (java.lang.Exception e) {
+            throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+        }
+    }
+
+    // implementation of list()
+    public java.lang.String[] list()
+            throws java.rmi.AccessException, java.rmi.RemoteException {
+        try {
+            java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash);
+            ref.invoke(call);
+            java.lang.String[] $result;
+            try {
+                java.io.ObjectInput in = call.getInputStream();
+                $result = (java.lang.String[]) in.readObject();
+            } catch (java.io.IOException e) {
+                throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+            } catch (java.lang.ClassNotFoundException e) {
+                throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+            } finally {
+                ref.done(call);
+            }
+            return $result;
+        } catch (java.lang.RuntimeException e) {
+            throw e;
+        } catch (java.rmi.RemoteException e) {
+            throw e;
+        } catch (java.lang.Exception e) {
+            throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+        }
+    }
+
+    // implementation of lookup(String)
+    public java.rmi.Remote lookup(java.lang.String $param_String_1)
+            throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+        try {
+            java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 2, interfaceHash);
+            try {
+                java.io.ObjectOutput out = call.getOutputStream();
+                out.writeObject($param_String_1);
+            } catch (java.io.IOException e) {
+                throw new java.rmi.MarshalException("error marshalling arguments", e);
+            }
+            ref.invoke(call);
+            java.rmi.Remote $result;
+            try {
+                java.io.ObjectInput in = call.getInputStream();
+                $result = (java.rmi.Remote) in.readObject();
+            } catch (java.io.IOException e) {
+                throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+            } catch (java.lang.ClassNotFoundException e) {
+                throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+            } finally {
+                ref.done(call);
+            }
+            return $result;
+        } catch (java.lang.RuntimeException e) {
+            throw e;
+        } catch (java.rmi.RemoteException e) {
+            throw e;
+        } catch (java.rmi.NotBoundException e) {
+            throw e;
+        } catch (java.lang.Exception e) {
+            throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+        }
+    }
+
+    // implementation of rebind(String, Remote)
+    public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+            throws java.rmi.AccessException, java.rmi.RemoteException {
+        try {
+            java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 3, interfaceHash);
+            try {
+                java.io.ObjectOutput out = call.getOutputStream();
+                out.writeObject($param_String_1);
+                out.writeObject($param_Remote_2);
+            } catch (java.io.IOException e) {
+                throw new java.rmi.MarshalException("error marshalling arguments", e);
+            }
+            ref.invoke(call);
+            ref.done(call);
+        } catch (java.lang.RuntimeException e) {
+            throw e;
+        } catch (java.rmi.RemoteException e) {
+            throw e;
+        } catch (java.lang.Exception e) {
+            throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+        }
+    }
+
+    // implementation of unbind(String)
+    public void unbind(java.lang.String $param_String_1)
+            throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+        try {
+            java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 4, interfaceHash);
+            try {
+                java.io.ObjectOutput out = call.getOutputStream();
+                out.writeObject($param_String_1);
+            } catch (java.io.IOException e) {
+                throw new java.rmi.MarshalException("error marshalling arguments", e);
+            }
+            ref.invoke(call);
+            ref.done(call);
+        } catch (java.lang.RuntimeException e) {
+            throw e;
+        } catch (java.rmi.RemoteException e) {
+            throw e;
+        } catch (java.rmi.NotBoundException e) {
+            throw e;
+        } catch (java.lang.Exception e) {
+            throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+        }
+    }
+}
--- a/src/share/classes/sun/rmi/server/Activation.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/rmi/server/Activation.java	Mon Jun 26 22:23:36 2017 -0700
@@ -30,6 +30,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.ObjectInput;
 import java.io.ObjectInputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
@@ -105,7 +106,6 @@
 import sun.rmi.log.ReliableLog;
 import sun.rmi.registry.RegistryImpl;
 import sun.rmi.runtime.NewThreadAction;
-import sun.rmi.server.UnicastServerRef;
 import sun.rmi.transport.LiveRef;
 import sun.security.action.GetBooleanAction;
 import sun.security.action.GetIntegerAction;
@@ -345,6 +345,7 @@
                 throw new AccessException(
                     "binding ActivationSystem is disallowed");
             } else {
+                RegistryImpl.checkAccess("ActivationSystem.bind");
                 super.bind(name, obj);
             }
         }
@@ -356,6 +357,7 @@
                 throw new AccessException(
                     "unbinding ActivationSystem is disallowed");
             } else {
+                RegistryImpl.checkAccess("ActivationSystem.unbind");
                 super.unbind(name);
             }
         }
@@ -368,6 +370,7 @@
                 throw new AccessException(
                     "binding ActivationSystem is disallowed");
             } else {
+                RegistryImpl.checkAccess("ActivationSystem.rebind");
                 super.rebind(name, obj);
             }
         }
@@ -458,6 +461,33 @@
     }
 
 
+    /**
+     * SameHostOnlyServerRef checks that access is from a local client
+     * before the parameters are deserialized.  The unmarshalCustomCallData
+     * hook is used to check the network address of the caller
+     * with RegistryImpl.checkAccess().
+     * The kind of access is retained for an exception if one is thrown.
+     */
+    static class SameHostOnlyServerRef extends UnicastServerRef {
+        private static final long serialVersionUID = 1234L;
+        private String accessKind;      // an exception message
+
+        /**
+         * Construct a new SameHostOnlyServerRef from a LiveRef.
+         * @param lref a LiveRef
+         */
+        SameHostOnlyServerRef(LiveRef lref, String accessKind) {
+            super(lref);
+            this.accessKind = accessKind;
+        }
+
+        @Override
+        protected void unmarshalCustomCallData(ObjectInput in) throws IOException, ClassNotFoundException {
+            RegistryImpl.checkAccess(accessKind);
+            super.unmarshalCustomCallData(in);
+        }
+    }
+
     class ActivationSystemImpl
         extends RemoteServer
         implements ActivationSystem
@@ -475,7 +505,8 @@
              * 'this' can be exported.
              */
             LiveRef lref = new LiveRef(new ObjID(4), port, null, ssf);
-            UnicastServerRef uref = new UnicastServerRef(lref);
+            UnicastServerRef uref = new SameHostOnlyServerRef(lref,
+                    "ActivationSystem.nonLocalAccess");
             ref = uref;
             uref.exportObject(this, null);
         }
@@ -484,8 +515,8 @@
             throws ActivationException, UnknownGroupException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.registerObject");
-
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
             ActivationGroupID groupID = desc.getGroupID();
             ActivationID id = new ActivationID(activatorStub);
             getGroupEntry(groupID).registerObject(id, desc, true);
@@ -496,15 +527,18 @@
             throws ActivationException, UnknownObjectException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.unregisterObject");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
             getGroupEntry(id).unregisterObject(id, true);
         }
 
         public ActivationGroupID registerGroup(ActivationGroupDesc desc)
             throws ActivationException, RemoteException
         {
+            Thread.dumpStack();
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.registerGroup");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
             checkArgs(desc, null);
 
             ActivationGroupID id = new ActivationGroupID(systemStub);
@@ -521,7 +555,8 @@
             throws ActivationException, UnknownGroupException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.activeGroup");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             getGroupEntry(id).activeGroup(group, incarnation);
             return monitor;
@@ -531,7 +566,8 @@
             throws ActivationException, UnknownGroupException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.unregisterGroup");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             // remove entry before unregister so state is updated before
             // logged
@@ -543,7 +579,8 @@
             throws ActivationException, UnknownObjectException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.setActivationDesc");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             if (!getGroupID(id).equals(desc.getGroupID())) {
                 throw new ActivationException(
@@ -557,8 +594,8 @@
             throws ActivationException, UnknownGroupException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess(
-                "ActivationSystem.setActivationGroupDesc");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             checkArgs(desc, null);
             return getGroupEntry(id).setActivationGroupDesc(id, desc, true);
@@ -568,7 +605,8 @@
             throws ActivationException, UnknownObjectException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess("ActivationSystem.getActivationDesc");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             return getGroupEntry(id).getActivationDesc(id);
         }
@@ -577,8 +615,8 @@
             throws ActivationException, UnknownGroupException, RemoteException
         {
             checkShutdown();
-            RegistryImpl.checkAccess
-                ("ActivationSystem.getActivationGroupDesc");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             return getGroupEntry(id).desc;
         }
@@ -588,7 +626,8 @@
          * the activation daemon and exits the activation daemon.
          */
         public void shutdown() throws AccessException {
-            RegistryImpl.checkAccess("ActivationSystem.shutdown");
+            // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+            // during unmarshallCustomData and is not applicable to local access.
 
             Object lock = startupLock;
             if (lock != null) {
--- a/src/share/classes/sun/rmi/server/UnicastServerRef.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/rmi/server/UnicastServerRef.java	Mon Jun 26 22:23:36 2017 -0700
@@ -32,6 +32,7 @@
 import java.io.ObjectStreamClass;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.rmi.AccessException;
 import java.rmi.MarshalException;
 import java.rmi.Remote;
 import java.rmi.RemoteException;
@@ -290,20 +291,25 @@
             try {
                 in = call.getInputStream();
                 num = in.readInt();
-                if (num >= 0) {
-                    if (skel != null) {
-                        oldDispatch(obj, call, num);
-                        return;
-                    } else {
-                        throw new UnmarshalException(
-                            "skeleton class not found but required " +
-                            "for client version");
-                    }
+            } catch (Exception readEx) {
+                throw new UnmarshalException("error unmarshalling call header",
+                                             readEx);
+            }
+            if (num >= 0) {
+                if (skel != null) {
+                    oldDispatch(obj, call, num);
+                    return;
+                } else {
+                    throw new UnmarshalException(
+                        "skeleton class not found but required " +
+                        "for client version");
                 }
+            }
+            try {
                 op = in.readLong();
             } catch (Exception readEx) {
                 throw new UnmarshalException("error unmarshalling call header",
-                                             readEx);
+                        readEx);
             }
 
             /*
@@ -331,6 +337,11 @@
             try {
                 unmarshalCustomCallData(in);
                 params = unmarshalParameters(obj, method, marshalStream);
+            } catch (AccessException aex) {
+                // For compatibility, AccessException is not wrapped in UnmarshalException
+                // disable saving any refs in the inputStream for GC
+                ((StreamRemoteCall) call).discardPendingRefs();
+                throw aex;
             } catch (java.io.IOException | ClassNotFoundException e) {
                 // disable saving any refs in the inputStream for GC
                 ((StreamRemoteCall) call).discardPendingRefs();
@@ -367,6 +378,7 @@
                  */
             }
         } catch (Throwable e) {
+            Throwable origEx = e;
             logCallException(e);
 
             ObjectOutput out = call.getResultStream(false);
@@ -382,6 +394,12 @@
                 clearStackTraces(e);
             }
             out.writeObject(e);
+
+            // AccessExceptions should cause Transport.serviceCall
+            // to flag the connection as unusable.
+            if (origEx instanceof AccessException) {
+                throw new IOException("Connection is not reusable", origEx);
+            }
         } finally {
             call.releaseInputStream(); // in case skeleton doesn't
             call.releaseOutputStream();
@@ -413,62 +431,41 @@
      * Handle server-side dispatch using the RMI 1.1 stub/skeleton
      * protocol, given a non-negative operation number that has
      * already been read from the call stream.
+     * Exceptions are handled by the caller to be sent to the remote client.
      *
      * @param obj the target remote object for the call
      * @param call the "remote call" from which operation and
      * method arguments can be obtained.
      * @param op the operation number
-     * @exception IOException if unable to marshal return result or
+     * @throws Exception if unable to marshal return result or
      * release input or output streams
      */
-    public void oldDispatch(Remote obj, RemoteCall call, int op)
-        throws IOException
+    private void oldDispatch(Remote obj, RemoteCall call, int op)
+        throws Exception
     {
         long hash;              // hash for matching stub with skeleton
 
+        // read remote call header
+        ObjectInput in;
+        in = call.getInputStream();
         try {
-            // read remote call header
-            ObjectInput in;
-            try {
-                in = call.getInputStream();
-                try {
-                    Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
-                    if (clazz.isAssignableFrom(skel.getClass())) {
-                        ((MarshalInputStream)in).useCodebaseOnly();
-                    }
-                } catch (ClassNotFoundException ignore) { }
-                hash = in.readLong();
-            } catch (Exception readEx) {
-                throw new UnmarshalException("error unmarshalling call header",
-                                             readEx);
+            Class<?> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
+            if (clazz.isAssignableFrom(skel.getClass())) {
+                ((MarshalInputStream)in).useCodebaseOnly();
             }
+        } catch (ClassNotFoundException ignore) { }
 
-            // if calls are being logged, write out object id and operation
-            logCall(obj, skel.getOperations()[op]);
-            unmarshalCustomCallData(in);
-            // dispatch to skeleton for remote object
-            skel.dispatch(obj, call, op, hash);
+        try {
+            hash = in.readLong();
+        } catch (Exception ioe) {
+            throw new UnmarshalException("error unmarshalling call header", ioe);
+        }
 
-        } catch (Throwable e) {
-            logCallException(e);
-
-            ObjectOutput out = call.getResultStream(false);
-            if (e instanceof Error) {
-                e = new ServerError(
-                    "Error occurred in server thread", (Error) e);
-            } else if (e instanceof RemoteException) {
-                e = new ServerException(
-                    "RemoteException occurred in server thread",
-                    (Exception) e);
-            }
-            if (suppressStackTraces) {
-                clearStackTraces(e);
-            }
-            out.writeObject(e);
-        } finally {
-            call.releaseInputStream(); // in case skeleton doesn't
-            call.releaseOutputStream();
-        }
+        // if calls are being logged, write out object id and operation
+        logCall(obj, skel.getOperations()[op]);
+        unmarshalCustomCallData(in);
+        // dispatch to skeleton for remote object
+        skel.dispatch(obj, call, op, hash);
     }
 
     /**
--- a/src/share/classes/sun/security/ec/ECDSASignature.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/ec/ECDSASignature.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -287,11 +287,15 @@
         }
         random.nextBytes(seed);
 
+        // random bits needed for timing countermeasures
+        int timingArgument = random.nextInt();
+        // values must be non-zero to enable countermeasures
+        timingArgument |= 1;
+
         try {
-
             return encodeSignature(
-                signDigest(getDigestValue(), s, encodedParams, seed));
-
+                signDigest(getDigestValue(), s, encodedParams, seed,
+                    timingArgument));
         } catch (GeneralSecurityException e) {
             throw new SignatureException("Could not sign data", e);
         }
@@ -418,11 +422,19 @@
      * @param s the private key's S value.
      * @param encodedParams the curve's DER encoded object identifier.
      * @param seed the random seed.
+     * @param timing When non-zero, the implmentation will use timing
+     *     countermeasures to hide secrets from timing channels. The EC
+     *     implementation will disable the countermeasures when this value is
+     *     zero, because the underlying EC functions are shared by several
+     *     crypto operations, some of which do not use the countermeasures.
+     *     The high-order 31 bits must be uniformly random. The entropy from
+     *     these bits is used by the countermeasures.
      *
      * @return byte[] the signature.
      */
     private static native byte[] signDigest(byte[] digest, byte[] s,
-        byte[] encodedParams, byte[] seed) throws GeneralSecurityException;
+        byte[] encodedParams, byte[] seed, int timing)
+            throws GeneralSecurityException;
 
     /**
      * Verifies the signed digest using the public key.
--- a/src/share/classes/sun/security/provider/DSA.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/provider/DSA.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,6 +67,13 @@
     /* Are we debugging? */
     private static final boolean debug = false;
 
+    /* The number of bits used in exponent blinding */
+    private static final int BLINDING_BITS = 7;
+
+    /* The constant component of the exponent blinding value */
+    private static final BigInteger BLINDING_CONSTANT =
+        BigInteger.valueOf(1 << BLINDING_BITS);
+
     /* The parameter object */
     private DSAParams params;
 
@@ -312,8 +319,19 @@
         return null;
     }
 
+
     private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
                          BigInteger k) {
+
+        // exponent blinding to hide information from timing channel
+        SecureRandom random = getSigningRandom();
+        // start with a random blinding component
+        BigInteger blindingValue = new BigInteger(BLINDING_BITS, random);
+        // add the fixed blinding component
+        blindingValue = blindingValue.add(BLINDING_CONSTANT);
+        // replace k with a blinded value that is congruent (mod q)
+        k = k.add(q.multiply(blindingValue));
+
         BigInteger temp = g.modPow(k, p);
         return temp.mod(q);
     }
@@ -378,43 +396,8 @@
         byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
 
         random.nextBytes(kValue);
-        BigInteger k = new BigInteger(1, kValue).mod(
+        return new BigInteger(1, kValue).mod(
                 q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
-
-        // Using an equivalent exponent of fixed length (same as q or 1 bit
-        // less than q) to keep the kG timing relatively constant.
-        //
-        // Note that this is an extra step on top of the approach defined in
-        // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
-        k = k.add(q).divide(BigInteger.valueOf(2));
-
-        // An alternative implementation based on FIPS 186-4 AppendixB2.2
-        // with fixed-length K.
-        //
-        // Please keep it here as we may need to switch to it in the future.
-        //
-        // SecureRandom random = getSigningRandom();
-        // byte[] kValue = new byte[(q.bitLength() + 7)/8];
-        // BigInteger d = q.subtract(BigInteger.TWO);
-        // BigInteger k;
-        // do {
-        //     random.nextBytes(kValue);
-        //     BigInteger c = new BigInteger(1, kValue);
-        //     if (c.compareTo(d) <= 0) {
-        //         k = c.add(BigInteger.ONE);
-        //         // Using an equivalent exponent of fixed length to keep
-        //         // the g^k timing relatively constant.
-        //         //
-        //         // Note that this is an extra step on top of the approach
-        //         // defined in FIPS 186-4 AppendixB.2.2 so as to make a
-        //         // fixed length K.
-        //         if (k.bitLength() >= q.bitLength()) {
-        //             break;
-        //         }
-        //     }
-        // } while (true);
-
-        return k;
     }
 
     // Use the application-specified SecureRandom Object if provided.
--- a/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -265,7 +265,7 @@
              */
             Hashtable<?,?> currentEnv = ctx.getEnvironment();
             if (currentEnv.get(Context.REFERRAL) == null) {
-                ctx.addToEnvironment(Context.REFERRAL, "follow");
+                ctx.addToEnvironment(Context.REFERRAL, "follow-scheme");
             }
         } catch (NamingException e) {
             if (debug != null) {
--- a/src/share/classes/sun/security/tools/keytool/Resources_sv.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/tools/keytool/Resources_sv.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -55,7 +55,7 @@
         {"Changes.an.entry.s.alias",
                 "\u00C4ndrar postalias"}, //-changealias
         {"Deletes.an.entry",
-                "Tar bort post"}, //-delete
+                "Tar bort en post"}, //-delete
         {"Exports.certificate",
                 "Exporterar certifikat"}, //-exportcert
         {"Generates.a.key.pair",
@@ -175,7 +175,7 @@
         {"validity.number.of.days",
                 "antal dagar f\u00F6r giltighet"}, //-validity
         {"Serial.ID.of.cert.to.revoke",
-                 "Seriellt id f\u00F6r certifikat som ska \u00E5terkallas"}, //-id
+                 "Serienummer p\u00E5 certifikat som ska \u00E5terkallas"}, //-id
         // keytool: Running part
         {"keytool.error.", "nyckelverktygsfel: "},
         {"Illegal.option.", "Otill\u00E5tet alternativ:  "},
@@ -266,7 +266,7 @@
                 "Certifikatet har inte lagts till i nyckellagret"},
         {".Storing.ksfname.", "[Lagrar {0}]"},
         {"alias.has.no.public.key.certificate.",
-                "{0} saknar offentlig nyckel (certifikat)"},
+                "{0} saknar \u00F6ppen nyckel (certifikat)"},
         {"Cannot.derive.signature.algorithm",
                 "Kan inte h\u00E4rleda signaturalgoritm"},
         {"Alias.alias.does.not.exist",
@@ -316,7 +316,7 @@
         {"Failed.to.parse.input", "Kunde inte tolka indata"},
         {"Empty.input", "Inga indata"},
         {"Not.X.509.certificate", "Inte ett X.509-certifikat"},
-        {"alias.has.no.public.key", "{0} saknar offentlig nyckel"},
+        {"alias.has.no.public.key", "{0} saknar \u00F6ppen nyckel"},
         {"alias.has.no.X.509.certificate", "{0} saknar X.509-certifikat"},
         {"New.certificate.self.signed.", "Nytt certifikat (sj\u00E4lvsignerat):"},
         {"Reply.has.no.certificates", "Svaret saknar certifikat"},
@@ -371,7 +371,7 @@
 
         {".WARNING.WARNING.WARNING.",
             "*****************  WARNING WARNING WARNING  *****************"},
-        {"Signer.d.", "Signerare #%d:"},
+        {"Signer.d.", "Undertecknare %d:"},
         {"Timestamp.", "Tidsst\u00E4mpel:"},
         {"Signature.", "Signatur:"},
         {"CRLs.", "CRL:er:"},
@@ -386,7 +386,7 @@
             "* Integriteten f\u00F6r den information som lagras i srckeystore*\n* har INTE verifierats!  Om du vill verifiera dess integritet *\n* m\u00E5ste du ange l\u00F6senordet f\u00F6r srckeystore.                *"},
 
         {"Certificate.reply.does.not.contain.public.key.for.alias.",
-                "Certifikatsvaret inneh\u00E5ller inte n\u00E5gon offentlig nyckel f\u00F6r <{0}>"},
+                "Certifikatsvaret inneh\u00E5ller inte n\u00E5gon \u00F6ppen nyckel f\u00F6r <{0}>"},
         {"Incomplete.certificate.chain.in.reply",
                 "Ofullst\u00E4ndig certifikatskedja i svaret"},
         {"Certificate.chain.in.reply.does.not.verify.",
@@ -417,7 +417,7 @@
         {".Empty.value.", "(Tomt v\u00E4rde)"},
         {"Extension.Request.", "Till\u00E4ggsbeg\u00E4ran:"},
         {"PKCS.10.Certificate.Request.Version.1.0.Subject.s.Public.Key.s.format.s.key.",
-                "PKCS #10 certifikatbeg\u00E4ran (version 1.0)\n\u00C4mne: %s\nAllm\u00E4n nyckel: %s-format %s-nyckel\n"},
+                "PKCS #10 certifikatbeg\u00E4ran (version 1.0)\n\u00C4rende: %s\n\u00D6ppen nyckel: %s-format %s-nyckel\n"},
         {"Unknown.keyUsage.type.", "Ok\u00E4nd keyUsage-typ: "},
         {"Unknown.extendedkeyUsage.type.", "Ok\u00E4nd extendedkeyUsage-typ: "},
         {"Unknown.AccessDescription.type.", "Ok\u00E4nd AccessDescription-typ: "},
--- a/src/share/classes/sun/security/tools/policytool/Resources_sv.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/tools/policytool/Resources_sv.java	Mon Jun 26 22:23:36 2017 -0700
@@ -35,7 +35,7 @@
     private static final Object[][] contents = {
         {"NEWLINE", "\n"},
         {"Warning.A.public.key.for.alias.signers.i.does.not.exist.Make.sure.a.KeyStore.is.properly.configured.",
-                "Varning! Det finns ingen offentlig nyckel f\u00F6r aliaset {0}. Kontrollera att det aktuella nyckellagret \u00E4r korrekt konfigurerat."},
+                "Varning! Det finns ingen \u00F6ppen nyckel f\u00F6r aliaset {0}. Kontrollera att det aktuella nyckellagret \u00E4r korrekt konfigurerat."},
         {"Warning.Class.not.found.class", "Varning! Klassen hittades inte: {0}"},
         {"Warning.Invalid.argument.s.for.constructor.arg",
                 "Varning! Ogiltiga argument f\u00F6r konstruktor: {0}"},
@@ -59,8 +59,8 @@
         {"Warning.File.name.may.include.escaped.backslash.characters.It.is.not.necessary.to.escape.backslash.characters.the.tool.escapes",
             "Varning! Filnamnet kan inneh\u00E5lla omv\u00E4nda snedstreck inom citattecken. Citattecken kr\u00E4vs inte f\u00F6r omv\u00E4nda snedstreck (verktyget hanterar detta n\u00E4r policyinneh\u00E5llet skrivs till det best\u00E4ndiga lagret).\n\nKlicka p\u00E5 Beh\u00E5ll f\u00F6r att beh\u00E5lla det angivna namnet, eller klicka p\u00E5 Redigera f\u00F6r att \u00E4ndra det."},
 
-        {"Add.Public.Key.Alias", "L\u00E4gg till offentligt nyckelalias"},
-        {"Remove.Public.Key.Alias", "Ta bort offentligt nyckelalias"},
+        {"Add.Public.Key.Alias", "L\u00E4gg till alias till \u00F6ppen nyckel"},
+        {"Remove.Public.Key.Alias", "Ta bort alias f\u00F6r \u00F6ppen nyckel"},
         {"File", "&Arkiv"},
         {"KeyStore", "&KeyStore"},
         {"Policy.File.", "Policyfil:"},
@@ -136,7 +136,7 @@
         {"provider.name", "leverant\u00F6rsnamn"},
         {"url", "url"},
         {"method.list", "metodlista"},
-        {"request.headers.list", "beg\u00E4ranrubriklista"},
+        {"request.headers.list", "lista \u00F6ver beg\u00E4randehuvuden"},
         {"Principal.List", "Lista \u00F6ver identitetshavare"},
         {"Permission.List", "Beh\u00F6righetslista"},
         {"Code.Base", "Kodbas"},
--- a/src/share/classes/sun/security/util/AuthResources_sv.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/util/AuthResources_sv.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -137,7 +137,7 @@
         // provided.null.name is the NullPointerException message when a
         // developer incorrectly passes a null name to the constructor of
         // subclasses of java.security.Principal
-        {"provided.null.name", "angav null-namn"}
+        {"provided.null.name", "null-namn angavs"}
 
     };
 
--- a/src/share/classes/sun/security/util/Resources_sv.java	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/classes/sun/security/util/Resources_sv.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,9 +53,9 @@
                 "CredOwner:\n\tIdentitetshavareklass = {0}\n\tIdentitetshavarenamn = {1}"},
 
         // javax.security.auth.x500
-        {"provided.null.name", "angav null-namn"},
-        {"provided.null.keyword.map", "nullnyckelordsmappning tillhandah\u00F6lls"},
-        {"provided.null.OID.map", "null-OID-mappning tillhandah\u00F6lls"},
+        {"provided.null.name", "null-namn angavs"},
+        {"provided.null.keyword.map", "nullnyckelordsmappning angavs"},
+        {"provided.null.OID.map", "null-OID-mappning angavs"},
 
         // javax.security.auth.Subject
         {"NEWLINE", "\n"},
@@ -73,7 +73,7 @@
                 "\tPrivat inloggning \u00E4r inte tillg\u00E4nglig\n"},
         {"Subject.is.read.only", "Innehavare \u00E4r skrivskyddad"},
         {"attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set",
-                "f\u00F6rs\u00F6k att l\u00E4gga till ett objekt som inte \u00E4r en f\u00F6rekomst av java.security.Principal till en upps\u00E4ttning av identitetshavare"},
+                "f\u00F6rs\u00F6k att l\u00E4gga till ett objekt som inte \u00E4r en instans av java.security.Principal till ett subjekts upps\u00E4ttning av identitetshavare"},
         {"attempting.to.add.an.object.which.is.not.an.instance.of.class",
                 "f\u00F6rs\u00F6ker l\u00E4gga till ett objekt som inte \u00E4r en instans av {0}"},
 
@@ -84,11 +84,11 @@
         {"Invalid.null.input.name", "Ogiltiga null-indata: namn"},
         {"No.LoginModules.configured.for.name",
          "Inga inloggningsmoduler har konfigurerats f\u00F6r {0}"},
-        {"invalid.null.Subject.provided", "ogiltig null-innehavare"},
+        {"invalid.null.Subject.provided", "ogiltig null-subjekt"},
         {"invalid.null.CallbackHandler.provided",
                 "ogiltig null-CallbackHandler"},
         {"null.subject.logout.called.before.login",
-                "null-innehavare - utloggning anropades f\u00F6re inloggning"},
+                "null-subjekt - utloggning anropades f\u00F6re inloggning"},
         {"unable.to.instantiate.LoginModule.module.because.it.does.not.provide.a.no.argument.constructor",
                 "kan inte instansiera LoginModule, {0}, eftersom den inte tillhandah\u00E5ller n\u00E5gon icke-argumentskonstruktor"},
         {"unable.to.instantiate.LoginModule",
@@ -148,12 +148,12 @@
 
         // sun.security.pkcs11.SunPKCS11
         {"PKCS11.Token.providerName.Password.",
-                "PKCS11-tecken [{0}] L\u00F6senord: "},
+                "L\u00F6senord f\u00F6r PKCS11-token [{0}]: "},
 
         /* --- DEPRECATED --- */
         // javax.security.auth.Policy
         {"unable.to.instantiate.Subject.based.policy",
-                "den innehavarbaserade policyn kan inte skapas"}
+                "kan inte instansiera subjektbaserad policy"}
     };
 
 
--- a/src/share/native/sun/security/ec/ECC_JNI.cpp	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/ECC_JNI.cpp	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,7 @@
  */
 JNIEXPORT jbyteArray
 JNICALL Java_sun_security_ec_ECDSASignature_signDigest
-  (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
+  (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
 {
     jbyte* pDigestBuffer = NULL;
     jint jDigestLength = env->GetArrayLength(digest);
@@ -250,7 +250,7 @@
 
     // Sign the digest (using the supplied seed)
     if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
-        (unsigned char *) pSeedBuffer, jSeedLength, 0) != SECSuccess) {
+        (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
         ThrowException(env, KEY_EXCEPTION);
         goto cleanup;
     }
--- a/src/share/native/sun/security/ec/impl/ec.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ec.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
- * Last Modified Date from the Original Code: November 2016
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "mplogic.h"
@@ -87,7 +87,7 @@
  */
 SECStatus
 ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
-             const SECItem *pointP, SECItem *pointQ, int kmflag)
+             const SECItem *pointP, SECItem *pointQ, int kmflag, int timing)
 {
     mp_int Px, Py, Qx, Qy;
     mp_int Gx, Gy, order, irreducible, a, b;
@@ -199,9 +199,9 @@
                 goto cleanup;
 
         if ((k2 != NULL) && (pointP != NULL)) {
-                CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
+                CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy, timing) );
         } else {
-                CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
+                CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy, timing) );
     }
 
     /* Construct the SECItem representation of point Q */
@@ -332,7 +332,8 @@
     CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data,
         (mp_size) len) );
 
-    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag);
+    /* key generation does not support timing mitigation */
+    rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag, /*timing*/ 0);
     if (rv != SECSuccess) goto cleanup;
     *privKey = key;
 
@@ -609,7 +610,8 @@
     }
 
     /* Multiply our private key and peer's public point */
-    if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag) != SECSuccess) ||
+    /* ECDH doesn't support timing mitigation */
+    if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag, /*timing*/ 0) != SECSuccess) ||
         ec_point_at_infinity(&pointQ))
         goto cleanup;
 
@@ -644,7 +646,8 @@
  */
 SECStatus
 ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
-    const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag)
+    const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag,
+    int timing)
 {
     SECStatus rv = SECFailure;
     mp_int x1;
@@ -714,16 +717,6 @@
     }
 
     /*
-     * Using an equivalent exponent of fixed length (same as n or 1 bit less
-     * than n) to keep the kG timing relatively constant.
-     *
-     * Note that this is an extra step on top of the approach defined in
-     * ANSI X9.62 so as to make a fixed length K.
-     */
-    CHECK_MPI_OK( mp_add(&k, &n, &k) );
-    CHECK_MPI_OK( mp_div_2(&k, &k) );
-
-    /*
     ** ANSI X9.62, Section 5.3.2, Step 2
     **
     ** Compute kG
@@ -731,7 +724,7 @@
     kGpoint.len = 2*flen + 1;
     kGpoint.data = PORT_Alloc(2*flen + 1, kmflag);
     if ((kGpoint.data == NULL) ||
-        (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag)
+        (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag, timing)
             != SECSuccess))
         goto cleanup;
 
@@ -853,7 +846,7 @@
 */
 SECStatus
 ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest,
-    const unsigned char* random, int randomLen, int kmflag)
+    const unsigned char* random, int randomLen, int kmflag, int timing)
 {
     SECStatus rv = SECFailure;
     int len;
@@ -871,7 +864,7 @@
     if (kBytes == NULL) goto cleanup;
 
     /* Generate ECDSA signature with the specified k value */
-    rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag);
+    rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag, timing);
 
 cleanup:
     if (kBytes) {
@@ -1017,7 +1010,8 @@
     ** Here, A = u1.G     B = u2.Q    and   C = A + B
     ** If the result, C, is the point at infinity, reject the signature
     */
-    if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag)
+    /* verification does not support timing mitigation */
+    if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag, /*timing*/ 0)
         != SECSuccess) {
         rv = SECFailure;
         goto cleanup;
--- a/src/share/native/sun/security/ec/impl/ec2.h	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ec2.h	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #ifndef _EC2_H
@@ -79,7 +80,7 @@
  * determines the field GF2m.  Uses Montgomery projective coordinates. */
 mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
                                                    const mp_int *py, mp_int *rx, mp_int *ry,
-                                                   const ECGroup *group);
+                                                   const ECGroup *group, int timing);
 
 #ifdef ECL_ENABLE_GF2M_PROJ
 /* Converts a point P(px, py) from affine coordinates to projective
--- a/src/share/native/sun/security/ec/impl/ec2_aff.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ec2_aff.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "ec2.h"
@@ -329,7 +330,8 @@
     /* 4: Verify that the order of the curve times the publicValue
      *    is the point at infinity.
      */
-        MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+        /* timing mitigation is not supported */
+        MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
         if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
                 res = MP_NO;
                 goto CLEANUP;
--- a/src/share/native/sun/security/ec/impl/ec2_mont.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ec2_mont.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -35,6 +35,7 @@
  *   Stephen Fung <fungstep@hotmail.com>, and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories.
  *
+ *  Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "ec2.h"
@@ -181,10 +182,12 @@
 /* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R.  "Fast
  * multiplication on elliptic curves over GF(2^m) without
  * precomputation". Elliptic curve points P and R can be identical. Uses
- * Montgomery projective coordinates. */
+ * Montgomery projective coordinates. The timing parameter is ignored
+ * because this algorithm resists timing attacks by default. */
 mp_err
 ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
-                                        mp_int *rx, mp_int *ry, const ECGroup *group)
+                                        mp_int *rx, mp_int *ry, const ECGroup *group,
+                                        int timing)
 {
         mp_err res = MP_OKAY;
         mp_int x1, x2, z1, z2;
--- a/src/share/native/sun/security/ec/impl/ecc_impl.h	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecc_impl.h	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
- * Last Modified Date from the Original Code: November 2013
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #ifndef _ECC_IMPL_H
@@ -258,7 +258,7 @@
     const unsigned char* random, int randomlen, int);
 /* This function has been modified to accept an array of random bytes */
 extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
-    const unsigned char* random, int randomlen, int);
+    const unsigned char* random, int randomlen, int, int timing);
 extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
     const SECItem *, int);
 extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
--- a/src/share/native/sun/security/ec/impl/ecl-priv.h	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecl-priv.h	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
  *   Stephen Fung <fungstep@hotmail.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #ifndef _ECL_PRIV_H
@@ -193,12 +194,13 @@
                                                  mp_int *ry, const ECGroup *group);
         mp_err (*point_mul) (const mp_int *n, const mp_int *px,
                                                  const mp_int *py, mp_int *rx, mp_int *ry,
-                                                 const ECGroup *group);
+                                                 const ECGroup *group, int timing);
         mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
                                                           const ECGroup *group);
         mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
                                                   const mp_int *px, const mp_int *py, mp_int *rx,
-                                                  mp_int *ry, const ECGroup *group);
+                                                  mp_int *ry, const ECGroup *group,
+                                                  int timing);
         mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
         /* Extra storage for implementation-specific data.  Any memory
          * allocated to these extra fields will be cleared by extra_free. */
@@ -262,10 +264,12 @@
 /* point multiplication */
 mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
                                                 const mp_int *px, const mp_int *py, mp_int *rx,
-                                                mp_int *ry, const ECGroup *group);
+                                                mp_int *ry, const ECGroup *group,
+                                                int timing);
 mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
                                                    const mp_int *px, const mp_int *py, mp_int *rx,
-                                                   mp_int *ry, const ECGroup *group);
+                                                   mp_int *ry, const ECGroup *group,
+                                                   int timing);
 
 /* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
  * be an array of signed char's to output to, bitsize should be the number
--- a/src/share/native/sun/security/ec/impl/ecl.h	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecl.h	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #ifndef _ECL_H
@@ -70,7 +71,8 @@
  * of the group of points on the elliptic curve. Input and output values
  * are assumed to be NOT field-encoded. */
 mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
-                                   const mp_int *py, mp_int *qx, mp_int *qy);
+                                   const mp_int *py, mp_int *qx, mp_int *qy,
+                                   int timing);
 
 /* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G +
  * k2 * P(x, y), where G is the generator (base point) of the group of
@@ -78,7 +80,7 @@
  * be NOT field-encoded. */
 mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1,
                                         const mp_int *k2, const mp_int *px, const mp_int *py,
-                                        mp_int *qx, mp_int *qy);
+                                        mp_int *qx, mp_int *qy, int timing);
 
 /* Validates an EC public key as described in Section 5.2.2 of X9.62.
  * Returns MP_YES if the public key is valid, MP_NO if the public key
--- a/src/share/native/sun/security/ec/impl/ecl_mult.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecl_mult.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -49,7 +49,8 @@
  * are assumed to be NOT field-encoded. */
 mp_err
 ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
-                        const mp_int *py, mp_int *rx, mp_int *ry)
+                        const mp_int *py, mp_int *rx, mp_int *ry,
+                        int timing)
 {
         mp_err res = MP_OKAY;
         mp_int kt;
@@ -74,15 +75,15 @@
                 } else {
                         MP_CHECKOK(group->
                                            point_mul(&kt, &group->genx, &group->geny, rx, ry,
-                                                                 group));
+                                                                 group, timing));
                 }
         } else {
                 if (group->meth->field_enc) {
                         MP_CHECKOK(group->meth->field_enc(px, rx, group->meth));
                         MP_CHECKOK(group->meth->field_enc(py, ry, group->meth));
-                        MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group));
+                        MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group, timing));
                 } else {
-                        MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group));
+                        MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group, timing));
                 }
         }
         if (group->meth->field_dec) {
@@ -104,7 +105,7 @@
 mp_err
 ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
                                  const mp_int *py, mp_int *rx, mp_int *ry,
-                                 const ECGroup *group)
+                                 const ECGroup *group, int timing)
 {
         mp_err res = MP_OKAY;
         mp_int sx, sy;
@@ -116,9 +117,9 @@
 
         /* if some arguments are not defined used ECPoint_mul */
         if (k1 == NULL) {
-                return ECPoint_mul(group, k2, px, py, rx, ry);
+                return ECPoint_mul(group, k2, px, py, rx, ry, timing);
         } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-                return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+                return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
         }
 
         MP_DIGITS(&sx) = 0;
@@ -126,8 +127,8 @@
         MP_CHECKOK(mp_init(&sx, FLAG(k1)));
         MP_CHECKOK(mp_init(&sy, FLAG(k1)));
 
-        MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy));
-        MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry));
+        MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy, timing));
+        MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry, timing));
 
         if (group->meth->field_enc) {
                 MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth));
@@ -159,7 +160,7 @@
 mp_err
 ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
                                         const mp_int *py, mp_int *rx, mp_int *ry,
-                                        const ECGroup *group)
+                                        const ECGroup *group, int timing)
 {
         mp_err res = MP_OKAY;
         mp_int precomp[4][4][2];
@@ -174,9 +175,9 @@
 
         /* if some arguments are not defined used ECPoint_mul */
         if (k1 == NULL) {
-                return ECPoint_mul(group, k2, px, py, rx, ry);
+                return ECPoint_mul(group, k2, px, py, rx, ry, timing);
         } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-                return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+                return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
         }
 
         /* initialize precomputation table */
@@ -308,7 +309,8 @@
  * Input and output values are assumed to be NOT field-encoded. */
 mp_err
 ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
-                         const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry)
+                         const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry,
+                         int timing)
 {
         mp_err res = MP_OKAY;
         mp_int k1t, k2t;
@@ -345,9 +347,9 @@
 
         /* if points_mul is defined, then use it */
         if (group->points_mul) {
-                res = group->points_mul(k1p, k2p, px, py, rx, ry, group);
+                res = group->points_mul(k1p, k2p, px, py, rx, ry, group, timing);
         } else {
-                res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group);
+                res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group, timing);
         }
 
   CLEANUP:
--- a/src/share/native/sun/security/ec/impl/ecp.h	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecp.h	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #ifndef _ECP_H
@@ -122,7 +123,7 @@
 mp_err
  ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
                                         const mp_int *py, mp_int *rx, mp_int *ry,
-                                        const ECGroup *group);
+                                        const ECGroup *group, int timing);
 
 /* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
  * curve points P and R can be identical. Uses mixed Modified-Jacobian
@@ -131,9 +132,13 @@
  * returns output that is still field-encoded. Uses 5-bit window NAF
  * method (algorithm 11) for scalar-point multiplication from Brown,
  * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic
- * Curves Over Prime Fields. */
+ * Curves Over Prime Fields. The implementation includes a countermeasure
+ * that attempts to hide the size of n from timing channels. This counter-
+ * measure is enabled using the timing argument. The high-rder bits of timing
+ * must be uniformly random in order for this countermeasure to work. */
 mp_err
  ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
-                                           mp_int *rx, mp_int *ry, const ECGroup *group);
+                                           mp_int *rx, mp_int *ry, const ECGroup *group,
+                                           int timing);
 
 #endif /* _ECP_H */
--- a/src/share/native/sun/security/ec/impl/ecp_aff.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecp_aff.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
  *   Nils Larsch <nla@trustcenter.de>, and
  *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "ecp.h"
@@ -340,7 +341,8 @@
     /* 4: Verify that the order of the curve times the publicValue
      *    is the point at infinity.
      */
-        MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+        /* timing mitigation is not supported */
+        MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
         if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
                 res = MP_NO;
                 goto CLEANUP;
--- a/src/share/native/sun/security/ec/impl/ecp_jac.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecp_jac.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
  *   Nils Larsch <nla@trustcenter.de>, and
  *   Lenka Fibikova <fibikova@exp-math.uni-essen.de>, the OpenSSL Project
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "ecp.h"
@@ -180,6 +181,15 @@
         MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
         MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
 
+        /*
+         * Additional checks for point equality and point at infinity
+         */
+        if (mp_cmp(px, &A) == 0 && mp_cmp(py, &B) == 0) {
+            /* POINT_DOUBLE(P) */
+            MP_CHECKOK(ec_GFp_pt_dbl_jac(px, py, pz, rx, ry, rz, group));
+            goto CLEANUP;
+        }
+
         /* C = A - px, D = B - py */
         MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
         MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
@@ -406,7 +416,7 @@
 mp_err
 ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
                                    const mp_int *py, mp_int *rx, mp_int *ry,
-                                   const ECGroup *group)
+                                   const ECGroup *group, int timing)
 {
         mp_err res = MP_OKAY;
         mp_int precomp[4][4][2];
@@ -430,9 +440,9 @@
 
         /* if some arguments are not defined used ECPoint_mul */
         if (k1 == NULL) {
-                return ECPoint_mul(group, k2, px, py, rx, ry);
+                return ECPoint_mul(group, k2, px, py, rx, ry, timing);
         } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
-                return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+                return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
         }
 
         /* initialize precomputation table */
--- a/src/share/native/sun/security/ec/impl/ecp_jm.c	Thu May 18 14:30:18 2017 -0700
+++ b/src/share/native/sun/security/ec/impl/ecp_jm.c	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
  * Contributor(s):
  *   Stephen Fung <fungstep@hotmail.com>, Sun Microsystems Laboratories
  *
+ * Last Modified Date from the Original Code: May 2017
  *********************************************************************** */
 
 #include "ecp.h"
@@ -165,6 +166,16 @@
         MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth));
         MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth));
 
+        /*
+         * Additional checks for point equality and point at infinity
+         */
+        if (mp_cmp(px, A) == 0 && mp_cmp(py, B) == 0) {
+            /* POINT_DOUBLE(P) */
+            MP_CHECKOK(ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4,
+                                        scratch, group));
+            goto CLEANUP;
+        }
+
         /* C = A - px, D = B - py */
         MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth));
         MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth));
@@ -213,19 +224,23 @@
  * Curves Over Prime Fields. */
 mp_err
 ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
-                                          mp_int *rx, mp_int *ry, const ECGroup *group)
+                                          mp_int *rx, mp_int *ry, const ECGroup *group,
+                                          int timing)
 {
         mp_err res = MP_OKAY;
-        mp_int precomp[16][2], rz, tpx, tpy;
-        mp_int raz4;
+        mp_int precomp[16][2], rz, tpx, tpy, tpz;
+        mp_int raz4, tpaz4;
         mp_int scratch[MAX_SCRATCH];
         signed char *naf = NULL;
         int i, orderBitSize;
+        int numDoubles, numAdds, extraDoubles, extraAdds;
 
         MP_DIGITS(&rz) = 0;
         MP_DIGITS(&raz4) = 0;
         MP_DIGITS(&tpx) = 0;
         MP_DIGITS(&tpy) = 0;
+        MP_DIGITS(&tpz) = 0;
+        MP_DIGITS(&tpaz4) = 0;
         for (i = 0; i < 16; i++) {
                 MP_DIGITS(&precomp[i][0]) = 0;
                 MP_DIGITS(&precomp[i][1]) = 0;
@@ -239,7 +254,9 @@
 
         /* initialize precomputation table */
         MP_CHECKOK(mp_init(&tpx, FLAG(n)));
-        MP_CHECKOK(mp_init(&tpy, FLAG(n)));;
+        MP_CHECKOK(mp_init(&tpy, FLAG(n)));
+        MP_CHECKOK(mp_init(&tpz, FLAG(n)));
+        MP_CHECKOK(mp_init(&tpaz4, FLAG(n)));
         MP_CHECKOK(mp_init(&rz, FLAG(n)));
         MP_CHECKOK(mp_init(&raz4, FLAG(n)));
 
@@ -295,19 +312,64 @@
         /* Compute 5NAF */
         ec_compute_wNAF(naf, orderBitSize, n, 5);
 
+        numAdds = 0;
+        numDoubles = orderBitSize;
         /* wNAF method */
         for (i = orderBitSize; i >= 0; i--) {
+
+                if (ec_GFp_pt_is_inf_jac(rx, ry, &rz) == MP_YES) {
+                  numDoubles--;
+                }
+
                 /* R = 2R */
                 ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz,
                                              &raz4, scratch, group);
+
                 if (naf[i] != 0) {
                         ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
                                                                  &precomp[(naf[i] + 15) / 2][0],
                                                                  &precomp[(naf[i] + 15) / 2][1], rx, ry,
                                                                  &rz, &raz4, scratch, group);
+                        numAdds++;
                 }
         }
 
+        /* extra operations to make timing less dependent on secrets */
+        if (timing) {
+                /* low-order bit of timing argument contains no entropy */
+                timing >>= 1;
+
+                MP_CHECKOK(ec_GFp_pt_set_inf_jac(&tpx, &tpy, &tpz));
+                mp_zero(&tpaz4);
+
+                /* Set the temp value to a non-infinite point */
+                ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+                                                                 &precomp[8][0],
+                                                                 &precomp[8][1], &tpx, &tpy,
+                                                                 &tpz, &tpaz4, scratch, group);
+
+                /* two bits of extra adds */
+                extraAdds = timing & 0x3;
+                timing >>= 2;
+                /* Window size is 5, so the maximum number of additions is ceil(orderBitSize/5) */
+                /* This is the same as (orderBitSize + 4) / 5 */
+                for(i = numAdds; i <= (orderBitSize + 4) / 5 + extraAdds; i++) {
+                        ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+                                                                 &precomp[9 + (i % 3)][0],
+                                                                 &precomp[9 + (i % 3)][1], &tpx, &tpy,
+                                                                 &tpz, &tpaz4, scratch, group);
+                }
+
+                /* two bits of extra doubles */
+                extraDoubles = timing & 0x3;
+                timing >>= 2;
+                for(i = numDoubles; i <= orderBitSize + extraDoubles; i++) {
+                        ec_GFp_pt_dbl_jm(&tpx, &tpy, &tpz, &tpaz4, &tpx, &tpy, &tpz,
+                                             &tpaz4, scratch, group);
+                }
+
+        }
+
         /* convert result S to affine coordinates */
         MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
 
@@ -321,6 +383,8 @@
         }
         mp_clear(&tpx);
         mp_clear(&tpy);
+        mp_clear(&tpz);
+        mp_clear(&tpaz4);
         mp_clear(&rz);
         mp_clear(&raz4);
 #ifdef _KERNEL
--- a/src/windows/native/sun/windows/ShellFolder2.cpp	Thu May 18 14:30:18 2017 -0700
+++ b/src/windows/native/sun/windows/ShellFolder2.cpp	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -192,14 +192,19 @@
 static jstring jstringFromSTRRET(JNIEnv* env, LPITEMIDLIST pidl, STRRET* pStrret) {
     switch (pStrret->uType) {
         case STRRET_CSTR :
-            return JNU_NewStringPlatform(env, reinterpret_cast<const char*>(pStrret->cStr));
+            if (pStrret->cStr != NULL) {
+                return JNU_NewStringPlatform(env, reinterpret_cast<const char*>(pStrret->cStr));
+            }
+            break;
         case STRRET_OFFSET :
             // Note : this may need to be WCHAR instead
             return JNU_NewStringPlatform(env,
                                          (CHAR*)pidl + pStrret->uOffset);
         case STRRET_WSTR :
-            return env->NewString(reinterpret_cast<const jchar*>(pStrret->pOleStr),
-                static_cast<jsize>(wcslen(pStrret->pOleStr)));
+            if (pStrret->pOleStr != NULL) {
+                return env->NewString(reinterpret_cast<const jchar*>(pStrret->pOleStr),
+                    static_cast<jsize>(wcslen(pStrret->pOleStr)));
+            }
     }
     return NULL;
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.activation.ActivationSystem;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/*
+ * @test
+ * @bug 8174770
+ * @summary Verify that ActivationSystem rejects non-local access.
+ *    The test is manual because the (non-local) host running rmid must be supplied as a property.
+ * @run main/manual/othervm -Dactivation.host=rmid-host NonLocalActivationTest
+ */
+
+/**
+ * Lookup the ActivationSystem on a different host and invoke its remote interface methods.
+ * They should all throw an exception, non-local access is prohibited.
+ *
+ * This test is a manual test and uses rmid running on a *different* host.
+ * The default port (1098) for the Activation System is ok and expected.
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmid}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmid-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalActivationTest
+{
+    public static void main(String[] args) throws Exception {
+
+        String host = System.getProperty("activation.host");
+        if (host == null || host.isEmpty()) {
+            throw new RuntimeException("Specify host with system property: -Dactivation.host=<host>");
+        }
+
+        // Check if running the test on a local system; it only applies to remote
+        String myHostName = InetAddress.getLocalHost().getHostName();
+        Set<InetAddress> myAddrs = new HashSet<>();
+        InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+        for (InetAddress a : myAddrsArr) {
+            myAddrs.add(a);
+        }
+        Set<InetAddress> hostAddrs = new HashSet<>();
+        InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+        for (InetAddress a : hostAddrsArr) {
+            hostAddrs.add(a);
+        }
+        if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+                || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+            throw new RuntimeException("Error: property 'activation.host' must not be the local host%n");
+        }
+
+        // Locate the registry operated by the ActivationSystem
+        // Test SystemRegistryImpl
+        Registry registry = LocateRegistry.getRegistry(host, ActivationSystem.SYSTEM_PORT);
+        try {
+            // Verify it is an ActivationSystem registry
+            registry.lookup("java.rmi.activation.ActivationSystem");
+        } catch (Exception nf) {
+            throw new RuntimeException("Not a ActivationSystem registry, does not contain java.rmi.activation.ActivationSystem", nf);
+        }
+
+        try {
+            registry.bind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: bind");
+        } catch (Exception e) {
+            assertIsAccessException(e, "Registry.bind");
+        }
+
+        try {
+            registry.rebind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: rebind");
+        } catch (Exception e) {
+            assertIsAccessException(e, "Registry.rebind");
+        }
+
+        try {
+            registry.unbind("foo");
+            throw new RuntimeException("Remote access should not succeed for method: unbind");
+        } catch (Exception e) {
+            assertIsAccessException(e, "Registry.unbind");
+        }
+
+
+        // Locate the ActivationSystem on the specified host and default port.
+        // Test each of the ActivationSystem methods
+        ActivationSystem as = (ActivationSystem) registry.lookup("java.rmi.activation.ActivationSystem");
+
+        // Argument is not material, access check is before arg processing
+
+        try {
+            as.registerGroup(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.getActivationDesc(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.getActivationGroupDesc(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.registerObject(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.unregisterGroup(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.unregisterObject(null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.setActivationDesc(null, null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+
+        try {
+            as.setActivationGroupDesc(null, null);
+        } catch (Exception aex) {
+            assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+        }
+    }
+
+    /**
+     * Check the exception chain for the expected AccessException and message.
+     * @param ex the exception from the remote invocation.
+     */
+    private static void assertIsAccessException(Exception ex, String msg1) {
+        Throwable t = ex;
+        System.out.println();
+        while (!(t instanceof AccessException) && t.getCause() != null) {
+            t = t.getCause();
+        }
+        if (t instanceof AccessException) {
+            String msg = t.getMessage();
+            int asIndex = msg.indexOf(msg1);
+            int disallowIndex = msg.indexOf("disallowed");
+            int nonLocalHostIndex = msg.indexOf("non-local host");
+            if (asIndex < 0 ||
+                    disallowIndex < 0 ||
+                    nonLocalHostIndex < 0 ) {
+                throw new RuntimeException("exception message is malformed", t);
+            }
+            System.out.printf("Found expected AccessException: %s%n", t);
+        } else {
+            throw new RuntimeException("AccessException did not occur", ex);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that Registry rejects non-local access for bind, unbind, rebind.
+ *    The test is manual because the (non-local) host running rmiregistry must be supplied as a property.
+ * @run main/othervm/manual -Dregistry.host=rmi-registry-host NonLocalRegistryTest
+ */
+
+/**
+ * Verify that access checks for Registry.bind(), .rebind(), and .unbind()
+ * are prevented on remote access to the registry.
+ *
+ * This test is a manual test and uses a standard rmiregistry running
+ * on a *different* host.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ *
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmiregistry}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmi-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalRegistryTest {
+
+    public static void main(String[] args) throws Exception {
+
+        String host = System.getProperty("registry.host");
+        if (host == null || host.isEmpty()) {
+            throw new RuntimeException("Specify host with system property: -Dregistry.host=<host>");
+        }
+
+        // Check if running the test on a local system; it only applies to remote
+        String myHostName = InetAddress.getLocalHost().getHostName();
+        Set<InetAddress> myAddrs = new HashSet<>();
+        InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+        for (InetAddress a : myAddrsArr) {
+            myAddrs.add(a);
+        }
+        Set<InetAddress> hostAddrs = new HashSet<>();
+        InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+        for (InetAddress a : hostAddrsArr) {
+            hostAddrs.add(a);
+        }
+        if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+                || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+            throw new RuntimeException("Error: property 'registry.host' must not be the local host%n");
+        }
+
+        Registry registry = LocateRegistry.getRegistry(host, Registry.REGISTRY_PORT);
+
+        try {
+            registry.bind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: bind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+
+        try {
+            registry.rebind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: rebind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+
+        try {
+            registry.unbind("foo");
+            throw new RuntimeException("Remote access should not succeed for method: unbind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+    }
+
+    /**
+     * Check the exception chain for the expected AccessException and message.
+     * @param ex the exception from the remote invocation.
+     */
+    private static void assertIsAccessException(Throwable ex) {
+        Throwable t = ex;
+        while (!(t instanceof AccessException) && t.getCause() != null) {
+            t = t.getCause();
+        }
+        if (t instanceof AccessException) {
+            String msg = t.getMessage();
+            int asIndex = msg.indexOf("Registry");
+            int rrIndex = msg.indexOf("Registry.Registry");     // Obsolete error text
+            int disallowIndex = msg.indexOf("disallowed");
+            int nonLocalHostIndex = msg.indexOf("non-local host");
+            if (asIndex < 0 ||
+                    rrIndex != -1 ||
+                    disallowIndex < 0 ||
+                    nonLocalHostIndex < 0 ) {
+                throw new RuntimeException("exception message is malformed", t);
+            }
+            System.out.printf("Found expected AccessException: %s%n%n", t);
+        } else {
+            throw new RuntimeException("AccessException did not occur when expected", ex);
+        }
+    }
+}
--- a/test/java/rmi/registry/serialFilter/RegistryFilterTest.java	Thu May 18 14:30:18 2017 -0700
+++ b/test/java/rmi/registry/serialFilter/RegistryFilterTest.java	Mon Jun 26 22:23:36 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,24 +21,18 @@
  * questions.
  */
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.ObjectOutputStream;
 import java.io.Serializable;
 
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
+import java.rmi.AlreadyBoundException;
 import java.rmi.MarshalledObject;
 import java.rmi.NotBoundException;
 import java.rmi.Remote;
 import java.rmi.RemoteException;
-import java.rmi.AlreadyBoundException;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
+import java.security.Security;
 import java.util.Objects;
-import java.security.Security;
 
 import org.testng.Assert;
 import org.testng.TestNG;
@@ -57,7 +51,8 @@
  * @summary Test filters for the RMI Registry
  * @run testng/othervm RegistryFilterTest
  * @run testng/othervm
- *        -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass
+ *        -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass;maxdepth=19
+ *        -Dtest.maxdepth=19
  *        RegistryFilterTest
  * @run testng/othervm/policy=security.policy
  *        -Djava.security.properties=${test.src}/java.security-extra1
@@ -68,6 +63,8 @@
     private static int port;
     private static Registry registry;
 
+    static final int REGISTRY_MAX_DEPTH = 20;
+
     static final int REGISTRY_MAX_ARRAY = 10000;
 
     static final String registryFilter =
@@ -125,7 +122,7 @@
 
 
     /*
-     * Test registry rejects an object with the max array size  + 1.
+     * Test registry rejects an object with the max array size + 1.
      */
     @Test(dataProvider="bindData")
     public void simpleBind(String name, Remote obj, boolean blacklisted) throws RemoteException, AlreadyBoundException, NotBoundException {
@@ -139,9 +136,9 @@
     }
 
     /*
-    * Test registry rejects an object with a well known class
-    * if blacklisted in the security properties.
-    */
+     * Test registry rejects an object with a well known class
+     * if blacklisted in the security properties.
+     */
     @Test
     public void simpleRejectableClass() throws RemoteException, AlreadyBoundException, NotBoundException {
         RejectableClass r1 = null;
@@ -150,9 +147,46 @@
             r1 = new RejectableClass();
             registry.bind(name, r1);
             registry.unbind(name);
-            Assert.assertNull(registryFilter, "Registry filter should not have rejected");
+            Assert.assertNull(registryFilter, "Registry filter should have rejected");
         } catch (Exception rex) {
-            Assert.assertNotNull(registryFilter, "Registry filter should have rejected");
+            Assert.assertNotNull(registryFilter, "Registry filter should not have rejected");
+        }
+    }
+
+    /*
+     * Test registry does not reject an object with depth at the built-in limit.
+     */
+    @Test
+    public void simpleDepthBuiltinNonRejectable() throws RemoteException, AlreadyBoundException, NotBoundException {
+        int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH);
+        depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH);
+        System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter);
+        try {
+            String name = "reject2";
+            DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride);
+            registry.bind(name, r1);
+            registry.unbind(name);
+        } catch (Exception rex) {
+            Assert.fail("Registry filter should not have rejected depth: "
+                            + depthOverride);
+        }
+    }
+
+    /*
+     * Test registry rejects an object with depth at the limit + 1.
+     */
+    @Test
+    public void simpleDepthRejectable() throws RemoteException, AlreadyBoundException, NotBoundException {
+        int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH);
+        depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH);
+        System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter);
+        try {
+            String name = "reject3";
+            DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride + 1);
+            registry.bind(name, r1);
+            Assert.fail("Registry filter should have rejected depth: " + depthOverride + 1);
+        } catch (Exception rex) {
+            // Rejection expected
         }
     }
 
@@ -173,6 +207,7 @@
             return super.toString() + "//" + Objects.toString(obj);
         }
     }
+
     /**
      * A simple Serializable Remote object that is passed by value.
      * It and its contents are checked by the Registry serial filter.
@@ -183,4 +218,25 @@
         RejectableClass() {}
     }
 
+    /**
+     * A simple Serializable Remote object that is passed by value.
+     * It and its contents are checked by the Registry serial filter.
+     */
+    static class DepthRejectableClass implements Serializable, Remote {
+        private static final long serialVersionUID = 362498820763181264L;
+        private final DepthRejectableClass next;
+
+        private DepthRejectableClass(DepthRejectableClass next) {
+            this.next = next;
+        }
+
+        static DepthRejectableClass create(int depth) {
+            DepthRejectableClass next = new DepthRejectableClass(null);
+            for (int i = 1; i < depth; i++) {
+                next = new DepthRejectableClass(next);
+            }
+            return next;
+        }
+    }
+
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.NotBoundException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that JMX Registry rejects non-local access for bind, unbind, rebind.
+ *    The test is manual because the (non-local) host and port running JMX must be supplied as properties.
+ * @run main/othervm/manual -Djmx-registry.host=jmx-registry-host -Djmx-registry.port=jmx-registry-port NonLocalJMXRemoteTest
+ */
+
+/**
+ * Verify that access checks for the Registry exported by JMX Registry.bind(),
+ * .rebind(), and .unbind() are prevented on remote access to the registry.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ * This tests the SingleEntryRegistry implemented by JMX.
+ * This test is a manual test and uses JMX running on a *different* host.
+ * JMX can be enabled in any Java runtime; for example:
+ * login or ssh to the different host and invoke rmiregistry with arguments below.
+ * It will not show any output.
+ * {@code $JDK_HOME/bin/rmiregistry \
+ *         -J-Dcom.sun.management.jmxremote.port=8888 \
+ *         -J-Dcom.sun.management.jmxremote.local.only=false \
+ *         -J-Dcom.sun.management.jmxremote.ssl=false \
+ *         -J-Dcom.sun.management.jmxremote.authenticate=false
+ * }
+ * On the first host modify the @run command above to replace "jmx-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalJMXRemoteTest {
+
+    public static void main(String[] args) throws Exception {
+
+        String host = System.getProperty("jmx-registry.host");
+        if (host == null || host.isEmpty()) {
+            throw new RuntimeException("Specify host with system property: -Djmx-registry.host=<host>");
+        }
+        int port = Integer.getInteger("jmx-registry.port", -1);
+        if (port <= 0) {
+            throw new RuntimeException("Specify port with system property: -Djmx-registry.port=<port>");
+        }
+
+        // Check if running the test on a local system; it only applies to remote
+        String myHostName = InetAddress.getLocalHost().getHostName();
+        Set<InetAddress> myAddrs = new HashSet<>();
+        InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+        for (InetAddress a : myAddrsArr) {
+            myAddrs.add(a);
+        }
+        Set<InetAddress> hostAddrs = new HashSet<>();
+        InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+        for (InetAddress a : hostAddrsArr) {
+            hostAddrs.add(a);
+        }
+        if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+                || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+            throw new RuntimeException("Error: property 'jmx-registry.host' must not be the local host%n");
+        }
+
+        Registry registry = LocateRegistry.getRegistry(host, port);
+        try {
+            // Verify it is a JMX Registry
+            registry.lookup("jmxrmi");
+        } catch (NotBoundException nf) {
+            throw new RuntimeException("Not a JMX registry, jmxrmi is not bound", nf);
+        }
+
+        try {
+            registry.bind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: bind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+
+        try {
+            registry.rebind("foo", null);
+            throw new RuntimeException("Remote access should not succeed for method: rebind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+
+        try {
+            registry.unbind("foo");
+            throw new RuntimeException("Remote access should not succeed for method: unbind");
+        } catch (Exception e) {
+            assertIsAccessException(e);
+        }
+    }
+
+    /**
+     * Check the exception chain for the expected AccessException and message.
+     * @param ex the exception from the remote invocation.
+     */
+    private static void assertIsAccessException(Throwable ex) {
+        Throwable t = ex;
+        while (!(t instanceof AccessException) && t.getCause() != null) {
+            t = t.getCause();
+        }
+        if (t instanceof AccessException) {
+            String msg = t.getMessage();
+            int asIndex = msg.indexOf("Registry");
+            int disallowIndex = msg.indexOf("disallowed");
+            int nonLocalHostIndex = msg.indexOf("non-local host");
+            if (asIndex < 0 ||
+                    disallowIndex < 0 ||
+                    nonLocalHostIndex < 0 ) {
+                throw new RuntimeException("exception message is malformed", t);
+            }
+            System.out.printf("Found expected AccessException: %s%n%n", t);
+        } else {
+            throw new RuntimeException("AccessException did not occur when expected", ex);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/javax/swing/JFileChooser/GodMode/JFileChooserTest.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8179014
+ * @requires (os.family == "Windows")
+ * @summary Check if JFileChooser crashes with GodMode Directory.
+ * @run main/manual JFileChooserTest
+ */
+import java.awt.Color;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.util.concurrent.CountDownLatch;
+import javax.swing.JPanel;
+import javax.swing.JTextArea;
+import javax.swing.SwingUtilities;
+import javax.swing.JButton;
+import javax.swing.JFrame;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.concurrent.TimeUnit;
+import javax.swing.JFileChooser;
+import javax.swing.UIManager;
+
+public class JFileChooserTest {
+
+    public static void main(String args[]) throws Exception {
+        final CountDownLatch latch = new CountDownLatch(1);
+        TestUI test = new TestUI(latch);
+        SwingUtilities.invokeAndWait(() -> {
+            try {
+                test.createUI();
+            } catch (Exception ex) {
+                throw new RuntimeException("Exception while creating UI");
+            }
+        });
+
+        boolean status = latch.await(5, TimeUnit.MINUTES);
+
+        if (!status) {
+            System.out.println("Test timed out.");
+        }
+
+        SwingUtilities.invokeAndWait(() -> {
+            try {
+                test.disposeUI();
+            } catch (Exception ex) {
+                throw new RuntimeException("Exception while disposing UI");
+            }
+        });
+
+        if (test.testResult == false) {
+            throw new RuntimeException("Test Failed.");
+        }
+    }
+}
+
+class TestUI {
+
+    private static JFrame mainFrame;
+    private static JPanel mainControlPanel;
+
+    private static JTextArea instructionTextArea;
+
+    private static JPanel resultButtonPanel;
+    private static JButton passButton;
+    private static JButton failButton;
+
+    private static GridBagLayout layout;
+    private final CountDownLatch latch;
+    public boolean testResult = false;
+
+    public TestUI(CountDownLatch latch) throws Exception {
+        this.latch = latch;
+    }
+
+    public final void createUI() throws Exception {
+        UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());
+        mainFrame = new JFrame("JFileChooserTest");
+
+        layout = new GridBagLayout();
+        mainControlPanel = new JPanel(layout);
+        resultButtonPanel = new JPanel(layout);
+
+        GridBagConstraints gbc = new GridBagConstraints();
+
+        // Create Test instructions
+        String instructions
+                = "INSTRUCTIONS:"
+                + "\n 1. Create a new folder on the desktop."
+                + "\n 2. Rename the folder exactly as given below: "
+                + "\n    GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} "
+                + "\n 3. Click on Launch Button. "
+                + "\n    Check if JFileChooser is launched successfully. "
+                + "\n    If yes, close the JFileChooser and click Pass, "
+                + "\n    else Fail. "
+                + "\n 4. Delete the GodMode folder.";
+
+        instructionTextArea = new JTextArea();
+        instructionTextArea.setText(instructions);
+        instructionTextArea.setEnabled(false);
+        instructionTextArea.setDisabledTextColor(Color.black);
+        instructionTextArea.setBackground(Color.white);
+
+        gbc.gridx = 0;
+        gbc.gridy = 0;
+        gbc.fill = GridBagConstraints.HORIZONTAL;
+        mainControlPanel.add(instructionTextArea, gbc);
+        JButton launchButton = new JButton("Launch");
+        launchButton.setActionCommand("Launch");
+        launchButton.addActionListener((ActionEvent e) -> {
+            JFileChooser fileChooser = new JFileChooser();
+            fileChooser.showOpenDialog(null);
+        }
+        );
+
+        gbc.gridx = 0;
+        gbc.gridy = 1;
+        mainControlPanel.add(launchButton, gbc);
+
+        passButton = new JButton("Pass");
+        passButton.setActionCommand("Pass");
+        passButton.addActionListener((ActionEvent e) -> {
+            testResult = true;
+            mainFrame.dispose();
+            latch.countDown();
+
+        });
+        failButton = new JButton("Fail");
+        failButton.setActionCommand("Fail");
+        failButton.addActionListener(new ActionListener() {
+            @Override
+            public void actionPerformed(ActionEvent e) {
+                testResult = false;
+                mainFrame.dispose();
+                latch.countDown();
+            }
+        });
+        gbc.gridx = 0;
+        gbc.gridy = 0;
+        resultButtonPanel.add(passButton, gbc);
+        gbc.gridx = 1;
+        gbc.gridy = 0;
+        resultButtonPanel.add(failButton, gbc);
+
+        gbc.gridx = 0;
+        gbc.gridy = 2;
+        mainControlPanel.add(resultButtonPanel, gbc);
+
+        mainFrame.add(mainControlPanel);
+        mainFrame.pack();
+        mainFrame.setVisible(true);
+    }
+
+    public void disposeUI() {
+        mainFrame.setVisible(false);
+        mainFrame.dispose();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEClient.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/*
+ * A SSL socket client.
+ */
+public class JSSEClient {
+
+    public static void main(String[] args) throws Exception {
+        System.out.println("Client: arguments=" + String.join("; ", args));
+
+        int port = Integer.valueOf(args[0]);
+        String[] trustNames = args[1].split(TLSRestrictions.DELIMITER);
+        String[] certNames = args[2].split(TLSRestrictions.DELIMITER);
+        String constraint = args[3];
+
+        TLSRestrictions.setConstraint("Client", constraint);
+
+        SSLContext context = TLSRestrictions.createSSLContext(
+                trustNames, certNames);
+        SSLSocketFactory socketFactory = context.getSocketFactory();
+        try (SSLSocket socket = (SSLSocket) socketFactory.createSocket()) {
+            socket.connect(new InetSocketAddress("localhost", port),
+                    TLSRestrictions.TIMEOUT);
+            socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+            System.out.println("Client: connected");
+
+            InputStream sslIS = socket.getInputStream();
+            OutputStream sslOS = socket.getOutputStream();
+            sslOS.write('C');
+            sslOS.flush();
+            sslIS.read();
+            System.out.println("Client: finished");
+        } catch (Exception e) {
+            throw new RuntimeException("Client: failed.", e);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEServer.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+
+/*
+ * A SSL socket server.
+ */
+public class JSSEServer {
+
+    private SSLServerSocket server = null;
+
+    private Exception exception = null;
+
+    public JSSEServer(SSLContext context,
+            boolean needClientAuth) throws Exception {
+        SSLServerSocketFactory serverFactory = context.getServerSocketFactory();
+        server = (SSLServerSocket) serverFactory.createServerSocket(0);
+        server.setSoTimeout(TLSRestrictions.TIMEOUT);
+        server.setNeedClientAuth(needClientAuth); // for dual authentication
+        System.out.println("Server: port=" + getPort());
+    }
+
+    public void start() {
+        new Thread(new Runnable() {
+
+            @Override
+            public void run() {
+                try {
+                    System.out.println("Server: started");
+                    try (SSLSocket socket = (SSLSocket) server.accept()) {
+                        socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+                        InputStream sslIS = socket.getInputStream();
+                        OutputStream sslOS = socket.getOutputStream();
+                        sslIS.read();
+                        sslOS.write('S');
+                        sslOS.flush();
+                        System.out.println("Server: finished");
+                    }
+                } catch (Exception e) {
+                    e.printStackTrace(System.out);
+                    exception = e;
+                }
+            }
+        }).start();
+    }
+
+    public int getPort() {
+        return server.getLocalPort();
+    }
+
+    public Exception getException() {
+        return exception;
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,541 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.SocketTimeoutException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.stream.Collectors;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManagerFactory;
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+
+/*
+ * @test
+ * @summary Verify the restrictions for certificate path on JSSE with custom trust store.
+ * @library /lib/testlibrary
+ * @compile JSSEClient.java
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions DEFAULT
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C9
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S9
+ */
+public class TLSRestrictions {
+
+    private static final String TEST_CLASSES = System.getProperty("test.classes");
+    private static final char[] PASSWORD = "".toCharArray();
+    private static final String CERT_DIR = System.getProperty("cert.dir",
+            System.getProperty("test.src") + "/certs");
+
+    static final String PROP = "jdk.certpath.disabledAlgorithms";
+    static final String NOSHA1 = "MD2, MD5";
+    private static final String TLSSERVER = "SHA1 usage TLSServer";
+    private static final String TLSCLIENT = "SHA1 usage TLSClient";
+    static final String JDKCATLSSERVER = "SHA1 jdkCA & usage TLSServer";
+    static final String JDKCATLSCLIENT = "SHA1 jdkCA & usage TLSClient";
+
+    // This is a space holder in command arguments, and stands for none certificate.
+    static final String NONE_CERT = "NONE_CERT";
+
+    static final String DELIMITER = ",";
+    static final int TIMEOUT = 30000;
+
+    // It checks if java.security contains constraint "SHA1 jdkCA & usage TLSServer"
+    // for jdk.certpath.disabledAlgorithms by default.
+    private static void checkDefaultConstraint() {
+        System.out.println(
+                "Case: Checks the default value of jdk.certpath.disabledAlgorithms");
+        if (!Security.getProperty(PROP).contains(JDKCATLSSERVER)) {
+            throw new RuntimeException(String.format(
+                    "%s doesn't contain constraint \"%s\", the real value is \"%s\".",
+                    PROP, JDKCATLSSERVER, Security.getProperty(PROP)));
+        }
+    }
+
+    /*
+     * This method creates trust store and key store with specified certificates
+     * respectively. And then it creates SSL context with the stores.
+     * If trustNames contains NONE_CERT only, it does not create a custom trust
+     * store, but the default one in JDK.
+     *
+     * @param trustNames Trust anchors, which are used to create custom trust store.
+     *                   If null, no custom trust store is created and the default
+     *                   trust store in JDK is used.
+     * @param certNames Certificate chain, which is used to create key store.
+     *                  It cannot be null.
+     */
+    static SSLContext createSSLContext(String[] trustNames,
+            String[] certNames) throws Exception {
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+
+        TrustManagerFactory tmf = null;
+        if (trustNames != null && trustNames.length > 0
+                && !trustNames[0].equals(NONE_CERT)) {
+            KeyStore trustStore = KeyStore.getInstance("JKS");
+            trustStore.load(null, null);
+            for (int i = 0; i < trustNames.length; i++) {
+                try (InputStream is = new ByteArrayInputStream(
+                        loadCert(trustNames[i]).getBytes())) {
+                    Certificate trustCert = certFactory.generateCertificate(is);
+                    trustStore.setCertificateEntry("trustCert-" + i, trustCert);
+                }
+            }
+
+            tmf = TrustManagerFactory.getInstance("PKIX");
+            tmf.init(trustStore);
+        }
+
+        Certificate[] certChain = new Certificate[certNames.length];
+        for (int i = 0; i < certNames.length; i++) {
+            try (InputStream is = new ByteArrayInputStream(
+                    loadCert(certNames[i]).getBytes())) {
+                Certificate cert = certFactory.generateCertificate(is);
+                certChain[i] = cert;
+            }
+        }
+
+        PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(
+                Base64.getMimeDecoder().decode(loadPrivKey(certNames[0])));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PrivateKey privKey = keyFactory.generatePrivate(privKeySpec);
+
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null, null);
+        keyStore.setKeyEntry("keyCert", privKey, PASSWORD, certChain);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
+        kmf.init(keyStore, PASSWORD);
+
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(kmf.getKeyManagers(),
+                tmf == null ? null : tmf.getTrustManagers(), null);
+        return context;
+    }
+
+    /*
+     * This method sets jdk.certpath.disabledAlgorithms, and then retrieves
+     * and prints its value.
+     */
+    static void setConstraint(String side, String constraint) {
+        System.out.printf("%s: Old %s=%s%n", side, PROP,
+                Security.getProperty(PROP));
+        Security.setProperty(PROP, constraint);
+        System.out.printf("%s: New %s=%s%n", side, PROP,
+                Security.getProperty(PROP));
+    }
+
+    /*
+     * This method is used to run a variety of cases.
+     * It launches a server, and then takes a client to connect the server.
+     * Both of server and client use the same certificates.
+     *
+     * @param trustNames Trust anchors, which are used to create custom trust store.
+     *                   If null, the default trust store in JDK is used.
+     * @param certNames Certificate chain, which is used to create key store.
+     *                  It cannot be null. The first certificate is regarded as
+     *                  the end entity.
+     * @param serverConstraint jdk.certpath.disabledAlgorithms value on server side.
+     * @param clientConstraint jdk.certpath.disabledAlgorithms value on client side.
+     * @param needClientAuth If true, server side acquires client authentication;
+     *                       otherwise, false.
+     * @param pass If true, the connection should be blocked; otherwise, false.
+     */
+    static void testConstraint(String[] trustNames, String[] certNames,
+            String serverConstraint, String clientConstraint,
+            boolean needClientAuth, boolean pass) throws Throwable {
+        String trustNameStr = trustNames == null ? ""
+                : String.join(DELIMITER, trustNames);
+        String certNameStr = certNames == null ? ""
+                : String.join(DELIMITER, certNames);
+
+        System.out.printf("Case:%n"
+                + "  trustNames=%s; certNames=%s%n"
+                + "  serverConstraint=%s; clientConstraint=%s%n"
+                + "  needClientAuth=%s%n"
+                + "  pass=%s%n%n",
+                trustNameStr, certNameStr,
+                serverConstraint, clientConstraint,
+                needClientAuth,
+                pass);
+        setConstraint("Server", serverConstraint);
+        JSSEServer server = new JSSEServer(
+                createSSLContext(trustNames, certNames),
+                needClientAuth);
+        int port = server.getPort();
+        server.start();
+
+        // Run client on another JVM so that its properties cannot be in conflict
+        // with server's.
+        OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJvm(
+                "-Dcert.dir=" + CERT_DIR,
+                "-Djava.security.debug=certpath",
+                "-classpath",
+                TEST_CLASSES,
+                "JSSEClient",
+                port + "",
+                trustNameStr,
+                certNameStr,
+                clientConstraint);
+        int exitValue = outputAnalyzer.getExitValue();
+        String clientOut = outputAnalyzer.getOutput();
+
+        Exception serverException = server.getException();
+        if (serverException != null) {
+            System.out.println("Server: failed");
+        }
+
+        System.out.println("---------- Client output start ----------");
+        System.out.println(clientOut);
+        System.out.println("---------- Client output end ----------");
+
+        if (serverException instanceof SocketTimeoutException
+                || clientOut.contains("SocketTimeoutException")) {
+            System.out.println("The communication gets timeout and skips the test.");
+            return;
+        }
+
+        if (pass) {
+            if (serverException != null || exitValue != 0) {
+                throw new RuntimeException(
+                        "Unexpected failure. Operation was blocked.");
+            }
+        } else {
+            if (serverException == null && exitValue == 0) {
+                throw new RuntimeException(
+                        "Unexpected pass. Operation was allowed.");
+            }
+
+            // The test may encounter non-SSL issues, like network problem.
+            if (!(serverException instanceof SSLHandshakeException
+                    || clientOut.contains("SSLHandshakeException"))) {
+                throw new RuntimeException("Failure with unexpected exception.");
+            }
+        }
+    }
+
+    /*
+     * This method is used to run a variety of cases, which don't require client
+     * authentication by default.
+     */
+    static void testConstraint(String[] trustNames, String[] certNames,
+            String serverConstraint, String clientConstraint, boolean pass)
+            throws Throwable {
+        testConstraint(trustNames, certNames, serverConstraint, clientConstraint,
+                false, pass);
+    }
+
+    public static void main(String[] args) throws Throwable {
+        switch (args[0]) {
+        // Case DEFAULT only checks one of default settings for
+        // jdk.certpath.disabledAlgorithms in JDK/conf/security/java.security.
+        case "DEFAULT":
+            checkDefaultConstraint();
+            break;
+
+        // Cases C1 and S1 use SHA256 root CA in trust store,
+        // and use SHA256 end entity in key store.
+        // C1 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S1 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C1":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S1":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C2 and S2 use SHA256 root CA in trust store,
+        // and use SHA1 end entity in key store.
+        // C2 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S2 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C2":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S2":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C3 and S3 use SHA1 root CA in trust store,
+        // and use SHA1 end entity in key store.
+        // C3 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S3 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C3":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S3":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C4 and S4 use SHA1 root CA as trust store,
+        // and use SHA256 end entity in key store.
+        // C4 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S4 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C4":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S4":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C5 and S5 use SHA1 root CA in trust store,
+        // and use SHA256 intermediate CA and SHA256 end entity in key store.
+        // C5 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S5 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C5":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+                            "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S5":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+                            "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C6 and S6 use SHA1 root CA as trust store,
+        // and use SHA1 intermediate CA and SHA256 end entity in key store.
+        // C6 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S6 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C6":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+                            "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S6":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+                            "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C7 and S7 use SHA256 root CA in trust store,
+        // and use SHA256 intermediate CA and SHA1 end entity in key store.
+        // C7 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S7 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C7":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+                            "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S7":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+                            "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C8 and S8 use SHA256 root CA in trust store,
+        // and use SHA1 intermediate CA and SHA256 end entity in key store.
+        // C8 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S8 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C8":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S8":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C9 and S9 use SHA256 root CA and SHA1 intermediate CA in trust store,
+        // and use SHA256 end entity in key store.
+        // C9 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S9 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C9":
+            testConstraint(
+                    new String[] {
+                            "ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S9":
+            testConstraint(
+                    new String[] {
+                            "ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+        }
+
+        System.out.println("Case passed");
+        System.out.println("========================================");
+    }
+
+    private static String loadCert(String certName) {
+        try {
+            Path certFilePath = Paths.get(CERT_DIR, certName + ".cer");
+            return String.join("\n",
+                    Files.lines(certFilePath).filter((String line) -> {
+                        return !line.startsWith("Certificate")
+                                && !line.startsWith(" ");
+                    }).collect(Collectors.toList()));
+        } catch (IOException e) {
+            throw new RuntimeException("Load certificate failed", e);
+        }
+    }
+
+    private static String loadPrivKey(String certName) {
+        Path priveKeyFilePath = Paths.get(CERT_DIR, certName + "-PRIV.key");
+        try {
+            return new String(Files.readAllBytes(priveKeyFilePath));
+        } catch (IOException e) {
+            throw new RuntimeException("Load private key failed", e);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYQDZxHxNJV8dQ
+I6mfJjuIZxAe5CX9GCrS3Fajh5DXIQwdcvQ4s6YdKzwFn+8dUdspdNTnS+bWjfYw
+0iAbsMt6L6ewutaZf6aufh1EBYiwNOvN8C8Cx0iiE8NiBo833AYWHKhDC4qu63QR
+dYwb9j+Jg8t6p0lQ64sFLDN/RJOcWlaPQbJbSNBKePQR7WOFvdJgFAdQmQjL+ND6
+PSui9QByyXQ+3nfs7ID4paUxYbCrJMh5/AJqaT04DYDEumfmURUn5+ZOIqmqvI2I
+pNXN5gVzL3b8mM2WGr5dpRY5cZ1X//BQ91SNjrKNJlmKFr7nMCfAdzxIW4b/sArv
+eYNE2Vy7AgMBAAECggEBAJNtkopFoiJiKnFypxyiJAG4cwbGu/ZxwX3/uLGPY3S9
+3oJhvxVs+IzEQdHchempSwTAyizS9cuLGfs6bbcConZF0Sa0NXvb/SZ4npQwm6St
+Ci2Xx530JWQ0qPyyB1r65rXguBp8AaXR/8msPqkQ8YOSqKWzea4u96Zhn9g8Koe6
+AD/8FeSzJBDVbJ+C7jKX/7sKsHbYqulzLMQf0lqXFxpGW+5UJaozoQOWXnnmqU3T
+0i4uaGUCXHbQM8eh3fvMFCU4UQMYVS1QOSvZJTnO5bSb8SqeQnCMnQ18ltq4sL43
+qFsEcmAjrlhNoBwslqvfY1bX9NtXyFZ8PuD8OvoFxPkCgYEAxlVfD2qcrAoOcbDe
+Em9hDVPizRuzGuCHi9K2YLDrLVDNd6NF3Pk65JiTsd1fA2AZdi+ljKGEwBhNFOyk
+qwmK2K4sYy7zvyV3Blmwvyo7+OaeexYF8RIw5keGlRsgHTGarzlQAlJu91UmyAmE
+C/99fZbSWo9QndJ0FVR6G3ti71UCgYEAxITBJqVtNFnv4PGdc3FNsYXlRQcSWjs9
+/1lsppLQjC6HMsb6JpxYUF3D4oFiUESKe/9kZzl1H/65Cm2mYq8sj+7lug8P5tz7
+DQa91dFM02r8JLO6TitSuZfbc0XH0K450ntuQlKX581icYSGBUwQHGApespuNVlh
+Mg7CmwNse88CgYAienrhEjaUTdc++nFQoR4tE/UslPEo7fmCXCoqWvc3VIGzl6Ww
+iX8seD3MwOAglRc4DYZpETcjsdXMmmrx9OG3U2gSAfqLszai2vq38N6mIWlRmn2D
+8BaiIbMKvsFxccsjRQJctPnnc10fj0/uSgcFyy9cYOex2AEoKBxmJKgJVQKBgA0c
+HhaJ6qMXbN1AwRQ2dsxk9kqIkjzavuQN/yWNncP8RqCojX+N5oZV+v9dSkW4jNSA
+0R3hw2KDB60ea38h2IMxmLm0z4bDLyxLSta8w7dG59M6+i7EzRv8eXNTMGVHeiwE
+d/KMt/2Kwgp4oMgxrtF1yM6cOoXslINWYL0emVoZAoGAcEKzO8LgPJsIVjRFz3ri
+0AQqiXQzYek2WAXYhlQCvBVn8in3MYcxKhjA3Og3Lym0xvZ+/8SbII9QNaidbgIH
+HDreeJW4KE5EfVnDaYcxwK/9LXZXndIxrpR0YKNSvZT7DuuQtFCoxJcASxb1k9Tc
+5MPT+pyPL+9v2q56ry56qas=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e8:33:78:c7:69:9c:28:c2
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:07 2017 GMT
+            Not After : Mar 28 04:51:07 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:98:40:36:71:1f:13:49:57:c7:50:23:a9:9f:26:
+                    3b:88:67:10:1e:e4:25:fd:18:2a:d2:dc:56:a3:87:
+                    90:d7:21:0c:1d:72:f4:38:b3:a6:1d:2b:3c:05:9f:
+                    ef:1d:51:db:29:74:d4:e7:4b:e6:d6:8d:f6:30:d2:
+                    20:1b:b0:cb:7a:2f:a7:b0:ba:d6:99:7f:a6:ae:7e:
+                    1d:44:05:88:b0:34:eb:cd:f0:2f:02:c7:48:a2:13:
+                    c3:62:06:8f:37:dc:06:16:1c:a8:43:0b:8a:ae:eb:
+                    74:11:75:8c:1b:f6:3f:89:83:cb:7a:a7:49:50:eb:
+                    8b:05:2c:33:7f:44:93:9c:5a:56:8f:41:b2:5b:48:
+                    d0:4a:78:f4:11:ed:63:85:bd:d2:60:14:07:50:99:
+                    08:cb:f8:d0:fa:3d:2b:a2:f5:00:72:c9:74:3e:de:
+                    77:ec:ec:80:f8:a5:a5:31:61:b0:ab:24:c8:79:fc:
+                    02:6a:69:3d:38:0d:80:c4:ba:67:e6:51:15:27:e7:
+                    e6:4e:22:a9:aa:bc:8d:88:a4:d5:cd:e6:05:73:2f:
+                    76:fc:98:cd:96:1a:be:5d:a5:16:39:71:9d:57:ff:
+                    f0:50:f7:54:8d:8e:b2:8d:26:59:8a:16:be:e7:30:
+                    27:c0:77:3c:48:5b:86:ff:b0:0a:ef:79:83:44:d9:
+                    5c:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CC
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         22:63:2a:de:80:70:92:f7:53:e4:7f:ea:01:2b:13:b3:1b:02:
+         2e:10:b4:1d:b7:33:7f:6f:0d:88:46:5a:b8:db:83:95:77:e2:
+         db:da:2e:31:0a:85:c6:9a:75:84:ca:73:5c:be:e3:30:22:7e:
+         bc:60:43:49:7c:69:06:14:4a:89:e4:23:ca:25:99:85:d6:06:
+         16:d5:9e:a8:fd:25:43:88:07:12:0a:7e:de:24:33:71:ab:a4:
+         23:aa:4e:dc:0f:89:ef:a9:09:89:55:a1:1d:ee:48:35:ea:10:
+         42:ff:98:15:2a:e8:5c:46:e0:e4:4f:4c:b9:07:e0:da:08:6f:
+         ce:4a:fe:98:3e:ae:c5:e5:6a:6e:50:0f:2d:39:01:55:ed:59:
+         0b:65:30:54:e8:72:26:ee:9f:cf:3f:ce:6a:20:c8:87:c9:81:
+         bc:f8:b3:ec:77:bb:bc:5b:8c:3f:18:fd:08:76:ad:27:59:fc:
+         b8:74:96:0d:cd:ed:97:91:6b:95:89:3a:f3:78:de:9f:06:a6:
+         ce:36:01:f0:be:ae:d8:d6:c4:3d:51:8a:2a:e0:43:59:8c:b4:
+         eb:63:93:9d:53:72:f8:4b:a3:c7:4a:da:2e:56:33:b6:46:1b:
+         45:a8:23:1b:82:de:6d:4e:e0:18:cf:9b:ba:22:68:8b:8c:de:
+         6f:08:2d:bc
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJAOgzeMdpnCjCMA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEEyNTYwHhcNMTcwMzMwMDQ1MTA3WhcNMjcwMzI4MDQ1MTA3WjB/MQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09y
+ZzENMAsGA1UECwwESmF2YTE3MDUGA1UEAwwuRU5EX0VOVElUWV9TSEExLUlOVEVS
+X0NBX1NIQTI1Ni1ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAJhANnEfE0lXx1AjqZ8mO4hnEB7kJf0YKtLcVqOHkNchDB1y9Diz
+ph0rPAWf7x1R2yl01OdL5taN9jDSIBuwy3ovp7C61pl/pq5+HUQFiLA0683wLwLH
+SKITw2IGjzfcBhYcqEMLiq7rdBF1jBv2P4mDy3qnSVDriwUsM39Ek5xaVo9BsltI
+0Ep49BHtY4W90mAUB1CZCMv40Po9K6L1AHLJdD7ed+zsgPilpTFhsKskyHn8Ampp
+PTgNgMS6Z+ZRFSfn5k4iqaq8jYik1c3mBXMvdvyYzZYavl2lFjlxnVf/8FD3VI2O
+so0mWYoWvucwJ8B3PEhbhv+wCu95g0TZXLsCAwEAAaOBjDCBiTB5BgNVHSMEcjBw
+oWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkx
+DDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9DQV9T
+SEEyNTaCCQCEoXAdCpLTzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB
+AQAiYyregHCS91Pkf+oBKxOzGwIuELQdtzN/bw2IRlq424OVd+Lb2i4xCoXGmnWE
+ynNcvuMwIn68YENJfGkGFEqJ5CPKJZmF1gYW1Z6o/SVDiAcSCn7eJDNxq6Qjqk7c
+D4nvqQmJVaEd7kg16hBC/5gVKuhcRuDkT0y5B+DaCG/OSv6YPq7F5WpuUA8tOQFV
+7VkLZTBU6HIm7p/PP85qIMiHyYG8+LPsd7u8W4w/GP0Idq0nWfy4dJYNze2XkWuV
+iTrzeN6fBqbONgHwvq7Y1sQ9UYoq4ENZjLTrY5OdU3L4S6PHStouVjO2RhtFqCMb
+gt5tTuAYz5u6ImiLjN5vCC28
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaYlKNTU1iQes/
+BtivvM1ixjCk1muM1RdMkJQItZB21y1kM1OLp3EmGKqVqwKbS5OTrMIxjPUwD9Ly
+aRJMvSP1xve7zwmNXOngA8eukmQ2olQU58ble6IAHcj4qg7a38E1ITvDmAswhTzK
+fI4Z6okLCjKfYafnfbi5JA+E6fiArB3zimjne+tiUNYZh2eYspsOOw6cmaLtIbMP
+ZyXy4iP6OCNIikb08Da27zjVn04i1SeUEv1YFmn4B9GWcNLAXyM1LmCNi70+SATp
+aZYRjr/BBR6LNZMBsNKJblWFXK3UtfYFiypyirgQjzPtLb1XsuMhfqMt8QZDh8n3
+YvYTW59xAgMBAAECggEAb4NPdhnoDulsL5XWZf55vhtH0ZQv/Qz+xbj57myQJS8B
+Xa4b1i8dRv/Hc3+MaDIyXHEWBGle9jjOVbwzfP4D88eyzrMMxKOSRTKI72qPQ5qm
+ZrpnxNzZv0d2TQvBZCBnrzKWKu1joVYX0anCghdR/VIqwVoDe+Clx9xTFGLI4yKO
+7v0dkr4Hxn3NT6bTV18V6PoGbUgIsmpNYQPFyUM/IHG2ewDffLP+tm7RsEfKYmcx
+Hr70pmWBpM9hwTAC+uXHuNXnsX4IjEQOXmm4PJ/A/sm2Bad93SPwi15e29MV8YbO
+vvirGLaepa7AUvqoK0DFNCLU6vCeFJ7DUZ/u2P8x8QKBgQDxNOWvy3EV4/P/ocSf
+itMtXZWj4driT4vUGwFZWfr3CVpZVaUmqXYeVdzNGuoWlmXOiOAuOepnlA36FCb5
+aGE4cq/hbdtbr+v6awEj5/A2me/ax1W1z6lD0pg0QJ7KvqFCBzVol5yTiWZKBVE+
+jp2waPfes770AUHczw9KKvEGtQKBgQDnxxiZAxtoNmOaB/NZmPNBKvWDw858+QX2
++u/jEH3pW393tUnipgIoo6yvd6djhJ6/4ViOxdioMIQCBab/xuSB4lfQsrJsWvS9
+uYB794s7CV2r3kUa3ux8wAovW6Fc369nD7JjUPX/Cq3zdlyTDt9LVLRCpZ6Li1xB
+r0ZVlpgPTQKBgQCgKay+X0tW6sdxHfyOp8Lz46liaa1LCuDhVZE+wHXZpXc9zJXe
+JzZMjF0SQGXh27n8O30IlOJmJrRlMw5yG/I6ZkUNXkIDDryVyom2SuOBjhPrZOMv
+15UgeO0h/Sqzm4M+ccTwD4Qjn1+xlPhOnqpsoja8xQPtyAvwz/jqGbtz5QKBgH01
+pSgj8Y5es3fmi6P/aInv9ynzgX0p2fsOnMEBi8Og1j+JBB0YqVni8crozNiKMGhg
+CEM4xk41x1qASzMp8w/ngqEPqCu5BzXnHG3b0K9X4+6Q6KwXeZH6/IWQ7p8Jh+wZ
+IrlcZ0gcMNSxQFmBU0eSvr6yUe/4nSIu2cQq0oKRAoGAUEFd0LxZw50BdCdpJlcQ
++oTbSUYQhAzPF2ybfR6i8IxXoOjVxpvRehlbwXIQV7XEqamXFTmBLIvuAlF1yWoH
+hzxNJuEgPRTPztnHD6LVzvuf2ain+CFZuDrXBT2l8PyF9BNL4/DMRrbgdCxr9F0O
+Ti0VJo1TRE8vVzUfVc9w1RI=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            86:09:85:57:41:bf:86:65
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:06 2017 GMT
+            Not After : Mar 28 04:51:06 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:62:52:8d:4d:4d:62:41:eb:3f:06:d8:af:bc:
+                    cd:62:c6:30:a4:d6:6b:8c:d5:17:4c:90:94:08:b5:
+                    90:76:d7:2d:64:33:53:8b:a7:71:26:18:aa:95:ab:
+                    02:9b:4b:93:93:ac:c2:31:8c:f5:30:0f:d2:f2:69:
+                    12:4c:bd:23:f5:c6:f7:bb:cf:09:8d:5c:e9:e0:03:
+                    c7:ae:92:64:36:a2:54:14:e7:c6:e5:7b:a2:00:1d:
+                    c8:f8:aa:0e:da:df:c1:35:21:3b:c3:98:0b:30:85:
+                    3c:ca:7c:8e:19:ea:89:0b:0a:32:9f:61:a7:e7:7d:
+                    b8:b9:24:0f:84:e9:f8:80:ac:1d:f3:8a:68:e7:7b:
+                    eb:62:50:d6:19:87:67:98:b2:9b:0e:3b:0e:9c:99:
+                    a2:ed:21:b3:0f:67:25:f2:e2:23:fa:38:23:48:8a:
+                    46:f4:f0:36:b6:ef:38:d5:9f:4e:22:d5:27:94:12:
+                    fd:58:16:69:f8:07:d1:96:70:d2:c0:5f:23:35:2e:
+                    60:8d:8b:bd:3e:48:04:e9:69:96:11:8e:bf:c1:05:
+                    1e:8b:35:93:01:b0:d2:89:6e:55:85:5c:ad:d4:b5:
+                    f6:05:8b:2a:72:8a:b8:10:8f:33:ed:2d:bd:57:b2:
+                    e3:21:7e:a3:2d:f1:06:43:87:c9:f7:62:f6:13:5b:
+                    9f:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:8D:A0:D2:8A:EE:0B:CF:65
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         29:b0:10:dc:45:ee:68:77:5f:12:9b:fc:de:eb:70:41:2e:6a:
+         a2:5f:a9:cc:ca:97:24:01:4a:1d:c2:78:52:57:34:9c:83:7f:
+         60:f5:d9:68:a2:32:89:e9:d7:25:71:72:71:e5:76:e3:37:af:
+         41:25:cc:8b:a4:fd:81:ef:6b:15:2b:91:3c:68:a5:25:53:cf:
+         c1:b9:aa:49:b4:cd:e3:3c:a2:8e:38:ea:e8:51:7c:7b:92:41:
+         bd:a3:22:7d:97:59:ad:55:e2:7d:9d:6a:bb:1f:95:84:1c:50:
+         00:e9:6c:74:1d:bb:6c:07:ca:bc:6a:a2:dd:c1:66:37:64:bd:
+         fe:1a:c0:8c:a7:8c:a1:60:b8:c3:d2:5f:92:80:ee:ad:79:29:
+         f2:ad:e2:9f:74:39:bf:3b:a4:b6:25:2a:87:3f:36:49:b9:52:
+         fd:91:33:be:1d:41:a9:76:29:47:6e:c7:db:a8:ab:6e:78:91:
+         c0:13:56:1c:25:41:51:a7:64:4f:07:c0:2a:a8:80:63:8d:98:
+         e0:54:7d:a6:f4:22:6b:70:fa:1c:16:82:f4:07:2e:e1:ba:94:
+         96:ec:c7:9e:8e:0a:24:1e:a4:e9:c0:92:ca:bd:32:98:ef:1f:
+         e1:a6:e6:4d:1f:c5:68:1b:77:d0:e0:35:1a:a9:c9:ee:98:72:
+         7b:c3:e7:51
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJAIYJhVdBv4ZlMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSMwIQYDVQQDDBpJTlRFUl9DQV9TSEExLVJPT1RfQ0Ff
+U0hBMTAeFw0xNzAzMzAwNDUxMDZaFw0yNzAzMjgwNDUxMDZaMH0xCzAJBgNVBAYT
+AlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0w
+CwYDVQQLDARKYXZhMTUwMwYDVQQDDCxFTkRfRU5USVRZX1NIQTI1Ni1JTlRFUl9D
+QV9TSEExLVJPT1RfQ0FfU0hBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANpiUo1NTWJB6z8G2K+8zWLGMKTWa4zVF0yQlAi1kHbXLWQzU4uncSYYqpWr
+AptLk5OswjGM9TAP0vJpEky9I/XG97vPCY1c6eADx66SZDaiVBTnxuV7ogAdyPiq
+DtrfwTUhO8OYCzCFPMp8jhnqiQsKMp9hp+d9uLkkD4Tp+ICsHfOKaOd762JQ1hmH
+Z5iymw47DpyZou0hsw9nJfLiI/o4I0iKRvTwNrbvONWfTiLVJ5QS/VgWafgH0ZZw
+0sBfIzUuYI2LvT5IBOlplhGOv8EFHos1kwGw0oluVYVcrdS19gWLKnKKuBCPM+0t
+vVey4yF+oy3xBkOHyfdi9hNbn3ECAwEAAaOBijCBhzB3BgNVHSMEcDBuoWGkXzBd
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkxDDAKBgNV
+BAoMA09yZzENMAsGA1UECwwESmF2YTEVMBMGA1UEAwwMUk9PVF9DQV9TSEExggkA
+jaDSiu4Lz2UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKbAQ3EXu
+aHdfEpv83utwQS5qol+pzMqXJAFKHcJ4Ulc0nIN/YPXZaKIyienXJXFyceV24zev
+QSXMi6T9ge9rFSuRPGilJVPPwbmqSbTN4zyijjjq6FF8e5JBvaMifZdZrVXifZ1q
+ux+VhBxQAOlsdB27bAfKvGqi3cFmN2S9/hrAjKeMoWC4w9JfkoDurXkp8q3in3Q5
+vzuktiUqhz82SblS/ZEzvh1BqXYpR27H26irbniRwBNWHCVBUadkTwfAKqiAY42Y
+4FR9pvQia3D6HBaC9Acu4bqUluzHno4KJB6k6cCSyr0ymO8f4abmTR/FaBt30OA1
+GqnJ7phye8PnUQ==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaCsiXcNnu7WpV
+t+FarvFhtaRr4RMQbKGhiIHi4aV0vqWmpX/eFde01eQZTZcPGJzEnjJrkyFo3Wbd
+31bjBLpt40kkI7kbODHrA2L+vY/hoCQeXK8+BrGioX9qHOpD7OLI3Esm1+KDiPPK
+w6qr9O9nS/fOID3zly92r+obY2ZuW6jQC0Yah3K9INrSIjH+rHXsmj2U5dCnktfi
+LzRcocvqtQHASYXFXEhWr1TCMnSz7h+l07O5YgYpmhwkRIPCkcdP+9wGhO2eOJYU
+kfaBteodDh7vHj2F+A6Lheosa4mi/nysyhQJl8uBFw97dqab9ul5Tb03iHmaY/q0
+xJKcEohnAgMBAAECggEBAJsa6K6yHJWWVfo8IBb+M7+qExiat5ELdb8O+DaJBcYS
+iIwPVvKI3zVIokZNp5OZkotbbcqQk0ehl7dlVM2RY30gHbuTne36/6eKdTV5a4y4
++niOviqFYH+sGpNFlnBTZtAzxVIQaJXhKmum3RYN2u/EXrdGwEsz1RO89/AbuZXu
+VdtEKkjPHXrIjnBkiT4271sm3OiPwOe6g0NKBMJ4InTyB+YtpgxlXtF+vv5cv6Vt
+ayT3sNsdsD8HLrenMmwv/k7nTYgNbhaJX2YCs9W7ZEscU2th6F7Cx6Z0z9h1SElC
++OKKhU6HnG/pWFMfWu80ZNjb3NTpXzTv4CLKjEYvz6ECgYEA8qEe+Ga7+XD0XwPB
+bFjoKmhOQhv0VCIiu9RgvIxQn5DuGX4H2hO1GP8LYOQZBm25nICIa+DyDZEaFGgL
+QgfPI4boK/rdV8syFTUNfw1Wq+W/pHhqzgUGHAnzRpX8jBQa9of14O+B7//ZFdGj
+5nt0qFTOAgNGslXMvSicKD/g0mMCgYEA5g7MpMmZI8zPf/PKLBkrQegdX2TBBiI5
+3KzvQuA29tEFdVwUIuhkgQkmy1u9Ujw0jZZ8NVBOsqfg7e7XkVr6/OF+MVWBjWl3
+Jn3DMCHl/HCLIZ4ZOM6/ydIMpBX6Ii53nvpO6vxRaOUg2T2gVHadVjjQAN9Oj68r
+TKUHfs4rTy0CgYB/g5QuQnfqKaYUxXmDQtqJZxYyAlUPXn1Yr85DaY75vYaVGTpx
+L0hPIcNOIbLRQRt6l8aaw7cS0D6fmOrJwibn6f/dFVP8zwq8QIyeSFlTsERe4PZo
+3hUO6V/UqgD3cZ2WEXB0zgtBIfpqUCpOeHWf/inivuwJz7PxegVP1fqHNwKBgA0p
+CZHfqm/+1lvmcUlGg0/43D1JwTT9nju+dM1pkBtcZ6iIBOreSmmLQXnenJzorsTu
+t9pA5s+XhOl3gUNiZfszVwmxb4DMaLF9/j1xovtm4L6ikaTLRvNfnbOBQlbUO6mP
+fhY5KtsKSG/E87gBNQzqoRN7sr3Lcnmm8x/Q4W9dAoGAITDcOI7UgPcnKMO8JUI5
+96Po3c/S7nBilVZRFOwjn0z6jrjzNTd+1IqkzIKBWfs5WlRkzXI6LPJVghwPUqUa
+q2C/3hQATD3FchEIohLfd8bj/wObaZNlKJB59a1RjxRZxuVQl3jvovvpn/hdXuJB
+nGIx7MryEG/yRpfrk2DL0bI=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9e:f7:d7:79:1c:06:83:d5
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:05 2017 GMT
+            Not After : Mar 28 04:51:05 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:0a:c8:97:70:d9:ee:ed:6a:55:b7:e1:5a:ae:
+                    f1:61:b5:a4:6b:e1:13:10:6c:a1:a1:88:81:e2:e1:
+                    a5:74:be:a5:a6:a5:7f:de:15:d7:b4:d5:e4:19:4d:
+                    97:0f:18:9c:c4:9e:32:6b:93:21:68:dd:66:dd:df:
+                    56:e3:04:ba:6d:e3:49:24:23:b9:1b:38:31:eb:03:
+                    62:fe:bd:8f:e1:a0:24:1e:5c:af:3e:06:b1:a2:a1:
+                    7f:6a:1c:ea:43:ec:e2:c8:dc:4b:26:d7:e2:83:88:
+                    f3:ca:c3:aa:ab:f4:ef:67:4b:f7:ce:20:3d:f3:97:
+                    2f:76:af:ea:1b:63:66:6e:5b:a8:d0:0b:46:1a:87:
+                    72:bd:20:da:d2:22:31:fe:ac:75:ec:9a:3d:94:e5:
+                    d0:a7:92:d7:e2:2f:34:5c:a1:cb:ea:b5:01:c0:49:
+                    85:c5:5c:48:56:af:54:c2:32:74:b3:ee:1f:a5:d3:
+                    b3:b9:62:06:29:9a:1c:24:44:83:c2:91:c7:4f:fb:
+                    dc:06:84:ed:9e:38:96:14:91:f6:81:b5:ea:1d:0e:
+                    1e:ef:1e:3d:85:f8:0e:8b:85:ea:2c:6b:89:a2:fe:
+                    7c:ac:ca:14:09:97:cb:81:17:0f:7b:76:a6:9b:f6:
+                    e9:79:4d:bd:37:88:79:9a:63:fa:b4:c4:92:9c:12:
+                    88:67
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CD
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         89:84:ce:6d:80:83:e7:19:80:21:a5:d3:79:ac:c4:2f:5c:5f:
+         47:f1:1c:e7:40:2a:57:ec:76:01:a9:10:b6:a2:2b:1b:02:ac:
+         f7:46:b1:67:b3:36:0f:fa:f0:a3:40:c2:5a:38:00:67:a9:9d:
+         e8:59:be:2f:5b:d0:c6:6c:20:90:c0:3b:6b:af:75:8c:93:ac:
+         5a:1e:8b:66:2c:79:0b:6d:9d:0d:d3:68:b5:b6:df:d6:04:6b:
+         24:f7:5a:b9:f0:18:08:81:b1:50:1c:ac:1b:7a:b7:b8:d8:8e:
+         6f:15:78:7e:23:5f:41:5c:df:76:09:1a:67:36:15:35:6a:77:
+         36:09:19:50:12:6d:60:20:c1:7a:36:cb:4c:ee:a8:d7:b7:c7:
+         29:26:31:04:0a:44:48:25:be:dd:00:92:ea:8c:00:ee:b4:eb:
+         52:4a:da:47:97:d7:42:df:dd:7d:17:de:e3:a1:14:49:3b:2d:
+         aa:ac:e7:83:0f:c0:2d:3f:31:c5:af:bb:b1:1e:53:d1:a7:13:
+         55:e3:25:f6:67:95:a1:75:e9:b8:a1:81:eb:d0:de:8a:a3:af:
+         78:dc:d0:39:d0:e7:d6:61:9e:39:7b:8b:f9:ee:44:48:78:92:
+         e7:22:fa:9c:a4:d0:6b:2b:89:0a:fa:78:3d:7a:af:44:91:e5:
+         8a:40:2f:10
+-----BEGIN CERTIFICATE-----
+MIIEAjCCAuqgAwIBAgIJAJ7313kcBoPVMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSUwIwYDVQQDDBxJTlRFUl9DQV9TSEExLVJPT1RfQ0Ff
+U0hBMjU2MB4XDTE3MDMzMDA0NTEwNVoXDTI3MDMyODA0NTEwNVowgYQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMTwwOgYDVQQDDDNFTkRfRU5USVRZX1NIQTI1Ni1JTlRF
+Ul9DQV9TSEExLVJPT1RfQ0FfU0hBMjU2LVBSSVYwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDaCsiXcNnu7WpVt+FarvFhtaRr4RMQbKGhiIHi4aV0vqWm
+pX/eFde01eQZTZcPGJzEnjJrkyFo3Wbd31bjBLpt40kkI7kbODHrA2L+vY/hoCQe
+XK8+BrGioX9qHOpD7OLI3Esm1+KDiPPKw6qr9O9nS/fOID3zly92r+obY2ZuW6jQ
+C0Yah3K9INrSIjH+rHXsmj2U5dCnktfiLzRcocvqtQHASYXFXEhWr1TCMnSz7h+l
+07O5YgYpmhwkRIPCkcdP+9wGhO2eOJYUkfaBteodDh7vHj2F+A6Lheosa4mi/nys
+yhQJl8uBFw97dqab9ul5Tb03iHmaY/q0xJKcEohnAgMBAAGjgYwwgYkweQYDVR0j
+BHIwcKFjpGEwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARD
+aXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFzAVBgNVBAMMDlJPT1Rf
+Q0FfU0hBMjU2ggkAhKFwHQqS080wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAiYTObYCD5xmAIaXTeazEL1xfR/Ec50AqV+x2AakQtqIrGwKs90axZ7M2
+D/rwo0DCWjgAZ6md6Fm+L1vQxmwgkMA7a691jJOsWh6LZix5C22dDdNotbbf1gRr
+JPdaufAYCIGxUBysG3q3uNiObxV4fiNfQVzfdgkaZzYVNWp3NgkZUBJtYCDBejbL
+TO6o17fHKSYxBApESCW+3QCS6owA7rTrUkraR5fXQt/dfRfe46EUSTstqqzngw/A
+LT8xxa+7sR5T0acTVeMl9meVoXXpuKGB69DeiqOveNzQOdDn1mGeOXuL+e5ESHiS
+5yL6nKTQayuJCvp4PXqvRJHlikAvEA==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHC0ieOFNTJjP+
+HMlFQ/w50Hx/+FYh9z9w3i08dVvi8oEhGUop7fvsqEyuAj3U/BYG87Wsv27wfa9l
+qSJRSgqUT3yI4jsMY/ozUInuKpp/yL97abyZVDUZc3diDZqryA/Qur8HNVLyA2hD
+DA9x8Ioeu5EDFl7AeqV3jx+A8fbulwVeCa29GByVkWRUEVF/48a1jpazBf2YQvrm
+5ElWoG8fuMrz6vgj+gYZYb1GPXmJQrtAIRp4Z1/AquPS4A/O21DnPLEM8WSw+rSC
+KGGKMqefJw74zeVyPlOiOmjFTeNfeVDViQrDgU++CTDjFa8XhweU6v+MtY5Mmzmf
+2AETGyd9AgMBAAECggEANCdMu8hebOcRsH+ybSfHKw7p0E4to3C5esV8bN8DWI/a
+LeYGfL4SyIvAq8eClBAJZYDuFXmDhBgqoSSUDWCtLPc21lcQycpYgKGVwoX/PYRI
+R/oIpNRfpW+P1G1kHaaqHjMQYr8iIK+r3gWG9n/kcPEMqhZudVitiopB4vODlDgf
+OI0goNWwYOPzoBkJSBbgfYC7vSz0dg+j9ooYPDnyUnHjykhu95mkmBHYc/MVMP8s
+ntFB5pgtWuLQATZImW4A1dtZiqCsF6APvJIQASxVq+wv3dwhejF9xMZR96QchVZJ
+QvPOcH76njIH4fThb0e46Dn54+KBpCnveSnDtAz5sQKBgQD2u6gWOK/Z4VqGlff1
+diLqzesdalCJhydKzOGRzRiJeW4E4MhEpUjIo44zPGkQ64zq6nefqIltdiaE7T9C
+Fnyu/+vd0zE1v3Ipgv0wD3NgTj3gGrBwl2gkY5sfSbCR+8vS/DhRU+s3KN45m3s4
+XfM27Uw/Zh/DFIe7jmGezfe/3wKBgQDOhRjDfxDDLCEXw4QFQb7Sp/43EGfoTd8h
+m700T/QXUTGx6qRhzHF9mUVea7FT+3I6CEqYNnZtFlYsJlq1g457rnvUJnTjJZb7
+wFl1h+u4u3IKo/lUUh2vD89PPOkMUF/uamJLh5jK7KNkOjwEDN2yPkRgaedY++nv
+NBcUPpGUIwKBgEkFmOWauVC+hVA3qj8XS5Y6g08dW+CYA2T75faEwLJPIeSHsj2+
+vR/EaB15z46WaApOgkDaXHHs+dF1dbdVeGlCjMgF7RZ/JoZqogxLRlZGUcG1pGpu
+JQBACnTkFkHeR6CVzQUk1QRqL/rUrU8tXwHukRZiXxwZQ2Ka7QFW6+/5AoGAHGem
+Dk2NyqppKtGTeP2f921vw7cX85WyWPcIwQc2NXbPdP8m+OSbv4CzT9dUHo75GQ5G
+5ESpaTunQo9L7qdXk59eHMHlVdC3wYylQUsemtv9RYVkJ7rbplZwVx+zliP/7dTo
+DCdsVozRtFlmI9B5Najm0rP+Q/jyJhpuCjTI5S0CgYEAsYcmFZZotwOyT4oJ/1Fu
+BtSOsoxnCa1vPJTVXEoX3F28ZUP4X0iWgGDO1e3aoWWYxWusf1fUj9BWbVnbtJfb
+gJ5JtQTAuMvmjCwFRWcBUytdxTUsWFbuDc5fw7DMW7YqjkCCISkd6Q8JyaFsJPy1
+7uFzumBnFtZGUIo2w4l8yrQ=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9e:b3:99:30:15:24:2c:69
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:06 2017 GMT
+            Not After : Mar 28 04:51:06 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:0b:48:9e:38:53:53:26:33:fe:1c:c9:45:43:
+                    fc:39:d0:7c:7f:f8:56:21:f7:3f:70:de:2d:3c:75:
+                    5b:e2:f2:81:21:19:4a:29:ed:fb:ec:a8:4c:ae:02:
+                    3d:d4:fc:16:06:f3:b5:ac:bf:6e:f0:7d:af:65:a9:
+                    22:51:4a:0a:94:4f:7c:88:e2:3b:0c:63:fa:33:50:
+                    89:ee:2a:9a:7f:c8:bf:7b:69:bc:99:54:35:19:73:
+                    77:62:0d:9a:ab:c8:0f:d0:ba:bf:07:35:52:f2:03:
+                    68:43:0c:0f:71:f0:8a:1e:bb:91:03:16:5e:c0:7a:
+                    a5:77:8f:1f:80:f1:f6:ee:97:05:5e:09:ad:bd:18:
+                    1c:95:91:64:54:11:51:7f:e3:c6:b5:8e:96:b3:05:
+                    fd:98:42:fa:e6:e4:49:56:a0:6f:1f:b8:ca:f3:ea:
+                    f8:23:fa:06:19:61:bd:46:3d:79:89:42:bb:40:21:
+                    1a:78:67:5f:c0:aa:e3:d2:e0:0f:ce:db:50:e7:3c:
+                    b1:0c:f1:64:b0:fa:b4:82:28:61:8a:32:a7:9f:27:
+                    0e:f8:cd:e5:72:3e:53:a2:3a:68:c5:4d:e3:5f:79:
+                    50:d5:89:0a:c3:81:4f:be:09:30:e3:15:af:17:87:
+                    07:94:ea:ff:8c:b5:8e:4c:9b:39:9f:d8:01:13:1b:
+                    27:7d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:8D:A0:D2:8A:EE:0B:CF:64
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         2b:43:e4:c1:37:36:00:a3:ed:25:15:c7:9f:6b:25:0e:24:cd:
+         1c:e8:d2:8c:a6:11:05:a9:2b:b5:dc:7b:fd:55:8e:be:1d:15:
+         d7:8b:a8:a6:44:cf:03:ba:ba:78:74:26:b9:19:11:c0:03:9b:
+         4d:2f:f9:f7:ea:da:a3:2f:82:f9:9e:d0:77:d6:bf:eb:fd:57:
+         c8:eb:03:54:0a:0c:2b:36:0c:e5:99:b7:93:4d:a9:9d:e9:50:
+         80:66:4e:73:c1:bd:83:13:09:ee:b9:01:62:ed:90:0e:4f:ff:
+         9d:92:f3:cd:db:1f:ba:da:fc:67:9d:cb:a0:09:99:8b:3e:ea:
+         9d:61:55:ac:6f:fb:11:5c:c0:fe:fb:ff:5b:15:7d:a7:c1:aa:
+         3a:cd:30:43:35:ea:44:8a:21:ae:9f:af:bc:5c:ae:3a:01:2c:
+         3b:eb:b6:8c:6a:e1:1c:4e:55:0a:84:5b:f8:68:71:aa:97:02:
+         9b:5d:c4:c9:42:df:19:91:28:4a:12:35:8d:2e:3d:10:ec:35:
+         8a:b1:d7:e0:e2:a6:f9:f6:47:4b:17:75:84:8e:2d:66:e8:74:
+         be:d6:27:6b:a2:28:23:26:41:70:92:c2:7c:50:e2:81:c9:e0:
+         10:84:5d:87:4f:db:93:ce:dd:09:d2:48:63:3d:53:66:31:64:
+         5a:13:b5:a6
+-----BEGIN CERTIFICATE-----
+MIID+jCCAuKgAwIBAgIJAJ6zmTAVJCxpMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSUwIwYDVQQDDBxJTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEExMB4XDTE3MDMzMDA0NTEwNloXDTI3MDMyODA0NTEwNlowfzELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DTALBgNVBAsMBEphdmExNzA1BgNVBAMMLkVORF9FTlRJVFlfU0hBMjU2LUlOVEVS
+X0NBX1NIQTI1Ni1ST09UX0NBX1NIQTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDHC0ieOFNTJjP+HMlFQ/w50Hx/+FYh9z9w3i08dVvi8oEhGUop7fvs
+qEyuAj3U/BYG87Wsv27wfa9lqSJRSgqUT3yI4jsMY/ozUInuKpp/yL97abyZVDUZ
+c3diDZqryA/Qur8HNVLyA2hDDA9x8Ioeu5EDFl7AeqV3jx+A8fbulwVeCa29GByV
+kWRUEVF/48a1jpazBf2YQvrm5ElWoG8fuMrz6vgj+gYZYb1GPXmJQrtAIRp4Z1/A
+quPS4A/O21DnPLEM8WSw+rSCKGGKMqefJw74zeVyPlOiOmjFTeNfeVDViQrDgU++
+CTDjFa8XhweU6v+MtY5Mmzmf2AETGyd9AgMBAAGjgYowgYcwdwYDVR0jBHAwbqFh
+pF8wXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQww
+CgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFTATBgNVBAMMDFJPT1RfQ0FfU0hB
+MYIJAI2g0oruC89kMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACtD
+5ME3NgCj7SUVx59rJQ4kzRzo0oymEQWpK7Xce/1Vjr4dFdeLqKZEzwO6unh0JrkZ
+EcADm00v+ffq2qMvgvme0HfWv+v9V8jrA1QKDCs2DOWZt5NNqZ3pUIBmTnPBvYMT
+Ce65AWLtkA5P/52S883bH7ra/Gedy6AJmYs+6p1hVaxv+xFcwP77/1sVfafBqjrN
+MEM16kSKIa6fr7xcrjoBLDvrtoxq4RxOVQqEW/hocaqXAptdxMlC3xmRKEoSNY0u
+PRDsNYqx1+Dipvn2R0sXdYSOLWbodL7WJ2uiKCMmQXCSwnxQ4oHJ4BCEXYdP25PO
+3QnSSGM9U2YxZFoTtaY=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDuH2+6I/ytoLeW
+AG3J0xMQafYmxYDZNaDjiWBl7TGpL4TjRY84FuHI/G8ib0VY9DKtyUixm7qZev+b
+ExrfQGk9ZV7Dn41uBvmGcUMSqwb0QV/5/hneP7/3EXhoWjsCFUe0r0zOgCM7O9+F
+jUlSuxEHyaFE09PxWGVZpU4Yu71PeoI/JJGITV81o2Fst7Urz65NE5OWrvbO+pfD
+EiRvjLv/uil7znYV28lCbH7U1K8q5nGVtnpgTguhGL6/N3lIgvxoBtoXEQwdMV59
+APsH8anA19rHn5h/ZmknryxAs0c6Rg9Plo30MonIU/eAVZwNw8TczD276Rc02xnW
+RmbmxToRAgMBAAECggEAbK3OWV9JWJlMkNqbQQzj247w+FsV5ozSZGbzpzFtg/Eb
+Lns11XykCg4kTswIE4RIiQaf9efEb34yoL1Ee3YzUgEtEg2FCB2IzvJskV2ba+lW
+e4uclNH1tDa2BLKB0f6SXoXPgUP8UHGQH60PNQIJ0MsWnoorZjBY+WQ305QD3/yB
+fMonkjpWN+ZNTY8Y3vA2SsS4EoY0Ndy2FpmWPwKKMCcqXw6xzVjKvq+jpFfsGpcj
+i3MlKsCG5koreWrXdyt28CVOc6eMW5rsJfAHRw+OSn7PdLaGyZCUUsFXCjG0Vq2G
+YwuMfTJprrZk+lbi3XUXWk7XUEURB7Q4lIBxAcskAQKBgQD8pVj0OIsVHAGjQQ7C
+ZAnxFlON7XX3fgPdLtil9c+a1GlcPA2K52fBp8YlKlAS4bmZIQHbbkEBjh8KfG1P
+x7zBHoUXV8ruo/axzRPoeBVQat5NQKcKnlITrqdf8J3a+8iMxpMpd53h97HGiayq
+W04ZQNf7wjXvR+pJVluTEaoVUQKBgQDxSLruMmCsYvD+sipaQ3rBEMIAI3kc7ctl
+fEnipEk5wtPkKKldw+rvbh/AwY2i2JMUDcW92hkB5vCvbcKmCEkEO3FbawNkJnJi
+qfwbvHP/fGThMV3gbWWF3GZvBKY2+toSa2rwoR5kYTT1e4+byk38NAp/HAItFHIT
+DgAgMy6owQKBgQCjd8jKnBtBmVFl9B48oMXd+/gsCM0fSaXuYvVCzH17TJyvVRve
+GEQGBSwrt+j/jpWsArNU602cV/y1qDSCPlZfDgRHSkK/jc9805hh/fCsi7kyevaZ
+5D5vBb6+UM2Sdv8YNxPY7NB2+PFJ6KKTx2gM5uvYtZx4KivpL7souXE3QQKBgDxg
+FZ5q7rPUIjepP13MyteqqNC+D51Eh4PCgP58W3JfpQPPhOnYj14QMVPbWuSnys3W
+0Gc8PsuyDQHoti8znYm4khntAjE6SZ8Up+gM1P3WE6wh3Tq+RQwk5WDcSfcx+AVp
+6Z2Cw4ccp9LRc1LpYXA9WW8LBCRhnFXWSAPGquNBAoGAdCsvFzSipQ5qxWPlClRM
+lKqDdQheRl9IKCuImXZAvdX952VhmP7QV5PUwLV/CkVquvSdRSshrMO/fqFjfkjr
+puajXghFXa+YppQW42tPYBmKDnNVgxW5d5sC62AYaykh2iNw3v4BJyN+MMmkSf0M
+4/mKvs5m8N2OkOpY6r2wCp8=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e8:33:78:c7:69:9c:28:c1
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:04 2017 GMT
+            Not After : Mar 28 04:51:04 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ee:1f:6f:ba:23:fc:ad:a0:b7:96:00:6d:c9:d3:
+                    13:10:69:f6:26:c5:80:d9:35:a0:e3:89:60:65:ed:
+                    31:a9:2f:84:e3:45:8f:38:16:e1:c8:fc:6f:22:6f:
+                    45:58:f4:32:ad:c9:48:b1:9b:ba:99:7a:ff:9b:13:
+                    1a:df:40:69:3d:65:5e:c3:9f:8d:6e:06:f9:86:71:
+                    43:12:ab:06:f4:41:5f:f9:fe:19:de:3f:bf:f7:11:
+                    78:68:5a:3b:02:15:47:b4:af:4c:ce:80:23:3b:3b:
+                    df:85:8d:49:52:bb:11:07:c9:a1:44:d3:d3:f1:58:
+                    65:59:a5:4e:18:bb:bd:4f:7a:82:3f:24:91:88:4d:
+                    5f:35:a3:61:6c:b7:b5:2b:cf:ae:4d:13:93:96:ae:
+                    f6:ce:fa:97:c3:12:24:6f:8c:bb:ff:ba:29:7b:ce:
+                    76:15:db:c9:42:6c:7e:d4:d4:af:2a:e6:71:95:b6:
+                    7a:60:4e:0b:a1:18:be:bf:37:79:48:82:fc:68:06:
+                    da:17:11:0c:1d:31:5e:7d:00:fb:07:f1:a9:c0:d7:
+                    da:c7:9f:98:7f:66:69:27:af:2c:40:b3:47:3a:46:
+                    0f:4f:96:8d:f4:32:89:c8:53:f7:80:55:9c:0d:c3:
+                    c4:dc:cc:3d:bb:e9:17:34:db:19:d6:46:66:e6:c5:
+                    3a:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CC
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         1d:1a:87:7d:11:0e:cc:cd:7f:6c:ed:21:1a:2c:35:de:09:b8:
+         c4:cf:0c:31:00:3d:f5:bd:d4:6e:f0:4f:7e:c2:8d:d6:c5:28:
+         ed:38:9d:d7:52:32:e2:8d:7b:64:c8:1d:4e:69:7e:49:5f:e1:
+         5e:04:c7:d3:96:d2:63:ef:2c:35:4f:eb:08:2b:9d:b0:15:df:
+         33:d8:1c:59:8e:bb:f1:28:4f:f0:85:bb:3c:56:e1:86:a4:75:
+         2b:44:8a:1c:98:ae:94:f3:b6:76:a9:a3:e7:d6:bc:58:ef:fe:
+         32:11:6f:76:5b:85:f8:14:91:83:2c:b6:20:a5:48:48:8b:6e:
+         ee:a8:6c:2b:12:18:94:3e:59:5e:a6:66:53:dc:40:b2:da:fd:
+         a4:5f:16:35:b6:20:2b:31:86:9b:91:55:b2:35:63:d2:47:bd:
+         91:7e:43:bc:d6:0e:dc:95:1a:f0:8d:08:e5:66:cd:d1:0b:32:
+         d6:92:26:3e:78:e8:70:74:e1:14:64:b0:39:5d:7c:d0:28:23:
+         c7:83:53:02:90:fe:fc:9e:aa:9a:fb:c4:ef:9d:d5:22:f6:c1:
+         fd:e4:07:04:25:4f:8f:b2:13:6f:0d:51:cc:54:b4:38:d3:ac:
+         31:aa:94:c5:d0:c8:5a:58:35:13:87:3e:f6:74:26:8c:2b:7d:
+         6c:8e:36:a5
+-----BEGIN CERTIFICATE-----
+MIIEATCCAumgAwIBAgIJAOgzeMdpnCjBMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEEyNTYwHhcNMTcwMzMwMDQ1MTA0WhcNMjcwMzI4MDQ1MTA0WjCBgTELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANP
+cmcxDTALBgNVBAsMBEphdmExOTA3BgNVBAMMMEVORF9FTlRJVFlfU0hBMjU2LUlO
+VEVSX0NBX1NIQTI1Ni1ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAO4fb7oj/K2gt5YAbcnTExBp9ibFgNk1oOOJYGXtMakvhONF
+jzgW4cj8byJvRVj0Mq3JSLGbupl6/5sTGt9AaT1lXsOfjW4G+YZxQxKrBvRBX/n+
+Gd4/v/cReGhaOwIVR7SvTM6AIzs734WNSVK7EQfJoUTT0/FYZVmlThi7vU96gj8k
+kYhNXzWjYWy3tSvPrk0Tk5au9s76l8MSJG+Mu/+6KXvOdhXbyUJsftTUryrmcZW2
+emBOC6EYvr83eUiC/GgG2hcRDB0xXn0A+wfxqcDX2sefmH9maSevLECzRzpGD0+W
+jfQyichT94BVnA3DxNzMPbvpFzTbGdZGZubFOhECAwEAAaOBjDCBiTB5BgNVHSME
+cjBwoWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENp
+dHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9D
+QV9TSEEyNTaCCQCEoXAdCpLTzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQAdGod9EQ7MzX9s7SEaLDXeCbjEzwwxAD31vdRu8E9+wo3WxSjtOJ3XUjLi
+jXtkyB1OaX5JX+FeBMfTltJj7yw1T+sIK52wFd8z2BxZjrvxKE/whbs8VuGGpHUr
+RIocmK6U87Z2qaPn1rxY7/4yEW92W4X4FJGDLLYgpUhIi27uqGwrEhiUPllepmZT
+3ECy2v2kXxY1tiArMYabkVWyNWPSR72RfkO81g7clRrwjQjlZs3RCzLWkiY+eOhw
+dOEUZLA5XXzQKCPHg1MCkP78nqqa+8TvndUi9sH95AcEJU+PshNvDVHMVLQ406wx
+qpTF0MhaWDUThz72dCaMK31sjjal
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX1pPNXGpnPQNc
+x9ReXrjbcHkIoyXcdXbhO0TnUBV5aGJTEn5/meDsK76Y2KDVyU/EO2jXpaQ5QiGn
+UzY6vKIn6boqTov4NLYwBsVPdAG/xZyr5q7p6bnJ8WRj40A2JeOeZ3FMglRtBCNg
+rYeEC4MDp2F41OVxsJZ4huodq94arqhD/hjE40g06UNa0I+/2dIpI2cSamIC5b3L
+/DK3ol+gIw/OOxMCgzAUSjeH6nTrrW1hUeSKx0NPGWRLWzLQ2yxhYcXlsedNuKHo
+ux/p3EkGXoGPajK7s7IlKj9CPQYwlQez37jCLJGovArqTr/8hxfrKMdZOl5bp+6H
+6uWh6af7AgMBAAECggEAXrUsM79qfRR7pjmVCTe9G6T1pwGXum3clSYhrPIqChTw
+mA0Ubr9Bv7/OKVlc8ZIdKzj6Xy2yquFGzRopQIrHCIZ5htjieC4BB3/hEmUP42s9
+vPxDIibJvD/s0hvEcD4d68LuJylFDHT1ZRWf0iQPAApxLckVSNa4n/hrQEvK8J+G
+HIH8VATq9iHp/GQmmFB8b3ubqn46zDGqly14+TGP2KtVJlY9FuCpvmtZZZjJ+K09
+vYM+BATwje6N6PqX5a3Z+NFC1NK9CmC+U6ECJ27uhySn8kvlU/i/SOAnrPftByO7
+g7K8p2Qzq1LlVIUU/JTidNZGXTaTMOVg8eHLmyt92QKBgQD9a94rLqk9BUtVsTYa
+AImt+KbUMB+Zi83cYDiCfNBkfIYw4dVUFJecmqZwg7IeqNwuSmXP41fASOvDel/L
+8bOj/rPccVSG9pmU0ir5WK9n8zobogfAzvaFr8cmo+TVv0FOZZA8e/+UfVsiKAsW
+3nwhwxN8ieILU1dtaNV1IfnAPwKBgQDaCM9URf+DFILI2WpuzKpk1loF6HrlklIn
++N0IFFcalqUpC8GhXTw7suypRBCZ+cp32h7WEcN9aHLMrnkDQP3bGTv53pJT5N9k
+7nk9Bfrk0CJCxeMRKwtuMhLkOmT0eh2aB1lWR0owA5b1Gjtiz5kTW7NN2+paJCDz
+SiDLVoFpRQKBgQCHvt0N4nuy/QACkd86BGm7b8LlTDXRCMsnrb73XqY9/VngG0gr
+NrCTqV9YS6MAu1Dd1uo8djnN/QGU/xsLYpfoU4nCnk450SQpTH7Ke8/Rbb8FiECA
+7hutNqAFuardOApiVRLy4zTfNFq5rBtsj5aMezMX9b/Ic0cUiyA0ExP1/wKBgQCp
+SDvI34wRdqRQUtWa7xbAsdg1TBnXEjLtTAA4nKpAP4Q+CR2uLlhstW+fv/PvyIwV
+X+mfJS2VubmgBzp3d0dhjAcP6mnL7yAvGiRRZ8ozSxG+rCuvEa+PQBuAzYHCeulu
+xJPtM+56tt7GsDY5cpsT95eQNNWQZQqcOgqaNTDGzQKBgCmMwRP1HN0qUSSVO1d8
+8N17OoZe5yntppEjesYQrLf4AEgPS3Qj8dv0qfe3z1B0gAKlG9+OR8cUBCMGVyum
+b51SiSi3LSm1VeuMfT7JDMSxTkbaI5CY7v+/5yCRFqikgBtCkHM9m4K95d3dVDO8
+JGrlKiKVIbu5LnQZMkPHRIEX
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8d:a0:d2:8a:ee:0b:cf:65
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:04 2017 GMT
+            Not After : Mar 28 04:51:04 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d7:d6:93:cd:5c:6a:67:3d:03:5c:c7:d4:5e:5e:
+                    b8:db:70:79:08:a3:25:dc:75:76:e1:3b:44:e7:50:
+                    15:79:68:62:53:12:7e:7f:99:e0:ec:2b:be:98:d8:
+                    a0:d5:c9:4f:c4:3b:68:d7:a5:a4:39:42:21:a7:53:
+                    36:3a:bc:a2:27:e9:ba:2a:4e:8b:f8:34:b6:30:06:
+                    c5:4f:74:01:bf:c5:9c:ab:e6:ae:e9:e9:b9:c9:f1:
+                    64:63:e3:40:36:25:e3:9e:67:71:4c:82:54:6d:04:
+                    23:60:ad:87:84:0b:83:03:a7:61:78:d4:e5:71:b0:
+                    96:78:86:ea:1d:ab:de:1a:ae:a8:43:fe:18:c4:e3:
+                    48:34:e9:43:5a:d0:8f:bf:d9:d2:29:23:67:12:6a:
+                    62:02:e5:bd:cb:fc:32:b7:a2:5f:a0:23:0f:ce:3b:
+                    13:02:83:30:14:4a:37:87:ea:74:eb:ad:6d:61:51:
+                    e4:8a:c7:43:4f:19:64:4b:5b:32:d0:db:2c:61:61:
+                    c5:e5:b1:e7:4d:b8:a1:e8:bb:1f:e9:dc:49:06:5e:
+                    81:8f:6a:32:bb:b3:b2:25:2a:3f:42:3d:06:30:95:
+                    07:b3:df:b8:c2:2c:91:a8:bc:0a:ea:4e:bf:fc:87:
+                    17:eb:28:c7:59:3a:5e:5b:a7:ee:87:ea:e5:a1:e9:
+                    a7:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         d3:ce:da:23:e1:7c:73:fb:7f:26:d7:a4:3c:7b:17:01:75:ce:
+         a5:bd:75:f1:65:1b:56:27:ae:f8:97:a6:c4:ca:94:93:c9:12:
+         bb:c7:ec:2b:d5:38:d5:43:3a:6c:c2:51:3a:79:2f:d7:4e:da:
+         2d:12:1f:b8:c2:4f:c8:ba:33:d3:f5:0c:78:cc:26:69:24:47:
+         3f:ed:17:a0:7f:d0:20:fe:11:ca:75:50:1a:61:e1:91:b5:fa:
+         91:04:e9:14:59:77:d4:29:0f:43:19:e0:dc:dd:a6:18:14:f4:
+         33:3e:f0:cb:36:7b:18:04:03:dd:be:35:41:c4:3e:65:d2:67:
+         44:73:ab:7f:d1:b9:26:7e:b3:1e:d0:e4:a4:52:83:60:a9:e6:
+         e1:bf:62:bb:9b:16:0c:97:ad:11:1a:2f:eb:92:ca:7e:98:15:
+         46:23:59:5d:26:d9:ec:57:85:51:5b:09:f1:9b:1b:d3:5d:53:
+         02:67:1a:e4:24:49:67:87:04:75:66:13:56:1b:8b:a1:08:de:
+         c8:4b:f8:87:73:6e:c2:31:ee:f6:32:14:45:32:a3:3f:e4:b1:
+         0f:23:28:29:b4:a3:86:65:4f:2e:57:ad:8f:44:77:f8:4b:ea:
+         7b:9d:8e:dc:cb:07:ee:b4:78:46:db:cd:12:eb:ad:ef:9b:8f:
+         22:ba:83:7b
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr6gAwIBAgIJAI2g0oruC89lMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTA0WhcNMjcwMzI4MDQ1MTA0WjBrMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEj
+MCEGA1UEAwwaSU5URVJfQ0FfU0hBMS1ST09UX0NBX1NIQTEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDX1pPNXGpnPQNcx9ReXrjbcHkIoyXcdXbhO0Tn
+UBV5aGJTEn5/meDsK76Y2KDVyU/EO2jXpaQ5QiGnUzY6vKIn6boqTov4NLYwBsVP
+dAG/xZyr5q7p6bnJ8WRj40A2JeOeZ3FMglRtBCNgrYeEC4MDp2F41OVxsJZ4huod
+q94arqhD/hjE40g06UNa0I+/2dIpI2cSamIC5b3L/DK3ol+gIw/OOxMCgzAUSjeH
+6nTrrW1hUeSKx0NPGWRLWzLQ2yxhYcXlsedNuKHoux/p3EkGXoGPajK7s7IlKj9C
+PQYwlQez37jCLJGovArqTr/8hxfrKMdZOl5bp+6H6uWh6af7AgMBAAGjgYowgYcw
+dwYDVR0jBHAwbqFhpF8wXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYD
+VQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFTATBgNVBAMM
+DFJPT1RfQ0FfU0hBMYIJAPE7t/soP1IJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBANPO2iPhfHP7fybXpDx7FwF1zqW9dfFlG1YnrviXpsTKlJPJErvH
+7CvVONVDOmzCUTp5L9dO2i0SH7jCT8i6M9P1DHjMJmkkRz/tF6B/0CD+Ecp1UBph
+4ZG1+pEE6RRZd9QpD0MZ4NzdphgU9DM+8Ms2exgEA92+NUHEPmXSZ0Rzq3/RuSZ+
+sx7Q5KRSg2Cp5uG/YrubFgyXrREaL+uSyn6YFUYjWV0m2exXhVFbCfGbG9NdUwJn
+GuQkSWeHBHVmE1Ybi6EI3shL+IdzbsIx7vYyFEUyoz/ksQ8jKCm0o4ZlTy5XrY9E
+d/hL6nudjtzLB+60eEbbzRLrre+bjyK6g3s=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWN68vV57EPqPZ
+Dtvi2+NI4tfxUgkaWJXbqrLKuAJC8bff9edZpMXGAyqMpDDr7MAjs/3TDYpVaWYN
+Id5iwqamImbBLYf/K0LOkaX6+TyogaqwwdNVryR5eYcGXEiJY1MJ2mgzCNeGJ091
+4qwll3xkjAFolB6o9QoIbLB3cctl0vw6oAoi3TKWQxJ+UI6/uBotX5eQ9z1b/MDs
+6PNXHB22jYAj4tOePMZxq7AVCwTFpWbHK8j5ftXxpVoU5ECNHfIAHLprJqc/lKdf
+7rMyflbsjD8nV7TwY+FW7WfOQgiJhk0OK3VaBeSsovpOOwjS4Lpsazh3eUXeZJUk
+lrYrMfI3AgMBAAECggEAEpXmNx9NAQ3GPXDSlw4o3AwCXEeXzpdc+SAIPxpT5+b8
+4wt8tQRcvF9N88HTFMUHrpFRNlx4Ygyw8/a6SqtEtilJ7Py8TeE8/JsaYXn6T0xg
+uNE4OrjlWzy2AFFFYdYiQDqYy8S6nkMO29V8xg4slrSm8qHXPyVzZ2O2s8ZFtWG+
+ItAMb+Gv7FU2M4te/TwRnadljFAoyWry0XCXle1fN1Y3QJXtu3VDdmLmU0t+VGfa
+wuZ5k0FIb9TFIQuxtgUNXJZmIjZw4Ych3luUc1bMSn9FPHeOzk8J3yo1tGqQu15M
+KMLHxASTgt6opfhDbYIpD0fJJqCPdiJlMrqXHBPYwQKBgQDy8lrmsjBE97H0U2sS
+tqlJq+7VOe2ien+z6seXFxd6XHBI8D/wTi2Q/7BpIGbpek3xc0ujxaFbcqo/RJZA
+TUzYmc5leQLTwy4a54Neo33+sOuYPg8fQIMPT1OGa3DXv3EPSC8FdQrweNjn/bDX
+YXbXJ2nKc3RgdTVehuMh6mw25wKBgQDhuitrTL3dlyHMGhO+djxW3cgjsUbJXQsK
+1GnkGw5mzzL67M6ixw4WNxNJjuXEUI5Vat8iJzhZOA+Ae84DDbeN2FCM7UBpUsyB
+9T9aApBYLLMflZhl4PXK/zkh1J9vA5NqqJbAcw6a5uH0kjtuJOSvP5CVQc2xsX9i
+U9+eZesQMQKBgHo4Znasqg/oNIRf+vvdHOlNL8fhbqVQzzHqKSLfoRYTrwFirCfu
+jInnuA4LGPrYZqHTiPgJEpX456EQli4fNUu6hNUTvdJe3LD4S2SvB1G8G6npfp4Q
+TF7FX5W+M3S2gOBZRh6OtUQo56Y+QFr6U1kGIPiSgLeN/51gap/DWVF9AoGBAMmL
+hMEloFF+Y/rtPbvNrkqRc+YKn32jyfw9dN7rGYzKbGaHkmjc+sLzIhGHubfzhWLX
+Law9AJ8I4y6BXIx1bvMDtche/igMefV/mLUxnNhd8QG+fHhayJwcDlMamdBxjOqq
+5Q+oq927UP0ipFXQMzAWvW3Hd3W1WlvdL8kqjxvBAoGBAMaZ9JZO48Zn17IUweZC
+oVfM99YaHa+dm3L47PdQN6Ag6UjQ+sZ/6SLGIIg67SDhUQ+nuPCL8PH3Rf7PCuqW
+oHW3F+44SIrVdLlMkWb444dxdP6Xvb9aOMpvopBDuvzYPR3xzZ202DZbZ0sIEVu8
+8a+09JbRmEI2/Ee+em6a/Y4T
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            84:a1:70:1d:0a:92:d3:cd
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:03 2017 GMT
+            Not After : Mar 28 04:51:03 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d6:37:af:2f:57:9e:c4:3e:a3:d9:0e:db:e2:db:
+                    e3:48:e2:d7:f1:52:09:1a:58:95:db:aa:b2:ca:b8:
+                    02:42:f1:b7:df:f5:e7:59:a4:c5:c6:03:2a:8c:a4:
+                    30:eb:ec:c0:23:b3:fd:d3:0d:8a:55:69:66:0d:21:
+                    de:62:c2:a6:a6:22:66:c1:2d:87:ff:2b:42:ce:91:
+                    a5:fa:f9:3c:a8:81:aa:b0:c1:d3:55:af:24:79:79:
+                    87:06:5c:48:89:63:53:09:da:68:33:08:d7:86:27:
+                    4f:75:e2:ac:25:97:7c:64:8c:01:68:94:1e:a8:f5:
+                    0a:08:6c:b0:77:71:cb:65:d2:fc:3a:a0:0a:22:dd:
+                    32:96:43:12:7e:50:8e:bf:b8:1a:2d:5f:97:90:f7:
+                    3d:5b:fc:c0:ec:e8:f3:57:1c:1d:b6:8d:80:23:e2:
+                    d3:9e:3c:c6:71:ab:b0:15:0b:04:c5:a5:66:c7:2b:
+                    c8:f9:7e:d5:f1:a5:5a:14:e4:40:8d:1d:f2:00:1c:
+                    ba:6b:26:a7:3f:94:a7:5f:ee:b3:32:7e:56:ec:8c:
+                    3f:27:57:b4:f0:63:e1:56:ed:67:ce:42:08:89:86:
+                    4d:0e:2b:75:5a:05:e4:ac:a2:fa:4e:3b:08:d2:e0:
+                    ba:6c:6b:38:77:79:45:de:64:95:24:96:b6:2b:31:
+                    f2:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         56:fb:b0:ab:a6:bb:3a:55:04:ed:5c:3b:ae:0c:0d:32:8f:aa:
+         ec:b7:24:2c:d5:37:b9:1f:91:64:21:c2:c0:6d:bc:d4:d4:5e:
+         e2:f1:12:ad:34:02:93:65:10:6c:93:93:2c:23:53:e8:ed:96:
+         c7:3b:6b:44:df:ff:24:8b:c1:cc:26:b2:1e:8f:26:66:34:3a:
+         bb:7d:ef:4e:a6:7e:b2:c8:93:c9:f7:46:5a:de:40:88:70:28:
+         c7:d1:fd:27:c3:99:fd:6a:a1:a5:e1:6d:c3:5a:bc:99:28:95:
+         e9:17:ed:a4:56:a5:04:ad:fb:74:a2:01:26:2a:5a:45:bc:7b:
+         0d:df:0c:41:79:8b:b4:15:50:cd:88:ce:f5:a7:ee:cb:d2:5b:
+         76:81:4c:1b:09:92:0e:e9:c6:42:df:b7:81:9e:89:3d:49:ed:
+         17:fa:d2:2f:bd:8b:74:d5:cb:ce:af:46:6a:74:b3:34:a0:c5:
+         a0:64:66:7a:80:59:15:1e:de:16:df:11:3d:1e:96:e2:e5:2d:
+         f1:4d:20:f3:f6:f1:19:aa:ac:f8:b4:6e:76:a0:26:6c:cd:90:
+         f2:23:35:a0:8b:c8:e8:5d:27:5d:34:d3:69:74:61:c5:ac:6a:
+         54:e9:86:8d:ca:ca:16:03:48:7f:cd:23:43:41:e2:77:3a:5d:
+         f2:3e:de:fa
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIJAIShcB0KktPNMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDNaFw0yNzAzMjgwNDUxMDNaMG0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MSUwIwYDVQQDDBxJTlRFUl9DQV9TSEExLVJPT1RfQ0FfU0hBMjU2MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jevL1eexD6j2Q7b4tvjSOLX8VIJGliV
+26qyyrgCQvG33/XnWaTFxgMqjKQw6+zAI7P90w2KVWlmDSHeYsKmpiJmwS2H/ytC
+zpGl+vk8qIGqsMHTVa8keXmHBlxIiWNTCdpoMwjXhidPdeKsJZd8ZIwBaJQeqPUK
+CGywd3HLZdL8OqAKIt0ylkMSflCOv7gaLV+XkPc9W/zA7OjzVxwdto2AI+LTnjzG
+cauwFQsExaVmxyvI+X7V8aVaFORAjR3yABy6ayanP5SnX+6zMn5W7Iw/J1e08GPh
+Vu1nzkIIiYZNDit1WgXkrKL6TjsI0uC6bGs4d3lF3mSVJJa2KzHyNwIDAQABo4GM
+MIGJMHkGA1UdIwRyMHChY6RhMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEN
+MAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZhMRcwFQYD
+VQQDDA5ST09UX0NBX1NIQTI1NoIJAKNSnYJv3cYdMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADggEBAFb7sKumuzpVBO1cO64MDTKPquy3JCzVN7kfkWQhwsBt
+vNTUXuLxEq00ApNlEGyTkywjU+jtlsc7a0Tf/ySLwcwmsh6PJmY0Ort9706mfrLI
+k8n3RlreQIhwKMfR/SfDmf1qoaXhbcNavJkolekX7aRWpQSt+3SiASYqWkW8ew3f
+DEF5i7QVUM2IzvWn7svSW3aBTBsJkg7pxkLft4GeiT1J7Rf60i+9i3TVy86vRmp0
+szSgxaBkZnqAWRUe3hbfET0eluLlLfFNIPP28RmqrPi0bnagJmzNkPIjNaCLyOhd
+J10002l0YcWsalTpho3KyhYDSH/NI0NB4nc6XfI+3vo=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDh12cWta4H1sY6
+KHyfvxSJk1JIUAe08JFmHwvO0Eb6LRmKrqwbXEyGs0CPGhMlnmxjvrfXbKkUjodY
+9ByxSBa7zYaVdPDGKDQ3HvPxyjZ0npPrHDII2wR+0UOD0ftkDbPHWQFBsl0OY/sI
+pRzihYRh8MwCrADdza3vHPrNBz2umuM5jnN20FVIGKhGMGbg5eackBmgvcaWT6BW
+B67iYRWVRwLywdSE+imOIS4P7ivndBe1DlB+z4oBmbBwYkM+5WyR3yT4+stdByyn
+naL+kExsC/TWDw+sE9TQUo2zqRbNI1j8UhBaQZz1pbX5YeGPTq/Z2J8EGvPxz6VY
+PmkDyMl3AgMBAAECggEAKrlDKUqpZ5Y73di26smNKxGRqVhqfNJdz0HkS/We18kc
+Yd31dR+a4oial/fI038K5ju4L6rAucDU3gEgRHFsy45v/Won+nS0nBDg+UbV0m4F
+cZ7d4Er+qLcR3KgmtKDa98VgtXr2m7hSTypdMoUrrBOPpJnBeDRmyStkTtEl3Bfa
+Fh72SZXNauGvB5+qrbPhls1HoWVbzZ3i6oUCBDrfmLD6G0ipGM+AQICmXjYX8OxT
+Ye5u/6DU4TkWu5A6/1m0Q4clGZXSeMx2d4PkZ0jZKOXdhwvzAaGh7I0AkuA4ZlCj
+slXENyAzQhm4EHHWxvld11e8oEh4DUfWtUXeLttawQKBgQDybE5gjAZdv+5BJXWV
+l2G+zb5tKHWd0XQQ2epktX+i+iA5lA0bLkAA4rrmZVsDEc4D2yjINsopBHTjwvtV
+F/LBBWIynm6MkIyjY6+0fBfoikz9ebKikuf1YRoRC5Dl0pd2Wa/ps2wowDbQnj3o
+4e6x+z0WviyL+uRr1JyotR2J5wKBgQDufVw64Z6AdWThlnP8qXqW12QQBd5qChPr
+fHJEkx0ViBoM97yalVzDssXn4X2ESVDqtsxH21SzKzDGzLoCG3PwCPgp9zWk9GS/
+HfhXFzI3qHIlI+s6481vjqDnXtvJ7oHutxYkkYQXSMgC69jeRY0nW78Bz03BAYjQ
+boRmeK1x8QKBgQDw9VBOTMADLUPvQwGGKAsC8VQHAgEuVcONAF0nrvPoFcA0GwGP
+87+wYayuVy5IdckVMiBuKW91p7VbsjHJGd2zl9tMPwfY9dCkkvBRcEr/W4A9Llqt
+l2GyF8smCB4FIfZkr67Xlvy54Jxbbf5RXUi5ZeUJlwuGM2IaACGa2zM6HwKBgEmW
+iOTqRTwh/RTWlcd6jAcLQybmiLBzl53r8l5SfoDsVA14S8vvFoaUHRjlrRMqhDtI
+WFQ7yzDVvOE6vpJz4hxIyDo6u2TAvG10U/Kbh7VA1qe7I5QyQmuPuPprfKocXB9K
+gxyZggalQIIWP/6lu15PoupuCvHpBUw7LcNorSwhAoGAXXBcp4U369B3ld+M+hC9
+G+2VttaC2917iqoM8R7WOiwez+10s+fNv89B6DjZxeX5haa7bbB+RvfqN8OysIRK
+m0Bh4w6q/JuRydj9T5sJLk9oUrEFLncqihlNT+1WEwR5x50OODYjpHz1YORo5HzL
+cnXKk8xTZFE7mXD1ZJoRLxc=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8d:a0:d2:8a:ee:0b:cf:64
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:03 2017 GMT
+            Not After : Mar 28 04:51:03 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e1:d7:67:16:b5:ae:07:d6:c6:3a:28:7c:9f:bf:
+                    14:89:93:52:48:50:07:b4:f0:91:66:1f:0b:ce:d0:
+                    46:fa:2d:19:8a:ae:ac:1b:5c:4c:86:b3:40:8f:1a:
+                    13:25:9e:6c:63:be:b7:d7:6c:a9:14:8e:87:58:f4:
+                    1c:b1:48:16:bb:cd:86:95:74:f0:c6:28:34:37:1e:
+                    f3:f1:ca:36:74:9e:93:eb:1c:32:08:db:04:7e:d1:
+                    43:83:d1:fb:64:0d:b3:c7:59:01:41:b2:5d:0e:63:
+                    fb:08:a5:1c:e2:85:84:61:f0:cc:02:ac:00:dd:cd:
+                    ad:ef:1c:fa:cd:07:3d:ae:9a:e3:39:8e:73:76:d0:
+                    55:48:18:a8:46:30:66:e0:e5:e6:9c:90:19:a0:bd:
+                    c6:96:4f:a0:56:07:ae:e2:61:15:95:47:02:f2:c1:
+                    d4:84:fa:29:8e:21:2e:0f:ee:2b:e7:74:17:b5:0e:
+                    50:7e:cf:8a:01:99:b0:70:62:43:3e:e5:6c:91:df:
+                    24:f8:fa:cb:5d:07:2c:a7:9d:a2:fe:90:4c:6c:0b:
+                    f4:d6:0f:0f:ac:13:d4:d0:52:8d:b3:a9:16:cd:23:
+                    58:fc:52:10:5a:41:9c:f5:a5:b5:f9:61:e1:8f:4e:
+                    af:d9:d8:9f:04:1a:f3:f1:cf:a5:58:3e:69:03:c8:
+                    c9:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         24:74:94:0a:7d:81:62:16:ed:4e:0f:e2:19:06:bd:8b:7a:e4:
+         35:63:4c:73:ec:3a:45:d7:2a:8c:80:e6:6b:d9:26:7d:78:9f:
+         6b:36:f9:fd:94:f7:ac:86:3c:0e:95:66:80:f3:0b:93:0f:44:
+         0a:05:76:d9:1d:c6:37:6f:ea:02:b9:29:e9:96:11:d1:e6:1e:
+         70:95:31:77:22:ed:3c:96:ad:9f:74:8c:41:f5:44:47:a2:4e:
+         d4:58:86:92:31:36:94:90:05:9d:94:16:8c:f8:c8:18:7b:45:
+         dc:49:45:53:63:06:bb:c6:a9:33:72:fe:48:7b:0e:21:89:e2:
+         6c:44:29:3c:10:65:c6:7d:8e:6c:cb:95:ea:a1:ae:3b:c1:12:
+         98:ce:b9:c8:98:12:0d:ac:a7:bd:31:cc:aa:ac:51:b4:a7:33:
+         5b:60:0d:d6:ed:e0:29:5a:29:f5:fc:e0:27:db:77:88:fd:59:
+         0c:02:70:d8:f4:1d:89:88:13:94:55:5b:77:a3:a6:8e:18:9a:
+         b8:82:5b:64:27:8c:ef:10:6a:df:ed:fd:a4:b5:2b:44:0f:5f:
+         89:08:15:48:df:b0:13:08:7c:08:cc:07:ea:b8:a6:17:ab:35:
+         65:07:2c:b9:ec:9a:d0:1f:e7:b9:a7:36:9e:24:f7:73:10:e0:
+         70:6c:78:6e
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIJAI2g0oruC89kMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTAzWhcNMjcwMzI4MDQ1MTAzWjBtMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEl
+MCMGA1UEAwwcSU5URVJfQ0FfU0hBMjU2LVJPT1RfQ0FfU0hBMTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOHXZxa1rgfWxjoofJ+/FImTUkhQB7TwkWYf
+C87QRvotGYqurBtcTIazQI8aEyWebGO+t9dsqRSOh1j0HLFIFrvNhpV08MYoNDce
+8/HKNnSek+scMgjbBH7RQ4PR+2QNs8dZAUGyXQ5j+wilHOKFhGHwzAKsAN3Nre8c
++s0HPa6a4zmOc3bQVUgYqEYwZuDl5pyQGaC9xpZPoFYHruJhFZVHAvLB1IT6KY4h
+Lg/uK+d0F7UOUH7PigGZsHBiQz7lbJHfJPj6y10HLKedov6QTGwL9NYPD6wT1NBS
+jbOpFs0jWPxSEFpBnPWltflh4Y9Or9nYnwQa8/HPpVg+aQPIyXcCAwEAAaOBijCB
+hzB3BgNVHSMEcDBuoWGkXzBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTAL
+BgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEVMBMGA1UE
+AwwMUk9PVF9DQV9TSEExggkA8Tu3+yg/UgkwDAYDVR0TBAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJHSUCn2BYhbtTg/iGQa9i3rkNWNMc+w6RdcqjIDma9kmfXif
+azb5/ZT3rIY8DpVmgPMLkw9ECgV22R3GN2/qArkp6ZYR0eYecJUxdyLtPJatn3SM
+QfVER6JO1FiGkjE2lJAFnZQWjPjIGHtF3ElFU2MGu8apM3L+SHsOIYnibEQpPBBl
+xn2ObMuV6qGuO8ESmM65yJgSDaynvTHMqqxRtKczW2AN1u3gKVop9fzgJ9t3iP1Z
+DAJw2PQdiYgTlFVbd6OmjhiauIJbZCeM7xBq3+39pLUrRA9fiQgVSN+wEwh8CMwH
+6rimF6s1ZQcsueya0B/nuac2niT3cxDgcGx4bg==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbXbqJwTisc3wF
+Z6MYWonNxMsWBfNfwFB/KLQfEfZ+phvReORvJZ5lVT/1gTVs5/QhREU0qW48OxyM
+NXKgkcBZGLkRvVlDaOEcbTIDa4PYf7rnsTtU8DWYuyqqmeBnJ2ViKJ3ZGA750ctm
+ZsDZlWdwE5iCqX3hA/pfHGu+CNiW2jWSulookdIPqdJeLiwgnntm5tZFxoZ9hD1h
+J88iRqmqpS4joYXPxUNxfJ49Nx4iRfrx7HpyUVg3i5Q2q/AVuVSwbbPfNaQrG71V
+EbK0K7EjtL8Gw8DCS8Gvr0ApIpabA644BueWA9skjns9lvfSuH76Y5e2nHGJiOz7
+LWMFV24LAgMBAAECggEAD546u7gQCucl+1SHniJEEWxjcSv3SeftU0BYoqWqwRWe
+gWl0Ch3Jizlollger6RME1pC+x7dBFjJDYp4oMn/wdgqxQKQKmZ7MITtvKSY/H8L
+lZdevAtmJXud7AuMmIuLglOV+XDnEA5Jxv6l2Ff0x1v9zb+3gJ/B4aeqXBtRIFxD
+CfCcvcN1Bl+jj2fvS8iRrqofGa6DGXZVZvtIVjIvJnR1YBVMVYBNs6kcscM5Nblr
+PJFDDsg+Ph7hq5gpwj7pyb4e54sn06pdfBLgGkHJ82tCNkc+f4Ee2M7MoS//m4IC
+ajV+xht4REHuB7h5GM50TF5Gziianyc3g8//M7sC8QKBgQD7tvSzJK1N0w9NPK1e
+Q5zfEWxU1c7dJ/hr81OpvEzUut1vZeKT1mydtA0YJftDTFTXe5fsPKNTIrL4BWUw
+PLa3jWQNNDSLDNhdoqKrno+017pD7+p8G8x3AfyHxn6x2Shoz0jHTnGf+Q0vnvdT
+ZTFpWU+3J8Wp4+1Nx2lwGGEJXwKBgQDfGcnk/fTSs/QQNgzkC1HaQ35b66eEBwK3
+yi8KNsNxDByvdYGxaK/tLRiZIsKMxAV+3jebfA4WSgDkenmzGLn4gYUr5gkkmEW5
+irETT+HDK8LeM2iIbCROactwu3ytJrgpaoDXxRbDsGCUf98hjz1JDCR94wjGH78H
+K3Pmbm6e1QKBgEIuTVIYj5RJrNlC3dZN8p3Xx+LaQER3cOJ5HIMhJhY8d2IFqLf0
+BaTFJTg3LEP6esgZD82l988w7Vs2l+9B10yVWTv7gOEaZHzh+OEklGYY3jlkiANP
+j8eudwX/02nRTcWY0mrMniVQZv4hTqfXkFFBkSr3wwmzCr6LcpZtYn4DAoGBAIEm
+2bTBu1/aoxhbYd0GHI1g8x5dbm1E7bLdzZt5Fm00GMsOGFVOiEGiEJJeCAgbVh8a
+n1BYYYNPtfKOYDNoxgfxWtmN4o8Xw41kl5vZa5VjmPyu//2xtNbb8dTCBKvsNUJs
+kEfYpZQFX/O3jsFLvauy5tElhCfFqv2IjyC/nzQ9AoGBAJLCz62crl/AXqArSnAH
+efX9ozrNMJMQDMDtw5xB/EqRMazmTlqkYr0H4iTS69QNAPr8czdmpY6uO6BRE9+/
+f/tWZXQj7eT8pd1Dp2Ed1vHsOfiAUha0cYUMrqshsqKNXrCxl7144iRGZY7OjFI1
+USqVVNaci2IrtW5+NGV62BYP
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            84:a1:70:1d:0a:92:d3:cc
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:02 2017 GMT
+            Not After : Mar 28 04:51:02 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:db:5d:ba:89:c1:38:ac:73:7c:05:67:a3:18:5a:
+                    89:cd:c4:cb:16:05:f3:5f:c0:50:7f:28:b4:1f:11:
+                    f6:7e:a6:1b:d1:78:e4:6f:25:9e:65:55:3f:f5:81:
+                    35:6c:e7:f4:21:44:45:34:a9:6e:3c:3b:1c:8c:35:
+                    72:a0:91:c0:59:18:b9:11:bd:59:43:68:e1:1c:6d:
+                    32:03:6b:83:d8:7f:ba:e7:b1:3b:54:f0:35:98:bb:
+                    2a:aa:99:e0:67:27:65:62:28:9d:d9:18:0e:f9:d1:
+                    cb:66:66:c0:d9:95:67:70:13:98:82:a9:7d:e1:03:
+                    fa:5f:1c:6b:be:08:d8:96:da:35:92:ba:5a:28:91:
+                    d2:0f:a9:d2:5e:2e:2c:20:9e:7b:66:e6:d6:45:c6:
+                    86:7d:84:3d:61:27:cf:22:46:a9:aa:a5:2e:23:a1:
+                    85:cf:c5:43:71:7c:9e:3d:37:1e:22:45:fa:f1:ec:
+                    7a:72:51:58:37:8b:94:36:ab:f0:15:b9:54:b0:6d:
+                    b3:df:35:a4:2b:1b:bd:55:11:b2:b4:2b:b1:23:b4:
+                    bf:06:c3:c0:c2:4b:c1:af:af:40:29:22:96:9b:03:
+                    ae:38:06:e7:96:03:db:24:8e:7b:3d:96:f7:d2:b8:
+                    7e:fa:63:97:b6:9c:71:89:88:ec:fb:2d:63:05:57:
+                    6e:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         3f:f2:91:96:59:da:c1:8a:8c:4d:eb:25:1f:74:87:6f:fc:2e:
+         92:7e:44:ff:a7:0b:78:aa:6d:2b:fe:b8:0a:b9:e9:bc:19:87:
+         44:15:e1:3a:e4:54:e6:4b:54:3c:75:d9:f8:c9:07:83:74:f4:
+         4c:ab:e4:6b:19:64:b6:4b:69:44:6e:74:f6:66:cf:16:43:8f:
+         9c:cb:20:e4:7a:5e:78:13:00:6f:28:78:8d:c5:05:46:a9:92:
+         0f:d0:38:c3:8b:0e:39:d4:87:e9:ee:35:07:78:dd:1a:1a:8c:
+         3a:36:56:4e:3b:96:7a:d1:2c:29:95:06:29:ac:b2:f7:5c:fc:
+         09:1c:72:24:e2:9e:72:bf:60:3a:7a:9b:59:35:48:6a:d2:3e:
+         76:7f:ad:41:45:a5:6f:93:96:10:c4:4c:cf:3f:f1:1d:00:5f:
+         d1:60:f1:88:86:d8:ef:ff:72:63:8f:4c:df:9e:35:cb:17:2c:
+         16:7b:d4:6c:0e:67:b6:ee:bc:68:07:b0:99:df:c5:f3:88:28:
+         a1:46:bb:6d:f5:2c:45:6b:e9:90:c0:78:35:20:73:14:5a:d0:
+         a5:56:cb:04:f4:43:a7:cf:28:f5:a3:5b:ac:f2:a3:4c:f6:39:
+         3c:ef:f4:b1:42:20:8e:2a:14:0d:a1:b4:38:b2:f2:6c:14:33:
+         05:04:bb:a7
+-----BEGIN CERTIFICATE-----
+MIID3jCCAsagAwIBAgIJAIShcB0KktPMMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDJaFw0yNzAzMjgwNDUxMDJaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9DQV9TSEEyNTYwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbXbqJwTisc3wFZ6MYWonNxMsWBfNf
+wFB/KLQfEfZ+phvReORvJZ5lVT/1gTVs5/QhREU0qW48OxyMNXKgkcBZGLkRvVlD
+aOEcbTIDa4PYf7rnsTtU8DWYuyqqmeBnJ2ViKJ3ZGA750ctmZsDZlWdwE5iCqX3h
+A/pfHGu+CNiW2jWSulookdIPqdJeLiwgnntm5tZFxoZ9hD1hJ88iRqmqpS4joYXP
+xUNxfJ49Nx4iRfrx7HpyUVg3i5Q2q/AVuVSwbbPfNaQrG71VEbK0K7EjtL8Gw8DC
+S8Gvr0ApIpabA644BueWA9skjns9lvfSuH76Y5e2nHGJiOz7LWMFV24LAgMBAAGj
+gYwwgYkweQYDVR0jBHIwcKFjpGEwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFzAV
+BgNVBAMMDlJPT1RfQ0FfU0hBMjU2ggkAo1Kdgm/dxh0wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAP/KRllnawYqMTeslH3SHb/wukn5E/6cLeKptK/64
+CrnpvBmHRBXhOuRU5ktUPHXZ+MkHg3T0TKvkaxlktktpRG509mbPFkOPnMsg5Hpe
+eBMAbyh4jcUFRqmSD9A4w4sOOdSH6e41B3jdGhqMOjZWTjuWetEsKZUGKayy91z8
+CRxyJOKecr9gOnqbWTVIatI+dn+tQUWlb5OWEMRMzz/xHQBf0WDxiIbY7/9yY49M
+3541yxcsFnvUbA5ntu68aAewmd/F84gooUa7bfUsRWvpkMB4NSBzFFrQpVbLBPRD
+p88o9aNbrPKjTPY5PO/0sUIgjioUDaG0OLLybBQzBQS7pw==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDhROyqYZ5UdQJ0
+xJdG4B+aXPHbIKV0w5AvJ7r4SuvIJ/4pEmV6fIU3+4CvN2sXKzW+0DppOBz99Oe6
+19jfMAx5t0pKHkwh5J0bduLf1k83lm8CvoX1a9lYY6ER4Y8wWtTcHG016onl8Lxq
+QVqlqbk9zsbNipvWxipIQOgzq7DmTXQ2Hrx0tg4DROlgwuarPBWcZjq6dG09nI0E
+zSY/Wis619L/6sdCxGFhvnJ0YbULvIqdR2J638KEO+rx1RXD66Jqc0KhnGZLf7NT
+YfTlY0zIMHE8oMkJPdH9tPKbyXMXhiG/u5x81RcJxT4gLi5fq2yrvMsaUC13bnJJ
+npFNy6XTAgMBAAECggEAPS4h9Jg0jw2EUEBAMaCXFK5fhTrVlOO0Ggp5TgvTA3ZR
+Ich8RQrih3TH2056yD0VCLC23HK/9Pz5npYWsW70RG5SP9UAqkfTn2znaxFiTF+P
+4Lfr296hlc7hJOEUqXZRz0HtKzJ6pzd9hIIhY1K4G6A4AATAFFGXlC4Eolvj3Hf0
+NgVFDYaFDEpEiin+fAsM5c1ZE0pxRZSVE5Emr9XvkvxLm5dK9lKOyyOQ+5RHhxQ6
+J4n+6Ct0O+FkeP9u3jTMtew9gxTwvHSgkf05hSRoqgMKcusKpqhHp6E4mT7sus7q
+AYzdv5sNIcx7PpojuHjploMH7ghhYxCmVOOFxXJ4CQKBgQD2naA8zZnh5BfbVC8p
+C9A6HfwnZ7cCjGtL30y8fh8OAMHbdGE4JXlhifPgW7PDxZ0Yho4rYd9MxLVcGl+p
+YPOKKcaKbzwdUJwZ4Zs1dJC+LTRqku6O3qlEofeojHN5IctLoLqDsiZBD7aT4l+O
+wmAWqwLZZQtiFpA/jbCb/Qw7tQKBgQDp11rFSHLKuVdMuSnUon3WN6lj9WNM3KFy
+C8R4EN/DTnuHrVL0MCff9eddBYvpQe0z/LA74oAD9fSjmtYe/24qIm2lAWVkwxBm
+yyspUmOybU8Q3GN8xw1Vrwg8JR5JVAOwKHwCGmybT7Zs+9eJRONnnZ6nUbTQ94cP
+sJVkyGUgZwKBgQCd/0CAk+xpl1tdbiLEtkfSZBF/IWhTXqkDM+2SuW6l5wBL29TJ
+RuDsB5jR/Y4+96T86H++9XY9Va0nc9IjzvRYaQlE+ZzW3yUTQ8HPTn3JCWcSfE4Q
+BEEHsojbWBhG28rGChRUeVceybVcK2SzLn6nJyqtIppXXkNOJDWoykcDHQKBgHzY
+27+k1JTjq3ZtDaZXMvQiN7AEnYW17gRjv/uSlsVBq7ZelYGGDGQIeAQ0J+Tbq/cr
+nDP80/hJYtnOmy9llL2uL/f+7NGFS8Z2Bo9DS7NBpQsNf5ho9fefQbhK4Qapcmak
+1sCQtxec0XsSYpsJSphRkRkoCG/hGB0KXFi4nTVVAoGAJrrh1rG1UMXmFUpraXIy
+Mc58lEYB87EkMOthyK8XklxLoYKPZlVS7AZZDtQMpRC6YnweiX6LmO4AamtlT71x
+BzQgmwHn4wOaysDPHFuf5hNCobXJREoiNzHb4AcqiZ7SNAW5Jd+0/PSY47hrDnRy
+wNFyg3O0k3kaXz5h3lVhxo4=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f1:3b:b7:fb:28:3f:52:09
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:01 2017 GMT
+            Not After : Mar 28 04:51:01 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e1:44:ec:aa:61:9e:54:75:02:74:c4:97:46:e0:
+                    1f:9a:5c:f1:db:20:a5:74:c3:90:2f:27:ba:f8:4a:
+                    eb:c8:27:fe:29:12:65:7a:7c:85:37:fb:80:af:37:
+                    6b:17:2b:35:be:d0:3a:69:38:1c:fd:f4:e7:ba:d7:
+                    d8:df:30:0c:79:b7:4a:4a:1e:4c:21:e4:9d:1b:76:
+                    e2:df:d6:4f:37:96:6f:02:be:85:f5:6b:d9:58:63:
+                    a1:11:e1:8f:30:5a:d4:dc:1c:6d:35:ea:89:e5:f0:
+                    bc:6a:41:5a:a5:a9:b9:3d:ce:c6:cd:8a:9b:d6:c6:
+                    2a:48:40:e8:33:ab:b0:e6:4d:74:36:1e:bc:74:b6:
+                    0e:03:44:e9:60:c2:e6:ab:3c:15:9c:66:3a:ba:74:
+                    6d:3d:9c:8d:04:cd:26:3f:5a:2b:3a:d7:d2:ff:ea:
+                    c7:42:c4:61:61:be:72:74:61:b5:0b:bc:8a:9d:47:
+                    62:7a:df:c2:84:3b:ea:f1:d5:15:c3:eb:a2:6a:73:
+                    42:a1:9c:66:4b:7f:b3:53:61:f4:e5:63:4c:c8:30:
+                    71:3c:a0:c9:09:3d:d1:fd:b4:f2:9b:c9:73:17:86:
+                    21:bf:bb:9c:7c:d5:17:09:c5:3e:20:2e:2e:5f:ab:
+                    6c:ab:bc:cb:1a:50:2d:77:6e:72:49:9e:91:4d:cb:
+                    a5:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         0b:be:7b:c7:53:14:87:37:02:66:37:f5:6f:38:3c:75:b3:72:
+         f6:f8:9c:77:4d:9a:e4:5c:23:3a:4a:5f:aa:6e:90:23:e9:b8:
+         48:fd:6d:e1:88:b5:a2:a5:0a:30:c0:7d:33:a8:6f:79:42:52:
+         80:f8:87:4b:2a:15:0a:ff:14:88:97:21:12:89:1c:d3:33:bf:
+         fa:4f:5e:68:9a:c6:69:2f:aa:1d:31:aa:80:f5:b0:d3:72:c9:
+         fa:ce:3b:5f:15:a6:61:e0:f1:d1:ab:e7:40:48:c1:d4:30:bd:
+         0a:13:37:0d:ea:ac:38:b2:af:1b:78:3a:29:53:ee:90:71:3b:
+         2b:a4:8b:16:e9:da:94:59:44:3d:7f:34:fb:0a:d1:6b:db:3d:
+         66:01:a6:0f:98:b5:cc:57:39:b9:09:f2:01:cc:e5:89:86:7d:
+         f2:9a:b2:ad:08:3d:da:05:f9:24:1e:30:98:cc:92:a9:4c:4a:
+         cf:a3:53:6e:7f:5e:db:aa:43:9c:ac:b1:b5:80:ab:7e:a3:89:
+         71:37:c2:4a:c1:16:9d:26:d5:70:89:8a:8e:a8:cb:40:3b:b8:
+         f0:d2:31:54:c2:1f:fc:24:5e:29:c1:5e:86:48:1e:83:4e:44:
+         30:ff:8d:46:47:b6:0e:9c:77:bf:ba:08:8b:bd:eb:b7:ca:45:
+         0a:e3:0c:ec
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIJAPE7t/soP1IJMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTAxWhcNMjcwMzI4MDQ1MTAxWjBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEV
+MBMGA1UEAwwMUk9PVF9DQV9TSEExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4UTsqmGeVHUCdMSXRuAfmlzx2yCldMOQLye6+ErryCf+KRJlenyFN/uA
+rzdrFys1vtA6aTgc/fTnutfY3zAMebdKSh5MIeSdG3bi39ZPN5ZvAr6F9WvZWGOh
+EeGPMFrU3BxtNeqJ5fC8akFapam5Pc7GzYqb1sYqSEDoM6uw5k10Nh68dLYOA0Tp
+YMLmqzwVnGY6unRtPZyNBM0mP1orOtfS/+rHQsRhYb5ydGG1C7yKnUdiet/ChDvq
+8dUVw+uianNCoZxmS3+zU2H05WNMyDBxPKDJCT3R/bTym8lzF4Yhv7ucfNUXCcU+
+IC4uX6tsq7zLGlAtd25ySZ6RTcul0wIDAQABo4GKMIGHMHcGA1UdIwRwMG6hYaRf
+MF0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoG
+A1UECgwDT3JnMQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTGC
+CQDxO7f7KD9SCTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQALvnvH
+UxSHNwJmN/VvODx1s3L2+Jx3TZrkXCM6Sl+qbpAj6bhI/W3hiLWipQowwH0zqG95
+QlKA+IdLKhUK/xSIlyESiRzTM7/6T15omsZpL6odMaqA9bDTcsn6zjtfFaZh4PHR
+q+dASMHUML0KEzcN6qw4sq8beDopU+6QcTsrpIsW6dqUWUQ9fzT7CtFr2z1mAaYP
+mLXMVzm5CfIBzOWJhn3ymrKtCD3aBfkkHjCYzJKpTErPo1Nuf17bqkOcrLG1gKt+
+o4lxN8JKwRadJtVwiYqOqMtAO7jw0jFUwh/8JF4pwV6GSB6DTkQw/41GR7YOnHe/
+ugiLveu3ykUK4wzs
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2DzrIXts3huIs
+dtX+ZbY6RR5/S4yXUs3jJXc4mbITLn7PO1QVBT528NZVOu6jUxXsPTpTg1jgresh
+6Pcv1LNj7bP30uPXhmyawgQVUgLTGyU0+JWLJrpU7cEOTK4f/j58A+UHL255fM7T
+B3EvIj2Ad1MAYwIvVZnAXPSFt72YGz15doYiewp8dTXcX4TsFisCbypFikWxpXIF
+qjVqbAUx8fYgQxfPWFw4HbVvo3Nu1LqypswAfsmHd2v5nMv8wkAcPG5dIYHACN9r
+kPLMoUNUcBLn6QdIUrhk7dldRlR0TWT+VtRLKVWlGkMk9rRK+RnskNSuPg8fjb/Y
+gM0m5p0JAgMBAAECggEAPVk8cbClJjzpkhopWiRkF5abBEItCgD5KAXD+uqvuw77
+5FEVsE+oEORvFSFasOaaiJTJRsMH/A4fIbojMZb3LEE5V9VUuZeumSevwI92LDUF
+gKgTnGRcfanwWCU2t8kwvRGC57zv+Tg5aZskZMGg/901tvemENVDjjLEoxqbZNmX
+WZnhB8XiPxl9K32K0l+qNW3HvKJ8lkaW0L6/4HWWU4rYwbc9TZpzHDOXhAICQB76
+fCw4hcy1K6KjfGjfE/6afqMa76KSxxeCvUYorZlm2gk1WcEafkg9Jwzz2SWtsa8W
+L+YzbTd1GE8Z9bDA88Dw3vgdC1Pt0ywX/fJ/GCDHUQKBgQDjNaW/enKYXGTsM5C1
+I94OgSmgnjnjPZIBY0u89iCAf07ueqrNaLJgOEkGpCrLEa4tC2qc57ge1DO2rxTa
+6RowUzqG3Oqdsq21QaQZAmjjDC5mXlYPRpWvWVjBRaIDKw9zAUg9qEy24e/pRjdP
+cugR30d1OaxExdgoAt8iOqZ67wKBgQDNIPqF/+npd1UAqgdC9lOxnPQly1zjz/zY
+jbeJeww9Ut9aCXj0+we4gKhD37d178y1H2QBod+IPpqQ/uZmbNmN5JP+MIk2kZKB
+4jquQLa5jEc+y57h8UrWJBY+Ls7xiu/cw3aCAk0JaZRSrH/KzWE91x3s7o2yV43d
+dMkRmTTHhwKBgQCHaq4C1WP/UvIDpSgWDe6HDoxU4nj16vheQ2Qcl0T/0OCmWg36
+pu/JUUKU5rtqlHsO9cLxCVo/ZZH8y5TOdCfbrX8wafKbUqcdZKX9EeaZi+ULtiXs
+rNEB1WqEpo/M+5kVnioENY6jYT2v9t14SK/wFvdr8pet1YzjK/L5X6NhmQKBgFK4
+0u7I9k61Ve0vpEAH0FaXIgo/yZUBYkj+VZ62pYfxbKsFmObKeSGZmMHObVC9RMNi
+BlV2LwvlmzWP5eA2U0GahWgDsMH10KxaTCnLZSTMgkq7mLYrNW/IG8Q14jScQAC6
+PodNYD3EexEgCWUCkA19O885oKDkGAzPtOpI63TvAoGBAJvbKiJSFJNd3CIQlrOM
+wNw+Sww+c2Qw4PZZvIJNzjWumjesfUsuAyySrO2nXPzzSOrh7dRW98suaFi1Mih6
+ZwBpIll5VQsd2dwEa6vp6RFGWFNKPvDILEVgcCEOmckKRWDo+fb5bx2VHj1v4kfG
+MHDqy8Y2ercsU0Z5mEN8bUD7
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer	Mon Jun 26 22:23:36 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            a3:52:9d:82:6f:dd:c6:1d
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:01 2017 GMT
+            Not After : Mar 28 04:51:01 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:0f:3a:c8:5e:db:37:86:e2:2c:76:d5:fe:65:
+                    b6:3a:45:1e:7f:4b:8c:97:52:cd:e3:25:77:38:99:
+                    b2:13:2e:7e:cf:3b:54:15:05:3e:76:f0:d6:55:3a:
+                    ee:a3:53:15:ec:3d:3a:53:83:58:e0:ad:eb:21:e8:
+                    f7:2f:d4:b3:63:ed:b3:f7:d2:e3:d7:86:6c:9a:c2:
+                    04:15:52:02:d3:1b:25:34:f8:95:8b:26:ba:54:ed:
+                    c1:0e:4c:ae:1f:fe:3e:7c:03:e5:07:2f:6e:79:7c:
+                    ce:d3:07:71:2f:22:3d:80:77:53:00:63:02:2f:55:
+                    99:c0:5c:f4:85:b7:bd:98:1b:3d:79:76:86:22:7b:
+                    0a:7c:75:35:dc:5f:84:ec:16:2b:02:6f:2a:45:8a:
+                    45:b1:a5:72:05:aa:35:6a:6c:05:31:f1:f6:20:43:
+                    17:cf:58:5c:38:1d:b5:6f:a3:73:6e:d4:ba:b2:a6:
+                    cc:00:7e:c9:87:77:6b:f9:9c:cb:fc:c2:40:1c:3c:
+                    6e:5d:21:81:c0:08:df:6b:90:f2:cc:a1:43:54:70:
+                    12:e7:e9:07:48:52:b8:64:ed:d9:5d:46:54:74:4d:
+                    64:fe:56:d4:4b:29:55:a5:1a:43:24:f6:b4:4a:f9:
+                    19:ec:90:d4:ae:3e:0f:1f:8d:bf:d8:80:cd:26:e6:
+                    9d:09
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6f:2f:a4:56:d5:58:6d:20:74:6b:66:b7:41:eb:c2:8c:56:2e:
+         1b:51:79:b0:07:a6:63:28:8b:20:40:b9:72:4b:f5:e0:6b:18:
+         39:5b:b4:ae:50:58:25:81:86:e3:19:ec:b1:dd:fb:5c:f5:d4:
+         a8:7d:a0:50:46:ac:1e:80:dc:cc:aa:0c:61:f8:a3:41:af:03:
+         35:a4:02:4f:23:c7:5c:36:26:90:fe:51:07:58:0f:e7:14:26:
+         34:c2:a7:bd:f2:34:33:cf:67:e4:2d:82:b6:e8:94:85:d6:8b:
+         01:6f:ba:3d:78:f6:db:3d:dc:ba:6e:6d:83:fa:ea:d0:60:ab:
+         1b:ad:9b:e2:ba:e3:e3:9f:26:5b:9a:c7:fb:9f:c1:7d:cc:0b:
+         cf:23:e0:ac:e1:e4:09:08:84:98:d4:6e:16:34:a5:5e:74:d5:
+         a8:61:e1:65:f7:9a:51:9f:f0:9f:86:65:ce:4f:b8:b6:64:7d:
+         86:62:21:ec:71:50:70:ca:6b:2e:74:12:51:b1:68:b0:4a:66:
+         19:60:e9:f8:b0:bf:6e:d8:ad:75:29:c3:31:13:73:01:3d:d5:
+         d4:5b:c2:60:bb:c4:c8:e6:29:cf:a3:49:65:8d:c2:1d:7d:c9:
+         75:33:9b:97:73:38:99:5c:7d:b3:9f:b0:be:0d:f4:6a:c6:19:
+         8d:98:a1:ca
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAragAwIBAgIJAKNSnYJv3cYdMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDFaFw0yNzAzMjgwNDUxMDFaMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALYPOshe2zeG4ix21f5ltjpFHn9LjJdSzeMldziZshMufs87VBUF
+Pnbw1lU67qNTFew9OlODWOCt6yHo9y/Us2Pts/fS49eGbJrCBBVSAtMbJTT4lYsm
+ulTtwQ5Mrh/+PnwD5Qcvbnl8ztMHcS8iPYB3UwBjAi9VmcBc9IW3vZgbPXl2hiJ7
+Cnx1NdxfhOwWKwJvKkWKRbGlcgWqNWpsBTHx9iBDF89YXDgdtW+jc27UurKmzAB+
+yYd3a/mcy/zCQBw8bl0hgcAI32uQ8syhQ1RwEufpB0hSuGTt2V1GVHRNZP5W1Esp
+VaUaQyT2tEr5GeyQ1K4+Dx+Nv9iAzSbmnQkCAwEAAaOBjDCBiTB5BgNVHSMEcjBw
+oWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkx
+DDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9DQV9T
+SEEyNTaCCQCjUp2Cb93GHTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
+AQBvL6RW1VhtIHRrZrdB68KMVi4bUXmwB6ZjKIsgQLlyS/Xgaxg5W7SuUFglgYbj
+Geyx3ftc9dSofaBQRqwegNzMqgxh+KNBrwM1pAJPI8dcNiaQ/lEHWA/nFCY0wqe9
+8jQzz2fkLYK26JSF1osBb7o9ePbbPdy6bm2D+urQYKsbrZviuuPjnyZbmsf7n8F9
+zAvPI+Cs4eQJCISY1G4WNKVedNWoYeFl95pRn/CfhmXOT7i2ZH2GYiHscVBwymsu
+dBJRsWiwSmYZYOn4sL9u2K11KcMxE3MBPdXUW8Jgu8TI5inPo0lljcIdfcl1M5uX
+cziZXH2zn7C+DfRqxhmNmKHK
+-----END CERTIFICATE-----