changeset 13383:d1d759924a53 jdk8u202-b04

Merge
author aefimov
date Thu, 08 Nov 2018 18:48:19 +0000
parents 8074df94875b 02cfe7f5d619
children 73c9f1fc9b13
files .hgtags src/share/classes/sun/nio/ch/FileChannelImpl.java src/solaris/native/java/net/net_util_md.c src/solaris/native/sun/awt/awt_UNIXToolkit.c test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64 test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh
diffstat 51 files changed, 1683 insertions(+), 863 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Wed Nov 07 05:14:12 2018 -0800
+++ b/.hgtags	Thu Nov 08 18:48:19 2018 +0000
@@ -915,6 +915,7 @@
 22e01e7c5c39bfa3f5e2d18be76c7bf0dc71033a jdk8u181-b12
 0cb452d66676bc1b3824bea4a0c16ac76e58b070 jdk8u181-b13
 b01c6e5aa43c784fc66465b56227ddd9aa29eee6 jdk8u191-b01
+2db6890a956723ac347b573217d91bbbedbb0528 jdk8u201-b00
 2db6890a956723ac347b573217d91bbbedbb0528 jdk8u191-b02
 89e2889d02d2f5dabdeda7f60cf80a8df3100eb4 jdk8u191-b03
 94e4769c6d69241f9eb7164a85fc91fc83faab5c jdk8u191-b04
@@ -945,6 +946,16 @@
 2cd82eb879dd0f853dbfb7ffa2441e81e2413447 jdk8u192-b11
 f877dad22786f92aa495a595a1a4a16f0163c573 jdk8u192-b12
 996dd3ce1ec5437da8b5a742c60a5ff7b6028122 jdk8u192-b26
+38b4a5b97f38c467446f1767d148075ac98397d1 jdk8u181-b31
+d679861a9a1efc80e0671b1c6b870fcffbfb9d9c jdk8u181-b32
+078a06936ffe2db2a00e928f88c6e345a126985a jdk8u181-b33
+ecfdede1e6ddf37dcca415861ab031c18ec4b349 jdk8u181-b34
+ac943243eaf1cb3971b953d56527287ae3f8d223 jdk8u181-b35
+674963395b9f747e746af782f2f3ea7995385420 jdk8u181-b36
+92587df933606ff8f03c6073be6c4089211de2b3 jdk8u181-b37
+fbc886dd68cc0e2d877406f73a24bd332bf78244 jdk8u201-b01
+fbeb9b9cc0106ef9bd6b03a441c9a2e06db07bd9 jdk8u201-b02
+274162fd9a2334ac99157a87ff3caff9069e4a66 jdk8u201-b03
 9da3ff5cd435240bc4941bc1c2ca170c567e012f jdk8u202-b01
 478a4add975beb90696a4ead5f8fcd9c17fc1a83 jdk8u202-b02
 03719dd7706173821b51f42b20ac3cb040696a56 jdk8u202-b03
--- a/make/lib/NetworkingLibraries.gmk	Wed Nov 07 05:14:12 2018 -0800
+++ b/make/lib/NetworkingLibraries.gmk	Thu Nov 08 18:48:19 2018 +0000
@@ -75,7 +75,7 @@
     LDFLAGS_SUFFIX_linux := $(LIBDL) -ljvm -lpthread -ljava, \
     LDFLAGS_SUFFIX_aix := $(LIBDL) -ljvm -ljava,\
     LDFLAGS_SUFFIX_windows := ws2_32.lib jvm.lib secur32.lib iphlpapi.lib \
-        delayimp.lib $(WIN_JAVA_LIB) advapi32.lib \
+        delayimp.lib urlmon.lib $(WIN_JAVA_LIB) advapi32.lib \
         -DELAYLOAD:secur32.dll -DELAYLOAD:iphlpapi.dll, \
     VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
     RC_FLAGS := $(RC_FLAGS) \
--- a/src/share/classes/com/sun/crypto/provider/RSACipher.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/com/sun/crypto/provider/RSACipher.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -329,7 +329,7 @@
         if ((inLen == 0) || (in == null)) {
             return;
         }
-        if (bufOfs + inLen > buffer.length) {
+        if (inLen > (buffer.length - bufOfs)) {
             bufOfs = buffer.length + 1;
             return;
         }
--- a/src/share/classes/java/awt/Robot.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/java/awt/Robot.java	Thu Nov 08 18:48:19 2018 +0000
@@ -391,6 +391,7 @@
      * @return  Color of the pixel
      */
     public synchronized Color getPixelColor(int x, int y) {
+        checkScreenCaptureAllowed();
         Color color = new Color(peer.getRGBPixel(x, y));
         return color;
     }
--- a/src/share/classes/java/math/BigDecimal.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/java/math/BigDecimal.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,8 +29,8 @@
 
 package java.math;
 
+import static java.math.BigInteger.LONG_MASK;
 import java.util.Arrays;
-import static java.math.BigInteger.LONG_MASK;
 
 /**
  * Immutable, arbitrary-precision signed decimal numbers.  A
@@ -407,9 +407,12 @@
      * @since  1.5
      */
     public BigDecimal(char[] in, int offset, int len, MathContext mc) {
-        // protect against huge length.
-        if (offset + len > in.length || offset < 0)
-            throw new NumberFormatException("Bad offset or len arguments for char[] input.");
+        // protect against huge length, negative values, and integer overflow
+        if ((in.length | len | offset) < 0 || len > in.length - offset) {
+            throw new NumberFormatException
+                ("Bad offset or len arguments for char[] input.");
+        }
+
         // This is the primary string to BigDecimal constructor; all
         // incoming strings end up here; it uses explicit (inline)
         // parsing for speed and generates at most one intermediate
--- a/src/share/classes/java/math/BigInteger.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/java/math/BigInteger.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1161,6 +1161,14 @@
     private static final double LOG_TWO = Math.log(2.0);
 
     static {
+        assert 0 < KARATSUBA_THRESHOLD
+            && KARATSUBA_THRESHOLD < TOOM_COOK_THRESHOLD
+            && TOOM_COOK_THRESHOLD < Integer.MAX_VALUE
+            && 0 < KARATSUBA_SQUARE_THRESHOLD
+            && KARATSUBA_SQUARE_THRESHOLD < TOOM_COOK_SQUARE_THRESHOLD
+            && TOOM_COOK_SQUARE_THRESHOLD < Integer.MAX_VALUE :
+            "Algorithm thresholds are inconsistent";
+
         for (int i = 1; i <= MAX_CONSTANT; i++) {
             int[] magnitude = new int[1];
             magnitude[0] = i;
@@ -1482,6 +1490,18 @@
      * @return {@code this * val}
      */
     public BigInteger multiply(BigInteger val) {
+        return multiply(val, false);
+    }
+
+    /**
+     * Returns a BigInteger whose value is {@code (this * val)}.  If
+     * the invocation is recursive certain overflow checks are skipped.
+     *
+     * @param  val value to be multiplied by this BigInteger.
+     * @param  isRecursion whether this is a recursive invocation
+     * @return {@code this * val}
+     */
+    private BigInteger multiply(BigInteger val, boolean isRecursion) {
         if (val.signum == 0 || signum == 0)
             return ZERO;
 
@@ -1509,6 +1529,63 @@
             if ((xlen < TOOM_COOK_THRESHOLD) && (ylen < TOOM_COOK_THRESHOLD)) {
                 return multiplyKaratsuba(this, val);
             } else {
+                //
+                // In "Hacker's Delight" section 2-13, p.33, it is explained
+                // that if x and y are unsigned 32-bit quantities and m and n
+                // are their respective numbers of leading zeros within 32 bits,
+                // then the number of leading zeros within their product as a
+                // 64-bit unsigned quantity is either m + n or m + n + 1. If
+                // their product is not to overflow, it cannot exceed 32 bits,
+                // and so the number of leading zeros of the product within 64
+                // bits must be at least 32, i.e., the leftmost set bit is at
+                // zero-relative position 31 or less.
+                //
+                // From the above there are three cases:
+                //
+                //     m + n    leftmost set bit    condition
+                //     -----    ----------------    ---------
+                //     >= 32    x <= 64 - 32 = 32   no overflow
+                //     == 31    x >= 64 - 32 = 32   possible overflow
+                //     <= 30    x >= 64 - 31 = 33   definite overflow
+                //
+                // The "possible overflow" condition cannot be detected by
+                // examning data lengths alone and requires further calculation.
+                //
+                // By analogy, if 'this' and 'val' have m and n as their
+                // respective numbers of leading zeros within 32*MAX_MAG_LENGTH
+                // bits, then:
+                //
+                //     m + n >= 32*MAX_MAG_LENGTH        no overflow
+                //     m + n == 32*MAX_MAG_LENGTH - 1    possible overflow
+                //     m + n <= 32*MAX_MAG_LENGTH - 2    definite overflow
+                //
+                // Note however that if the number of ints in the result
+                // were to be MAX_MAG_LENGTH and mag[0] < 0, then there would
+                // be overflow. As a result the leftmost bit (of mag[0]) cannot
+                // be used and the constraints must be adjusted by one bit to:
+                //
+                //     m + n >  32*MAX_MAG_LENGTH        no overflow
+                //     m + n == 32*MAX_MAG_LENGTH        possible overflow
+                //     m + n <  32*MAX_MAG_LENGTH        definite overflow
+                //
+                // The foregoing leading zero-based discussion is for clarity
+                // only. The actual calculations use the estimated bit length
+                // of the product as this is more natural to the internal
+                // array representation of the magnitude which has no leading
+                // zero elements.
+                //
+                if (!isRecursion) {
+                    // The bitLength() instance method is not used here as we
+                    // are only considering the magnitudes as non-negative. The
+                    // Toom-Cook multiplication algorithm determines the sign
+                    // at its end from the two signum values.
+                    if (bitLength(mag, mag.length) +
+                        bitLength(val.mag, val.mag.length) >
+                        32L*MAX_MAG_LENGTH) {
+                        reportOverflow();
+                    }
+                }
+
                 return multiplyToomCook3(this, val);
             }
         }
@@ -1587,7 +1664,7 @@
         int ystart = ylen - 1;
 
         if (z == null || z.length < (xlen+ ylen))
-            z = new int[xlen+ylen];
+             z = new int[xlen+ylen];
 
         long carry = 0;
         for (int j=ystart, k=ystart+1+xstart; j >= 0; j--, k--) {
@@ -1709,16 +1786,16 @@
 
         BigInteger v0, v1, v2, vm1, vinf, t1, t2, tm1, da1, db1;
 
-        v0 = a0.multiply(b0);
+        v0 = a0.multiply(b0, true);
         da1 = a2.add(a0);
         db1 = b2.add(b0);
-        vm1 = da1.subtract(a1).multiply(db1.subtract(b1));
+        vm1 = da1.subtract(a1).multiply(db1.subtract(b1), true);
         da1 = da1.add(a1);
         db1 = db1.add(b1);
-        v1 = da1.multiply(db1);
+        v1 = da1.multiply(db1, true);
         v2 = da1.add(a2).shiftLeft(1).subtract(a0).multiply(
-             db1.add(b2).shiftLeft(1).subtract(b0));
-        vinf = a2.multiply(b2);
+             db1.add(b2).shiftLeft(1).subtract(b0), true);
+        vinf = a2.multiply(b2, true);
 
         // The algorithm requires two divisions by 2 and one by 3.
         // All divisions are known to be exact, that is, they do not produce
@@ -1884,6 +1961,17 @@
      * @return {@code this<sup>2</sup>}
      */
     private BigInteger square() {
+        return square(false);
+    }
+
+    /**
+     * Returns a BigInteger whose value is {@code (this<sup>2</sup>)}. If
+     * the invocation is recursive certain overflow checks are skipped.
+     *
+     * @param isRecursion whether this is a recursive invocation
+     * @return {@code this<sup>2</sup>}
+     */
+    private BigInteger square(boolean isRecursion) {
         if (signum == 0) {
             return ZERO;
         }
@@ -1896,6 +1984,15 @@
             if (len < TOOM_COOK_SQUARE_THRESHOLD) {
                 return squareKaratsuba();
             } else {
+                //
+                // For a discussion of overflow detection see multiply()
+                //
+                if (!isRecursion) {
+                    if (bitLength(mag, mag.length) > 16L*MAX_MAG_LENGTH) {
+                        reportOverflow();
+                    }
+                }
+
                 return squareToomCook3();
             }
         }
@@ -2046,13 +2143,13 @@
         a0 = getToomSlice(k, r, 2, len);
         BigInteger v0, v1, v2, vm1, vinf, t1, t2, tm1, da1;
 
-        v0 = a0.square();
+        v0 = a0.square(true);
         da1 = a2.add(a0);
-        vm1 = da1.subtract(a1).square();
+        vm1 = da1.subtract(a1).square(true);
         da1 = da1.add(a1);
-        v1 = da1.square();
-        vinf = a2.square();
-        v2 = da1.add(a2).shiftLeft(1).subtract(a0).square();
+        v1 = da1.square(true);
+        vinf = a2.square(true);
+        v2 = da1.add(a2).shiftLeft(1).subtract(a0).square(true);
 
         // The algorithm requires two divisions by 2 and one by 3.
         // All divisions are known to be exact, that is, they do not produce
@@ -2223,10 +2320,11 @@
         // The remaining part can then be exponentiated faster.  The
         // powers of two will be multiplied back at the end.
         int powersOfTwo = partToSquare.getLowestSetBit();
-        long bitsToShift = (long)powersOfTwo * exponent;
-        if (bitsToShift > Integer.MAX_VALUE) {
+        long bitsToShiftLong = (long)powersOfTwo * exponent;
+        if (bitsToShiftLong > Integer.MAX_VALUE) {
             reportOverflow();
         }
+        int bitsToShift = (int)bitsToShiftLong;
 
         int remainingBits;
 
@@ -2236,9 +2334,9 @@
             remainingBits = partToSquare.bitLength();
             if (remainingBits == 1) {  // Nothing left but +/- 1?
                 if (signum < 0 && (exponent&1) == 1) {
-                    return NEGATIVE_ONE.shiftLeft(powersOfTwo*exponent);
+                    return NEGATIVE_ONE.shiftLeft(bitsToShift);
                 } else {
-                    return ONE.shiftLeft(powersOfTwo*exponent);
+                    return ONE.shiftLeft(bitsToShift);
                 }
             }
         } else {
@@ -2283,13 +2381,16 @@
                 if (bitsToShift + scaleFactor <= 62) { // Fits in long?
                     return valueOf((result << bitsToShift) * newSign);
                 } else {
-                    return valueOf(result*newSign).shiftLeft((int) bitsToShift);
+                    return valueOf(result*newSign).shiftLeft(bitsToShift);
                 }
-            }
-            else {
+            } else {
                 return valueOf(result*newSign);
             }
         } else {
+            if ((long)bitLength() * exponent / Integer.SIZE > MAX_MAG_LENGTH) {
+                reportOverflow();
+            }
+
             // Large number algorithm.  This is basically identical to
             // the algorithm above, but calls multiply() and square()
             // which may use more efficient algorithms for large numbers.
@@ -2309,7 +2410,7 @@
             // Multiply back the (exponentiated) powers of two (quickly,
             // by shifting left)
             if (powersOfTwo > 0) {
-                answer = answer.shiftLeft(powersOfTwo*exponent);
+                answer = answer.shiftLeft(bitsToShift);
             }
 
             if (signum < 0 && (exponent&1) == 1) {
@@ -3434,7 +3535,7 @@
                      for (int i=1; i< len && pow2; i++)
                          pow2 = (mag[i] == 0);
 
-                     n = (pow2 ? magBitLength -1 : magBitLength);
+                     n = (pow2 ? magBitLength - 1 : magBitLength);
                  } else {
                      n = magBitLength;
                  }
--- a/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java	Thu Nov 08 18:48:19 2018 +0000
@@ -33,8 +33,7 @@
  * credentials without prompting) should only be tried with trusted sites.
  */
 public abstract class NTLMAuthenticationCallback {
-    private static volatile NTLMAuthenticationCallback callback =
-            new DefaultNTLMAuthenticationCallback();
+    private static volatile NTLMAuthenticationCallback callback;
 
     public static void setNTLMAuthenticationCallback(
             NTLMAuthenticationCallback callback) {
@@ -50,10 +49,5 @@
      * transparent Authentication.
      */
     public abstract boolean isTrustedSite(URL url);
-
-    static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
-        @Override
-        public boolean isTrustedSite(URL url) { return true; }
-    }
 }
 
--- a/src/share/classes/sun/nio/ch/FileChannelImpl.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/nio/ch/FileChannelImpl.java	Thu Nov 08 18:48:19 2018 +0000
@@ -551,11 +551,10 @@
     {
         // Untrusted target: Use a newly-erased buffer
         int c = Math.min(icount, TRANSFER_SIZE);
-        ByteBuffer bb = Util.getTemporaryDirectBuffer(c);
+        ByteBuffer bb = ByteBuffer.allocate(c);
         long tw = 0;                    // Total bytes written
         long pos = position;
         try {
-            Util.erase(bb);
             while (tw < icount) {
                 bb.limit(Math.min((int)(icount - tw), TRANSFER_SIZE));
                 int nr = read(bb, pos);
@@ -576,8 +575,6 @@
             if (tw > 0)
                 return tw;
             throw x;
-        } finally {
-            Util.releaseTemporaryDirectBuffer(bb);
         }
     }
 
@@ -661,11 +658,10 @@
     {
         // Untrusted target: Use a newly-erased buffer
         int c = (int)Math.min(count, TRANSFER_SIZE);
-        ByteBuffer bb = Util.getTemporaryDirectBuffer(c);
+        ByteBuffer bb = ByteBuffer.allocate(c);
         long tw = 0;                    // Total bytes written
         long pos = position;
         try {
-            Util.erase(bb);
             while (tw < count) {
                 bb.limit((int)Math.min((count - tw), (long)TRANSFER_SIZE));
                 // ## Bug: Will block reading src if this channel
@@ -686,8 +682,6 @@
             if (tw > 0)
                 return tw;
             throw x;
-        } finally {
-            Util.releaseTemporaryDirectBuffer(bb);
         }
     }
 
--- a/src/share/classes/sun/security/pkcs11/P11Signature.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/security/pkcs11/P11Signature.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -472,6 +472,10 @@
         if (len == 0) {
             return;
         }
+        // check for overflow
+        if (len + bytesProcessed < 0) {
+            throw new ProviderException("Processed bytes limits exceeded.");
+        }
         switch (type) {
         case T_UPDATE:
             try {
--- a/src/share/classes/sun/security/provider/DSA.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/security/provider/DSA.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -491,7 +491,7 @@
                 }
             }
             protected void engineUpdate(byte[] input, int offset, int len) {
-                if (ofs + len > digestBuffer.length) {
+                if (len > (digestBuffer.length - ofs)) {
                     ofs = Integer.MAX_VALUE;
                 } else {
                     System.arraycopy(input, offset, digestBuffer, ofs, len);
@@ -500,7 +500,7 @@
             }
             protected final void engineUpdate(ByteBuffer input) {
                 int inputLen = input.remaining();
-                if (ofs + inputLen > digestBuffer.length) {
+                if (inputLen > (digestBuffer.length - ofs)) {
                     ofs = Integer.MAX_VALUE;
                 } else {
                     input.get(digestBuffer, ofs, inputLen);
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java	Thu Nov 08 18:48:19 2018 +0000
@@ -29,6 +29,7 @@
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXBuilderParameters;
 import java.util.*;
+import java.util.stream.Collectors;
 import java.util.zip.*;
 import java.util.jar.*;
 import java.math.BigInteger;
@@ -101,6 +102,7 @@
     private static final String P11KEYSTORE = "PKCS11";
 
     private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
+    private static final long ONE_YEAR = 366*24*60*60*1000L;
 
     private static final DisabledAlgorithmConstraints DISABLED_CHECK =
             new DisabledAlgorithmConstraints(
@@ -111,6 +113,14 @@
     private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
             .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
 
+    static final String VERSION = "1.0";
+
+    static final int IN_KEYSTORE = 0x01;        // signer is in keystore
+    static final int IN_SCOPE = 0x02;
+    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
+    // signer is not in alias list
+    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
+
     // Attention:
     // This is the entry that get launched by the security tool jarsigner.
     public static void main(String args[]) throws Exception {
@@ -118,14 +128,6 @@
         js.run(args);
     }
 
-    static final String VERSION = "1.0";
-
-    static final int IN_KEYSTORE = 0x01;        // signer is in keystore
-    static final int IN_SCOPE = 0x02;
-    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
-                                                // signer is not in alias list
-    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
-
     X509Certificate[] certChain;    // signer's cert chain (when composing)
     PrivateKey privateKey;          // private key
     KeyStore store;                 // the keystore specified by -keystore
@@ -172,8 +174,16 @@
 
     // Informational warnings
     private boolean hasExpiringCert = false;
-    private boolean noTimestamp = false;
-    private Date expireDate = new Date(0L);     // used in noTimestamp warning
+    private boolean hasExpiringTsaCert = false;
+    private boolean noTimestamp = true;
+
+    // Expiration date. The value could be null if signed by a trusted cert.
+    private Date expireDate = null;
+    private Date tsaExpireDate = null;
+
+    // If there is a time stamp block inside the PKCS7 block file
+    boolean hasTimestampBlock = false;
+
 
     // Severe warnings.
 
@@ -186,6 +196,7 @@
 
     private int weakAlg = 0; // 1. digestalg, 2. sigalg, 4. tsadigestalg
     private boolean hasExpiredCert = false;
+    private boolean hasExpiredTsaCert = false;
     private boolean notYetValidCert = false;
     private boolean chainNotValidated = false;
     private boolean tsaChainNotValidated = false;
@@ -203,6 +214,7 @@
     private boolean seeWeak = false;
 
     PKIXBuilderParameters pkixParameters;
+    Set<X509Certificate> trustedCerts = new HashSet<>();
 
     public void run(String args[]) {
         try {
@@ -289,8 +301,8 @@
 
         if (strict) {
             int exitCode = 0;
-            if (weakAlg != 0 || chainNotValidated
-                    || hasExpiredCert || notYetValidCert || signerSelfSigned) {
+            if (weakAlg != 0 || chainNotValidated || hasExpiredCert
+                    || hasExpiredTsaCert || notYetValidCert || signerSelfSigned) {
                 exitCode |= 4;
             }
             if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
@@ -825,9 +837,6 @@
                 System.out.println(rb.getString("no.manifest."));
             }
 
-            // If there is a time stamp block inside the PKCS7 block file
-            boolean hasTimestampBlock = false;
-
             // Even if the verbose option is not specified, all out strings
             // must be generated so seeWeak can be updated.
             if (!digestMap.isEmpty()
@@ -913,8 +922,9 @@
             System.out.println();
 
             // If signer is a trusted cert or private entry in user's own
-            // keystore, it can be self-signed.
-            if (!aliasNotInStore) {
+            // keystore, it can be self-signed. Please note aliasNotInStore
+            // is always false when ~/.keystore is used.
+            if (!aliasNotInStore && keystore != null) {
                 signerSelfSigned = false;
             }
 
@@ -934,116 +944,7 @@
                     System.out.println(rb.getString("jar.is.unsigned"));
                 }
             } else {
-                boolean warningAppeared = false;
-                boolean errorAppeared = false;
-                if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
-                        notYetValidCert || chainNotValidated || hasExpiredCert ||
-                        hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) ||
-                        aliasNotInStore || notSignedByAlias || tsaChainNotValidated) {
-
-                    if (strict) {
-                        System.out.println(rb.getString("jar.verified.with.signer.errors."));
-                        System.out.println();
-                        System.out.println(rb.getString("Error."));
-                        errorAppeared = true;
-                    } else {
-                        System.out.println(rb.getString("jar.verified."));
-                        System.out.println();
-                        System.out.println(rb.getString("Warning."));
-                        warningAppeared = true;
-                    }
-
-                    if (weakAlg != 0) {
-                        // In fact, jarsigner verification did not catch this
-                        // since it has not read the JarFile content itself.
-                        // Everything is done with JarFile API.
-                    }
-
-                    if (badKeyUsage) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (badExtendedKeyUsage) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (badNetscapeCertType) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (hasUnsignedEntry) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
-                    }
-                    if (hasExpiredCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.has.expired."));
-                    }
-                    if (notYetValidCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
-                    }
-
-                    if (chainNotValidated) {
-                        System.out.println(String.format(
-                                rb.getString("This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1"),
-                                chainNotValidatedReason.getLocalizedMessage()));
-                    }
-
-                    if (tsaChainNotValidated) {
-                        System.out.println(String.format(
-                                rb.getString("This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1"),
-                                tsaChainNotValidatedReason.getLocalizedMessage()));
-                    }
-
-                    if (notSignedByAlias) {
-                        System.out.println(
-                                rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
-                    }
-
-                    if (aliasNotInStore) {
-                        System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
-                    }
-
-                    if (signerSelfSigned) {
-                        System.out.println(rb.getString(
-                                "This.jar.contains.entries.whose.signer.certificate.is.self.signed."));
-                    }
-                } else {
-                    System.out.println(rb.getString("jar.verified."));
-                }
-                if (hasExpiringCert || noTimestamp) {
-                    if (!warningAppeared) {
-                        System.out.println();
-                        System.out.println(rb.getString("Warning."));
-                        warningAppeared = true;
-                    }
-                    if (hasExpiringCert) {
-                        System.out.println(rb.getString(
-                                "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
-                    }
-                    if (noTimestamp) {
-                        if (hasTimestampBlock) {
-                            // JarSigner API has not seen the timestamp,
-                            // might have ignored it due to weak alg, etc.
-                            System.out.println(
-                                    String.format(rb.getString("bad.timestamp.verifying"), expireDate));
-                        } else {
-                            System.out.println(
-                                    String.format(rb.getString("no.timestamp.verifying"), expireDate));
-                        }
-                    }
-                }
-                if (warningAppeared || errorAppeared) {
-                    if (! (verbose != null && showcerts)) {
-                        System.out.println();
-                        System.out.println(rb.getString(
-                                "Re.run.with.the.verbose.and.certs.options.for.more.details."));
-                    }
-                }
+                displayMessagesAndResult(false);
             }
             return;
         } catch (Exception e) {
@@ -1060,6 +961,230 @@
         System.exit(1);
     }
 
+    private void displayMessagesAndResult(boolean isSigning) {
+        String result;
+        List<String> errors = new ArrayList<>();
+        List<String> warnings = new ArrayList<>();
+        List<String> info = new ArrayList<>();
+
+        boolean signerNotExpired = expireDate == null
+                || expireDate.after(new Date());
+
+        if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
+                notYetValidCert || chainNotValidated || hasExpiredCert ||
+                hasUnsignedEntry || signerSelfSigned || (weakAlg != 0) ||
+                aliasNotInStore || notSignedByAlias ||
+                tsaChainNotValidated ||
+                (hasExpiredTsaCert && !signerNotExpired)) {
+
+            if (strict) {
+                result = rb.getString(isSigning
+                        ? "jar.signed.with.signer.errors."
+                        : "jar.verified.with.signer.errors.");
+            } else {
+                result = rb.getString(isSigning
+                        ? "jar.signed."
+                        : "jar.verified.");
+            }
+
+            if (badKeyUsage) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."
+                        : "This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
+            }
+
+            if (badExtendedKeyUsage) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."
+                        : "This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
+            }
+
+            if (badNetscapeCertType) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."
+                        : "This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
+            }
+
+            // only in verifying
+            if (hasUnsignedEntry) {
+                errors.add(rb.getString(
+                        "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
+            }
+            if (hasExpiredCert) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.certificate.has.expired."
+                        : "This.jar.contains.entries.whose.signer.certificate.has.expired."));
+            }
+            if (notYetValidCert) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.certificate.is.not.yet.valid."
+                        : "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
+            }
+
+            if (chainNotValidated) {
+                errors.add(String.format(rb.getString(isSigning
+                                ? "The.signer.s.certificate.chain.is.invalid.reason.1"
+                                : "This.jar.contains.entries.whose.certificate.chain.is.invalid.reason.1"),
+                        chainNotValidatedReason.getLocalizedMessage()));
+            }
+
+            if (hasExpiredTsaCert) {
+                errors.add(rb.getString("The.timestamp.has.expired."));
+            }
+            if (tsaChainNotValidated) {
+                errors.add(String.format(rb.getString(isSigning
+                                ? "The.tsa.certificate.chain.is.invalid.reason.1"
+                                : "This.jar.contains.entries.whose.tsa.certificate.chain.is.invalid.reason.1"),
+                        tsaChainNotValidatedReason.getLocalizedMessage()));
+            }
+
+            // only in verifying
+            if (notSignedByAlias) {
+                errors.add(
+                        rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
+            }
+
+            // only in verifying
+            if (aliasNotInStore) {
+                errors.add(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
+            }
+
+            if (signerSelfSigned) {
+                errors.add(rb.getString(isSigning
+                        ? "The.signer.s.certificate.is.self.signed."
+                        : "This.jar.contains.entries.whose.signer.certificate.is.self.signed."));
+            }
+
+            // weakAlg only detected in signing. The jar file is
+            // now simply treated unsigned in verifying.
+            if ((weakAlg & 1) == 1) {
+                errors.add(String.format(
+                        rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
+                        digestalg, "-digestalg"));
+            }
+
+            if ((weakAlg & 2) == 2) {
+                errors.add(String.format(
+                        rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
+                        sigalg, "-sigalg"));
+            }
+            if ((weakAlg & 4) == 4) {
+                errors.add(String.format(
+                        rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
+                        tSADigestAlg, "-tsadigestalg"));
+            }
+            if ((weakAlg & 8) == 8) {
+                errors.add(String.format(
+                        rb.getString("The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk."),
+                        privateKey.getAlgorithm(), KeyUtil.getKeySize(privateKey)));
+            }
+        } else {
+            result = rb.getString(isSigning ? "jar.signed." : "jar.verified.");
+        }
+
+        if (hasExpiredTsaCert) {
+            // No need to warn about expiring if already expired
+            hasExpiringTsaCert = false;
+        }
+
+        if (hasExpiringCert ||
+                (hasExpiringTsaCert  && expireDate != null) ||
+                (noTimestamp && expireDate != null) ||
+                (hasExpiredTsaCert && signerNotExpired)) {
+
+            if (hasExpiredTsaCert && signerNotExpired) {
+                if (expireDate != null) {
+                    warnings.add(String.format(
+                            rb.getString("The.timestamp.expired.1.but.usable.2"),
+                            tsaExpireDate,
+                            expireDate));
+                }
+                // Reset the flag so exit code is 0
+                hasExpiredTsaCert = false;
+            }
+            if (hasExpiringCert) {
+                warnings.add(rb.getString(isSigning
+                        ? "The.signer.certificate.will.expire.within.six.months."
+                        : "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
+            }
+            if (hasExpiringTsaCert && expireDate != null) {
+                if (expireDate.after(tsaExpireDate)) {
+                    warnings.add(String.format(rb.getString(
+                            "The.timestamp.will.expire.within.one.year.on.1.but.2"), tsaExpireDate, expireDate));
+                } else {
+                    warnings.add(String.format(rb.getString(
+                            "The.timestamp.will.expire.within.one.year.on.1"), tsaExpireDate));
+                }
+            }
+            if (noTimestamp && expireDate != null) {
+                if (hasTimestampBlock) {
+                    warnings.add(String.format(rb.getString(isSigning
+                            ? "invalid.timestamp.signing"
+                            : "bad.timestamp.verifying"), expireDate));
+                } else {
+                    warnings.add(String.format(rb.getString(isSigning
+                            ? "no.timestamp.signing"
+                            : "no.timestamp.verifying"), expireDate));
+                }
+            }
+        }
+
+        System.out.println(result);
+        if (strict) {
+            if (!errors.isEmpty()) {
+                System.out.println();
+                System.out.println(rb.getString("Error."));
+                errors.forEach(System.out::println);
+            }
+            if (!warnings.isEmpty()) {
+                System.out.println();
+                System.out.println(rb.getString("Warning."));
+                warnings.forEach(System.out::println);
+            }
+        } else {
+            if (!errors.isEmpty() || !warnings.isEmpty()) {
+                System.out.println();
+                System.out.println(rb.getString("Warning."));
+                errors.forEach(System.out::println);
+                warnings.forEach(System.out::println);
+            }
+        }
+        if (!isSigning && (!errors.isEmpty() || !warnings.isEmpty())) {
+            if (! (verbose != null && showcerts)) {
+                System.out.println();
+                System.out.println(rb.getString(
+                        "Re.run.with.the.verbose.and.certs.options.for.more.details."));
+            }
+        }
+
+        if (isSigning || verbose != null) {
+            // Always print out expireDate, unless expired or expiring.
+            if (!hasExpiringCert && !hasExpiredCert
+                    && expireDate != null && signerNotExpired) {
+                info.add(String.format(rb.getString(
+                        "The.signer.certificate.will.expire.on.1."), expireDate));
+            }
+            if (!noTimestamp) {
+                if (!hasExpiringTsaCert && !hasExpiredTsaCert && tsaExpireDate != null) {
+                    if (signerNotExpired) {
+                        info.add(String.format(rb.getString(
+                                "The.timestamp.will.expire.on.1."), tsaExpireDate));
+                    } else {
+                        info.add(String.format(rb.getString(
+                                "signer.cert.expired.1.but.timestamp.good.2."),
+                                expireDate,
+                                tsaExpireDate));
+                    }
+                }
+            }
+        }
+
+        if (!info.isEmpty()) {
+            System.out.println();
+            info.forEach(System.out::println);
+        }
+    }
+
     private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
         if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
             return alg;
@@ -1094,8 +1219,9 @@
      *
      * Note: no newline character at the end.
      *
-     * When isTsCert is true, this method sets global flags like hasExpiredCert,
-     * notYetValidCert, badKeyUsage, badExtendedKeyUsage, badNetscapeCertType.
+     * This method sets global flags like hasExpiringCert, hasExpiredCert,
+     * notYetValidCert, badKeyUsage, badExtendedKeyUsage, badNetscapeCertType,
+     * hasExpiringTsaCert, hasExpiredTsaCert.
      *
      * @param isTsCert true if c is in the TSA cert chain, false otherwise.
      * @param checkUsage true to check code signer keyUsage
@@ -1124,55 +1250,75 @@
         if (x509Cert != null) {
 
             certStr.append("\n").append(tab).append("[");
-            Date notAfter = x509Cert.getNotAfter();
-            try {
-                boolean printValidity = true;
-                if (timestamp == null) {
-                    if (expireDate.getTime() == 0 || expireDate.after(notAfter)) {
-                        expireDate = notAfter;
+
+            if (trustedCerts.contains(x509Cert)) {
+                certStr.append(rb.getString("trusted.certificate"));
+            } else {
+                Date notAfter = x509Cert.getNotAfter();
+                try {
+                    boolean printValidity = true;
+                    if (isTsCert) {
+                        if (tsaExpireDate == null || tsaExpireDate.after(notAfter)) {
+                            tsaExpireDate = notAfter;
+                        }
+                    } else {
+                        if (expireDate == null || expireDate.after(notAfter)) {
+                            expireDate = notAfter;
+                        }
                     }
-                    x509Cert.checkValidity();
-                    // test if cert will expire within six months
-                    if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
-                        if (!isTsCert) hasExpiringCert = true;
-                        if (expiringTimeForm == null) {
-                            expiringTimeForm = new MessageFormat(
-                                rb.getString("certificate.will.expire.on"));
+                    if (timestamp == null) {
+                        x509Cert.checkValidity();
+                        // test if cert will expire within six months (or one year for tsa)
+                        long age = isTsCert ? ONE_YEAR : SIX_MONTHS;
+                        if (notAfter.getTime() < System.currentTimeMillis() + age) {
+                            if (isTsCert) {
+                                hasExpiringTsaCert = true;
+                            } else {
+                                hasExpiringCert = true;
+                            }
+                            if (expiringTimeForm == null) {
+                                expiringTimeForm = new MessageFormat(
+                                        rb.getString("certificate.will.expire.on"));
+                            }
+                            Object[] source = {notAfter};
+                            certStr.append(expiringTimeForm.format(source));
+                            printValidity = false;
                         }
-                        Object[] source = { notAfter };
-                        certStr.append(expiringTimeForm.format(source));
-                        printValidity = false;
+                    } else {
+                        x509Cert.checkValidity(timestamp);
                     }
-                } else {
-                    x509Cert.checkValidity(timestamp);
+                    if (printValidity) {
+                        if (validityTimeForm == null) {
+                            validityTimeForm = new MessageFormat(
+                                    rb.getString("certificate.is.valid.from"));
+                        }
+                        Object[] source = {x509Cert.getNotBefore(), notAfter};
+                        certStr.append(validityTimeForm.format(source));
+                    }
+                } catch (CertificateExpiredException cee) {
+                    if (isTsCert) {
+                        hasExpiredTsaCert = true;
+                    } else {
+                        hasExpiredCert = true;
+                    }
+
+                    if (expiredTimeForm == null) {
+                        expiredTimeForm = new MessageFormat(
+                                rb.getString("certificate.expired.on"));
+                    }
+                    Object[] source = {notAfter};
+                    certStr.append(expiredTimeForm.format(source));
+
+                } catch (CertificateNotYetValidException cnyve) {
+                    if (!isTsCert) notYetValidCert = true;
+
+                    if (notYetTimeForm == null) {
+                        notYetTimeForm = new MessageFormat(
+                                rb.getString("certificate.is.not.valid.until"));
+                    }
+                    Object[] source = {x509Cert.getNotBefore()};
+                    certStr.append(notYetTimeForm.format(source));
                 }
-                if (printValidity) {
-                    if (validityTimeForm == null) {
-                        validityTimeForm = new MessageFormat(
-                            rb.getString("certificate.is.valid.from"));
-                    }
-                    Object[] source = { x509Cert.getNotBefore(), notAfter };
-                    certStr.append(validityTimeForm.format(source));
-                }
-            } catch (CertificateExpiredException cee) {
-                if (!isTsCert) hasExpiredCert = true;
-
-                if (expiredTimeForm == null) {
-                    expiredTimeForm = new MessageFormat(
-                        rb.getString("certificate.expired.on"));
-                }
-                Object[] source = { notAfter };
-                certStr.append(expiredTimeForm.format(source));
-
-            } catch (CertificateNotYetValidException cnyve) {
-                if (!isTsCert) notYetValidCert = true;
-
-                if (notYetTimeForm == null) {
-                    notYetTimeForm = new MessageFormat(
-                        rb.getString("certificate.is.not.valid.until"));
-                }
-                Object[] source = { x509Cert.getNotBefore() };
-                certStr.append(notYetTimeForm.format(source));
             }
             certStr.append("]");
 
@@ -1638,152 +1784,57 @@
         // The JarSigner API always accepts the timestamp received.
         // We need to extract the certs from the signed jar to
         // validate it.
-        if (!noTimestamp) {
-            try (JarFile check = new JarFile(signedJarFile)) {
-                PKCS7 p7 = new PKCS7(check.getInputStream(check.getEntry(
-                        "META-INF/" + sigfile + "." + privateKey.getAlgorithm())));
+        try (JarFile check = new JarFile(signedJarFile)) {
+            PKCS7 p7 = new PKCS7(check.getInputStream(check.getEntry(
+                    "META-INF/" + sigfile + "." + privateKey.getAlgorithm())));
+            Timestamp ts = null;
+            try {
                 SignerInfo si = p7.getSignerInfos()[0];
-                PKCS7 tsToken = si.getTsToken();
-                SignerInfo tsSi = tsToken.getSignerInfos()[0];
-                try {
-                    validateCertChain(Validator.VAR_TSA_SERVER,
-                            tsSi.getCertificateChain(tsToken), null);
-                } catch (Exception e) {
-                    tsaChainNotValidated = true;
-                    tsaChainNotValidatedReason = e;
+                if (si.getTsToken() != null) {
+                    hasTimestampBlock = true;
                 }
+                ts = si.getTimestamp();
             } catch (Exception e) {
-                if (debug) {
-                    e.printStackTrace();
+                tsaChainNotValidated = true;
+                tsaChainNotValidatedReason = e;
+            }
+            // Spaces before the ">>> Signer" and other lines are different
+            String result = certsAndTSInfo("", "    ", Arrays.asList(certChain), ts);
+            if (verbose != null) {
+                System.out.println(result);
+            }
+        } catch (Exception e) {
+            if (debug) {
+                e.printStackTrace();
+            }
+        }
+
+        if (signedjar == null) {
+            // attempt an atomic rename. If that fails,
+            // rename the original jar file, then the signed
+            // one, then delete the original.
+            if (!signedJarFile.renameTo(jarFile)) {
+                File origJar = new File(jarName+".orig");
+
+                if (jarFile.renameTo(origJar)) {
+                    if (signedJarFile.renameTo(jarFile)) {
+                        origJar.delete();
+                    } else {
+                        MessageFormat form = new MessageFormat(rb.getString
+                    ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
+                        Object[] source = {signedJarFile, jarFile};
+                        error(form.format(source));
+                    }
+                } else {
+                    MessageFormat form = new MessageFormat(rb.getString
+                        ("attempt.to.rename.jarFile.to.origJar.failed"));
+                    Object[] source = {jarFile, origJar};
+                    error(form.format(source));
                 }
             }
         }
 
-        // no IOException thrown in the follow try clause, so disable
-        // the try clause.
-        // try {
-            if (signedjar == null) {
-                // attempt an atomic rename. If that fails,
-                // rename the original jar file, then the signed
-                // one, then delete the original.
-                if (!signedJarFile.renameTo(jarFile)) {
-                    File origJar = new File(jarName+".orig");
-
-                    if (jarFile.renameTo(origJar)) {
-                        if (signedJarFile.renameTo(jarFile)) {
-                            origJar.delete();
-                        } else {
-                            MessageFormat form = new MessageFormat(rb.getString
-                        ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
-                            Object[] source = {signedJarFile, jarFile};
-                            error(form.format(source));
-                        }
-                    } else {
-                        MessageFormat form = new MessageFormat(rb.getString
-                            ("attempt.to.rename.jarFile.to.origJar.failed"));
-                        Object[] source = {jarFile, origJar};
-                        error(form.format(source));
-                    }
-                }
-            }
-
-            boolean warningAppeared = false;
-            if (weakAlg != 0 || badKeyUsage || badExtendedKeyUsage
-                    || badNetscapeCertType || notYetValidCert
-                    || chainNotValidated || tsaChainNotValidated
-                    || hasExpiredCert || signerSelfSigned) {
-                if (strict) {
-                    System.out.println(rb.getString("jar.signed.with.signer.errors."));
-                    System.out.println();
-                    System.out.println(rb.getString("Error."));
-                } else {
-                    System.out.println(rb.getString("jar.signed."));
-                    System.out.println();
-                    System.out.println(rb.getString("Warning."));
-                    warningAppeared = true;
-                }
-
-                if (badKeyUsage) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (badExtendedKeyUsage) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (badNetscapeCertType) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (hasExpiredCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.has.expired."));
-                } else if (notYetValidCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.is.not.yet.valid."));
-                }
-
-                if (chainNotValidated) {
-                    System.out.println(String.format(
-                            rb.getString("The.signer.s.certificate.chain.is.invalid.reason.1"),
-                            chainNotValidatedReason.getLocalizedMessage()));
-                }
-
-                if (tsaChainNotValidated) {
-                    System.out.println(String.format(
-                            rb.getString("The.tsa.certificate.chain.is.invalid.reason.1"),
-                            tsaChainNotValidatedReason.getLocalizedMessage()));
-                }
-
-                if (signerSelfSigned) {
-                    System.out.println(
-                            rb.getString("The.signer.s.certificate.is.self.signed."));
-                }
-
-                if ((weakAlg & 1) == 1) {
-                    System.out.println(String.format(
-                            rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
-                            digestalg, "-digestalg"));
-                }
-
-                if ((weakAlg & 2) == 2) {
-                    System.out.println(String.format(
-                            rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
-                            sigalg, "-sigalg"));
-                }
-                if ((weakAlg & 4) == 4) {
-                    System.out.println(String.format(
-                            rb.getString("The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk."),
-                            tSADigestAlg, "-tsadigestalg"));
-                }
-            } else {
-                System.out.println(rb.getString("jar.signed."));
-            }
-            if (hasExpiringCert || noTimestamp) {
-                if (!warningAppeared) {
-                    System.out.println();
-                    System.out.println(rb.getString("Warning."));
-                }
-
-                if (hasExpiringCert) {
-                    System.out.println(
-                            rb.getString("The.signer.certificate.will.expire.within.six.months."));
-                }
-
-                if (noTimestamp) {
-                    System.out.println(
-                            String.format(rb.getString("no.timestamp.signing"), expireDate));
-                }
-            }
-
-        // no IOException thrown in the above try clause, so disable
-        // the catch clause.
-        // } catch(IOException ioe) {
-        //     error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
-        // }
+        displayMessagesAndResult(true);
     }
 
     /**
@@ -1831,31 +1882,57 @@
     Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
 
     /**
-     * Returns a string of singer info, with a newline at the end
+     * Returns a string of signer info, with a newline at the end.
+     * Called by verifyJar().
      */
     private String signerInfo(CodeSigner signer, String tab) throws Exception {
         if (cacheForSignerInfo.containsKey(signer)) {
             return cacheForSignerInfo.get(signer);
         }
-        StringBuilder sb = new StringBuilder();
         List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
-        // display the signature timestamp, if present
+        // signing time is only displayed on verification
+        Timestamp ts = signer.getTimestamp();
+        String tsLine = "";
+        if (ts != null) {
+            tsLine = printTimestamp(tab, ts) + "\n";
+        }
+        // Spaces before the ">>> Signer" and other lines are the same.
+
+        String result = certsAndTSInfo(tab, tab, certs, ts);
+        cacheForSignerInfo.put(signer, tsLine + result);
+        return result;
+    }
+
+    /**
+     * Fills info on certs and timestamp into a StringBuilder, sets
+     * warning flags (through printCert) and validates cert chains.
+     *
+     * @param tab1 spaces before the ">>> Signer" line
+     * @param tab2 spaces before the other lines
+     * @param certs the signer cert
+     * @param ts the timestamp, can be null
+     * @return the info as a string
+     */
+    private String certsAndTSInfo(
+            String tab1,
+            String tab2,
+            List<? extends Certificate> certs, Timestamp ts)
+            throws Exception {
+
         Date timestamp;
-        Timestamp ts = signer.getTimestamp();
         if (ts != null) {
-            sb.append(printTimestamp(tab, ts));
-            sb.append('\n');
             timestamp = ts.getTimestamp();
+            noTimestamp = false;
         } else {
             timestamp = null;
-            noTimestamp = true;
         }
         // display the certificate(s). The first one is end-entity cert and
         // its KeyUsage should be checked.
         boolean first = true;
-        sb.append(tab).append(rb.getString("...Signer")).append('\n');
+        StringBuilder sb = new StringBuilder();
+        sb.append(tab1).append(rb.getString("...Signer")).append('\n');
         for (Certificate c : certs) {
-            sb.append(printCert(false, tab, c, timestamp, first));
+            sb.append(printCert(false, tab2, c, timestamp, first));
             sb.append('\n');
             first = false;
         }
@@ -1864,13 +1941,13 @@
         } catch (Exception e) {
             chainNotValidated = true;
             chainNotValidatedReason = e;
-            sb.append(tab).append(rb.getString(".Invalid.certificate.chain."))
+            sb.append(tab2).append(rb.getString(".Invalid.certificate.chain."))
                     .append(e.getLocalizedMessage()).append("]\n");
         }
         if (ts != null) {
-            sb.append(tab).append(rb.getString("...TSA")).append('\n');
+            sb.append(tab1).append(rb.getString("...TSA")).append('\n');
             for (Certificate c : ts.getSignerCertPath().getCertificates()) {
-                sb.append(printCert(true, tab, c, timestamp, false));
+                sb.append(printCert(true, tab2, c, null, false));
                 sb.append('\n');
             }
             try {
@@ -1879,7 +1956,7 @@
             } catch (Exception e) {
                 tsaChainNotValidated = true;
                 tsaChainNotValidatedReason = e;
-                sb.append(tab).append(rb.getString(".Invalid.TSA.certificate.chain."))
+                sb.append(tab2).append(rb.getString(".Invalid.TSA.certificate.chain."))
                         .append(e.getLocalizedMessage()).append("]\n");
             }
         }
@@ -1887,9 +1964,8 @@
                 && KeyStoreUtil.isSelfSigned((X509Certificate)certs.get(0))) {
             signerSelfSigned = true;
         }
-        String result = sb.toString();
-        cacheForSignerInfo.put(signer, result);
-        return result;
+
+        return sb.toString();
     }
 
     private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
@@ -1939,7 +2015,6 @@
         }
 
         try {
-            Set<TrustAnchor> tas = new HashSet<>();
             try {
                 KeyStore caks = KeyStoreUtil.getCacertsKeyStore();
                 if (caks != null) {
@@ -1947,7 +2022,7 @@
                     while (aliases.hasMoreElements()) {
                         String a = aliases.nextElement();
                         try {
-                            tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
+                            trustedCerts.add((X509Certificate)caks.getCertificate(a));
                         } catch (Exception e2) {
                             // ignore, when a SecretkeyEntry does not include a cert
                         }
@@ -2006,7 +2081,7 @@
                         // PrivateKeyEntry
                         if (store.isCertificateEntry(a) ||
                                 c.getSubjectDN().equals(c.getIssuerDN())) {
-                            tas.add(new TrustAnchor(c, null));
+                            trustedCerts.add(c);
                         }
                     } catch (Exception e2) {
                         // ignore, when a SecretkeyEntry does not include a cert
@@ -2014,7 +2089,11 @@
                 }
             } finally {
                 try {
-                    pkixParameters = new PKIXBuilderParameters(tas, null);
+                    pkixParameters = new PKIXBuilderParameters(
+                            trustedCerts.stream()
+                                    .map(c -> new TrustAnchor(c, null))
+                                    .collect(Collectors.toSet()),
+                            null);
                     pkixParameters.setRevocationEnabled(false);
                 } catch (InvalidAlgorithmParameterException ex) {
                     // Only if tas is empty
@@ -2130,6 +2209,7 @@
         }
     }
 
+    // Called by signJar().
     void getAliasInfo(String alias) throws Exception {
 
         Key key = null;
@@ -2174,22 +2254,6 @@
                 certChain[i] = (X509Certificate)cs[i];
             }
 
-            // We don't meant to print anything, the next call
-            // checks validity and keyUsage etc
-            printCert(false, "", certChain[0], null, true);
-
-            try {
-                validateCertChain(Validator.VAR_CODE_SIGNING,
-                        Arrays.asList(certChain), null);
-            } catch (Exception e) {
-                chainNotValidated = true;
-                chainNotValidatedReason = e;
-            }
-
-            if (KeyStoreUtil.isSelfSigned(certChain[0])) {
-                signerSelfSigned = true;
-            }
-
             try {
                 if (!token && keypass == null)
                     key = store.getKey(alias, storepass);
@@ -2247,7 +2311,7 @@
      * @param parameter this might be a timestamp
      */
     void validateCertChain(String variant, List<? extends Certificate> certs,
-                           Object parameter)
+                           Timestamp parameter)
             throws Exception {
         try {
             Validator.getInstance(Validator.TYPE_PKIX,
@@ -2261,8 +2325,22 @@
             }
 
             // Exception might be dismissed if another warning flag
-            // is already set by printCert. This is only done for
-            // code signing certs.
+            // is already set by printCert.
+
+            if (variant.equals(Validator.VAR_TSA_SERVER) &&
+                    e instanceof ValidatorException) {
+                // Throw cause if it's CertPathValidatorException,
+                if (e.getCause() != null &&
+                        e.getCause() instanceof CertPathValidatorException) {
+                    e = (Exception) e.getCause();
+                    Throwable t = e.getCause();
+                    if ((t instanceof CertificateExpiredException &&
+                            hasExpiredTsaCert)) {
+                        // we already have hasExpiredTsaCert
+                        return;
+                    }
+                }
+            }
 
             if (variant.equals(Validator.VAR_CODE_SIGNING) &&
                     e instanceof ValidatorException) {
--- a/src/share/classes/sun/security/tools/jarsigner/Resources.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources.java	Thu Nov 08 18:48:19 2018 +0000
@@ -219,6 +219,7 @@
         {"Error.", "Error: "},
         {"...Signer", ">>> Signer"},
         {"...TSA", ">>> TSA"},
+        {"trusted.certificate", "trusted certificate"},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "This jar contains unsigned entries which have not been integrity-checked. "},
         {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -235,8 +236,16 @@
                 "Re-run with the -verbose and -certs options for more details."},
         {"The.signer.certificate.has.expired.",
                 "The signer certificate has expired."},
+        {"The.timestamp.expired.1.but.usable.2",
+                "The timestamp expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
+        {"The.timestamp.has.expired.",
+                "The timestamp has expired."},
         {"The.signer.certificate.will.expire.within.six.months.",
                 "The signer certificate will expire within six months."},
+        {"The.timestamp.will.expire.within.one.year.on.1",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.within.one.year.on.1.but.2",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
         {"The.signer.certificate.is.not.yet.valid.",
                 "The signer certificate is not yet valid."},
         {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
@@ -267,10 +276,18 @@
                 "This jar contains entries whose TSA certificate chain is invalid. Reason: %s"},
         {"no.timestamp.signing",
                 "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+        {"invalid.timestamp.signing",
+                "The timestamp is invalid. Without a valid timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td)."},
         {"no.timestamp.verifying",
-                "This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+                "This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td)."},
         {"bad.timestamp.verifying",
                 "This jar contains signatures that include an invalid timestamp. Without a valid timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td).\nRerun jarsigner with -J-Djava.security.debug=jar for more information."},
+        {"The.signer.certificate.will.expire.on.1.",
+                "The signer certificate will expire on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.on.1.",
+                "The timestamp will expire on %1$tY-%1$tm-%1$td."},
+        {"signer.cert.expired.1.but.timestamp.good.2.",
+                "The signer certificate expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the timestamp expires on %2$tY-%2$tm-%2$td."},
         {"Unknown.password.type.", "Unknown password type: "},
         {"Cannot.find.environment.variable.",
                 "Cannot find environment variable: "},
--- a/src/share/lib/net.properties	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/lib/net.properties	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 ############################################################
-#  	Default Networking Configuration File
+#       Default Networking Configuration File
 #
 # This file may contain default values for the networking system properties.
 # These values are only used when the system properties are not specified
@@ -14,7 +14,7 @@
 # Note that the system properties that do explicitely set proxies
 # (like http.proxyHost) do take precedence over the system settings
 # even if java.net.useSystemProxies is set to true.
- 
+
 java.net.useSystemProxies=false
 
 #------------------------------------------------------------------------
@@ -66,8 +66,8 @@
 # socksProxyPort=1080
 #
 # HTTP Keep Alive settings. remainingData is the maximum amount of data
-# in kilobytes that will be cleaned off the underlying socket so that it 
-# can be reused (default value is 512K), queuedConnections is the maximum 
+# in kilobytes that will be cleaned off the underlying socket so that it
+# can be reused (default value is 512K), queuedConnections is the maximum
 # number of Keep Alive connections to be on the queue for clean up (default
 # value is 10).
 # http.KeepAlive.remainingData=512
@@ -99,3 +99,23 @@
 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic
 
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled
--- a/src/share/native/sun/awt/image/jpeg/jmemmgr.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/native/sun/awt/image/jpeg/jmemmgr.c	Thu Nov 08 18:48:19 2018 +0000
@@ -406,6 +406,9 @@
   JDIMENSION rowsperchunk, currow, i;
   long ltemp;
 
+  if (samplesperrow == 0) {
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+  }
   /* Calculate max # of rows allowed in one allocation chunk */
   ltemp = (MAX_ALLOC_CHUNK-SIZEOF(large_pool_hdr)) /
           ((long) samplesperrow * SIZEOF(JSAMPLE));
@@ -454,6 +457,10 @@
   JDIMENSION rowsperchunk, currow, i;
   long ltemp;
 
+  if (blocksperrow == 0) {
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+  }
+
   /* Calculate max # of rows allowed in one allocation chunk */
   ltemp = (MAX_ALLOC_CHUNK-SIZEOF(large_pool_hdr)) /
           ((long) blocksperrow * SIZEOF(JBLOCK));
--- a/src/share/native/sun/java2d/cmm/lcms/cmscgats.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/share/native/sun/java2d/cmm/lcms/cmscgats.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1535,10 +1535,16 @@
     t-> nSamples   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
     t-> nPatches   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
-    t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
-    if (t->Data == NULL) {
-
-        SynError(it8, "AllocateDataSet: Unable to allocate data array");
+    if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+    {
+        SynError(it8, "AllocateDataSet: too much data");
+    }
+    else {
+        t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+        if (t->Data == NULL) {
+
+            SynError(it8, "AllocateDataSet: Unable to allocate data array");
+        }
     }
 
 }
--- a/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java	Thu Nov 08 18:48:19 2018 +0000
@@ -90,10 +90,13 @@
 
     /**
      * Returns true if the given site is trusted, i.e. we can try
-     * transparent Authentication.
+     * transparent Authentication. Shouldn't be called since
+     * capability not supported on Unix
      */
     public static boolean isTrustedSite(URL url) {
-        return NTLMAuthCallback.isTrustedSite(url);
+        if (NTLMAuthCallback != null)
+            return NTLMAuthCallback.isTrustedSite(url);
+        return false;
     }
 
     private void init0() {
--- a/src/solaris/instrument/FileSystemSupport_md.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/solaris/instrument/FileSystemSupport_md.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
  * questions.
  */
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -50,6 +51,10 @@
     } else {
         int len = last - path;
         char* str = (char*)malloc(len+1);
+        if (str == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (len > 0) {
             memcpy(str, path, len);
         }
@@ -80,6 +85,10 @@
     if (n == 0) return strdup("/");
 
     sb = (char*)malloc(strlen(pathname)+1);
+    if (sb == NULL) {
+        fprintf(stderr, "OOM error in native tmp buffer allocation");
+        return NULL;
+    }
     sbLen = 0;
 
     if (off > 0) {
@@ -128,6 +137,10 @@
     len = parentEnd + cn - childStart;
     if (child[0] == slash) {
         theChars = (char*)malloc(len+1);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (parentEnd > 0)
             memcpy(theChars, parent, parentEnd);
         if (cn > 0)
@@ -135,6 +148,10 @@
         theChars[len] = '\0';
     } else {
         theChars = (char*)malloc(len+2);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (parentEnd > 0)
             memcpy(theChars, parent, parentEnd);
         theChars[parentEnd] = slash;
@@ -150,10 +167,13 @@
     if (len > 1 && path[len-1] == slash) {
         // "/foo/" --> "/foo", but "/" --> "/"
         char* str = (char*)malloc(len);
-        if (str != NULL) {
-            memcpy(str, path, len-1);
-            str[len-1] = '\0';
+        if (str == NULL)
+        {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
         }
+        memcpy(str, path, len-1);
+        str[len-1] = '\0';
         return str;
     } else {
         return (char*)path;
--- a/src/solaris/native/java/net/net_util_md.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/solaris/native/java/net/net_util_md.c	Thu Nov 08 18:48:19 2018 +0000
@@ -608,6 +608,8 @@
 
                 if (loRoutesTemp == 0) {
                     free(loRoutes);
+                    loRoutes = NULL;
+                    nRoutes = 0;
                     fclose (f);
                     return;
                 }
--- a/src/solaris/native/sun/awt/awt_UNIXToolkit.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/solaris/native/sun/awt/awt_UNIXToolkit.c	Thu Nov 08 18:48:19 2018 +0000
@@ -184,6 +184,7 @@
         detail_str = (char *)SAFE_SIZE_ARRAY_ALLOC(malloc,
                 sizeof(char), len + 1);
         if (detail_str == NULL) {
+            free(stock_id_str);
             JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
             return JNI_FALSE;
         }
--- a/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java	Thu Nov 08 18:48:19 2018 +0000
@@ -30,6 +30,7 @@
 import java.net.PasswordAuthentication;
 import java.net.UnknownHostException;
 import java.net.URL;
+import sun.net.NetProperties;
 import sun.net.www.HeaderParser;
 import sun.net.www.protocol.http.AuthenticationInfo;
 import sun.net.www.protocol.http.AuthScheme;
@@ -52,6 +53,14 @@
     private static String defaultDomain; /* Domain to use if not specified by user */
     private static final boolean ntlmCache; /* Whether cache is enabled for NTLM */
 
+    enum TransparentAuth {
+        DISABLED,      // disable for all hosts (default)
+        TRUSTED_HOSTS, // use Windows trusted hosts settings
+        ALL_HOSTS      // attempt for all hosts
+    }
+
+    private static final TransparentAuth authMode;
+
     static {
         defaultDomain = java.security.AccessController.doPrivileged(
             new sun.security.action.GetPropertyAction("http.auth.ntlm.domain",
@@ -59,6 +68,19 @@
         String ntlmCacheProp = java.security.AccessController.doPrivileged(
             new sun.security.action.GetPropertyAction("jdk.ntlm.cache", "true"));
         ntlmCache = Boolean.parseBoolean(ntlmCacheProp);
+        String modeProp = java.security.AccessController.doPrivileged(
+            new java.security.PrivilegedAction<String>() {
+                public String run() {
+                    return NetProperties.get("jdk.http.ntlm.transparentAuth");
+                }
+            });
+
+        if ("trustedHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.TRUSTED_HOSTS;
+        else if ("allHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.ALL_HOSTS;
+        else
+            authMode = TransparentAuth.DISABLED;
     };
 
     private void init0() {
@@ -159,9 +181,21 @@
      * transparent Authentication.
      */
     public static boolean isTrustedSite(URL url) {
-        return NTLMAuthCallback.isTrustedSite(url);
+        if (NTLMAuthCallback != null)
+            return NTLMAuthCallback.isTrustedSite(url);
+
+        switch (authMode) {
+            case TRUSTED_HOSTS:
+                return isTrustedSite(url.toString());
+            case ALL_HOSTS:
+                return true;
+            default:
+                return false;
+        }
     }
 
+    static native boolean isTrustedSite(String url);
+
     /**
      * Not supported. Must use the setHeaders() method
      */
@@ -211,5 +245,4 @@
             return false;
         }
     }
-
 }
--- a/src/windows/classes/sun/security/mscapi/KeyStore.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/classes/sun/security/mscapi/KeyStore.java	Thu Nov 08 18:48:19 2018 +0000
@@ -753,6 +753,7 @@
     /**
      * Generates a certificate chain from the collection of
      * certificates and stores the result into a key entry.
+     * This method is called by native code in libsunmscapi.
      */
     private void generateCertificateChain(String alias,
         Collection<? extends Certificate> certCollection)
@@ -775,13 +776,15 @@
         catch (Throwable e)
         {
             // Ignore the exception and skip this entry
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 
     /**
      * Generates RSA key and certificate chain from the private key handle,
      * collection of certificates and stores the result into key entries.
+     * This method is called by native code in libsunmscapi.
      */
     private void generateRSAKeyAndCertificateChain(String alias,
         long hCryptProv, long hCryptKey, int keyLength,
@@ -807,12 +810,14 @@
         catch (Throwable e)
         {
             // Ignore the exception and skip this entry
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 
     /**
      * Generates certificates from byte data and stores into cert collection.
+     * This method is called by native code in libsunmscapi.
      *
      * @param data Byte data.
      * @param certCollection Collection of certificates.
@@ -836,12 +841,14 @@
         catch (CertificateException e)
         {
             // Ignore the exception and skip this certificate
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
         catch (Throwable te)
         {
             // Ignore the exception and skip this certificate
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 
--- a/src/windows/classes/sun/security/mscapi/RSASignature.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/classes/sun/security/mscapi/RSASignature.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -132,7 +132,7 @@
         @Override
         protected void engineUpdate(byte[] b, int off, int len)
                 throws SignatureException {
-            if (offset + len > precomputedDigest.length) {
+            if (len > (precomputedDigest.length - offset)) {
                 offset = RAW_RSA_MAX + 1;
                 return;
             }
@@ -147,7 +147,7 @@
             if (len <= 0) {
                 return;
             }
-            if (offset + len > precomputedDigest.length) {
+            if (len > (precomputedDigest.length - offset)) {
                 offset = RAW_RSA_MAX + 1;
                 return;
             }
--- a/src/windows/instrument/FileSystemSupport_md.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/instrument/FileSystemSupport_md.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
  * questions.
  */
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <malloc.h>
@@ -66,6 +67,10 @@
     } else {
         int len = (int)(last - path);
         char* str = (char*)malloc(len+1);
+        if (str == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (len > 0) {
             memcpy(str, path, len);
         }
@@ -135,6 +140,10 @@
     if (off < 3) off = 0;       /* Avoid fencepost cases with UNC pathnames */
 
     sb = (char*)malloc(len+1);
+    if (sb == NULL) {
+        fprintf(stderr, "OOM error in native tmp buffer allocation");
+        return NULL;
+    }
     sbLen = 0;
 
     if (off == 0) {
@@ -261,11 +270,19 @@
 
     if (child[childStart] == slash) {
         theChars = (char*)malloc(len+1);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(theChars, parent, parentEnd);
         memcpy(theChars+parentEnd, child+childStart, (cn-childStart));
         theChars[len] = '\0';
     } else {
         theChars = (char*)malloc(len+2);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(theChars, parent, parentEnd);
         theChars[parentEnd] = slash;
         memcpy(theChars+parentEnd+1, child+childStart, (cn-childStart));
@@ -320,10 +337,12 @@
         return (char*)path;
     } else {
         char* p = (char*)malloc(len+1);
-        if (p != NULL) {
-            memcpy(p, path+start, len);
-            p[len] = '\0';
+        if (p == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
         }
+        memcpy(p, path+start, len);
+        p[len] = '\0';
         return p;
     }
 }
--- a/src/windows/native/java/net/NetworkInterface.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/java/net/NetworkInterface.c	Thu Nov 08 18:48:19 2018 +0000
@@ -279,7 +279,7 @@
                 // But in rare case it fails, we allow 'char' to be displayed
                 curr->displayName = (char *)malloc(ifrowP->dwDescrLen + 1);
             } else {
-                curr->displayName = (wchar_t *)malloc(wlen*(sizeof(wchar_t))+1);
+                curr->displayName = (wchar_t *)malloc((wlen+1)*sizeof(wchar_t));
             }
 
             curr->name = (char *)malloc(strlen(dev_name) + 1);
@@ -322,7 +322,7 @@
                 free(curr);
                 return -1;
             } else {
-                curr->displayName[wlen*(sizeof(wchar_t))] = '\0';
+                ((wchar_t *)curr->displayName)[wlen] = L'\0';
                 curr->dNameIsUnicode = TRUE;
             }
         }
@@ -861,6 +861,7 @@
     /* allocate a NetworkInterface array */
     netIFArr = (*env)->NewObjectArray(env, count, cls, NULL);
     if (netIFArr == NULL) {
+        free_netif(ifList);
         return NULL;
     }
 
@@ -875,6 +876,7 @@
 
         netifObj = createNetworkInterface(env, curr, -1, NULL);
         if (netifObj == NULL) {
+            free_netif(ifList);
             return NULL;
         }
 
--- a/src/windows/native/sun/bridge/AccessBridgeMessageQueue.cpp	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/bridge/AccessBridgeMessageQueue.cpp	Thu Nov 08 18:48:19 2018 +0000
@@ -32,6 +32,7 @@
 #include "AccessBridgePackages.h"               // for debugging only
 #include <windows.h>
 #include <malloc.h>
+#include <new>
 
 DEBUG_CODE(extern HWND theDialogWindow);
 extern "C" {
@@ -46,6 +47,9 @@
     next = (AccessBridgeQueueElement *) 0;
     previous = (AccessBridgeQueueElement *) 0;
     buffer = (char *) malloc(bufsize);
+    if (buffer == NULL) {
+        throw std::bad_alloc();
+    }
     memcpy(buffer, buf, bufsize);
 }
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/windows/native/sun/net/www/protocol/http/ntlm/NTLMAuthentication.c	Thu Nov 08 18:48:19 2018 +0000
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <jni.h>
+#include <windows.h>
+#include "jni_util.h"
+#include <urlmon.h>
+
+JNIEXPORT jboolean JNICALL Java_sun_net_www_protocol_http_ntlm_NTLMAuthentication_isTrustedSite(JNIEnv *env, jclass clazz, jstring url )
+{
+
+    HRESULT hr;
+    DWORD dwZone;
+    DWORD  pPolicy = 0;
+    IInternetSecurityManager *spSecurityManager;
+    jboolean ret;
+    LPCWSTR bstrURL;
+
+    // Create IInternetSecurityManager
+    hr = CoInternetCreateSecurityManager(NULL, &spSecurityManager, (DWORD)0);
+    if (FAILED(hr)) {
+        return JNI_FALSE;
+    }
+
+    bstrURL = (LPCWSTR)((*env)->GetStringChars(env, url, NULL));
+    if (bstrURL == NULL) {
+        if (!(*env)->ExceptionCheck(env))
+            JNU_ThrowOutOfMemoryError(env, NULL);
+        spSecurityManager->lpVtbl->Release(spSecurityManager);
+        return JNI_FALSE;
+    }
+
+    // Determines the policy for the URLACTION_CREDENTIALS_USE action and display
+    // a user interface, if the policy indicates that the user should be queried
+    hr = spSecurityManager->lpVtbl->ProcessUrlAction(
+        spSecurityManager,
+        bstrURL,
+        URLACTION_CREDENTIALS_USE,
+        (LPBYTE)&pPolicy,
+        sizeof(DWORD), 0, 0, 0, 0);
+
+    if (FAILED(hr)) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // If these two User Authentication Logon options is selected
+    // Anonymous logon
+    // Prompt for user name and password
+    if (pPolicy == URLPOLICY_CREDENTIALS_ANONYMOUS_ONLY ||
+        pPolicy == URLPOLICY_CREDENTIALS_MUST_PROMPT_USER) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon with current user name and password" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_SILENT_LOGON_OK) {
+        ret = JNI_TRUE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon only in intranet zone" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_CONDITIONAL_PROMPT) {
+
+        // Gets the zone index from the specified URL
+        hr = spSecurityManager->lpVtbl->MapUrlToZone(
+                spSecurityManager, bstrURL, &dwZone, 0);
+        if (FAILED(hr)) {
+            ret = JNI_FALSE;
+            goto cleanupAndReturn;
+        }
+
+        // Check if the URL is in Local or Intranet zone
+        if (dwZone == URLZONE_INTRANET || dwZone == URLZONE_LOCAL_MACHINE) {
+            ret = JNI_TRUE;
+            goto cleanupAndReturn;
+        }
+    }
+    ret = JNI_FALSE;
+
+cleanupAndReturn:
+    (*env)->ReleaseStringChars(env, url, bstrURL);
+    spSecurityManager->lpVtbl->Release(spSecurityManager);
+    return ret;
+}
--- a/src/windows/native/sun/nio/ch/DatagramDispatcher.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/nio/ch/DatagramDispatcher.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -95,6 +95,10 @@
     jint fd = fdval(env, fdo);
     struct iovec *iovp = (struct iovec *)address;
     WSABUF *bufs = malloc(len * sizeof(WSABUF));
+    if (bufs == NULL) {
+        JNU_ThrowOutOfMemoryError(env, NULL);
+        return IOS_THROWN;
+    }
 
     /* copy iovec into WSABUF */
     for(i=0; i<len; i++) {
@@ -182,6 +186,10 @@
     jint fd = fdval(env, fdo);
     struct iovec *iovp = (struct iovec *)address;
     WSABUF *bufs = malloc(len * sizeof(WSABUF));
+    if (bufs == NULL) {
+        JNU_ThrowOutOfMemoryError(env, NULL);
+        return IOS_THROWN;
+    }
 
     /* copy iovec into WSABUF */
     for(i=0; i<len; i++) {
--- a/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -208,6 +208,10 @@
     /* Prepare corresponding buffer if needed, and then read */
     if (bytesToRead > WAKEUP_SOCKET_BUF_SIZE) {
         char* buf = (char*)malloc(bytesToRead);
+        if (buf == NULL) {
+            JNU_ThrowOutOfMemoryError(env, NULL);
+            return;
+        }
         recv(scinFd, buf, bytesToRead, 0);
         free(buf);
     } else {
--- a/src/windows/native/sun/security/krb5/NativeCreds.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/security/krb5/NativeCreds.c	Thu Nov 08 18:48:19 2018 +0000
@@ -76,7 +76,8 @@
 
 BOOL PackageConnectLookup(PHANDLE,PULONG);
 
-NTSTATUS ConstructTicketRequest(UNICODE_STRING DomainName,
+NTSTATUS ConstructTicketRequest(JNIEnv *env,
+                                UNICODE_STRING DomainName,
                                 PKERB_RETRIEVE_TKT_REQUEST *outRequest,
                                 ULONG *outSize);
 
@@ -102,6 +103,8 @@
 jobject BuildTicketFlags(JNIEnv *env, PULONG flags);
 jobject BuildKerberosTime(JNIEnv *env, PLARGE_INTEGER kerbtime);
 
+void ThrowOOME(JNIEnv *env, const char *szMessage);
+
 /*
  * Class:     sun_security_krb5_KrbCreds
  * Method:    JNI_OnLoad
@@ -495,7 +498,7 @@
             }
 
             // use domain to request Ticket
-            Status = ConstructTicketRequest(msticket->TargetDomainName,
+            Status = ConstructTicketRequest(env, msticket->TargetDomainName,
                                 &pTicketRequest, &requestSize);
             if (!LSA_SUCCESS(Status)) {
                 ShowNTError("ConstructTicketRequest status", Status);
@@ -689,7 +692,7 @@
 }
 
 static NTSTATUS
-ConstructTicketRequest(UNICODE_STRING DomainName,
+ConstructTicketRequest(JNIEnv *env, UNICODE_STRING DomainName,
                 PKERB_RETRIEVE_TKT_REQUEST *outRequest, ULONG *outSize)
 {
     NTSTATUS Status;
@@ -736,8 +739,10 @@
 
     pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST)
                     LocalAlloc(LMEM_ZEROINIT, RequestSize);
-    if (!pTicketRequest)
+    if (!pTicketRequest) {
+        ThrowOOME(env, "Can't allocate memory for ticket");
         return GetLastError();
+    }
 
     //
     // Concatenate the target prefix with the previous response's
@@ -894,7 +899,7 @@
     jbyteArray ary;
 
     ary = (*env)->NewByteArray(env,encodedTicketSize);
-    if ((*env)->ExceptionOccurred(env)) {
+    if (ary == NULL) {
         return (jobject) NULL;
     }
 
@@ -940,6 +945,10 @@
 
     realm = (WCHAR *) LocalAlloc(LMEM_ZEROINIT,
             ((domainName.Length)*sizeof(WCHAR) + sizeof(UNICODE_NULL)));
+    if (realm == NULL) {
+        ThrowOOME(env, "Can't allocate memory for realm");
+        return NULL;
+    }
     wcsncpy(realm, domainName.Buffer, domainName.Length/sizeof(WCHAR));
 
     if (native_debug) {
@@ -1014,6 +1023,9 @@
     }
 
     ary = (*env)->NewByteArray(env,cryptoKey->Length);
+    if (ary == NULL) {
+        return (jobject) NULL;
+    }
     (*env)->SetByteArrayRegion(env, ary, (jsize) 0, cryptoKey->Length,
                                     (jbyte *)cryptoKey->Value);
     if ((*env)->ExceptionOccurred(env)) {
@@ -1036,6 +1048,9 @@
     ULONG nlflags = htonl(*flags);
 
     ary = (*env)->NewByteArray(env, sizeof(*flags));
+    if (ary == NULL) {
+        return (jobject) NULL;
+    }
     (*env)->SetByteArrayRegion(env, ary, (jsize) 0, sizeof(*flags),
                                     (jbyte *)&nlflags);
     if ((*env)->ExceptionOccurred(env)) {
@@ -1088,3 +1103,10 @@
     }
     return kerberosTime;
 }
+
+void ThrowOOME(JNIEnv *env, const char *szMessage) {
+    jclass exceptionClazz = (*env)->FindClass(env, "java/lang/OutOfMemoryError");
+    if (exceptionClazz != NULL) {
+        (*env)->ThrowNew(env, exceptionClazz, szMessage);
+    }
+}
--- a/src/windows/native/sun/security/mscapi/security.cpp	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/security/mscapi/security.cpp	Thu Nov 08 18:48:19 2018 +0000
@@ -425,6 +425,15 @@
                     // Create ArrayList to store certs in each chain
                     jobject jArrayList =
                         env->NewObject(clazzArrayList, mNewArrayList);
+                    if (jArrayList == NULL) {
+                        __leave;
+                    }
+
+                    // Cleanup the previous allocated name
+                    if (pszNameString) {
+                        delete [] pszNameString;
+                        pszNameString = NULL;
+                    }
 
                     for (unsigned int j=0; j < rgpChain->cElement; j++)
                     {
@@ -463,6 +472,9 @@
 
                         // Allocate and populate byte array
                         jbyteArray byteArray = env->NewByteArray(cbCertEncoded);
+                        if (byteArray == NULL) {
+                            __leave;
+                        }
                         env->SetByteArrayRegion(byteArray, 0, cbCertEncoded,
                             (jbyte*) pbCertEncoded);
 
@@ -471,30 +483,44 @@
                         env->CallVoidMethod(obj, mGenCert, byteArray, jArrayList);
                     }
 
-                    if (bHasNoPrivateKey)
+                    // Usually pszNameString should be non-NULL. It's either
+                    // the friendly name or an element from the subject name
+                    // or SAN.
+                    if (pszNameString)
                     {
-                        // Generate certificate chain and store into cert chain
-                        // collection
-                        env->CallVoidMethod(obj, mGenCertChain,
-                            env->NewStringUTF(pszNameString),
-                            jArrayList);
-                    }
-                    else
-                    {
-                        // Determine key type: RSA or DSA
-                        DWORD dwData = CALG_RSA_KEYX;
-                        DWORD dwSize = sizeof(DWORD);
-                        ::CryptGetKeyParam(hUserKey, KP_ALGID, (BYTE*)&dwData,
-                                &dwSize, NULL);
+                        if (bHasNoPrivateKey)
+                        {
+                            // Generate certificate chain and store into cert chain
+                            // collection
+                            jstring name = env->NewStringUTF(pszNameString);
+                            if (name == NULL) {
+                                __leave;
+                            }
+                            env->CallVoidMethod(obj, mGenCertChain,
+                                name,
+                                jArrayList);
+                        }
+                        else
+                        {
+                            // Determine key type: RSA or DSA
+                            DWORD dwData = CALG_RSA_KEYX;
+                            DWORD dwSize = sizeof(DWORD);
+                            ::CryptGetKeyParam(hUserKey, KP_ALGID, (BYTE*)&dwData,
+                                    &dwSize, NULL);
 
-                        if ((dwData & ALG_TYPE_RSA) == ALG_TYPE_RSA)
-                        {
-                            // Generate RSA certificate chain and store into cert
-                            // chain collection
-                            env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,
-                                    env->NewStringUTF(pszNameString),
-                                    (jlong) hCryptProv, (jlong) hUserKey,
-                                    dwPublicKeyLength, jArrayList);
+                            if ((dwData & ALG_TYPE_RSA) == ALG_TYPE_RSA)
+                            {
+                                // Generate RSA certificate chain and store into cert
+                                // chain collection
+                                jstring name = env->NewStringUTF(pszNameString);
+                                if (name == NULL) {
+                                    __leave;
+                                }
+                                env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,
+                                        name,
+                                        (jlong) hCryptProv, (jlong) hUserKey,
+                                        dwPublicKeyLength, jArrayList);
+                            }
                         }
                     }
                 }
@@ -641,6 +667,9 @@
 
         // Create new byte array
         jbyteArray temp = env->NewByteArray(dwBufLen);
+        if (temp == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer
         env->SetByteArrayRegion(temp, 0, dwBufLen, pSignedHashBuffer);
@@ -964,6 +993,9 @@
         }
 
         jCertAliasChars = env->GetStringChars(jCertAliasName, NULL);
+        if (jCertAliasChars == NULL) {
+            __leave;
+        }
         memcpy(pszCertAliasName, jCertAliasChars, size * sizeof(WCHAR));
         pszCertAliasName[size] = 0; // append the string terminator
 
@@ -1600,7 +1632,9 @@
         }
 
         // Create new byte array
-        result = env->NewByteArray(dwBufLen);
+        if ((result = env->NewByteArray(dwBufLen)) == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer to Java buffer
         env->SetByteArrayRegion(result, 0, dwBufLen, (jbyte*) pData);
@@ -1651,7 +1685,9 @@
         }
 
         // Create new byte array
-        blob = env->NewByteArray(dwBlobLen);
+        if ((blob = env->NewByteArray(dwBlobLen)) == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer to Java buffer
         env->SetByteArrayRegion(blob, 0, dwBlobLen, (jbyte*) pbKeyBlob);
@@ -1680,6 +1716,13 @@
     __try {
 
         jsize length = env->GetArrayLength(jKeyBlob);
+        jsize headerLength = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
+
+        if (length < headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid BLOB");
+            __leave;
+        }
+
         if ((keyBlob = env->GetByteArrayElements(jKeyBlob, 0)) == NULL) {
             __leave;
         }
@@ -1706,7 +1749,9 @@
             exponentBytes[i] = ((BYTE*) &pRsaPubKey->pubexp)[j];
         }
 
-        exponent = env->NewByteArray(len);
+        if ((exponent = env->NewByteArray(len)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(exponent, 0, len, exponentBytes);
     }
     __finally
@@ -1736,6 +1781,13 @@
     __try {
 
         jsize length = env->GetArrayLength(jKeyBlob);
+        jsize headerLength = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
+
+        if (length < headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid BLOB");
+            __leave;
+        }
+
         if ((keyBlob = env->GetByteArrayElements(jKeyBlob, 0)) == NULL) {
             __leave;
         }
@@ -1752,19 +1804,25 @@
             (RSAPUBKEY *) (keyBlob + sizeof(PUBLICKEYSTRUC));
 
         int len = pRsaPubKey->bitlen / 8;
+        if (len < 0 || len > length - headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid key length");
+            __leave;
+        }
+
         modulusBytes = new (env) jbyte[len];
         if (modulusBytes == NULL) {
             __leave;
         }
-        BYTE * pbModulus =
-            (BYTE *) (keyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY));
+        BYTE * pbModulus = (BYTE *) (keyBlob + headerLength);
 
         // convert from little-endian while copying from blob
         for (int i = 0, j = len - 1; i < len; i++, j--) {
             modulusBytes[i] = pbModulus[j];
         }
 
-        modulus = env->NewByteArray(len);
+        if ((modulus = env->NewByteArray(len)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(modulus, 0, len, modulusBytes);
     }
     __finally
@@ -1972,7 +2030,9 @@
             }
         }
 
-        jBlob = env->NewByteArray(jBlobLength);
+        if ((jBlob = env->NewByteArray(jBlobLength)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(jBlob, 0, jBlobLength, jBlobBytes);
 
     }
--- a/src/windows/native/sun/security/pkcs11/wrapper/p11_md.c	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/security/pkcs11/wrapper/p11_md.c	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -75,18 +75,20 @@
  * Signature: (Ljava/lang/String;)V
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect
-    (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList)
+    (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath,
+        jstring jGetFunctionList)
 {
     HINSTANCE hModule;
     CK_C_GetFunctionList C_GetFunctionList;
-    CK_RV rv;
+    CK_RV rv = CK_ASSERT_OK;
     ModuleData *moduleData;
     jobject globalPKCS11ImplementationReference;
-    LPVOID lpMsgBuf;
-    char *exceptionMessage;
+    LPVOID lpMsgBuf = NULL;
+    char *exceptionMessage = NULL;
     const char *getFunctionListStr;
 
-    const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0);
+    const char *libraryNameStr = (*env)->GetStringUTFChars(env,
+            jPkcs11ModulePath, 0);
     TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr);
 
 
@@ -106,21 +108,24 @@
             0,
             NULL
         );
-        exceptionMessage = (char *) malloc(sizeof(char) * (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1));
+        exceptionMessage = (char *) malloc(sizeof(char) *
+                (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1));
+        if (exceptionMessage == NULL) {
+            throwOutOfMemoryError(env, 0);
+            goto cleanup;
+        }
         strcpy(exceptionMessage, (LPTSTR) lpMsgBuf);
         strcat(exceptionMessage, libraryNameStr);
         throwIOException(env, (LPTSTR) exceptionMessage);
-        /* Free the buffer. */
-        free(exceptionMessage);
-        LocalFree(lpMsgBuf);
-        return;
+        goto cleanup;
     }
 
     /*
      * Get function pointer to C_GetFunctionList
      */
     getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0);
-    C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule, getFunctionListStr);
+    C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule,
+            getFunctionListStr);
     (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr);
     if (C_GetFunctionList == NULL) {
         FormatMessage(
@@ -135,24 +140,37 @@
             NULL
         );
         throwIOException(env, (LPTSTR) lpMsgBuf);
-        /* Free the buffer. */
-        LocalFree( lpMsgBuf );
-        return;
+        goto cleanup;
     }
 
     /*
      * Get function pointers to all PKCS #11 functions
      */
     moduleData = (ModuleData *) malloc(sizeof(ModuleData));
+    if (moduleData == NULL) {
+        throwOutOfMemoryError(env, 0);
+        goto cleanup;
+    }
     moduleData->hModule = hModule;
     moduleData->applicationMutexHandler = NULL;
     rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr));
     globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj);
     putModuleEntry(env, globalPKCS11ImplementationReference, moduleData);
 
-    (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr);
     TRACE0("FINISHED\n");
 
+cleanup:
+    /* Free up allocated buffers we no longer need */
+    if (lpMsgBuf != NULL) {
+        LocalFree( lpMsgBuf );
+    }
+    if (libraryNameStr != NULL) {
+        (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr);
+    }
+    if (exceptionMessage != NULL) {
+        free(exceptionMessage);
+    }
+
     if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
 }
 
--- a/src/windows/native/sun/windows/WPrinterJob.cpp	Wed Nov 07 05:14:12 2018 -0800
+++ b/src/windows/native/sun/windows/WPrinterJob.cpp	Thu Nov 08 18:48:19 2018 +0000
@@ -886,10 +886,12 @@
               if (!present) {
                   defIndices[0] = papers[0];
               }
-              if (papers != NULL) {
-                  free((char*)papers);
-              }
           }
+          // If DeviceCapabilities fails, then also free paper allocation
+          if (papers != NULL) {
+              free((char*)papers);
+          }
+
       }
       RESTORE_CONTROLWORD
   }
--- a/test/java/math/BigDecimal/AddTests.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/java/math/BigDecimal/AddTests.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6362557
+ * @bug 6362557 8200698
  * @summary Some tests of add(BigDecimal, mc)
  * @author Joseph D. Darcy
  */
@@ -290,12 +290,35 @@
         return failures;
     }
 
+    private static int arithmeticExceptionTest() {
+        int failures = 0;
+        BigDecimal x;
+        try {
+            //
+            // The string representation "1e2147483647", which is equivalent
+            // to 10^Integer.MAX_VALUE, is used to create an augend with an
+            // unscaled value of 1 and a scale of -Integer.MAX_VALUE. The
+            // addend "1" has an unscaled value of 1 with a scale of 0. The
+            // addition is performed exactly and is specified to have a
+            // preferred scale of max(-Integer.MAX_VALUE, 0). As the scale
+            // of the result is 0, a value with Integer.MAX_VALUE + 1 digits
+            // would need to be created. Therefore the next statement is
+            // expected to overflow with an ArithmeticException.
+            //
+            x = new BigDecimal("1e2147483647").add(new BigDecimal(1));
+            failures++;
+        } catch (ArithmeticException ae) {
+        }
+        return failures;
+    }
+
     public static void main(String argv[]) {
         int failures = 0;
 
         failures += extremaTests();
         failures += roundingGradationTests();
         failures += precisionConsistencyTest();
+        failures += arithmeticExceptionTest();
 
         if (failures > 0) {
             throw new RuntimeException("Incurred " + failures +
--- a/test/java/math/BigDecimal/Constructor.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/java/math/BigDecimal/Constructor.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,20 +23,48 @@
 
 /*
  * @test
- * @bug 4259453
- * @summary Test string constructor of BigDecimal
+ * @bug 4259453 8200698
+ * @summary Test constructors of BigDecimal
+ * @library ..
+ * @run testng Constructor
  */
+
 import java.math.BigDecimal;
+import org.testng.annotations.Test;
 
 public class Constructor {
-    public static void main(String[] args) throws Exception {
-        boolean nfe = false;
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void stringConstructor() {
+        BigDecimal bd = new BigDecimal("1.2e");
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorNegativeOffset() {
+        BigDecimal bd = new BigDecimal(new char[5], -1, 4, null);
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorNegativeLength() {
+        BigDecimal bd = new BigDecimal(new char[5], 0, -1, null);
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorIntegerOverflow() {
         try {
-            BigDecimal bd = new BigDecimal("1.2e");
-        } catch (NumberFormatException e) {
-            nfe = true;
+            BigDecimal bd = new BigDecimal(new char[5], Integer.MAX_VALUE - 5,
+                6, null);
+        } catch (NumberFormatException nfe) {
+            if (nfe.getCause() instanceof IndexOutOfBoundsException) {
+                throw new RuntimeException
+                    ("NumberFormatException should not have a cause");
+            } else {
+                throw nfe;
+            }
         }
-        if (!nfe)
-            throw new Exception("Didn't throw NumberFormatException");
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorIndexOutOfBounds() {
+        BigDecimal bd = new BigDecimal(new char[5], 1, 5, null);
     }
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/math/BigInteger/LargeValueExceptions.java	Thu Nov 08 18:48:19 2018 +0000
@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8200698
+ * @summary Tests that exceptions are thrown for ops which would overflow
+ * @requires (sun.arch.data.model == "64" & os.maxMemory > 4g)
+ * @run testng/othervm -Xmx4g LargeValueExceptions
+ */
+import java.math.BigInteger;
+import static java.math.BigInteger.ONE;
+import org.testng.annotations.Test;
+
+//
+// The intent of this test is to probe the boundaries between overflow and
+// non-overflow, principally for multiplication and squaring, specifically
+// the largest values which should not overflow and the smallest values which
+// should. The transition values used are not necessarily at the exact
+// boundaries but should be "close." Quite a few different values were used
+// experimentally before settling on the ones in this test. For multiplication
+// and squaring all cases are exercised: definite overflow and non-overflow
+// which can be detected "up front," and "indefinite" overflow, i.e., overflow
+// which cannot be detected up front so further calculations are required.
+//
+// Testing negative values is unnecessary. For both multiplication and squaring
+// the paths lead to the Toom-Cook algorithm where the signum is used only to
+// determine the sign of the result and not in the intermediate calculations.
+// This is also true for exponentiation.
+//
+// @Test annotations with optional element "enabled" set to "false" should
+// succeed when "enabled" is set to "true" but they take too to run in the
+// course of the typical regression test execution scenario.
+//
+public class LargeValueExceptions {
+    // BigInteger.MAX_MAG_LENGTH
+    private static final int MAX_INTS = 1 << 26;
+
+    // Number of bits corresponding to MAX_INTS
+    private static final long MAX_BITS = (0xffffffffL & MAX_INTS) << 5L;
+
+    // Half BigInteger.MAX_MAG_LENGTH
+    private static final int MAX_INTS_HALF = MAX_INTS / 2;
+
+    // --- squaring ---
+
+    // Largest no overflow determined by examining data lengths alone.
+    @Test(enabled=false)
+    public void squareNoOverflow() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS - 1).subtract(ONE);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Smallest no overflow determined by extra calculations.
+    @Test(enabled=false)
+    public void squareIndefiniteOverflowSuccess() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS - 1);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Largest overflow detected by extra calculations.
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void squareIndefiniteOverflowFailure() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS).subtract(ONE);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Smallest overflow detected by examining data lengths alone.
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void squareDefiniteOverflow() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS);
+        BigInteger y = x.multiply(x);
+    }
+
+    // --- multiplication ---
+
+    // Largest no overflow determined by examining data lengths alone.
+    @Test(enabled=false)
+    public void multiplyNoOverflow() {
+        final int halfMaxBits = MAX_INTS_HALF << 5;
+
+        BigInteger x = ONE.shiftLeft(halfMaxBits).subtract(ONE);
+        BigInteger y = ONE.shiftLeft(halfMaxBits - 1).subtract(ONE);
+        BigInteger z = x.multiply(y);
+    }
+
+    // Smallest no overflow determined by extra calculations.
+    @Test(enabled=false)
+    public void multiplyIndefiniteOverflowSuccess() {
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS/2) - 1);
+        long m = MAX_BITS - x.bitLength();
+
+        BigInteger y = ONE.shiftLeft((int)(MAX_BITS/2) - 1);
+        long n = MAX_BITS - y.bitLength();
+
+        if (m + n != MAX_BITS) {
+            throw new RuntimeException("Unexpected leading zero sum");
+        }
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // Largest overflow detected by extra calculations.
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void multiplyIndefiniteOverflowFailure() {
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS/2)).subtract(ONE);
+        long m = MAX_BITS - x.bitLength();
+
+        BigInteger y = ONE.shiftLeft((int)(MAX_BITS/2)).subtract(ONE);
+        long n = MAX_BITS - y.bitLength();
+
+        if (m + n != MAX_BITS) {
+            throw new RuntimeException("Unexpected leading zero sum");
+        }
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // Smallest overflow detected by examining data lengths alone.
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void multiplyDefiniteOverflow() {
+        // multiply by 4 as MAX_INTS_HALF refers to ints
+        byte[] xmag = new byte[4*MAX_INTS_HALF];
+        xmag[0] = (byte)0xff;
+        BigInteger x = new BigInteger(1, xmag);
+
+        byte[] ymag = new byte[4*MAX_INTS_HALF + 1];
+        ymag[0] = (byte)0xff;
+        BigInteger y = new BigInteger(1, ymag);
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // --- exponentiation ---
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow() {
+        BigInteger.TEN.pow(Integer.MAX_VALUE);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow1() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent));
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow2() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent)).add(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void powOverflow3() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent)).subtract(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(enabled=false)
+    public void powOverflow4() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent - 1)).add(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+}
--- a/test/sun/security/tools/jarsigner/TimestampCheck.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/TimestampCheck.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -75,6 +75,7 @@
  *          java.base/sun.security.util
  *          java.base/sun.security.tools.keytool
  * @library /lib/testlibrary
+ * @compile -XDignore.symbol.file TimestampCheck.java
  * @run main/othervm/timeout=600 TimestampCheck
  */
 public class TimestampCheck {
@@ -121,12 +122,12 @@
          */
         byte[] sign(byte[] input, String path) throws Exception {
             DerValue value = new DerValue(input);
-            System.out.println("\nIncoming Request\n===================");
-            System.out.println("Version: " + value.data.getInteger());
+            System.out.println("#\n# Incoming Request\n===================");
+            System.out.println("# Version: " + value.data.getInteger());
             DerValue messageImprint = value.data.getDerValue();
             AlgorithmId aid = AlgorithmId.parse(
                     messageImprint.data.getDerValue());
-            System.out.println("AlgorithmId: " + aid);
+            System.out.println("# AlgorithmId: " + aid);
 
             ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
             BigInteger nonce = null;
@@ -134,16 +135,16 @@
                 DerValue v = value.data.getDerValue();
                 if (v.tag == DerValue.tag_Integer) {
                     nonce = v.getBigInteger();
-                    System.out.println("nonce: " + nonce);
+                    System.out.println("# nonce: " + nonce);
                 } else if (v.tag == DerValue.tag_Boolean) {
-                    System.out.println("certReq: " + v.getBoolean());
+                    System.out.println("# certReq: " + v.getBoolean());
                 } else if (v.tag == DerValue.tag_ObjectId) {
                     policyId = v.getOID();
-                    System.out.println("PolicyID: " + policyId);
+                    System.out.println("# PolicyID: " + policyId);
                 }
             }
 
-            System.out.println("\nResponse\n===================");
+            System.out.println("#\n# Response\n===================");
             FileInputStream is = new FileInputStream(keystore);
             KeyStore ks = KeyStore.getInstance("JCEKS");
             ks.load(is, "changeit".toCharArray());
@@ -229,10 +230,10 @@
                     "1.2.840.113549.1.9.16.1.4"),
                     new DerValue(tstInfo2.toByteArray()));
 
-            System.out.println("Signing...");
-            System.out.println(new X500Name(signer
+            System.out.println("# Signing...");
+            System.out.println("# " + new X500Name(signer
                     .getIssuerX500Principal().getName()));
-            System.out.println(signer.getSerialNumber());
+            System.out.println("# " + signer.getSerialNumber());
 
             SignerInfo signerInfo = new SignerInfo(
                     new X500Name(signer.getIssuerX500Principal().getName()),
@@ -303,8 +304,6 @@
 
     public static void main(String[] args) throws Throwable {
 
-        prepare();
-
         try (Handler tsa = Handler.init(0, "ks");) {
             tsa.start();
             int port = tsa.getPort();
@@ -313,62 +312,99 @@
 
             if (args.length == 0) {         // Run this test
 
+                prepare();
+
                 sign("normal")
                         .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
                         .shouldHaveExitValue(0);
 
                 verify("normal.jar")
                         .shouldNotContain("Warning")
                         .shouldHaveExitValue(0);
 
+                verify("normal.jar", "-verbose")
+                        .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
+                        .shouldHaveExitValue(0);
+
                 // Simulate signing at a previous date:
                 // 1. tsold will create a timestamp of 20 days ago.
                 // 2. oldsigner expired 10 days ago.
-                // jarsigner will show a warning at signing.
                 signVerbose("tsold", "unsigned.jar", "tsold.jar", "oldsigner")
-                        .shouldHaveExitValue(4);
+                        .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
+                        .shouldHaveExitValue(0);
 
                 // It verifies perfectly.
                 verify("tsold.jar", "-verbose", "-certs")
                         .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
                         .shouldHaveExitValue(0);
 
+                // No timestamp
                 signVerbose(null, "unsigned.jar", "none.jar", "signer")
                         .shouldContain("is not timestamped")
+                        .shouldContain("The signer certificate will expire on")
                         .shouldHaveExitValue(0);
 
+                verify("none.jar", "-verbose")
+                        .shouldContain("do not include a timestamp")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldHaveExitValue(0);
+
+                // Error cases
+
                 signVerbose(null, "unsigned.jar", "badku.jar", "badku")
+                        .shouldContain("KeyUsage extension doesn't allow code signing")
                         .shouldHaveExitValue(8);
                 checkBadKU("badku.jar");
 
                 // 8180289: unvalidated TSA cert chain
                 sign("tsnoca")
-                        .shouldContain("TSA certificate chain is invalid")
+                        .shouldContain("The TSA certificate chain is invalid. "
+                                + "Reason: Path does not chain with any of the trust anchors")
                         .shouldHaveExitValue(64);
 
                 verify("tsnoca.jar", "-verbose", "-certs")
                         .shouldHaveExitValue(64)
                         .shouldContain("jar verified")
-                        .shouldContain("Invalid TSA certificate chain")
-                        .shouldContain("TSA certificate chain is invalid");
+                        .shouldContain("Invalid TSA certificate chain: "
+                                + "Path does not chain with any of the trust anchors")
+                        .shouldContain("TSA certificate chain is invalid."
+                                + " Reason: Path does not chain with any of the trust anchors");
 
                 sign("nononce")
+                        .shouldContain("Nonce missing in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("diffnonce")
+                        .shouldContain("Nonce changed in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("baddigest")
+                        .shouldContain("Digest octets changed in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("diffalg")
+                        .shouldContain("Digest algorithm not")
                         .shouldHaveExitValue(1);
+
                 sign("fullchain")
                         .shouldHaveExitValue(0);   // Success, 6543440 solved.
+
                 sign("tsbad1")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("tsbad2")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("tsbad3")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("nocert")
+                        .shouldContain("Certificate not included in timestamp token")
                         .shouldHaveExitValue(1);
 
                 sign("policy", "-tsapolicyid",  "1.2.3")
@@ -376,6 +412,7 @@
                 checkTimestamp("policy.jar", "1.2.3", "SHA-256");
 
                 sign("diffpolicy", "-tsapolicyid", "1.2.3")
+                        .shouldContain("TSAPolicyID changed in timestamp token")
                         .shouldHaveExitValue(1);
 
                 sign("sha1alg", "-tsadigestalg", "SHA")
@@ -384,11 +421,13 @@
 
                 sign("tsweak", "-digestalg", "MD5",
                                 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
-                        .shouldHaveExitValue(68);
+                        .shouldHaveExitValue(68)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp");
                 checkWeak("tsweak.jar");
 
                 signVerbose("tsweak", "unsigned.jar", "tsweak2.jar", "signer")
                         .shouldHaveExitValue(64)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
                         .shouldContain("TSA certificate chain is invalid");
 
                 // Weak timestamp is an error and jar treated unsigned
@@ -397,19 +436,26 @@
                         .shouldContain("treated as unsigned")
                         .shouldMatch("Timestamp.*512.*weak");
 
+                // Algorithm used in signing is weak
                 signVerbose("normal", "unsigned.jar", "halfWeak.jar", "signer",
                         "-digestalg", "MD5")
+                        .shouldContain("-digestalg option is considered a security risk")
                         .shouldHaveExitValue(4);
                 checkHalfWeak("halfWeak.jar");
 
                 // sign with DSA key
                 signVerbose("normal", "unsigned.jar", "sign1.jar", "dsakey")
                         .shouldHaveExitValue(0);
+
                 // sign with RSAkeysize < 1024
                 signVerbose("normal", "sign1.jar", "sign2.jar", "weakkeysize")
+                        .shouldContain("Algorithm constraints check failed on keysize")
                         .shouldHaveExitValue(4);
                 checkMultiple("sign2.jar");
 
+                // 8191438: jarsigner should print when a timestamp will expire
+                checkExpiration();
+
                 // When .SF or .RSA is missing or invalid
                 checkMissingOrInvalidFiles("normal.jar");
 
@@ -417,12 +463,118 @@
                     checkInvalidTsaCertKeyUsage();
                 }
             } else {                        // Run as a standalone server
-                System.out.println("Press Enter to quit server");
+                System.out.println("TSA started at " + host
+                        + ". Press Enter to quit server");
                 System.in.read();
             }
         }
     }
 
+    private static void checkExpiration() throws Exception {
+
+        // Warning when expired or expiring
+        signVerbose(null, "unsigned.jar", "expired.jar", "expired")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        verify("expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        signVerbose(null, "unsigned.jar", "expiring.jar", "expiring")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        verify("expiring.jar")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        // Info for long
+        signVerbose(null, "unsigned.jar", "long.jar", "long")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("long.jar")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldNotContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+        verify("long.jar", "-verbose")
+                .shouldContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+
+        // Both expired
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-expired.jar", "expired")
+                .shouldContain("The signer certificate has expired.")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldContain("timestamp has expired.")
+                .shouldHaveExitValue(4);
+
+        // TS expired but signer still good
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-long.jar", "long")
+                .shouldContain("The timestamp expired on")
+                .shouldHaveExitValue(0);
+        verify("tsexpired-long.jar")
+                .shouldMatch("timestamp expired on.*However, the JAR will be valid")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-ca.jar", "ca")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-ca.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+
+        // Warning when expiring
+        sign("tsexpiring")
+                .shouldContain("timestamp will expire within")
+                .shouldHaveExitValue(0);
+        verify("tsexpiring.jar")
+                .shouldContain("timestamp will expire within")
+                .shouldNotContain("still valid")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpiring", "unsigned.jar",
+                "tsexpiring-ca.jar", "ca")
+                .shouldContain("self-signed")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(4); // self-signed
+        verify("tsexpiring-ca.jar")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpiringsoon", "unsigned.jar",
+                "tsexpiringsoon-long.jar", "long")
+                .shouldContain("The timestamp will expire")
+                .shouldHaveExitValue(0);
+        verify("tsexpiringsoon-long.jar")
+                .shouldMatch("timestamp will expire.*However, the JAR will be valid until")
+                .shouldHaveExitValue(0);
+
+        // Info for long
+        sign("tslong")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldNotContain("timestamp will expire on")
+                .shouldNotContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar", "-verbose")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+    }
+
     private static void checkInvalidTsaCertKeyUsage() throws Exception {
 
         // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.
@@ -670,6 +822,14 @@
         keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
         keytool("-alias tsnoca -genkeypair -dname CN=tsnoca");
 
+        keytool("-alias expired -genkeypair -dname CN=expired");
+        keytool("-alias expiring -genkeypair -dname CN=expiring");
+        keytool("-alias long -genkeypair -dname CN=long");
+        keytool("-alias tsexpired -genkeypair -dname CN=tsexpired");
+        keytool("-alias tsexpiring -genkeypair -dname CN=tsexpiring");
+        keytool("-alias tsexpiringsoon -genkeypair -dname CN=tsexpiringsoon");
+        keytool("-alias tslong -genkeypair -dname CN=tslong");
+
         // tsnoca's issuer will be removed from keystore later
         keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
         gencert("tsnoca", "-ext eku:critical=ts");
@@ -681,7 +841,15 @@
         gencert("dsakey");
         gencert("weakkeysize");
         gencert("badku", "-ext ku:critical=keyAgreement");
-        gencert("ts", "-ext eku:critical=ts");
+        gencert("ts", "-ext eku:critical=ts -validity 500");
+
+        gencert("expired", "-validity 10 -startdate -12d");
+        gencert("expiring", "-validity 178");
+        gencert("long", "-validity 182");
+        gencert("tsexpired", "-ext eku:critical=ts -validity 10 -startdate -12d");
+        gencert("tsexpiring", "-ext eku:critical=ts -validity 364");
+        gencert("tsexpiringsoon", "-ext eku:critical=ts -validity 170"); // earlier than expiring
+        gencert("tslong", "-ext eku:critical=ts -validity 367");
 
 
         for (int i = 0; i < 5; i++) {
@@ -701,7 +869,7 @@
             }
         }
 
-        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 45");
+        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 500");
 
         gencert("tsweak", "-ext eku:critical=ts");
         gencert("tsbad1");
--- a/test/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -51,32 +51,12 @@
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create first key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
-
-        // create second key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        createAlias(FIRST_KEY_ALIAS);
+        createAlias(SECOND_KEY_ALIAS);
 
         // sign jar with first key
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 "-signedjar", SIGNED_JARFILE,
@@ -93,7 +73,7 @@
 
         // sign jar with second key
         analyzer = ProcessTools.executeCommand(JARSIGNER,
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 UPDATED_SIGNED_JARFILE,
@@ -104,7 +84,7 @@
         // create keystore that contains only first key
         ProcessTools.executeCommand(KEYTOOL,
                 "-importkeystore",
-                "-srckeystore", BOTH_KEYS_KEYSTORE,
+                "-srckeystore", KEYSTORE,
                 "-srcalias", FIRST_KEY_ALIAS,
                 "-srcstorepass", PASSWORD,
                 "-srckeypass", PASSWORD,
@@ -113,7 +93,7 @@
                 "-deststorepass", PASSWORD,
                 "-destkeypass", PASSWORD).shouldHaveExitValue(0);
 
-        // verify jar with keystore that contains only first key in strict mode,
+        // verify jar with keystore that contains only first key,
         // so there is signed entry (FirstClass.class) that is not signed
         // by any alias in the keystore
         analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,17 +52,14 @@
 
         // create a certificate whose signer certificate's
         // ExtendedKeyUsage extension doesn't allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        // create key pair for jar signing
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-ext", "ExtendedkeyUsage=serverAuth",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,17 +53,13 @@
 
         // create a certificate whose signer certificate's KeyUsage extension
         // doesn't allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-ext", "KeyUsage=keyAgreement",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,10 +25,6 @@
 import jdk.testlibrary.ProcessTools;
 import jdk.testlibrary.JarUtils;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.util.Base64;
-
 /**
  * @test
  * @bug 8024302 8026037
@@ -38,25 +34,14 @@
  */
 public class BadNetscapeCertTypeTest extends Test {
 
-    private static final String NETSCAPE_KEYSTORE_BASE64 = TEST_SOURCES + FS
-            + "bad_netscape_cert_type.jks.base64";
-
-    private static final String NETSCAPE_KEYSTORE
-            = "bad_netscape_cert_type.jks";
-
     /**
      * The test signs and verifies a jar that contains entries
      * whose signer certificate's NetscapeCertType extension
      * doesn't allow code signing (badNetscapeCertType).
      * Warning message is expected.
-     * Run bad_netscape_cert_type.sh script to create bad_netscape_cert_type.jks
      */
     public static void main(String[] args) throws Throwable {
 
-        Files.write(Paths.get(NETSCAPE_KEYSTORE),
-                Base64.getMimeDecoder().decode(
-                    Files.readAllBytes(Paths.get(NETSCAPE_KEYSTORE_BASE64))));
-
         BadNetscapeCertTypeTest test = new BadNetscapeCertTypeTest();
         test.start();
     }
@@ -66,10 +51,22 @@
         Utils.createFiles(FIRST_FILE);
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
+        // create a certificate whose signer certificate's
+        // NetscapeCertType extension doesn't allow code signing
+        // create key pair for jar signing
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
+                // NetscapeCertType [ SSL client ]
+                "-ext", "2.16.840.1.113730.1.1=03020780",
+                "-validity", Integer.toString(VALIDITY));
+
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
                 "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 "-signedjar", SIGNED_JARFILE,
@@ -82,7 +79,7 @@
         analyzer = ProcessTools.executeCommand(JARSIGNER,
                 "-verify",
                 "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 SIGNED_JARFILE);
@@ -94,7 +91,7 @@
                 "-verify",
                 "-verbose",
                 "-strict",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 SIGNED_JARFILE);
--- a/test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,117 +21,52 @@
  * questions.
  */
 
-import java.io.File;
 import jdk.testlibrary.OutputAnalyzer;
 import jdk.testlibrary.ProcessTools;
 import jdk.testlibrary.JarUtils;
 
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
 /**
  * @test
  * @bug 8024302 8026037
  * @summary Test for chainNotValidated warning
  * @library /lib/testlibrary ../
- * @run main ChainNotValidatedTest
+ * @run main ChainNotValidatedTest ca2yes
+ * @run main ChainNotValidatedTest ca2no
  */
 public class ChainNotValidatedTest extends Test {
 
-    private static final String CHAIN = "chain";
-
-    /**
-     * The test signs and verifies a jar that contains entries
-     * whose cert chain can't be correctly validated (chainNotValidated).
-     * Warning message is expected.
-     */
     public static void main(String[] args) throws Throwable {
         ChainNotValidatedTest test = new ChainNotValidatedTest();
-        test.start();
+        test.start(args[0].equals("ca2yes"));
     }
 
-    private void start() throws Throwable {
+    private void start(boolean ca2yes) throws Throwable {
         // create a jar file that contains one class file
         Utils.createFiles(FIRST_FILE);
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
-        // create self-signed certificate whose BasicConstraints extension
-        // is set to false, so the certificate may not be used
-        // as a parent certificate (certpath validation should fail)
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkeypair",
-                "-alias", CA_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=CA",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        // We have 2 @run. Need cleanup.
+        Files.deleteIfExists(Paths.get(KEYSTORE));
 
-        // create a certificate that is signed by self-signed certificate
-        // despite of it may not be used as a parent certificate
-        // (certpath validation should fail)
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkeypair",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        // Root CA is not checked at all. If the intermediate CA has
+        // BasicConstraints extension set to true, it will be valid.
+        // Otherwise, chain validation will fail.
+        createAlias(CA_KEY_ALIAS);
+        createAlias(CA2_KEY_ALIAS);
+        issueCert(CA2_KEY_ALIAS,
+                "-ext",
+                "bc=ca:" + ca2yes);
 
-        ProcessTools.executeCommand(KEYTOOL,
-                "-certreq",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
+        createAlias(KEY_ALIAS);
+        issueCert(KEY_ALIAS, "-alias", CA2_KEY_ALIAS);
 
-        ProcessTools.executeCommand(KEYTOOL,
-                "-gencert",
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-infile", CERT_REQUEST_FILENAME,
-                "-validity", Integer.toString(VALIDITY),
-                "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
-
-        ProcessTools.executeCommand(KEYTOOL,
-                "-importcert",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_FILENAME).shouldHaveExitValue(0);
-
-        ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-
-        pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-
-        // remove CA certificate
+        // remove CA2 certificate so it's not trusted
         ProcessTools.executeCommand(KEYTOOL,
                 "-delete",
-                "-alias", CA_KEY_ALIAS,
+                "-alias", CA2_KEY_ALIAS,
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD).shouldHaveExitValue(0);
@@ -141,12 +76,15 @@
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 "-signedjar", SIGNED_JARFILE,
                 UNSIGNED_JARFILE,
                 KEY_ALIAS);
 
-        checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        if (ca2yes) {
+            checkSigning(analyzer, "!" + CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        } else {
+            checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        }
 
         // verify signed jar
         analyzer = ProcessTools.executeCommand(JARSIGNER,
@@ -155,10 +93,13 @@
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 SIGNED_JARFILE);
 
-        checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        if (ca2yes) {
+            checkVerifying(analyzer, 0, "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
+            checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
 
         // verify signed jar in strict mode
         analyzer = ProcessTools.executeCommand(JARSIGNER,
@@ -168,11 +109,15 @@
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 SIGNED_JARFILE);
 
-        checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
-                CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        if (ca2yes) {
+            checkVerifying(analyzer, 0,
+                    "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
+            checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
+                    CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
 
         System.out.println("Test passed");
     }
--- a/test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,18 +52,13 @@
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create key pair for jar signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-startdate", "-" + SHORT_VALIDITY * 2 + "d",
-                "-validity", Integer.toString(SHORT_VALIDITY))
-                .shouldHaveExitValue(0);
+                "-validity", Integer.toString(SHORT_VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,17 +52,12 @@
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create key pair for jar signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-validity", Integer.toString(SHORT_VALIDITY))
-                .shouldHaveExitValue(0);
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
+                "-validity", Integer.toString(SHORT_VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -51,16 +51,11 @@
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+        issueCert(
+                KEY_ALIAS,
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -54,35 +54,25 @@
         // create a jar file that contains one class file
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
+        createAlias(CA_KEY_ALIAS);
+
         // create first expired certificate
         // whose ExtendedKeyUsage extension does not allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
+        createAlias(FIRST_KEY_ALIAS);
+        issueCert(
+                FIRST_KEY_ALIAS,
                 "-ext", "ExtendedkeyUsage=serverAuth",
                 "-startdate", "-" + VALIDITY * 2 + "d",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // create second expired certificate
         // whose KeyUsage extension does not allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
+        createAlias(SECOND_KEY_ALIAS);
+        issueCert(
+                SECOND_KEY_ALIAS,
                 "-ext", "ExtendedkeyUsage=serverAuth",
                 "-startdate", "-" + VALIDITY * 2 + "d",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar with first key
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -57,15 +57,9 @@
                 * 24 * 60 * 60 * 1000L);
 
         // create key pair
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+        issueCert(KEY_ALIAS,
                 "-validity", Integer.toString(VALIDITY));
 
         // sign jar file
--- a/test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -49,29 +49,19 @@
         Utils.createFiles(FIRST_FILE);
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
-        // create first key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        createAlias(CA_KEY_ALIAS);
 
         // create first key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        createAlias(FIRST_KEY_ALIAS);
+        issueCert(
+                FIRST_KEY_ALIAS,
+                "-validity", Integer.toString(VALIDITY));
+
+        // create first key pair for signing
+        createAlias(SECOND_KEY_ALIAS);
+        issueCert(
+                SECOND_KEY_ALIAS,
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar with first key
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
--- a/test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -50,15 +50,11 @@
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create certificate that will be valid only tomorrow
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-startdate", "+1d",
                 "-validity", Integer.toString(VALIDITY));
 
--- a/test/sun/security/tools/jarsigner/warnings/Test.java	Wed Nov 07 05:14:12 2018 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/Test.java	Thu Nov 08 18:48:19 2018 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,7 +45,6 @@
     static final String FIRST_FILE = "first.txt";
     static final String SECOND_FILE = "second.txt";
     static final String PASSWORD = "password";
-    static final String BOTH_KEYS_KEYSTORE = "both_keys.jks";
     static final String FIRST_KEY_KEYSTORE = "first_key.jks";
     static final String KEYSTORE = "keystore.jks";
     static final String FIRST_KEY_ALIAS = "first";
@@ -55,11 +54,13 @@
     static final String CERT_REQUEST_FILENAME = "test.req";
     static final String CERT_FILENAME = "test.crt";
     static final String CA_KEY_ALIAS = "ca";
+    static final String CA2_KEY_ALIAS = "ca2";
     static final int KEY_SIZE = 2048;
     static final int TIMEOUT = 6 * 60 * 1000;   // in millis
     static final int VALIDITY = 365;
 
     static final String WARNING = "Warning:";
+    static final String WARNING_OR_ERROR = "(Warning|Error):";
 
     static final String CHAIN_NOT_VALIDATED_VERIFYING_WARNING
             = "This jar contains entries "
@@ -126,10 +127,10 @@
             + "(%1$tY-%1$tm-%1$td) or after any future revocation date.";
 
     static final String NO_TIMESTAMP_VERIFYING_WARN_TEMPLATE
-            = "This jar contains signatures that does not include a timestamp. "
+            = "This jar contains signatures that do not include a timestamp. "
             + "Without a timestamp, users may not be able to validate this jar "
-            + "after the signer certificate's expiration date "
-            + "(%1$tY-%1$tm-%1$td) or after any future revocation date.";
+            + "after any of the signer certificates expire "
+            + "(as early as %1$tY-%1$tm-%1$td).";
 
     static final String NOT_YET_VALID_CERT_SIGNING_WARNING
             = "The signer certificate is not yet valid.";
@@ -154,14 +155,72 @@
     static final int ALIAS_NOT_IN_STORE_EXIT_CODE = 32;
     static final int NOT_SIGNED_BY_ALIAS_EXIT_CODE = 32;
 
+    protected void createAlias(String alias, String ... options)
+            throws Throwable {
+        List<String> cmd = new ArrayList<>();
+        cmd.addAll(Arrays.asList(
+                "-genkeypair",
+                "-alias", alias,
+                "-keyalg", KEY_ALG,
+                "-keysize", Integer.toString(KEY_SIZE),
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-dname", "CN=" + alias));
+        cmd.addAll(Arrays.asList(options));
+
+        keytool(cmd.toArray(new String[cmd.size()]))
+                .shouldHaveExitValue(0);
+    }
+
+    protected void issueCert(String alias, String ... options)
+            throws Throwable {
+        keytool("-certreq",
+                "-alias", alias,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".req")
+                    .shouldHaveExitValue(0);
+
+        List<String> cmd = new ArrayList<>();
+        cmd.addAll(Arrays.asList(
+                "-gencert",
+                "-alias", CA_KEY_ALIAS,
+                "-infile", alias + ".req",
+                "-outfile", alias + ".cert",
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".req"));
+        cmd.addAll(Arrays.asList(options));
+
+        keytool(cmd.toArray(new String[cmd.size()]))
+                .shouldHaveExitValue(0);
+
+        keytool("-importcert",
+                "-alias", alias,
+                "-keystore", KEYSTORE,
+                "-storepass", PASSWORD,
+                "-keypass", PASSWORD,
+                "-file", alias + ".cert")
+                    .shouldHaveExitValue(0);
+    }
+
     protected void checkVerifying(OutputAnalyzer analyzer, int expectedExitCode,
             String... warnings) {
         analyzer.shouldHaveExitValue(expectedExitCode);
+        int count = 0;
         for (String warning : warnings) {
-            analyzer.shouldContain(warning);
+            if (warning.startsWith("!")) {
+                analyzer.shouldNotContain(warning.substring(1));
+            } else {
+                count++;
+                analyzer.shouldContain(warning);
+            }
         }
-        if (warnings.length > 0) {
-            analyzer.shouldContain(WARNING);
+        if (count > 0) {
+            analyzer.shouldMatch(WARNING_OR_ERROR);
         }
         if (expectedExitCode == 0) {
             analyzer.shouldContain(JAR_VERIFIED);
@@ -172,11 +231,17 @@
 
     protected void checkSigning(OutputAnalyzer analyzer, String... warnings) {
         analyzer.shouldHaveExitValue(0);
+        int count = 0;
         for (String warning : warnings) {
-            analyzer.shouldContain(warning);
+            if (warning.startsWith("!")) {
+                analyzer.shouldNotContain(warning.substring(1));
+            } else {
+                count++;
+                analyzer.shouldContain(warning);
+            }
         }
-        if (warnings.length > 0) {
-            analyzer.shouldContain(WARNING);
+        if (count > 0) {
+            analyzer.shouldMatch(WARNING_OR_ERROR);
         }
         analyzer.shouldContain(JAR_SIGNED);
     }
--- a/test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.jks.base64	Wed Nov 07 05:14:12 2018 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-/u3+7QAAAAIAAAABAAAAAQAFYWxpYXMAAAFBpkwW0gAAAr0wggK5MA4GCisGAQQB
-KgIRAQEFAASCAqWkGJ3PPjYmWNKrV23Y1u413RMAkrRZ+1OLWYRcQt4jtxtIyEH5
-Ho5b9dy9XN9FBKlTOD4c2Pc1T43BLKXeuLu3uLLeIxgXFt0z9CLyGwdYZZ751kXr
-DQ99qY6aNQUO6SeE4Wdty0KPAqid6ZJ8bF7T6wsTZSvNhaBRzyFydEfG7bbUYjOl
-mWC44nlsu6VEU3o9RQpcm1gIMwradOaIVT/HoB2bKmAv8gHqI6kreiEZwTdZkSAI
-IRi2vt1RPllXt5hgjDxUfZe8XOYYweR4Vt2/jVuKLJ80DNTu/9SeUD88zQAz53k4
-r3nRhv6TRcPm6tV/Fh92XLHiskL+TAzTfm+bUAudPCCVxN+yRtxvAgA+UhdV/SuM
-Zn5F6nrmP+YJG1hmprgCJIJJaCEXa9RXYC+vIVpO0WVNRuGlGm+/1afnOuQC8Wss
-ShXwjkaqTwAhqBFq7eYmmP8BK3gflYrt2zDLXvhl4ndVvMhMthFJ3ZvLh2LWpqLI
-/n8EMCf8US3lIEFk9DTHBZjffiHkqK2e7+FXEpG3xrgE6ZYLMdbd5Pb3YjZfhQx+
-ZTtiEFzYSaEGhacek/m7dRq1qmwgFsytng2OdWZe2ln8LJY0odr1dGUfJHfgafvi
-tlfbkg/rgjONtwliChDggbkUwnerrj/D/zrdEufUvfyltSshhHXRNDD3fH6spmEk
-hHKgxEc4yvxqJxzdMGtuib355aSfNegyl+GsnsKzXQCVEK2h3BLTQObzaD+8NZ12
-LQHvbrCiaS34vxJ3rEC+a+SW7itZp0aCdXMWdMJNkRKqyLBD3vG3zN05sN3XrhEM
-8BRT020TWY00tbVFbbBFheYLQRgTjrQtr0Yt6UHWBZc4N20crDLcSH5gqcCOVpla
-1Y2uqFEn8yqrGRwn/kgfNgAAAAEABVguNTA5AAABtTCCAbEwggEaoAMCAQICCQDH
-cEuVvzCuqzANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARUZXN0MB4XDTEzMTAx
-MTA2NTUwNloXDTIzMTAwOTA2NTUwNlowDzENMAsGA1UEAwwEVGVzdDCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA8hOfp2Dcnvt//ZZQAja9TRiwKqXVS+TiYE3S
-gngCBjIi+YYdo0DsUeO5MBfE6uvCWOr5lwAR/u1iaJOhIoGJDiGoPasZlt+yIgtR
-LzA7j2q+1q6kcwiVxfikI3aUgHV/QsybTriT4Bf7TQNKtJG23MQa4sD7+PjtCWD7
-p3cHTfkCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEBBQUA
-A4GBAKoDlTJ8wLRA7G8XdGm4gv733n1cSQzlkcsjfOO6/mA5Jvu8tyFNq9HTf9AT
-VXbrbGcUYJjhzSSY3w5apXK1kXyqTB1LUNEJ45WnmciqSSecVTpJz9TuegyoX0Zf
-HScSgqfDmjqoiiFiNCgn3ZEJ85ykGvoFYGH+php+BVi3S0bj5E/jRpyV3vNnii/S
-wJDSAXF6bYU=
--- a/test/sun/security/tools/jarsigner/warnings/bad_netscape_cert_type.sh	Wed Nov 07 05:14:12 2018 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,48 +0,0 @@
-#
-# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-#!/bin/sh
-
-# This script creates JKS keystore with a certificate
-# that contains Netscape Certificate Type extension
-# that does not allow code signing
-# The keystore is used by BadNetscapeCertTypeTest.java test
-
-rm -rf keystore.jks
-echo "nsCertType = client" > ext.cfg
-
-openssl req -new -out cert.req -keyout key.pem -days 3650 \
-    -passin pass:password -passout pass:password -subj "/CN=Test"
-openssl x509 -in cert.req -out cert.pem -req -signkey key.pem -days 3650 \
-    -passin pass:password -extfile ext.cfg
-openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 \
-    -passin pass:password -passout pass:password -name alias
-
-${JAVA_HOME}/bin/keytool -importkeystore \
-    -srckeystore keystore.p12 -srcstoretype pkcs12 \
-    -srcstorepass password -alias alias \
-    -destkeystore bad_netscape_cert_type.jks -deststoretype jks \
-    -deststorepass password -destalias alias \
-
-openssl base64 < bad_netscape_cert_type.jks > bad_netscape_cert_type.jks.base64
-rm -rf cert.req key.pem cert.pem keystore.p12 ext.cfg bad_netscape_cert_type.jks