changeset 16946:a49fb788ac68

8165367: Additional tests for JEP 288: Disable SHA-1 Certificates Summary: The new tests just focus on the usage constraints TLSSever and TLSClient with TLS communication Reviewed-by: ascarpino Contributed-by: John Jiang <sha.jiang@oracle.com>
author mli
date Tue, 04 Apr 2017 19:58:24 -0700
parents f940fd4232d8
children 9289f04ddb54
files test/sun/security/ssl/CertPathRestrictions/JSSEClient.java test/sun/security/ssl/CertPathRestrictions/JSSEServer.java test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer
diffstat 25 files changed, 1828 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEClient.java	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/*
+ * A SSL socket client.
+ */
+public class JSSEClient {
+
+    public static void main(String[] args) throws Exception {
+        System.out.println("Client: arguments=" + String.join("; ", args));
+
+        int port = Integer.valueOf(args[0]);
+        String[] trustNames = args[1].split(TLSRestrictions.DELIMITER);
+        String[] certNames = args[2].split(TLSRestrictions.DELIMITER);
+        String constraint = args[3];
+
+        TLSRestrictions.setConstraint("Client", constraint);
+
+        SSLContext context = TLSRestrictions.createSSLContext(
+                trustNames, certNames);
+        SSLSocketFactory socketFactory = context.getSocketFactory();
+        try (SSLSocket socket = (SSLSocket) socketFactory.createSocket()) {
+            socket.connect(new InetSocketAddress("localhost", port),
+                    TLSRestrictions.TIMEOUT);
+            socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+            System.out.println("Client: connected");
+
+            InputStream sslIS = socket.getInputStream();
+            OutputStream sslOS = socket.getOutputStream();
+            sslOS.write('C');
+            sslOS.flush();
+            sslIS.read();
+            System.out.println("Client: finished");
+        } catch (Exception e) {
+            throw new RuntimeException("Client: failed.", e);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEServer.java	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+
+/*
+ * A SSL socket server.
+ */
+public class JSSEServer {
+
+    private SSLServerSocket server = null;
+
+    private Exception exception = null;
+
+    public JSSEServer(SSLContext context, String constraint,
+            boolean needClientAuth) throws Exception {
+        TLSRestrictions.setConstraint("Server", constraint);
+
+        SSLServerSocketFactory serverFactory = context.getServerSocketFactory();
+        server = (SSLServerSocket) serverFactory.createServerSocket(0);
+        server.setSoTimeout(TLSRestrictions.TIMEOUT);
+        server.setNeedClientAuth(needClientAuth); // for dual authentication
+        System.out.println("Server: port=" + getPort());
+    }
+
+    public void start() {
+        new Thread(new Runnable() {
+
+            @Override
+            public void run() {
+                try {
+                    System.out.println("Server: started");
+                    try (SSLSocket socket = (SSLSocket) server.accept()) {
+                        socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+                        InputStream sslIS = socket.getInputStream();
+                        OutputStream sslOS = socket.getOutputStream();
+                        sslIS.read();
+                        sslOS.write('S');
+                        sslOS.flush();
+                        System.out.println("Server: finished");
+                    }
+                } catch (Exception e) {
+                    e.printStackTrace(System.out);
+                    exception = e;
+                }
+            }
+        }).start();
+    }
+
+    public int getPort() {
+        return server.getLocalPort();
+    }
+
+    public Exception getException() {
+        return exception;
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,544 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.SocketTimeoutException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.stream.Collectors;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManagerFactory;
+
+import jdk.test.lib.process.OutputAnalyzer;
+import jdk.test.lib.process.ProcessTools;
+
+/*
+ * @test
+ * @summary Verify the restrictions for certificate path on JSSE with custom trust store.
+ * @library /test/lib
+ * @compile JSSEClient.java
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions DEFAULT
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C9
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S9
+ */
+public class TLSRestrictions {
+
+    private static final String TEST_CLASSES = System.getProperty("test.classes");
+    private static final char[] PASSWORD = "".toCharArray();
+    private static final String CERT_DIR = System.getProperty("cert.dir",
+            System.getProperty("test.src") + "/certs");
+
+    static final String PROP = "jdk.certpath.disabledAlgorithms";
+    static final String NOSHA1 = "MD2, MD5";
+    private static final String TLSSERVER = "SHA1 usage TLSServer";
+    private static final String TLSCLIENT = "SHA1 usage TLSClient";
+    static final String JDKCATLSSERVER = "SHA1 jdkCA & usage TLSServer";
+    static final String JDKCATLSCLIENT = "SHA1 jdkCA & usage TLSClient";
+
+    // This is a space holder in command arguments, and stands for none certificate.
+    static final String NONE_CERT = "NONE_CERT";
+
+    static final String DELIMITER = ",";
+    static final int TIMEOUT = 30000;
+
+    // It checks if java.security contains constraint "SHA1 jdkCA & usage TLSServer"
+    // for jdk.certpath.disabledAlgorithms by default.
+    private static void checkDefaultConstraint() {
+        System.out.println(
+                "Case: Checks the default value of jdk.certpath.disabledAlgorithms");
+        if (!Security.getProperty(PROP).contains(JDKCATLSSERVER)) {
+            throw new RuntimeException(String.format(
+                    "%s doesn't contain constraint \"%s\", the real value is \"%s\".",
+                    PROP, JDKCATLSSERVER, Security.getProperty(PROP)));
+        }
+    }
+
+    /*
+     * This method creates trust store and key store with specified certificates
+     * respectively. And then it creates SSL context with the stores.
+     * If trustNames contains NONE_CERT only, it does not create a custom trust
+     * store, but the default one in JDK.
+     *
+     * @param trustNames Trust anchors, which are used to create custom trust store.
+     *                   If null, no custom trust store is created and the default
+     *                   trust store in JDK is used.
+     * @param certNames Certificate chain, which is used to create key store.
+     *                  It cannot be null.
+     */
+    static SSLContext createSSLContext(String[] trustNames,
+            String[] certNames) throws Exception {
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+
+        TrustManagerFactory tmf = null;
+        if (trustNames != null && trustNames.length > 0
+                && !trustNames[0].equals(NONE_CERT)) {
+            KeyStore trustStore = KeyStore.getInstance("JKS");
+            trustStore.load(null, null);
+            for (int i = 0; i < trustNames.length; i++) {
+                try (InputStream is = new ByteArrayInputStream(
+                        loadCert(trustNames[i]).getBytes())) {
+                    Certificate trustCert = certFactory.generateCertificate(is);
+                    trustStore.setCertificateEntry("trustCert-" + i, trustCert);
+                }
+            }
+
+            tmf = TrustManagerFactory.getInstance("PKIX");
+            tmf.init(trustStore);
+        }
+
+        Certificate[] certChain = new Certificate[certNames.length];
+        for (int i = 0; i < certNames.length; i++) {
+            try (InputStream is = new ByteArrayInputStream(
+                    loadCert(certNames[i]).getBytes())) {
+                Certificate cert = certFactory.generateCertificate(is);
+                certChain[i] = cert;
+            }
+        }
+
+        PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(
+                Base64.getMimeDecoder().decode(loadPrivKey(certNames[0])));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PrivateKey privKey = keyFactory.generatePrivate(privKeySpec);
+
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null, null);
+        keyStore.setKeyEntry("keyCert", privKey, PASSWORD, certChain);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
+        kmf.init(keyStore, PASSWORD);
+
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(kmf.getKeyManagers(),
+                tmf == null ? null : tmf.getTrustManagers(), null);
+        return context;
+    }
+
+    /*
+     * This method sets jdk.certpath.disabledAlgorithms, and then retrieves
+     * and prints its value.
+     */
+    static void setConstraint(String side, String constraint) {
+        System.out.printf("%s: Old %s=%s%n", side, PROP,
+                Security.getProperty(PROP));
+        Security.setProperty(PROP, constraint);
+        System.out.printf("%s: New %s=%s%n", side, PROP,
+                Security.getProperty(PROP));
+    }
+
+    /*
+     * This method is used to run a variety of cases.
+     * It launches a server, and then takes a client to connect the server.
+     * Both of server and client use the same certificates.
+     *
+     * @param trustNames Trust anchors, which are used to create custom trust store.
+     *                   If null, the default trust store in JDK is used.
+     * @param certNames Certificate chain, which is used to create key store.
+     *                  It cannot be null. The first certificate is regarded as
+     *                  the end entity.
+     * @param serverConstraint jdk.certpath.disabledAlgorithms value on server side.
+     * @param clientConstraint jdk.certpath.disabledAlgorithms value on client side.
+     * @param needClientAuth If true, server side acquires client authentication;
+     *                       otherwise, false.
+     * @param pass If true, the connection should be blocked; otherwise, false.
+     */
+    static void testConstraint(String[] trustNames, String[] certNames,
+            String serverConstraint, String clientConstraint,
+            boolean needClientAuth, boolean pass) throws Exception {
+        String trustNameStr = trustNames == null ? ""
+                : String.join(DELIMITER, trustNames);
+        String certNameStr = certNames == null ? ""
+                : String.join(DELIMITER, certNames);
+
+        System.out.printf("Case:%n"
+                + "  trustNames=%s; certNames=%s%n"
+                + "  serverConstraint=%s; clientConstraint=%s%n"
+                + "  needClientAuth=%s%n"
+                + "  pass=%s%n%n",
+                trustNameStr, certNameStr,
+                serverConstraint, clientConstraint,
+                needClientAuth,
+                pass);
+
+        JSSEServer server = new JSSEServer(
+                createSSLContext(trustNames, certNames),
+                serverConstraint,
+                needClientAuth);
+        int port = server.getPort();
+        server.start();
+
+        // Run client on another JVM so that its properties cannot be in conflict
+        // with server's.
+        OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJvm(
+                "-Dcert.dir=" + CERT_DIR,
+                "-Djava.security.debug=certpath",
+                "-classpath",
+                TEST_CLASSES,
+                "JSSEClient",
+                port + "",
+                trustNameStr,
+                certNameStr,
+                clientConstraint);
+        int exitValue = outputAnalyzer.getExitValue();
+        String clientOut = outputAnalyzer.getOutput();
+
+        Exception serverException = server.getException();
+        if (serverException != null) {
+            System.out.println("Server: failed");
+        }
+
+        System.out.println("---------- Client output start ----------");
+        System.out.println(clientOut);
+        System.out.println("---------- Client output end ----------");
+
+        if (serverException instanceof SocketTimeoutException
+                || clientOut.contains("SocketTimeoutException")) {
+            System.out.println("The communication gets timeout and skips the test.");
+            return;
+        }
+
+        if (pass) {
+            if (serverException != null || exitValue != 0) {
+                throw new RuntimeException(
+                        "Unexpected failure. Operation was blocked.");
+            }
+        } else {
+            if (serverException == null && exitValue == 0) {
+                throw new RuntimeException(
+                        "Unexpected pass. Operation was allowed.");
+            }
+
+            // The test may encounter non-SSL issues, like network problem.
+            if (!(serverException instanceof SSLHandshakeException
+                    || clientOut.contains("SSLHandshakeException"))) {
+                throw new RuntimeException("Failure with unexpected exception.");
+            }
+        }
+    }
+
+    /*
+     * This method is used to run a variety of cases, which don't require client
+     * authentication by default.
+     */
+    static void testConstraint(String[] trustNames, String[] certNames,
+            String serverConstraint, String clientConstraint, boolean pass)
+            throws Exception {
+        testConstraint(trustNames, certNames, serverConstraint, clientConstraint,
+                false, pass);
+    }
+
+    public static void main(String[] args) throws Exception {
+        switch (args[0]) {
+        // Case DEFAULT only checks one of default settings for
+        // jdk.certpath.disabledAlgorithms in JDK/conf/security/java.security.
+        case "DEFAULT":
+            checkDefaultConstraint();
+            break;
+
+        // Cases C1 and S1 use SHA256 root CA in trust store,
+        // and use SHA256 end entity in key store.
+        // C1 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S1 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C1":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S1":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C2 and S2 use SHA256 root CA in trust store,
+        // and use SHA1 end entity in key store.
+        // C2 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S2 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C2":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S2":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C3 and S3 use SHA1 root CA in trust store,
+        // and use SHA1 end entity in key store.
+        // C3 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S3 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C3":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S3":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C4 and S4 use SHA1 root CA as trust store,
+        // and use SHA256 end entity in key store.
+        // C4 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S4 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C4":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S4":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C5 and S5 use SHA1 root CA in trust store,
+        // and use SHA256 intermediate CA and SHA256 end entity in key store.
+        // C5 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S5 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C5":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+                            "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S5":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+                            "INTER_CA_SHA256-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+
+        // Cases C6 and S6 use SHA1 root CA as trust store,
+        // and use SHA1 intermediate CA and SHA256 end entity in key store.
+        // C6 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S6 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C6":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+                            "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S6":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA1" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+                            "INTER_CA_SHA1-ROOT_CA_SHA1" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C7 and S7 use SHA256 root CA in trust store,
+        // and use SHA256 intermediate CA and SHA1 end entity in key store.
+        // C7 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S7 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C7":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+                            "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S7":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+                            "INTER_CA_SHA256-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C8 and S8 use SHA256 root CA in trust store,
+        // and use SHA1 intermediate CA and SHA256 end entity in key store.
+        // C8 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S8 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should be blocked.
+        case "C8":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    false);
+            break;
+        case "S8":
+            testConstraint(
+                    new String[] { "ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    false);
+            break;
+
+        // Cases C9 and S9 use SHA256 root CA and SHA1 intermediate CA in trust store,
+        // and use SHA256 end entity in key store.
+        // C9 only sets constraint "SHA1 usage TLSServer" on client side;
+        // S9 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+        // The connection of the both cases should not be blocked.
+        case "C9":
+            testConstraint(
+                    new String[] {
+                            "ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    NOSHA1,
+                    TLSSERVER,
+                    true);
+            break;
+        case "S9":
+            testConstraint(
+                    new String[] {
+                            "ROOT_CA_SHA256",
+                            "INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    new String[] {
+                            "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+                    TLSCLIENT,
+                    NOSHA1,
+                    true,
+                    true);
+            break;
+        }
+
+        System.out.println("Case passed");
+        System.out.println("========================================");
+    }
+
+    private static String loadCert(String certName) {
+        try {
+            Path certFilePath = Paths.get(CERT_DIR, certName + ".cer");
+            return String.join("\n",
+                    Files.lines(certFilePath).filter((String line) -> {
+                        return !line.startsWith("Certificate")
+                                && !line.startsWith(" ");
+                    }).collect(Collectors.toList()));
+        } catch (IOException e) {
+            throw new RuntimeException("Load certificate failed", e);
+        }
+    }
+
+    private static String loadPrivKey(String certName) {
+        Path priveKeyFilePath = Paths.get(CERT_DIR, certName + "-PRIV.key");
+        try {
+            return new String(Files.readAllBytes(priveKeyFilePath));
+        } catch (IOException e) {
+            throw new RuntimeException("Load private key failed", e);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYQDZxHxNJV8dQ
+I6mfJjuIZxAe5CX9GCrS3Fajh5DXIQwdcvQ4s6YdKzwFn+8dUdspdNTnS+bWjfYw
+0iAbsMt6L6ewutaZf6aufh1EBYiwNOvN8C8Cx0iiE8NiBo833AYWHKhDC4qu63QR
+dYwb9j+Jg8t6p0lQ64sFLDN/RJOcWlaPQbJbSNBKePQR7WOFvdJgFAdQmQjL+ND6
+PSui9QByyXQ+3nfs7ID4paUxYbCrJMh5/AJqaT04DYDEumfmURUn5+ZOIqmqvI2I
+pNXN5gVzL3b8mM2WGr5dpRY5cZ1X//BQ91SNjrKNJlmKFr7nMCfAdzxIW4b/sArv
+eYNE2Vy7AgMBAAECggEBAJNtkopFoiJiKnFypxyiJAG4cwbGu/ZxwX3/uLGPY3S9
+3oJhvxVs+IzEQdHchempSwTAyizS9cuLGfs6bbcConZF0Sa0NXvb/SZ4npQwm6St
+Ci2Xx530JWQ0qPyyB1r65rXguBp8AaXR/8msPqkQ8YOSqKWzea4u96Zhn9g8Koe6
+AD/8FeSzJBDVbJ+C7jKX/7sKsHbYqulzLMQf0lqXFxpGW+5UJaozoQOWXnnmqU3T
+0i4uaGUCXHbQM8eh3fvMFCU4UQMYVS1QOSvZJTnO5bSb8SqeQnCMnQ18ltq4sL43
+qFsEcmAjrlhNoBwslqvfY1bX9NtXyFZ8PuD8OvoFxPkCgYEAxlVfD2qcrAoOcbDe
+Em9hDVPizRuzGuCHi9K2YLDrLVDNd6NF3Pk65JiTsd1fA2AZdi+ljKGEwBhNFOyk
+qwmK2K4sYy7zvyV3Blmwvyo7+OaeexYF8RIw5keGlRsgHTGarzlQAlJu91UmyAmE
+C/99fZbSWo9QndJ0FVR6G3ti71UCgYEAxITBJqVtNFnv4PGdc3FNsYXlRQcSWjs9
+/1lsppLQjC6HMsb6JpxYUF3D4oFiUESKe/9kZzl1H/65Cm2mYq8sj+7lug8P5tz7
+DQa91dFM02r8JLO6TitSuZfbc0XH0K450ntuQlKX581icYSGBUwQHGApespuNVlh
+Mg7CmwNse88CgYAienrhEjaUTdc++nFQoR4tE/UslPEo7fmCXCoqWvc3VIGzl6Ww
+iX8seD3MwOAglRc4DYZpETcjsdXMmmrx9OG3U2gSAfqLszai2vq38N6mIWlRmn2D
+8BaiIbMKvsFxccsjRQJctPnnc10fj0/uSgcFyy9cYOex2AEoKBxmJKgJVQKBgA0c
+HhaJ6qMXbN1AwRQ2dsxk9kqIkjzavuQN/yWNncP8RqCojX+N5oZV+v9dSkW4jNSA
+0R3hw2KDB60ea38h2IMxmLm0z4bDLyxLSta8w7dG59M6+i7EzRv8eXNTMGVHeiwE
+d/KMt/2Kwgp4oMgxrtF1yM6cOoXslINWYL0emVoZAoGAcEKzO8LgPJsIVjRFz3ri
+0AQqiXQzYek2WAXYhlQCvBVn8in3MYcxKhjA3Og3Lym0xvZ+/8SbII9QNaidbgIH
+HDreeJW4KE5EfVnDaYcxwK/9LXZXndIxrpR0YKNSvZT7DuuQtFCoxJcASxb1k9Tc
+5MPT+pyPL+9v2q56ry56qas=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e8:33:78:c7:69:9c:28:c2
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:07 2017 GMT
+            Not After : Mar 28 04:51:07 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:98:40:36:71:1f:13:49:57:c7:50:23:a9:9f:26:
+                    3b:88:67:10:1e:e4:25:fd:18:2a:d2:dc:56:a3:87:
+                    90:d7:21:0c:1d:72:f4:38:b3:a6:1d:2b:3c:05:9f:
+                    ef:1d:51:db:29:74:d4:e7:4b:e6:d6:8d:f6:30:d2:
+                    20:1b:b0:cb:7a:2f:a7:b0:ba:d6:99:7f:a6:ae:7e:
+                    1d:44:05:88:b0:34:eb:cd:f0:2f:02:c7:48:a2:13:
+                    c3:62:06:8f:37:dc:06:16:1c:a8:43:0b:8a:ae:eb:
+                    74:11:75:8c:1b:f6:3f:89:83:cb:7a:a7:49:50:eb:
+                    8b:05:2c:33:7f:44:93:9c:5a:56:8f:41:b2:5b:48:
+                    d0:4a:78:f4:11:ed:63:85:bd:d2:60:14:07:50:99:
+                    08:cb:f8:d0:fa:3d:2b:a2:f5:00:72:c9:74:3e:de:
+                    77:ec:ec:80:f8:a5:a5:31:61:b0:ab:24:c8:79:fc:
+                    02:6a:69:3d:38:0d:80:c4:ba:67:e6:51:15:27:e7:
+                    e6:4e:22:a9:aa:bc:8d:88:a4:d5:cd:e6:05:73:2f:
+                    76:fc:98:cd:96:1a:be:5d:a5:16:39:71:9d:57:ff:
+                    f0:50:f7:54:8d:8e:b2:8d:26:59:8a:16:be:e7:30:
+                    27:c0:77:3c:48:5b:86:ff:b0:0a:ef:79:83:44:d9:
+                    5c:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CC
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         22:63:2a:de:80:70:92:f7:53:e4:7f:ea:01:2b:13:b3:1b:02:
+         2e:10:b4:1d:b7:33:7f:6f:0d:88:46:5a:b8:db:83:95:77:e2:
+         db:da:2e:31:0a:85:c6:9a:75:84:ca:73:5c:be:e3:30:22:7e:
+         bc:60:43:49:7c:69:06:14:4a:89:e4:23:ca:25:99:85:d6:06:
+         16:d5:9e:a8:fd:25:43:88:07:12:0a:7e:de:24:33:71:ab:a4:
+         23:aa:4e:dc:0f:89:ef:a9:09:89:55:a1:1d:ee:48:35:ea:10:
+         42:ff:98:15:2a:e8:5c:46:e0:e4:4f:4c:b9:07:e0:da:08:6f:
+         ce:4a:fe:98:3e:ae:c5:e5:6a:6e:50:0f:2d:39:01:55:ed:59:
+         0b:65:30:54:e8:72:26:ee:9f:cf:3f:ce:6a:20:c8:87:c9:81:
+         bc:f8:b3:ec:77:bb:bc:5b:8c:3f:18:fd:08:76:ad:27:59:fc:
+         b8:74:96:0d:cd:ed:97:91:6b:95:89:3a:f3:78:de:9f:06:a6:
+         ce:36:01:f0:be:ae:d8:d6:c4:3d:51:8a:2a:e0:43:59:8c:b4:
+         eb:63:93:9d:53:72:f8:4b:a3:c7:4a:da:2e:56:33:b6:46:1b:
+         45:a8:23:1b:82:de:6d:4e:e0:18:cf:9b:ba:22:68:8b:8c:de:
+         6f:08:2d:bc
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIJAOgzeMdpnCjCMA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEEyNTYwHhcNMTcwMzMwMDQ1MTA3WhcNMjcwMzI4MDQ1MTA3WjB/MQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09y
+ZzENMAsGA1UECwwESmF2YTE3MDUGA1UEAwwuRU5EX0VOVElUWV9TSEExLUlOVEVS
+X0NBX1NIQTI1Ni1ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAJhANnEfE0lXx1AjqZ8mO4hnEB7kJf0YKtLcVqOHkNchDB1y9Diz
+ph0rPAWf7x1R2yl01OdL5taN9jDSIBuwy3ovp7C61pl/pq5+HUQFiLA0683wLwLH
+SKITw2IGjzfcBhYcqEMLiq7rdBF1jBv2P4mDy3qnSVDriwUsM39Ek5xaVo9BsltI
+0Ep49BHtY4W90mAUB1CZCMv40Po9K6L1AHLJdD7ed+zsgPilpTFhsKskyHn8Ampp
+PTgNgMS6Z+ZRFSfn5k4iqaq8jYik1c3mBXMvdvyYzZYavl2lFjlxnVf/8FD3VI2O
+so0mWYoWvucwJ8B3PEhbhv+wCu95g0TZXLsCAwEAAaOBjDCBiTB5BgNVHSMEcjBw
+oWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkx
+DDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9DQV9T
+SEEyNTaCCQCEoXAdCpLTzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB
+AQAiYyregHCS91Pkf+oBKxOzGwIuELQdtzN/bw2IRlq424OVd+Lb2i4xCoXGmnWE
+ynNcvuMwIn68YENJfGkGFEqJ5CPKJZmF1gYW1Z6o/SVDiAcSCn7eJDNxq6Qjqk7c
+D4nvqQmJVaEd7kg16hBC/5gVKuhcRuDkT0y5B+DaCG/OSv6YPq7F5WpuUA8tOQFV
+7VkLZTBU6HIm7p/PP85qIMiHyYG8+LPsd7u8W4w/GP0Idq0nWfy4dJYNze2XkWuV
+iTrzeN6fBqbONgHwvq7Y1sQ9UYoq4ENZjLTrY5OdU3L4S6PHStouVjO2RhtFqCMb
+gt5tTuAYz5u6ImiLjN5vCC28
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaYlKNTU1iQes/
+BtivvM1ixjCk1muM1RdMkJQItZB21y1kM1OLp3EmGKqVqwKbS5OTrMIxjPUwD9Ly
+aRJMvSP1xve7zwmNXOngA8eukmQ2olQU58ble6IAHcj4qg7a38E1ITvDmAswhTzK
+fI4Z6okLCjKfYafnfbi5JA+E6fiArB3zimjne+tiUNYZh2eYspsOOw6cmaLtIbMP
+ZyXy4iP6OCNIikb08Da27zjVn04i1SeUEv1YFmn4B9GWcNLAXyM1LmCNi70+SATp
+aZYRjr/BBR6LNZMBsNKJblWFXK3UtfYFiypyirgQjzPtLb1XsuMhfqMt8QZDh8n3
+YvYTW59xAgMBAAECggEAb4NPdhnoDulsL5XWZf55vhtH0ZQv/Qz+xbj57myQJS8B
+Xa4b1i8dRv/Hc3+MaDIyXHEWBGle9jjOVbwzfP4D88eyzrMMxKOSRTKI72qPQ5qm
+ZrpnxNzZv0d2TQvBZCBnrzKWKu1joVYX0anCghdR/VIqwVoDe+Clx9xTFGLI4yKO
+7v0dkr4Hxn3NT6bTV18V6PoGbUgIsmpNYQPFyUM/IHG2ewDffLP+tm7RsEfKYmcx
+Hr70pmWBpM9hwTAC+uXHuNXnsX4IjEQOXmm4PJ/A/sm2Bad93SPwi15e29MV8YbO
+vvirGLaepa7AUvqoK0DFNCLU6vCeFJ7DUZ/u2P8x8QKBgQDxNOWvy3EV4/P/ocSf
+itMtXZWj4driT4vUGwFZWfr3CVpZVaUmqXYeVdzNGuoWlmXOiOAuOepnlA36FCb5
+aGE4cq/hbdtbr+v6awEj5/A2me/ax1W1z6lD0pg0QJ7KvqFCBzVol5yTiWZKBVE+
+jp2waPfes770AUHczw9KKvEGtQKBgQDnxxiZAxtoNmOaB/NZmPNBKvWDw858+QX2
++u/jEH3pW393tUnipgIoo6yvd6djhJ6/4ViOxdioMIQCBab/xuSB4lfQsrJsWvS9
+uYB794s7CV2r3kUa3ux8wAovW6Fc369nD7JjUPX/Cq3zdlyTDt9LVLRCpZ6Li1xB
+r0ZVlpgPTQKBgQCgKay+X0tW6sdxHfyOp8Lz46liaa1LCuDhVZE+wHXZpXc9zJXe
+JzZMjF0SQGXh27n8O30IlOJmJrRlMw5yG/I6ZkUNXkIDDryVyom2SuOBjhPrZOMv
+15UgeO0h/Sqzm4M+ccTwD4Qjn1+xlPhOnqpsoja8xQPtyAvwz/jqGbtz5QKBgH01
+pSgj8Y5es3fmi6P/aInv9ynzgX0p2fsOnMEBi8Og1j+JBB0YqVni8crozNiKMGhg
+CEM4xk41x1qASzMp8w/ngqEPqCu5BzXnHG3b0K9X4+6Q6KwXeZH6/IWQ7p8Jh+wZ
+IrlcZ0gcMNSxQFmBU0eSvr6yUe/4nSIu2cQq0oKRAoGAUEFd0LxZw50BdCdpJlcQ
++oTbSUYQhAzPF2ybfR6i8IxXoOjVxpvRehlbwXIQV7XEqamXFTmBLIvuAlF1yWoH
+hzxNJuEgPRTPztnHD6LVzvuf2ain+CFZuDrXBT2l8PyF9BNL4/DMRrbgdCxr9F0O
+Ti0VJo1TRE8vVzUfVc9w1RI=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            86:09:85:57:41:bf:86:65
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:06 2017 GMT
+            Not After : Mar 28 04:51:06 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:62:52:8d:4d:4d:62:41:eb:3f:06:d8:af:bc:
+                    cd:62:c6:30:a4:d6:6b:8c:d5:17:4c:90:94:08:b5:
+                    90:76:d7:2d:64:33:53:8b:a7:71:26:18:aa:95:ab:
+                    02:9b:4b:93:93:ac:c2:31:8c:f5:30:0f:d2:f2:69:
+                    12:4c:bd:23:f5:c6:f7:bb:cf:09:8d:5c:e9:e0:03:
+                    c7:ae:92:64:36:a2:54:14:e7:c6:e5:7b:a2:00:1d:
+                    c8:f8:aa:0e:da:df:c1:35:21:3b:c3:98:0b:30:85:
+                    3c:ca:7c:8e:19:ea:89:0b:0a:32:9f:61:a7:e7:7d:
+                    b8:b9:24:0f:84:e9:f8:80:ac:1d:f3:8a:68:e7:7b:
+                    eb:62:50:d6:19:87:67:98:b2:9b:0e:3b:0e:9c:99:
+                    a2:ed:21:b3:0f:67:25:f2:e2:23:fa:38:23:48:8a:
+                    46:f4:f0:36:b6:ef:38:d5:9f:4e:22:d5:27:94:12:
+                    fd:58:16:69:f8:07:d1:96:70:d2:c0:5f:23:35:2e:
+                    60:8d:8b:bd:3e:48:04:e9:69:96:11:8e:bf:c1:05:
+                    1e:8b:35:93:01:b0:d2:89:6e:55:85:5c:ad:d4:b5:
+                    f6:05:8b:2a:72:8a:b8:10:8f:33:ed:2d:bd:57:b2:
+                    e3:21:7e:a3:2d:f1:06:43:87:c9:f7:62:f6:13:5b:
+                    9f:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:8D:A0:D2:8A:EE:0B:CF:65
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         29:b0:10:dc:45:ee:68:77:5f:12:9b:fc:de:eb:70:41:2e:6a:
+         a2:5f:a9:cc:ca:97:24:01:4a:1d:c2:78:52:57:34:9c:83:7f:
+         60:f5:d9:68:a2:32:89:e9:d7:25:71:72:71:e5:76:e3:37:af:
+         41:25:cc:8b:a4:fd:81:ef:6b:15:2b:91:3c:68:a5:25:53:cf:
+         c1:b9:aa:49:b4:cd:e3:3c:a2:8e:38:ea:e8:51:7c:7b:92:41:
+         bd:a3:22:7d:97:59:ad:55:e2:7d:9d:6a:bb:1f:95:84:1c:50:
+         00:e9:6c:74:1d:bb:6c:07:ca:bc:6a:a2:dd:c1:66:37:64:bd:
+         fe:1a:c0:8c:a7:8c:a1:60:b8:c3:d2:5f:92:80:ee:ad:79:29:
+         f2:ad:e2:9f:74:39:bf:3b:a4:b6:25:2a:87:3f:36:49:b9:52:
+         fd:91:33:be:1d:41:a9:76:29:47:6e:c7:db:a8:ab:6e:78:91:
+         c0:13:56:1c:25:41:51:a7:64:4f:07:c0:2a:a8:80:63:8d:98:
+         e0:54:7d:a6:f4:22:6b:70:fa:1c:16:82:f4:07:2e:e1:ba:94:
+         96:ec:c7:9e:8e:0a:24:1e:a4:e9:c0:92:ca:bd:32:98:ef:1f:
+         e1:a6:e6:4d:1f:c5:68:1b:77:d0:e0:35:1a:a9:c9:ee:98:72:
+         7b:c3:e7:51
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIJAIYJhVdBv4ZlMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSMwIQYDVQQDDBpJTlRFUl9DQV9TSEExLVJPT1RfQ0Ff
+U0hBMTAeFw0xNzAzMzAwNDUxMDZaFw0yNzAzMjgwNDUxMDZaMH0xCzAJBgNVBAYT
+AlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0w
+CwYDVQQLDARKYXZhMTUwMwYDVQQDDCxFTkRfRU5USVRZX1NIQTI1Ni1JTlRFUl9D
+QV9TSEExLVJPT1RfQ0FfU0hBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANpiUo1NTWJB6z8G2K+8zWLGMKTWa4zVF0yQlAi1kHbXLWQzU4uncSYYqpWr
+AptLk5OswjGM9TAP0vJpEky9I/XG97vPCY1c6eADx66SZDaiVBTnxuV7ogAdyPiq
+DtrfwTUhO8OYCzCFPMp8jhnqiQsKMp9hp+d9uLkkD4Tp+ICsHfOKaOd762JQ1hmH
+Z5iymw47DpyZou0hsw9nJfLiI/o4I0iKRvTwNrbvONWfTiLVJ5QS/VgWafgH0ZZw
+0sBfIzUuYI2LvT5IBOlplhGOv8EFHos1kwGw0oluVYVcrdS19gWLKnKKuBCPM+0t
+vVey4yF+oy3xBkOHyfdi9hNbn3ECAwEAAaOBijCBhzB3BgNVHSMEcDBuoWGkXzBd
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkxDDAKBgNV
+BAoMA09yZzENMAsGA1UECwwESmF2YTEVMBMGA1UEAwwMUk9PVF9DQV9TSEExggkA
+jaDSiu4Lz2UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKbAQ3EXu
+aHdfEpv83utwQS5qol+pzMqXJAFKHcJ4Ulc0nIN/YPXZaKIyienXJXFyceV24zev
+QSXMi6T9ge9rFSuRPGilJVPPwbmqSbTN4zyijjjq6FF8e5JBvaMifZdZrVXifZ1q
+ux+VhBxQAOlsdB27bAfKvGqi3cFmN2S9/hrAjKeMoWC4w9JfkoDurXkp8q3in3Q5
+vzuktiUqhz82SblS/ZEzvh1BqXYpR27H26irbniRwBNWHCVBUadkTwfAKqiAY42Y
+4FR9pvQia3D6HBaC9Acu4bqUluzHno4KJB6k6cCSyr0ymO8f4abmTR/FaBt30OA1
+GqnJ7phye8PnUQ==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaCsiXcNnu7WpV
+t+FarvFhtaRr4RMQbKGhiIHi4aV0vqWmpX/eFde01eQZTZcPGJzEnjJrkyFo3Wbd
+31bjBLpt40kkI7kbODHrA2L+vY/hoCQeXK8+BrGioX9qHOpD7OLI3Esm1+KDiPPK
+w6qr9O9nS/fOID3zly92r+obY2ZuW6jQC0Yah3K9INrSIjH+rHXsmj2U5dCnktfi
+LzRcocvqtQHASYXFXEhWr1TCMnSz7h+l07O5YgYpmhwkRIPCkcdP+9wGhO2eOJYU
+kfaBteodDh7vHj2F+A6Lheosa4mi/nysyhQJl8uBFw97dqab9ul5Tb03iHmaY/q0
+xJKcEohnAgMBAAECggEBAJsa6K6yHJWWVfo8IBb+M7+qExiat5ELdb8O+DaJBcYS
+iIwPVvKI3zVIokZNp5OZkotbbcqQk0ehl7dlVM2RY30gHbuTne36/6eKdTV5a4y4
++niOviqFYH+sGpNFlnBTZtAzxVIQaJXhKmum3RYN2u/EXrdGwEsz1RO89/AbuZXu
+VdtEKkjPHXrIjnBkiT4271sm3OiPwOe6g0NKBMJ4InTyB+YtpgxlXtF+vv5cv6Vt
+ayT3sNsdsD8HLrenMmwv/k7nTYgNbhaJX2YCs9W7ZEscU2th6F7Cx6Z0z9h1SElC
++OKKhU6HnG/pWFMfWu80ZNjb3NTpXzTv4CLKjEYvz6ECgYEA8qEe+Ga7+XD0XwPB
+bFjoKmhOQhv0VCIiu9RgvIxQn5DuGX4H2hO1GP8LYOQZBm25nICIa+DyDZEaFGgL
+QgfPI4boK/rdV8syFTUNfw1Wq+W/pHhqzgUGHAnzRpX8jBQa9of14O+B7//ZFdGj
+5nt0qFTOAgNGslXMvSicKD/g0mMCgYEA5g7MpMmZI8zPf/PKLBkrQegdX2TBBiI5
+3KzvQuA29tEFdVwUIuhkgQkmy1u9Ujw0jZZ8NVBOsqfg7e7XkVr6/OF+MVWBjWl3
+Jn3DMCHl/HCLIZ4ZOM6/ydIMpBX6Ii53nvpO6vxRaOUg2T2gVHadVjjQAN9Oj68r
+TKUHfs4rTy0CgYB/g5QuQnfqKaYUxXmDQtqJZxYyAlUPXn1Yr85DaY75vYaVGTpx
+L0hPIcNOIbLRQRt6l8aaw7cS0D6fmOrJwibn6f/dFVP8zwq8QIyeSFlTsERe4PZo
+3hUO6V/UqgD3cZ2WEXB0zgtBIfpqUCpOeHWf/inivuwJz7PxegVP1fqHNwKBgA0p
+CZHfqm/+1lvmcUlGg0/43D1JwTT9nju+dM1pkBtcZ6iIBOreSmmLQXnenJzorsTu
+t9pA5s+XhOl3gUNiZfszVwmxb4DMaLF9/j1xovtm4L6ikaTLRvNfnbOBQlbUO6mP
+fhY5KtsKSG/E87gBNQzqoRN7sr3Lcnmm8x/Q4W9dAoGAITDcOI7UgPcnKMO8JUI5
+96Po3c/S7nBilVZRFOwjn0z6jrjzNTd+1IqkzIKBWfs5WlRkzXI6LPJVghwPUqUa
+q2C/3hQATD3FchEIohLfd8bj/wObaZNlKJB59a1RjxRZxuVQl3jvovvpn/hdXuJB
+nGIx7MryEG/yRpfrk2DL0bI=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9e:f7:d7:79:1c:06:83:d5
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:05 2017 GMT
+            Not After : Mar 28 04:51:05 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:da:0a:c8:97:70:d9:ee:ed:6a:55:b7:e1:5a:ae:
+                    f1:61:b5:a4:6b:e1:13:10:6c:a1:a1:88:81:e2:e1:
+                    a5:74:be:a5:a6:a5:7f:de:15:d7:b4:d5:e4:19:4d:
+                    97:0f:18:9c:c4:9e:32:6b:93:21:68:dd:66:dd:df:
+                    56:e3:04:ba:6d:e3:49:24:23:b9:1b:38:31:eb:03:
+                    62:fe:bd:8f:e1:a0:24:1e:5c:af:3e:06:b1:a2:a1:
+                    7f:6a:1c:ea:43:ec:e2:c8:dc:4b:26:d7:e2:83:88:
+                    f3:ca:c3:aa:ab:f4:ef:67:4b:f7:ce:20:3d:f3:97:
+                    2f:76:af:ea:1b:63:66:6e:5b:a8:d0:0b:46:1a:87:
+                    72:bd:20:da:d2:22:31:fe:ac:75:ec:9a:3d:94:e5:
+                    d0:a7:92:d7:e2:2f:34:5c:a1:cb:ea:b5:01:c0:49:
+                    85:c5:5c:48:56:af:54:c2:32:74:b3:ee:1f:a5:d3:
+                    b3:b9:62:06:29:9a:1c:24:44:83:c2:91:c7:4f:fb:
+                    dc:06:84:ed:9e:38:96:14:91:f6:81:b5:ea:1d:0e:
+                    1e:ef:1e:3d:85:f8:0e:8b:85:ea:2c:6b:89:a2:fe:
+                    7c:ac:ca:14:09:97:cb:81:17:0f:7b:76:a6:9b:f6:
+                    e9:79:4d:bd:37:88:79:9a:63:fa:b4:c4:92:9c:12:
+                    88:67
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CD
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         89:84:ce:6d:80:83:e7:19:80:21:a5:d3:79:ac:c4:2f:5c:5f:
+         47:f1:1c:e7:40:2a:57:ec:76:01:a9:10:b6:a2:2b:1b:02:ac:
+         f7:46:b1:67:b3:36:0f:fa:f0:a3:40:c2:5a:38:00:67:a9:9d:
+         e8:59:be:2f:5b:d0:c6:6c:20:90:c0:3b:6b:af:75:8c:93:ac:
+         5a:1e:8b:66:2c:79:0b:6d:9d:0d:d3:68:b5:b6:df:d6:04:6b:
+         24:f7:5a:b9:f0:18:08:81:b1:50:1c:ac:1b:7a:b7:b8:d8:8e:
+         6f:15:78:7e:23:5f:41:5c:df:76:09:1a:67:36:15:35:6a:77:
+         36:09:19:50:12:6d:60:20:c1:7a:36:cb:4c:ee:a8:d7:b7:c7:
+         29:26:31:04:0a:44:48:25:be:dd:00:92:ea:8c:00:ee:b4:eb:
+         52:4a:da:47:97:d7:42:df:dd:7d:17:de:e3:a1:14:49:3b:2d:
+         aa:ac:e7:83:0f:c0:2d:3f:31:c5:af:bb:b1:1e:53:d1:a7:13:
+         55:e3:25:f6:67:95:a1:75:e9:b8:a1:81:eb:d0:de:8a:a3:af:
+         78:dc:d0:39:d0:e7:d6:61:9e:39:7b:8b:f9:ee:44:48:78:92:
+         e7:22:fa:9c:a4:d0:6b:2b:89:0a:fa:78:3d:7a:af:44:91:e5:
+         8a:40:2f:10
+-----BEGIN CERTIFICATE-----
+MIIEAjCCAuqgAwIBAgIJAJ7313kcBoPVMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSUwIwYDVQQDDBxJTlRFUl9DQV9TSEExLVJPT1RfQ0Ff
+U0hBMjU2MB4XDTE3MDMzMDA0NTEwNVoXDTI3MDMyODA0NTEwNVowgYQxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMTwwOgYDVQQDDDNFTkRfRU5USVRZX1NIQTI1Ni1JTlRF
+Ul9DQV9TSEExLVJPT1RfQ0FfU0hBMjU2LVBSSVYwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDaCsiXcNnu7WpVt+FarvFhtaRr4RMQbKGhiIHi4aV0vqWm
+pX/eFde01eQZTZcPGJzEnjJrkyFo3Wbd31bjBLpt40kkI7kbODHrA2L+vY/hoCQe
+XK8+BrGioX9qHOpD7OLI3Esm1+KDiPPKw6qr9O9nS/fOID3zly92r+obY2ZuW6jQ
+C0Yah3K9INrSIjH+rHXsmj2U5dCnktfiLzRcocvqtQHASYXFXEhWr1TCMnSz7h+l
+07O5YgYpmhwkRIPCkcdP+9wGhO2eOJYUkfaBteodDh7vHj2F+A6Lheosa4mi/nys
+yhQJl8uBFw97dqab9ul5Tb03iHmaY/q0xJKcEohnAgMBAAGjgYwwgYkweQYDVR0j
+BHIwcKFjpGEwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARD
+aXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFzAVBgNVBAMMDlJPT1Rf
+Q0FfU0hBMjU2ggkAhKFwHQqS080wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAiYTObYCD5xmAIaXTeazEL1xfR/Ec50AqV+x2AakQtqIrGwKs90axZ7M2
+D/rwo0DCWjgAZ6md6Fm+L1vQxmwgkMA7a691jJOsWh6LZix5C22dDdNotbbf1gRr
+JPdaufAYCIGxUBysG3q3uNiObxV4fiNfQVzfdgkaZzYVNWp3NgkZUBJtYCDBejbL
+TO6o17fHKSYxBApESCW+3QCS6owA7rTrUkraR5fXQt/dfRfe46EUSTstqqzngw/A
+LT8xxa+7sR5T0acTVeMl9meVoXXpuKGB69DeiqOveNzQOdDn1mGeOXuL+e5ESHiS
+5yL6nKTQayuJCvp4PXqvRJHlikAvEA==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHC0ieOFNTJjP+
+HMlFQ/w50Hx/+FYh9z9w3i08dVvi8oEhGUop7fvsqEyuAj3U/BYG87Wsv27wfa9l
+qSJRSgqUT3yI4jsMY/ozUInuKpp/yL97abyZVDUZc3diDZqryA/Qur8HNVLyA2hD
+DA9x8Ioeu5EDFl7AeqV3jx+A8fbulwVeCa29GByVkWRUEVF/48a1jpazBf2YQvrm
+5ElWoG8fuMrz6vgj+gYZYb1GPXmJQrtAIRp4Z1/AquPS4A/O21DnPLEM8WSw+rSC
+KGGKMqefJw74zeVyPlOiOmjFTeNfeVDViQrDgU++CTDjFa8XhweU6v+MtY5Mmzmf
+2AETGyd9AgMBAAECggEANCdMu8hebOcRsH+ybSfHKw7p0E4to3C5esV8bN8DWI/a
+LeYGfL4SyIvAq8eClBAJZYDuFXmDhBgqoSSUDWCtLPc21lcQycpYgKGVwoX/PYRI
+R/oIpNRfpW+P1G1kHaaqHjMQYr8iIK+r3gWG9n/kcPEMqhZudVitiopB4vODlDgf
+OI0goNWwYOPzoBkJSBbgfYC7vSz0dg+j9ooYPDnyUnHjykhu95mkmBHYc/MVMP8s
+ntFB5pgtWuLQATZImW4A1dtZiqCsF6APvJIQASxVq+wv3dwhejF9xMZR96QchVZJ
+QvPOcH76njIH4fThb0e46Dn54+KBpCnveSnDtAz5sQKBgQD2u6gWOK/Z4VqGlff1
+diLqzesdalCJhydKzOGRzRiJeW4E4MhEpUjIo44zPGkQ64zq6nefqIltdiaE7T9C
+Fnyu/+vd0zE1v3Ipgv0wD3NgTj3gGrBwl2gkY5sfSbCR+8vS/DhRU+s3KN45m3s4
+XfM27Uw/Zh/DFIe7jmGezfe/3wKBgQDOhRjDfxDDLCEXw4QFQb7Sp/43EGfoTd8h
+m700T/QXUTGx6qRhzHF9mUVea7FT+3I6CEqYNnZtFlYsJlq1g457rnvUJnTjJZb7
+wFl1h+u4u3IKo/lUUh2vD89PPOkMUF/uamJLh5jK7KNkOjwEDN2yPkRgaedY++nv
+NBcUPpGUIwKBgEkFmOWauVC+hVA3qj8XS5Y6g08dW+CYA2T75faEwLJPIeSHsj2+
+vR/EaB15z46WaApOgkDaXHHs+dF1dbdVeGlCjMgF7RZ/JoZqogxLRlZGUcG1pGpu
+JQBACnTkFkHeR6CVzQUk1QRqL/rUrU8tXwHukRZiXxwZQ2Ka7QFW6+/5AoGAHGem
+Dk2NyqppKtGTeP2f921vw7cX85WyWPcIwQc2NXbPdP8m+OSbv4CzT9dUHo75GQ5G
+5ESpaTunQo9L7qdXk59eHMHlVdC3wYylQUsemtv9RYVkJ7rbplZwVx+zliP/7dTo
+DCdsVozRtFlmI9B5Najm0rP+Q/jyJhpuCjTI5S0CgYEAsYcmFZZotwOyT4oJ/1Fu
+BtSOsoxnCa1vPJTVXEoX3F28ZUP4X0iWgGDO1e3aoWWYxWusf1fUj9BWbVnbtJfb
+gJ5JtQTAuMvmjCwFRWcBUytdxTUsWFbuDc5fw7DMW7YqjkCCISkd6Q8JyaFsJPy1
+7uFzumBnFtZGUIo2w4l8yrQ=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9e:b3:99:30:15:24:2c:69
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:06 2017 GMT
+            Not After : Mar 28 04:51:06 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:0b:48:9e:38:53:53:26:33:fe:1c:c9:45:43:
+                    fc:39:d0:7c:7f:f8:56:21:f7:3f:70:de:2d:3c:75:
+                    5b:e2:f2:81:21:19:4a:29:ed:fb:ec:a8:4c:ae:02:
+                    3d:d4:fc:16:06:f3:b5:ac:bf:6e:f0:7d:af:65:a9:
+                    22:51:4a:0a:94:4f:7c:88:e2:3b:0c:63:fa:33:50:
+                    89:ee:2a:9a:7f:c8:bf:7b:69:bc:99:54:35:19:73:
+                    77:62:0d:9a:ab:c8:0f:d0:ba:bf:07:35:52:f2:03:
+                    68:43:0c:0f:71:f0:8a:1e:bb:91:03:16:5e:c0:7a:
+                    a5:77:8f:1f:80:f1:f6:ee:97:05:5e:09:ad:bd:18:
+                    1c:95:91:64:54:11:51:7f:e3:c6:b5:8e:96:b3:05:
+                    fd:98:42:fa:e6:e4:49:56:a0:6f:1f:b8:ca:f3:ea:
+                    f8:23:fa:06:19:61:bd:46:3d:79:89:42:bb:40:21:
+                    1a:78:67:5f:c0:aa:e3:d2:e0:0f:ce:db:50:e7:3c:
+                    b1:0c:f1:64:b0:fa:b4:82:28:61:8a:32:a7:9f:27:
+                    0e:f8:cd:e5:72:3e:53:a2:3a:68:c5:4d:e3:5f:79:
+                    50:d5:89:0a:c3:81:4f:be:09:30:e3:15:af:17:87:
+                    07:94:ea:ff:8c:b5:8e:4c:9b:39:9f:d8:01:13:1b:
+                    27:7d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:8D:A0:D2:8A:EE:0B:CF:64
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         2b:43:e4:c1:37:36:00:a3:ed:25:15:c7:9f:6b:25:0e:24:cd:
+         1c:e8:d2:8c:a6:11:05:a9:2b:b5:dc:7b:fd:55:8e:be:1d:15:
+         d7:8b:a8:a6:44:cf:03:ba:ba:78:74:26:b9:19:11:c0:03:9b:
+         4d:2f:f9:f7:ea:da:a3:2f:82:f9:9e:d0:77:d6:bf:eb:fd:57:
+         c8:eb:03:54:0a:0c:2b:36:0c:e5:99:b7:93:4d:a9:9d:e9:50:
+         80:66:4e:73:c1:bd:83:13:09:ee:b9:01:62:ed:90:0e:4f:ff:
+         9d:92:f3:cd:db:1f:ba:da:fc:67:9d:cb:a0:09:99:8b:3e:ea:
+         9d:61:55:ac:6f:fb:11:5c:c0:fe:fb:ff:5b:15:7d:a7:c1:aa:
+         3a:cd:30:43:35:ea:44:8a:21:ae:9f:af:bc:5c:ae:3a:01:2c:
+         3b:eb:b6:8c:6a:e1:1c:4e:55:0a:84:5b:f8:68:71:aa:97:02:
+         9b:5d:c4:c9:42:df:19:91:28:4a:12:35:8d:2e:3d:10:ec:35:
+         8a:b1:d7:e0:e2:a6:f9:f6:47:4b:17:75:84:8e:2d:66:e8:74:
+         be:d6:27:6b:a2:28:23:26:41:70:92:c2:7c:50:e2:81:c9:e0:
+         10:84:5d:87:4f:db:93:ce:dd:09:d2:48:63:3d:53:66:31:64:
+         5a:13:b5:a6
+-----BEGIN CERTIFICATE-----
+MIID+jCCAuKgAwIBAgIJAJ6zmTAVJCxpMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMSUwIwYDVQQDDBxJTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEExMB4XDTE3MDMzMDA0NTEwNloXDTI3MDMyODA0NTEwNlowfzELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcx
+DTALBgNVBAsMBEphdmExNzA1BgNVBAMMLkVORF9FTlRJVFlfU0hBMjU2LUlOVEVS
+X0NBX1NIQTI1Ni1ST09UX0NBX1NIQTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDHC0ieOFNTJjP+HMlFQ/w50Hx/+FYh9z9w3i08dVvi8oEhGUop7fvs
+qEyuAj3U/BYG87Wsv27wfa9lqSJRSgqUT3yI4jsMY/ozUInuKpp/yL97abyZVDUZ
+c3diDZqryA/Qur8HNVLyA2hDDA9x8Ioeu5EDFl7AeqV3jx+A8fbulwVeCa29GByV
+kWRUEVF/48a1jpazBf2YQvrm5ElWoG8fuMrz6vgj+gYZYb1GPXmJQrtAIRp4Z1/A
+quPS4A/O21DnPLEM8WSw+rSCKGGKMqefJw74zeVyPlOiOmjFTeNfeVDViQrDgU++
+CTDjFa8XhweU6v+MtY5Mmzmf2AETGyd9AgMBAAGjgYowgYcwdwYDVR0jBHAwbqFh
+pF8wXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQww
+CgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFTATBgNVBAMMDFJPT1RfQ0FfU0hB
+MYIJAI2g0oruC89kMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACtD
+5ME3NgCj7SUVx59rJQ4kzRzo0oymEQWpK7Xce/1Vjr4dFdeLqKZEzwO6unh0JrkZ
+EcADm00v+ffq2qMvgvme0HfWv+v9V8jrA1QKDCs2DOWZt5NNqZ3pUIBmTnPBvYMT
+Ce65AWLtkA5P/52S883bH7ra/Gedy6AJmYs+6p1hVaxv+xFcwP77/1sVfafBqjrN
+MEM16kSKIa6fr7xcrjoBLDvrtoxq4RxOVQqEW/hocaqXAptdxMlC3xmRKEoSNY0u
+PRDsNYqx1+Dipvn2R0sXdYSOLWbodL7WJ2uiKCMmQXCSwnxQ4oHJ4BCEXYdP25PO
+3QnSSGM9U2YxZFoTtaY=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDuH2+6I/ytoLeW
+AG3J0xMQafYmxYDZNaDjiWBl7TGpL4TjRY84FuHI/G8ib0VY9DKtyUixm7qZev+b
+ExrfQGk9ZV7Dn41uBvmGcUMSqwb0QV/5/hneP7/3EXhoWjsCFUe0r0zOgCM7O9+F
+jUlSuxEHyaFE09PxWGVZpU4Yu71PeoI/JJGITV81o2Fst7Urz65NE5OWrvbO+pfD
+EiRvjLv/uil7znYV28lCbH7U1K8q5nGVtnpgTguhGL6/N3lIgvxoBtoXEQwdMV59
+APsH8anA19rHn5h/ZmknryxAs0c6Rg9Plo30MonIU/eAVZwNw8TczD276Rc02xnW
+RmbmxToRAgMBAAECggEAbK3OWV9JWJlMkNqbQQzj247w+FsV5ozSZGbzpzFtg/Eb
+Lns11XykCg4kTswIE4RIiQaf9efEb34yoL1Ee3YzUgEtEg2FCB2IzvJskV2ba+lW
+e4uclNH1tDa2BLKB0f6SXoXPgUP8UHGQH60PNQIJ0MsWnoorZjBY+WQ305QD3/yB
+fMonkjpWN+ZNTY8Y3vA2SsS4EoY0Ndy2FpmWPwKKMCcqXw6xzVjKvq+jpFfsGpcj
+i3MlKsCG5koreWrXdyt28CVOc6eMW5rsJfAHRw+OSn7PdLaGyZCUUsFXCjG0Vq2G
+YwuMfTJprrZk+lbi3XUXWk7XUEURB7Q4lIBxAcskAQKBgQD8pVj0OIsVHAGjQQ7C
+ZAnxFlON7XX3fgPdLtil9c+a1GlcPA2K52fBp8YlKlAS4bmZIQHbbkEBjh8KfG1P
+x7zBHoUXV8ruo/axzRPoeBVQat5NQKcKnlITrqdf8J3a+8iMxpMpd53h97HGiayq
+W04ZQNf7wjXvR+pJVluTEaoVUQKBgQDxSLruMmCsYvD+sipaQ3rBEMIAI3kc7ctl
+fEnipEk5wtPkKKldw+rvbh/AwY2i2JMUDcW92hkB5vCvbcKmCEkEO3FbawNkJnJi
+qfwbvHP/fGThMV3gbWWF3GZvBKY2+toSa2rwoR5kYTT1e4+byk38NAp/HAItFHIT
+DgAgMy6owQKBgQCjd8jKnBtBmVFl9B48oMXd+/gsCM0fSaXuYvVCzH17TJyvVRve
+GEQGBSwrt+j/jpWsArNU602cV/y1qDSCPlZfDgRHSkK/jc9805hh/fCsi7kyevaZ
+5D5vBb6+UM2Sdv8YNxPY7NB2+PFJ6KKTx2gM5uvYtZx4KivpL7souXE3QQKBgDxg
+FZ5q7rPUIjepP13MyteqqNC+D51Eh4PCgP58W3JfpQPPhOnYj14QMVPbWuSnys3W
+0Gc8PsuyDQHoti8znYm4khntAjE6SZ8Up+gM1P3WE6wh3Tq+RQwk5WDcSfcx+AVp
+6Z2Cw4ccp9LRc1LpYXA9WW8LBCRhnFXWSAPGquNBAoGAdCsvFzSipQ5qxWPlClRM
+lKqDdQheRl9IKCuImXZAvdX952VhmP7QV5PUwLV/CkVquvSdRSshrMO/fqFjfkjr
+puajXghFXa+YppQW42tPYBmKDnNVgxW5d5sC62AYaykh2iNw3v4BJyN+MMmkSf0M
+4/mKvs5m8N2OkOpY6r2wCp8=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e8:33:78:c7:69:9c:28:c1
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:04 2017 GMT
+            Not After : Mar 28 04:51:04 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ee:1f:6f:ba:23:fc:ad:a0:b7:96:00:6d:c9:d3:
+                    13:10:69:f6:26:c5:80:d9:35:a0:e3:89:60:65:ed:
+                    31:a9:2f:84:e3:45:8f:38:16:e1:c8:fc:6f:22:6f:
+                    45:58:f4:32:ad:c9:48:b1:9b:ba:99:7a:ff:9b:13:
+                    1a:df:40:69:3d:65:5e:c3:9f:8d:6e:06:f9:86:71:
+                    43:12:ab:06:f4:41:5f:f9:fe:19:de:3f:bf:f7:11:
+                    78:68:5a:3b:02:15:47:b4:af:4c:ce:80:23:3b:3b:
+                    df:85:8d:49:52:bb:11:07:c9:a1:44:d3:d3:f1:58:
+                    65:59:a5:4e:18:bb:bd:4f:7a:82:3f:24:91:88:4d:
+                    5f:35:a3:61:6c:b7:b5:2b:cf:ae:4d:13:93:96:ae:
+                    f6:ce:fa:97:c3:12:24:6f:8c:bb:ff:ba:29:7b:ce:
+                    76:15:db:c9:42:6c:7e:d4:d4:af:2a:e6:71:95:b6:
+                    7a:60:4e:0b:a1:18:be:bf:37:79:48:82:fc:68:06:
+                    da:17:11:0c:1d:31:5e:7d:00:fb:07:f1:a9:c0:d7:
+                    da:c7:9f:98:7f:66:69:27:af:2c:40:b3:47:3a:46:
+                    0f:4f:96:8d:f4:32:89:c8:53:f7:80:55:9c:0d:c3:
+                    c4:dc:cc:3d:bb:e9:17:34:db:19:d6:46:66:e6:c5:
+                    3a:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:84:A1:70:1D:0A:92:D3:CC
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         1d:1a:87:7d:11:0e:cc:cd:7f:6c:ed:21:1a:2c:35:de:09:b8:
+         c4:cf:0c:31:00:3d:f5:bd:d4:6e:f0:4f:7e:c2:8d:d6:c5:28:
+         ed:38:9d:d7:52:32:e2:8d:7b:64:c8:1d:4e:69:7e:49:5f:e1:
+         5e:04:c7:d3:96:d2:63:ef:2c:35:4f:eb:08:2b:9d:b0:15:df:
+         33:d8:1c:59:8e:bb:f1:28:4f:f0:85:bb:3c:56:e1:86:a4:75:
+         2b:44:8a:1c:98:ae:94:f3:b6:76:a9:a3:e7:d6:bc:58:ef:fe:
+         32:11:6f:76:5b:85:f8:14:91:83:2c:b6:20:a5:48:48:8b:6e:
+         ee:a8:6c:2b:12:18:94:3e:59:5e:a6:66:53:dc:40:b2:da:fd:
+         a4:5f:16:35:b6:20:2b:31:86:9b:91:55:b2:35:63:d2:47:bd:
+         91:7e:43:bc:d6:0e:dc:95:1a:f0:8d:08:e5:66:cd:d1:0b:32:
+         d6:92:26:3e:78:e8:70:74:e1:14:64:b0:39:5d:7c:d0:28:23:
+         c7:83:53:02:90:fe:fc:9e:aa:9a:fb:c4:ef:9d:d5:22:f6:c1:
+         fd:e4:07:04:25:4f:8f:b2:13:6f:0d:51:cc:54:b4:38:d3:ac:
+         31:aa:94:c5:d0:c8:5a:58:35:13:87:3e:f6:74:26:8c:2b:7d:
+         6c:8e:36:a5
+-----BEGIN CERTIFICATE-----
+MIIEATCCAumgAwIBAgIJAOgzeMdpnCjBMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9D
+QV9TSEEyNTYwHhcNMTcwMzMwMDQ1MTA0WhcNMjcwMzI4MDQ1MTA0WjCBgTELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANP
+cmcxDTALBgNVBAsMBEphdmExOTA3BgNVBAMMMEVORF9FTlRJVFlfU0hBMjU2LUlO
+VEVSX0NBX1NIQTI1Ni1ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAO4fb7oj/K2gt5YAbcnTExBp9ibFgNk1oOOJYGXtMakvhONF
+jzgW4cj8byJvRVj0Mq3JSLGbupl6/5sTGt9AaT1lXsOfjW4G+YZxQxKrBvRBX/n+
+Gd4/v/cReGhaOwIVR7SvTM6AIzs734WNSVK7EQfJoUTT0/FYZVmlThi7vU96gj8k
+kYhNXzWjYWy3tSvPrk0Tk5au9s76l8MSJG+Mu/+6KXvOdhXbyUJsftTUryrmcZW2
+emBOC6EYvr83eUiC/GgG2hcRDB0xXn0A+wfxqcDX2sefmH9maSevLECzRzpGD0+W
+jfQyichT94BVnA3DxNzMPbvpFzTbGdZGZubFOhECAwEAAaOBjDCBiTB5BgNVHSME
+cjBwoWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENp
+dHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9D
+QV9TSEEyNTaCCQCEoXAdCpLTzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQAdGod9EQ7MzX9s7SEaLDXeCbjEzwwxAD31vdRu8E9+wo3WxSjtOJ3XUjLi
+jXtkyB1OaX5JX+FeBMfTltJj7yw1T+sIK52wFd8z2BxZjrvxKE/whbs8VuGGpHUr
+RIocmK6U87Z2qaPn1rxY7/4yEW92W4X4FJGDLLYgpUhIi27uqGwrEhiUPllepmZT
+3ECy2v2kXxY1tiArMYabkVWyNWPSR72RfkO81g7clRrwjQjlZs3RCzLWkiY+eOhw
+dOEUZLA5XXzQKCPHg1MCkP78nqqa+8TvndUi9sH95AcEJU+PshNvDVHMVLQ406wx
+qpTF0MhaWDUThz72dCaMK31sjjal
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX1pPNXGpnPQNc
+x9ReXrjbcHkIoyXcdXbhO0TnUBV5aGJTEn5/meDsK76Y2KDVyU/EO2jXpaQ5QiGn
+UzY6vKIn6boqTov4NLYwBsVPdAG/xZyr5q7p6bnJ8WRj40A2JeOeZ3FMglRtBCNg
+rYeEC4MDp2F41OVxsJZ4huodq94arqhD/hjE40g06UNa0I+/2dIpI2cSamIC5b3L
+/DK3ol+gIw/OOxMCgzAUSjeH6nTrrW1hUeSKx0NPGWRLWzLQ2yxhYcXlsedNuKHo
+ux/p3EkGXoGPajK7s7IlKj9CPQYwlQez37jCLJGovArqTr/8hxfrKMdZOl5bp+6H
+6uWh6af7AgMBAAECggEAXrUsM79qfRR7pjmVCTe9G6T1pwGXum3clSYhrPIqChTw
+mA0Ubr9Bv7/OKVlc8ZIdKzj6Xy2yquFGzRopQIrHCIZ5htjieC4BB3/hEmUP42s9
+vPxDIibJvD/s0hvEcD4d68LuJylFDHT1ZRWf0iQPAApxLckVSNa4n/hrQEvK8J+G
+HIH8VATq9iHp/GQmmFB8b3ubqn46zDGqly14+TGP2KtVJlY9FuCpvmtZZZjJ+K09
+vYM+BATwje6N6PqX5a3Z+NFC1NK9CmC+U6ECJ27uhySn8kvlU/i/SOAnrPftByO7
+g7K8p2Qzq1LlVIUU/JTidNZGXTaTMOVg8eHLmyt92QKBgQD9a94rLqk9BUtVsTYa
+AImt+KbUMB+Zi83cYDiCfNBkfIYw4dVUFJecmqZwg7IeqNwuSmXP41fASOvDel/L
+8bOj/rPccVSG9pmU0ir5WK9n8zobogfAzvaFr8cmo+TVv0FOZZA8e/+UfVsiKAsW
+3nwhwxN8ieILU1dtaNV1IfnAPwKBgQDaCM9URf+DFILI2WpuzKpk1loF6HrlklIn
++N0IFFcalqUpC8GhXTw7suypRBCZ+cp32h7WEcN9aHLMrnkDQP3bGTv53pJT5N9k
+7nk9Bfrk0CJCxeMRKwtuMhLkOmT0eh2aB1lWR0owA5b1Gjtiz5kTW7NN2+paJCDz
+SiDLVoFpRQKBgQCHvt0N4nuy/QACkd86BGm7b8LlTDXRCMsnrb73XqY9/VngG0gr
+NrCTqV9YS6MAu1Dd1uo8djnN/QGU/xsLYpfoU4nCnk450SQpTH7Ke8/Rbb8FiECA
+7hutNqAFuardOApiVRLy4zTfNFq5rBtsj5aMezMX9b/Ic0cUiyA0ExP1/wKBgQCp
+SDvI34wRdqRQUtWa7xbAsdg1TBnXEjLtTAA4nKpAP4Q+CR2uLlhstW+fv/PvyIwV
+X+mfJS2VubmgBzp3d0dhjAcP6mnL7yAvGiRRZ8ozSxG+rCuvEa+PQBuAzYHCeulu
+xJPtM+56tt7GsDY5cpsT95eQNNWQZQqcOgqaNTDGzQKBgCmMwRP1HN0qUSSVO1d8
+8N17OoZe5yntppEjesYQrLf4AEgPS3Qj8dv0qfe3z1B0gAKlG9+OR8cUBCMGVyum
+b51SiSi3LSm1VeuMfT7JDMSxTkbaI5CY7v+/5yCRFqikgBtCkHM9m4K95d3dVDO8
+JGrlKiKVIbu5LnQZMkPHRIEX
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8d:a0:d2:8a:ee:0b:cf:65
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:04 2017 GMT
+            Not After : Mar 28 04:51:04 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d7:d6:93:cd:5c:6a:67:3d:03:5c:c7:d4:5e:5e:
+                    b8:db:70:79:08:a3:25:dc:75:76:e1:3b:44:e7:50:
+                    15:79:68:62:53:12:7e:7f:99:e0:ec:2b:be:98:d8:
+                    a0:d5:c9:4f:c4:3b:68:d7:a5:a4:39:42:21:a7:53:
+                    36:3a:bc:a2:27:e9:ba:2a:4e:8b:f8:34:b6:30:06:
+                    c5:4f:74:01:bf:c5:9c:ab:e6:ae:e9:e9:b9:c9:f1:
+                    64:63:e3:40:36:25:e3:9e:67:71:4c:82:54:6d:04:
+                    23:60:ad:87:84:0b:83:03:a7:61:78:d4:e5:71:b0:
+                    96:78:86:ea:1d:ab:de:1a:ae:a8:43:fe:18:c4:e3:
+                    48:34:e9:43:5a:d0:8f:bf:d9:d2:29:23:67:12:6a:
+                    62:02:e5:bd:cb:fc:32:b7:a2:5f:a0:23:0f:ce:3b:
+                    13:02:83:30:14:4a:37:87:ea:74:eb:ad:6d:61:51:
+                    e4:8a:c7:43:4f:19:64:4b:5b:32:d0:db:2c:61:61:
+                    c5:e5:b1:e7:4d:b8:a1:e8:bb:1f:e9:dc:49:06:5e:
+                    81:8f:6a:32:bb:b3:b2:25:2a:3f:42:3d:06:30:95:
+                    07:b3:df:b8:c2:2c:91:a8:bc:0a:ea:4e:bf:fc:87:
+                    17:eb:28:c7:59:3a:5e:5b:a7:ee:87:ea:e5:a1:e9:
+                    a7:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         d3:ce:da:23:e1:7c:73:fb:7f:26:d7:a4:3c:7b:17:01:75:ce:
+         a5:bd:75:f1:65:1b:56:27:ae:f8:97:a6:c4:ca:94:93:c9:12:
+         bb:c7:ec:2b:d5:38:d5:43:3a:6c:c2:51:3a:79:2f:d7:4e:da:
+         2d:12:1f:b8:c2:4f:c8:ba:33:d3:f5:0c:78:cc:26:69:24:47:
+         3f:ed:17:a0:7f:d0:20:fe:11:ca:75:50:1a:61:e1:91:b5:fa:
+         91:04:e9:14:59:77:d4:29:0f:43:19:e0:dc:dd:a6:18:14:f4:
+         33:3e:f0:cb:36:7b:18:04:03:dd:be:35:41:c4:3e:65:d2:67:
+         44:73:ab:7f:d1:b9:26:7e:b3:1e:d0:e4:a4:52:83:60:a9:e6:
+         e1:bf:62:bb:9b:16:0c:97:ad:11:1a:2f:eb:92:ca:7e:98:15:
+         46:23:59:5d:26:d9:ec:57:85:51:5b:09:f1:9b:1b:d3:5d:53:
+         02:67:1a:e4:24:49:67:87:04:75:66:13:56:1b:8b:a1:08:de:
+         c8:4b:f8:87:73:6e:c2:31:ee:f6:32:14:45:32:a3:3f:e4:b1:
+         0f:23:28:29:b4:a3:86:65:4f:2e:57:ad:8f:44:77:f8:4b:ea:
+         7b:9d:8e:dc:cb:07:ee:b4:78:46:db:cd:12:eb:ad:ef:9b:8f:
+         22:ba:83:7b
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr6gAwIBAgIJAI2g0oruC89lMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTA0WhcNMjcwMzI4MDQ1MTA0WjBrMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEj
+MCEGA1UEAwwaSU5URVJfQ0FfU0hBMS1ST09UX0NBX1NIQTEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDX1pPNXGpnPQNcx9ReXrjbcHkIoyXcdXbhO0Tn
+UBV5aGJTEn5/meDsK76Y2KDVyU/EO2jXpaQ5QiGnUzY6vKIn6boqTov4NLYwBsVP
+dAG/xZyr5q7p6bnJ8WRj40A2JeOeZ3FMglRtBCNgrYeEC4MDp2F41OVxsJZ4huod
+q94arqhD/hjE40g06UNa0I+/2dIpI2cSamIC5b3L/DK3ol+gIw/OOxMCgzAUSjeH
+6nTrrW1hUeSKx0NPGWRLWzLQ2yxhYcXlsedNuKHoux/p3EkGXoGPajK7s7IlKj9C
+PQYwlQez37jCLJGovArqTr/8hxfrKMdZOl5bp+6H6uWh6af7AgMBAAGjgYowgYcw
+dwYDVR0jBHAwbqFhpF8wXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYD
+VQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFTATBgNVBAMM
+DFJPT1RfQ0FfU0hBMYIJAPE7t/soP1IJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBANPO2iPhfHP7fybXpDx7FwF1zqW9dfFlG1YnrviXpsTKlJPJErvH
+7CvVONVDOmzCUTp5L9dO2i0SH7jCT8i6M9P1DHjMJmkkRz/tF6B/0CD+Ecp1UBph
+4ZG1+pEE6RRZd9QpD0MZ4NzdphgU9DM+8Ms2exgEA92+NUHEPmXSZ0Rzq3/RuSZ+
+sx7Q5KRSg2Cp5uG/YrubFgyXrREaL+uSyn6YFUYjWV0m2exXhVFbCfGbG9NdUwJn
+GuQkSWeHBHVmE1Ybi6EI3shL+IdzbsIx7vYyFEUyoz/ksQ8jKCm0o4ZlTy5XrY9E
+d/hL6nudjtzLB+60eEbbzRLrre+bjyK6g3s=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWN68vV57EPqPZ
+Dtvi2+NI4tfxUgkaWJXbqrLKuAJC8bff9edZpMXGAyqMpDDr7MAjs/3TDYpVaWYN
+Id5iwqamImbBLYf/K0LOkaX6+TyogaqwwdNVryR5eYcGXEiJY1MJ2mgzCNeGJ091
+4qwll3xkjAFolB6o9QoIbLB3cctl0vw6oAoi3TKWQxJ+UI6/uBotX5eQ9z1b/MDs
+6PNXHB22jYAj4tOePMZxq7AVCwTFpWbHK8j5ftXxpVoU5ECNHfIAHLprJqc/lKdf
+7rMyflbsjD8nV7TwY+FW7WfOQgiJhk0OK3VaBeSsovpOOwjS4Lpsazh3eUXeZJUk
+lrYrMfI3AgMBAAECggEAEpXmNx9NAQ3GPXDSlw4o3AwCXEeXzpdc+SAIPxpT5+b8
+4wt8tQRcvF9N88HTFMUHrpFRNlx4Ygyw8/a6SqtEtilJ7Py8TeE8/JsaYXn6T0xg
+uNE4OrjlWzy2AFFFYdYiQDqYy8S6nkMO29V8xg4slrSm8qHXPyVzZ2O2s8ZFtWG+
+ItAMb+Gv7FU2M4te/TwRnadljFAoyWry0XCXle1fN1Y3QJXtu3VDdmLmU0t+VGfa
+wuZ5k0FIb9TFIQuxtgUNXJZmIjZw4Ych3luUc1bMSn9FPHeOzk8J3yo1tGqQu15M
+KMLHxASTgt6opfhDbYIpD0fJJqCPdiJlMrqXHBPYwQKBgQDy8lrmsjBE97H0U2sS
+tqlJq+7VOe2ien+z6seXFxd6XHBI8D/wTi2Q/7BpIGbpek3xc0ujxaFbcqo/RJZA
+TUzYmc5leQLTwy4a54Neo33+sOuYPg8fQIMPT1OGa3DXv3EPSC8FdQrweNjn/bDX
+YXbXJ2nKc3RgdTVehuMh6mw25wKBgQDhuitrTL3dlyHMGhO+djxW3cgjsUbJXQsK
+1GnkGw5mzzL67M6ixw4WNxNJjuXEUI5Vat8iJzhZOA+Ae84DDbeN2FCM7UBpUsyB
+9T9aApBYLLMflZhl4PXK/zkh1J9vA5NqqJbAcw6a5uH0kjtuJOSvP5CVQc2xsX9i
+U9+eZesQMQKBgHo4Znasqg/oNIRf+vvdHOlNL8fhbqVQzzHqKSLfoRYTrwFirCfu
+jInnuA4LGPrYZqHTiPgJEpX456EQli4fNUu6hNUTvdJe3LD4S2SvB1G8G6npfp4Q
+TF7FX5W+M3S2gOBZRh6OtUQo56Y+QFr6U1kGIPiSgLeN/51gap/DWVF9AoGBAMmL
+hMEloFF+Y/rtPbvNrkqRc+YKn32jyfw9dN7rGYzKbGaHkmjc+sLzIhGHubfzhWLX
+Law9AJ8I4y6BXIx1bvMDtche/igMefV/mLUxnNhd8QG+fHhayJwcDlMamdBxjOqq
+5Q+oq927UP0ipFXQMzAWvW3Hd3W1WlvdL8kqjxvBAoGBAMaZ9JZO48Zn17IUweZC
+oVfM99YaHa+dm3L47PdQN6Ag6UjQ+sZ/6SLGIIg67SDhUQ+nuPCL8PH3Rf7PCuqW
+oHW3F+44SIrVdLlMkWb444dxdP6Xvb9aOMpvopBDuvzYPR3xzZ202DZbZ0sIEVu8
+8a+09JbRmEI2/Ee+em6a/Y4T
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            84:a1:70:1d:0a:92:d3:cd
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:03 2017 GMT
+            Not After : Mar 28 04:51:03 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d6:37:af:2f:57:9e:c4:3e:a3:d9:0e:db:e2:db:
+                    e3:48:e2:d7:f1:52:09:1a:58:95:db:aa:b2:ca:b8:
+                    02:42:f1:b7:df:f5:e7:59:a4:c5:c6:03:2a:8c:a4:
+                    30:eb:ec:c0:23:b3:fd:d3:0d:8a:55:69:66:0d:21:
+                    de:62:c2:a6:a6:22:66:c1:2d:87:ff:2b:42:ce:91:
+                    a5:fa:f9:3c:a8:81:aa:b0:c1:d3:55:af:24:79:79:
+                    87:06:5c:48:89:63:53:09:da:68:33:08:d7:86:27:
+                    4f:75:e2:ac:25:97:7c:64:8c:01:68:94:1e:a8:f5:
+                    0a:08:6c:b0:77:71:cb:65:d2:fc:3a:a0:0a:22:dd:
+                    32:96:43:12:7e:50:8e:bf:b8:1a:2d:5f:97:90:f7:
+                    3d:5b:fc:c0:ec:e8:f3:57:1c:1d:b6:8d:80:23:e2:
+                    d3:9e:3c:c6:71:ab:b0:15:0b:04:c5:a5:66:c7:2b:
+                    c8:f9:7e:d5:f1:a5:5a:14:e4:40:8d:1d:f2:00:1c:
+                    ba:6b:26:a7:3f:94:a7:5f:ee:b3:32:7e:56:ec:8c:
+                    3f:27:57:b4:f0:63:e1:56:ed:67:ce:42:08:89:86:
+                    4d:0e:2b:75:5a:05:e4:ac:a2:fa:4e:3b:08:d2:e0:
+                    ba:6c:6b:38:77:79:45:de:64:95:24:96:b6:2b:31:
+                    f2:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         56:fb:b0:ab:a6:bb:3a:55:04:ed:5c:3b:ae:0c:0d:32:8f:aa:
+         ec:b7:24:2c:d5:37:b9:1f:91:64:21:c2:c0:6d:bc:d4:d4:5e:
+         e2:f1:12:ad:34:02:93:65:10:6c:93:93:2c:23:53:e8:ed:96:
+         c7:3b:6b:44:df:ff:24:8b:c1:cc:26:b2:1e:8f:26:66:34:3a:
+         bb:7d:ef:4e:a6:7e:b2:c8:93:c9:f7:46:5a:de:40:88:70:28:
+         c7:d1:fd:27:c3:99:fd:6a:a1:a5:e1:6d:c3:5a:bc:99:28:95:
+         e9:17:ed:a4:56:a5:04:ad:fb:74:a2:01:26:2a:5a:45:bc:7b:
+         0d:df:0c:41:79:8b:b4:15:50:cd:88:ce:f5:a7:ee:cb:d2:5b:
+         76:81:4c:1b:09:92:0e:e9:c6:42:df:b7:81:9e:89:3d:49:ed:
+         17:fa:d2:2f:bd:8b:74:d5:cb:ce:af:46:6a:74:b3:34:a0:c5:
+         a0:64:66:7a:80:59:15:1e:de:16:df:11:3d:1e:96:e2:e5:2d:
+         f1:4d:20:f3:f6:f1:19:aa:ac:f8:b4:6e:76:a0:26:6c:cd:90:
+         f2:23:35:a0:8b:c8:e8:5d:27:5d:34:d3:69:74:61:c5:ac:6a:
+         54:e9:86:8d:ca:ca:16:03:48:7f:cd:23:43:41:e2:77:3a:5d:
+         f2:3e:de:fa
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIJAIShcB0KktPNMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDNaFw0yNzAzMjgwNDUxMDNaMG0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MSUwIwYDVQQDDBxJTlRFUl9DQV9TSEExLVJPT1RfQ0FfU0hBMjU2MIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jevL1eexD6j2Q7b4tvjSOLX8VIJGliV
+26qyyrgCQvG33/XnWaTFxgMqjKQw6+zAI7P90w2KVWlmDSHeYsKmpiJmwS2H/ytC
+zpGl+vk8qIGqsMHTVa8keXmHBlxIiWNTCdpoMwjXhidPdeKsJZd8ZIwBaJQeqPUK
+CGywd3HLZdL8OqAKIt0ylkMSflCOv7gaLV+XkPc9W/zA7OjzVxwdto2AI+LTnjzG
+cauwFQsExaVmxyvI+X7V8aVaFORAjR3yABy6ayanP5SnX+6zMn5W7Iw/J1e08GPh
+Vu1nzkIIiYZNDit1WgXkrKL6TjsI0uC6bGs4d3lF3mSVJJa2KzHyNwIDAQABo4GM
+MIGJMHkGA1UdIwRyMHChY6RhMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEN
+MAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZhMRcwFQYD
+VQQDDA5ST09UX0NBX1NIQTI1NoIJAKNSnYJv3cYdMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADggEBAFb7sKumuzpVBO1cO64MDTKPquy3JCzVN7kfkWQhwsBt
+vNTUXuLxEq00ApNlEGyTkywjU+jtlsc7a0Tf/ySLwcwmsh6PJmY0Ort9706mfrLI
+k8n3RlreQIhwKMfR/SfDmf1qoaXhbcNavJkolekX7aRWpQSt+3SiASYqWkW8ew3f
+DEF5i7QVUM2IzvWn7svSW3aBTBsJkg7pxkLft4GeiT1J7Rf60i+9i3TVy86vRmp0
+szSgxaBkZnqAWRUe3hbfET0eluLlLfFNIPP28RmqrPi0bnagJmzNkPIjNaCLyOhd
+J10002l0YcWsalTpho3KyhYDSH/NI0NB4nc6XfI+3vo=
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDh12cWta4H1sY6
+KHyfvxSJk1JIUAe08JFmHwvO0Eb6LRmKrqwbXEyGs0CPGhMlnmxjvrfXbKkUjodY
+9ByxSBa7zYaVdPDGKDQ3HvPxyjZ0npPrHDII2wR+0UOD0ftkDbPHWQFBsl0OY/sI
+pRzihYRh8MwCrADdza3vHPrNBz2umuM5jnN20FVIGKhGMGbg5eackBmgvcaWT6BW
+B67iYRWVRwLywdSE+imOIS4P7ivndBe1DlB+z4oBmbBwYkM+5WyR3yT4+stdByyn
+naL+kExsC/TWDw+sE9TQUo2zqRbNI1j8UhBaQZz1pbX5YeGPTq/Z2J8EGvPxz6VY
+PmkDyMl3AgMBAAECggEAKrlDKUqpZ5Y73di26smNKxGRqVhqfNJdz0HkS/We18kc
+Yd31dR+a4oial/fI038K5ju4L6rAucDU3gEgRHFsy45v/Won+nS0nBDg+UbV0m4F
+cZ7d4Er+qLcR3KgmtKDa98VgtXr2m7hSTypdMoUrrBOPpJnBeDRmyStkTtEl3Bfa
+Fh72SZXNauGvB5+qrbPhls1HoWVbzZ3i6oUCBDrfmLD6G0ipGM+AQICmXjYX8OxT
+Ye5u/6DU4TkWu5A6/1m0Q4clGZXSeMx2d4PkZ0jZKOXdhwvzAaGh7I0AkuA4ZlCj
+slXENyAzQhm4EHHWxvld11e8oEh4DUfWtUXeLttawQKBgQDybE5gjAZdv+5BJXWV
+l2G+zb5tKHWd0XQQ2epktX+i+iA5lA0bLkAA4rrmZVsDEc4D2yjINsopBHTjwvtV
+F/LBBWIynm6MkIyjY6+0fBfoikz9ebKikuf1YRoRC5Dl0pd2Wa/ps2wowDbQnj3o
+4e6x+z0WviyL+uRr1JyotR2J5wKBgQDufVw64Z6AdWThlnP8qXqW12QQBd5qChPr
+fHJEkx0ViBoM97yalVzDssXn4X2ESVDqtsxH21SzKzDGzLoCG3PwCPgp9zWk9GS/
+HfhXFzI3qHIlI+s6481vjqDnXtvJ7oHutxYkkYQXSMgC69jeRY0nW78Bz03BAYjQ
+boRmeK1x8QKBgQDw9VBOTMADLUPvQwGGKAsC8VQHAgEuVcONAF0nrvPoFcA0GwGP
+87+wYayuVy5IdckVMiBuKW91p7VbsjHJGd2zl9tMPwfY9dCkkvBRcEr/W4A9Llqt
+l2GyF8smCB4FIfZkr67Xlvy54Jxbbf5RXUi5ZeUJlwuGM2IaACGa2zM6HwKBgEmW
+iOTqRTwh/RTWlcd6jAcLQybmiLBzl53r8l5SfoDsVA14S8vvFoaUHRjlrRMqhDtI
+WFQ7yzDVvOE6vpJz4hxIyDo6u2TAvG10U/Kbh7VA1qe7I5QyQmuPuPprfKocXB9K
+gxyZggalQIIWP/6lu15PoupuCvHpBUw7LcNorSwhAoGAXXBcp4U369B3ld+M+hC9
+G+2VttaC2917iqoM8R7WOiwez+10s+fNv89B6DjZxeX5haa7bbB+RvfqN8OysIRK
+m0Bh4w6q/JuRydj9T5sJLk9oUrEFLncqihlNT+1WEwR5x50OODYjpHz1YORo5HzL
+cnXKk8xTZFE7mXD1ZJoRLxc=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8d:a0:d2:8a:ee:0b:cf:64
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:03 2017 GMT
+            Not After : Mar 28 04:51:03 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e1:d7:67:16:b5:ae:07:d6:c6:3a:28:7c:9f:bf:
+                    14:89:93:52:48:50:07:b4:f0:91:66:1f:0b:ce:d0:
+                    46:fa:2d:19:8a:ae:ac:1b:5c:4c:86:b3:40:8f:1a:
+                    13:25:9e:6c:63:be:b7:d7:6c:a9:14:8e:87:58:f4:
+                    1c:b1:48:16:bb:cd:86:95:74:f0:c6:28:34:37:1e:
+                    f3:f1:ca:36:74:9e:93:eb:1c:32:08:db:04:7e:d1:
+                    43:83:d1:fb:64:0d:b3:c7:59:01:41:b2:5d:0e:63:
+                    fb:08:a5:1c:e2:85:84:61:f0:cc:02:ac:00:dd:cd:
+                    ad:ef:1c:fa:cd:07:3d:ae:9a:e3:39:8e:73:76:d0:
+                    55:48:18:a8:46:30:66:e0:e5:e6:9c:90:19:a0:bd:
+                    c6:96:4f:a0:56:07:ae:e2:61:15:95:47:02:f2:c1:
+                    d4:84:fa:29:8e:21:2e:0f:ee:2b:e7:74:17:b5:0e:
+                    50:7e:cf:8a:01:99:b0:70:62:43:3e:e5:6c:91:df:
+                    24:f8:fa:cb:5d:07:2c:a7:9d:a2:fe:90:4c:6c:0b:
+                    f4:d6:0f:0f:ac:13:d4:d0:52:8d:b3:a9:16:cd:23:
+                    58:fc:52:10:5a:41:9c:f5:a5:b5:f9:61:e1:8f:4e:
+                    af:d9:d8:9f:04:1a:f3:f1:cf:a5:58:3e:69:03:c8:
+                    c9:77
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         24:74:94:0a:7d:81:62:16:ed:4e:0f:e2:19:06:bd:8b:7a:e4:
+         35:63:4c:73:ec:3a:45:d7:2a:8c:80:e6:6b:d9:26:7d:78:9f:
+         6b:36:f9:fd:94:f7:ac:86:3c:0e:95:66:80:f3:0b:93:0f:44:
+         0a:05:76:d9:1d:c6:37:6f:ea:02:b9:29:e9:96:11:d1:e6:1e:
+         70:95:31:77:22:ed:3c:96:ad:9f:74:8c:41:f5:44:47:a2:4e:
+         d4:58:86:92:31:36:94:90:05:9d:94:16:8c:f8:c8:18:7b:45:
+         dc:49:45:53:63:06:bb:c6:a9:33:72:fe:48:7b:0e:21:89:e2:
+         6c:44:29:3c:10:65:c6:7d:8e:6c:cb:95:ea:a1:ae:3b:c1:12:
+         98:ce:b9:c8:98:12:0d:ac:a7:bd:31:cc:aa:ac:51:b4:a7:33:
+         5b:60:0d:d6:ed:e0:29:5a:29:f5:fc:e0:27:db:77:88:fd:59:
+         0c:02:70:d8:f4:1d:89:88:13:94:55:5b:77:a3:a6:8e:18:9a:
+         b8:82:5b:64:27:8c:ef:10:6a:df:ed:fd:a4:b5:2b:44:0f:5f:
+         89:08:15:48:df:b0:13:08:7c:08:cc:07:ea:b8:a6:17:ab:35:
+         65:07:2c:b9:ec:9a:d0:1f:e7:b9:a7:36:9e:24:f7:73:10:e0:
+         70:6c:78:6e
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIJAI2g0oruC89kMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTAzWhcNMjcwMzI4MDQ1MTAzWjBtMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEl
+MCMGA1UEAwwcSU5URVJfQ0FfU0hBMjU2LVJPT1RfQ0FfU0hBMTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOHXZxa1rgfWxjoofJ+/FImTUkhQB7TwkWYf
+C87QRvotGYqurBtcTIazQI8aEyWebGO+t9dsqRSOh1j0HLFIFrvNhpV08MYoNDce
+8/HKNnSek+scMgjbBH7RQ4PR+2QNs8dZAUGyXQ5j+wilHOKFhGHwzAKsAN3Nre8c
++s0HPa6a4zmOc3bQVUgYqEYwZuDl5pyQGaC9xpZPoFYHruJhFZVHAvLB1IT6KY4h
+Lg/uK+d0F7UOUH7PigGZsHBiQz7lbJHfJPj6y10HLKedov6QTGwL9NYPD6wT1NBS
+jbOpFs0jWPxSEFpBnPWltflh4Y9Or9nYnwQa8/HPpVg+aQPIyXcCAwEAAaOBijCB
+hzB3BgNVHSMEcDBuoWGkXzBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTAL
+BgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEVMBMGA1UE
+AwwMUk9PVF9DQV9TSEExggkA8Tu3+yg/UgkwDAYDVR0TBAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAJHSUCn2BYhbtTg/iGQa9i3rkNWNMc+w6RdcqjIDma9kmfXif
+azb5/ZT3rIY8DpVmgPMLkw9ECgV22R3GN2/qArkp6ZYR0eYecJUxdyLtPJatn3SM
+QfVER6JO1FiGkjE2lJAFnZQWjPjIGHtF3ElFU2MGu8apM3L+SHsOIYnibEQpPBBl
+xn2ObMuV6qGuO8ESmM65yJgSDaynvTHMqqxRtKczW2AN1u3gKVop9fzgJ9t3iP1Z
+DAJw2PQdiYgTlFVbd6OmjhiauIJbZCeM7xBq3+39pLUrRA9fiQgVSN+wEwh8CMwH
+6rimF6s1ZQcsueya0B/nuac2niT3cxDgcGx4bg==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbXbqJwTisc3wF
+Z6MYWonNxMsWBfNfwFB/KLQfEfZ+phvReORvJZ5lVT/1gTVs5/QhREU0qW48OxyM
+NXKgkcBZGLkRvVlDaOEcbTIDa4PYf7rnsTtU8DWYuyqqmeBnJ2ViKJ3ZGA750ctm
+ZsDZlWdwE5iCqX3hA/pfHGu+CNiW2jWSulookdIPqdJeLiwgnntm5tZFxoZ9hD1h
+J88iRqmqpS4joYXPxUNxfJ49Nx4iRfrx7HpyUVg3i5Q2q/AVuVSwbbPfNaQrG71V
+EbK0K7EjtL8Gw8DCS8Gvr0ApIpabA644BueWA9skjns9lvfSuH76Y5e2nHGJiOz7
+LWMFV24LAgMBAAECggEAD546u7gQCucl+1SHniJEEWxjcSv3SeftU0BYoqWqwRWe
+gWl0Ch3Jizlollger6RME1pC+x7dBFjJDYp4oMn/wdgqxQKQKmZ7MITtvKSY/H8L
+lZdevAtmJXud7AuMmIuLglOV+XDnEA5Jxv6l2Ff0x1v9zb+3gJ/B4aeqXBtRIFxD
+CfCcvcN1Bl+jj2fvS8iRrqofGa6DGXZVZvtIVjIvJnR1YBVMVYBNs6kcscM5Nblr
+PJFDDsg+Ph7hq5gpwj7pyb4e54sn06pdfBLgGkHJ82tCNkc+f4Ee2M7MoS//m4IC
+ajV+xht4REHuB7h5GM50TF5Gziianyc3g8//M7sC8QKBgQD7tvSzJK1N0w9NPK1e
+Q5zfEWxU1c7dJ/hr81OpvEzUut1vZeKT1mydtA0YJftDTFTXe5fsPKNTIrL4BWUw
+PLa3jWQNNDSLDNhdoqKrno+017pD7+p8G8x3AfyHxn6x2Shoz0jHTnGf+Q0vnvdT
+ZTFpWU+3J8Wp4+1Nx2lwGGEJXwKBgQDfGcnk/fTSs/QQNgzkC1HaQ35b66eEBwK3
+yi8KNsNxDByvdYGxaK/tLRiZIsKMxAV+3jebfA4WSgDkenmzGLn4gYUr5gkkmEW5
+irETT+HDK8LeM2iIbCROactwu3ytJrgpaoDXxRbDsGCUf98hjz1JDCR94wjGH78H
+K3Pmbm6e1QKBgEIuTVIYj5RJrNlC3dZN8p3Xx+LaQER3cOJ5HIMhJhY8d2IFqLf0
+BaTFJTg3LEP6esgZD82l988w7Vs2l+9B10yVWTv7gOEaZHzh+OEklGYY3jlkiANP
+j8eudwX/02nRTcWY0mrMniVQZv4hTqfXkFFBkSr3wwmzCr6LcpZtYn4DAoGBAIEm
+2bTBu1/aoxhbYd0GHI1g8x5dbm1E7bLdzZt5Fm00GMsOGFVOiEGiEJJeCAgbVh8a
+n1BYYYNPtfKOYDNoxgfxWtmN4o8Xw41kl5vZa5VjmPyu//2xtNbb8dTCBKvsNUJs
+kEfYpZQFX/O3jsFLvauy5tElhCfFqv2IjyC/nzQ9AoGBAJLCz62crl/AXqArSnAH
+efX9ozrNMJMQDMDtw5xB/EqRMazmTlqkYr0H4iTS69QNAPr8czdmpY6uO6BRE9+/
+f/tWZXQj7eT8pd1Dp2Ed1vHsOfiAUha0cYUMrqshsqKNXrCxl7144iRGZY7OjFI1
+USqVVNaci2IrtW5+NGV62BYP
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            84:a1:70:1d:0a:92:d3:cc
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:02 2017 GMT
+            Not After : Mar 28 04:51:02 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:db:5d:ba:89:c1:38:ac:73:7c:05:67:a3:18:5a:
+                    89:cd:c4:cb:16:05:f3:5f:c0:50:7f:28:b4:1f:11:
+                    f6:7e:a6:1b:d1:78:e4:6f:25:9e:65:55:3f:f5:81:
+                    35:6c:e7:f4:21:44:45:34:a9:6e:3c:3b:1c:8c:35:
+                    72:a0:91:c0:59:18:b9:11:bd:59:43:68:e1:1c:6d:
+                    32:03:6b:83:d8:7f:ba:e7:b1:3b:54:f0:35:98:bb:
+                    2a:aa:99:e0:67:27:65:62:28:9d:d9:18:0e:f9:d1:
+                    cb:66:66:c0:d9:95:67:70:13:98:82:a9:7d:e1:03:
+                    fa:5f:1c:6b:be:08:d8:96:da:35:92:ba:5a:28:91:
+                    d2:0f:a9:d2:5e:2e:2c:20:9e:7b:66:e6:d6:45:c6:
+                    86:7d:84:3d:61:27:cf:22:46:a9:aa:a5:2e:23:a1:
+                    85:cf:c5:43:71:7c:9e:3d:37:1e:22:45:fa:f1:ec:
+                    7a:72:51:58:37:8b:94:36:ab:f0:15:b9:54:b0:6d:
+                    b3:df:35:a4:2b:1b:bd:55:11:b2:b4:2b:b1:23:b4:
+                    bf:06:c3:c0:c2:4b:c1:af:af:40:29:22:96:9b:03:
+                    ae:38:06:e7:96:03:db:24:8e:7b:3d:96:f7:d2:b8:
+                    7e:fa:63:97:b6:9c:71:89:88:ec:fb:2d:63:05:57:
+                    6e:0b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         3f:f2:91:96:59:da:c1:8a:8c:4d:eb:25:1f:74:87:6f:fc:2e:
+         92:7e:44:ff:a7:0b:78:aa:6d:2b:fe:b8:0a:b9:e9:bc:19:87:
+         44:15:e1:3a:e4:54:e6:4b:54:3c:75:d9:f8:c9:07:83:74:f4:
+         4c:ab:e4:6b:19:64:b6:4b:69:44:6e:74:f6:66:cf:16:43:8f:
+         9c:cb:20:e4:7a:5e:78:13:00:6f:28:78:8d:c5:05:46:a9:92:
+         0f:d0:38:c3:8b:0e:39:d4:87:e9:ee:35:07:78:dd:1a:1a:8c:
+         3a:36:56:4e:3b:96:7a:d1:2c:29:95:06:29:ac:b2:f7:5c:fc:
+         09:1c:72:24:e2:9e:72:bf:60:3a:7a:9b:59:35:48:6a:d2:3e:
+         76:7f:ad:41:45:a5:6f:93:96:10:c4:4c:cf:3f:f1:1d:00:5f:
+         d1:60:f1:88:86:d8:ef:ff:72:63:8f:4c:df:9e:35:cb:17:2c:
+         16:7b:d4:6c:0e:67:b6:ee:bc:68:07:b0:99:df:c5:f3:88:28:
+         a1:46:bb:6d:f5:2c:45:6b:e9:90:c0:78:35:20:73:14:5a:d0:
+         a5:56:cb:04:f4:43:a7:cf:28:f5:a3:5b:ac:f2:a3:4c:f6:39:
+         3c:ef:f4:b1:42:20:8e:2a:14:0d:a1:b4:38:b2:f2:6c:14:33:
+         05:04:bb:a7
+-----BEGIN CERTIFICATE-----
+MIID3jCCAsagAwIBAgIJAIShcB0KktPMMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDJaFw0yNzAzMjgwNDUxMDJaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9DQV9TSEEyNTYwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbXbqJwTisc3wFZ6MYWonNxMsWBfNf
+wFB/KLQfEfZ+phvReORvJZ5lVT/1gTVs5/QhREU0qW48OxyMNXKgkcBZGLkRvVlD
+aOEcbTIDa4PYf7rnsTtU8DWYuyqqmeBnJ2ViKJ3ZGA750ctmZsDZlWdwE5iCqX3h
+A/pfHGu+CNiW2jWSulookdIPqdJeLiwgnntm5tZFxoZ9hD1hJ88iRqmqpS4joYXP
+xUNxfJ49Nx4iRfrx7HpyUVg3i5Q2q/AVuVSwbbPfNaQrG71VEbK0K7EjtL8Gw8DC
+S8Gvr0ApIpabA644BueWA9skjns9lvfSuH76Y5e2nHGJiOz7LWMFV24LAgMBAAGj
+gYwwgYkweQYDVR0jBHIwcKFjpGEwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFzAV
+BgNVBAMMDlJPT1RfQ0FfU0hBMjU2ggkAo1Kdgm/dxh0wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAP/KRllnawYqMTeslH3SHb/wukn5E/6cLeKptK/64
+CrnpvBmHRBXhOuRU5ktUPHXZ+MkHg3T0TKvkaxlktktpRG509mbPFkOPnMsg5Hpe
+eBMAbyh4jcUFRqmSD9A4w4sOOdSH6e41B3jdGhqMOjZWTjuWetEsKZUGKayy91z8
+CRxyJOKecr9gOnqbWTVIatI+dn+tQUWlb5OWEMRMzz/xHQBf0WDxiIbY7/9yY49M
+3541yxcsFnvUbA5ntu68aAewmd/F84gooUa7bfUsRWvpkMB4NSBzFFrQpVbLBPRD
+p88o9aNbrPKjTPY5PO/0sUIgjioUDaG0OLLybBQzBQS7pw==
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDhROyqYZ5UdQJ0
+xJdG4B+aXPHbIKV0w5AvJ7r4SuvIJ/4pEmV6fIU3+4CvN2sXKzW+0DppOBz99Oe6
+19jfMAx5t0pKHkwh5J0bduLf1k83lm8CvoX1a9lYY6ER4Y8wWtTcHG016onl8Lxq
+QVqlqbk9zsbNipvWxipIQOgzq7DmTXQ2Hrx0tg4DROlgwuarPBWcZjq6dG09nI0E
+zSY/Wis619L/6sdCxGFhvnJ0YbULvIqdR2J638KEO+rx1RXD66Jqc0KhnGZLf7NT
+YfTlY0zIMHE8oMkJPdH9tPKbyXMXhiG/u5x81RcJxT4gLi5fq2yrvMsaUC13bnJJ
+npFNy6XTAgMBAAECggEAPS4h9Jg0jw2EUEBAMaCXFK5fhTrVlOO0Ggp5TgvTA3ZR
+Ich8RQrih3TH2056yD0VCLC23HK/9Pz5npYWsW70RG5SP9UAqkfTn2znaxFiTF+P
+4Lfr296hlc7hJOEUqXZRz0HtKzJ6pzd9hIIhY1K4G6A4AATAFFGXlC4Eolvj3Hf0
+NgVFDYaFDEpEiin+fAsM5c1ZE0pxRZSVE5Emr9XvkvxLm5dK9lKOyyOQ+5RHhxQ6
+J4n+6Ct0O+FkeP9u3jTMtew9gxTwvHSgkf05hSRoqgMKcusKpqhHp6E4mT7sus7q
+AYzdv5sNIcx7PpojuHjploMH7ghhYxCmVOOFxXJ4CQKBgQD2naA8zZnh5BfbVC8p
+C9A6HfwnZ7cCjGtL30y8fh8OAMHbdGE4JXlhifPgW7PDxZ0Yho4rYd9MxLVcGl+p
+YPOKKcaKbzwdUJwZ4Zs1dJC+LTRqku6O3qlEofeojHN5IctLoLqDsiZBD7aT4l+O
+wmAWqwLZZQtiFpA/jbCb/Qw7tQKBgQDp11rFSHLKuVdMuSnUon3WN6lj9WNM3KFy
+C8R4EN/DTnuHrVL0MCff9eddBYvpQe0z/LA74oAD9fSjmtYe/24qIm2lAWVkwxBm
+yyspUmOybU8Q3GN8xw1Vrwg8JR5JVAOwKHwCGmybT7Zs+9eJRONnnZ6nUbTQ94cP
+sJVkyGUgZwKBgQCd/0CAk+xpl1tdbiLEtkfSZBF/IWhTXqkDM+2SuW6l5wBL29TJ
+RuDsB5jR/Y4+96T86H++9XY9Va0nc9IjzvRYaQlE+ZzW3yUTQ8HPTn3JCWcSfE4Q
+BEEHsojbWBhG28rGChRUeVceybVcK2SzLn6nJyqtIppXXkNOJDWoykcDHQKBgHzY
+27+k1JTjq3ZtDaZXMvQiN7AEnYW17gRjv/uSlsVBq7ZelYGGDGQIeAQ0J+Tbq/cr
+nDP80/hJYtnOmy9llL2uL/f+7NGFS8Z2Bo9DS7NBpQsNf5ho9fefQbhK4Qapcmak
+1sCQtxec0XsSYpsJSphRkRkoCG/hGB0KXFi4nTVVAoGAJrrh1rG1UMXmFUpraXIy
+Mc58lEYB87EkMOthyK8XklxLoYKPZlVS7AZZDtQMpRC6YnweiX6LmO4AamtlT71x
+BzQgmwHn4wOaysDPHFuf5hNCobXJREoiNzHb4AcqiZ7SNAW5Jd+0/PSY47hrDnRy
+wNFyg3O0k3kaXz5h3lVhxo4=
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f1:3b:b7:fb:28:3f:52:09
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Validity
+            Not Before: Mar 30 04:51:01 2017 GMT
+            Not After : Mar 28 04:51:01 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e1:44:ec:aa:61:9e:54:75:02:74:c4:97:46:e0:
+                    1f:9a:5c:f1:db:20:a5:74:c3:90:2f:27:ba:f8:4a:
+                    eb:c8:27:fe:29:12:65:7a:7c:85:37:fb:80:af:37:
+                    6b:17:2b:35:be:d0:3a:69:38:1c:fd:f4:e7:ba:d7:
+                    d8:df:30:0c:79:b7:4a:4a:1e:4c:21:e4:9d:1b:76:
+                    e2:df:d6:4f:37:96:6f:02:be:85:f5:6b:d9:58:63:
+                    a1:11:e1:8f:30:5a:d4:dc:1c:6d:35:ea:89:e5:f0:
+                    bc:6a:41:5a:a5:a9:b9:3d:ce:c6:cd:8a:9b:d6:c6:
+                    2a:48:40:e8:33:ab:b0:e6:4d:74:36:1e:bc:74:b6:
+                    0e:03:44:e9:60:c2:e6:ab:3c:15:9c:66:3a:ba:74:
+                    6d:3d:9c:8d:04:cd:26:3f:5a:2b:3a:d7:d2:ff:ea:
+                    c7:42:c4:61:61:be:72:74:61:b5:0b:bc:8a:9d:47:
+                    62:7a:df:c2:84:3b:ea:f1:d5:15:c3:eb:a2:6a:73:
+                    42:a1:9c:66:4b:7f:b3:53:61:f4:e5:63:4c:c8:30:
+                    71:3c:a0:c9:09:3d:d1:fd:b4:f2:9b:c9:73:17:86:
+                    21:bf:bb:9c:7c:d5:17:09:c5:3e:20:2e:2e:5f:ab:
+                    6c:ab:bc:cb:1a:50:2d:77:6e:72:49:9e:91:4d:cb:
+                    a5:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+                serial:F1:3B:B7:FB:28:3F:52:09
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+         0b:be:7b:c7:53:14:87:37:02:66:37:f5:6f:38:3c:75:b3:72:
+         f6:f8:9c:77:4d:9a:e4:5c:23:3a:4a:5f:aa:6e:90:23:e9:b8:
+         48:fd:6d:e1:88:b5:a2:a5:0a:30:c0:7d:33:a8:6f:79:42:52:
+         80:f8:87:4b:2a:15:0a:ff:14:88:97:21:12:89:1c:d3:33:bf:
+         fa:4f:5e:68:9a:c6:69:2f:aa:1d:31:aa:80:f5:b0:d3:72:c9:
+         fa:ce:3b:5f:15:a6:61:e0:f1:d1:ab:e7:40:48:c1:d4:30:bd:
+         0a:13:37:0d:ea:ac:38:b2:af:1b:78:3a:29:53:ee:90:71:3b:
+         2b:a4:8b:16:e9:da:94:59:44:3d:7f:34:fb:0a:d1:6b:db:3d:
+         66:01:a6:0f:98:b5:cc:57:39:b9:09:f2:01:cc:e5:89:86:7d:
+         f2:9a:b2:ad:08:3d:da:05:f9:24:1e:30:98:cc:92:a9:4c:4a:
+         cf:a3:53:6e:7f:5e:db:aa:43:9c:ac:b1:b5:80:ab:7e:a3:89:
+         71:37:c2:4a:c1:16:9d:26:d5:70:89:8a:8e:a8:cb:40:3b:b8:
+         f0:d2:31:54:c2:1f:fc:24:5e:29:c1:5e:86:48:1e:83:4e:44:
+         30:ff:8d:46:47:b6:0e:9c:77:bf:ba:08:8b:bd:eb:b7:ca:45:
+         0a:e3:0c:ec
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIJAPE7t/soP1IJMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTAxWhcNMjcwMzI4MDQ1MTAxWjBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEV
+MBMGA1UEAwwMUk9PVF9DQV9TSEExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4UTsqmGeVHUCdMSXRuAfmlzx2yCldMOQLye6+ErryCf+KRJlenyFN/uA
+rzdrFys1vtA6aTgc/fTnutfY3zAMebdKSh5MIeSdG3bi39ZPN5ZvAr6F9WvZWGOh
+EeGPMFrU3BxtNeqJ5fC8akFapam5Pc7GzYqb1sYqSEDoM6uw5k10Nh68dLYOA0Tp
+YMLmqzwVnGY6unRtPZyNBM0mP1orOtfS/+rHQsRhYb5ydGG1C7yKnUdiet/ChDvq
+8dUVw+uianNCoZxmS3+zU2H05WNMyDBxPKDJCT3R/bTym8lzF4Yhv7ucfNUXCcU+
+IC4uX6tsq7zLGlAtd25ySZ6RTcul0wIDAQABo4GKMIGHMHcGA1UdIwRwMG6hYaRf
+MF0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoG
+A1UECgwDT3JnMQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTGC
+CQDxO7f7KD9SCTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQALvnvH
+UxSHNwJmN/VvODx1s3L2+Jx3TZrkXCM6Sl+qbpAj6bhI/W3hiLWipQowwH0zqG95
+QlKA+IdLKhUK/xSIlyESiRzTM7/6T15omsZpL6odMaqA9bDTcsn6zjtfFaZh4PHR
+q+dASMHUML0KEzcN6qw4sq8beDopU+6QcTsrpIsW6dqUWUQ9fzT7CtFr2z1mAaYP
+mLXMVzm5CfIBzOWJhn3ymrKtCD3aBfkkHjCYzJKpTErPo1Nuf17bqkOcrLG1gKt+
+o4lxN8JKwRadJtVwiYqOqMtAO7jw0jFUwh/8JF4pwV6GSB6DTkQw/41GR7YOnHe/
+ugiLveu3ykUK4wzs
+-----END CERTIFICATE-----
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,26 @@
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2DzrIXts3huIs
+dtX+ZbY6RR5/S4yXUs3jJXc4mbITLn7PO1QVBT528NZVOu6jUxXsPTpTg1jgresh
+6Pcv1LNj7bP30uPXhmyawgQVUgLTGyU0+JWLJrpU7cEOTK4f/j58A+UHL255fM7T
+B3EvIj2Ad1MAYwIvVZnAXPSFt72YGz15doYiewp8dTXcX4TsFisCbypFikWxpXIF
+qjVqbAUx8fYgQxfPWFw4HbVvo3Nu1LqypswAfsmHd2v5nMv8wkAcPG5dIYHACN9r
+kPLMoUNUcBLn6QdIUrhk7dldRlR0TWT+VtRLKVWlGkMk9rRK+RnskNSuPg8fjb/Y
+gM0m5p0JAgMBAAECggEAPVk8cbClJjzpkhopWiRkF5abBEItCgD5KAXD+uqvuw77
+5FEVsE+oEORvFSFasOaaiJTJRsMH/A4fIbojMZb3LEE5V9VUuZeumSevwI92LDUF
+gKgTnGRcfanwWCU2t8kwvRGC57zv+Tg5aZskZMGg/901tvemENVDjjLEoxqbZNmX
+WZnhB8XiPxl9K32K0l+qNW3HvKJ8lkaW0L6/4HWWU4rYwbc9TZpzHDOXhAICQB76
+fCw4hcy1K6KjfGjfE/6afqMa76KSxxeCvUYorZlm2gk1WcEafkg9Jwzz2SWtsa8W
+L+YzbTd1GE8Z9bDA88Dw3vgdC1Pt0ywX/fJ/GCDHUQKBgQDjNaW/enKYXGTsM5C1
+I94OgSmgnjnjPZIBY0u89iCAf07ueqrNaLJgOEkGpCrLEa4tC2qc57ge1DO2rxTa
+6RowUzqG3Oqdsq21QaQZAmjjDC5mXlYPRpWvWVjBRaIDKw9zAUg9qEy24e/pRjdP
+cugR30d1OaxExdgoAt8iOqZ67wKBgQDNIPqF/+npd1UAqgdC9lOxnPQly1zjz/zY
+jbeJeww9Ut9aCXj0+we4gKhD37d178y1H2QBod+IPpqQ/uZmbNmN5JP+MIk2kZKB
+4jquQLa5jEc+y57h8UrWJBY+Ls7xiu/cw3aCAk0JaZRSrH/KzWE91x3s7o2yV43d
+dMkRmTTHhwKBgQCHaq4C1WP/UvIDpSgWDe6HDoxU4nj16vheQ2Qcl0T/0OCmWg36
+pu/JUUKU5rtqlHsO9cLxCVo/ZZH8y5TOdCfbrX8wafKbUqcdZKX9EeaZi+ULtiXs
+rNEB1WqEpo/M+5kVnioENY6jYT2v9t14SK/wFvdr8pet1YzjK/L5X6NhmQKBgFK4
+0u7I9k61Ve0vpEAH0FaXIgo/yZUBYkj+VZ62pYfxbKsFmObKeSGZmMHObVC9RMNi
+BlV2LwvlmzWP5eA2U0GahWgDsMH10KxaTCnLZSTMgkq7mLYrNW/IG8Q14jScQAC6
+PodNYD3EexEgCWUCkA19O885oKDkGAzPtOpI63TvAoGBAJvbKiJSFJNd3CIQlrOM
+wNw+Sww+c2Qw4PZZvIJNzjWumjesfUsuAyySrO2nXPzzSOrh7dRW98suaFi1Mih6
+ZwBpIll5VQsd2dwEa6vp6RFGWFNKPvDILEVgcCEOmckKRWDo+fb5bx2VHj1v4kfG
+MHDqy8Y2ercsU0Z5mEN8bUD7
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer	Tue Apr 04 19:58:24 2017 -0700
@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            a3:52:9d:82:6f:dd:c6:1d
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Validity
+            Not Before: Mar 30 04:51:01 2017 GMT
+            Not After : Mar 28 04:51:01 2027 GMT
+        Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:0f:3a:c8:5e:db:37:86:e2:2c:76:d5:fe:65:
+                    b6:3a:45:1e:7f:4b:8c:97:52:cd:e3:25:77:38:99:
+                    b2:13:2e:7e:cf:3b:54:15:05:3e:76:f0:d6:55:3a:
+                    ee:a3:53:15:ec:3d:3a:53:83:58:e0:ad:eb:21:e8:
+                    f7:2f:d4:b3:63:ed:b3:f7:d2:e3:d7:86:6c:9a:c2:
+                    04:15:52:02:d3:1b:25:34:f8:95:8b:26:ba:54:ed:
+                    c1:0e:4c:ae:1f:fe:3e:7c:03:e5:07:2f:6e:79:7c:
+                    ce:d3:07:71:2f:22:3d:80:77:53:00:63:02:2f:55:
+                    99:c0:5c:f4:85:b7:bd:98:1b:3d:79:76:86:22:7b:
+                    0a:7c:75:35:dc:5f:84:ec:16:2b:02:6f:2a:45:8a:
+                    45:b1:a5:72:05:aa:35:6a:6c:05:31:f1:f6:20:43:
+                    17:cf:58:5c:38:1d:b5:6f:a3:73:6e:d4:ba:b2:a6:
+                    cc:00:7e:c9:87:77:6b:f9:9c:cb:fc:c2:40:1c:3c:
+                    6e:5d:21:81:c0:08:df:6b:90:f2:cc:a1:43:54:70:
+                    12:e7:e9:07:48:52:b8:64:ed:d9:5d:46:54:74:4d:
+                    64:fe:56:d4:4b:29:55:a5:1a:43:24:f6:b4:4a:f9:
+                    19:ec:90:d4:ae:3e:0f:1f:8d:bf:d8:80:cd:26:e6:
+                    9d:09
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+                serial:A3:52:9D:82:6F:DD:C6:1D
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6f:2f:a4:56:d5:58:6d:20:74:6b:66:b7:41:eb:c2:8c:56:2e:
+         1b:51:79:b0:07:a6:63:28:8b:20:40:b9:72:4b:f5:e0:6b:18:
+         39:5b:b4:ae:50:58:25:81:86:e3:19:ec:b1:dd:fb:5c:f5:d4:
+         a8:7d:a0:50:46:ac:1e:80:dc:cc:aa:0c:61:f8:a3:41:af:03:
+         35:a4:02:4f:23:c7:5c:36:26:90:fe:51:07:58:0f:e7:14:26:
+         34:c2:a7:bd:f2:34:33:cf:67:e4:2d:82:b6:e8:94:85:d6:8b:
+         01:6f:ba:3d:78:f6:db:3d:dc:ba:6e:6d:83:fa:ea:d0:60:ab:
+         1b:ad:9b:e2:ba:e3:e3:9f:26:5b:9a:c7:fb:9f:c1:7d:cc:0b:
+         cf:23:e0:ac:e1:e4:09:08:84:98:d4:6e:16:34:a5:5e:74:d5:
+         a8:61:e1:65:f7:9a:51:9f:f0:9f:86:65:ce:4f:b8:b6:64:7d:
+         86:62:21:ec:71:50:70:ca:6b:2e:74:12:51:b1:68:b0:4a:66:
+         19:60:e9:f8:b0:bf:6e:d8:ad:75:29:c3:31:13:73:01:3d:d5:
+         d4:5b:c2:60:bb:c4:c8:e6:29:cf:a3:49:65:8d:c2:1d:7d:c9:
+         75:33:9b:97:73:38:99:5c:7d:b3:9f:b0:be:0d:f4:6a:c6:19:
+         8d:98:a1:ca
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAragAwIBAgIJAKNSnYJv3cYdMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDFaFw0yNzAzMjgwNDUxMDFaMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALYPOshe2zeG4ix21f5ltjpFHn9LjJdSzeMldziZshMufs87VBUF
+Pnbw1lU67qNTFew9OlODWOCt6yHo9y/Us2Pts/fS49eGbJrCBBVSAtMbJTT4lYsm
+ulTtwQ5Mrh/+PnwD5Qcvbnl8ztMHcS8iPYB3UwBjAi9VmcBc9IW3vZgbPXl2hiJ7
+Cnx1NdxfhOwWKwJvKkWKRbGlcgWqNWpsBTHx9iBDF89YXDgdtW+jc27UurKmzAB+
+yYd3a/mcy/zCQBw8bl0hgcAI32uQ8syhQ1RwEufpB0hSuGTt2V1GVHRNZP5W1Esp
+VaUaQyT2tEr5GeyQ1K4+Dx+Nv9iAzSbmnQkCAwEAAaOBjDCBiTB5BgNVHSMEcjBw
+oWOkYTBfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDTALBgNVBAcMBENpdHkx
+DDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEXMBUGA1UEAwwOUk9PVF9DQV9T
+SEEyNTaCCQCjUp2Cb93GHTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
+AQBvL6RW1VhtIHRrZrdB68KMVi4bUXmwB6ZjKIsgQLlyS/Xgaxg5W7SuUFglgYbj
+Geyx3ftc9dSofaBQRqwegNzMqgxh+KNBrwM1pAJPI8dcNiaQ/lEHWA/nFCY0wqe9
+8jQzz2fkLYK26JSF1osBb7o9ePbbPdy6bm2D+urQYKsbrZviuuPjnyZbmsf7n8F9
+zAvPI+Cs4eQJCISY1G4WNKVedNWoYeFl95pRn/CfhmXOT7i2ZH2GYiHscVBwymsu
+dBJRsWiwSmYZYOn4sL9u2K11KcMxE3MBPdXUW8Jgu8TI5inPo0lljcIdfcl1M5uX
+cziZXH2zn7C+DfRqxhmNmKHK
+-----END CERTIFICATE-----