changeset 6484:fe28e0b035e7

7194449: String resources for Key Tool and Policy Tool should be in their respective packages Reviewed-by: alanb, weijun, mullan
author sflores
date Sun, 14 Oct 2012 22:58:59 +0100
parents ff641c5b329b
children 7055257a25c4
files make/common/Release.gmk make/launchers/Makefile make/sun/security/tools/Makefile makefiles/CompileLaunchers.gmk makefiles/CreateJars.gmk src/share/classes/sun/security/tools/CertAndKeyGen.java src/share/classes/sun/security/tools/JarSigner.java src/share/classes/sun/security/tools/JarSignerResources.java src/share/classes/sun/security/tools/JarSignerResources_ja.java src/share/classes/sun/security/tools/JarSignerResources_zh_CN.java src/share/classes/sun/security/tools/KeyStoreUtil.java src/share/classes/sun/security/tools/KeyTool.java src/share/classes/sun/security/tools/TimestampedSigner.java src/share/classes/sun/security/tools/jarsigner/Main.java src/share/classes/sun/security/tools/jarsigner/Resources.java src/share/classes/sun/security/tools/jarsigner/Resources_ja.java src/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java src/share/classes/sun/security/tools/jarsigner/TimestampedSigner.java src/share/classes/sun/security/tools/keytool/CertAndKeyGen.java src/share/classes/sun/security/tools/keytool/Main.java src/share/classes/sun/security/tools/keytool/Resources.java src/share/classes/sun/security/tools/keytool/Resources_de.java src/share/classes/sun/security/tools/keytool/Resources_es.java src/share/classes/sun/security/tools/keytool/Resources_fr.java src/share/classes/sun/security/tools/keytool/Resources_it.java src/share/classes/sun/security/tools/keytool/Resources_ja.java src/share/classes/sun/security/tools/keytool/Resources_ko.java src/share/classes/sun/security/tools/keytool/Resources_pt_BR.java src/share/classes/sun/security/tools/keytool/Resources_sv.java src/share/classes/sun/security/tools/keytool/Resources_zh_CN.java src/share/classes/sun/security/tools/keytool/Resources_zh_HK.java src/share/classes/sun/security/tools/keytool/Resources_zh_TW.java src/share/classes/sun/security/tools/policytool/PolicyTool.java src/share/classes/sun/security/tools/policytool/Resources.java src/share/classes/sun/security/tools/policytool/Resources_de.java src/share/classes/sun/security/tools/policytool/Resources_es.java src/share/classes/sun/security/tools/policytool/Resources_fr.java src/share/classes/sun/security/tools/policytool/Resources_it.java src/share/classes/sun/security/tools/policytool/Resources_ja.java src/share/classes/sun/security/tools/policytool/Resources_ko.java src/share/classes/sun/security/tools/policytool/Resources_pt_BR.java src/share/classes/sun/security/tools/policytool/Resources_sv.java src/share/classes/sun/security/tools/policytool/Resources_zh_CN.java src/share/classes/sun/security/tools/policytool/Resources_zh_HK.java src/share/classes/sun/security/tools/policytool/Resources_zh_TW.java src/share/classes/sun/security/util/Resources.java src/share/classes/sun/security/util/Resources_de.java src/share/classes/sun/security/util/Resources_es.java src/share/classes/sun/security/util/Resources_fr.java src/share/classes/sun/security/util/Resources_it.java src/share/classes/sun/security/util/Resources_ja.java src/share/classes/sun/security/util/Resources_ko.java src/share/classes/sun/security/util/Resources_pt_BR.java src/share/classes/sun/security/util/Resources_sv.java src/share/classes/sun/security/util/Resources_zh_CN.java src/share/classes/sun/security/util/Resources_zh_TW.java test/sun/security/pkcs12/PKCS12SameKeyId.java test/sun/security/tools/jarsigner/JarSigningNonAscii.java test/sun/security/tools/jarsigner/LargeJarEntry.java test/sun/security/tools/keytool/CloseFile.java test/sun/security/tools/keytool/KeyToolTest.java test/sun/security/tools/keytool/NewSize7.java test/sun/security/tools/keytool/StartDateTest.java test/sun/security/tools/keytool/UnknownAndUnparseable.java test/sun/security/tools/keytool/autotest.sh test/sun/security/tools/keytool/standard.sh test/sun/security/util/Resources/Format.java test/sun/security/util/Resources/NewNamesFormat.java test/sun/security/util/Resources/NewResourcesNames.java test/sun/security/x509/AlgorithmId/NonStandardNames.java
diffstat 70 files changed, 15062 insertions(+), 13394 deletions(-) [+]
line wrap: on
line diff
--- a/make/common/Release.gmk	Sat Oct 13 10:15:57 2012 +0100
+++ b/make/common/Release.gmk	Sun Oct 14 22:58:59 2012 +0100
@@ -348,15 +348,15 @@
 	sun/tools/serialver	\
 	sun/tools/tree		\
 	sun/tools/util		\
-	sun/security/tools/JarBASE64Encoder.class \
-	sun/security/tools/JarSigner.class \
-	sun/security/tools/JarSignerParameters.class \
-	sun/security/tools/JarSignerResources.class \
-	sun/security/tools/JarSignerResources_ja.class \
-	sun/security/tools/JarSignerResources_zh_CN.class \
-	sun/security/tools/SignatureFile\$$Block.class \
-	sun/security/tools/SignatureFile.class \
-	sun/security/tools/TimestampedSigner.class \
+	sun/security/tools/jarsigner/JarBASE64Encoder.class \
+	sun/security/tools/jarsigner/Main.class \
+	sun/security/tools/jarsigner/JarSignerParameters.class \
+	sun/security/tools/jarsigner/Resources.class \
+	sun/security/tools/jarsigner/Resources_ja.class \
+	sun/security/tools/jarsigner/Resources_zh_CN.class \
+	sun/security/tools/jarsigner/SignatureFile\$$Block.class \
+	sun/security/tools/jarsigner/SignatureFile.class \
+	sun/security/tools/jarsigner/TimestampedSigner.class \
 	sun/rmi/rmic		\
 	sun/applet		\
 	sun/jvmstat		\
@@ -572,15 +572,15 @@
 	$(ECHO) "sun/tools/serialver/" >> $@
 	$(ECHO) "sun/tools/tree/" >> $@
 	$(ECHO) "sun/tools/util/" >> $@
-	$(ECHO) "sun/security/tools/JarBASE64Encoder.class" >> $@
-	$(ECHO) "sun/security/tools/JarSigner.class" >> $@
-	$(ECHO) "sun/security/tools/JarSignerParameters.class" >> $@
-	$(ECHO) "sun/security/tools/JarSignerResources.class" >> $@
-	$(ECHO) "sun/security/tools/JarSignerResources_ja.class" >> $@
-	$(ECHO) "sun/security/tools/JarSignerResources_zh_CN.class" >> $@
-	$(ECHO) "sun/security/tools/SignatureFile\$$Block.class" >> $@
-	$(ECHO) "sun/security/tools/SignatureFile.class" >> $@
-	$(ECHO) "sun/security/tools/TimestampedSigner.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/JarBASE64Encoder.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/Main.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/JarSignerParameters.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/Resources.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/Resources_ja.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/Resources_zh_CN.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/SignatureFile\$$Block.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/SignatureFile.class" >> $@
+	$(ECHO) "sun/security/tools/jarsigner/TimestampedSigner.class" >> $@
 	$(ECHO) "sun/security/provider/Sun.class" >> $@
 	$(ECHO) "sun/security/rsa/SunRsaSign.class" >> $@
 	$(ECHO) "sun/security/ssl/" >> $@
--- a/make/launchers/Makefile	Sat Oct 13 10:15:57 2012 +0100
+++ b/make/launchers/Makefile	Sun Oct 14 22:58:59 2012 +0100
@@ -58,7 +58,7 @@
 $(call make-launcher, extcheck, com.sun.tools.extcheck.Main, , )
 $(call make-launcher, idlj, com.sun.tools.corba.se.idl.toJavaPortable.Compile, , )
 $(call make-launcher, jar, sun.tools.jar.Main, , )
-$(call make-launcher, jarsigner, sun.security.tools.JarSigner, , )
+$(call make-launcher, jarsigner, sun.security.tools.jarsigner.Main, , )
 $(call make-launcher, javac, com.sun.tools.javac.Main, , )
 $(call make-launcher, javadoc, com.sun.tools.javadoc.Main, , )
 $(call make-launcher, javah, com.sun.tools.javah.Main, , )
--- a/make/sun/security/tools/Makefile	Sat Oct 13 10:15:57 2012 +0100
+++ b/make/sun/security/tools/Makefile	Sun Oct 14 22:58:59 2012 +0100
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@
 # Resources
 #
 LOCALE_SET_DEFINITION = jdk
-RESOURCE_BUNDLES_JAVA = sun/security/tools/JarSignerResources.java
+RESOURCE_BUNDLES_JAVA = sun/security/tools/jarsigner/Resources.java
 
 #
 # Rules
@@ -45,7 +45,7 @@
 include $(BUILDDIR)/common/Classes.gmk
 
 build:
-	$(call make-launcher, keytool, sun.security.tools.KeyTool, , )
+	$(call make-launcher, keytool, sun.security.tools.keytool.Main, , )
 ifndef BUILD_HEADLESS_ONLY
 	$(call make-launcher, policytool, sun.security.tools.policytool.PolicyTool, , )
 endif
--- a/makefiles/CompileLaunchers.gmk	Sat Oct 13 10:15:57 2012 +0100
+++ b/makefiles/CompileLaunchers.gmk	Sun Oct 14 22:58:59 2012 +0100
@@ -232,7 +232,7 @@
     -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.tools.jar.Main"$(COMMA) }'))
 
 $(eval $(call SetupLauncher,jarsigner,\
-    -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.security.tools.JarSigner"$(COMMA) }'))
+    -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.security.tools.jarsigner.Main"$(COMMA) }'))
 
 $(eval $(call SetupLauncher,javac,\
     -DEXPAND_CLASSPATH_WILDCARDS \
@@ -310,7 +310,7 @@
     -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.tools.jstatd.Jstatd"$(COMMA) }'))
 
 $(eval $(call SetupLauncher,keytool,\
-    -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.security.tools.KeyTool"$(COMMA) }'))
+    -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.security.tools.keytool.Main"$(COMMA) }'))
 
 $(eval $(call SetupLauncher,native2ascii,\
     -DJAVA_ARGS='{ "-J-ms8m"$(COMMA) "sun.tools.native2ascii.Main"$(COMMA) }'))
--- a/makefiles/CreateJars.gmk	Sat Oct 13 10:15:57 2012 +0100
+++ b/makefiles/CreateJars.gmk	Sun Oct 14 22:58:59 2012 +0100
@@ -131,15 +131,15 @@
 	sun/tools/serialver \
 	sun/tools/tree \
 	sun/tools/util \
-	sun/security/tools/JarBASE64Encoder.class \
-	sun/security/tools/JarSigner.class \
-	sun/security/tools/JarSignerParameters.class \
-	sun/security/tools/JarSignerResources.class \
-	sun/security/tools/JarSignerResources_ja.class \
-	sun/security/tools/JarSignerResources_zh_CN.class \
-	sun/security/tools/SignatureFile\$$$$Block.class \
-	sun/security/tools/SignatureFile.class \
-	sun/security/tools/TimestampedSigner.class \
+	sun/security/tools/jarsigner/JarBASE64Encoder.class \
+	sun/security/tools/jarsigner/Main.class \
+	sun/security/tools/jarsigner/JarSignerParameters.class \
+	sun/security/tools/jarsigner/Resources.class \
+	sun/security/tools/jarsigner/Resources_ja.class \
+	sun/security/tools/jarsigner/Resources_zh_CN.class \
+	sun/security/tools/jarsigner/SignatureFile\$$$$Block.class \
+	sun/security/tools/jarsigner/SignatureFile.class \
+	sun/security/tools/jarsigner/TimestampedSigner.class \
 	sun/security/provider/Sun.class \
 	sun/security/rsa/SunRsaSign.class \
 	sun/security/ssl \
--- a/src/share/classes/sun/security/tools/CertAndKeyGen.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,328 +0,0 @@
-/*
- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateEncodingException;
-import java.security.*;
-import java.util.Date;
-
-import sun.security.pkcs10.PKCS10;
-import sun.security.x509.*;
-
-
-/**
- * Generate a pair of keys, and provide access to them.  This class is
- * provided primarily for ease of use.
- *
- * <P>This provides some simple certificate management functionality.
- * Specifically, it allows you to create self-signed X.509 certificates
- * as well as PKCS 10 based certificate signing requests.
- *
- * <P>Keys for some public key signature algorithms have algorithm
- * parameters, such as DSS/DSA.  Some sites' Certificate Authorities
- * adopt fixed algorithm parameters, which speeds up some operations
- * including key generation and signing.  <em>At this time, this interface
- * does not provide a way to provide such algorithm parameters, e.g.
- * by providing the CA certificate which includes those parameters.</em>
- *
- * <P>Also, note that at this time only signature-capable keys may be
- * acquired through this interface.  Diffie-Hellman keys, used for secure
- * key exchange, may be supported later.
- *
- * @author David Brownell
- * @author Hemma Prafullchandra
- * @see PKCS10
- * @see X509CertImpl
- */
-public final class CertAndKeyGen {
-    /**
-     * Creates a CertAndKeyGen object for a particular key type
-     * and signature algorithm.
-     *
-     * @param keyType type of key, e.g. "RSA", "DSA"
-     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
-     *          "MD2WithRSA", "SHAwithDSA".
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     */
-    public CertAndKeyGen (String keyType, String sigAlg)
-    throws NoSuchAlgorithmException
-    {
-        keyGen = KeyPairGenerator.getInstance(keyType);
-        this.sigAlg = sigAlg;
-    }
-
-    /**
-     * Creates a CertAndKeyGen object for a particular key type,
-     * signature algorithm, and provider.
-     *
-     * @param keyType type of key, e.g. "RSA", "DSA"
-     * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA",
-     *          "MD2WithRSA", "SHAwithDSA".
-     * @param providerName name of the provider
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     * @exception NoSuchProviderException on unrecognized providers.
-     */
-    public CertAndKeyGen (String keyType, String sigAlg, String providerName)
-    throws NoSuchAlgorithmException, NoSuchProviderException
-    {
-        if (providerName == null) {
-            keyGen = KeyPairGenerator.getInstance(keyType);
-        } else {
-            try {
-                keyGen = KeyPairGenerator.getInstance(keyType, providerName);
-            } catch (Exception e) {
-                // try first available provider instead
-                keyGen = KeyPairGenerator.getInstance(keyType);
-            }
-        }
-        this.sigAlg = sigAlg;
-    }
-
-    /**
-     * Sets the source of random numbers used when generating keys.
-     * If you do not provide one, a system default facility is used.
-     * You may wish to provide your own source of random numbers
-     * to get a reproducible sequence of keys and signatures, or
-     * because you may be able to take advantage of strong sources
-     * of randomness/entropy in your environment.
-     */
-    public void         setRandom (SecureRandom generator)
-    {
-        prng = generator;
-    }
-
-    // want "public void generate (X509Certificate)" ... inherit DSA/D-H param
-
-    /**
-     * Generates a random public/private key pair, with a given key
-     * size.  Different algorithms provide different degrees of security
-     * for the same key size, because of the "work factor" involved in
-     * brute force attacks.  As computers become faster, it becomes
-     * easier to perform such attacks.  Small keys are to be avoided.
-     *
-     * <P>Note that not all values of "keyBits" are valid for all
-     * algorithms, and not all public key algorithms are currently
-     * supported for use in X.509 certificates.  If the algorithm
-     * you specified does not produce X.509 compatible keys, an
-     * invalid key exception is thrown.
-     *
-     * @param keyBits the number of bits in the keys.
-     * @exception InvalidKeyException if the environment does not
-     *  provide X.509 public keys for this signature algorithm.
-     */
-    public void generate (int keyBits)
-    throws InvalidKeyException
-    {
-        KeyPair pair;
-
-        try {
-            if (prng == null) {
-                prng = new SecureRandom();
-            }
-            keyGen.initialize(keyBits, prng);
-            pair = keyGen.generateKeyPair();
-
-        } catch (Exception e) {
-            throw new IllegalArgumentException(e.getMessage());
-        }
-
-        publicKey = pair.getPublic();
-        privateKey = pair.getPrivate();
-
-        // publicKey's format must be X.509 otherwise
-        // the whole CertGen part of this class is broken.
-        if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
-            throw new IllegalArgumentException("publicKey's is not X.509, but "
-                    + publicKey.getFormat());
-        }
-    }
-
-
-    /**
-     * Returns the public key of the generated key pair if it is of type
-     * <code>X509Key</code>, or null if the public key is of a different type.
-     *
-     * XXX Note: This behaviour is needed for backwards compatibility.
-     * What this method really should return is the public key of the
-     * generated key pair, regardless of whether or not it is an instance of
-     * <code>X509Key</code>. Accordingly, the return type of this method
-     * should be <code>PublicKey</code>.
-     */
-    public X509Key getPublicKey()
-    {
-        if (!(publicKey instanceof X509Key)) {
-            return null;
-        }
-        return (X509Key)publicKey;
-    }
-
-    /**
-     * Always returns the public key of the generated key pair. Used
-     * by KeyTool only.
-     *
-     * The publicKey is not necessarily to be an instance of
-     * X509Key in some JCA/JCE providers, for example SunPKCS11.
-     */
-    public PublicKey getPublicKeyAnyway() {
-        return publicKey;
-    }
-
-    /**
-     * Returns the private key of the generated key pair.
-     *
-     * <P><STRONG><em>Be extremely careful when handling private keys.
-     * When private keys are not kept secret, they lose their ability
-     * to securely authenticate specific entities ... that is a huge
-     * security risk!</em></STRONG>
-     */
-    public PrivateKey getPrivateKey ()
-    {
-        return privateKey;
-    }
-
-    /**
-     * Returns a self-signed X.509v3 certificate for the public key.
-     * The certificate is immediately valid. No extensions.
-     *
-     * <P>Such certificates normally are used to identify a "Certificate
-     * Authority" (CA).  Accordingly, they will not always be accepted by
-     * other parties.  However, such certificates are also useful when
-     * you are bootstrapping your security infrastructure, or deploying
-     * system prototypes.
-     *
-     * @param myname X.500 name of the subject (who is also the issuer)
-     * @param firstDate the issue time of the certificate
-     * @param validity how long the certificate should be valid, in seconds
-     * @exception CertificateException on certificate handling errors.
-     * @exception InvalidKeyException on key handling errors.
-     * @exception SignatureException on signature handling errors.
-     * @exception NoSuchAlgorithmException on unrecognized algorithms.
-     * @exception NoSuchProviderException on unrecognized providers.
-     */
-    public X509Certificate getSelfCertificate (
-            X500Name myname, Date firstDate, long validity)
-    throws CertificateException, InvalidKeyException, SignatureException,
-        NoSuchAlgorithmException, NoSuchProviderException
-    {
-        return getSelfCertificate(myname, firstDate, validity, null);
-    }
-
-    // Like above, plus a CertificateExtensions argument, which can be null.
-    public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
-            long validity, CertificateExtensions ext)
-    throws CertificateException, InvalidKeyException, SignatureException,
-        NoSuchAlgorithmException, NoSuchProviderException
-    {
-        X509CertImpl    cert;
-        Date            lastDate;
-
-        try {
-            lastDate = new Date ();
-            lastDate.setTime (firstDate.getTime () + validity * 1000);
-
-            CertificateValidity interval =
-                                   new CertificateValidity(firstDate,lastDate);
-
-            X509CertInfo info = new X509CertInfo();
-            // Add all mandatory attributes
-            info.set(X509CertInfo.VERSION,
-                     new CertificateVersion(CertificateVersion.V3));
-            info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
-                    new java.util.Random().nextInt() & 0x7fffffff));
-            AlgorithmId algID = AlgorithmId.get(sigAlg);
-            info.set(X509CertInfo.ALGORITHM_ID,
-                     new CertificateAlgorithmId(algID));
-            info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
-            info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
-            info.set(X509CertInfo.VALIDITY, interval);
-            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
-            if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
-
-            cert = new X509CertImpl(info);
-            cert.sign(privateKey, this.sigAlg);
-
-            return (X509Certificate)cert;
-
-        } catch (IOException e) {
-             throw new CertificateEncodingException("getSelfCert: " +
-                                                    e.getMessage());
-        }
-    }
-
-    // Keep the old method
-    public X509Certificate getSelfCertificate (X500Name myname, long validity)
-    throws CertificateException, InvalidKeyException, SignatureException,
-        NoSuchAlgorithmException, NoSuchProviderException
-    {
-        return getSelfCertificate(myname, new Date(), validity);
-    }
-
-    /**
-     * Returns a PKCS #10 certificate request.  The caller uses either
-     * <code>PKCS10.print</code> or <code>PKCS10.toByteArray</code>
-     * operations on the result, to get the request in an appropriate
-     * transmission format.
-     *
-     * <P>PKCS #10 certificate requests are sent, along with some proof
-     * of identity, to Certificate Authorities (CAs) which then issue
-     * X.509 public key certificates.
-     *
-     * @param myname X.500 name of the subject
-     * @exception InvalidKeyException on key handling errors.
-     * @exception SignatureException on signature handling errors.
-     */
-    public PKCS10 getCertRequest (X500Name myname)
-    throws InvalidKeyException, SignatureException
-    {
-        PKCS10  req = new PKCS10 (publicKey);
-
-        try {
-            Signature signature = Signature.getInstance(sigAlg);
-            signature.initSign (privateKey);
-            req.encodeAndSign(myname, signature);
-
-        } catch (CertificateException e) {
-            throw new SignatureException (sigAlg + " CertificateException");
-
-        } catch (IOException e) {
-            throw new SignatureException (sigAlg + " IOException");
-
-        } catch (NoSuchAlgorithmException e) {
-            // "can't happen"
-            throw new SignatureException (sigAlg + " unavailable?");
-        }
-        return req;
-    }
-
-    private SecureRandom        prng;
-    private String              sigAlg;
-    private KeyPairGenerator    keyGen;
-    private PublicKey           publicKey;
-    private PrivateKey          privateKey;
-}
--- a/src/share/classes/sun/security/tools/JarSigner.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,2467 +0,0 @@
-/*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-import java.io.*;
-import java.util.*;
-import java.util.zip.*;
-import java.util.jar.*;
-import java.math.BigInteger;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.text.Collator;
-import java.text.MessageFormat;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.security.*;
-import java.lang.reflect.Constructor;
-
-import com.sun.jarsigner.ContentSigner;
-import com.sun.jarsigner.ContentSignerParameters;
-import java.net.SocketTimeoutException;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.PKIXParameters;
-import java.security.cert.TrustAnchor;
-import java.util.Map.Entry;
-import sun.security.x509.*;
-import sun.security.util.*;
-import sun.misc.BASE64Encoder;
-
-
-/**
- * <p>The jarsigner utility.
- *
- * The exit codes for the main method are:
- *
- * 0: success
- * 1: any error that the jar cannot be signed or verified, including:
- *      keystore loading error
- *      TSP communication error
- *      jarsigner command line error...
- * otherwise: error codes from -strict
- *
- * @author Roland Schemers
- * @author Jan Luehe
- */
-
-public class JarSigner {
-
-    // for i18n
-    private static final java.util.ResourceBundle rb =
-        java.util.ResourceBundle.getBundle
-        ("sun.security.tools.JarSignerResources");
-    private static final Collator collator = Collator.getInstance();
-    static {
-        // this is for case insensitive string comparisions
-        collator.setStrength(Collator.PRIMARY);
-    }
-
-    private static final String META_INF = "META-INF/";
-
-    // prefix for new signature-related files in META-INF directory
-    private static final String SIG_PREFIX = META_INF + "SIG-";
-
-    private static final Class[] PARAM_STRING = { String.class };
-
-    private static final String NONE = "NONE";
-    private static final String P11KEYSTORE = "PKCS11";
-
-    private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
-
-    // Attention:
-    // This is the entry that get launched by the security tool jarsigner.
-    public static void main(String args[]) throws Exception {
-        JarSigner js = new JarSigner();
-        js.run(args);
-    }
-
-    static final String VERSION = "1.0";
-
-    static final int IN_KEYSTORE = 0x01;        // signer is in keystore
-    static final int IN_SCOPE = 0x02;
-    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
-                                                // signer is not in alias list
-    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
-
-    X509Certificate[] certChain;    // signer's cert chain (when composing)
-    PrivateKey privateKey;          // private key
-    KeyStore store;                 // the keystore specified by -keystore
-                                    // or the default keystore, never null
-
-    String keystore; // key store file
-    boolean nullStream = false; // null keystore input stream (NONE)
-    boolean token = false; // token-based keystore
-    String jarfile;  // jar files to sign or verify
-    String alias;    // alias to sign jar with
-    List<String> ckaliases = new ArrayList<>(); // aliases in -verify
-    char[] storepass; // keystore password
-    boolean protectedPath; // protected authentication path
-    String storetype; // keystore type
-    String providerName; // provider name
-    Vector<String> providers = null; // list of providers
-    // arguments for provider constructors
-    HashMap<String,String> providerArgs = new HashMap<>();
-    char[] keypass; // private key password
-    String sigfile; // name of .SF file
-    String sigalg; // name of signature algorithm
-    String digestalg = "SHA-256"; // name of digest algorithm
-    String signedjar; // output filename
-    String tsaUrl; // location of the Timestamping Authority
-    String tsaAlias; // alias for the Timestamping Authority's certificate
-    String altCertChain; // file to read alternative cert chain from
-    boolean verify = false; // verify the jar
-    String verbose = null; // verbose output when signing/verifying
-    boolean showcerts = false; // show certs when verifying
-    boolean debug = false; // debug
-    boolean signManifest = true; // "sign" the whole manifest
-    boolean externalSF = true; // leave the .SF out of the PKCS7 block
-    boolean strict = false;  // treat warnings as error
-
-    // read zip entry raw bytes
-    private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
-    private byte[] buffer = new byte[8192];
-    private ContentSigner signingMechanism = null;
-    private String altSignerClass = null;
-    private String altSignerClasspath = null;
-    private ZipFile zipFile = null;
-
-    private boolean hasExpiredCert = false;
-    private boolean hasExpiringCert = false;
-    private boolean notYetValidCert = false;
-    private boolean chainNotValidated = false;
-    private boolean notSignedByAlias = false;
-    private boolean aliasNotInStore = false;
-    private boolean hasUnsignedEntry = false;
-    private boolean badKeyUsage = false;
-    private boolean badExtendedKeyUsage = false;
-    private boolean badNetscapeCertType = false;
-
-    CertificateFactory certificateFactory;
-    CertPathValidator validator;
-    PKIXParameters pkixParameters;
-
-    public void run(String args[]) {
-        try {
-            parseArgs(args);
-
-            // Try to load and install the specified providers
-            if (providers != null) {
-                ClassLoader cl = ClassLoader.getSystemClassLoader();
-                Enumeration<String> e = providers.elements();
-                while (e.hasMoreElements()) {
-                    String provName = e.nextElement();
-                    Class<?> provClass;
-                    if (cl != null) {
-                        provClass = cl.loadClass(provName);
-                    } else {
-                        provClass = Class.forName(provName);
-                    }
-
-                    String provArg = providerArgs.get(provName);
-                    Object obj;
-                    if (provArg == null) {
-                        obj = provClass.newInstance();
-                    } else {
-                        Constructor<?> c =
-                                provClass.getConstructor(PARAM_STRING);
-                        obj = c.newInstance(provArg);
-                    }
-
-                    if (!(obj instanceof Provider)) {
-                        MessageFormat form = new MessageFormat(rb.getString
-                            ("provName.not.a.provider"));
-                        Object[] source = {provName};
-                        throw new Exception(form.format(source));
-                    }
-                    Security.addProvider((Provider)obj);
-                }
-            }
-
-            if (verify) {
-                try {
-                    loadKeyStore(keystore, false);
-                } catch (Exception e) {
-                    if ((keystore != null) || (storepass != null)) {
-                        System.out.println(rb.getString("jarsigner.error.") +
-                                        e.getMessage());
-                        System.exit(1);
-                    }
-                }
-                /*              if (debug) {
-                    SignatureFileVerifier.setDebug(true);
-                    ManifestEntryVerifier.setDebug(true);
-                }
-                */
-                verifyJar(jarfile);
-            } else {
-                loadKeyStore(keystore, true);
-                getAliasInfo(alias);
-
-                // load the alternative signing mechanism
-                if (altSignerClass != null) {
-                    signingMechanism = loadSigningMechanism(altSignerClass,
-                        altSignerClasspath);
-                }
-                signJar(jarfile, alias, args);
-            }
-        } catch (Exception e) {
-            System.out.println(rb.getString("jarsigner.error.") + e);
-            if (debug) {
-                e.printStackTrace();
-            }
-            System.exit(1);
-        } finally {
-            // zero-out private key password
-            if (keypass != null) {
-                Arrays.fill(keypass, ' ');
-                keypass = null;
-            }
-            // zero-out keystore password
-            if (storepass != null) {
-                Arrays.fill(storepass, ' ');
-                storepass = null;
-            }
-        }
-
-        if (strict) {
-            int exitCode = 0;
-            if (hasExpiringCert) {
-                exitCode |= 2;
-            }
-            if (chainNotValidated || hasExpiredCert || notYetValidCert) {
-                exitCode |= 4;
-            }
-            if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
-                exitCode |= 8;
-            }
-            if (hasUnsignedEntry) {
-                exitCode |= 16;
-            }
-            if (notSignedByAlias || aliasNotInStore) {
-                exitCode |= 32;
-            }
-            if (exitCode != 0) {
-                System.exit(exitCode);
-            }
-        }
-    }
-
-    /*
-     * Parse command line arguments.
-     */
-    void parseArgs(String args[]) {
-        /* parse flags */
-        int n = 0;
-
-        if (args.length == 0) fullusage();
-        for (n=0; n < args.length; n++) {
-
-            String flags = args[n];
-            String modifier = null;
-            if (flags.charAt(0) == '-') {
-                int pos = flags.indexOf(':');
-                if (pos > 0) {
-                    modifier = flags.substring(pos+1);
-                    flags = flags.substring(0, pos);
-                }
-            }
-
-            if (collator.compare(flags, "-keystore") == 0) {
-                if (++n == args.length) usageNoArg();
-                keystore = args[n];
-            } else if (collator.compare(flags, "-storepass") ==0) {
-                if (++n == args.length) usageNoArg();
-                storepass = getPass(modifier, args[n]);
-            } else if (collator.compare(flags, "-storetype") ==0) {
-                if (++n == args.length) usageNoArg();
-                storetype = args[n];
-            } else if (collator.compare(flags, "-providerName") ==0) {
-                if (++n == args.length) usageNoArg();
-                providerName = args[n];
-            } else if ((collator.compare(flags, "-provider") == 0) ||
-                        (collator.compare(flags, "-providerClass") == 0)) {
-                if (++n == args.length) usageNoArg();
-                if (providers == null) {
-                    providers = new Vector<String>(3);
-                }
-                providers.add(args[n]);
-
-                if (args.length > (n+1)) {
-                    flags = args[n+1];
-                    if (collator.compare(flags, "-providerArg") == 0) {
-                        if (args.length == (n+2)) usageNoArg();
-                        providerArgs.put(args[n], args[n+2]);
-                        n += 2;
-                    }
-                }
-            } else if (collator.compare(flags, "-protected") ==0) {
-                protectedPath = true;
-            } else if (collator.compare(flags, "-certchain") ==0) {
-                if (++n == args.length) usageNoArg();
-                altCertChain = args[n];
-            } else if (collator.compare(flags, "-debug") ==0) {
-                debug = true;
-            } else if (collator.compare(flags, "-keypass") ==0) {
-                if (++n == args.length) usageNoArg();
-                keypass = getPass(modifier, args[n]);
-            } else if (collator.compare(flags, "-sigfile") ==0) {
-                if (++n == args.length) usageNoArg();
-                sigfile = args[n];
-            } else if (collator.compare(flags, "-signedjar") ==0) {
-                if (++n == args.length) usageNoArg();
-                signedjar = args[n];
-            } else if (collator.compare(flags, "-tsa") ==0) {
-                if (++n == args.length) usageNoArg();
-                tsaUrl = args[n];
-            } else if (collator.compare(flags, "-tsacert") ==0) {
-                if (++n == args.length) usageNoArg();
-                tsaAlias = args[n];
-            } else if (collator.compare(flags, "-altsigner") ==0) {
-                if (++n == args.length) usageNoArg();
-                altSignerClass = args[n];
-            } else if (collator.compare(flags, "-altsignerpath") ==0) {
-                if (++n == args.length) usageNoArg();
-                altSignerClasspath = args[n];
-            } else if (collator.compare(flags, "-sectionsonly") ==0) {
-                signManifest = false;
-            } else if (collator.compare(flags, "-internalsf") ==0) {
-                externalSF = false;
-            } else if (collator.compare(flags, "-verify") ==0) {
-                verify = true;
-            } else if (collator.compare(flags, "-verbose") ==0) {
-                verbose = (modifier != null) ? modifier : "all";
-            } else if (collator.compare(flags, "-sigalg") ==0) {
-                if (++n == args.length) usageNoArg();
-                sigalg = args[n];
-            } else if (collator.compare(flags, "-digestalg") ==0) {
-                if (++n == args.length) usageNoArg();
-                digestalg = args[n];
-            } else if (collator.compare(flags, "-certs") ==0) {
-                showcerts = true;
-            } else if (collator.compare(flags, "-strict") ==0) {
-                strict = true;
-            } else if (collator.compare(flags, "-h") == 0 ||
-                        collator.compare(flags, "-help") == 0) {
-                fullusage();
-            } else {
-                if (!flags.startsWith("-")) {
-                    if (jarfile == null) {
-                        jarfile = flags;
-                    } else {
-                        alias = flags;
-                        ckaliases.add(alias);
-                    }
-                } else {
-                    System.err.println(
-                            rb.getString("Illegal.option.") + flags);
-                    usage();
-                }
-            }
-        }
-
-        // -certs must always be specified with -verbose
-        if (verbose == null) showcerts = false;
-
-        if (jarfile == null) {
-            System.err.println(rb.getString("Please.specify.jarfile.name"));
-            usage();
-        }
-        if (!verify && alias == null) {
-            System.err.println(rb.getString("Please.specify.alias.name"));
-            usage();
-        }
-        if (!verify && ckaliases.size() > 1) {
-            System.err.println(rb.getString("Only.one.alias.can.be.specified"));
-            usage();
-        }
-
-        if (storetype == null) {
-            storetype = KeyStore.getDefaultType();
-        }
-        storetype = KeyStoreUtil.niceStoreTypeName(storetype);
-
-        try {
-            if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
-                    new File(jarfile).getCanonicalPath())) {
-                signedjar = null;
-            }
-        } catch (IOException ioe) {
-            // File system error?
-            // Just ignore it.
-        }
-
-        if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
-                KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            token = true;
-            if (keystore == null) {
-                keystore = NONE;
-            }
-        }
-
-        if (NONE.equals(keystore)) {
-            nullStream = true;
-        }
-
-        if (token && !nullStream) {
-            System.err.println(MessageFormat.format(rb.getString
-                (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
-            usage();
-        }
-
-        if (token && keypass != null) {
-            System.err.println(MessageFormat.format(rb.getString
-                (".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
-            usage();
-        }
-
-        if (protectedPath) {
-            if (storepass != null || keypass != null) {
-                System.err.println(rb.getString
-                        ("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
-                usage();
-            }
-        }
-        if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            if (storepass != null || keypass != null) {
-                System.err.println(rb.getString
-                        ("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
-                usage();
-            }
-        }
-    }
-
-    static char[] getPass(String modifier, String arg) {
-        char[] output = KeyTool.getPassWithModifier(modifier, arg);
-        if (output != null) return output;
-        usage();
-        return null;    // Useless, usage() already exit
-    }
-
-    static void usageNoArg() {
-        System.out.println(rb.getString("Option.lacks.argument"));
-        usage();
-    }
-
-    static void usage() {
-        System.out.println();
-        System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
-        System.exit(1);
-    }
-
-    static void fullusage() {
-        System.out.println(rb.getString
-                ("Usage.jarsigner.options.jar.file.alias"));
-        System.out.println(rb.getString
-                (".jarsigner.verify.options.jar.file.alias."));
-        System.out.println();
-        System.out.println(rb.getString
-                (".keystore.url.keystore.location"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".storepass.password.password.for.keystore.integrity"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".storetype.type.keystore.type"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".keypass.password.password.for.private.key.if.different."));
-        System.out.println();
-        System.out.println(rb.getString
-                (".certchain.file.name.of.alternative.certchain.file"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".sigfile.file.name.of.SF.DSA.file"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".signedjar.file.name.of.signed.JAR.file"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".digestalg.algorithm.name.of.digest.algorithm"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".sigalg.algorithm.name.of.signature.algorithm"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".verify.verify.a.signed.JAR.file"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".verbose.suboptions.verbose.output.when.signing.verifying."));
-        System.out.println(rb.getString
-                (".suboptions.can.be.all.grouped.or.summary"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".certs.display.certificates.when.verbose.and.verifying"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".tsa.url.location.of.the.Timestamping.Authority"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".internalsf.include.the.SF.file.inside.the.signature.block"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".protected.keystore.has.protected.authentication.path"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".providerName.name.provider.name"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".providerClass.class.name.of.cryptographic.service.provider.s"));
-        System.out.println(rb.getString
-                (".providerArg.arg.master.class.file.and.constructor.argument"));
-        System.out.println();
-        System.out.println(rb.getString
-                (".strict.treat.warnings.as.errors"));
-        System.out.println();
-
-        System.exit(0);
-    }
-
-    void verifyJar(String jarName)
-        throws Exception
-    {
-        boolean anySigned = false;  // if there exists entry inside jar signed
-        JarFile jf = null;
-
-        try {
-            jf = new JarFile(jarName, true);
-            Vector<JarEntry> entriesVec = new Vector<>();
-            byte[] buffer = new byte[8192];
-
-            Enumeration<JarEntry> entries = jf.entries();
-            while (entries.hasMoreElements()) {
-                JarEntry je = entries.nextElement();
-                entriesVec.addElement(je);
-                InputStream is = null;
-                try {
-                    is = jf.getInputStream(je);
-                    int n;
-                    while ((n = is.read(buffer, 0, buffer.length)) != -1) {
-                        // we just read. this will throw a SecurityException
-                        // if  a signature/digest check fails.
-                    }
-                } finally {
-                    if (is != null) {
-                        is.close();
-                    }
-                }
-            }
-
-            Manifest man = jf.getManifest();
-
-            // The map to record display info, only used when -verbose provided
-            //      key: signer info string
-            //      value: the list of files with common key
-            Map<String,List<String>> output = new LinkedHashMap<>();
-
-            if (man != null) {
-                if (verbose != null) System.out.println();
-                Enumeration<JarEntry> e = entriesVec.elements();
-
-                String tab = rb.getString("6SPACE");
-
-                while (e.hasMoreElements()) {
-                    JarEntry je = e.nextElement();
-                    String name = je.getName();
-                    CodeSigner[] signers = je.getCodeSigners();
-                    boolean isSigned = (signers != null);
-                    anySigned |= isSigned;
-                    hasUnsignedEntry |= !je.isDirectory() && !isSigned
-                                        && !signatureRelated(name);
-
-                    int inStoreOrScope = inKeyStore(signers);
-
-                    boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
-                    boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
-
-                    notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
-                    if (keystore != null) {
-                        aliasNotInStore |= isSigned && (!inStore && !inScope);
-                    }
-
-                    // Only used when -verbose provided
-                    StringBuffer sb = null;
-                    if (verbose != null) {
-                        sb = new StringBuffer();
-                        boolean inManifest =
-                            ((man.getAttributes(name) != null) ||
-                             (man.getAttributes("./"+name) != null) ||
-                             (man.getAttributes("/"+name) != null));
-                        sb.append(
-                          (isSigned ? rb.getString("s") : rb.getString("SPACE")) +
-                          (inManifest ? rb.getString("m") : rb.getString("SPACE")) +
-                          (inStore ? rb.getString("k") : rb.getString("SPACE")) +
-                          (inScope ? rb.getString("i") : rb.getString("SPACE")) +
-                          ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
-                          rb.getString("SPACE"));
-                        sb.append("|");
-                    }
-
-                    // When -certs provided, display info has extra empty
-                    // lines at the beginning and end.
-                    if (isSigned) {
-                        if (showcerts) sb.append('\n');
-                        for (CodeSigner signer: signers) {
-                            // signerInfo() must be called even if -verbose
-                            // not provided. The method updates various
-                            // warning flags.
-                            String si = signerInfo(signer, tab);
-                            if (showcerts) {
-                                sb.append(si);
-                                sb.append('\n');
-                            }
-                        }
-                    } else if (showcerts && !verbose.equals("all")) {
-                        // Print no info for unsigned entries when -verbose:all,
-                        // to be consistent with old behavior.
-                        if (signatureRelated(name)) {
-                            sb.append("\n" + tab + rb.getString(
-                                    ".Signature.related.entries.") + "\n\n");
-                        } else {
-                            sb.append("\n" + tab + rb.getString(
-                                    ".Unsigned.entries.") + "\n\n");
-                        }
-                    }
-
-                    if (verbose != null) {
-                        String label = sb.toString();
-                        if (signatureRelated(name)) {
-                            // Entries inside META-INF and other unsigned
-                            // entries are grouped separately.
-                            label = "-" + label;
-                        }
-
-                        // The label finally contains 2 parts separated by '|':
-                        // The legend displayed before the entry names, and
-                        // the cert info (if -certs specfied).
-
-                        if (!output.containsKey(label)) {
-                            output.put(label, new ArrayList<String>());
-                        }
-
-                        StringBuffer fb = new StringBuffer();
-                        String s = Long.toString(je.getSize());
-                        for (int i = 6 - s.length(); i > 0; --i) {
-                            fb.append(' ');
-                        }
-                        fb.append(s).append(' ').
-                                append(new Date(je.getTime()).toString());
-                        fb.append(' ').append(name);
-
-                        output.get(label).add(fb.toString());
-                    }
-                }
-            }
-            if (verbose != null) {
-                for (Entry<String,List<String>> s: output.entrySet()) {
-                    List<String> files = s.getValue();
-                    String key = s.getKey();
-                    if (key.charAt(0) == '-') { // the signature-related group
-                        key = key.substring(1);
-                    }
-                    int pipe = key.indexOf('|');
-                    if (verbose.equals("all")) {
-                        for (String f: files) {
-                            System.out.println(key.substring(0, pipe) + f);
-                            System.out.printf(key.substring(pipe+1));
-                        }
-                    } else {
-                        if (verbose.equals("grouped")) {
-                            for (String f: files) {
-                                System.out.println(key.substring(0, pipe) + f);
-                            }
-                        } else if (verbose.equals("summary")) {
-                            System.out.print(key.substring(0, pipe));
-                            if (files.size() > 1) {
-                                System.out.println(files.get(0) + " " +
-                                        String.format(rb.getString(
-                                        ".and.d.more."), files.size()-1));
-                            } else {
-                                System.out.println(files.get(0));
-                            }
-                        }
-                        System.out.printf(key.substring(pipe+1));
-                    }
-                }
-                System.out.println();
-                System.out.println(rb.getString(
-                    ".s.signature.was.verified."));
-                System.out.println(rb.getString(
-                    ".m.entry.is.listed.in.manifest"));
-                System.out.println(rb.getString(
-                    ".k.at.least.one.certificate.was.found.in.keystore"));
-                System.out.println(rb.getString(
-                    ".i.at.least.one.certificate.was.found.in.identity.scope"));
-                if (ckaliases.size() > 0) {
-                    System.out.println(rb.getString(
-                        ".X.not.signed.by.specified.alias.es."));
-                }
-                System.out.println();
-            }
-            if (man == null)
-                System.out.println(rb.getString("no.manifest."));
-
-            if (!anySigned) {
-                System.out.println(rb.getString(
-                      "jar.is.unsigned.signatures.missing.or.not.parsable."));
-            } else {
-                System.out.println(rb.getString("jar.verified."));
-                if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
-                    badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
-                    notYetValidCert || chainNotValidated ||
-                    aliasNotInStore || notSignedByAlias) {
-
-                    System.out.println();
-                    System.out.println(rb.getString("Warning."));
-                    if (badKeyUsage) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (badExtendedKeyUsage) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (badNetscapeCertType) {
-                        System.out.println(
-                            rb.getString("This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
-                    }
-
-                    if (hasUnsignedEntry) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked."));
-                    }
-                    if (hasExpiredCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.has.expired."));
-                    }
-                    if (hasExpiringCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months."));
-                    }
-                    if (notYetValidCert) {
-                        System.out.println(rb.getString(
-                            "This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid."));
-                    }
-
-                    if (chainNotValidated) {
-                        System.out.println(
-                                rb.getString("This.jar.contains.entries.whose.certificate.chain.is.not.validated."));
-                    }
-
-                    if (notSignedByAlias) {
-                        System.out.println(
-                                rb.getString("This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es."));
-                    }
-
-                    if (aliasNotInStore) {
-                        System.out.println(rb.getString("This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore."));
-                    }
-                    if (! (verbose != null && showcerts)) {
-                        System.out.println();
-                        System.out.println(rb.getString(
-                            "Re.run.with.the.verbose.and.certs.options.for.more.details."));
-                    }
-                }
-            }
-            return;
-        } catch (Exception e) {
-            System.out.println(rb.getString("jarsigner.") + e);
-            if (debug) {
-                e.printStackTrace();
-            }
-        } finally { // close the resource
-            if (jf != null) {
-                jf.close();
-            }
-        }
-
-        System.exit(1);
-    }
-
-    private static MessageFormat validityTimeForm = null;
-    private static MessageFormat notYetTimeForm = null;
-    private static MessageFormat expiredTimeForm = null;
-    private static MessageFormat expiringTimeForm = null;
-
-    /*
-     * Display some details about a certificate:
-     *
-     * [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
-     * [<validity-period> | <expiry-warning>]
-     *
-     * Note: no newline character at the end
-     */
-    String printCert(String tab, Certificate c, boolean checkValidityPeriod,
-        Date timestamp, boolean checkUsage) {
-
-        StringBuilder certStr = new StringBuilder();
-        String space = rb.getString("SPACE");
-        X509Certificate x509Cert = null;
-
-        if (c instanceof X509Certificate) {
-            x509Cert = (X509Certificate) c;
-            certStr.append(tab).append(x509Cert.getType())
-                .append(rb.getString("COMMA"))
-                .append(x509Cert.getSubjectDN().getName());
-        } else {
-            certStr.append(tab).append(c.getType());
-        }
-
-        String alias = storeHash.get(c);
-        if (alias != null) {
-            certStr.append(space).append(alias);
-        }
-
-        if (checkValidityPeriod && x509Cert != null) {
-
-            certStr.append("\n").append(tab).append("[");
-            Date notAfter = x509Cert.getNotAfter();
-            try {
-                boolean printValidity = true;
-                if (timestamp == null) {
-                    x509Cert.checkValidity();
-                    // test if cert will expire within six months
-                    if (notAfter.getTime() < System.currentTimeMillis() + SIX_MONTHS) {
-                        hasExpiringCert = true;
-                        if (expiringTimeForm == null) {
-                            expiringTimeForm = new MessageFormat(
-                                rb.getString("certificate.will.expire.on"));
-                        }
-                        Object[] source = { notAfter };
-                        certStr.append(expiringTimeForm.format(source));
-                        printValidity = false;
-                    }
-                } else {
-                    x509Cert.checkValidity(timestamp);
-                }
-                if (printValidity) {
-                    if (validityTimeForm == null) {
-                        validityTimeForm = new MessageFormat(
-                            rb.getString("certificate.is.valid.from"));
-                    }
-                    Object[] source = { x509Cert.getNotBefore(), notAfter };
-                    certStr.append(validityTimeForm.format(source));
-                }
-            } catch (CertificateExpiredException cee) {
-                hasExpiredCert = true;
-
-                if (expiredTimeForm == null) {
-                    expiredTimeForm = new MessageFormat(
-                        rb.getString("certificate.expired.on"));
-                }
-                Object[] source = { notAfter };
-                certStr.append(expiredTimeForm.format(source));
-
-            } catch (CertificateNotYetValidException cnyve) {
-                notYetValidCert = true;
-
-                if (notYetTimeForm == null) {
-                    notYetTimeForm = new MessageFormat(
-                        rb.getString("certificate.is.not.valid.until"));
-                }
-                Object[] source = { x509Cert.getNotBefore() };
-                certStr.append(notYetTimeForm.format(source));
-            }
-            certStr.append("]");
-
-            if (checkUsage) {
-                boolean[] bad = new boolean[3];
-                checkCertUsage(x509Cert, bad);
-                if (bad[0] || bad[1] || bad[2]) {
-                    String x = "";
-                    if (bad[0]) {
-                        x ="KeyUsage";
-                    }
-                    if (bad[1]) {
-                        if (x.length() > 0) x = x + ", ";
-                        x = x + "ExtendedKeyUsage";
-                    }
-                    if (bad[2]) {
-                        if (x.length() > 0) x = x + ", ";
-                        x = x + "NetscapeCertType";
-                    }
-                    certStr.append("\n").append(tab)
-                        .append(MessageFormat.format(rb.getString(
-                        ".{0}.extension.does.not.support.code.signing."), x));
-                }
-            }
-        }
-        return certStr.toString();
-    }
-
-    private static MessageFormat signTimeForm = null;
-
-    private String printTimestamp(String tab, Timestamp timestamp) {
-
-        if (signTimeForm == null) {
-            signTimeForm =
-                new MessageFormat(rb.getString("entry.was.signed.on"));
-        }
-        Object[] source = { timestamp.getTimestamp() };
-
-        return new StringBuilder().append(tab).append("[")
-            .append(signTimeForm.format(source)).append("]").toString();
-    }
-
-    private Map<CodeSigner,Integer> cacheForInKS = new IdentityHashMap<>();
-
-    private int inKeyStoreForOneSigner(CodeSigner signer) {
-        if (cacheForInKS.containsKey(signer)) {
-            return cacheForInKS.get(signer);
-        }
-
-        boolean found = false;
-        int result = 0;
-        List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
-        for (Certificate c : certs) {
-            String alias = storeHash.get(c);
-            if (alias != null) {
-                if (alias.startsWith("(")) {
-                    result |= IN_KEYSTORE;
-                } else if (alias.startsWith("[")) {
-                    result |= IN_SCOPE;
-                }
-                if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
-                    result |= SIGNED_BY_ALIAS;
-                }
-            } else {
-                if (store != null) {
-                    try {
-                        alias = store.getCertificateAlias(c);
-                    } catch (KeyStoreException kse) {
-                        // never happens, because keystore has been loaded
-                    }
-                    if (alias != null) {
-                        storeHash.put(c, "(" + alias + ")");
-                        found = true;
-                        result |= IN_KEYSTORE;
-                    }
-                }
-                if (ckaliases.contains(alias)) {
-                    result |= SIGNED_BY_ALIAS;
-                }
-            }
-        }
-        cacheForInKS.put(signer, result);
-        return result;
-    }
-
-    Hashtable<Certificate, String> storeHash = new Hashtable<>();
-
-    int inKeyStore(CodeSigner[] signers) {
-
-        if (signers == null)
-            return 0;
-
-        int output = 0;
-
-        for (CodeSigner signer: signers) {
-            int result = inKeyStoreForOneSigner(signer);
-            output |= result;
-        }
-        if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
-            output |= NOT_ALIAS;
-        }
-        return output;
-    }
-
-    void signJar(String jarName, String alias, String[] args)
-        throws Exception {
-        boolean aliasUsed = false;
-        X509Certificate tsaCert = null;
-
-        if (sigfile == null) {
-            sigfile = alias;
-            aliasUsed = true;
-        }
-
-        if (sigfile.length() > 8) {
-            sigfile = sigfile.substring(0, 8).toUpperCase(Locale.ENGLISH);
-        } else {
-            sigfile = sigfile.toUpperCase(Locale.ENGLISH);
-        }
-
-        StringBuilder tmpSigFile = new StringBuilder(sigfile.length());
-        for (int j = 0; j < sigfile.length(); j++) {
-            char c = sigfile.charAt(j);
-            if (!
-                ((c>= 'A' && c<= 'Z') ||
-                (c>= '0' && c<= '9') ||
-                (c == '-') ||
-                (c == '_'))) {
-                if (aliasUsed) {
-                    // convert illegal characters from the alias to be _'s
-                    c = '_';
-                } else {
-                 throw new
-                   RuntimeException(rb.getString
-                        ("signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or."));
-                }
-            }
-            tmpSigFile.append(c);
-        }
-
-        sigfile = tmpSigFile.toString();
-
-        String tmpJarName;
-        if (signedjar == null) tmpJarName = jarName+".sig";
-        else tmpJarName = signedjar;
-
-        File jarFile = new File(jarName);
-        File signedJarFile = new File(tmpJarName);
-
-        // Open the jar (zip) file
-        try {
-            zipFile = new ZipFile(jarName);
-        } catch (IOException ioe) {
-            error(rb.getString("unable.to.open.jar.file.")+jarName, ioe);
-        }
-
-        FileOutputStream fos = null;
-        try {
-            fos = new FileOutputStream(signedJarFile);
-        } catch (IOException ioe) {
-            error(rb.getString("unable.to.create.")+tmpJarName, ioe);
-        }
-
-        PrintStream ps = new PrintStream(fos);
-        ZipOutputStream zos = new ZipOutputStream(ps);
-
-        /* First guess at what they might be - we don't xclude RSA ones. */
-        String sfFilename = (META_INF + sigfile + ".SF").toUpperCase(Locale.ENGLISH);
-        String bkFilename = (META_INF + sigfile + ".DSA").toUpperCase(Locale.ENGLISH);
-
-        Manifest manifest = new Manifest();
-        Map<String,Attributes> mfEntries = manifest.getEntries();
-
-        // The Attributes of manifest before updating
-        Attributes oldAttr = null;
-
-        boolean mfModified = false;
-        boolean mfCreated = false;
-        byte[] mfRawBytes = null;
-
-        try {
-            MessageDigest digests[] = { MessageDigest.getInstance(digestalg) };
-
-            // Check if manifest exists
-            ZipEntry mfFile;
-            if ((mfFile = getManifestFile(zipFile)) != null) {
-                // Manifest exists. Read its raw bytes.
-                mfRawBytes = getBytes(zipFile, mfFile);
-                manifest.read(new ByteArrayInputStream(mfRawBytes));
-                oldAttr = (Attributes)(manifest.getMainAttributes().clone());
-            } else {
-                // Create new manifest
-                Attributes mattr = manifest.getMainAttributes();
-                mattr.putValue(Attributes.Name.MANIFEST_VERSION.toString(),
-                               "1.0");
-                String javaVendor = System.getProperty("java.vendor");
-                String jdkVersion = System.getProperty("java.version");
-                mattr.putValue("Created-By", jdkVersion + " (" +javaVendor
-                               + ")");
-                mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
-                mfCreated = true;
-            }
-
-            /*
-             * For each entry in jar
-             * (except for signature-related META-INF entries),
-             * do the following:
-             *
-             * - if entry is not contained in manifest, add it to manifest;
-             * - if entry is contained in manifest, calculate its hash and
-             *   compare it with the one in the manifest; if they are
-             *   different, replace the hash in the manifest with the newly
-             *   generated one. (This may invalidate existing signatures!)
-             */
-            BASE64Encoder encoder = new JarBASE64Encoder();
-            Vector<ZipEntry> mfFiles = new Vector<>();
-
-            boolean wasSigned = false;
-
-            for (Enumeration<? extends ZipEntry> enum_=zipFile.entries();
-                        enum_.hasMoreElements();) {
-                ZipEntry ze = enum_.nextElement();
-
-                if (ze.getName().startsWith(META_INF)) {
-                    // Store META-INF files in vector, so they can be written
-                    // out first
-                    mfFiles.addElement(ze);
-
-                    if (SignatureFileVerifier.isBlockOrSF(
-                            ze.getName().toUpperCase(Locale.ENGLISH))) {
-                        wasSigned = true;
-                    }
-
-                    if (signatureRelated(ze.getName())) {
-                        // ignore signature-related and manifest files
-                        continue;
-                    }
-                }
-
-                if (manifest.getAttributes(ze.getName()) != null) {
-                    // jar entry is contained in manifest, check and
-                    // possibly update its digest attributes
-                    if (updateDigests(ze, zipFile, digests, encoder,
-                                      manifest) == true) {
-                        mfModified = true;
-                    }
-                } else if (!ze.isDirectory()) {
-                    // Add entry to manifest
-                    Attributes attrs = getDigestAttributes(ze, zipFile,
-                                                           digests,
-                                                           encoder);
-                    mfEntries.put(ze.getName(), attrs);
-                    mfModified = true;
-                }
-            }
-
-            // Recalculate the manifest raw bytes if necessary
-            if (mfModified) {
-                ByteArrayOutputStream baos = new ByteArrayOutputStream();
-                manifest.write(baos);
-                if (wasSigned) {
-                    byte[] newBytes = baos.toByteArray();
-                    if (mfRawBytes != null
-                            && oldAttr.equals(manifest.getMainAttributes())) {
-
-                        /*
-                         * Note:
-                         *
-                         * The Attributes object is based on HashMap and can handle
-                         * continuation columns. Therefore, even if the contents are
-                         * not changed (in a Map view), the bytes that it write()
-                         * may be different from the original bytes that it read()
-                         * from. Since the signature on the main attributes is based
-                         * on raw bytes, we must retain the exact bytes.
-                         */
-
-                        int newPos = findHeaderEnd(newBytes);
-                        int oldPos = findHeaderEnd(mfRawBytes);
-
-                        if (newPos == oldPos) {
-                            System.arraycopy(mfRawBytes, 0, newBytes, 0, oldPos);
-                        } else {
-                            // cat oldHead newTail > newBytes
-                            byte[] lastBytes = new byte[oldPos +
-                                    newBytes.length - newPos];
-                            System.arraycopy(mfRawBytes, 0, lastBytes, 0, oldPos);
-                            System.arraycopy(newBytes, newPos, lastBytes, oldPos,
-                                    newBytes.length - newPos);
-                            newBytes = lastBytes;
-                        }
-                    }
-                    mfRawBytes = newBytes;
-                } else {
-                    mfRawBytes = baos.toByteArray();
-                }
-            }
-
-            // Write out the manifest
-            if (mfModified) {
-                // manifest file has new length
-                mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
-            }
-            if (verbose != null) {
-                if (mfCreated) {
-                    System.out.println(rb.getString(".adding.") +
-                                        mfFile.getName());
-                } else if (mfModified) {
-                    System.out.println(rb.getString(".updating.") +
-                                        mfFile.getName());
-                }
-            }
-            zos.putNextEntry(mfFile);
-            zos.write(mfRawBytes);
-
-            // Calculate SignatureFile (".SF") and SignatureBlockFile
-            ManifestDigester manDig = new ManifestDigester(mfRawBytes);
-            SignatureFile sf = new SignatureFile(digests, manifest, manDig,
-                                                 sigfile, signManifest);
-
-            if (tsaAlias != null) {
-                tsaCert = getTsaCert(tsaAlias);
-            }
-
-            SignatureFile.Block block = null;
-
-            try {
-                block =
-                    sf.generateBlock(privateKey, sigalg, certChain,
-                        externalSF, tsaUrl, tsaCert, signingMechanism, args,
-                        zipFile);
-            } catch (SocketTimeoutException e) {
-                // Provide a helpful message when TSA is beyond a firewall
-                error(rb.getString("unable.to.sign.jar.") +
-                rb.getString("no.response.from.the.Timestamping.Authority.") +
-                "\n  -J-Dhttp.proxyHost=<hostname>" +
-                "\n  -J-Dhttp.proxyPort=<portnumber>\n" +
-                rb.getString("or") +
-                "\n  -J-Dhttps.proxyHost=<hostname> " +
-                "\n  -J-Dhttps.proxyPort=<portnumber> ", e);
-            }
-
-            sfFilename = sf.getMetaName();
-            bkFilename = block.getMetaName();
-
-            ZipEntry sfFile = new ZipEntry(sfFilename);
-            ZipEntry bkFile = new ZipEntry(bkFilename);
-
-            long time = System.currentTimeMillis();
-            sfFile.setTime(time);
-            bkFile.setTime(time);
-
-            // signature file
-            zos.putNextEntry(sfFile);
-            sf.write(zos);
-            if (verbose != null) {
-                if (zipFile.getEntry(sfFilename) != null) {
-                    System.out.println(rb.getString(".updating.") +
-                                sfFilename);
-                } else {
-                    System.out.println(rb.getString(".adding.") +
-                                sfFilename);
-                }
-            }
-
-            if (verbose != null) {
-                if (tsaUrl != null || tsaCert != null) {
-                    System.out.println(
-                        rb.getString("requesting.a.signature.timestamp"));
-                }
-                if (tsaUrl != null) {
-                    System.out.println(rb.getString("TSA.location.") + tsaUrl);
-                }
-                if (tsaCert != null) {
-                    URI tsaURI = TimestampedSigner.getTimestampingURI(tsaCert);
-                    if (tsaURI != null) {
-                        System.out.println(rb.getString("TSA.location.") +
-                            tsaURI);
-                    }
-                    System.out.println(rb.getString("TSA.certificate.") +
-                        printCert("", tsaCert, false, null, false));
-                }
-                if (signingMechanism != null) {
-                    System.out.println(
-                        rb.getString("using.an.alternative.signing.mechanism"));
-                }
-            }
-
-            // signature block file
-            zos.putNextEntry(bkFile);
-            block.write(zos);
-            if (verbose != null) {
-                if (zipFile.getEntry(bkFilename) != null) {
-                    System.out.println(rb.getString(".updating.") +
-                        bkFilename);
-                } else {
-                    System.out.println(rb.getString(".adding.") +
-                        bkFilename);
-                }
-            }
-
-            // Write out all other META-INF files that we stored in the
-            // vector
-            for (int i=0; i<mfFiles.size(); i++) {
-                ZipEntry ze = mfFiles.elementAt(i);
-                if (!ze.getName().equalsIgnoreCase(JarFile.MANIFEST_NAME)
-                    && !ze.getName().equalsIgnoreCase(sfFilename)
-                    && !ze.getName().equalsIgnoreCase(bkFilename)) {
-                    writeEntry(zipFile, zos, ze);
-                }
-            }
-
-            // Write out all other files
-            for (Enumeration<? extends ZipEntry> enum_=zipFile.entries();
-                        enum_.hasMoreElements();) {
-                ZipEntry ze = enum_.nextElement();
-
-                if (!ze.getName().startsWith(META_INF)) {
-                    if (verbose != null) {
-                        if (manifest.getAttributes(ze.getName()) != null)
-                          System.out.println(rb.getString(".signing.") +
-                                ze.getName());
-                        else
-                          System.out.println(rb.getString(".adding.") +
-                                ze.getName());
-                    }
-                    writeEntry(zipFile, zos, ze);
-                }
-            }
-        } catch(IOException ioe) {
-            error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
-        } finally {
-            // close the resouces
-            if (zipFile != null) {
-                zipFile.close();
-                zipFile = null;
-            }
-
-            if (zos != null) {
-                zos.close();
-            }
-        }
-
-        // no IOException thrown in the follow try clause, so disable
-        // the try clause.
-        // try {
-            if (signedjar == null) {
-                // attempt an atomic rename. If that fails,
-                // rename the original jar file, then the signed
-                // one, then delete the original.
-                if (!signedJarFile.renameTo(jarFile)) {
-                    File origJar = new File(jarName+".orig");
-
-                    if (jarFile.renameTo(origJar)) {
-                        if (signedJarFile.renameTo(jarFile)) {
-                            origJar.delete();
-                        } else {
-                            MessageFormat form = new MessageFormat(rb.getString
-                        ("attempt.to.rename.signedJarFile.to.jarFile.failed"));
-                            Object[] source = {signedJarFile, jarFile};
-                            error(form.format(source));
-                        }
-                    } else {
-                        MessageFormat form = new MessageFormat(rb.getString
-                            ("attempt.to.rename.jarFile.to.origJar.failed"));
-                        Object[] source = {jarFile, origJar};
-                        error(form.format(source));
-                    }
-                }
-            }
-
-            if (hasExpiredCert || hasExpiringCert || notYetValidCert
-                    || badKeyUsage || badExtendedKeyUsage
-                    || badNetscapeCertType || chainNotValidated) {
-                System.out.println();
-
-                System.out.println(rb.getString("Warning."));
-                if (badKeyUsage) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (badExtendedKeyUsage) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (badNetscapeCertType) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing."));
-                }
-
-                if (hasExpiredCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.has.expired."));
-                } else if (hasExpiringCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.will.expire.within.six.months."));
-                } else if (notYetValidCert) {
-                    System.out.println(
-                        rb.getString("The.signer.certificate.is.not.yet.valid."));
-                }
-
-                if (chainNotValidated) {
-                    System.out.println(
-                            rb.getString("The.signer.s.certificate.chain.is.not.validated."));
-                }
-            }
-
-        // no IOException thrown in the above try clause, so disable
-        // the catch clause.
-        // } catch(IOException ioe) {
-        //     error(rb.getString("unable.to.sign.jar.")+ioe, ioe);
-        // }
-    }
-
-    /**
-     * Find the length of header inside bs. The header is a multiple (>=0)
-     * lines of attributes plus an empty line. The empty line is included
-     * in the header.
-     */
-    @SuppressWarnings("fallthrough")
-    private int findHeaderEnd(byte[] bs) {
-        // Initial state true to deal with empty header
-        boolean newline = true;     // just met a newline
-        int len = bs.length;
-        for (int i=0; i<len; i++) {
-            switch (bs[i]) {
-                case '\r':
-                    if (i < len - 1 && bs[i+1] == '\n') i++;
-                    // fallthrough
-                case '\n':
-                    if (newline) return i+1;    //+1 to get length
-                    newline = true;
-                    break;
-                default:
-                    newline = false;
-            }
-        }
-        // If header end is not found, it means the MANIFEST.MF has only
-        // the main attributes section and it does not end with 2 newlines.
-        // Returns the whole length so that it can be completely replaced.
-        return len;
-    }
-
-    /**
-     * signature-related files include:
-     * . META-INF/MANIFEST.MF
-     * . META-INF/SIG-*
-     * . META-INF/*.SF
-     * . META-INF/*.DSA
-     * . META-INF/*.RSA
-     * . META-INF/*.EC
-     */
-    private boolean signatureRelated(String name) {
-        String ucName = name.toUpperCase(Locale.ENGLISH);
-        if (ucName.equals(JarFile.MANIFEST_NAME) ||
-            ucName.equals(META_INF) ||
-            (ucName.startsWith(SIG_PREFIX) &&
-                ucName.indexOf("/") == ucName.lastIndexOf("/"))) {
-            return true;
-        }
-
-        if (ucName.startsWith(META_INF) &&
-            SignatureFileVerifier.isBlockOrSF(ucName)) {
-            // .SF/.DSA/.RSA/.EC files in META-INF subdirs
-            // are not considered signature-related
-            return (ucName.indexOf("/") == ucName.lastIndexOf("/"));
-        }
-
-        return false;
-    }
-
-    Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<>();
-
-    /**
-     * Returns a string of singer info, with a newline at the end
-     */
-    private String signerInfo(CodeSigner signer, String tab) {
-        if (cacheForSignerInfo.containsKey(signer)) {
-            return cacheForSignerInfo.get(signer);
-        }
-        StringBuffer s = new StringBuffer();
-        List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
-        // display the signature timestamp, if present
-        Date timestamp;
-        Timestamp ts = signer.getTimestamp();
-        if (ts != null) {
-            s.append(printTimestamp(tab, ts));
-            s.append('\n');
-            timestamp = ts.getTimestamp();
-        } else {
-            timestamp = null;
-        }
-        // display the certificate(s). The first one is end-entity cert and
-        // its KeyUsage should be checked.
-        boolean first = true;
-        for (Certificate c : certs) {
-            s.append(printCert(tab, c, true, timestamp, first));
-            s.append('\n');
-            first = false;
-        }
-        try {
-            CertPath cp = certificateFactory.generateCertPath(certs);
-            validator.validate(cp, pkixParameters);
-        } catch (Exception e) {
-            if (debug) {
-                e.printStackTrace();
-            }
-            if (e.getCause() != null &&
-                    (e.getCause() instanceof CertificateExpiredException ||
-                     e.getCause() instanceof CertificateNotYetValidException)) {
-                // No more warning, we alreay have hasExpiredCert or notYetValidCert
-            } else {
-                chainNotValidated = true;
-                s.append(tab + rb.getString(".CertPath.not.validated.") +
-                        e.getLocalizedMessage() + "]\n");   // TODO
-            }
-        }
-        String result = s.toString();
-        cacheForSignerInfo.put(signer, result);
-        return result;
-    }
-
-    private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
-    throws IOException
-    {
-        ZipEntry ze2 = new ZipEntry(ze.getName());
-        ze2.setMethod(ze.getMethod());
-        ze2.setTime(ze.getTime());
-        ze2.setComment(ze.getComment());
-        ze2.setExtra(ze.getExtra());
-        if (ze.getMethod() == ZipEntry.STORED) {
-            ze2.setSize(ze.getSize());
-            ze2.setCrc(ze.getCrc());
-        }
-        os.putNextEntry(ze2);
-        writeBytes(zf, ze, os);
-    }
-
-    /**
-     * Writes all the bytes for a given entry to the specified output stream.
-     */
-    private synchronized void writeBytes
-        (ZipFile zf, ZipEntry ze, ZipOutputStream os) throws IOException {
-        int n;
-
-        InputStream is = null;
-        try {
-            is = zf.getInputStream(ze);
-            long left = ze.getSize();
-
-            while((left > 0) && (n = is.read(buffer, 0, buffer.length)) != -1) {
-                os.write(buffer, 0, n);
-                left -= n;
-            }
-        } finally {
-            if (is != null) {
-                is.close();
-            }
-        }
-    }
-
-    void loadKeyStore(String keyStoreName, boolean prompt) {
-
-        if (!nullStream && keyStoreName == null) {
-            keyStoreName = System.getProperty("user.home") + File.separator
-                + ".keystore";
-        }
-
-        try {
-
-            certificateFactory = CertificateFactory.getInstance("X.509");
-            validator = CertPathValidator.getInstance("PKIX");
-            Set<TrustAnchor> tas = new HashSet<>();
-            try {
-                KeyStore caks = KeyTool.getCacertsKeyStore();
-                if (caks != null) {
-                    Enumeration<String> aliases = caks.aliases();
-                    while (aliases.hasMoreElements()) {
-                        String a = aliases.nextElement();
-                        try {
-                            tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
-                        } catch (Exception e2) {
-                            // ignore, when a SecretkeyEntry does not include a cert
-                        }
-                    }
-                }
-            } catch (Exception e) {
-                // Ignore, if cacerts cannot be loaded
-            }
-
-            if (providerName == null) {
-                store = KeyStore.getInstance(storetype);
-            } else {
-                store = KeyStore.getInstance(storetype, providerName);
-            }
-
-            // Get pass phrase
-            // XXX need to disable echo; on UNIX, call getpass(char *prompt)Z
-            // and on NT call ??
-            if (token && storepass == null && !protectedPath
-                    && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
-                storepass = getPass
-                        (rb.getString("Enter.Passphrase.for.keystore."));
-            } else if (!token && storepass == null && prompt) {
-                storepass = getPass
-                        (rb.getString("Enter.Passphrase.for.keystore."));
-            }
-
-            try {
-                if (nullStream) {
-                    store.load(null, storepass);
-                } else {
-                    keyStoreName = keyStoreName.replace(File.separatorChar, '/');
-                    URL url = null;
-                    try {
-                        url = new URL(keyStoreName);
-                    } catch (java.net.MalformedURLException e) {
-                        // try as file
-                        url = new File(keyStoreName).toURI().toURL();
-                    }
-                    InputStream is = null;
-                    try {
-                        is = url.openStream();
-                        store.load(is, storepass);
-                    } finally {
-                        if (is != null) {
-                            is.close();
-                        }
-                    }
-                }
-                Enumeration<String> aliases = store.aliases();
-                while (aliases.hasMoreElements()) {
-                    String a = aliases.nextElement();
-                    try {
-                        X509Certificate c = (X509Certificate)store.getCertificate(a);
-                        // Only add TrustedCertificateEntry and self-signed
-                        // PrivateKeyEntry
-                        if (store.isCertificateEntry(a) ||
-                                c.getSubjectDN().equals(c.getIssuerDN())) {
-                            tas.add(new TrustAnchor(c, null));
-                        }
-                    } catch (Exception e2) {
-                        // ignore, when a SecretkeyEntry does not include a cert
-                    }
-                }
-            } finally {
-                try {
-                    pkixParameters = new PKIXParameters(tas);
-                    pkixParameters.setRevocationEnabled(false);
-                } catch (InvalidAlgorithmParameterException ex) {
-                    // Only if tas is empty
-                }
-            }
-        } catch (IOException ioe) {
-            throw new RuntimeException(rb.getString("keystore.load.") +
-                                        ioe.getMessage());
-        } catch (java.security.cert.CertificateException ce) {
-            throw new RuntimeException(rb.getString("certificate.exception.") +
-                                        ce.getMessage());
-        } catch (NoSuchProviderException pe) {
-            throw new RuntimeException(rb.getString("keystore.load.") +
-                                        pe.getMessage());
-        } catch (NoSuchAlgorithmException nsae) {
-            throw new RuntimeException(rb.getString("keystore.load.") +
-                                        nsae.getMessage());
-        } catch (KeyStoreException kse) {
-            throw new RuntimeException
-                (rb.getString("unable.to.instantiate.keystore.class.") +
-                kse.getMessage());
-        }
-    }
-
-    X509Certificate getTsaCert(String alias) {
-
-        java.security.cert.Certificate cs = null;
-
-        try {
-            cs = store.getCertificate(alias);
-        } catch (KeyStoreException kse) {
-            // this never happens, because keystore has been loaded
-        }
-        if (cs == null || (!(cs instanceof X509Certificate))) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the"));
-            Object[] source = {alias, alias};
-            error(form.format(source));
-        }
-        return (X509Certificate) cs;
-    }
-
-    /**
-     * Check if userCert is designed to be a code signer
-     * @param userCert the certificate to be examined
-     * @param bad 3 booleans to show if the KeyUsage, ExtendedKeyUsage,
-     *            NetscapeCertType has codeSigning flag turned on.
-     *            If null, the class field badKeyUsage, badExtendedKeyUsage,
-     *            badNetscapeCertType will be set.
-     */
-    void checkCertUsage(X509Certificate userCert, boolean[] bad) {
-
-        // Can act as a signer?
-        // 1. if KeyUsage, then [0:digitalSignature] or
-        //    [1:nonRepudiation] should be true
-        // 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
-        // 3. if NetscapeCertType, then should contains OBJECT_SIGNING
-        // 1,2,3 must be true
-
-        if (bad != null) {
-            bad[0] = bad[1] = bad[2] = false;
-        }
-
-        boolean[] keyUsage = userCert.getKeyUsage();
-        if (keyUsage != null) {
-            keyUsage = Arrays.copyOf(keyUsage, 9);
-            if (!keyUsage[0] && !keyUsage[1]) {
-                if (bad != null) {
-                    bad[0] = true;
-                    badKeyUsage = true;
-                }
-            }
-        }
-
-        try {
-            List<String> xKeyUsage = userCert.getExtendedKeyUsage();
-            if (xKeyUsage != null) {
-                if (!xKeyUsage.contains("2.5.29.37.0") // anyExtendedKeyUsage
-                        && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) {  // codeSigning
-                    if (bad != null) {
-                        bad[1] = true;
-                        badExtendedKeyUsage = true;
-                    }
-                }
-            }
-        } catch (java.security.cert.CertificateParsingException e) {
-            // shouldn't happen
-        }
-
-        try {
-            // OID_NETSCAPE_CERT_TYPE
-            byte[] netscapeEx = userCert.getExtensionValue
-                    ("2.16.840.1.113730.1.1");
-            if (netscapeEx != null) {
-                DerInputStream in = new DerInputStream(netscapeEx);
-                byte[] encoded = in.getOctetString();
-                encoded = new DerValue(encoded).getUnalignedBitString()
-                        .toByteArray();
-
-                NetscapeCertTypeExtension extn =
-                        new NetscapeCertTypeExtension(encoded);
-
-                Boolean val = extn.get(NetscapeCertTypeExtension.OBJECT_SIGNING);
-                if (!val) {
-                    if (bad != null) {
-                        bad[2] = true;
-                        badNetscapeCertType = true;
-                    }
-                }
-            }
-        } catch (IOException e) {
-            //
-        }
-    }
-
-    void getAliasInfo(String alias) {
-
-        Key key = null;
-
-        try {
-            java.security.cert.Certificate[] cs = null;
-            if (altCertChain != null) {
-                try {
-                    cs = CertificateFactory.getInstance("X.509").
-                            generateCertificates(new FileInputStream(altCertChain)).
-                            toArray(new Certificate[0]);
-                } catch (CertificateException ex) {
-                    error(rb.getString("Cannot.restore.certchain.from.file.specified"));
-                } catch (FileNotFoundException ex) {
-                    error(rb.getString("File.specified.by.certchain.does.not.exist"));
-                }
-            } else {
-                try {
-                    cs = store.getCertificateChain(alias);
-                } catch (KeyStoreException kse) {
-                    // this never happens, because keystore has been loaded
-                }
-            }
-            if (cs == null || cs.length == 0) {
-                if (altCertChain != null) {
-                    error(rb.getString
-                            ("Certificate.chain.not.found.in.the.file.specified."));
-                } else {
-                    MessageFormat form = new MessageFormat(rb.getString
-                        ("Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and"));
-                    Object[] source = {alias, alias};
-                    error(form.format(source));
-                }
-            }
-
-            certChain = new X509Certificate[cs.length];
-            for (int i=0; i<cs.length; i++) {
-                if (!(cs[i] instanceof X509Certificate)) {
-                    error(rb.getString
-                        ("found.non.X.509.certificate.in.signer.s.chain"));
-                }
-                certChain[i] = (X509Certificate)cs[i];
-            }
-
-            // We don't meant to print anything, the next call
-            // checks validity and keyUsage etc
-            printCert("", certChain[0], true, null, true);
-
-            try {
-                CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
-                validator.validate(cp, pkixParameters);
-            } catch (Exception e) {
-                if (debug) {
-                    e.printStackTrace();
-                }
-                if (e.getCause() != null &&
-                        (e.getCause() instanceof CertificateExpiredException ||
-                        e.getCause() instanceof CertificateNotYetValidException)) {
-                    // No more warning, we alreay have hasExpiredCert or notYetValidCert
-                } else {
-                    chainNotValidated = true;
-                }
-            }
-
-            try {
-                if (!token && keypass == null)
-                    key = store.getKey(alias, storepass);
-                else
-                    key = store.getKey(alias, keypass);
-            } catch (UnrecoverableKeyException e) {
-                if (token) {
-                    throw e;
-                } else if (keypass == null) {
-                    // Did not work out, so prompt user for key password
-                    MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter.key.password.for.alias."));
-                    Object[] source = {alias};
-                    keypass = getPass(form.format(source));
-                    key = store.getKey(alias, keypass);
-                }
-            }
-        } catch (NoSuchAlgorithmException e) {
-            error(e.getMessage());
-        } catch (UnrecoverableKeyException e) {
-            error(rb.getString("unable.to.recover.key.from.keystore"));
-        } catch (KeyStoreException kse) {
-            // this never happens, because keystore has been loaded
-        }
-
-        if (!(key instanceof PrivateKey)) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("key.associated.with.alias.not.a.private.key"));
-            Object[] source = {alias};
-            error(form.format(source));
-        } else {
-            privateKey = (PrivateKey)key;
-        }
-    }
-
-    void error(String message)
-    {
-        System.out.println(rb.getString("jarsigner.")+message);
-        System.exit(1);
-    }
-
-
-    void error(String message, Exception e)
-    {
-        System.out.println(rb.getString("jarsigner.")+message);
-        if (debug) {
-            e.printStackTrace();
-        }
-        System.exit(1);
-    }
-
-    char[] getPass(String prompt)
-    {
-        System.err.print(prompt);
-        System.err.flush();
-        try {
-            char[] pass = Password.readPassword(System.in);
-
-            if (pass == null) {
-                error(rb.getString("you.must.enter.key.password"));
-            } else {
-                return pass;
-            }
-        } catch (IOException ioe) {
-            error(rb.getString("unable.to.read.password.")+ioe.getMessage());
-        }
-        // this shouldn't happen
-        return null;
-    }
-
-    /*
-     * Reads all the bytes for a given zip entry.
-     */
-    private synchronized byte[] getBytes(ZipFile zf,
-                                         ZipEntry ze) throws IOException {
-        int n;
-
-        InputStream is = null;
-        try {
-            is = zf.getInputStream(ze);
-            baos.reset();
-            long left = ze.getSize();
-
-            while((left > 0) && (n = is.read(buffer, 0, buffer.length)) != -1) {
-                baos.write(buffer, 0, n);
-                left -= n;
-            }
-        } finally {
-            if (is != null) {
-                is.close();
-            }
-        }
-
-        return baos.toByteArray();
-    }
-
-    /*
-     * Returns manifest entry from given jar file, or null if given jar file
-     * does not have a manifest entry.
-     */
-    private ZipEntry getManifestFile(ZipFile zf) {
-        ZipEntry ze = zf.getEntry(JarFile.MANIFEST_NAME);
-        if (ze == null) {
-            // Check all entries for matching name
-            Enumeration<? extends ZipEntry> enum_ = zf.entries();
-            while (enum_.hasMoreElements() && ze == null) {
-                ze = enum_.nextElement();
-                if (!JarFile.MANIFEST_NAME.equalsIgnoreCase
-                    (ze.getName())) {
-                    ze = null;
-                }
-            }
-        }
-        return ze;
-    }
-
-    /*
-     * Computes the digests of a zip entry, and returns them as an array
-     * of base64-encoded strings.
-     */
-    private synchronized String[] getDigests(ZipEntry ze, ZipFile zf,
-                                             MessageDigest[] digests,
-                                             BASE64Encoder encoder)
-        throws IOException {
-
-        int n, i;
-        InputStream is = null;
-        try {
-            is = zf.getInputStream(ze);
-            long left = ze.getSize();
-            while((left > 0)
-                && (n = is.read(buffer, 0, buffer.length)) != -1) {
-                for (i=0; i<digests.length; i++) {
-                    digests[i].update(buffer, 0, n);
-                }
-                left -= n;
-            }
-        } finally {
-            if (is != null) {
-                is.close();
-            }
-        }
-
-        // complete the digests
-        String[] base64Digests = new String[digests.length];
-        for (i=0; i<digests.length; i++) {
-            base64Digests[i] = encoder.encode(digests[i].digest());
-        }
-        return base64Digests;
-    }
-
-    /*
-     * Computes the digests of a zip entry, and returns them as a list of
-     * attributes
-     */
-    private Attributes getDigestAttributes(ZipEntry ze, ZipFile zf,
-                                           MessageDigest[] digests,
-                                           BASE64Encoder encoder)
-        throws IOException {
-
-        String[] base64Digests = getDigests(ze, zf, digests, encoder);
-        Attributes attrs = new Attributes();
-
-        for (int i=0; i<digests.length; i++) {
-            attrs.putValue(digests[i].getAlgorithm()+"-Digest",
-                           base64Digests[i]);
-        }
-        return attrs;
-    }
-
-    /*
-     * Updates the digest attributes of a manifest entry, by adding or
-     * replacing digest values.
-     * A digest value is added if the manifest entry does not contain a digest
-     * for that particular algorithm.
-     * A digest value is replaced if it is obsolete.
-     *
-     * Returns true if the manifest entry has been changed, and false
-     * otherwise.
-     */
-    private boolean updateDigests(ZipEntry ze, ZipFile zf,
-                                  MessageDigest[] digests,
-                                  BASE64Encoder encoder,
-                                  Manifest mf) throws IOException {
-        boolean update = false;
-
-        Attributes attrs = mf.getAttributes(ze.getName());
-        String[] base64Digests = getDigests(ze, zf, digests, encoder);
-
-        for (int i=0; i<digests.length; i++) {
-            // The entry name to be written into attrs
-            String name = null;
-            try {
-                // Find if the digest already exists
-                AlgorithmId aid = AlgorithmId.get(digests[i].getAlgorithm());
-                for (Object key: attrs.keySet()) {
-                    if (key instanceof Attributes.Name) {
-                        String n = ((Attributes.Name)key).toString();
-                        if (n.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
-                            String tmp = n.substring(0, n.length() - 7);
-                            if (AlgorithmId.get(tmp).equals(aid)) {
-                                name = n;
-                                break;
-                            }
-                        }
-                    }
-                }
-            } catch (NoSuchAlgorithmException nsae) {
-                // Ignored. Writing new digest entry.
-            }
-
-            if (name == null) {
-                name = digests[i].getAlgorithm()+"-Digest";
-                attrs.putValue(name, base64Digests[i]);
-                update=true;
-            } else {
-                // compare digests, and replace the one in the manifest
-                // if they are different
-                String mfDigest = attrs.getValue(name);
-                if (!mfDigest.equalsIgnoreCase(base64Digests[i])) {
-                    attrs.putValue(name, base64Digests[i]);
-                    update=true;
-                }
-            }
-        }
-        return update;
-    }
-
-    /*
-     * Try to load the specified signing mechanism.
-     * The URL class loader is used.
-     */
-    private ContentSigner loadSigningMechanism(String signerClassName,
-        String signerClassPath) throws Exception {
-
-        // construct class loader
-        String cpString = null;   // make sure env.class.path defaults to dot
-
-        // do prepends to get correct ordering
-        cpString = PathList.appendPath(System.getProperty("env.class.path"), cpString);
-        cpString = PathList.appendPath(System.getProperty("java.class.path"), cpString);
-        cpString = PathList.appendPath(signerClassPath, cpString);
-        URL[] urls = PathList.pathToURLs(cpString);
-        ClassLoader appClassLoader = new URLClassLoader(urls);
-
-        // attempt to find signer
-        Class<?> signerClass = appClassLoader.loadClass(signerClassName);
-
-        // Check that it implements ContentSigner
-        Object signer = signerClass.newInstance();
-        if (!(signer instanceof ContentSigner)) {
-            MessageFormat form = new MessageFormat(
-                rb.getString("signerClass.is.not.a.signing.mechanism"));
-            Object[] source = {signerClass.getName()};
-            throw new IllegalArgumentException(form.format(source));
-        }
-        return (ContentSigner)signer;
-    }
-}
-
-/**
- * This is a BASE64Encoder that does not insert a default newline at the end of
- * every output line. This is necessary because java.util.jar does its own
- * line management (see Manifest.make72Safe()). Inserting additional new lines
- * can cause line-wrapping problems (see CR 6219522).
- */
-class JarBASE64Encoder extends BASE64Encoder {
-    /**
-     * Encode the suffix that ends every output line.
-     */
-    protected void encodeLineSuffix(OutputStream aStream) throws IOException { }
-}
-
-class SignatureFile {
-
-    /** SignatureFile */
-    Manifest sf;
-
-    /** .SF base name */
-    String baseName;
-
-    public SignatureFile(MessageDigest digests[],
-                         Manifest mf,
-                         ManifestDigester md,
-                         String baseName,
-                         boolean signManifest)
-
-    {
-        this.baseName = baseName;
-
-        String version = System.getProperty("java.version");
-        String javaVendor = System.getProperty("java.vendor");
-
-        sf = new Manifest();
-        Attributes mattr = sf.getMainAttributes();
-        BASE64Encoder encoder = new JarBASE64Encoder();
-
-        mattr.putValue(Attributes.Name.SIGNATURE_VERSION.toString(), "1.0");
-        mattr.putValue("Created-By", version + " (" + javaVendor + ")");
-
-        if (signManifest) {
-            // sign the whole manifest
-            for (int i=0; i < digests.length; i++) {
-                mattr.putValue(digests[i].getAlgorithm()+"-Digest-Manifest",
-                               encoder.encode(md.manifestDigest(digests[i])));
-            }
-        }
-
-        // create digest of the manifest main attributes
-        ManifestDigester.Entry mde =
-                md.get(ManifestDigester.MF_MAIN_ATTRS, false);
-        if (mde != null) {
-            for (int i=0; i < digests.length; i++) {
-                mattr.putValue(digests[i].getAlgorithm() +
-                        "-Digest-" + ManifestDigester.MF_MAIN_ATTRS,
-                        encoder.encode(mde.digest(digests[i])));
-            }
-        } else {
-            throw new IllegalStateException
-                ("ManifestDigester failed to create " +
-                "Manifest-Main-Attribute entry");
-        }
-
-        /* go through the manifest entries and create the digests */
-
-        Map<String,Attributes> entries = sf.getEntries();
-        Iterator<Map.Entry<String,Attributes>> mit =
-                                mf.getEntries().entrySet().iterator();
-        while(mit.hasNext()) {
-            Map.Entry<String,Attributes> e = mit.next();
-            String name = e.getKey();
-            mde = md.get(name, false);
-            if (mde != null) {
-                Attributes attr = new Attributes();
-                for (int i=0; i < digests.length; i++) {
-                    attr.putValue(digests[i].getAlgorithm()+"-Digest",
-                                  encoder.encode(mde.digest(digests[i])));
-                }
-                entries.put(name, attr);
-            }
-        }
-    }
-
-    /**
-     * Writes the SignatureFile to the specified OutputStream.
-     *
-     * @param out the output stream
-     * @exception IOException if an I/O error has occurred
-     */
-
-    public void write(OutputStream out) throws IOException
-    {
-        sf.write(out);
-    }
-
-    /**
-     * get .SF file name
-     */
-    public String getMetaName()
-    {
-        return "META-INF/"+ baseName + ".SF";
-    }
-
-    /**
-     * get base file name
-     */
-    public String getBaseName()
-    {
-        return baseName;
-    }
-
-    /*
-     * Generate a signed data block.
-     * If a URL or a certificate (containing a URL) for a Timestamping
-     * Authority is supplied then a signature timestamp is generated and
-     * inserted into the signed data block.
-     *
-     * @param sigalg signature algorithm to use, or null to use default
-     * @param tsaUrl The location of the Timestamping Authority. If null
-     *               then no timestamp is requested.
-     * @param tsaCert The certificate for the Timestamping Authority. If null
-     *               then no timestamp is requested.
-     * @param signingMechanism The signing mechanism to use.
-     * @param args The command-line arguments to jarsigner.
-     * @param zipFile The original source Zip file.
-     */
-    public Block generateBlock(PrivateKey privateKey,
-                               String sigalg,
-                               X509Certificate[] certChain,
-                               boolean externalSF, String tsaUrl,
-                               X509Certificate tsaCert,
-                               ContentSigner signingMechanism,
-                               String[] args, ZipFile zipFile)
-        throws NoSuchAlgorithmException, InvalidKeyException, IOException,
-            SignatureException, CertificateException
-    {
-        return new Block(this, privateKey, sigalg, certChain, externalSF,
-                tsaUrl, tsaCert, signingMechanism, args, zipFile);
-    }
-
-
-    public static class Block {
-
-        private byte[] block;
-        private String blockFileName;
-
-        /*
-         * Construct a new signature block.
-         */
-        Block(SignatureFile sfg, PrivateKey privateKey, String sigalg,
-            X509Certificate[] certChain, boolean externalSF, String tsaUrl,
-            X509Certificate tsaCert, ContentSigner signingMechanism,
-            String[] args, ZipFile zipFile)
-            throws NoSuchAlgorithmException, InvalidKeyException, IOException,
-            SignatureException, CertificateException {
-
-            Principal issuerName = certChain[0].getIssuerDN();
-            if (!(issuerName instanceof X500Name)) {
-                // must extract the original encoded form of DN for subsequent
-                // name comparison checks (converting to a String and back to
-                // an encoded DN could cause the types of String attribute
-                // values to be changed)
-                X509CertInfo tbsCert = new
-                    X509CertInfo(certChain[0].getTBSCertificate());
-                issuerName = (Principal)
-                    tbsCert.get(CertificateIssuerName.NAME + "." +
-                                CertificateIssuerName.DN_NAME);
-            }
-            BigInteger serial = certChain[0].getSerialNumber();
-
-            String signatureAlgorithm;
-            String keyAlgorithm = privateKey.getAlgorithm();
-            /*
-             * If no signature algorithm was specified, we choose a
-             * default that is compatible with the private key algorithm.
-             */
-            if (sigalg == null) {
-
-                if (keyAlgorithm.equalsIgnoreCase("DSA"))
-                    signatureAlgorithm = "SHA1withDSA";
-                else if (keyAlgorithm.equalsIgnoreCase("RSA"))
-                    signatureAlgorithm = "SHA256withRSA";
-                else if (keyAlgorithm.equalsIgnoreCase("EC"))
-                    signatureAlgorithm = "SHA256withECDSA";
-                else
-                    throw new RuntimeException("private key is not a DSA or "
-                                               + "RSA key");
-            } else {
-                signatureAlgorithm = sigalg;
-            }
-
-            // check common invalid key/signature algorithm combinations
-            String sigAlgUpperCase = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
-            if ((sigAlgUpperCase.endsWith("WITHRSA") &&
-                !keyAlgorithm.equalsIgnoreCase("RSA")) ||
-                (sigAlgUpperCase.endsWith("WITHECDSA") &&
-                !keyAlgorithm.equalsIgnoreCase("EC")) ||
-                (sigAlgUpperCase.endsWith("WITHDSA") &&
-                !keyAlgorithm.equalsIgnoreCase("DSA"))) {
-                throw new SignatureException
-                    ("private key algorithm is not compatible with signature algorithm");
-            }
-
-            blockFileName = "META-INF/"+sfg.getBaseName()+"."+keyAlgorithm;
-
-            AlgorithmId sigAlg = AlgorithmId.get(signatureAlgorithm);
-            AlgorithmId digEncrAlg = AlgorithmId.get(keyAlgorithm);
-
-            Signature sig = Signature.getInstance(signatureAlgorithm);
-            sig.initSign(privateKey);
-
-            ByteArrayOutputStream baos = new ByteArrayOutputStream();
-            sfg.write(baos);
-
-            byte[] content = baos.toByteArray();
-
-            sig.update(content);
-            byte[] signature = sig.sign();
-
-            // Timestamp the signature and generate the signature block file
-            if (signingMechanism == null) {
-                signingMechanism = new TimestampedSigner();
-            }
-            URI tsaUri = null;
-            try {
-                if (tsaUrl != null) {
-                    tsaUri = new URI(tsaUrl);
-                }
-            } catch (URISyntaxException e) {
-                throw new IOException(e);
-            }
-
-            // Assemble parameters for the signing mechanism
-            ContentSignerParameters params =
-                new JarSignerParameters(args, tsaUri, tsaCert, signature,
-                    signatureAlgorithm, certChain, content, zipFile);
-
-            // Generate the signature block
-            block = signingMechanism.generateSignedData(
-                    params, externalSF, (tsaUrl != null || tsaCert != null));
-        }
-
-        /*
-         * get block file name.
-         */
-        public String getMetaName()
-        {
-            return blockFileName;
-        }
-
-        /**
-         * Writes the block file to the specified OutputStream.
-         *
-         * @param out the output stream
-         * @exception IOException if an I/O error has occurred
-         */
-
-        public void write(OutputStream out) throws IOException
-        {
-            out.write(block);
-        }
-    }
-}
-
-
-/*
- * This object encapsulates the parameters used to perform content signing.
- */
-class JarSignerParameters implements ContentSignerParameters {
-
-    private String[] args;
-    private URI tsa;
-    private X509Certificate tsaCertificate;
-    private byte[] signature;
-    private String signatureAlgorithm;
-    private X509Certificate[] signerCertificateChain;
-    private byte[] content;
-    private ZipFile source;
-
-    /**
-     * Create a new object.
-     */
-    JarSignerParameters(String[] args, URI tsa, X509Certificate tsaCertificate,
-        byte[] signature, String signatureAlgorithm,
-        X509Certificate[] signerCertificateChain, byte[] content,
-        ZipFile source) {
-
-        if (signature == null || signatureAlgorithm == null ||
-            signerCertificateChain == null) {
-            throw new NullPointerException();
-        }
-        this.args = args;
-        this.tsa = tsa;
-        this.tsaCertificate = tsaCertificate;
-        this.signature = signature;
-        this.signatureAlgorithm = signatureAlgorithm;
-        this.signerCertificateChain = signerCertificateChain;
-        this.content = content;
-        this.source = source;
-    }
-
-    /**
-     * Retrieves the command-line arguments.
-     *
-     * @return The command-line arguments. May be null.
-     */
-    public String[] getCommandLine() {
-        return args;
-    }
-
-    /**
-     * Retrieves the identifier for a Timestamping Authority (TSA).
-     *
-     * @return The TSA identifier. May be null.
-     */
-    public URI getTimestampingAuthority() {
-        return tsa;
-    }
-
-    /**
-     * Retrieves the certificate for a Timestamping Authority (TSA).
-     *
-     * @return The TSA certificate. May be null.
-     */
-    public X509Certificate getTimestampingAuthorityCertificate() {
-        return tsaCertificate;
-    }
-
-    /**
-     * Retrieves the signature.
-     *
-     * @return The non-null signature bytes.
-     */
-    public byte[] getSignature() {
-        return signature;
-    }
-
-    /**
-     * Retrieves the name of the signature algorithm.
-     *
-     * @return The non-null string name of the signature algorithm.
-     */
-    public String getSignatureAlgorithm() {
-        return signatureAlgorithm;
-    }
-
-    /**
-     * Retrieves the signer's X.509 certificate chain.
-     *
-     * @return The non-null array of X.509 public-key certificates.
-     */
-    public X509Certificate[] getSignerCertificateChain() {
-        return signerCertificateChain;
-    }
-
-    /**
-     * Retrieves the content that was signed.
-     *
-     * @return The content bytes. May be null.
-     */
-    public byte[] getContent() {
-        return content;
-    }
-
-    /**
-     * Retrieves the original source ZIP file before it was signed.
-     *
-     * @return The original ZIP file. May be null.
-     */
-    public ZipFile getSource() {
-        return source;
-    }
-}
--- a/src/share/classes/sun/security/tools/JarSignerResources.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,242 +0,0 @@
-/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-/**
- * <p> This class represents the <code>ResourceBundle</code>
- * for JarSigner.
- *
- */
-public class JarSignerResources extends java.util.ListResourceBundle {
-
-    private static final Object[][] contents = {
-
-        // shared (from jarsigner)
-        {"SPACE", " "},
-        {"2SPACE", "  "},
-        {"6SPACE", "      "},
-        {"COMMA", ", "},
-
-        {"provName.not.a.provider", "{0} not a provider"},
-        {"signerClass.is.not.a.signing.mechanism", "{0} is not a signing mechanism"},
-        {"jarsigner.error.", "jarsigner error: "},
-        {"Illegal.option.", "Illegal option: "},
-        {".keystore.must.be.NONE.if.storetype.is.{0}",
-                "-keystore must be NONE if -storetype is {0}"},
-        {".keypass.can.not.be.specified.if.storetype.is.{0}",
-                "-keypass can not be specified if -storetype is {0}"},
-        {"If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified",
-                "If -protected is specified, then -storepass and -keypass must not be specified"},
-        {"If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified",
-                 "If keystore is not password protected, then -storepass and -keypass must not be specified"},
-        {"Usage.jarsigner.options.jar.file.alias",
-                "Usage: jarsigner [options] jar-file alias"},
-        {".jarsigner.verify.options.jar.file.alias.",
-                "       jarsigner -verify [options] jar-file [alias...]"},
-        {".keystore.url.keystore.location",
-                "[-keystore <url>]           keystore location"},
-        {".storepass.password.password.for.keystore.integrity",
-            "[-storepass <password>]     password for keystore integrity"},
-        {".storetype.type.keystore.type",
-                "[-storetype <type>]         keystore type"},
-        {".keypass.password.password.for.private.key.if.different.",
-                "[-keypass <password>]       password for private key (if different)"},
-        {".certchain.file.name.of.alternative.certchain.file",
-                "[-certchain <file>]         name of alternative certchain file"},
-        {".sigfile.file.name.of.SF.DSA.file",
-                "[-sigfile <file>]           name of .SF/.DSA file"},
-        {".signedjar.file.name.of.signed.JAR.file",
-                "[-signedjar <file>]         name of signed JAR file"},
-        {".digestalg.algorithm.name.of.digest.algorithm",
-                "[-digestalg <algorithm>]    name of digest algorithm"},
-        {".sigalg.algorithm.name.of.signature.algorithm",
-                "[-sigalg <algorithm>]       name of signature algorithm"},
-        {".verify.verify.a.signed.JAR.file",
-                "[-verify]                   verify a signed JAR file"},
-        {".verbose.suboptions.verbose.output.when.signing.verifying.",
-                "[-verbose[:suboptions]]     verbose output when signing/verifying."},
-        {".suboptions.can.be.all.grouped.or.summary",
-                "                            suboptions can be all, grouped or summary"},
-        {".certs.display.certificates.when.verbose.and.verifying",
-                "[-certs]                    display certificates when verbose and verifying"},
-        {".tsa.url.location.of.the.Timestamping.Authority",
-                "[-tsa <url>]                location of the Timestamping Authority"},
-        {".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
-                "[-tsacert <alias>]          public key certificate for Timestamping Authority"},
-        {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
-                "[-altsigner <class>]        class name of an alternative signing mechanism"},
-        {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
-                "[-altsignerpath <pathlist>] location of an alternative signing mechanism"},
-        {".internalsf.include.the.SF.file.inside.the.signature.block",
-                "[-internalsf]               include the .SF file inside the signature block"},
-        {".sectionsonly.don.t.compute.hash.of.entire.manifest",
-                "[-sectionsonly]             don't compute hash of entire manifest"},
-        {".protected.keystore.has.protected.authentication.path",
-                "[-protected]                keystore has protected authentication path"},
-        {".providerName.name.provider.name",
-                "[-providerName <name>]      provider name"},
-        {".providerClass.class.name.of.cryptographic.service.provider.s",
-                "[-providerClass <class>     name of cryptographic service provider's"},
-        {".providerArg.arg.master.class.file.and.constructor.argument",
-                "  [-providerArg <arg>]] ... master class file and constructor argument"},
-        {".strict.treat.warnings.as.errors",
-                "[-strict]                   treat warnings as errors"},
-        {"Option.lacks.argument", "Option lacks argument"},
-        {"Please.type.jarsigner.help.for.usage", "Please type jarsigner -help for usage"},
-        {"Please.specify.jarfile.name", "Please specify jarfile name"},
-        {"Please.specify.alias.name", "Please specify alias name"},
-        {"Only.one.alias.can.be.specified", "Only one alias can be specified"},
-        {"This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.",
-                 "This jar contains signed entries which is not signed by the specified alias(es)."},
-        {"This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.",
-                  "This jar contains signed entries that's not signed by alias in this keystore."},
-        {"s", "s"},
-        {"m", "m"},
-        {"k", "k"},
-        {"i", "i"},
-        {".and.d.more.", "(and %d more)"},
-        {".s.signature.was.verified.",
-                "  s = signature was verified "},
-        {".m.entry.is.listed.in.manifest",
-                "  m = entry is listed in manifest"},
-        {".k.at.least.one.certificate.was.found.in.keystore",
-                "  k = at least one certificate was found in keystore"},
-        {".i.at.least.one.certificate.was.found.in.identity.scope",
-                "  i = at least one certificate was found in identity scope"},
-        {".X.not.signed.by.specified.alias.es.",
-                "  X = not signed by specified alias(es)"},
-        {"no.manifest.", "no manifest."},
-        {".Signature.related.entries.","(Signature related entries)"},
-        {".Unsigned.entries.", "(Unsigned entries)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar is unsigned. (signatures missing or not parsable)"},
-        {"jar.verified.", "jar verified."},
-        {"jarsigner.", "jarsigner: "},
-        {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
-                "signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
-        {"unable.to.open.jar.file.", "unable to open jar file: "},
-        {"unable.to.create.", "unable to create: "},
-        {".adding.", "   adding: "},
-        {".updating.", " updating: "},
-        {".signing.", "  signing: "},
-        {"attempt.to.rename.signedJarFile.to.jarFile.failed",
-                "attempt to rename {0} to {1} failed"},
-        {"attempt.to.rename.jarFile.to.origJar.failed",
-                "attempt to rename {0} to {1} failed"},
-        {"unable.to.sign.jar.", "unable to sign jar: "},
-        {"Enter.Passphrase.for.keystore.", "Enter Passphrase for keystore: "},
-        {"keystore.load.", "keystore load: "},
-        {"certificate.exception.", "certificate exception: "},
-        {"unable.to.instantiate.keystore.class.",
-                "unable to instantiate keystore class: "},
-        {"Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and",
-                "Certificate chain not found for: {0}.  {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."},
-        {"File.specified.by.certchain.does.not.exist",
-                "File specified by -certchain does not exist"},
-        {"Cannot.restore.certchain.from.file.specified",
-                "Cannot restore certchain from file specified"},
-        {"Certificate.chain.not.found.in.the.file.specified.",
-                "Certificate chain not found in the file specified."},
-        {"found.non.X.509.certificate.in.signer.s.chain",
-                "found non-X.509 certificate in signer's chain"},
-        {"incomplete.certificate.chain", "incomplete certificate chain"},
-        {"Enter.key.password.for.alias.", "Enter key password for {0}: "},
-        {"unable.to.recover.key.from.keystore",
-                "unable to recover key from keystore"},
-        {"key.associated.with.alias.not.a.private.key",
-                "key associated with {0} not a private key"},
-        {"you.must.enter.key.password", "you must enter key password"},
-        {"unable.to.read.password.", "unable to read password: "},
-        {"certificate.is.valid.from", "certificate is valid from {0} to {1}"},
-        {"certificate.expired.on", "certificate expired on {0}"},
-        {"certificate.is.not.valid.until",
-                "certificate is not valid until {0}"},
-        {"certificate.will.expire.on", "certificate will expire on {0}"},
-        {".CertPath.not.validated.", "[CertPath not validated: "},
-        {"requesting.a.signature.timestamp",
-                "requesting a signature timestamp"},
-        {"TSA.location.", "TSA location: "},
-        {"TSA.certificate.", "TSA certificate: "},
-        {"no.response.from.the.Timestamping.Authority.",
-                "no response from the Timestamping Authority. When connecting"
-                + " from behind a firewall an HTTP or HTTPS proxy may need to"
-                + " be specified. Supply the following options to jarsigner:"},
-        {"or", "or"},
-        {"Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the",
-                "Certificate not found for: {0}.  {1} must reference a valid KeyStore entry containing an X.509 public key certificate for the Timestamping Authority."},
-        {"using.an.alternative.signing.mechanism",
-                "using an alternative signing mechanism"},
-        {"entry.was.signed.on", "entry was signed on {0}"},
-        {"Warning.", "Warning: "},
-        {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
-                "This jar contains unsigned entries which have not been integrity-checked. "},
-        {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
-                "This jar contains entries whose signer certificate has expired. "},
-        {"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.",
-                "This jar contains entries whose signer certificate will expire within six months. "},
-        {"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.",
-                "This jar contains entries whose signer certificate is not yet valid. "},
-        {"Re.run.with.the.verbose.option.for.more.details.",
-                "Re-run with the -verbose option for more details."},
-        {"Re.run.with.the.verbose.and.certs.options.for.more.details.",
-                "Re-run with the -verbose and -certs options for more details."},
-        {"The.signer.certificate.has.expired.",
-                "The signer certificate has expired."},
-        {"The.signer.certificate.will.expire.within.six.months.",
-                "The signer certificate will expire within six months."},
-        {"The.signer.certificate.is.not.yet.valid.",
-                "The signer certificate is not yet valid."},
-        {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "The signer certificate's KeyUsage extension doesn't allow code signing."},
-        {"The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
-        {"The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "The signer certificate's NetscapeCertType extension doesn't allow code signing."},
-        {"This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
-        {"This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
-        {"This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
-        {".{0}.extension.does.not.support.code.signing.",
-                 "[{0} extension does not support code signing]"},
-        {"The.signer.s.certificate.chain.is.not.validated.",
-                "The signer's certificate chain is not validated."},
-        {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
-                 "This jar contains entries whose certificate chain is not validated."},
-    };
-
-    /**
-     * Returns the contents of this <code>ResourceBundle</code>.
-     *
-     * <p>
-     *
-     * @return the contents of this <code>ResourceBundle</code>.
-     */
-    public Object[][] getContents() {
-        return contents;
-    }
-}
--- a/src/share/classes/sun/security/tools/JarSignerResources_ja.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,240 +0,0 @@
-/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-/**
- * <p> This class represents the <code>ResourceBundle</code>
- * for JarSigner.
- *
- */
-public class JarSignerResources_ja extends java.util.ListResourceBundle {
-
-    private static final Object[][] contents = {
-
-        // shared (from jarsigner)
-        {"SPACE", " "},
-        {"2SPACE", "  "},
-        {"6SPACE", "      "},
-        {"COMMA", ", "},
-
-        {"provName.not.a.provider", "{0}\u306F\u30D7\u30ED\u30D0\u30A4\u30C0\u3067\u306F\u3042\u308A\u307E\u305B\u3093"},
-        {"signerClass.is.not.a.signing.mechanism", "{0}\u306F\u7F72\u540D\u30E1\u30AB\u30CB\u30BA\u30E0\u3067\u306F\u3042\u308A\u307E\u305B\u3093"},
-        {"jarsigner.error.", "jarsigner\u30A8\u30E9\u30FC: "},
-        {"Illegal.option.", "\u4E0D\u6B63\u306A\u30AA\u30D7\u30B7\u30E7\u30F3: "},
-        {".keystore.must.be.NONE.if.storetype.is.{0}",
-                "-storetype\u304C{0}\u306E\u5834\u5408\u3001-keystore\u306FNONE\u3067\u3042\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059"},
-        {".keypass.can.not.be.specified.if.storetype.is.{0}",
-                "-storetype\u304C{0}\u306E\u5834\u5408\u3001-keypass\u306F\u6307\u5B9A\u3067\u304D\u307E\u305B\u3093"},
-        {"If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified",
-                "-protected\u3092\u6307\u5B9A\u3059\u308B\u5834\u5408\u306F\u3001-storepass\u304A\u3088\u3073-keypass\u3092\u6307\u5B9A\u3057\u306A\u3044\u3067\u304F\u3060\u3055\u3044"},
-        {"If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified",
-                 "\u30AD\u30FC\u30B9\u30C8\u30A2\u304C\u30D1\u30B9\u30EF\u30FC\u30C9\u3067\u4FDD\u8B77\u3055\u308C\u3066\u3044\u306A\u3044\u5834\u5408\u3001-storepass\u304A\u3088\u3073-keypass\u3092\u6307\u5B9A\u3057\u306A\u3044\u3067\u304F\u3060\u3055\u3044"},
-        {"Usage.jarsigner.options.jar.file.alias",
-                "\u4F7F\u7528\u65B9\u6CD5: jarsigner [options] jar-file alias"},
-        {".jarsigner.verify.options.jar.file.alias.",
-                "       jarsigner -verify [options] jar-file [alias...]"},
-        {".keystore.url.keystore.location",
-                "[-keystore <url>]       \u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u4F4D\u7F6E"},
-        {".storepass.password.password.for.keystore.integrity",
-            "[-storepass <password>]   \u30AD\u30FC\u30B9\u30C8\u30A2\u6574\u5408\u6027\u306E\u305F\u3081\u306E\u30D1\u30B9\u30EF\u30FC\u30C9"},
-        {".storetype.type.keystore.type",
-                "[-storetype <type>]     \u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u578B"},
-        {".keypass.password.password.for.private.key.if.different.",
-                "[-keypass <password>]    \u79D8\u5BC6\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9(\u7570\u306A\u308B\u5834\u5408)"},
-        {".certchain.file.name.of.alternative.certchain.file",
-                "[-certchain <file>]         \u4EE3\u66FF\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u30FB\u30D5\u30A1\u30A4\u30EB\u306E\u540D\u524D"},
-        {".sigfile.file.name.of.SF.DSA.file",
-                "[-sigfile <file>]       .SF/.DSA\u30D5\u30A1\u30A4\u30EB\u306E\u540D\u524D"},
-        {".signedjar.file.name.of.signed.JAR.file",
-                "[-signedjar <file>]     \u7F72\u540D\u4ED8\u304DJAR\u30D5\u30A1\u30A4\u30EB\u306E\u540D\u524D"},
-        {".digestalg.algorithm.name.of.digest.algorithm",
-                "[-digestalg <algorithm>]  \u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u306E\u540D\u524D"},
-        {".sigalg.algorithm.name.of.signature.algorithm",
-                "[-sigalg <algorithm>]    \u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u306E\u540D\u524D"},
-        {".verify.verify.a.signed.JAR.file",
-                "[-verify]            \u7F72\u540D\u4ED8\u304DJAR\u30D5\u30A1\u30A4\u30EB\u306E\u691C\u8A3C"},
-        {".verbose.suboptions.verbose.output.when.signing.verifying.",
-                "[-verbose[:suboptions]]     \u7F72\u540D/\u691C\u8A3C\u6642\u306E\u8A73\u7D30\u51FA\u529B\u3002"},
-        {".suboptions.can.be.all.grouped.or.summary",
-                "                            \u30B5\u30D6\u30AA\u30D7\u30B7\u30E7\u30F3\u3068\u3057\u3066\u3001\u3059\u3079\u3066\u3001\u30B0\u30EB\u30FC\u30D7\u307E\u305F\u306F\u30B5\u30DE\u30EA\u30FC\u3092\u4F7F\u7528\u3067\u304D\u307E\u3059"},
-        {".certs.display.certificates.when.verbose.and.verifying",
-                "[-certs]             \u8A73\u7D30\u51FA\u529B\u304A\u3088\u3073\u691C\u8A3C\u6642\u306B\u8A3C\u660E\u66F8\u3092\u8868\u793A"},
-        {".tsa.url.location.of.the.Timestamping.Authority",
-                "[-tsa <url>]          \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u5C40\u306E\u5834\u6240"},
-        {".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
-                "[-tsacert <alias>]      \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u5C40\u306E\u516C\u958B\u9375\u8A3C\u660E\u66F8"},
-        {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
-                "[-altsigner <class>]     \u4EE3\u66FF\u7F72\u540D\u30E1\u30AB\u30CB\u30BA\u30E0\u306E\u30AF\u30E9\u30B9\u540D"},
-        {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
-                "[-altsignerpath <pathlist>]\u4EE3\u66FF\u7F72\u540D\u30E1\u30AB\u30CB\u30BA\u30E0\u306E\u4F4D\u7F6E"},
-        {".internalsf.include.the.SF.file.inside.the.signature.block",
-                "[-internalsf]         \u7F72\u540D\u30D6\u30ED\u30C3\u30AF\u306B.SF\u30D5\u30A1\u30A4\u30EB\u3092\u542B\u3081\u308B"},
-        {".sectionsonly.don.t.compute.hash.of.entire.manifest",
-                "[-sectionsonly]        \u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u5168\u4F53\u306E\u30CF\u30C3\u30B7\u30E5\u306F\u8A08\u7B97\u3057\u306A\u3044"},
-        {".protected.keystore.has.protected.authentication.path",
-                "[-protected]          \u30AD\u30FC\u30B9\u30C8\u30A2\u306B\u306F\u4FDD\u8B77\u3055\u308C\u305F\u8A8D\u8A3C\u30D1\u30B9\u304C\u3042\u308B"},
-        {".providerName.name.provider.name",
-                "[-providerName <name>]   \u30D7\u30ED\u30D0\u30A4\u30C0\u540D"},
-        {".providerClass.class.name.of.cryptographic.service.provider.s",
-                "[-providerClass <class>   \u6697\u53F7\u5316\u30B5\u30FC\u30D3\u30B9\u30FB\u30D7\u30ED\u30D0\u30A4\u30C0\u306E\u540D\u524D"},
-        {".providerArg.arg.master.class.file.and.constructor.argument",
-                "  [-providerArg <arg>]] ... \u30DE\u30B9\u30BF\u30FC\u30FB\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u3068\u30B3\u30F3\u30B9\u30C8\u30E9\u30AF\u30BF\u306E\u5F15\u6570"},
-        {".strict.treat.warnings.as.errors",
-                "[-strict]                   \u8B66\u544A\u3092\u30A8\u30E9\u30FC\u3068\u3057\u3066\u51E6\u7406"},
-        {"Option.lacks.argument", "\u30AA\u30D7\u30B7\u30E7\u30F3\u306B\u5F15\u6570\u304C\u3042\u308A\u307E\u305B\u3093"},
-        {"Please.type.jarsigner.help.for.usage", "\u4F7F\u7528\u65B9\u6CD5\u306B\u3064\u3044\u3066\u306Fjarsigner -help\u3068\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044"},
-        {"Please.specify.jarfile.name", "jarfile\u540D\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
-        {"Please.specify.alias.name", "\u5225\u540D\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
-        {"Only.one.alias.can.be.specified", "\u5225\u540D\u306F1\u3064\u306E\u307F\u6307\u5B9A\u3067\u304D\u307E\u3059"},
-        {"This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.",
-                 "\u3053\u306Ejar\u306B\u542B\u307E\u308C\u308B\u7F72\u540D\u6E08\u30A8\u30F3\u30C8\u30EA\u306F\u3001\u6307\u5B9A\u3055\u308C\u305F\u5225\u540D\u306B\u3088\u3063\u3066\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002"},
-        {"This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.",
-                  "\u3053\u306Ejar\u306B\u542B\u307E\u308C\u308B\u7F72\u540D\u6E08\u30A8\u30F3\u30C8\u30EA\u306F\u3001\u3053\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\u5185\u306E\u5225\u540D\u306B\u3088\u3063\u3066\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002"},
-        {"s", "s"},
-        {"m", "m"},
-        {"k", "k"},
-        {"i", "i"},
-        {".and.d.more.", "(\u4ED6\u306B\u3082%d\u500B)"},
-        {".s.signature.was.verified.",
-                "  s=\u7F72\u540D\u304C\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F "},
-        {".m.entry.is.listed.in.manifest",
-                "  m=\u30A8\u30F3\u30C8\u30EA\u304C\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u5185\u306B\u30EA\u30B9\u30C8\u3055\u308C\u307E\u3059"},
-        {".k.at.least.one.certificate.was.found.in.keystore",
-                "  k=1\u3064\u4EE5\u4E0A\u306E\u8A3C\u660E\u66F8\u304C\u30AD\u30FC\u30B9\u30C8\u30A2\u3067\u691C\u51FA\u3055\u308C\u307E\u3057\u305F"},
-        {".i.at.least.one.certificate.was.found.in.identity.scope",
-                "  i=1\u3064\u4EE5\u4E0A\u306E\u8A3C\u660E\u66F8\u304C\u30A2\u30A4\u30C7\u30F3\u30C6\u30A3\u30C6\u30A3\u30FB\u30B9\u30B3\u30FC\u30D7\u3067\u691C\u51FA\u3055\u308C\u307E\u3057\u305F"},
-        {".X.not.signed.by.specified.alias.es.",
-                "  X =\u6307\u5B9A\u3057\u305F\u5225\u540D\u3067\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093"},
-        {"no.manifest.", "\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u306F\u5B58\u5728\u3057\u307E\u305B\u3093\u3002"},
-        {".Signature.related.entries.","(\u7F72\u540D\u95A2\u9023\u30A8\u30F3\u30C8\u30EA)"},
-        {".Unsigned.entries.", "(\u672A\u7F72\u540D\u306E\u30A8\u30F3\u30C8\u30EA)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar\u306F\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002(\u7F72\u540D\u304C\u898B\u3064\u304B\u3089\u306A\u3044\u304B\u3001\u69CB\u6587\u89E3\u6790\u3067\u304D\u307E\u305B\u3093)"},
-        {"jar.verified.", "jar\u304C\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F\u3002"},
-        {"jarsigner.", "jarsigner: "},
-        {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
-                "\u7F72\u540D\u306E\u30D5\u30A1\u30A4\u30EB\u540D\u306B\u4F7F\u7528\u3067\u304D\u308B\u6587\u5B57\u306F\u3001A-Z\u30010-9\u3001_\u3001- \u306E\u307F\u3067\u3059\u3002"},
-        {"unable.to.open.jar.file.", "\u6B21\u306Ejar\u30D5\u30A1\u30A4\u30EB\u3092\u958B\u304F\u3053\u3068\u304C\u3067\u304D\u307E\u305B\u3093: "},
-        {"unable.to.create.", "\u4F5C\u6210\u3067\u304D\u307E\u305B\u3093: "},
-        {".adding.", "   \u8FFD\u52A0\u4E2D: "},
-        {".updating.", " \u66F4\u65B0\u4E2D: "},
-        {".signing.", "  \u7F72\u540D\u4E2D: "},
-        {"attempt.to.rename.signedJarFile.to.jarFile.failed",
-                "{0}\u306E\u540D\u524D\u3092{1}\u306B\u5909\u66F4\u3057\u3088\u3046\u3068\u3057\u307E\u3057\u305F\u304C\u5931\u6557\u3057\u307E\u3057\u305F"},
-        {"attempt.to.rename.jarFile.to.origJar.failed",
-                "{0}\u306E\u540D\u524D\u3092{1}\u306B\u5909\u66F4\u3057\u3088\u3046\u3068\u3057\u307E\u3057\u305F\u304C\u5931\u6557\u3057\u307E\u3057\u305F"},
-        {"unable.to.sign.jar.", "jar\u306B\u7F72\u540D\u3067\u304D\u307E\u305B\u3093: "},
-        {"Enter.Passphrase.for.keystore.", "\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044: "},
-        {"keystore.load.", "\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u30ED\u30FC\u30C9: "},
-        {"certificate.exception.", "\u8A3C\u660E\u66F8\u4F8B\u5916: "},
-        {"unable.to.instantiate.keystore.class.",
-                "\u30AD\u30FC\u30B9\u30C8\u30A2\u30FB\u30AF\u30E9\u30B9\u306E\u30A4\u30F3\u30B9\u30BF\u30F3\u30B9\u3092\u751F\u6210\u3067\u304D\u307E\u305B\u3093: "},
-        {"Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and",
-                "\u6B21\u306E\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093: {0}\u3002{1}\u306F\u3001\u79D8\u5BC6\u9375\u304A\u3088\u3073\u5BFE\u5FDC\u3059\u308B\u516C\u958B\u9375\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u3092\u542B\u3080\u6709\u52B9\u306AKeyStore\u9375\u30A8\u30F3\u30C8\u30EA\u3092\u53C2\u7167\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002"},
-        {"File.specified.by.certchain.does.not.exist",
-                "-certchain\u3067\u6307\u5B9A\u3055\u308C\u3066\u3044\u308B\u30D5\u30A1\u30A4\u30EB\u306F\u5B58\u5728\u3057\u307E\u305B\u3093"},
-        {"Cannot.restore.certchain.from.file.specified",
-                "\u6307\u5B9A\u3055\u308C\u305F\u30D5\u30A1\u30A4\u30EB\u304B\u3089\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u3092\u5FA9\u5143\u3067\u304D\u307E\u305B\u3093"},
-        {"Certificate.chain.not.found.in.the.file.specified.",
-                "\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u306F\u6307\u5B9A\u3055\u308C\u305F\u30D5\u30A1\u30A4\u30EB\u306B\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3002"},
-        {"found.non.X.509.certificate.in.signer.s.chain",
-                "\u7F72\u540D\u8005\u306E\u9023\u9396\u5185\u3067\u975EX.509\u8A3C\u660E\u66F8\u304C\u691C\u51FA\u3055\u308C\u307E\u3057\u305F"},
-        {"incomplete.certificate.chain", "\u4E0D\u5B8C\u5168\u306A\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3"},
-        {"Enter.key.password.for.alias.", "{0}\u306E\u9375\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044: "},
-        {"unable.to.recover.key.from.keystore",
-                "\u30AD\u30FC\u30B9\u30C8\u30A2\u304B\u3089\u9375\u3092\u5FA9\u5143\u3067\u304D\u307E\u305B\u3093"},
-        {"key.associated.with.alias.not.a.private.key",
-                "{0}\u3068\u95A2\u9023\u4ED8\u3051\u3089\u308C\u305F\u9375\u306F\u3001\u79D8\u5BC6\u9375\u3067\u306F\u3042\u308A\u307E\u305B\u3093"},
-        {"you.must.enter.key.password", "\u9375\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059"},
-        {"unable.to.read.password.", "\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u8AAD\u307F\u8FBC\u3081\u307E\u305B\u3093: "},
-        {"certificate.is.valid.from", "\u8A3C\u660E\u66F8\u306F{0}\u304B\u3089{1}\u307E\u3067\u6709\u52B9\u3067\u3059"},
-        {"certificate.expired.on", "\u8A3C\u660E\u66F8\u306F{0}\u306B\u5931\u52B9\u3057\u307E\u3057\u305F"},
-        {"certificate.is.not.valid.until",
-                "\u8A3C\u660E\u66F8\u306F{0}\u307E\u3067\u6709\u52B9\u3067\u306F\u3042\u308A\u307E\u305B\u3093"},
-        {"certificate.will.expire.on", "\u8A3C\u660E\u66F8\u306F{0}\u306B\u5931\u52B9\u3057\u307E\u3059"},
-        {".CertPath.not.validated.", "[CertPath\u304C\u691C\u8A3C\u3055\u308C\u3066\u3044\u307E\u305B\u3093: "},
-        {"requesting.a.signature.timestamp",
-                "\u7F72\u540D\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u30EA\u30AF\u30A8\u30B9\u30C8"},
-        {"TSA.location.", "TSA\u306E\u5834\u6240: "},
-        {"TSA.certificate.", "TSA\u8A3C\u660E\u66F8: "},
-        {"no.response.from.the.Timestamping.Authority.",
-                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u5C40\u304B\u3089\u306E\u30EC\u30B9\u30DD\u30F3\u30B9\u304C\u3042\u308A\u307E\u305B\u3093\u3002\u30D5\u30A1\u30A4\u30A2\u30A6\u30A9\u30FC\u30EB\u3092\u4ECB\u3057\u3066\u63A5\u7D9A\u3059\u308B\u3068\u304D\u306F\u3001\u5FC5\u8981\u306B\u5FDC\u3058\u3066HTTP\u307E\u305F\u306FHTTPS\u30D7\u30ED\u30AD\u30B7\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044\u3002jarsigner\u306B\u6B21\u306E\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044:"},
-        {"or", "\u307E\u305F\u306F"},
-        {"Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the",
-                "\u8A3C\u660E\u66F8\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3067\u3057\u305F: {0}\u3002{1}\u306F\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u5C40\u306EX.509\u516C\u958B\u9375\u8A3C\u660E\u66F8\u304C\u542B\u307E\u308C\u3066\u3044\u308B\u6709\u52B9\u306AKeyStore\u30A8\u30F3\u30C8\u30EA\u3092\u53C2\u7167\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002"},
-        {"using.an.alternative.signing.mechanism",
-                "\u4EE3\u66FF\u7F72\u540D\u30E1\u30AB\u30CB\u30BA\u30E0\u306E\u4F7F\u7528"},
-        {"entry.was.signed.on", "\u30A8\u30F3\u30C8\u30EA\u306F{0}\u306B\u7F72\u540D\u3055\u308C\u307E\u3057\u305F"},
-        {"Warning.", "\u8B66\u544A: "},
-        {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
-                "\u3053\u306Ejar\u306B\u306F\u3001\u6574\u5408\u6027\u30C1\u30A7\u30C3\u30AF\u3092\u3057\u3066\u3044\u306A\u3044\u672A\u7F72\u540D\u306E\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
-                "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u304C\u671F\u9650\u5207\u308C\u306E\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.",
-                "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u304C6\u304B\u6708\u4EE5\u5185\u306B\u671F\u9650\u5207\u308C\u3068\u306A\u308B\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.",
-                "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u304C\u307E\u3060\u6709\u52B9\u306B\u306A\u3063\u3066\u3044\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002 "},
-        {"Re.run.with.the.verbose.option.for.more.details.",
-                "\u8A73\u7D30\u306F\u3001-verbose\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u4F7F\u7528\u3057\u3066\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
-        {"Re.run.with.the.verbose.and.certs.options.for.more.details.",
-                "\u8A73\u7D30\u306F\u3001-verbose\u304A\u3088\u3073-certs\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u4F7F\u7528\u3057\u3066\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
-        {"The.signer.certificate.has.expired.",
-                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F\u671F\u9650\u5207\u308C\u3067\u3059\u3002"},
-        {"The.signer.certificate.will.expire.within.six.months.",
-                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F6\u304B\u6708\u4EE5\u5185\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002"},
-        {"The.signer.certificate.is.not.yet.valid.",
-                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F\u307E\u3060\u6709\u52B9\u306B\u306A\u3063\u3066\u3044\u307E\u305B\u3093\u3002"},
-        {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306EKeyUsage\u62E1\u5F35\u6A5F\u80FD\u3067\u306F\u3001\u30B3\u30FC\u30C9\u7F72\u540D\u306F\u8A31\u53EF\u3055\u308C\u307E\u305B\u3093\u3002"},
-        {"The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306EExtendedKeyUsage\u62E1\u5F35\u6A5F\u80FD\u3067\u306F\u3001\u30B3\u30FC\u30C9\u7F72\u540D\u306F\u8A31\u53EF\u3055\u308C\u307E\u305B\u3093\u3002"},
-        {"The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306ENetscapeCertType\u62E1\u5F35\u6A5F\u80FD\u3067\u306F\u3001\u30B3\u30FC\u30C9\u7F72\u540D\u306F\u8A31\u53EF\u3055\u308C\u307E\u305B\u3093\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306EKeyUsage\u62E1\u5F35\u6A5F\u80FD\u304C\u30B3\u30FC\u30C9\u7F72\u540D\u3092\u8A31\u53EF\u3057\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306EExtendedKeyUsage\u62E1\u5F35\u6A5F\u80FD\u304C\u30B3\u30FC\u30C9\u7F72\u540D\u3092\u8A31\u53EF\u3057\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "\u3053\u306Ejar\u306B\u306F\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306ENetscapeCertType\u62E1\u5F35\u6A5F\u80FD\u304C\u30B3\u30FC\u30C9\u7F72\u540D\u3092\u8A31\u53EF\u3057\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002"},
-        {".{0}.extension.does.not.support.code.signing.",
-                 "[{0}\u62E1\u5F35\u6A5F\u80FD\u306F\u30B3\u30FC\u30C9\u7F72\u540D\u3092\u30B5\u30DD\u30FC\u30C8\u3057\u3066\u3044\u307E\u305B\u3093]"},
-        {"The.signer.s.certificate.chain.is.not.validated.",
-                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u304C\u307E\u3060\u691C\u8A3C\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002"},
-        {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
-                 "\u3053\u306Ejar\u306B\u306F\u3001\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u304C\u307E\u3060\u691C\u8A3C\u3055\u308C\u3066\u3044\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002"},
-    };
-
-    /**
-     * Returns the contents of this <code>ResourceBundle</code>.
-     *
-     * <p>
-     *
-     * @return the contents of this <code>ResourceBundle</code>.
-     */
-    public Object[][] getContents() {
-        return contents;
-    }
-}
--- a/src/share/classes/sun/security/tools/JarSignerResources_zh_CN.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,240 +0,0 @@
-/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-/**
- * <p> This class represents the <code>ResourceBundle</code>
- * for JarSigner.
- *
- */
-public class JarSignerResources_zh_CN extends java.util.ListResourceBundle {
-
-    private static final Object[][] contents = {
-
-        // shared (from jarsigner)
-        {"SPACE", " "},
-        {"2SPACE", "  "},
-        {"6SPACE", "      "},
-        {"COMMA", ", "},
-
-        {"provName.not.a.provider", "{0}\u4E0D\u662F\u63D0\u4F9B\u65B9"},
-        {"signerClass.is.not.a.signing.mechanism", "{0}\u4E0D\u662F\u7B7E\u540D\u673A\u5236"},
-        {"jarsigner.error.", "jarsigner \u9519\u8BEF: "},
-        {"Illegal.option.", "\u975E\u6CD5\u9009\u9879: "},
-        {".keystore.must.be.NONE.if.storetype.is.{0}",
-                "\u5982\u679C -storetype \u4E3A {0}, \u5219 -keystore \u5FC5\u987B\u4E3A NONE"},
-        {".keypass.can.not.be.specified.if.storetype.is.{0}",
-                "\u5982\u679C -storetype \u4E3A {0}, \u5219\u4E0D\u80FD\u6307\u5B9A -keypass"},
-        {"If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified",
-                "\u5982\u679C\u6307\u5B9A\u4E86 -protected, \u5219\u4E0D\u80FD\u6307\u5B9A -storepass \u548C -keypass"},
-        {"If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified",
-                 "\u5982\u679C\u5BC6\u94A5\u5E93\u672A\u53D7\u53E3\u4EE4\u4FDD\u62A4, \u5219\u4E0D\u80FD\u6307\u5B9A -storepass \u548C -keypass"},
-        {"Usage.jarsigner.options.jar.file.alias",
-                "\u7528\u6CD5: jarsigner [\u9009\u9879] jar\u6587\u4EF6 \u522B\u540D"},
-        {".jarsigner.verify.options.jar.file.alias.",
-                "       jarsigner -verify [\u9009\u9879] jar\u6587\u4EF6 [\u522B\u540D...]"},
-        {".keystore.url.keystore.location",
-                "[-keystore <url>]           \u5BC6\u94A5\u5E93\u4F4D\u7F6E"},
-        {".storepass.password.password.for.keystore.integrity",
-            "[-storepass <\u53E3\u4EE4>]         \u7528\u4E8E\u5BC6\u94A5\u5E93\u5B8C\u6574\u6027\u7684\u53E3\u4EE4"},
-        {".storetype.type.keystore.type",
-                "[-storetype <\u7C7B\u578B>]         \u5BC6\u94A5\u5E93\u7C7B\u578B"},
-        {".keypass.password.password.for.private.key.if.different.",
-                "[-keypass <\u53E3\u4EE4>]           \u79C1\u6709\u5BC6\u94A5\u7684\u53E3\u4EE4 (\u5982\u679C\u4E0D\u540C)"},
-        {".certchain.file.name.of.alternative.certchain.file",
-                "[-certchain <\u6587\u4EF6>]         \u66FF\u4EE3\u8BC1\u4E66\u94FE\u6587\u4EF6\u7684\u540D\u79F0"},
-        {".sigfile.file.name.of.SF.DSA.file",
-                "[-sigfile <\u6587\u4EF6>]           .SF/.DSA \u6587\u4EF6\u7684\u540D\u79F0"},
-        {".signedjar.file.name.of.signed.JAR.file",
-                "[-signedjar <\u6587\u4EF6>]         \u5DF2\u7B7E\u540D\u7684 JAR \u6587\u4EF6\u7684\u540D\u79F0"},
-        {".digestalg.algorithm.name.of.digest.algorithm",
-                "[-digestalg <\u7B97\u6CD5>]    \u6458\u8981\u7B97\u6CD5\u7684\u540D\u79F0"},
-        {".sigalg.algorithm.name.of.signature.algorithm",
-                "[-sigalg <\u7B97\u6CD5>]       \u7B7E\u540D\u7B97\u6CD5\u7684\u540D\u79F0"},
-        {".verify.verify.a.signed.JAR.file",
-                "[-verify]                   \u9A8C\u8BC1\u5DF2\u7B7E\u540D\u7684 JAR \u6587\u4EF6"},
-        {".verbose.suboptions.verbose.output.when.signing.verifying.",
-                "[-verbose[:\u5B50\u9009\u9879]]     \u7B7E\u540D/\u9A8C\u8BC1\u65F6\u8F93\u51FA\u8BE6\u7EC6\u4FE1\u606F\u3002"},
-        {".suboptions.can.be.all.grouped.or.summary",
-                "                            \u5B50\u9009\u9879\u53EF\u4EE5\u662F all, grouped \u6216 summary"},
-        {".certs.display.certificates.when.verbose.and.verifying",
-                "[-certs]                    \u8F93\u51FA\u8BE6\u7EC6\u4FE1\u606F\u548C\u9A8C\u8BC1\u65F6\u663E\u793A\u8BC1\u4E66"},
-        {".tsa.url.location.of.the.Timestamping.Authority",
-                "[-tsa <url>]                \u65F6\u95F4\u6233\u9881\u53D1\u673A\u6784\u7684\u4F4D\u7F6E"},
-        {".tsacert.alias.public.key.certificate.for.Timestamping.Authority",
-                "[-tsacert <\u522B\u540D>]           \u65F6\u95F4\u6233\u9881\u53D1\u673A\u6784\u7684\u516C\u5171\u5BC6\u94A5\u8BC1\u4E66"},
-        {".altsigner.class.class.name.of.an.alternative.signing.mechanism",
-                "[-altsigner <\u7C7B>]           \u66FF\u4EE3\u7684\u7B7E\u540D\u673A\u5236\u7684\u7C7B\u540D"},
-        {".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism",
-                "[-altsignerpath <\u8DEF\u5F84\u5217\u8868>] \u66FF\u4EE3\u7684\u7B7E\u540D\u673A\u5236\u7684\u4F4D\u7F6E"},
-        {".internalsf.include.the.SF.file.inside.the.signature.block",
-                "[-internalsf]               \u5728\u7B7E\u540D\u5757\u5185\u5305\u542B .SF \u6587\u4EF6"},
-        {".sectionsonly.don.t.compute.hash.of.entire.manifest",
-                "[-sectionsonly]             \u4E0D\u8BA1\u7B97\u6574\u4E2A\u6E05\u5355\u7684\u6563\u5217"},
-        {".protected.keystore.has.protected.authentication.path",
-                "[-protected]                \u5BC6\u94A5\u5E93\u5177\u6709\u53D7\u4FDD\u62A4\u9A8C\u8BC1\u8DEF\u5F84"},
-        {".providerName.name.provider.name",
-                "[-providerName <\u540D\u79F0>]      \u63D0\u4F9B\u65B9\u540D\u79F0"},
-        {".providerClass.class.name.of.cryptographic.service.provider.s",
-                "[-providerClass <\u7C7B>        \u52A0\u5BC6\u670D\u52A1\u63D0\u4F9B\u65B9\u7684\u540D\u79F0"},
-        {".providerArg.arg.master.class.file.and.constructor.argument",
-                "  [-providerArg <\u53C2\u6570>]]... \u4E3B\u7C7B\u6587\u4EF6\u548C\u6784\u9020\u5668\u53C2\u6570"},
-        {".strict.treat.warnings.as.errors",
-                "[-strict]                   \u5C06\u8B66\u544A\u89C6\u4E3A\u9519\u8BEF"},
-        {"Option.lacks.argument", "\u9009\u9879\u7F3A\u5C11\u53C2\u6570"},
-        {"Please.type.jarsigner.help.for.usage", "\u8BF7\u952E\u5165 jarsigner -help \u4EE5\u4E86\u89E3\u7528\u6CD5"},
-        {"Please.specify.jarfile.name", "\u8BF7\u6307\u5B9A jar \u6587\u4EF6\u7684\u540D\u79F0"},
-        {"Please.specify.alias.name", "\u8BF7\u6307\u5B9A\u522B\u540D"},
-        {"Only.one.alias.can.be.specified", "\u53EA\u80FD\u6307\u5B9A\u4E00\u4E2A\u522B\u540D"},
-        {"This.jar.contains.signed.entries.which.is.not.signed.by.the.specified.alias.es.",
-                 "\u6B64 jar \u5305\u542B\u672A\u7531\u6307\u5B9A\u522B\u540D\u7B7E\u540D\u7684\u5DF2\u7B7E\u540D\u6761\u76EE\u3002"},
-        {"This.jar.contains.signed.entries.that.s.not.signed.by.alias.in.this.keystore.",
-                  "\u6B64 jar \u5305\u542B\u672A\u7531\u6B64\u5BC6\u94A5\u5E93\u4E2D\u7684\u522B\u540D\u7B7E\u540D\u7684\u5DF2\u7B7E\u540D\u6761\u76EE\u3002"},
-        {"s", "s"},
-        {"m", "m"},
-        {"k", "k"},
-        {"i", "i"},
-        {".and.d.more.", "(%d \u53CA\u4EE5\u4E0A)"},
-        {".s.signature.was.verified.",
-                "  s = \u5DF2\u9A8C\u8BC1\u7B7E\u540D "},
-        {".m.entry.is.listed.in.manifest",
-                "  m = \u5728\u6E05\u5355\u4E2D\u5217\u51FA\u6761\u76EE"},
-        {".k.at.least.one.certificate.was.found.in.keystore",
-                "  k = \u5728\u5BC6\u94A5\u5E93\u4E2D\u81F3\u5C11\u627E\u5230\u4E86\u4E00\u4E2A\u8BC1\u4E66"},
-        {".i.at.least.one.certificate.was.found.in.identity.scope",
-                "  i = \u5728\u8EAB\u4EFD\u4F5C\u7528\u57DF\u5185\u81F3\u5C11\u627E\u5230\u4E86\u4E00\u4E2A\u8BC1\u4E66"},
-        {".X.not.signed.by.specified.alias.es.",
-                "  X = \u672A\u7531\u6307\u5B9A\u522B\u540D\u7B7E\u540D"},
-        {"no.manifest.", "\u6CA1\u6709\u6E05\u5355\u3002"},
-        {".Signature.related.entries.","(\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6761\u76EE)"},
-        {".Unsigned.entries.", "(\u672A\u7B7E\u540D\u6761\u76EE)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar \u672A\u7B7E\u540D\u3002(\u7F3A\u5C11\u7B7E\u540D\u6216\u65E0\u6CD5\u5BF9\u7B7E\u540D\u8FDB\u884C\u8BED\u6CD5\u5206\u6790)"},
-        {"jar.verified.", "jar \u5DF2\u9A8C\u8BC1\u3002"},
-        {"jarsigner.", "jarsigner: "},
-        {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
-                "\u7B7E\u540D\u6587\u4EF6\u540D\u5FC5\u987B\u5305\u542B\u4EE5\u4E0B\u5B57\u7B26: A-Z, 0-9, _ \u6216 -"},
-        {"unable.to.open.jar.file.", "\u65E0\u6CD5\u6253\u5F00 jar \u6587\u4EF6: "},
-        {"unable.to.create.", "\u65E0\u6CD5\u521B\u5EFA: "},
-        {".adding.", "   \u6B63\u5728\u6DFB\u52A0: "},
-        {".updating.", " \u6B63\u5728\u66F4\u65B0: "},
-        {".signing.", "  \u6B63\u5728\u7B7E\u540D: "},
-        {"attempt.to.rename.signedJarFile.to.jarFile.failed",
-                "\u5C1D\u8BD5\u5C06{0}\u91CD\u547D\u540D\u4E3A{1}\u65F6\u5931\u8D25"},
-        {"attempt.to.rename.jarFile.to.origJar.failed",
-                "\u5C1D\u8BD5\u5C06{0}\u91CD\u547D\u540D\u4E3A{1}\u65F6\u5931\u8D25"},
-        {"unable.to.sign.jar.", "\u65E0\u6CD5\u5BF9 jar \u8FDB\u884C\u7B7E\u540D: "},
-        {"Enter.Passphrase.for.keystore.", "\u8F93\u5165\u5BC6\u94A5\u5E93\u7684\u5BC6\u7801\u77ED\u8BED: "},
-        {"keystore.load.", "\u5BC6\u94A5\u5E93\u52A0\u8F7D: "},
-        {"certificate.exception.", "\u8BC1\u4E66\u5F02\u5E38\u9519\u8BEF: "},
-        {"unable.to.instantiate.keystore.class.",
-                "\u65E0\u6CD5\u5B9E\u4F8B\u5316\u5BC6\u94A5\u5E93\u7C7B: "},
-        {"Certificate.chain.not.found.for.alias.alias.must.reference.a.valid.KeyStore.key.entry.containing.a.private.key.and",
-                "\u627E\u4E0D\u5230{0}\u7684\u8BC1\u4E66\u94FE\u3002{1}\u5FC5\u987B\u5F15\u7528\u5305\u542B\u79C1\u6709\u5BC6\u94A5\u548C\u76F8\u5E94\u7684\u516C\u5171\u5BC6\u94A5\u8BC1\u4E66\u94FE\u7684\u6709\u6548 KeyStore \u5BC6\u94A5\u6761\u76EE\u3002"},
-        {"File.specified.by.certchain.does.not.exist",
-                "\u7531 -certchain \u6307\u5B9A\u7684\u6587\u4EF6\u4E0D\u5B58\u5728"},
-        {"Cannot.restore.certchain.from.file.specified",
-                "\u65E0\u6CD5\u4ECE\u6307\u5B9A\u7684\u6587\u4EF6\u8FD8\u539F\u8BC1\u4E66\u94FE"},
-        {"Certificate.chain.not.found.in.the.file.specified.",
-                "\u5728\u6307\u5B9A\u7684\u6587\u4EF6\u4E2D\u627E\u4E0D\u5230\u8BC1\u4E66\u94FE\u3002"},
-        {"found.non.X.509.certificate.in.signer.s.chain",
-                "\u5728\u7B7E\u540D\u8005\u7684\u94FE\u4E2D\u627E\u5230\u975E X.509 \u8BC1\u4E66"},
-        {"incomplete.certificate.chain", "\u8BC1\u4E66\u94FE\u4E0D\u5B8C\u6574"},
-        {"Enter.key.password.for.alias.", "\u8F93\u5165{0}\u7684\u5BC6\u94A5\u53E3\u4EE4: "},
-        {"unable.to.recover.key.from.keystore",
-                "\u65E0\u6CD5\u4ECE\u5BC6\u94A5\u5E93\u4E2D\u6062\u590D\u5BC6\u94A5"},
-        {"key.associated.with.alias.not.a.private.key",
-                "\u4E0E{0}\u5173\u8054\u7684\u5BC6\u94A5\u4E0D\u662F\u79C1\u6709\u5BC6\u94A5"},
-        {"you.must.enter.key.password", "\u5FC5\u987B\u8F93\u5165\u5BC6\u94A5\u53E3\u4EE4"},
-        {"unable.to.read.password.", "\u65E0\u6CD5\u8BFB\u53D6\u53E3\u4EE4: "},
-        {"certificate.is.valid.from", "\u8BC1\u4E66\u7684\u6709\u6548\u671F\u4E3A{0}\u81F3{1}"},
-        {"certificate.expired.on", "\u8BC1\u4E66\u5230\u671F\u65E5\u671F\u4E3A {0}"},
-        {"certificate.is.not.valid.until",
-                "\u76F4\u5230{0}, \u8BC1\u4E66\u624D\u6709\u6548"},
-        {"certificate.will.expire.on", "\u8BC1\u4E66\u5C06\u5728{0}\u5230\u671F"},
-        {".CertPath.not.validated.", "[CertPath \u672A\u9A8C\u8BC1: "},
-        {"requesting.a.signature.timestamp",
-                "\u6B63\u5728\u8BF7\u6C42\u7B7E\u540D\u65F6\u95F4\u6233"},
-        {"TSA.location.", "TSA \u4F4D\u7F6E: "},
-        {"TSA.certificate.", "TSA \u8BC1\u4E66: "},
-        {"no.response.from.the.Timestamping.Authority.",
-                "\u65F6\u95F4\u6233\u9881\u53D1\u673A\u6784\u6CA1\u6709\u54CD\u5E94\u3002\u5982\u679C\u8981\u4ECE\u9632\u706B\u5899\u540E\u9762\u8FDE\u63A5, \u5219\u53EF\u80FD\u9700\u8981\u6307\u5B9A HTTP \u6216 HTTPS \u4EE3\u7406\u3002\u8BF7\u4E3A jarsigner \u63D0\u4F9B\u4EE5\u4E0B\u9009\u9879: "},
-        {"or", "\u6216"},
-        {"Certificate.not.found.for.alias.alias.must.reference.a.valid.KeyStore.entry.containing.an.X.509.public.key.certificate.for.the",
-                "\u627E\u4E0D\u5230{0}\u7684\u8BC1\u4E66\u3002{1}\u5FC5\u987B\u5F15\u7528\u5305\u542B\u65F6\u95F4\u6233\u9881\u53D1\u673A\u6784\u7684 X.509 \u516C\u5171\u5BC6\u94A5\u8BC1\u4E66\u7684\u6709\u6548 KeyStore \u6761\u76EE\u3002"},
-        {"using.an.alternative.signing.mechanism",
-                "\u6B63\u5728\u4F7F\u7528\u66FF\u4EE3\u7684\u7B7E\u540D\u673A\u5236"},
-        {"entry.was.signed.on", "\u6761\u76EE\u7684\u7B7E\u540D\u65E5\u671F\u4E3A {0}"},
-        {"Warning.", "\u8B66\u544A: "},
-        {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
-                "\u6B64 jar \u5305\u542B\u5C1A\u672A\u8FDB\u884C\u5B8C\u6574\u6027\u68C0\u67E5\u7684\u672A\u7B7E\u540D\u6761\u76EE\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
-                "\u6B64 jar \u5305\u542B\u7B7E\u540D\u8005\u8BC1\u4E66\u5DF2\u8FC7\u671F\u7684\u6761\u76EE\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.will.expire.within.six.months.",
-                "\u6B64 jar \u5305\u542B\u7B7E\u540D\u8005\u8BC1\u4E66\u5C06\u5728\u516D\u4E2A\u6708\u5185\u8FC7\u671F\u7684\u6761\u76EE\u3002 "},
-        {"This.jar.contains.entries.whose.signer.certificate.is.not.yet.valid.",
-                "\u6B64 jar \u5305\u542B\u7B7E\u540D\u8005\u8BC1\u4E66\u4ECD\u65E0\u6548\u7684\u6761\u76EE\u3002 "},
-        {"Re.run.with.the.verbose.option.for.more.details.",
-                "\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -verbose \u9009\u9879\u91CD\u65B0\u8FD0\u884C\u3002"},
-        {"Re.run.with.the.verbose.and.certs.options.for.more.details.",
-                "\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -verbose \u548C -certs \u9009\u9879\u91CD\u65B0\u8FD0\u884C\u3002"},
-        {"The.signer.certificate.has.expired.",
-                "\u7B7E\u540D\u8005\u8BC1\u4E66\u5DF2\u8FC7\u671F\u3002"},
-        {"The.signer.certificate.will.expire.within.six.months.",
-                "\u7B7E\u540D\u8005\u8BC1\u4E66\u5C06\u5728\u516D\u4E2A\u6708\u5185\u8FC7\u671F\u3002"},
-        {"The.signer.certificate.is.not.yet.valid.",
-                "\u7B7E\u540D\u8005\u8BC1\u4E66\u4ECD\u65E0\u6548\u3002"},
-        {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 KeyUsage \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u3002"},
-        {"The.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 ExtendedKeyUsage \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u3002"},
-        {"The.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 NetscapeCertType \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u6B64 jar \u5305\u542B\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 KeyUsage \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u7684\u6761\u76EE\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.ExtendedKeyUsage.extension.doesn.t.allow.code.signing.",
-                 "\u6B64 jar \u5305\u542B\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 ExtendedKeyUsage \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u7684\u6761\u76EE\u3002"},
-        {"This.jar.contains.entries.whose.signer.certificate.s.NetscapeCertType.extension.doesn.t.allow.code.signing.",
-                 "\u6B64 jar \u5305\u542B\u7531\u4E8E\u7B7E\u540D\u8005\u8BC1\u4E66\u7684 NetscapeCertType \u6269\u5C55\u800C\u65E0\u6CD5\u8FDB\u884C\u4EE3\u7801\u7B7E\u540D\u7684\u6761\u76EE\u3002"},
-        {".{0}.extension.does.not.support.code.signing.",
-                 "[{0} \u6269\u5C55\u4E0D\u652F\u6301\u4EE3\u7801\u7B7E\u540D]"},
-        {"The.signer.s.certificate.chain.is.not.validated.",
-                "\u7B7E\u540D\u8005\u7684\u8BC1\u4E66\u94FE\u672A\u9A8C\u8BC1\u3002"},
-        {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.",
-                 "\u6B64 jar \u5305\u542B\u8BC1\u4E66\u94FE\u672A\u9A8C\u8BC1\u7684\u6761\u76EE\u3002"},
-    };
-
-    /**
-     * Returns the contents of this <code>ResourceBundle</code>.
-     *
-     * <p>
-     *
-     * @return the contents of this <code>ResourceBundle</code>.
-     */
-    public Object[][] getContents() {
-        return contents;
-    }
-}
--- a/src/share/classes/sun/security/tools/KeyStoreUtil.java	Sat Oct 13 10:15:57 2012 +0100
+++ b/src/share/classes/sun/security/tools/KeyStoreUtil.java	Sun Oct 14 22:58:59 2012 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,18 @@
 
 package sun.security.tools;
 
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import java.net.URL;
+
+import java.security.KeyStore;
+
+import java.text.Collator;
+
 import java.util.Locale;
 
 /**
@@ -34,18 +46,17 @@
  */
 public class KeyStoreUtil {
 
-    // Class and methods marked as public so that they can be
-    // accessed by JarSigner, which although lies in a package
-    // with the same name, but bundled in tools.jar and loaded
-    // by another class loader, hence in a different *runtime*
-    // package.
-    //
-    // See JVM Spec, 5.3 and 5.4.4
-
     private KeyStoreUtil() {
         // this class is not meant to be instantiated
     }
 
+    private static final String JKS = "jks";
+
+    private static final Collator collator = Collator.getInstance();
+    static {
+        // this is for case insensitive string comparisons
+        collator.setStrength(Collator.PRIMARY);
+    };
 
     /**
      * Returns true if KeyStore has a password. This is true except for
@@ -68,4 +79,76 @@
             return storetype.toUpperCase(Locale.ENGLISH);
         }
     }
+
+    /**
+     * Returns the keystore with the configured CA certificates.
+     */
+    public static KeyStore getCacertsKeyStore()
+        throws Exception
+    {
+        String sep = File.separator;
+        File file = new File(System.getProperty("java.home") + sep
+                             + "lib" + sep + "security" + sep
+                             + "cacerts");
+        if (!file.exists()) {
+            return null;
+        }
+        KeyStore caks = null;
+        try (FileInputStream fis = new FileInputStream(file)) {
+            caks = KeyStore.getInstance(JKS);
+            caks.load(fis, null);
+        }
+        return caks;
+    }
+
+    public static char[] getPassWithModifier(String modifier, String arg,
+                                             java.util.ResourceBundle rb) {
+        if (modifier == null) {
+            return arg.toCharArray();
+        } else if (collator.compare(modifier, "env") == 0) {
+            String value = System.getenv(arg);
+            if (value == null) {
+                System.err.println(rb.getString(
+                        "Cannot.find.environment.variable.") + arg);
+                return null;
+            } else {
+                return value.toCharArray();
+            }
+        } else if (collator.compare(modifier, "file") == 0) {
+            try {
+                URL url = null;
+                try {
+                    url = new URL(arg);
+                } catch (java.net.MalformedURLException mue) {
+                    File f = new File(arg);
+                    if (f.exists()) {
+                        url = f.toURI().toURL();
+                    } else {
+                        System.err.println(rb.getString(
+                                "Cannot.find.file.") + arg);
+                        return null;
+                    }
+                }
+
+                try (BufferedReader br =
+                     new BufferedReader(new InputStreamReader(
+                         url.openStream()))) {
+                    String value = br.readLine();
+
+                    if (value == null) {
+                        return new char[0];
+                    }
+
+                    return value.toCharArray();
+                }
+            } catch (IOException ioe) {
+                System.err.println(ioe);
+                return null;
+            }
+        } else {
+            System.err.println(rb.getString("Unknown.password.type.") +
+                    modifier);
+            return null;
+        }
+    }
 }
--- a/src/share/classes/sun/security/tools/KeyTool.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,4147 +0,0 @@
-/*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-import java.io.*;
-import java.security.CodeSigner;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.MessageDigest;
-import java.security.Key;
-import java.security.PublicKey;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.Signature;
-import java.security.Timestamp;
-import java.security.UnrecoverableEntryException;
-import java.security.UnrecoverableKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Provider;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.CertStoreException;
-import java.security.cert.CRL;
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.text.Collator;
-import java.text.MessageFormat;
-import java.util.*;
-import java.util.jar.JarEntry;
-import java.util.jar.JarFile;
-import java.lang.reflect.Constructor;
-import java.math.BigInteger;
-import java.net.URI;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.security.cert.CertStore;
-
-import java.security.cert.X509CRL;
-import java.security.cert.X509CRLEntry;
-import java.security.cert.X509CRLSelector;
-import javax.security.auth.x500.X500Principal;
-import sun.misc.BASE64Encoder;
-import sun.security.util.ObjectIdentifier;
-import sun.security.pkcs10.PKCS10;
-import sun.security.pkcs10.PKCS10Attribute;
-import sun.security.provider.X509Factory;
-import sun.security.provider.certpath.CertStoreHelper;
-import sun.security.util.Password;
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-
-import sun.misc.BASE64Decoder;
-import sun.security.pkcs.PKCS9Attribute;
-import sun.security.util.DerValue;
-import sun.security.x509.*;
-
-import static java.security.KeyStore.*;
-import static sun.security.tools.KeyTool.Command.*;
-import static sun.security.tools.KeyTool.Option.*;
-
-/**
- * This tool manages keystores.
- *
- * @author Jan Luehe
- *
- *
- * @see java.security.KeyStore
- * @see sun.security.provider.KeyProtector
- * @see sun.security.provider.JavaKeyStore
- *
- * @since 1.2
- */
-public final class KeyTool {
-
-    private boolean debug = false;
-    private Command command = null;
-    private String sigAlgName = null;
-    private String keyAlgName = null;
-    private boolean verbose = false;
-    private int keysize = -1;
-    private boolean rfc = false;
-    private long validity = (long)90;
-    private String alias = null;
-    private String dname = null;
-    private String dest = null;
-    private String filename = null;
-    private String infilename = null;
-    private String outfilename = null;
-    private String srcksfname = null;
-
-    // User-specified providers are added before any command is called.
-    // However, they are not removed before the end of the main() method.
-    // If you're calling KeyTool.main() directly in your own Java program,
-    // please programtically add any providers you need and do not specify
-    // them through the command line.
-
-    private Set<Pair <String, String>> providers = null;
-    private String storetype = null;
-    private String srcProviderName = null;
-    private String providerName = null;
-    private String pathlist = null;
-    private char[] storePass = null;
-    private char[] storePassNew = null;
-    private char[] keyPass = null;
-    private char[] keyPassNew = null;
-    private char[] newPass = null;
-    private char[] destKeyPass = null;
-    private char[] srckeyPass = null;
-    private String ksfname = null;
-    private File ksfile = null;
-    private InputStream ksStream = null; // keystore stream
-    private String sslserver = null;
-    private String jarfile = null;
-    private KeyStore keyStore = null;
-    private boolean token = false;
-    private boolean nullStream = false;
-    private boolean kssave = false;
-    private boolean noprompt = false;
-    private boolean trustcacerts = false;
-    private boolean protectedPath = false;
-    private boolean srcprotectedPath = false;
-    private CertificateFactory cf = null;
-    private KeyStore caks = null; // "cacerts" keystore
-    private char[] srcstorePass = null;
-    private String srcstoretype = null;
-    private Set<char[]> passwords = new HashSet<>();
-    private String startDate = null;
-
-    private List<String> ids = new ArrayList<>();   // used in GENCRL
-    private List<String> v3ext = new ArrayList<>();
-
-    enum Command {
-        CERTREQ("Generates.a.certificate.request",
-            ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME,
-            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        CHANGEALIAS("Changes.an.entry.s.alias",
-            ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS,
-            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V, PROTECTED),
-        DELETE("Deletes.an.entry",
-            ALIAS, KEYSTORE, STOREPASS, STORETYPE,
-            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V, PROTECTED),
-        EXPORTCERT("Exports.certificate",
-            RFC, ALIAS, FILEOUT, KEYSTORE, STOREPASS,
-            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V, PROTECTED),
-        GENKEYPAIR("Generates.a.key.pair",
-            ALIAS, KEYALG, KEYSIZE, SIGALG, DESTALIAS, DNAME,
-            STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
-            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        GENSECKEY("Generates.a.secret.key",
-            ALIAS, KEYPASS, KEYALG, KEYSIZE, KEYSTORE,
-            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        GENCERT("Generates.certificate.from.a.certificate.request",
-            RFC, INFILE, OUTFILE, ALIAS, SIGALG, DNAME,
-            STARTDATE, EXT, VALIDITY, KEYPASS, KEYSTORE,
-            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        IMPORTCERT("Imports.a.certificate.or.a.certificate.chain",
-            NOPROMPT, TRUSTCACERTS, PROTECTED, ALIAS, FILEIN,
-            KEYPASS, KEYSTORE, STOREPASS, STORETYPE,
-            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V),
-        IMPORTKEYSTORE("Imports.one.or.all.entries.from.another.keystore",
-            SRCKEYSTORE, DESTKEYSTORE, SRCSTORETYPE,
-            DESTSTORETYPE, SRCSTOREPASS, DESTSTOREPASS,
-            SRCPROTECTED, SRCPROVIDERNAME, DESTPROVIDERNAME,
-            SRCALIAS, DESTALIAS, SRCKEYPASS, DESTKEYPASS,
-            NOPROMPT, PROVIDERCLASS, PROVIDERARG, PROVIDERPATH,
-            V),
-        KEYPASSWD("Changes.the.key.password.of.an.entry",
-            ALIAS, KEYPASS, NEW, KEYSTORE, STOREPASS,
-            STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V),
-        LIST("Lists.entries.in.a.keystore",
-            RFC, ALIAS, KEYSTORE, STOREPASS, STORETYPE,
-            PROVIDERNAME, PROVIDERCLASS, PROVIDERARG,
-            PROVIDERPATH, V, PROTECTED),
-        PRINTCERT("Prints.the.content.of.a.certificate",
-            RFC, FILEIN, SSLSERVER, JARFILE, V),
-        PRINTCERTREQ("Prints.the.content.of.a.certificate.request",
-            FILEIN, V),
-        PRINTCRL("Prints.the.content.of.a.CRL.file",
-            FILEIN, V),
-        STOREPASSWD("Changes.the.store.password.of.a.keystore",
-            NEW, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME,
-            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),
-
-        // Undocumented start here, KEYCLONE is used a marker in -help;
-
-        KEYCLONE("Clones.a.key.entry",
-            ALIAS, DESTALIAS, KEYPASS, NEW, STORETYPE,
-            KEYSTORE, STOREPASS, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V),
-        SELFCERT("Generates.a.self.signed.certificate",
-            ALIAS, SIGALG, DNAME, STARTDATE, VALIDITY, KEYPASS,
-            STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
-            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V),
-        GENCRL("Generates.CRL",
-            RFC, FILEOUT, ID,
-            ALIAS, SIGALG, EXT, KEYPASS, KEYSTORE,
-            STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS,
-            PROVIDERARG, PROVIDERPATH, V, PROTECTED),
-        IDENTITYDB("Imports.entries.from.a.JDK.1.1.x.style.identity.database",
-            FILEIN, STORETYPE, KEYSTORE, STOREPASS, PROVIDERNAME,
-            PROVIDERCLASS, PROVIDERARG, PROVIDERPATH, V);
-
-        final String description;
-        final Option[] options;
-        Command(String d, Option... o) {
-            description = d;
-            options = o;
-        }
-        @Override
-        public String toString() {
-            return "-" + name().toLowerCase(Locale.ENGLISH);
-        }
-    };
-
-    enum Option {
-        ALIAS("alias", "<alias>", "alias.name.of.the.entry.to.process"),
-        DESTALIAS("destalias", "<destalias>", "destination.alias"),
-        DESTKEYPASS("destkeypass", "<arg>", "destination.key.password"),
-        DESTKEYSTORE("destkeystore", "<destkeystore>", "destination.keystore.name"),
-        DESTPROTECTED("destprotected", null, "destination.keystore.password.protected"),
-        DESTPROVIDERNAME("destprovidername", "<destprovidername>", "destination.keystore.provider.name"),
-        DESTSTOREPASS("deststorepass", "<arg>", "destination.keystore.password"),
-        DESTSTORETYPE("deststoretype", "<deststoretype>", "destination.keystore.type"),
-        DNAME("dname", "<dname>", "distinguished.name"),
-        EXT("ext", "<value>", "X.509.extension"),
-        FILEOUT("file", "<filename>", "output.file.name"),
-        FILEIN("file", "<filename>", "input.file.name"),
-        ID("id", "<id:reason>", "Serial.ID.of.cert.to.revoke"),
-        INFILE("infile", "<filename>", "input.file.name"),
-        KEYALG("keyalg", "<keyalg>", "key.algorithm.name"),
-        KEYPASS("keypass", "<arg>", "key.password"),
-        KEYSIZE("keysize", "<keysize>", "key.bit.size"),
-        KEYSTORE("keystore", "<keystore>", "keystore.name"),
-        NEW("new", "<arg>", "new.password"),
-        NOPROMPT("noprompt", null, "do.not.prompt"),
-        OUTFILE("outfile", "<filename>", "output.file.name"),
-        PROTECTED("protected", null, "password.through.protected.mechanism"),
-        PROVIDERARG("providerarg", "<arg>", "provider.argument"),
-        PROVIDERCLASS("providerclass", "<providerclass>", "provider.class.name"),
-        PROVIDERNAME("providername", "<providername>", "provider.name"),
-        PROVIDERPATH("providerpath", "<pathlist>", "provider.classpath"),
-        RFC("rfc", null, "output.in.RFC.style"),
-        SIGALG("sigalg", "<sigalg>", "signature.algorithm.name"),
-        SRCALIAS("srcalias", "<srcalias>", "source.alias"),
-        SRCKEYPASS("srckeypass", "<arg>", "source.key.password"),
-        SRCKEYSTORE("srckeystore", "<srckeystore>", "source.keystore.name"),
-        SRCPROTECTED("srcprotected", null, "source.keystore.password.protected"),
-        SRCPROVIDERNAME("srcprovidername", "<srcprovidername>", "source.keystore.provider.name"),
-        SRCSTOREPASS("srcstorepass", "<arg>", "source.keystore.password"),
-        SRCSTORETYPE("srcstoretype", "<srcstoretype>", "source.keystore.type"),
-        SSLSERVER("sslserver", "<server[:port]>", "SSL.server.host.and.port"),
-        JARFILE("jarfile", "<filename>", "signed.jar.file"),
-        STARTDATE("startdate", "<startdate>", "certificate.validity.start.date.time"),
-        STOREPASS("storepass", "<arg>", "keystore.password"),
-        STORETYPE("storetype", "<storetype>", "keystore.type"),
-        TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"),
-        V("v", null, "verbose.output"),
-        VALIDITY("validity", "<valDays>", "validity.number.of.days");
-
-        final String name, arg, description;
-        Option(String name, String arg, String description) {
-            this.name = name;
-            this.arg = arg;
-            this.description = description;
-        }
-        @Override
-        public String toString() {
-            return "-" + name;
-        }
-    };
-
-    private static final Class[] PARAM_STRING = { String.class };
-
-    private static final String JKS = "jks";
-    private static final String NONE = "NONE";
-    private static final String P11KEYSTORE = "PKCS11";
-    private static final String P12KEYSTORE = "PKCS12";
-    private final String keyAlias = "mykey";
-
-    // for i18n
-    private static final java.util.ResourceBundle rb =
-        java.util.ResourceBundle.getBundle("sun.security.util.Resources");
-    private static final Collator collator = Collator.getInstance();
-    static {
-        // this is for case insensitive string comparisons
-        collator.setStrength(Collator.PRIMARY);
-    };
-
-    private KeyTool() { }
-
-    public static void main(String[] args) throws Exception {
-        KeyTool kt = new KeyTool();
-        kt.run(args, System.out);
-    }
-
-    private void run(String[] args, PrintStream out) throws Exception {
-        try {
-            parseArgs(args);
-            if (command != null) {
-                doCommands(out);
-            }
-        } catch (Exception e) {
-            System.out.println(rb.getString("keytool.error.") + e);
-            if (verbose) {
-                e.printStackTrace(System.out);
-            }
-            if (!debug) {
-                System.exit(1);
-            } else {
-                throw e;
-            }
-        } finally {
-            for (char[] pass : passwords) {
-                if (pass != null) {
-                    Arrays.fill(pass, ' ');
-                    pass = null;
-                }
-            }
-
-            if (ksStream != null) {
-                ksStream.close();
-            }
-        }
-    }
-
-    /**
-     * Parse command line arguments.
-     */
-    void parseArgs(String[] args) {
-
-        int i=0;
-        boolean help = args.length == 0;
-
-        for (i=0; (i < args.length) && args[i].startsWith("-"); i++) {
-
-            String flags = args[i];
-
-            // Check if the last option needs an arg
-            if (i == args.length - 1) {
-                for (Option option: Option.values()) {
-                    // Only options with an arg need to be checked
-                    if (collator.compare(flags, option.toString()) == 0) {
-                        if (option.arg != null) errorNeedArgument(flags);
-                        break;
-                    }
-                }
-            }
-
-            /*
-             * Check modifiers
-             */
-            String modifier = null;
-            int pos = flags.indexOf(':');
-            if (pos > 0) {
-                modifier = flags.substring(pos+1);
-                flags = flags.substring(0, pos);
-            }
-            /*
-             * command modes
-             */
-            boolean isCommand = false;
-            for (Command c: Command.values()) {
-                if (collator.compare(flags, c.toString()) == 0) {
-                    command = c;
-                    isCommand = true;
-                    break;
-                }
-            }
-
-            if (isCommand) {
-                // already recognized as a command
-            } else if (collator.compare(flags, "-export") == 0) {
-                command = EXPORTCERT;
-            } else if (collator.compare(flags, "-genkey") == 0) {
-                command = GENKEYPAIR;
-            } else if (collator.compare(flags, "-import") == 0) {
-                command = IMPORTCERT;
-            }
-            /*
-             * Help
-             */
-            else if (collator.compare(flags, "-help") == 0) {
-                help = true;
-            }
-
-            /*
-             * specifiers
-             */
-            else if (collator.compare(flags, "-keystore") == 0 ||
-                    collator.compare(flags, "-destkeystore") == 0) {
-                ksfname = args[++i];
-            } else if (collator.compare(flags, "-storepass") == 0 ||
-                    collator.compare(flags, "-deststorepass") == 0) {
-                storePass = getPass(modifier, args[++i]);
-                passwords.add(storePass);
-            } else if (collator.compare(flags, "-storetype") == 0 ||
-                    collator.compare(flags, "-deststoretype") == 0) {
-                storetype = args[++i];
-            } else if (collator.compare(flags, "-srcstorepass") == 0) {
-                srcstorePass = getPass(modifier, args[++i]);
-                passwords.add(srcstorePass);
-            } else if (collator.compare(flags, "-srcstoretype") == 0) {
-                srcstoretype = args[++i];
-            } else if (collator.compare(flags, "-srckeypass") == 0) {
-                srckeyPass = getPass(modifier, args[++i]);
-                passwords.add(srckeyPass);
-            } else if (collator.compare(flags, "-srcprovidername") == 0) {
-                srcProviderName = args[++i];
-            } else if (collator.compare(flags, "-providername") == 0 ||
-                    collator.compare(flags, "-destprovidername") == 0) {
-                providerName = args[++i];
-            } else if (collator.compare(flags, "-providerpath") == 0) {
-                pathlist = args[++i];
-            } else if (collator.compare(flags, "-keypass") == 0) {
-                keyPass = getPass(modifier, args[++i]);
-                passwords.add(keyPass);
-            } else if (collator.compare(flags, "-new") == 0) {
-                newPass = getPass(modifier, args[++i]);
-                passwords.add(newPass);
-            } else if (collator.compare(flags, "-destkeypass") == 0) {
-                destKeyPass = getPass(modifier, args[++i]);
-                passwords.add(destKeyPass);
-            } else if (collator.compare(flags, "-alias") == 0 ||
-                    collator.compare(flags, "-srcalias") == 0) {
-                alias = args[++i];
-            } else if (collator.compare(flags, "-dest") == 0 ||
-                    collator.compare(flags, "-destalias") == 0) {
-                dest = args[++i];
-            } else if (collator.compare(flags, "-dname") == 0) {
-                dname = args[++i];
-            } else if (collator.compare(flags, "-keysize") == 0) {
-                keysize = Integer.parseInt(args[++i]);
-            } else if (collator.compare(flags, "-keyalg") == 0) {
-                keyAlgName = args[++i];
-            } else if (collator.compare(flags, "-sigalg") == 0) {
-                sigAlgName = args[++i];
-            } else if (collator.compare(flags, "-startdate") == 0) {
-                startDate = args[++i];
-            } else if (collator.compare(flags, "-validity") == 0) {
-                validity = Long.parseLong(args[++i]);
-            } else if (collator.compare(flags, "-ext") == 0) {
-                v3ext.add(args[++i]);
-            } else if (collator.compare(flags, "-id") == 0) {
-                ids.add(args[++i]);
-            } else if (collator.compare(flags, "-file") == 0) {
-                filename = args[++i];
-            } else if (collator.compare(flags, "-infile") == 0) {
-                infilename = args[++i];
-            } else if (collator.compare(flags, "-outfile") == 0) {
-                outfilename = args[++i];
-            } else if (collator.compare(flags, "-sslserver") == 0) {
-                sslserver = args[++i];
-            } else if (collator.compare(flags, "-jarfile") == 0) {
-                jarfile = args[++i];
-            } else if (collator.compare(flags, "-srckeystore") == 0) {
-                srcksfname = args[++i];
-            } else if ((collator.compare(flags, "-provider") == 0) ||
-                        (collator.compare(flags, "-providerclass") == 0)) {
-                if (providers == null) {
-                    providers = new HashSet<Pair <String, String>> (3);
-                }
-                String providerClass = args[++i];
-                String providerArg = null;
-
-                if (args.length > (i+1)) {
-                    flags = args[i+1];
-                    if (collator.compare(flags, "-providerarg") == 0) {
-                        if (args.length == (i+2)) errorNeedArgument(flags);
-                        providerArg = args[i+2];
-                        i += 2;
-                    }
-                }
-                providers.add(
-                        Pair.of(providerClass, providerArg));
-            }
-
-            /*
-             * options
-             */
-            else if (collator.compare(flags, "-v") == 0) {
-                verbose = true;
-            } else if (collator.compare(flags, "-debug") == 0) {
-                debug = true;
-            } else if (collator.compare(flags, "-rfc") == 0) {
-                rfc = true;
-            } else if (collator.compare(flags, "-noprompt") == 0) {
-                noprompt = true;
-            } else if (collator.compare(flags, "-trustcacerts") == 0) {
-                trustcacerts = true;
-            } else if (collator.compare(flags, "-protected") == 0 ||
-                    collator.compare(flags, "-destprotected") == 0) {
-                protectedPath = true;
-            } else if (collator.compare(flags, "-srcprotected") == 0) {
-                srcprotectedPath = true;
-            } else  {
-                System.err.println(rb.getString("Illegal.option.") + flags);
-                tinyHelp();
-            }
-        }
-
-        if (i<args.length) {
-            System.err.println(rb.getString("Illegal.option.") + args[i]);
-            tinyHelp();
-        }
-
-        if (command == null) {
-            if (help) {
-                usage();
-            } else {
-                System.err.println(rb.getString("Usage.error.no.command.provided"));
-                tinyHelp();
-            }
-        } else if (help) {
-            usage();
-            command = null;
-        }
-    }
-
-    boolean isKeyStoreRelated(Command cmd) {
-        return cmd != PRINTCERT && cmd != PRINTCERTREQ;
-    }
-
-    /**
-     * Execute the commands.
-     */
-    void doCommands(PrintStream out) throws Exception {
-
-        if (storetype == null) {
-            storetype = KeyStore.getDefaultType();
-        }
-        storetype = KeyStoreUtil.niceStoreTypeName(storetype);
-
-        if (srcstoretype == null) {
-            srcstoretype = KeyStore.getDefaultType();
-        }
-        srcstoretype = KeyStoreUtil.niceStoreTypeName(srcstoretype);
-
-        if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
-                KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            token = true;
-            if (ksfname == null) {
-                ksfname = NONE;
-            }
-        }
-        if (NONE.equals(ksfname)) {
-            nullStream = true;
-        }
-
-        if (token && !nullStream) {
-            System.err.println(MessageFormat.format(rb.getString
-                (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
-            System.err.println();
-            tinyHelp();
-        }
-
-        if (token &&
-            (command == KEYPASSWD || command == STOREPASSWD)) {
-            throw new UnsupportedOperationException(MessageFormat.format(rb.getString
-                        (".storepasswd.and.keypasswd.commands.not.supported.if.storetype.is.{0}"), storetype));
-        }
-
-        if (P12KEYSTORE.equalsIgnoreCase(storetype) && command == KEYPASSWD) {
-            throw new UnsupportedOperationException(rb.getString
-                        (".keypasswd.commands.not.supported.if.storetype.is.PKCS12"));
-        }
-
-        if (token && (keyPass != null || newPass != null || destKeyPass != null)) {
-            throw new IllegalArgumentException(MessageFormat.format(rb.getString
-                (".keypass.and.new.can.not.be.specified.if.storetype.is.{0}"), storetype));
-        }
-
-        if (protectedPath) {
-            if (storePass != null || keyPass != null ||
-                    newPass != null || destKeyPass != null) {
-                throw new IllegalArgumentException(rb.getString
-                        ("if.protected.is.specified.then.storepass.keypass.and.new.must.not.be.specified"));
-            }
-        }
-
-        if (srcprotectedPath) {
-            if (srcstorePass != null || srckeyPass != null) {
-                throw new IllegalArgumentException(rb.getString
-                        ("if.srcprotected.is.specified.then.srcstorepass.and.srckeypass.must.not.be.specified"));
-            }
-        }
-
-        if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            if (storePass != null || keyPass != null ||
-                    newPass != null || destKeyPass != null) {
-                throw new IllegalArgumentException(rb.getString
-                        ("if.keystore.is.not.password.protected.then.storepass.keypass.and.new.must.not.be.specified"));
-            }
-        }
-
-        if (KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
-            if (srcstorePass != null || srckeyPass != null) {
-                throw new IllegalArgumentException(rb.getString
-                        ("if.source.keystore.is.not.password.protected.then.srcstorepass.and.srckeypass.must.not.be.specified"));
-            }
-        }
-
-        if (validity <= (long)0) {
-            throw new Exception
-                (rb.getString("Validity.must.be.greater.than.zero"));
-        }
-
-        // Try to load and install specified provider
-        if (providers != null) {
-            ClassLoader cl = null;
-            if (pathlist != null) {
-                String path = null;
-                path = PathList.appendPath(
-                        path, System.getProperty("java.class.path"));
-                path = PathList.appendPath(
-                        path, System.getProperty("env.class.path"));
-                path = PathList.appendPath(path, pathlist);
-
-                URL[] urls = PathList.pathToURLs(path);
-                cl = new URLClassLoader(urls);
-            } else {
-                cl = ClassLoader.getSystemClassLoader();
-            }
-
-            for (Pair <String, String> provider: providers) {
-                String provName = provider.fst;
-                Class<?> provClass;
-                if (cl != null) {
-                    provClass = cl.loadClass(provName);
-                } else {
-                    provClass = Class.forName(provName);
-                }
-
-                String provArg = provider.snd;
-                Object obj;
-                if (provArg == null) {
-                    obj = provClass.newInstance();
-                } else {
-                    Constructor<?> c = provClass.getConstructor(PARAM_STRING);
-                    obj = c.newInstance(provArg);
-                }
-                if (!(obj instanceof Provider)) {
-                    MessageFormat form = new MessageFormat
-                        (rb.getString("provName.not.a.provider"));
-                    Object[] source = {provName};
-                    throw new Exception(form.format(source));
-                }
-                Security.addProvider((Provider)obj);
-            }
-        }
-
-        if (command == LIST && verbose && rfc) {
-            System.err.println(rb.getString
-                ("Must.not.specify.both.v.and.rfc.with.list.command"));
-            tinyHelp();
-        }
-
-        // Make sure provided passwords are at least 6 characters long
-        if (command == GENKEYPAIR && keyPass!=null && keyPass.length < 6) {
-            throw new Exception(rb.getString
-                ("Key.password.must.be.at.least.6.characters"));
-        }
-        if (newPass != null && newPass.length < 6) {
-            throw new Exception(rb.getString
-                ("New.password.must.be.at.least.6.characters"));
-        }
-        if (destKeyPass != null && destKeyPass.length < 6) {
-            throw new Exception(rb.getString
-                ("New.password.must.be.at.least.6.characters"));
-        }
-
-        // Check if keystore exists.
-        // If no keystore has been specified at the command line, try to use
-        // the default, which is located in $HOME/.keystore.
-        // If the command is "genkey", "identitydb", "import", or "printcert",
-        // it is OK not to have a keystore.
-        if (isKeyStoreRelated(command)) {
-            if (ksfname == null) {
-                ksfname = System.getProperty("user.home") + File.separator
-                    + ".keystore";
-            }
-
-            if (!nullStream) {
-                try {
-                    ksfile = new File(ksfname);
-                    // Check if keystore file is empty
-                    if (ksfile.exists() && ksfile.length() == 0) {
-                        throw new Exception(rb.getString
-                        ("Keystore.file.exists.but.is.empty.") + ksfname);
-                    }
-                    ksStream = new FileInputStream(ksfile);
-                } catch (FileNotFoundException e) {
-                    if (command != GENKEYPAIR &&
-                        command != GENSECKEY &&
-                        command != IDENTITYDB &&
-                        command != IMPORTCERT &&
-                        command != IMPORTKEYSTORE &&
-                        command != PRINTCRL) {
-                        throw new Exception(rb.getString
-                                ("Keystore.file.does.not.exist.") + ksfname);
-                    }
-                }
-            }
-        }
-
-        if ((command == KEYCLONE || command == CHANGEALIAS)
-                && dest == null) {
-            dest = getAlias("destination");
-            if ("".equals(dest)) {
-                throw new Exception(rb.getString
-                        ("Must.specify.destination.alias"));
-            }
-        }
-
-        if (command == DELETE && alias == null) {
-            alias = getAlias(null);
-            if ("".equals(alias)) {
-                throw new Exception(rb.getString("Must.specify.alias"));
-            }
-        }
-
-        // Create new keystore
-        if (providerName == null) {
-            keyStore = KeyStore.getInstance(storetype);
-        } else {
-            keyStore = KeyStore.getInstance(storetype, providerName);
-        }
-
-        /*
-         * Load the keystore data.
-         *
-         * At this point, it's OK if no keystore password has been provided.
-         * We want to make sure that we can load the keystore data, i.e.,
-         * the keystore data has the right format. If we cannot load the
-         * keystore, why bother asking the user for his or her password?
-         * Only if we were able to load the keystore, and no keystore
-         * password has been provided, will we prompt the user for the
-         * keystore password to verify the keystore integrity.
-         * This means that the keystore is loaded twice: first load operation
-         * checks the keystore format, second load operation verifies the
-         * keystore integrity.
-         *
-         * If the keystore password has already been provided (at the
-         * command line), however, the keystore is loaded only once, and the
-         * keystore format and integrity are checked "at the same time".
-         *
-         * Null stream keystores are loaded later.
-         */
-        if (!nullStream) {
-            keyStore.load(ksStream, storePass);
-            if (ksStream != null) {
-                ksStream.close();
-            }
-        }
-
-        // All commands that create or modify the keystore require a keystore
-        // password.
-
-        if (nullStream && storePass != null) {
-            keyStore.load(null, storePass);
-        } else if (!nullStream && storePass != null) {
-            // If we are creating a new non nullStream-based keystore,
-            // insist that the password be at least 6 characters
-            if (ksStream == null && storePass.length < 6) {
-                throw new Exception(rb.getString
-                        ("Keystore.password.must.be.at.least.6.characters"));
-            }
-        } else if (storePass == null) {
-
-            // only prompt if (protectedPath == false)
-
-            if (!protectedPath && !KeyStoreUtil.isWindowsKeyStore(storetype) &&
-                (command == CERTREQ ||
-                        command == DELETE ||
-                        command == GENKEYPAIR ||
-                        command == GENSECKEY ||
-                        command == IMPORTCERT ||
-                        command == IMPORTKEYSTORE ||
-                        command == KEYCLONE ||
-                        command == CHANGEALIAS ||
-                        command == SELFCERT ||
-                        command == STOREPASSWD ||
-                        command == KEYPASSWD ||
-                        command == IDENTITYDB)) {
-                int count = 0;
-                do {
-                    if (command == IMPORTKEYSTORE) {
-                        System.err.print
-                                (rb.getString("Enter.destination.keystore.password."));
-                    } else {
-                        System.err.print
-                                (rb.getString("Enter.keystore.password."));
-                    }
-                    System.err.flush();
-                    storePass = Password.readPassword(System.in);
-                    passwords.add(storePass);
-
-                    // If we are creating a new non nullStream-based keystore,
-                    // insist that the password be at least 6 characters
-                    if (!nullStream && (storePass == null || storePass.length < 6)) {
-                        System.err.println(rb.getString
-                                ("Keystore.password.is.too.short.must.be.at.least.6.characters"));
-                        storePass = null;
-                    }
-
-                    // If the keystore file does not exist and needs to be
-                    // created, the storepass should be prompted twice.
-                    if (storePass != null && !nullStream && ksStream == null) {
-                        System.err.print(rb.getString("Re.enter.new.password."));
-                        char[] storePassAgain = Password.readPassword(System.in);
-                        passwords.add(storePassAgain);
-                        if (!Arrays.equals(storePass, storePassAgain)) {
-                            System.err.println
-                                (rb.getString("They.don.t.match.Try.again"));
-                            storePass = null;
-                        }
-                    }
-
-                    count++;
-                } while ((storePass == null) && count < 3);
-
-
-                if (storePass == null) {
-                    System.err.println
-                        (rb.getString("Too.many.failures.try.later"));
-                    return;
-                }
-            } else if (!protectedPath
-                    && !KeyStoreUtil.isWindowsKeyStore(storetype)
-                    && isKeyStoreRelated(command)) {
-                // here we have EXPORTCERT and LIST (info valid until STOREPASSWD)
-                if (command != PRINTCRL) {
-                    System.err.print(rb.getString("Enter.keystore.password."));
-                    System.err.flush();
-                    storePass = Password.readPassword(System.in);
-                    passwords.add(storePass);
-                }
-            }
-
-            // Now load a nullStream-based keystore,
-            // or verify the integrity of an input stream-based keystore
-            if (nullStream) {
-                keyStore.load(null, storePass);
-            } else if (ksStream != null) {
-                ksStream = new FileInputStream(ksfile);
-                keyStore.load(ksStream, storePass);
-                ksStream.close();
-            }
-        }
-
-        if (storePass != null && P12KEYSTORE.equalsIgnoreCase(storetype)) {
-            MessageFormat form = new MessageFormat(rb.getString(
-                "Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value."));
-            if (keyPass != null && !Arrays.equals(storePass, keyPass)) {
-                Object[] source = {"-keypass"};
-                System.err.println(form.format(source));
-                keyPass = storePass;
-            }
-            if (newPass != null && !Arrays.equals(storePass, newPass)) {
-                Object[] source = {"-new"};
-                System.err.println(form.format(source));
-                newPass = storePass;
-            }
-            if (destKeyPass != null && !Arrays.equals(storePass, destKeyPass)) {
-                Object[] source = {"-destkeypass"};
-                System.err.println(form.format(source));
-                destKeyPass = storePass;
-            }
-        }
-
-        // Create a certificate factory
-        if (command == PRINTCERT || command == IMPORTCERT
-                || command == IDENTITYDB || command == PRINTCRL) {
-            cf = CertificateFactory.getInstance("X509");
-        }
-
-        if (trustcacerts) {
-            caks = getCacertsKeyStore();
-        }
-
-        // Perform the specified command
-        if (command == CERTREQ) {
-            if (filename != null) {
-                try (PrintStream ps = new PrintStream(new FileOutputStream
-                                                      (filename))) {
-                    doCertReq(alias, sigAlgName, ps);
-                }
-            } else {
-                doCertReq(alias, sigAlgName, out);
-            }
-            if (verbose && filename != null) {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Certification.request.stored.in.file.filename."));
-                Object[] source = {filename};
-                System.err.println(form.format(source));
-                System.err.println(rb.getString("Submit.this.to.your.CA"));
-            }
-        } else if (command == DELETE) {
-            doDeleteEntry(alias);
-            kssave = true;
-        } else if (command == EXPORTCERT) {
-            if (filename != null) {
-                try (PrintStream ps = new PrintStream(new FileOutputStream
-                                                   (filename))) {
-                    doExportCert(alias, ps);
-                }
-            } else {
-                doExportCert(alias, out);
-            }
-            if (filename != null) {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Certificate.stored.in.file.filename."));
-                Object[] source = {filename};
-                System.err.println(form.format(source));
-            }
-        } else if (command == GENKEYPAIR) {
-            if (keyAlgName == null) {
-                keyAlgName = "DSA";
-            }
-            doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName);
-            kssave = true;
-        } else if (command == GENSECKEY) {
-            if (keyAlgName == null) {
-                keyAlgName = "DES";
-            }
-            doGenSecretKey(alias, keyAlgName, keysize);
-            kssave = true;
-        } else if (command == IDENTITYDB) {
-            if (filename != null) {
-                try (InputStream inStream = new FileInputStream(filename)) {
-                    doImportIdentityDatabase(inStream);
-                }
-            } else {
-                doImportIdentityDatabase(System.in);
-            }
-        } else if (command == IMPORTCERT) {
-            InputStream inStream = System.in;
-            if (filename != null) {
-                inStream = new FileInputStream(filename);
-            }
-            String importAlias = (alias!=null)?alias:keyAlias;
-            try {
-                if (keyStore.entryInstanceOf(
-                        importAlias, KeyStore.PrivateKeyEntry.class)) {
-                    kssave = installReply(importAlias, inStream);
-                    if (kssave) {
-                        System.err.println(rb.getString
-                            ("Certificate.reply.was.installed.in.keystore"));
-                    } else {
-                        System.err.println(rb.getString
-                            ("Certificate.reply.was.not.installed.in.keystore"));
-                    }
-                } else if (!keyStore.containsAlias(importAlias) ||
-                        keyStore.entryInstanceOf(importAlias,
-                            KeyStore.TrustedCertificateEntry.class)) {
-                    kssave = addTrustedCert(importAlias, inStream);
-                    if (kssave) {
-                        System.err.println(rb.getString
-                            ("Certificate.was.added.to.keystore"));
-                    } else {
-                        System.err.println(rb.getString
-                            ("Certificate.was.not.added.to.keystore"));
-                    }
-                }
-            } finally {
-                if (inStream != System.in) {
-                    inStream.close();
-                }
-            }
-        } else if (command == IMPORTKEYSTORE) {
-            doImportKeyStore();
-            kssave = true;
-        } else if (command == KEYCLONE) {
-            keyPassNew = newPass;
-
-            // added to make sure only key can go thru
-            if (alias == null) {
-                alias = keyAlias;
-            }
-            if (keyStore.containsAlias(alias) == false) {
-                MessageFormat form = new MessageFormat
-                    (rb.getString("Alias.alias.does.not.exist"));
-                Object[] source = {alias};
-                throw new Exception(form.format(source));
-            }
-            if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
-                MessageFormat form = new MessageFormat(rb.getString(
-                        "Alias.alias.references.an.entry.type.that.is.not.a.private.key.entry.The.keyclone.command.only.supports.cloning.of.private.key"));
-                Object[] source = {alias};
-                throw new Exception(form.format(source));
-            }
-
-            doCloneEntry(alias, dest, true);  // Now everything can be cloned
-            kssave = true;
-        } else if (command == CHANGEALIAS) {
-            if (alias == null) {
-                alias = keyAlias;
-            }
-            doCloneEntry(alias, dest, false);
-            // in PKCS11, clone a PrivateKeyEntry will delete the old one
-            if (keyStore.containsAlias(alias)) {
-                doDeleteEntry(alias);
-            }
-            kssave = true;
-        } else if (command == KEYPASSWD) {
-            keyPassNew = newPass;
-            doChangeKeyPasswd(alias);
-            kssave = true;
-        } else if (command == LIST) {
-            if (alias != null) {
-                doPrintEntry(alias, out, true);
-            } else {
-                doPrintEntries(out);
-            }
-        } else if (command == PRINTCERT) {
-            doPrintCert(out);
-        } else if (command == SELFCERT) {
-            doSelfCert(alias, dname, sigAlgName);
-            kssave = true;
-        } else if (command == STOREPASSWD) {
-            storePassNew = newPass;
-            if (storePassNew == null) {
-                storePassNew = getNewPasswd("keystore password", storePass);
-            }
-            kssave = true;
-        } else if (command == GENCERT) {
-            if (alias == null) {
-                alias = keyAlias;
-            }
-            InputStream inStream = System.in;
-            if (infilename != null) {
-                inStream = new FileInputStream(infilename);
-            }
-            PrintStream ps = null;
-            if (outfilename != null) {
-                ps = new PrintStream(new FileOutputStream(outfilename));
-                out = ps;
-            }
-            try {
-                doGenCert(alias, sigAlgName, inStream, out);
-            } finally {
-                if (inStream != System.in) {
-                    inStream.close();
-                }
-                if (ps != null) {
-                    ps.close();
-                }
-            }
-        } else if (command == GENCRL) {
-            if (alias == null) {
-                alias = keyAlias;
-            }
-            if (filename != null) {
-                try (PrintStream ps =
-                         new PrintStream(new FileOutputStream(filename))) {
-                    doGenCRL(ps);
-                }
-            } else {
-                doGenCRL(out);
-            }
-        } else if (command == PRINTCERTREQ) {
-            if (filename != null) {
-                try (InputStream inStream = new FileInputStream(filename)) {
-                    doPrintCertReq(inStream, out);
-                }
-            } else {
-                doPrintCertReq(System.in, out);
-            }
-        } else if (command == PRINTCRL) {
-            doPrintCRL(filename, out);
-        }
-
-        // If we need to save the keystore, do so.
-        if (kssave) {
-            if (verbose) {
-                MessageFormat form = new MessageFormat
-                        (rb.getString(".Storing.ksfname."));
-                Object[] source = {nullStream ? "keystore" : ksfname};
-                System.err.println(form.format(source));
-            }
-
-            if (token) {
-                keyStore.store(null, null);
-            } else {
-                char[] pass = (storePassNew!=null) ? storePassNew : storePass;
-                if (nullStream) {
-                    keyStore.store(null, pass);
-                } else {
-                    ByteArrayOutputStream bout = new ByteArrayOutputStream();
-                    keyStore.store(bout, pass);
-                    try (FileOutputStream fout = new FileOutputStream(ksfname)) {
-                        fout.write(bout.toByteArray());
-                    }
-                }
-            }
-        }
-    }
-
-    /**
-     * Generate a certificate: Read PKCS10 request from in, and print
-     * certificate to out. Use alias as CA, sigAlgName as the signature
-     * type.
-     */
-    private void doGenCert(String alias, String sigAlgName, InputStream in, PrintStream out)
-            throws Exception {
-
-
-        Certificate signerCert = keyStore.getCertificate(alias);
-        byte[] encoded = signerCert.getEncoded();
-        X509CertImpl signerCertImpl = new X509CertImpl(encoded);
-        X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
-                X509CertImpl.NAME + "." + X509CertImpl.INFO);
-        X500Name issuer = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
-                                           CertificateSubjectName.DN_NAME);
-
-        Date firstDate = getStartDate(startDate);
-        Date lastDate = new Date();
-        lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
-        CertificateValidity interval = new CertificateValidity(firstDate,
-                                                               lastDate);
-
-        PrivateKey privateKey =
-                (PrivateKey)recoverKey(alias, storePass, keyPass).fst;
-        if (sigAlgName == null) {
-            sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm());
-        }
-        Signature signature = Signature.getInstance(sigAlgName);
-        signature.initSign(privateKey);
-
-        X509CertInfo info = new X509CertInfo();
-        info.set(X509CertInfo.VALIDITY, interval);
-        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
-                    new java.util.Random().nextInt() & 0x7fffffff));
-        info.set(X509CertInfo.VERSION,
-                    new CertificateVersion(CertificateVersion.V3));
-        info.set(X509CertInfo.ALGORITHM_ID,
-                    new CertificateAlgorithmId(
-                        AlgorithmId.get(sigAlgName)));
-        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
-
-        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
-        boolean canRead = false;
-        StringBuffer sb = new StringBuffer();
-        while (true) {
-            String s = reader.readLine();
-            if (s == null) break;
-            // OpenSSL does not use NEW
-            //if (s.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
-            if (s.startsWith("-----BEGIN") && s.indexOf("REQUEST") >= 0) {
-                canRead = true;
-            //} else if (s.startsWith("-----END NEW CERTIFICATE REQUEST-----")) {
-            } else if (s.startsWith("-----END") && s.indexOf("REQUEST") >= 0) {
-                break;
-            } else if (canRead) {
-                sb.append(s);
-            }
-        }
-        byte[] rawReq = new BASE64Decoder().decodeBuffer(new String(sb));
-        PKCS10 req = new PKCS10(rawReq);
-
-        info.set(X509CertInfo.KEY, new CertificateX509Key(req.getSubjectPublicKeyInfo()));
-        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(
-                dname==null?req.getSubjectName():new X500Name(dname)));
-        CertificateExtensions reqex = null;
-        Iterator<PKCS10Attribute> attrs = req.getAttributes().getAttributes().iterator();
-        while (attrs.hasNext()) {
-            PKCS10Attribute attr = attrs.next();
-            if (attr.getAttributeId().equals((Object)PKCS9Attribute.EXTENSION_REQUEST_OID)) {
-                reqex = (CertificateExtensions)attr.getAttributeValue();
-            }
-        }
-        CertificateExtensions ext = createV3Extensions(
-                reqex,
-                null,
-                v3ext,
-                req.getSubjectPublicKeyInfo(),
-                signerCert.getPublicKey());
-        info.set(X509CertInfo.EXTENSIONS, ext);
-        X509CertImpl cert = new X509CertImpl(info);
-        cert.sign(privateKey, sigAlgName);
-        dumpCert(cert, out);
-        for (Certificate ca: keyStore.getCertificateChain(alias)) {
-            if (ca instanceof X509Certificate) {
-                X509Certificate xca = (X509Certificate)ca;
-                if (!isSelfSigned(xca)) {
-                    dumpCert(xca, out);
-                }
-            }
-        }
-    }
-
-    private void doGenCRL(PrintStream out)
-            throws Exception {
-        if (ids == null) {
-            throw new Exception("Must provide -id when -gencrl");
-        }
-        Certificate signerCert = keyStore.getCertificate(alias);
-        byte[] encoded = signerCert.getEncoded();
-        X509CertImpl signerCertImpl = new X509CertImpl(encoded);
-        X509CertInfo signerCertInfo = (X509CertInfo)signerCertImpl.get(
-                X509CertImpl.NAME + "." + X509CertImpl.INFO);
-        X500Name owner = (X500Name)signerCertInfo.get(X509CertInfo.SUBJECT + "." +
-                                           CertificateSubjectName.DN_NAME);
-
-        Date firstDate = getStartDate(startDate);
-        Date lastDate = (Date) firstDate.clone();
-        lastDate.setTime(lastDate.getTime() + validity*1000*24*60*60);
-        CertificateValidity interval = new CertificateValidity(firstDate,
-                                                               lastDate);
-
-
-        PrivateKey privateKey =
-                (PrivateKey)recoverKey(alias, storePass, keyPass).fst;
-        if (sigAlgName == null) {
-            sigAlgName = getCompatibleSigAlgName(privateKey.getAlgorithm());
-        }
-
-        X509CRLEntry[] badCerts = new X509CRLEntry[ids.size()];
-        for (int i=0; i<ids.size(); i++) {
-            String id = ids.get(i);
-            int d = id.indexOf(':');
-            if (d >= 0) {
-                CRLExtensions ext = new CRLExtensions();
-                ext.set("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(d+1))));
-                badCerts[i] = new X509CRLEntryImpl(new BigInteger(id.substring(0, d)),
-                        firstDate, ext);
-            } else {
-                badCerts[i] = new X509CRLEntryImpl(new BigInteger(ids.get(i)), firstDate);
-            }
-        }
-        X509CRLImpl crl = new X509CRLImpl(owner, firstDate, lastDate, badCerts);
-        crl.sign(privateKey, sigAlgName);
-        if (rfc) {
-            out.println("-----BEGIN X509 CRL-----");
-            new BASE64Encoder().encodeBuffer(crl.getEncodedInternal(), out);
-            out.println("-----END X509 CRL-----");
-        } else {
-            out.write(crl.getEncodedInternal());
-        }
-    }
-
-    /**
-     * Creates a PKCS#10 cert signing request, corresponding to the
-     * keys (and name) associated with a given alias.
-     */
-    private void doCertReq(String alias, String sigAlgName, PrintStream out)
-        throws Exception
-    {
-        if (alias == null) {
-            alias = keyAlias;
-        }
-
-        Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
-        PrivateKey privKey = (PrivateKey)objs.fst;
-        if (keyPass == null) {
-            keyPass = objs.snd;
-        }
-
-        Certificate cert = keyStore.getCertificate(alias);
-        if (cert == null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("alias.has.no.public.key.certificate."));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-        PKCS10 request = new PKCS10(cert.getPublicKey());
-        CertificateExtensions ext = createV3Extensions(null, null, v3ext, cert.getPublicKey(), null);
-        // Attribute name is not significant
-        request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS,
-                new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext));
-
-        // Construct a Signature object, so that we can sign the request
-        if (sigAlgName == null) {
-            sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm());
-        }
-
-        Signature signature = Signature.getInstance(sigAlgName);
-        signature.initSign(privKey);
-        X500Name subject = dname == null?
-                new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
-                new X500Name(dname);
-
-        // Sign the request and base-64 encode it
-        request.encodeAndSign(subject, signature);
-        request.print(out);
-    }
-
-    /**
-     * Deletes an entry from the keystore.
-     */
-    private void doDeleteEntry(String alias) throws Exception {
-        if (keyStore.containsAlias(alias) == false) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.does.not.exist"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-        keyStore.deleteEntry(alias);
-    }
-
-    /**
-     * Exports a certificate from the keystore.
-     */
-    private void doExportCert(String alias, PrintStream out)
-        throws Exception
-    {
-        if (storePass == null
-                && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            printWarning();
-        }
-        if (alias == null) {
-            alias = keyAlias;
-        }
-        if (keyStore.containsAlias(alias) == false) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.does.not.exist"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        X509Certificate cert = (X509Certificate)keyStore.getCertificate(alias);
-        if (cert == null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.has.no.certificate"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-        dumpCert(cert, out);
-    }
-
-    /**
-     * Prompt the user for a keypass when generating a key entry.
-     * @param alias the entry we will set password for
-     * @param orig the original entry of doing a dup, null if generate new
-     * @param origPass the password to copy from if user press ENTER
-     */
-    private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
-        if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
-            return origPass;
-        } else if (!token && !protectedPath) {
-            // Prompt for key password
-            int count;
-            for (count = 0; count < 3; count++) {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter.key.password.for.alias."));
-                Object[] source = {alias};
-                System.err.println(form.format(source));
-                if (orig == null) {
-                    System.err.print(rb.getString
-                            (".RETURN.if.same.as.keystore.password."));
-                } else {
-                    form = new MessageFormat(rb.getString
-                            (".RETURN.if.same.as.for.otherAlias."));
-                    Object[] src = {orig};
-                    System.err.print(form.format(src));
-                }
-                System.err.flush();
-                char[] entered = Password.readPassword(System.in);
-                passwords.add(entered);
-                if (entered == null) {
-                    return origPass;
-                } else if (entered.length >= 6) {
-                    System.err.print(rb.getString("Re.enter.new.password."));
-                    char[] passAgain = Password.readPassword(System.in);
-                    passwords.add(passAgain);
-                    if (!Arrays.equals(entered, passAgain)) {
-                        System.err.println
-                            (rb.getString("They.don.t.match.Try.again"));
-                        continue;
-                    }
-                    return entered;
-                } else {
-                    System.err.println(rb.getString
-                        ("Key.password.is.too.short.must.be.at.least.6.characters"));
-                }
-            }
-            if (count == 3) {
-                if (command == KEYCLONE) {
-                    throw new Exception(rb.getString
-                        ("Too.many.failures.Key.entry.not.cloned"));
-                } else {
-                    throw new Exception(rb.getString
-                            ("Too.many.failures.key.not.added.to.keystore"));
-                }
-            }
-        }
-        return null;    // PKCS11, MSCAPI, or -protected
-    }
-    /**
-     * Creates a new secret key.
-     */
-    private void doGenSecretKey(String alias, String keyAlgName,
-                              int keysize)
-        throws Exception
-    {
-        if (alias == null) {
-            alias = keyAlias;
-        }
-        if (keyStore.containsAlias(alias)) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Secret.key.not.generated.alias.alias.already.exists"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        SecretKey secKey = null;
-        KeyGenerator keygen = KeyGenerator.getInstance(keyAlgName);
-        if (keysize != -1) {
-            keygen.init(keysize);
-        } else if ("DES".equalsIgnoreCase(keyAlgName)) {
-            keygen.init(56);
-        } else if ("DESede".equalsIgnoreCase(keyAlgName)) {
-            keygen.init(168);
-        } else {
-            throw new Exception(rb.getString
-                ("Please.provide.keysize.for.secret.key.generation"));
-        }
-
-        secKey = keygen.generateKey();
-        if (keyPass == null) {
-            keyPass = promptForKeyPass(alias, null, storePass);
-        }
-        keyStore.setKeyEntry(alias, secKey, keyPass, null);
-    }
-
-    /**
-     * If no signature algorithm was specified at the command line,
-     * we choose one that is compatible with the selected private key
-     */
-    private static String getCompatibleSigAlgName(String keyAlgName)
-            throws Exception {
-        if ("DSA".equalsIgnoreCase(keyAlgName)) {
-            return "SHA1WithDSA";
-        } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
-            return "SHA256WithRSA";
-        } else if ("EC".equalsIgnoreCase(keyAlgName)) {
-            return "SHA256withECDSA";
-        } else {
-            throw new Exception(rb.getString
-                    ("Cannot.derive.signature.algorithm"));
-        }
-    }
-    /**
-     * Creates a new key pair and self-signed certificate.
-     */
-    private void doGenKeyPair(String alias, String dname, String keyAlgName,
-                              int keysize, String sigAlgName)
-        throws Exception
-    {
-        if (keysize == -1) {
-            if ("EC".equalsIgnoreCase(keyAlgName)) {
-                keysize = 256;
-            } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
-                keysize = 2048;
-            } else {
-                keysize = 1024;
-            }
-        }
-
-        if (alias == null) {
-            alias = keyAlias;
-        }
-
-        if (keyStore.containsAlias(alias)) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Key.pair.not.generated.alias.alias.already.exists"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        if (sigAlgName == null) {
-            sigAlgName = getCompatibleSigAlgName(keyAlgName);
-        }
-        CertAndKeyGen keypair =
-                new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
-
-
-        // If DN is provided, parse it. Otherwise, prompt the user for it.
-        X500Name x500Name;
-        if (dname == null) {
-            x500Name = getX500Name();
-        } else {
-            x500Name = new X500Name(dname);
-        }
-
-        keypair.generate(keysize);
-        PrivateKey privKey = keypair.getPrivateKey();
-
-        CertificateExtensions ext = createV3Extensions(
-                null,
-                null,
-                v3ext,
-                keypair.getPublicKeyAnyway(),
-                null);
-
-        X509Certificate[] chain = new X509Certificate[1];
-        chain[0] = keypair.getSelfCertificate(
-                x500Name, getStartDate(startDate), validity*24L*60L*60L, ext);
-
-        if (verbose) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for"));
-            Object[] source = {new Integer(keysize),
-                                privKey.getAlgorithm(),
-                                chain[0].getSigAlgName(),
-                                new Long(validity),
-                                x500Name};
-            System.err.println(form.format(source));
-        }
-
-        if (keyPass == null) {
-            keyPass = promptForKeyPass(alias, null, storePass);
-        }
-        keyStore.setKeyEntry(alias, privKey, keyPass, chain);
-    }
-
-    /**
-     * Clones an entry
-     * @param orig original alias
-     * @param dest destination alias
-     * @changePassword if the password can be changed
-     */
-    private void doCloneEntry(String orig, String dest, boolean changePassword)
-        throws Exception
-    {
-        if (orig == null) {
-            orig = keyAlias;
-        }
-
-        if (keyStore.containsAlias(dest)) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Destination.alias.dest.already.exists"));
-            Object[] source = {dest};
-            throw new Exception(form.format(source));
-        }
-
-        Pair<Entry,char[]> objs = recoverEntry(keyStore, orig, storePass, keyPass);
-        Entry entry = objs.fst;
-        keyPass = objs.snd;
-
-        PasswordProtection pp = null;
-
-        if (keyPass != null) {  // protected
-            if (!changePassword || P12KEYSTORE.equalsIgnoreCase(storetype)) {
-                keyPassNew = keyPass;
-            } else {
-                if (keyPassNew == null) {
-                    keyPassNew = promptForKeyPass(dest, orig, keyPass);
-                }
-            }
-            pp = new PasswordProtection(keyPassNew);
-        }
-        keyStore.setEntry(dest, entry, pp);
-    }
-
-    /**
-     * Changes a key password.
-     */
-    private void doChangeKeyPasswd(String alias) throws Exception
-    {
-
-        if (alias == null) {
-            alias = keyAlias;
-        }
-        Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
-        Key privKey = objs.fst;
-        if (keyPass == null) {
-            keyPass = objs.snd;
-        }
-
-        if (keyPassNew == null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("key.password.for.alias."));
-            Object[] source = {alias};
-            keyPassNew = getNewPasswd(form.format(source), keyPass);
-        }
-        keyStore.setKeyEntry(alias, privKey, keyPassNew,
-                             keyStore.getCertificateChain(alias));
-    }
-
-    /**
-     * Imports a JDK 1.1-style identity database. We can only store one
-     * certificate per identity, because we use the identity's name as the
-     * alias (which references a keystore entry), and aliases must be unique.
-     */
-    private void doImportIdentityDatabase(InputStream in)
-        throws Exception
-    {
-        System.err.println(rb.getString
-            ("No.entries.from.identity.database.added"));
-    }
-
-    /**
-     * Prints a single keystore entry.
-     */
-    private void doPrintEntry(String alias, PrintStream out,
-                              boolean printWarning)
-        throws Exception
-    {
-        if (storePass == null && printWarning
-                && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            printWarning();
-        }
-
-        if (keyStore.containsAlias(alias) == false) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.does.not.exist"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        if (verbose || rfc || debug) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.name.alias"));
-            Object[] source = {alias};
-            out.println(form.format(source));
-
-            if (!token) {
-                form = new MessageFormat(rb.getString
-                    ("Creation.date.keyStore.getCreationDate.alias."));
-                Object[] src = {keyStore.getCreationDate(alias)};
-                out.println(form.format(src));
-            }
-        } else {
-            if (!token) {
-                MessageFormat form = new MessageFormat
-                    (rb.getString("alias.keyStore.getCreationDate.alias."));
-                Object[] source = {alias, keyStore.getCreationDate(alias)};
-                out.print(form.format(source));
-            } else {
-                MessageFormat form = new MessageFormat
-                    (rb.getString("alias."));
-                Object[] source = {alias};
-                out.print(form.format(source));
-            }
-        }
-
-        if (keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
-            if (verbose || rfc || debug) {
-                Object[] source = {"SecretKeyEntry"};
-                out.println(new MessageFormat(
-                        rb.getString("Entry.type.type.")).format(source));
-            } else {
-                out.println("SecretKeyEntry, ");
-            }
-        } else if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
-            if (verbose || rfc || debug) {
-                Object[] source = {"PrivateKeyEntry"};
-                out.println(new MessageFormat(
-                        rb.getString("Entry.type.type.")).format(source));
-            } else {
-                out.println("PrivateKeyEntry, ");
-            }
-
-            // Get the chain
-            Certificate[] chain = keyStore.getCertificateChain(alias);
-            if (chain != null) {
-                if (verbose || rfc || debug) {
-                    out.println(rb.getString
-                        ("Certificate.chain.length.") + chain.length);
-                    for (int i = 0; i < chain.length; i ++) {
-                        MessageFormat form = new MessageFormat
-                                (rb.getString("Certificate.i.1."));
-                        Object[] source = {new Integer((i + 1))};
-                        out.println(form.format(source));
-                        if (verbose && (chain[i] instanceof X509Certificate)) {
-                            printX509Cert((X509Certificate)(chain[i]), out);
-                        } else if (debug) {
-                            out.println(chain[i].toString());
-                        } else {
-                            dumpCert(chain[i], out);
-                        }
-                    }
-                } else {
-                    // Print the digest of the user cert only
-                    out.println
-                        (rb.getString("Certificate.fingerprint.SHA1.") +
-                        getCertFingerPrint("SHA1", chain[0]));
-                }
-            }
-        } else if (keyStore.entryInstanceOf(alias,
-                KeyStore.TrustedCertificateEntry.class)) {
-            // We have a trusted certificate entry
-            Certificate cert = keyStore.getCertificate(alias);
-            Object[] source = {"trustedCertEntry"};
-            String mf = new MessageFormat(
-                    rb.getString("Entry.type.type.")).format(source) + "\n";
-            if (verbose && (cert instanceof X509Certificate)) {
-                out.println(mf);
-                printX509Cert((X509Certificate)cert, out);
-            } else if (rfc) {
-                out.println(mf);
-                dumpCert(cert, out);
-            } else if (debug) {
-                out.println(cert.toString());
-            } else {
-                out.println("trustedCertEntry, ");
-                out.println(rb.getString("Certificate.fingerprint.SHA1.")
-                            + getCertFingerPrint("SHA1", cert));
-            }
-        } else {
-            out.println(rb.getString("Unknown.Entry.Type"));
-        }
-    }
-
-    /**
-     * Load the srckeystore from a stream, used in -importkeystore
-     * @returns the src KeyStore
-     */
-    KeyStore loadSourceKeyStore() throws Exception {
-        boolean isPkcs11 = false;
-
-        InputStream is = null;
-
-        if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) ||
-                KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
-            if (!NONE.equals(srcksfname)) {
-                System.err.println(MessageFormat.format(rb.getString
-                    (".keystore.must.be.NONE.if.storetype.is.{0}"), srcstoretype));
-                System.err.println();
-                tinyHelp();
-            }
-            isPkcs11 = true;
-        } else {
-            if (srcksfname != null) {
-                File srcksfile = new File(srcksfname);
-                    if (srcksfile.exists() && srcksfile.length() == 0) {
-                        throw new Exception(rb.getString
-                                ("Source.keystore.file.exists.but.is.empty.") +
-                                srcksfname);
-                }
-                is = new FileInputStream(srcksfile);
-            } else {
-                throw new Exception(rb.getString
-                        ("Please.specify.srckeystore"));
-            }
-        }
-
-        KeyStore store;
-        try {
-            if (srcProviderName == null) {
-                store = KeyStore.getInstance(srcstoretype);
-            } else {
-                store = KeyStore.getInstance(srcstoretype, srcProviderName);
-            }
-
-            if (srcstorePass == null
-                    && !srcprotectedPath
-                    && !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
-                System.err.print(rb.getString("Enter.source.keystore.password."));
-                System.err.flush();
-                srcstorePass = Password.readPassword(System.in);
-                passwords.add(srcstorePass);
-            }
-
-            // always let keypass be storepass when using pkcs12
-            if (P12KEYSTORE.equalsIgnoreCase(srcstoretype)) {
-                if (srckeyPass != null && srcstorePass != null &&
-                        !Arrays.equals(srcstorePass, srckeyPass)) {
-                    MessageFormat form = new MessageFormat(rb.getString(
-                        "Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value."));
-                    Object[] source = {"-srckeypass"};
-                    System.err.println(form.format(source));
-                    srckeyPass = srcstorePass;
-                }
-            }
-
-            store.load(is, srcstorePass);   // "is" already null in PKCS11
-        } finally {
-            if (is != null) {
-                is.close();
-            }
-        }
-
-        if (srcstorePass == null
-                && !KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
-            // anti refactoring, copied from printWarning(),
-            // but change 2 lines
-            System.err.println();
-            System.err.println(rb.getString
-                (".WARNING.WARNING.WARNING."));
-            System.err.println(rb.getString
-                (".The.integrity.of.the.information.stored.in.the.srckeystore."));
-            System.err.println(rb.getString
-                (".WARNING.WARNING.WARNING."));
-            System.err.println();
-        }
-
-        return store;
-    }
-
-    /**
-     * import all keys and certs from importkeystore.
-     * keep alias unchanged if no name conflict, otherwise, prompt.
-     * keep keypass unchanged for keys
-     */
-    private void doImportKeyStore() throws Exception {
-
-        if (alias != null) {
-            doImportKeyStoreSingle(loadSourceKeyStore(), alias);
-        } else {
-            if (dest != null || srckeyPass != null || destKeyPass != null) {
-                throw new Exception(rb.getString(
-                        "if.alias.not.specified.destalias.srckeypass.and.destkeypass.must.not.be.specified"));
-            }
-            doImportKeyStoreAll(loadSourceKeyStore());
-        }
-        /*
-         * Information display rule of -importkeystore
-         * 1. inside single, shows failure
-         * 2. inside all, shows sucess
-         * 3. inside all where there is a failure, prompt for continue
-         * 4. at the final of all, shows summary
-         */
-    }
-
-    /**
-     * Import a single entry named alias from srckeystore
-     * @returns 1 if the import action succeed
-     *          0 if user choose to ignore an alias-dumplicated entry
-     *          2 if setEntry throws Exception
-     */
-    private int doImportKeyStoreSingle(KeyStore srckeystore, String alias)
-            throws Exception {
-
-        String newAlias = (dest==null) ? alias : dest;
-
-        if (keyStore.containsAlias(newAlias)) {
-            Object[] source = {alias};
-            if (noprompt) {
-                System.err.println(new MessageFormat(rb.getString(
-                        "Warning.Overwriting.existing.alias.alias.in.destination.keystore")).format(source));
-            } else {
-                String reply = getYesNoReply(new MessageFormat(rb.getString(
-                        "Existing.entry.alias.alias.exists.overwrite.no.")).format(source));
-                if ("NO".equals(reply)) {
-                    newAlias = inputStringFromStdin(rb.getString
-                            ("Enter.new.alias.name.RETURN.to.cancel.import.for.this.entry."));
-                    if ("".equals(newAlias)) {
-                        System.err.println(new MessageFormat(rb.getString(
-                                "Entry.for.alias.alias.not.imported.")).format(
-                                source));
-                        return 0;
-                    }
-                }
-            }
-        }
-
-        Pair<Entry,char[]> objs = recoverEntry(srckeystore, alias, srcstorePass, srckeyPass);
-        Entry entry = objs.fst;
-
-        PasswordProtection pp = null;
-
-        // According to keytool.html, "The destination entry will be protected
-        // using destkeypass. If destkeypass is not provided, the destination
-        // entry will be protected with the source entry password."
-        // so always try to protect with destKeyPass.
-        if (destKeyPass != null) {
-            pp = new PasswordProtection(destKeyPass);
-        } else if (objs.snd != null) {
-            pp = new PasswordProtection(objs.snd);
-        }
-
-        try {
-            keyStore.setEntry(newAlias, entry, pp);
-            return 1;
-        } catch (KeyStoreException kse) {
-            Object[] source2 = {alias, kse.toString()};
-            MessageFormat form = new MessageFormat(rb.getString(
-                    "Problem.importing.entry.for.alias.alias.exception.Entry.for.alias.alias.not.imported."));
-            System.err.println(form.format(source2));
-            return 2;
-        }
-    }
-
-    private void doImportKeyStoreAll(KeyStore srckeystore) throws Exception {
-
-        int ok = 0;
-        int count = srckeystore.size();
-        for (Enumeration<String> e = srckeystore.aliases();
-                                        e.hasMoreElements(); ) {
-            String alias = e.nextElement();
-            int result = doImportKeyStoreSingle(srckeystore, alias);
-            if (result == 1) {
-                ok++;
-                Object[] source = {alias};
-                MessageFormat form = new MessageFormat(rb.getString("Entry.for.alias.alias.successfully.imported."));
-                System.err.println(form.format(source));
-            } else if (result == 2) {
-                if (!noprompt) {
-                    String reply = getYesNoReply("Do you want to quit the import process? [no]:  ");
-                    if ("YES".equals(reply)) {
-                        break;
-                    }
-                }
-            }
-        }
-        Object[] source = {ok, count-ok};
-        MessageFormat form = new MessageFormat(rb.getString(
-                "Import.command.completed.ok.entries.successfully.imported.fail.entries.failed.or.cancelled"));
-        System.err.println(form.format(source));
-    }
-
-    /**
-     * Prints all keystore entries.
-     */
-    private void doPrintEntries(PrintStream out)
-        throws Exception
-    {
-        if (storePass == null
-                && !KeyStoreUtil.isWindowsKeyStore(storetype)) {
-            printWarning();
-        } else {
-            out.println();
-        }
-
-        out.println(rb.getString("Keystore.type.") + keyStore.getType());
-        out.println(rb.getString("Keystore.provider.") +
-                keyStore.getProvider().getName());
-        out.println();
-
-        MessageFormat form;
-        form = (keyStore.size() == 1) ?
-                new MessageFormat(rb.getString
-                        ("Your.keystore.contains.keyStore.size.entry")) :
-                new MessageFormat(rb.getString
-                        ("Your.keystore.contains.keyStore.size.entries"));
-        Object[] source = {new Integer(keyStore.size())};
-        out.println(form.format(source));
-        out.println();
-
-        for (Enumeration<String> e = keyStore.aliases();
-                                        e.hasMoreElements(); ) {
-            String alias = e.nextElement();
-            doPrintEntry(alias, out, false);
-            if (verbose || rfc) {
-                out.println(rb.getString("NEWLINE"));
-                out.println(rb.getString
-                        ("STAR"));
-                out.println(rb.getString
-                        ("STARNN"));
-            }
-        }
-    }
-
-    private static <T> Iterable<T> e2i(final Enumeration<T> e) {
-        return new Iterable<T>() {
-            @Override
-            public Iterator<T> iterator() {
-                return new Iterator<T>() {
-                    @Override
-                    public boolean hasNext() {
-                        return e.hasMoreElements();
-                    }
-                    @Override
-                    public T next() {
-                        return e.nextElement();
-                    }
-                    public void remove() {
-                        throw new UnsupportedOperationException("Not supported yet.");
-                    }
-                };
-            }
-        };
-    }
-
-    /**
-     * Loads CRLs from a source. This method is also called in JarSigner.
-     * @param src the source, which means System.in if null, or a URI,
-     *        or a bare file path name
-     */
-    public static Collection<? extends CRL> loadCRLs(String src) throws Exception {
-        InputStream in = null;
-        URI uri = null;
-        if (src == null) {
-            in = System.in;
-        } else {
-            try {
-                uri = new URI(src);
-                if (uri.getScheme().equals("ldap")) {
-                    // No input stream for LDAP
-                } else {
-                    in = uri.toURL().openStream();
-                }
-            } catch (Exception e) {
-                try {
-                    in = new FileInputStream(src);
-                } catch (Exception e2) {
-                    if (uri == null || uri.getScheme() == null) {
-                        throw e2;   // More likely a bare file path
-                    } else {
-                        throw e;    // More likely a protocol or network problem
-                    }
-                }
-            }
-        }
-        if (in != null) {
-            try {
-                // Read the full stream before feeding to X509Factory,
-                // otherwise, keytool -gencrl | keytool -printcrl
-                // might not work properly, since -gencrl is slow
-                // and there's no data in the pipe at the beginning.
-                ByteArrayOutputStream bout = new ByteArrayOutputStream();
-                byte[] b = new byte[4096];
-                while (true) {
-                    int len = in.read(b);
-                    if (len < 0) break;
-                    bout.write(b, 0, len);
-                }
-                return CertificateFactory.getInstance("X509").generateCRLs(
-                        new ByteArrayInputStream(bout.toByteArray()));
-            } finally {
-                if (in != System.in) {
-                    in.close();
-                }
-            }
-        } else {    // must be LDAP, and uri is not null
-            // Lazily load LDAPCertStoreHelper if present
-            CertStoreHelper helper = CertStoreHelper.getInstance("LDAP");
-            String path = uri.getPath();
-            if (path.charAt(0) == '/') path = path.substring(1);
-            CertStore s = helper.getCertStore(uri);
-            X509CRLSelector sel =
-                    helper.wrap(new X509CRLSelector(), null, path);
-            return s.getCRLs(sel);
-        }
-    }
-
-    /**
-     * Returns CRLs described in a X509Certificate's CRLDistributionPoints
-     * Extension. Only those containing a general name of type URI are read.
-     */
-    public static List<CRL> readCRLsFromCert(X509Certificate cert)
-            throws Exception {
-        List<CRL> crls = new ArrayList<>();
-        CRLDistributionPointsExtension ext =
-                X509CertImpl.toImpl(cert).getCRLDistributionPointsExtension();
-        if (ext == null) return crls;
-        List<DistributionPoint> distPoints =
-                ext.get(CRLDistributionPointsExtension.POINTS);
-        for (DistributionPoint o: distPoints) {
-            GeneralNames names = o.getFullName();
-            if (names != null) {
-                for (GeneralName name: names.names()) {
-                    if (name.getType() == GeneralNameInterface.NAME_URI) {
-                        URIName uriName = (URIName)name.getName();
-                        for (CRL crl: KeyTool.loadCRLs(uriName.getName())) {
-                            if (crl instanceof X509CRL) {
-                                crls.add((X509CRL)crl);
-                            }
-                        }
-                        break;  // Different name should point to same CRL
-                    }
-                }
-            }
-        }
-        return crls;
-    }
-
-    private static String verifyCRL(KeyStore ks, CRL crl)
-            throws Exception {
-        X509CRLImpl xcrl = (X509CRLImpl)crl;
-        X500Principal issuer = xcrl.getIssuerX500Principal();
-        for (String s: e2i(ks.aliases())) {
-            Certificate cert = ks.getCertificate(s);
-            if (cert instanceof X509Certificate) {
-                X509Certificate xcert = (X509Certificate)cert;
-                if (xcert.getSubjectX500Principal().equals(issuer)) {
-                    try {
-                        ((X509CRLImpl)crl).verify(cert.getPublicKey());
-                        return s;
-                    } catch (Exception e) {
-                    }
-                }
-            }
-        }
-        return null;
-    }
-
-    private void doPrintCRL(String src, PrintStream out)
-            throws Exception {
-        for (CRL crl: loadCRLs(src)) {
-            printCRL(crl, out);
-            String issuer = null;
-            if (caks != null) {
-                issuer = verifyCRL(caks, crl);
-                if (issuer != null) {
-                    out.printf(rb.getString(
-                            "verified.by.s.in.s"), issuer, "cacerts");
-                    out.println();
-                }
-            }
-            if (issuer == null && keyStore != null) {
-                issuer = verifyCRL(keyStore, crl);
-                if (issuer != null) {
-                    out.printf(rb.getString(
-                            "verified.by.s.in.s"), issuer, "keystore");
-                    out.println();
-                }
-            }
-            if (issuer == null) {
-                out.println(rb.getString
-                        ("STAR"));
-                out.println(rb.getString
-                        ("warning.not.verified.make.sure.keystore.is.correct"));
-                out.println(rb.getString
-                        ("STARNN"));
-            }
-        }
-    }
-
-    private void printCRL(CRL crl, PrintStream out)
-            throws Exception {
-        if (rfc) {
-            X509CRL xcrl = (X509CRL)crl;
-            out.println("-----BEGIN X509 CRL-----");
-            new BASE64Encoder().encodeBuffer(xcrl.getEncoded(), out);
-            out.println("-----END X509 CRL-----");
-        } else {
-            out.println(crl.toString());
-        }
-    }
-
-    private void doPrintCertReq(InputStream in, PrintStream out)
-            throws Exception {
-
-        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
-        StringBuffer sb = new StringBuffer();
-        boolean started = false;
-        while (true) {
-            String s = reader.readLine();
-            if (s == null) break;
-            if (!started) {
-                if (s.startsWith("-----")) {
-                    started = true;
-                }
-            } else {
-                if (s.startsWith("-----")) {
-                    break;
-                }
-                sb.append(s);
-            }
-        }
-        PKCS10 req = new PKCS10(new BASE64Decoder().decodeBuffer(new String(sb)));
-
-        PublicKey pkey = req.getSubjectPublicKeyInfo();
-        out.printf(rb.getString("PKCS.10.Certificate.Request.Version.1.0.Subject.s.Public.Key.s.format.s.key."),
-                req.getSubjectName(), pkey.getFormat(), pkey.getAlgorithm());
-        for (PKCS10Attribute attr: req.getAttributes().getAttributes()) {
-            ObjectIdentifier oid = attr.getAttributeId();
-            if (oid.equals((Object)PKCS9Attribute.EXTENSION_REQUEST_OID)) {
-                CertificateExtensions exts = (CertificateExtensions)attr.getAttributeValue();
-                if (exts != null) {
-                    printExtensions(rb.getString("Extension.Request."), exts, out);
-                }
-            } else {
-                out.println(attr.getAttributeId());
-                out.println(attr.getAttributeValue());
-            }
-        }
-        if (debug) {
-            out.println(req);   // Just to see more, say, public key length...
-        }
-    }
-
-    /**
-     * Reads a certificate (or certificate chain) and prints its contents in
-     * a human readable format.
-     */
-    private void printCertFromStream(InputStream in, PrintStream out)
-        throws Exception
-    {
-        Collection<? extends Certificate> c = null;
-        try {
-            c = cf.generateCertificates(in);
-        } catch (CertificateException ce) {
-            throw new Exception(rb.getString("Failed.to.parse.input"), ce);
-        }
-        if (c.isEmpty()) {
-            throw new Exception(rb.getString("Empty.input"));
-        }
-        Certificate[] certs = c.toArray(new Certificate[c.size()]);
-        for (int i=0; i<certs.length; i++) {
-            X509Certificate x509Cert = null;
-            try {
-                x509Cert = (X509Certificate)certs[i];
-            } catch (ClassCastException cce) {
-                throw new Exception(rb.getString("Not.X.509.certificate"));
-            }
-            if (certs.length > 1) {
-                MessageFormat form = new MessageFormat
-                        (rb.getString("Certificate.i.1."));
-                Object[] source = {new Integer(i + 1)};
-                out.println(form.format(source));
-            }
-            if (rfc) dumpCert(x509Cert, out);
-            else printX509Cert(x509Cert, out);
-            if (i < (certs.length-1)) {
-                out.println();
-            }
-        }
-    }
-
-    private void doPrintCert(final PrintStream out) throws Exception {
-        if (jarfile != null) {
-            JarFile jf = new JarFile(jarfile, true);
-            Enumeration<JarEntry> entries = jf.entries();
-            Set<CodeSigner> ss = new HashSet<>();
-            byte[] buffer = new byte[8192];
-            int pos = 0;
-            while (entries.hasMoreElements()) {
-                JarEntry je = entries.nextElement();
-                try (InputStream is = jf.getInputStream(je)) {
-                    while (is.read(buffer) != -1) {
-                        // we just read. this will throw a SecurityException
-                        // if a signature/digest check fails. This also
-                        // populate the signers
-                    }
-                }
-                CodeSigner[] signers = je.getCodeSigners();
-                if (signers != null) {
-                    for (CodeSigner signer: signers) {
-                        if (!ss.contains(signer)) {
-                            ss.add(signer);
-                            out.printf(rb.getString("Signer.d."), ++pos);
-                            out.println();
-                            out.println();
-                            out.println(rb.getString("Signature."));
-                            out.println();
-                            for (Certificate cert: signer.getSignerCertPath().getCertificates()) {
-                                X509Certificate x = (X509Certificate)cert;
-                                if (rfc) {
-                                    out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
-                                    dumpCert(x, out);
-                                } else {
-                                    printX509Cert(x, out);
-                                }
-                                out.println();
-                            }
-                            Timestamp ts = signer.getTimestamp();
-                            if (ts != null) {
-                                out.println(rb.getString("Timestamp."));
-                                out.println();
-                                for (Certificate cert: ts.getSignerCertPath().getCertificates()) {
-                                    X509Certificate x = (X509Certificate)cert;
-                                    if (rfc) {
-                                        out.println(rb.getString("Certificate.owner.") + x.getSubjectDN() + "\n");
-                                        dumpCert(x, out);
-                                    } else {
-                                        printX509Cert(x, out);
-                                    }
-                                    out.println();
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            jf.close();
-            if (ss.isEmpty()) {
-                out.println(rb.getString("Not.a.signed.jar.file"));
-            }
-        } else if (sslserver != null) {
-            // Lazily load SSLCertStoreHelper if present
-            CertStoreHelper helper = CertStoreHelper.getInstance("SSLServer");
-            CertStore cs = helper.getCertStore(new URI("https://" + sslserver));
-            Collection<? extends Certificate> chain;
-            try {
-                chain = cs.getCertificates(null);
-                if (chain.isEmpty()) {
-                    // If the certs are not retrieved, we consider it an error
-                    // even if the URL connection is successful.
-                    throw new Exception(rb.getString(
-                                        "No.certificate.from.the.SSL.server"));
-                }
-            } catch (CertStoreException cse) {
-                if (cse.getCause() instanceof IOException) {
-                    throw new Exception(rb.getString(
-                                        "No.certificate.from.the.SSL.server"),
-                                        cse.getCause());
-                } else {
-                    throw cse;
-                }
-            }
-
-            int i = 0;
-            for (Certificate cert : chain) {
-                try {
-                    if (rfc) {
-                        dumpCert(cert, out);
-                    } else {
-                        out.println("Certificate #" + i++);
-                        out.println("====================================");
-                        printX509Cert((X509Certificate)cert, out);
-                        out.println();
-                    }
-                } catch (Exception e) {
-                    if (debug) {
-                        e.printStackTrace();
-                    }
-                }
-            }
-        } else {
-            if (filename != null) {
-                try (FileInputStream inStream = new FileInputStream(filename)) {
-                    printCertFromStream(inStream, out);
-                }
-            } else {
-                printCertFromStream(System.in, out);
-            }
-        }
-    }
-    /**
-     * Creates a self-signed certificate, and stores it as a single-element
-     * certificate chain.
-     */
-    private void doSelfCert(String alias, String dname, String sigAlgName)
-        throws Exception
-    {
-        if (alias == null) {
-            alias = keyAlias;
-        }
-
-        Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
-        PrivateKey privKey = (PrivateKey)objs.fst;
-        if (keyPass == null)
-            keyPass = objs.snd;
-
-        // Determine the signature algorithm
-        if (sigAlgName == null) {
-            sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm());
-        }
-
-        // Get the old certificate
-        Certificate oldCert = keyStore.getCertificate(alias);
-        if (oldCert == null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("alias.has.no.public.key"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-        if (!(oldCert instanceof X509Certificate)) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("alias.has.no.X.509.certificate"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        // convert to X509CertImpl, so that we can modify selected fields
-        // (no public APIs available yet)
-        byte[] encoded = oldCert.getEncoded();
-        X509CertImpl certImpl = new X509CertImpl(encoded);
-        X509CertInfo certInfo = (X509CertInfo)certImpl.get(X509CertImpl.NAME
-                                                           + "." +
-                                                           X509CertImpl.INFO);
-
-        // Extend its validity
-        Date firstDate = getStartDate(startDate);
-        Date lastDate = new Date();
-        lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
-        CertificateValidity interval = new CertificateValidity(firstDate,
-                                                               lastDate);
-        certInfo.set(X509CertInfo.VALIDITY, interval);
-
-        // Make new serial number
-        certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
-                    new java.util.Random().nextInt() & 0x7fffffff));
-
-        // Set owner and issuer fields
-        X500Name owner;
-        if (dname == null) {
-            // Get the owner name from the certificate
-            owner = (X500Name)certInfo.get(X509CertInfo.SUBJECT + "." +
-                                           CertificateSubjectName.DN_NAME);
-        } else {
-            // Use the owner name specified at the command line
-            owner = new X500Name(dname);
-            certInfo.set(X509CertInfo.SUBJECT + "." +
-                         CertificateSubjectName.DN_NAME, owner);
-        }
-        // Make issuer same as owner (self-signed!)
-        certInfo.set(X509CertInfo.ISSUER + "." +
-                     CertificateIssuerName.DN_NAME, owner);
-
-        // The inner and outer signature algorithms have to match.
-        // The way we achieve that is really ugly, but there seems to be no
-        // other solution: We first sign the cert, then retrieve the
-        // outer sigalg and use it to set the inner sigalg
-        X509CertImpl newCert = new X509CertImpl(certInfo);
-        newCert.sign(privKey, sigAlgName);
-        AlgorithmId sigAlgid = (AlgorithmId)newCert.get(X509CertImpl.SIG_ALG);
-        certInfo.set(CertificateAlgorithmId.NAME + "." +
-                     CertificateAlgorithmId.ALGORITHM, sigAlgid);
-
-        certInfo.set(X509CertInfo.VERSION,
-                        new CertificateVersion(CertificateVersion.V3));
-
-        CertificateExtensions ext = createV3Extensions(
-                null,
-                (CertificateExtensions)certInfo.get(X509CertInfo.EXTENSIONS),
-                v3ext,
-                oldCert.getPublicKey(),
-                null);
-        certInfo.set(X509CertInfo.EXTENSIONS, ext);
-        // Sign the new certificate
-        newCert = new X509CertImpl(certInfo);
-        newCert.sign(privKey, sigAlgName);
-
-        // Store the new certificate as a single-element certificate chain
-        keyStore.setKeyEntry(alias, privKey,
-                             (keyPass != null) ? keyPass : storePass,
-                             new Certificate[] { newCert } );
-
-        if (verbose) {
-            System.err.println(rb.getString("New.certificate.self.signed."));
-            System.err.print(newCert.toString());
-            System.err.println();
-        }
-    }
-
-    /**
-     * Processes a certificate reply from a certificate authority.
-     *
-     * <p>Builds a certificate chain on top of the certificate reply,
-     * using trusted certificates from the keystore. The chain is complete
-     * after a self-signed certificate has been encountered. The self-signed
-     * certificate is considered a root certificate authority, and is stored
-     * at the end of the chain.
-     *
-     * <p>The newly generated chain replaces the old chain associated with the
-     * key entry.
-     *
-     * @return true if the certificate reply was installed, otherwise false.
-     */
-    private boolean installReply(String alias, InputStream in)
-        throws Exception
-    {
-        if (alias == null) {
-            alias = keyAlias;
-        }
-
-        Pair<Key,char[]> objs = recoverKey(alias, storePass, keyPass);
-        PrivateKey privKey = (PrivateKey)objs.fst;
-        if (keyPass == null) {
-            keyPass = objs.snd;
-        }
-
-        Certificate userCert = keyStore.getCertificate(alias);
-        if (userCert == null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("alias.has.no.public.key.certificate."));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        // Read the certificates in the reply
-        Collection<? extends Certificate> c = cf.generateCertificates(in);
-        if (c.isEmpty()) {
-            throw new Exception(rb.getString("Reply.has.no.certificates"));
-        }
-        Certificate[] replyCerts = c.toArray(new Certificate[c.size()]);
-        Certificate[] newChain;
-        if (replyCerts.length == 1) {
-            // single-cert reply
-            newChain = establishCertChain(userCert, replyCerts[0]);
-        } else {
-            // cert-chain reply (e.g., PKCS#7)
-            newChain = validateReply(alias, userCert, replyCerts);
-        }
-
-        // Now store the newly established chain in the keystore. The new
-        // chain replaces the old one.
-        if (newChain != null) {
-            keyStore.setKeyEntry(alias, privKey,
-                                 (keyPass != null) ? keyPass : storePass,
-                                 newChain);
-            return true;
-        } else {
-            return false;
-        }
-    }
-
-    /**
-     * Imports a certificate and adds it to the list of trusted certificates.
-     *
-     * @return true if the certificate was added, otherwise false.
-     */
-    private boolean addTrustedCert(String alias, InputStream in)
-        throws Exception
-    {
-        if (alias == null) {
-            throw new Exception(rb.getString("Must.specify.alias"));
-        }
-        if (keyStore.containsAlias(alias)) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Certificate.not.imported.alias.alias.already.exists"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        // Read the certificate
-        X509Certificate cert = null;
-        try {
-            cert = (X509Certificate)cf.generateCertificate(in);
-        } catch (ClassCastException | CertificateException ce) {
-            throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
-        }
-
-        // if certificate is self-signed, make sure it verifies
-        boolean selfSigned = false;
-        if (isSelfSigned(cert)) {
-            cert.verify(cert.getPublicKey());
-            selfSigned = true;
-        }
-
-        if (noprompt) {
-            keyStore.setCertificateEntry(alias, cert);
-            return true;
-        }
-
-        // check if cert already exists in keystore
-        String reply = null;
-        String trustalias = keyStore.getCertificateAlias(cert);
-        if (trustalias != null) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Certificate.already.exists.in.keystore.under.alias.trustalias."));
-            Object[] source = {trustalias};
-            System.err.println(form.format(source));
-            reply = getYesNoReply
-                (rb.getString("Do.you.still.want.to.add.it.no."));
-        } else if (selfSigned) {
-            if (trustcacerts && (caks != null) &&
-                    ((trustalias=caks.getCertificateAlias(cert)) != null)) {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Certificate.already.exists.in.system.wide.CA.keystore.under.alias.trustalias."));
-                Object[] source = {trustalias};
-                System.err.println(form.format(source));
-                reply = getYesNoReply
-                        (rb.getString("Do.you.still.want.to.add.it.to.your.own.keystore.no."));
-            }
-            if (trustalias == null) {
-                // Print the cert and ask user if they really want to add
-                // it to their keystore
-                printX509Cert(cert, System.out);
-                reply = getYesNoReply
-                        (rb.getString("Trust.this.certificate.no."));
-            }
-        }
-        if (reply != null) {
-            if ("YES".equals(reply)) {
-                keyStore.setCertificateEntry(alias, cert);
-                return true;
-            } else {
-                return false;
-            }
-        }
-
-        // Try to establish trust chain
-        try {
-            Certificate[] chain = establishCertChain(null, cert);
-            if (chain != null) {
-                keyStore.setCertificateEntry(alias, cert);
-                return true;
-            }
-        } catch (Exception e) {
-            // Print the cert and ask user if they really want to add it to
-            // their keystore
-            printX509Cert(cert, System.out);
-            reply = getYesNoReply
-                (rb.getString("Trust.this.certificate.no."));
-            if ("YES".equals(reply)) {
-                keyStore.setCertificateEntry(alias, cert);
-                return true;
-            } else {
-                return false;
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Prompts user for new password. New password must be different from
-     * old one.
-     *
-     * @param prompt the message that gets prompted on the screen
-     * @param oldPasswd the current (i.e., old) password
-     */
-    private char[] getNewPasswd(String prompt, char[] oldPasswd)
-        throws Exception
-    {
-        char[] entered = null;
-        char[] reentered = null;
-
-        for (int count = 0; count < 3; count++) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("New.prompt."));
-            Object[] source = {prompt};
-            System.err.print(form.format(source));
-            entered = Password.readPassword(System.in);
-            passwords.add(entered);
-            if (entered == null || entered.length < 6) {
-                System.err.println(rb.getString
-                    ("Password.is.too.short.must.be.at.least.6.characters"));
-            } else if (Arrays.equals(entered, oldPasswd)) {
-                System.err.println(rb.getString("Passwords.must.differ"));
-            } else {
-                form = new MessageFormat
-                        (rb.getString("Re.enter.new.prompt."));
-                Object[] src = {prompt};
-                System.err.print(form.format(src));
-                reentered = Password.readPassword(System.in);
-                passwords.add(reentered);
-                if (!Arrays.equals(entered, reentered)) {
-                    System.err.println
-                        (rb.getString("They.don.t.match.Try.again"));
-                } else {
-                    Arrays.fill(reentered, ' ');
-                    return entered;
-                }
-            }
-            if (entered != null) {
-                Arrays.fill(entered, ' ');
-                entered = null;
-            }
-            if (reentered != null) {
-                Arrays.fill(reentered, ' ');
-                reentered = null;
-            }
-        }
-        throw new Exception(rb.getString("Too.many.failures.try.later"));
-    }
-
-    /**
-     * Prompts user for alias name.
-     * @param prompt the {0} of "Enter {0} alias name:  " in prompt line
-     * @returns the string entered by the user, without the \n at the end
-     */
-    private String getAlias(String prompt) throws Exception {
-        if (prompt != null) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Enter.prompt.alias.name."));
-            Object[] source = {prompt};
-            System.err.print(form.format(source));
-        } else {
-            System.err.print(rb.getString("Enter.alias.name."));
-        }
-        return (new BufferedReader(new InputStreamReader(
-                                        System.in))).readLine();
-    }
-
-    /**
-     * Prompts user for an input string from the command line (System.in)
-     * @prompt the prompt string printed
-     * @returns the string entered by the user, without the \n at the end
-     */
-    private String inputStringFromStdin(String prompt) throws Exception {
-        System.err.print(prompt);
-        return (new BufferedReader(new InputStreamReader(
-                                        System.in))).readLine();
-    }
-
-    /**
-     * Prompts user for key password. User may select to choose the same
-     * password (<code>otherKeyPass</code>) as for <code>otherAlias</code>.
-     */
-    private char[] getKeyPasswd(String alias, String otherAlias,
-                                char[] otherKeyPass)
-        throws Exception
-    {
-        int count = 0;
-        char[] keyPass = null;
-
-        do {
-            if (otherKeyPass != null) {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter.key.password.for.alias."));
-                Object[] source = {alias};
-                System.err.println(form.format(source));
-
-                form = new MessageFormat(rb.getString
-                        (".RETURN.if.same.as.for.otherAlias."));
-                Object[] src = {otherAlias};
-                System.err.print(form.format(src));
-            } else {
-                MessageFormat form = new MessageFormat(rb.getString
-                        ("Enter.key.password.for.alias."));
-                Object[] source = {alias};
-                System.err.print(form.format(source));
-            }
-            System.err.flush();
-            keyPass = Password.readPassword(System.in);
-            passwords.add(keyPass);
-            if (keyPass == null) {
-                keyPass = otherKeyPass;
-            }
-            count++;
-        } while ((keyPass == null) && count < 3);
-
-        if (keyPass == null) {
-            throw new Exception(rb.getString("Too.many.failures.try.later"));
-        }
-
-        return keyPass;
-    }
-
-    /**
-     * Prints a certificate in a human readable format.
-     */
-    private void printX509Cert(X509Certificate cert, PrintStream out)
-        throws Exception
-    {
-        /*
-        out.println("Owner: "
-                    + cert.getSubjectDN().toString()
-                    + "\n"
-                    + "Issuer: "
-                    + cert.getIssuerDN().toString()
-                    + "\n"
-                    + "Serial number: " + cert.getSerialNumber().toString(16)
-                    + "\n"
-                    + "Valid from: " + cert.getNotBefore().toString()
-                    + " until: " + cert.getNotAfter().toString()
-                    + "\n"
-                    + "Certificate fingerprints:\n"
-                    + "\t MD5:  " + getCertFingerPrint("MD5", cert)
-                    + "\n"
-                    + "\t SHA1: " + getCertFingerPrint("SHA1", cert));
-        */
-
-        MessageFormat form = new MessageFormat
-                (rb.getString(".PATTERN.printX509Cert"));
-        Object[] source = {cert.getSubjectDN().toString(),
-                        cert.getIssuerDN().toString(),
-                        cert.getSerialNumber().toString(16),
-                        cert.getNotBefore().toString(),
-                        cert.getNotAfter().toString(),
-                        getCertFingerPrint("MD5", cert),
-                        getCertFingerPrint("SHA1", cert),
-                        getCertFingerPrint("SHA-256", cert),
-                        cert.getSigAlgName(),
-                        cert.getVersion()
-                        };
-        out.println(form.format(source));
-
-        if (cert instanceof X509CertImpl) {
-            X509CertImpl impl = (X509CertImpl)cert;
-            X509CertInfo certInfo = (X509CertInfo)impl.get(X509CertImpl.NAME
-                                                           + "." +
-                                                           X509CertImpl.INFO);
-            CertificateExtensions exts = (CertificateExtensions)
-                    certInfo.get(X509CertInfo.EXTENSIONS);
-            if (exts != null) {
-                printExtensions(rb.getString("Extensions."), exts, out);
-            }
-        }
-    }
-
-    private static void printExtensions(String title, CertificateExtensions exts, PrintStream out)
-            throws Exception {
-        int extnum = 0;
-        Iterator<Extension> i1 = exts.getAllExtensions().iterator();
-        Iterator<Extension> i2 = exts.getUnparseableExtensions().values().iterator();
-        while (i1.hasNext() || i2.hasNext()) {
-            Extension ext = i1.hasNext()?i1.next():i2.next();
-            if (extnum == 0) {
-                out.println();
-                out.println(title);
-                out.println();
-            }
-            out.print("#"+(++extnum)+": "+ ext);
-            if (ext.getClass() == Extension.class) {
-                byte[] v = ext.getExtensionValue();
-                if (v.length == 0) {
-                    out.println(rb.getString(".Empty.value."));
-                } else {
-                    new sun.misc.HexDumpEncoder().encodeBuffer(ext.getExtensionValue(), out);
-                    out.println();
-                }
-            }
-            out.println();
-        }
-    }
-
-    /**
-     * Returns true if the certificate is self-signed, false otherwise.
-     */
-    private boolean isSelfSigned(X509Certificate cert) {
-        return signedBy(cert, cert);
-    }
-
-    private boolean signedBy(X509Certificate end, X509Certificate ca) {
-        if (!ca.getSubjectDN().equals(end.getIssuerDN())) {
-            return false;
-        }
-        try {
-            end.verify(ca.getPublicKey());
-            return true;
-        } catch (Exception e) {
-            return false;
-        }
-    }
-
-    /**
-     * Locates a signer for a given certificate from a given keystore and
-     * returns the signer's certificate.
-     * @param cert the certificate whose signer is searched, not null
-     * @param ks the keystore to search with, not null
-     * @return <code>cert</code> itself if it's already inside <code>ks</code>,
-     * or a certificate inside <code>ks</code> who signs <code>cert</code>,
-     * or null otherwise.
-     */
-    private static Certificate getTrustedSigner(Certificate cert, KeyStore ks)
-            throws Exception {
-        if (ks.getCertificateAlias(cert) != null) {
-            return cert;
-        }
-        for (Enumeration<String> aliases = ks.aliases();
-                aliases.hasMoreElements(); ) {
-            String name = aliases.nextElement();
-            Certificate trustedCert = ks.getCertificate(name);
-            if (trustedCert != null) {
-                try {
-                    cert.verify(trustedCert.getPublicKey());
-                    return trustedCert;
-                } catch (Exception e) {
-                    // Not verified, skip to the next one
-                }
-            }
-        }
-        return null;
-    }
-
-    /**
-     * Gets an X.500 name suitable for inclusion in a certification request.
-     */
-    private X500Name getX500Name() throws IOException {
-        BufferedReader in;
-        in = new BufferedReader(new InputStreamReader(System.in));
-        String commonName = "Unknown";
-        String organizationalUnit = "Unknown";
-        String organization = "Unknown";
-        String city = "Unknown";
-        String state = "Unknown";
-        String country = "Unknown";
-        X500Name name;
-        String userInput = null;
-
-        int maxRetry = 20;
-        do {
-            if (maxRetry-- < 0) {
-                throw new RuntimeException(rb.getString(
-                        "Too.many.retries.program.terminated"));
-            }
-            commonName = inputString(in,
-                    rb.getString("What.is.your.first.and.last.name."),
-                    commonName);
-            organizationalUnit = inputString(in,
-                    rb.getString
-                        ("What.is.the.name.of.your.organizational.unit."),
-                    organizationalUnit);
-            organization = inputString(in,
-                    rb.getString("What.is.the.name.of.your.organization."),
-                    organization);
-            city = inputString(in,
-                    rb.getString("What.is.the.name.of.your.City.or.Locality."),
-                    city);
-            state = inputString(in,
-                    rb.getString("What.is.the.name.of.your.State.or.Province."),
-                    state);
-            country = inputString(in,
-                    rb.getString
-                        ("What.is.the.two.letter.country.code.for.this.unit."),
-                    country);
-            name = new X500Name(commonName, organizationalUnit, organization,
-                                city, state, country);
-            MessageFormat form = new MessageFormat
-                (rb.getString("Is.name.correct."));
-            Object[] source = {name};
-            userInput = inputString
-                (in, form.format(source), rb.getString("no"));
-        } while (collator.compare(userInput, rb.getString("yes")) != 0 &&
-                 collator.compare(userInput, rb.getString("y")) != 0);
-
-        System.err.println();
-        return name;
-    }
-
-    private String inputString(BufferedReader in, String prompt,
-                               String defaultValue)
-        throws IOException
-    {
-        System.err.println(prompt);
-        MessageFormat form = new MessageFormat
-                (rb.getString(".defaultValue."));
-        Object[] source = {defaultValue};
-        System.err.print(form.format(source));
-        System.err.flush();
-
-        String value = in.readLine();
-        if (value == null || collator.compare(value, "") == 0) {
-            value = defaultValue;
-        }
-        return value;
-    }
-
-    /**
-     * Writes an X.509 certificate in base64 or binary encoding to an output
-     * stream.
-     */
-    private void dumpCert(Certificate cert, PrintStream out)
-        throws IOException, CertificateException
-    {
-        if (rfc) {
-            BASE64Encoder encoder = new BASE64Encoder();
-            out.println(X509Factory.BEGIN_CERT);
-            encoder.encodeBuffer(cert.getEncoded(), out);
-            out.println(X509Factory.END_CERT);
-        } else {
-            out.write(cert.getEncoded()); // binary
-        }
-    }
-
-    /**
-     * Converts a byte to hex digit and writes to the supplied buffer
-     */
-    private void byte2hex(byte b, StringBuffer buf) {
-        char[] hexChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
-                            '9', 'A', 'B', 'C', 'D', 'E', 'F' };
-        int high = ((b & 0xf0) >> 4);
-        int low = (b & 0x0f);
-        buf.append(hexChars[high]);
-        buf.append(hexChars[low]);
-    }
-
-    /**
-     * Converts a byte array to hex string
-     */
-    private String toHexString(byte[] block) {
-        StringBuffer buf = new StringBuffer();
-        int len = block.length;
-        for (int i = 0; i < len; i++) {
-             byte2hex(block[i], buf);
-             if (i < len-1) {
-                 buf.append(":");
-             }
-        }
-        return buf.toString();
-    }
-
-    /**
-     * Recovers (private) key associated with given alias.
-     *
-     * @return an array of objects, where the 1st element in the array is the
-     * recovered private key, and the 2nd element is the password used to
-     * recover it.
-     */
-    private Pair<Key,char[]> recoverKey(String alias, char[] storePass,
-                                       char[] keyPass)
-        throws Exception
-    {
-        Key key = null;
-
-        if (keyStore.containsAlias(alias) == false) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.does.not.exist"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-        if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class) &&
-                !keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.has.no.key"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        if (keyPass == null) {
-            // Try to recover the key using the keystore password
-            try {
-                key = keyStore.getKey(alias, storePass);
-
-                keyPass = storePass;
-                passwords.add(keyPass);
-            } catch (UnrecoverableKeyException e) {
-                // Did not work out, so prompt user for key password
-                if (!token) {
-                    keyPass = getKeyPasswd(alias, null, null);
-                    key = keyStore.getKey(alias, keyPass);
-                } else {
-                    throw e;
-                }
-            }
-        } else {
-            key = keyStore.getKey(alias, keyPass);
-        }
-
-        return Pair.of(key, keyPass);
-    }
-
-    /**
-     * Recovers entry associated with given alias.
-     *
-     * @return an array of objects, where the 1st element in the array is the
-     * recovered entry, and the 2nd element is the password used to
-     * recover it (null if no password).
-     */
-    private Pair<Entry,char[]> recoverEntry(KeyStore ks,
-                            String alias,
-                            char[] pstore,
-                            char[] pkey) throws Exception {
-
-        if (ks.containsAlias(alias) == false) {
-            MessageFormat form = new MessageFormat
-                (rb.getString("Alias.alias.does.not.exist"));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        PasswordProtection pp = null;
-        Entry entry;
-
-        try {
-            // First attempt to access entry without key password
-            // (PKCS11 entry or trusted certificate entry, for example)
-
-            entry = ks.getEntry(alias, pp);
-            pkey = null;
-        } catch (UnrecoverableEntryException une) {
-
-            if(P11KEYSTORE.equalsIgnoreCase(ks.getType()) ||
-                KeyStoreUtil.isWindowsKeyStore(ks.getType())) {
-                // should not happen, but a possibility
-                throw une;
-            }
-
-            // entry is protected
-
-            if (pkey != null) {
-
-                // try provided key password
-
-                pp = new PasswordProtection(pkey);
-                entry = ks.getEntry(alias, pp);
-
-            } else {
-
-                // try store pass
-
-                try {
-                    pp = new PasswordProtection(pstore);
-                    entry = ks.getEntry(alias, pp);
-                    pkey = pstore;
-                } catch (UnrecoverableEntryException une2) {
-                    if (P12KEYSTORE.equalsIgnoreCase(ks.getType())) {
-
-                        // P12 keystore currently does not support separate
-                        // store and entry passwords
-
-                        throw une2;
-                    } else {
-
-                        // prompt for entry password
-
-                        pkey = getKeyPasswd(alias, null, null);
-                        pp = new PasswordProtection(pkey);
-                        entry = ks.getEntry(alias, pp);
-                    }
-                }
-            }
-        }
-
-        return Pair.of(entry, pkey);
-    }
-    /**
-     * Gets the requested finger print of the certificate.
-     */
-    private String getCertFingerPrint(String mdAlg, Certificate cert)
-        throws Exception
-    {
-        byte[] encCertInfo = cert.getEncoded();
-        MessageDigest md = MessageDigest.getInstance(mdAlg);
-        byte[] digest = md.digest(encCertInfo);
-        return toHexString(digest);
-    }
-
-    /**
-     * Prints warning about missing integrity check.
-     */
-    private void printWarning() {
-        System.err.println();
-        System.err.println(rb.getString
-            (".WARNING.WARNING.WARNING."));
-        System.err.println(rb.getString
-            (".The.integrity.of.the.information.stored.in.your.keystore."));
-        System.err.println(rb.getString
-            (".WARNING.WARNING.WARNING."));
-        System.err.println();
-    }
-
-    /**
-     * Validates chain in certification reply, and returns the ordered
-     * elements of the chain (with user certificate first, and root
-     * certificate last in the array).
-     *
-     * @param alias the alias name
-     * @param userCert the user certificate of the alias
-     * @param replyCerts the chain provided in the reply
-     */
-    private Certificate[] validateReply(String alias,
-                                        Certificate userCert,
-                                        Certificate[] replyCerts)
-        throws Exception
-    {
-        // order the certs in the reply (bottom-up).
-        // we know that all certs in the reply are of type X.509, because
-        // we parsed them using an X.509 certificate factory
-        int i;
-        PublicKey userPubKey = userCert.getPublicKey();
-        for (i=0; i<replyCerts.length; i++) {
-            if (userPubKey.equals(replyCerts[i].getPublicKey())) {
-                break;
-            }
-        }
-        if (i == replyCerts.length) {
-            MessageFormat form = new MessageFormat(rb.getString
-                ("Certificate.reply.does.not.contain.public.key.for.alias."));
-            Object[] source = {alias};
-            throw new Exception(form.format(source));
-        }
-
-        Certificate tmpCert = replyCerts[0];
-        replyCerts[0] = replyCerts[i];
-        replyCerts[i] = tmpCert;
-
-        X509Certificate thisCert = (X509Certificate)replyCerts[0];
-
-        for (i=1; i < replyCerts.length-1; i++) {
-            // find a cert in the reply who signs thisCert
-            int j;
-            for (j=i; j<replyCerts.length; j++) {
-                if (signedBy(thisCert, (X509Certificate)replyCerts[j])) {
-                    tmpCert = replyCerts[i];
-                    replyCerts[i] = replyCerts[j];
-                    replyCerts[j] = tmpCert;
-                    thisCert = (X509Certificate)replyCerts[i];
-                    break;
-                }
-            }
-            if (j == replyCerts.length) {
-                throw new Exception
-                    (rb.getString("Incomplete.certificate.chain.in.reply"));
-            }
-        }
-
-        if (noprompt) {
-            return replyCerts;
-        }
-
-        // do we trust the cert at the top?
-        Certificate topCert = replyCerts[replyCerts.length-1];
-        Certificate root = getTrustedSigner(topCert, keyStore);
-        if (root == null && trustcacerts && caks != null) {
-            root = getTrustedSigner(topCert, caks);
-        }
-        if (root == null) {
-            System.err.println();
-            System.err.println
-                    (rb.getString("Top.level.certificate.in.reply."));
-            printX509Cert((X509Certificate)topCert, System.out);
-            System.err.println();
-            System.err.print(rb.getString(".is.not.trusted."));
-            String reply = getYesNoReply
-                    (rb.getString("Install.reply.anyway.no."));
-            if ("NO".equals(reply)) {
-                return null;
-            }
-        } else {
-            if (root != topCert) {
-                // append the root CA cert to the chain
-                Certificate[] tmpCerts =
-                    new Certificate[replyCerts.length+1];
-                System.arraycopy(replyCerts, 0, tmpCerts, 0,
-                                 replyCerts.length);
-                tmpCerts[tmpCerts.length-1] = root;
-                replyCerts = tmpCerts;
-            }
-        }
-
-        return replyCerts;
-    }
-
-    /**
-     * Establishes a certificate chain (using trusted certificates in the
-     * keystore), starting with the user certificate
-     * and ending at a self-signed certificate found in the keystore.
-     *
-     * @param userCert the user certificate of the alias
-     * @param certToVerify the single certificate provided in the reply
-     */
-    private Certificate[] establishCertChain(Certificate userCert,
-                                             Certificate certToVerify)
-        throws Exception
-    {
-        if (userCert != null) {
-            // Make sure that the public key of the certificate reply matches
-            // the original public key in the keystore
-            PublicKey origPubKey = userCert.getPublicKey();
-            PublicKey replyPubKey = certToVerify.getPublicKey();
-            if (!origPubKey.equals(replyPubKey)) {
-                throw new Exception(rb.getString
-                        ("Public.keys.in.reply.and.keystore.don.t.match"));
-            }
-
-            // If the two certs are identical, we're done: no need to import
-            // anything
-            if (certToVerify.equals(userCert)) {
-                throw new Exception(rb.getString
-                        ("Certificate.reply.and.certificate.in.keystore.are.identical"));
-            }
-        }
-
-        // Build a hash table of all certificates in the keystore.
-        // Use the subject distinguished name as the key into the hash table.
-        // All certificates associated with the same subject distinguished
-        // name are stored in the same hash table entry as a vector.
-        Hashtable<Principal, Vector<Certificate>> certs = null;
-        if (keyStore.size() > 0) {
-            certs = new Hashtable<Principal, Vector<Certificate>>(11);
-            keystorecerts2Hashtable(keyStore, certs);
-        }
-        if (trustcacerts) {
-            if (caks!=null && caks.size()>0) {
-                if (certs == null) {
-                    certs = new Hashtable<Principal, Vector<Certificate>>(11);
-                }
-                keystorecerts2Hashtable(caks, certs);
-            }
-        }
-
-        // start building chain
-        Vector<Certificate> chain = new Vector<>(2);
-        if (buildChain((X509Certificate)certToVerify, chain, certs)) {
-            Certificate[] newChain = new Certificate[chain.size()];
-            // buildChain() returns chain with self-signed root-cert first and
-            // user-cert last, so we need to invert the chain before we store
-            // it
-            int j=0;
-            for (int i=chain.size()-1; i>=0; i--) {
-                newChain[j] = chain.elementAt(i);
-                j++;
-            }
-            return newChain;
-        } else {
-            throw new Exception
-                (rb.getString("Failed.to.establish.chain.from.reply"));
-        }
-    }
-
-    /**
-     * Recursively tries to establish chain from pool of trusted certs.
-     *
-     * @param certToVerify the cert that needs to be verified.
-     * @param chain the chain that's being built.
-     * @param certs the pool of trusted certs
-     *
-     * @return true if successful, false otherwise.
-     */
-    private boolean buildChain(X509Certificate certToVerify,
-                        Vector<Certificate> chain,
-                        Hashtable<Principal, Vector<Certificate>> certs) {
-        Principal issuer = certToVerify.getIssuerDN();
-        if (isSelfSigned(certToVerify)) {
-            // reached self-signed root cert;
-            // no verification needed because it's trusted.
-            chain.addElement(certToVerify);
-            return true;
-        }
-
-        // Get the issuer's certificate(s)
-        Vector<Certificate> vec = certs.get(issuer);
-        if (vec == null) {
-            return false;
-        }
-
-        // Try out each certificate in the vector, until we find one
-        // whose public key verifies the signature of the certificate
-        // in question.
-        for (Enumeration<Certificate> issuerCerts = vec.elements();
-             issuerCerts.hasMoreElements(); ) {
-            X509Certificate issuerCert
-                = (X509Certificate)issuerCerts.nextElement();
-            PublicKey issuerPubKey = issuerCert.getPublicKey();
-            try {
-                certToVerify.verify(issuerPubKey);
-            } catch (Exception e) {
-                continue;
-            }
-            if (buildChain(issuerCert, chain, certs)) {
-                chain.addElement(certToVerify);
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Prompts user for yes/no decision.
-     *
-     * @return the user's decision, can only be "YES" or "NO"
-     */
-    private String getYesNoReply(String prompt)
-        throws IOException
-    {
-        String reply = null;
-        int maxRetry = 20;
-        do {
-            if (maxRetry-- < 0) {
-                throw new RuntimeException(rb.getString(
-                        "Too.many.retries.program.terminated"));
-            }
-            System.err.print(prompt);
-            System.err.flush();
-            reply = (new BufferedReader(new InputStreamReader
-                                        (System.in))).readLine();
-            if (collator.compare(reply, "") == 0 ||
-                collator.compare(reply, rb.getString("n")) == 0 ||
-                collator.compare(reply, rb.getString("no")) == 0) {
-                reply = "NO";
-            } else if (collator.compare(reply, rb.getString("y")) == 0 ||
-                       collator.compare(reply, rb.getString("yes")) == 0) {
-                reply = "YES";
-            } else {
-                System.err.println(rb.getString("Wrong.answer.try.again"));
-                reply = null;
-            }
-        } while (reply == null);
-        return reply;
-    }
-
-    /**
-     * Returns the keystore with the configured CA certificates.
-     */
-    public static KeyStore getCacertsKeyStore()
-        throws Exception
-    {
-        String sep = File.separator;
-        File file = new File(System.getProperty("java.home") + sep
-                             + "lib" + sep + "security" + sep
-                             + "cacerts");
-        if (!file.exists()) {
-            return null;
-        }
-        KeyStore caks = null;
-        try (FileInputStream fis = new FileInputStream(file)) {
-            caks = KeyStore.getInstance(JKS);
-            caks.load(fis, null);
-        }
-        return caks;
-    }
-
-    /**
-     * Stores the (leaf) certificates of a keystore in a hashtable.
-     * All certs belonging to the same CA are stored in a vector that
-     * in turn is stored in the hashtable, keyed by the CA's subject DN
-     */
-    private void keystorecerts2Hashtable(KeyStore ks,
-                Hashtable<Principal, Vector<Certificate>> hash)
-        throws Exception {
-
-        for (Enumeration<String> aliases = ks.aliases();
-                                        aliases.hasMoreElements(); ) {
-            String alias = aliases.nextElement();
-            Certificate cert = ks.getCertificate(alias);
-            if (cert != null) {
-                Principal subjectDN = ((X509Certificate)cert).getSubjectDN();
-                Vector<Certificate> vec = hash.get(subjectDN);
-                if (vec == null) {
-                    vec = new Vector<Certificate>();
-                    vec.addElement(cert);
-                } else {
-                    if (!vec.contains(cert)) {
-                        vec.addElement(cert);
-                    }
-                }
-                hash.put(subjectDN, vec);
-            }
-        }
-    }
-
-    /**
-     * Returns the issue time that's specified the -startdate option
-     * @param s the value of -startdate option
-     */
-    private static Date getStartDate(String s) throws IOException {
-        Calendar c = new GregorianCalendar();
-        if (s != null) {
-            IOException ioe = new IOException(
-                    rb.getString("Illegal.startdate.value"));
-            int len = s.length();
-            if (len == 0) {
-                throw ioe;
-            }
-            if (s.charAt(0) == '-' || s.charAt(0) == '+') {
-                // Form 1: ([+-]nnn[ymdHMS])+
-                int start = 0;
-                while (start < len) {
-                    int sign = 0;
-                    switch (s.charAt(start)) {
-                        case '+': sign = 1; break;
-                        case '-': sign = -1; break;
-                        default: throw ioe;
-                    }
-                    int i = start+1;
-                    for (; i<len; i++) {
-                        char ch = s.charAt(i);
-                        if (ch < '0' || ch > '9') break;
-                    }
-                    if (i == start+1) throw ioe;
-                    int number = Integer.parseInt(s.substring(start+1, i));
-                    if (i >= len) throw ioe;
-                    int unit = 0;
-                    switch (s.charAt(i)) {
-                        case 'y': unit = Calendar.YEAR; break;
-                        case 'm': unit = Calendar.MONTH; break;
-                        case 'd': unit = Calendar.DATE; break;
-                        case 'H': unit = Calendar.HOUR; break;
-                        case 'M': unit = Calendar.MINUTE; break;
-                        case 'S': unit = Calendar.SECOND; break;
-                        default: throw ioe;
-                    }
-                    c.add(unit, sign * number);
-                    start = i + 1;
-                }
-            } else  {
-                // Form 2: [yyyy/mm/dd] [HH:MM:SS]
-                String date = null, time = null;
-                if (len == 19) {
-                    date = s.substring(0, 10);
-                    time = s.substring(11);
-                    if (s.charAt(10) != ' ')
-                        throw ioe;
-                } else if (len == 10) {
-                    date = s;
-                } else if (len == 8) {
-                    time = s;
-                } else {
-                    throw ioe;
-                }
-                if (date != null) {
-                    if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) {
-                        c.set(Integer.valueOf(date.substring(0, 4)),
-                                Integer.valueOf(date.substring(5, 7))-1,
-                                Integer.valueOf(date.substring(8, 10)));
-                    } else {
-                        throw ioe;
-                    }
-                }
-                if (time != null) {
-                    if (time.matches("\\d\\d:\\d\\d:\\d\\d")) {
-                        c.set(Calendar.HOUR_OF_DAY, Integer.valueOf(time.substring(0, 2)));
-                        c.set(Calendar.MINUTE, Integer.valueOf(time.substring(0, 2)));
-                        c.set(Calendar.SECOND, Integer.valueOf(time.substring(0, 2)));
-                        c.set(Calendar.MILLISECOND, 0);
-                    } else {
-                        throw ioe;
-                    }
-                }
-            }
-        }
-        return c.getTime();
-    }
-
-    /**
-     * Match a command (may be abbreviated) with a command set.
-     * @param s the command provided
-     * @param list the legal command set. If there is a null, commands after it
-     * are regarded experimental, which means they are supported but their
-     * existence should not be revealed to user.
-     * @return the position of a single match, or -1 if none matched
-     * @throws Exception if s is ambiguous
-     */
-    private static int oneOf(String s, String... list) throws Exception {
-        int[] match = new int[list.length];
-        int nmatch = 0;
-        int experiment = Integer.MAX_VALUE;
-        for (int i = 0; i<list.length; i++) {
-            String one = list[i];
-            if (one == null) {
-                experiment = i;
-                continue;
-            }
-            if (one.toLowerCase(Locale.ENGLISH)
-                    .startsWith(s.toLowerCase(Locale.ENGLISH))) {
-                match[nmatch++] = i;
-            } else {
-                StringBuffer sb = new StringBuffer();
-                boolean first = true;
-                for (char c: one.toCharArray()) {
-                    if (first) {
-                        sb.append(c);
-                        first = false;
-                    } else {
-                        if (!Character.isLowerCase(c)) {
-                            sb.append(c);
-                        }
-                    }
-                }
-                if (sb.toString().equalsIgnoreCase(s)) {
-                    match[nmatch++] = i;
-                }
-            }
-        }
-        if (nmatch == 0) {
-            return -1;
-        } else if (nmatch == 1) {
-            return match[0];
-        } else {
-            // If multiple matches is in experimental commands, ignore them
-            if (match[1] > experiment) {
-                return match[0];
-            }
-            StringBuffer sb = new StringBuffer();
-            MessageFormat form = new MessageFormat(rb.getString
-                ("command.{0}.is.ambiguous."));
-            Object[] source = {s};
-            sb.append(form.format(source));
-            sb.append("\n    ");
-            for (int i=0; i<nmatch && match[i]<experiment; i++) {
-                sb.append(' ');
-                sb.append(list[match[i]]);
-            }
-            throw new Exception(sb.toString());
-        }
-    }
-
-    /**
-     * Create a GeneralName object from known types
-     * @param t one of 5 known types
-     * @param v value
-     * @return which one
-     */
-    private GeneralName createGeneralName(String t, String v)
-            throws Exception {
-        GeneralNameInterface gn;
-        int p = oneOf(t, "EMAIL", "URI", "DNS", "IP", "OID");
-        if (p < 0) {
-            throw new Exception(rb.getString(
-                    "Unrecognized.GeneralName.type.") + t);
-        }
-        switch (p) {
-            case 0: gn = new RFC822Name(v); break;
-            case 1: gn = new URIName(v); break;
-            case 2: gn = new DNSName(v); break;
-            case 3: gn = new IPAddressName(v); break;
-            default: gn = new OIDName(v); break; //4
-        }
-        return new GeneralName(gn);
-    }
-
-    private static final String[] extSupported = {
-                        "BasicConstraints",
-                        "KeyUsage",
-                        "ExtendedKeyUsage",
-                        "SubjectAlternativeName",
-                        "IssuerAlternativeName",
-                        "SubjectInfoAccess",
-                        "AuthorityInfoAccess",
-                        null,
-                        "CRLDistributionPoints",
-    };
-
-    private ObjectIdentifier findOidForExtName(String type)
-            throws Exception {
-        switch (oneOf(type, extSupported)) {
-            case 0: return PKIXExtensions.BasicConstraints_Id;
-            case 1: return PKIXExtensions.KeyUsage_Id;
-            case 2: return PKIXExtensions.ExtendedKeyUsage_Id;
-            case 3: return PKIXExtensions.SubjectAlternativeName_Id;
-            case 4: return PKIXExtensions.IssuerAlternativeName_Id;
-            case 5: return PKIXExtensions.SubjectInfoAccess_Id;
-            case 6: return PKIXExtensions.AuthInfoAccess_Id;
-            case 8: return PKIXExtensions.CRLDistributionPoints_Id;
-            default: return new ObjectIdentifier(type);
-        }
-    }
-
-    /**
-     * Create X509v3 extensions from a string representation. Note that the
-     * SubjectKeyIdentifierExtension will always be created non-critical besides
-     * the extension requested in the <code>extstr</code> argument.
-     *
-     * @param reqex the requested extensions, can be null, used for -gencert
-     * @param ext the original extensions, can be null, used for -selfcert
-     * @param extstrs -ext values, Read keytool doc
-     * @param pkey the public key for the certificate
-     * @param akey the public key for the authority (issuer)
-     * @return the created CertificateExtensions
-     */
-    private CertificateExtensions createV3Extensions(
-            CertificateExtensions reqex,
-            CertificateExtensions ext,
-            List <String> extstrs,
-            PublicKey pkey,
-            PublicKey akey) throws Exception {
-
-        if (ext != null && reqex != null) {
-            // This should not happen
-            throw new Exception("One of request and original should be null.");
-        }
-        if (ext == null) ext = new CertificateExtensions();
-        try {
-            // name{:critical}{=value}
-            // Honoring requested extensions
-            if (reqex != null) {
-                for(String extstr: extstrs) {
-                    if (extstr.toLowerCase(Locale.ENGLISH).startsWith("honored=")) {
-                        List<String> list = Arrays.asList(
-                                extstr.toLowerCase(Locale.ENGLISH).substring(8).split(","));
-                        // First check existence of "all"
-                        if (list.contains("all")) {
-                            ext = reqex;    // we know ext was null
-                        }
-                        // one by one for others
-                        for (String item: list) {
-                            if (item.equals("all")) continue;
-
-                            // add or remove
-                            boolean add = true;
-                            // -1, unchanged, 0 crtical, 1 non-critical
-                            int action = -1;
-                            String type = null;
-                            if (item.startsWith("-")) {
-                                add = false;
-                                type = item.substring(1);
-                            } else {
-                                int colonpos = item.indexOf(':');
-                                if (colonpos >= 0) {
-                                    type = item.substring(0, colonpos);
-                                    action = oneOf(item.substring(colonpos+1),
-                                            "critical", "non-critical");
-                                    if (action == -1) {
-                                        throw new Exception(rb.getString
-                                            ("Illegal.value.") + item);
-                                    }
-                                }
-                            }
-                            String n = reqex.getNameByOid(findOidForExtName(type));
-                            if (add) {
-                                Extension e = reqex.get(n);
-                                if (!e.isCritical() && action == 0
-                                        || e.isCritical() && action == 1) {
-                                    e = Extension.newExtension(
-                                            e.getExtensionId(),
-                                            !e.isCritical(),
-                                            e.getExtensionValue());
-                                    ext.set(n, e);
-                                }
-                            } else {
-                                ext.delete(n);
-                            }
-                        }
-                        break;
-                    }
-                }
-            }
-            for(String extstr: extstrs) {
-                String name, value;
-                boolean isCritical = false;
-
-                int eqpos = extstr.indexOf('=');
-                if (eqpos >= 0) {
-                    name = extstr.substring(0, eqpos);
-                    value = extstr.substring(eqpos+1);
-                } else {
-                    name = extstr;
-                    value = null;
-                }
-
-                int colonpos = name.indexOf(':');
-                if (colonpos >= 0) {
-                    if (oneOf(name.substring(colonpos+1), "critical") == 0) {
-                        isCritical = true;
-                    }
-                    name = name.substring(0, colonpos);
-                }
-
-                if (name.equalsIgnoreCase("honored")) {
-                    continue;
-                }
-                int exttype = oneOf(name, extSupported);
-                switch (exttype) {
-                    case 0:     // BC
-                        int pathLen = -1;
-                        boolean isCA = false;
-                        if (value == null) {
-                            isCA = true;
-                        } else {
-                            try {   // the abbr format
-                                pathLen = Integer.parseInt(value);
-                                isCA = true;
-                            } catch (NumberFormatException ufe) {
-                                // ca:true,pathlen:1
-                                for (String part: value.split(",")) {
-                                    String[] nv = part.split(":");
-                                    if (nv.length != 2) {
-                                        throw new Exception(rb.getString
-                                                ("Illegal.value.") + extstr);
-                                    } else {
-                                        if (nv[0].equalsIgnoreCase("ca")) {
-                                            isCA = Boolean.parseBoolean(nv[1]);
-                                        } else if (nv[0].equalsIgnoreCase("pathlen")) {
-                                            pathLen = Integer.parseInt(nv[1]);
-                                        } else {
-                                            throw new Exception(rb.getString
-                                                ("Illegal.value.") + extstr);
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                        ext.set(BasicConstraintsExtension.NAME,
-                                new BasicConstraintsExtension(isCritical, isCA,
-                                pathLen));
-                        break;
-                    case 1:     // KU
-                        if(value != null) {
-                            boolean[] ok = new boolean[9];
-                            for (String s: value.split(",")) {
-                                int p = oneOf(s,
-                                       "digitalSignature",  // (0),
-                                       "nonRepudiation",    // (1)
-                                       "keyEncipherment",   // (2),
-                                       "dataEncipherment",  // (3),
-                                       "keyAgreement",      // (4),
-                                       "keyCertSign",       // (5),
-                                       "cRLSign",           // (6),
-                                       "encipherOnly",      // (7),
-                                       "decipherOnly",      // (8)
-                                       "contentCommitment"  // also (1)
-                                       );
-                                if (p < 0) {
-                                    throw new Exception(rb.getString("Unknown.keyUsage.type.") + s);
-                                }
-                                if (p == 9) p = 1;
-                                ok[p] = true;
-                            }
-                            KeyUsageExtension kue = new KeyUsageExtension(ok);
-                            // The above KeyUsageExtension constructor does not
-                            // allow isCritical value, so...
-                            ext.set(KeyUsageExtension.NAME, Extension.newExtension(
-                                    kue.getExtensionId(),
-                                    isCritical,
-                                    kue.getExtensionValue()));
-                        } else {
-                            throw new Exception(rb.getString
-                                    ("Illegal.value.") + extstr);
-                        }
-                        break;
-                    case 2:     // EKU
-                        if(value != null) {
-                            Vector<ObjectIdentifier> v = new Vector<>();
-                            for (String s: value.split(",")) {
-                                int p = oneOf(s,
-                                        "anyExtendedKeyUsage",
-                                        "serverAuth",       //1
-                                        "clientAuth",       //2
-                                        "codeSigning",      //3
-                                        "emailProtection",  //4
-                                        "",                 //5
-                                        "",                 //6
-                                        "",                 //7
-                                        "timeStamping",     //8
-                                        "OCSPSigning"       //9
-                                       );
-                                if (p < 0) {
-                                    try {
-                                        v.add(new ObjectIdentifier(s));
-                                    } catch (Exception e) {
-                                        throw new Exception(rb.getString(
-                                                "Unknown.extendedkeyUsage.type.") + s);
-                                    }
-                                } else if (p == 0) {
-                                    v.add(new ObjectIdentifier("2.5.29.37.0"));
-                                } else {
-                                    v.add(new ObjectIdentifier("1.3.6.1.5.5.7.3." + p));
-                                }
-                            }
-                            ext.set(ExtendedKeyUsageExtension.NAME,
-                                    new ExtendedKeyUsageExtension(isCritical, v));
-                        } else {
-                            throw new Exception(rb.getString
-                                    ("Illegal.value.") + extstr);
-                        }
-                        break;
-                    case 3:     // SAN
-                    case 4:     // IAN
-                        if(value != null) {
-                            String[] ps = value.split(",");
-                            GeneralNames gnames = new GeneralNames();
-                            for(String item: ps) {
-                                colonpos = item.indexOf(':');
-                                if (colonpos < 0) {
-                                    throw new Exception("Illegal item " + item + " in " + extstr);
-                                }
-                                String t = item.substring(0, colonpos);
-                                String v = item.substring(colonpos+1);
-                                gnames.add(createGeneralName(t, v));
-                            }
-                            if (exttype == 3) {
-                                ext.set(SubjectAlternativeNameExtension.NAME,
-                                        new SubjectAlternativeNameExtension(
-                                            isCritical, gnames));
-                            } else {
-                                ext.set(IssuerAlternativeNameExtension.NAME,
-                                        new IssuerAlternativeNameExtension(
-                                            isCritical, gnames));
-                            }
-                        } else {
-                            throw new Exception(rb.getString
-                                    ("Illegal.value.") + extstr);
-                        }
-                        break;
-                    case 5:     // SIA, always non-critical
-                    case 6:     // AIA, always non-critical
-                        if (isCritical) {
-                            throw new Exception(rb.getString(
-                                    "This.extension.cannot.be.marked.as.critical.") + extstr);
-                        }
-                        if(value != null) {
-                            List<AccessDescription> accessDescriptions =
-                                    new ArrayList<>();
-                            String[] ps = value.split(",");
-                            for(String item: ps) {
-                                colonpos = item.indexOf(':');
-                                int colonpos2 = item.indexOf(':', colonpos+1);
-                                if (colonpos < 0 || colonpos2 < 0) {
-                                    throw new Exception(rb.getString
-                                            ("Illegal.value.") + extstr);
-                                }
-                                String m = item.substring(0, colonpos);
-                                String t = item.substring(colonpos+1, colonpos2);
-                                String v = item.substring(colonpos2+1);
-                                int p = oneOf(m,
-                                        "",
-                                        "ocsp",         //1
-                                        "caIssuers",    //2
-                                        "timeStamping", //3
-                                        "",
-                                        "caRepository"  //5
-                                        );
-                                ObjectIdentifier oid;
-                                if (p < 0) {
-                                    try {
-                                        oid = new ObjectIdentifier(m);
-                                    } catch (Exception e) {
-                                        throw new Exception(rb.getString(
-                                                "Unknown.AccessDescription.type.") + m);
-                                    }
-                                } else {
-                                    oid = new ObjectIdentifier("1.3.6.1.5.5.7.48." + p);
-                                }
-                                accessDescriptions.add(new AccessDescription(
-                                        oid, createGeneralName(t, v)));
-                            }
-                            if (exttype == 5) {
-                                ext.set(SubjectInfoAccessExtension.NAME,
-                                        new SubjectInfoAccessExtension(accessDescriptions));
-                            } else {
-                                ext.set(AuthorityInfoAccessExtension.NAME,
-                                        new AuthorityInfoAccessExtension(accessDescriptions));
-                            }
-                        } else {
-                            throw new Exception(rb.getString
-                                    ("Illegal.value.") + extstr);
-                        }
-                        break;
-                    case 8: // CRL, experimental, only support 1 distributionpoint
-                        if(value != null) {
-                            String[] ps = value.split(",");
-                            GeneralNames gnames = new GeneralNames();
-                            for(String item: ps) {
-                                colonpos = item.indexOf(':');
-                                if (colonpos < 0) {
-                                    throw new Exception("Illegal item " + item + " in " + extstr);
-                                }
-                                String t = item.substring(0, colonpos);
-                                String v = item.substring(colonpos+1);
-                                gnames.add(createGeneralName(t, v));
-                            }
-                            ext.set(CRLDistributionPointsExtension.NAME,
-                                    new CRLDistributionPointsExtension(
-                                        isCritical, Collections.singletonList(
-                                        new DistributionPoint(gnames, null, null))));
-                        } else {
-                            throw new Exception(rb.getString
-                                    ("Illegal.value.") + extstr);
-                        }
-                        break;
-                    case -1:
-                        ObjectIdentifier oid = new ObjectIdentifier(name);
-                        byte[] data = null;
-                        if (value != null) {
-                            data = new byte[value.length() / 2 + 1];
-                            int pos = 0;
-                            for (char c: value.toCharArray()) {
-                                int hex;
-                                if (c >= '0' && c <= '9') {
-                                    hex = c - '0' ;
-                                } else if (c >= 'A' && c <= 'F') {
-                                    hex = c - 'A' + 10;
-                                } else if (c >= 'a' && c <= 'f') {
-                                    hex = c - 'a' + 10;
-                                } else {
-                                    continue;
-                                }
-                                if (pos % 2 == 0) {
-                                    data[pos/2] = (byte)(hex << 4);
-                                } else {
-                                    data[pos/2] += hex;
-                                }
-                                pos++;
-                            }
-                            if (pos % 2 != 0) {
-                                throw new Exception(rb.getString(
-                                        "Odd.number.of.hex.digits.found.") + extstr);
-                            }
-                            data = Arrays.copyOf(data, pos/2);
-                        } else {
-                            data = new byte[0];
-                        }
-                        ext.set(oid.toString(), new Extension(oid, isCritical,
-                                new DerValue(DerValue.tag_OctetString, data)
-                                        .toByteArray()));
-                        break;
-                    default:
-                        throw new Exception(rb.getString(
-                                "Unknown.extension.type.") + extstr);
-                }
-            }
-            // always non-critical
-            ext.set(SubjectKeyIdentifierExtension.NAME,
-                    new SubjectKeyIdentifierExtension(
-                        new KeyIdentifier(pkey).getIdentifier()));
-            if (akey != null && !pkey.equals(akey)) {
-                ext.set(AuthorityKeyIdentifierExtension.NAME,
-                        new AuthorityKeyIdentifierExtension(
-                        new KeyIdentifier(akey), null, null));
-            }
-        } catch(IOException e) {
-            throw new RuntimeException(e);
-        }
-        return ext;
-    }
-
-    /**
-     * Prints the usage of this tool.
-     */
-    private void usage() {
-        if (command != null) {
-            System.err.println("keytool " + command +
-                    rb.getString(".OPTION."));
-            System.err.println();
-            System.err.println(rb.getString(command.description));
-            System.err.println();
-            System.err.println(rb.getString("Options."));
-            System.err.println();
-
-            // Left and right sides of the options list
-            String[] left = new String[command.options.length];
-            String[] right = new String[command.options.length];
-
-            // Check if there's an unknown option
-            boolean found = false;
-
-            // Length of left side of options list
-            int lenLeft = 0;
-            for (int j=0; j<left.length; j++) {
-                Option opt = command.options[j];
-                left[j] = opt.toString();
-                if (opt.arg != null) left[j] += " " + opt.arg;
-                if (left[j].length() > lenLeft) {
-                    lenLeft = left[j].length();
-                }
-                right[j] = rb.getString(opt.description);
-            }
-            for (int j=0; j<left.length; j++) {
-                System.err.printf(" %-" + lenLeft + "s  %s\n",
-                        left[j], right[j]);
-            }
-            System.err.println();
-            System.err.println(rb.getString(
-                    "Use.keytool.help.for.all.available.commands"));
-        } else {
-            System.err.println(rb.getString(
-                    "Key.and.Certificate.Management.Tool"));
-            System.err.println();
-            System.err.println(rb.getString("Commands."));
-            System.err.println();
-            for (Command c: Command.values()) {
-                if (c == KEYCLONE) break;
-                System.err.printf(" %-20s%s\n", c, rb.getString(c.description));
-            }
-            System.err.println();
-            System.err.println(rb.getString(
-                    "Use.keytool.command.name.help.for.usage.of.command.name"));
-        }
-    }
-
-    private void tinyHelp() {
-        usage();
-        if (debug) {
-            throw new RuntimeException("NO BIG ERROR, SORRY");
-        } else {
-            System.exit(1);
-        }
-    }
-
-    private void errorNeedArgument(String flag) {
-        Object[] source = {flag};
-        System.err.println(new MessageFormat(
-                rb.getString("Command.option.flag.needs.an.argument.")).format(source));
-        tinyHelp();
-    }
-
-    private char[] getPass(String modifier, String arg) {
-        char[] output = getPassWithModifier(modifier, arg);
-        if (output != null) return output;
-        tinyHelp();
-        return null;    // Useless, tinyHelp() already exits.
-    }
-
-    // This method also used by JarSigner
-    public static char[] getPassWithModifier(String modifier, String arg) {
-        if (modifier == null) {
-            return arg.toCharArray();
-        } else if (collator.compare(modifier, "env") == 0) {
-            String value = System.getenv(arg);
-            if (value == null) {
-                System.err.println(rb.getString(
-                        "Cannot.find.environment.variable.") + arg);
-                return null;
-            } else {
-                return value.toCharArray();
-            }
-        } else if (collator.compare(modifier, "file") == 0) {
-            try {
-                URL url = null;
-                try {
-                    url = new URL(arg);
-                } catch (java.net.MalformedURLException mue) {
-                    File f = new File(arg);
-                    if (f.exists()) {
-                        url = f.toURI().toURL();
-                    } else {
-                        System.err.println(rb.getString(
-                                "Cannot.find.file.") + arg);
-                        return null;
-                    }
-                }
-                BufferedReader br = new BufferedReader(new InputStreamReader(
-                            url.openStream()));
-                String value = br.readLine();
-                br.close();
-                if (value == null) {
-                    return new char[0];
-                } else {
-                    return value.toCharArray();
-                }
-            } catch (IOException ioe) {
-                System.err.println(ioe);
-                return null;
-            }
-        } else {
-            System.err.println(rb.getString("Unknown.password.type.") +
-                    modifier);
-            return null;
-        }
-    }
-}
-
-// This class is exactly the same as com.sun.tools.javac.util.Pair,
-// it's copied here since the original one is not included in JRE.
-class Pair<A, B> {
-
-    public final A fst;
-    public final B snd;
-
-    public Pair(A fst, B snd) {
-        this.fst = fst;
-        this.snd = snd;
-    }
-
-    public String toString() {
-        return "Pair[" + fst + "," + snd + "]";
-    }
-
-    public boolean equals(Object other) {
-        return
-            other instanceof Pair &&
-            Objects.equals(fst, ((Pair)other).fst) &&
-            Objects.equals(snd, ((Pair)other).snd);
-    }
-
-    public int hashCode() {
-        if (fst == null) return (snd == null) ? 0 : snd.hashCode() + 1;
-        else if (snd == null) return fst.hashCode() + 2;
-        else return fst.hashCode() * 17 + snd.hashCode();
-    }
-
-    public static <A,B> Pair<A,B> of(A a, B b) {
-        return new Pair<>(a,b);
-    }
-}
-
--- a/src/share/classes/sun/security/tools/TimestampedSigner.java	Sat Oct 13 10:15:57 2012 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,186 +0,0 @@
-/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.tools;
-
-import java.io.IOException;
-import java.net.URI;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import com.sun.jarsigner.*;
-import sun.security.pkcs.PKCS7;
-import sun.security.util.*;
-import sun.security.x509.*;
-
-/**
- * This class implements a content signing service.
- * It generates a timestamped signature for a given content according to
- * <a href="http://www.ietf.org/rfc/rfc3161.txt">RFC 3161</a>.
- * The signature along with a trusted timestamp and the signer's certificate
- * are all packaged into a standard PKCS #7 Signed Data message.
- *
- * @author Vincent Ryan
- */
-
-public final class TimestampedSigner extends ContentSigner {
-
-    /*
-     * Object identifier for the subject information access X.509 certificate
-     * extension.
-     */
-    private static final String SUBJECT_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.11";
-
-    /*
-     * Object identifier for the timestamping access descriptors.
-     */
-    private static final ObjectIdentifier AD_TIMESTAMPING_Id;
-    static {
-        ObjectIdentifier tmp = null;
-        try {
-            tmp = new ObjectIdentifier("1.3.6.1.5.5.7.48.3");
-        } catch (IOException e) {
-            // ignore
-        }
-        AD_TIMESTAMPING_Id = tmp;
-    }
-
-    /**
-     * Instantiates a content signer that supports timestamped signatures.
-     */
-    public TimestampedSigner() {
-    }
-
-    /**
-     * Generates a PKCS #7 signed data message that includes a signature
-     * timestamp.
-     * This method is used when a signature has already been generated.
-     * The signature, a signature timestamp, the signer's certificate chain,
-     * and optionally the content that was signed, are packaged into a PKCS #7
-     * signed data message.
-     *
-     * @param params The non-null input parameters.
-     * @param omitContent true if the content should be omitted from the
-     *        signed data message. Otherwise the content is included.
-     * @param applyTimestamp true if the signature should be timestamped.
-     *        Otherwise timestamping is not performed.
-     * @return A PKCS #7 signed data message including a signature timestamp.
-     * @throws NoSuchAlgorithmException The exception is thrown if the signature
-     *         algorithm is unrecognised.
-     * @throws CertificateException The exception is thrown if an error occurs
-     *         while processing the signer's certificate or the TSA's
-     *         certificate.
-     * @throws IOException The exception is thrown if an error occurs while
-     *         generating the signature timestamp or while generating the signed
-     *         data message.
-     * @throws NullPointerException The exception is thrown if parameters is
-     *         null.
-     */
-    public byte[] generateSignedData(ContentSignerParameters params,
-        boolean omitContent, boolean applyTimestamp)
-            throws NoSuchAlgorithmException, CertificateException, IOException {
-
-        if (params == null) {
-            throw new NullPointerException();
-        }
-
-        // Parse the signature algorithm to extract the digest
-        // algorithm. The expected format is:
-        //     "<digest>with<encryption>"
-        // or  "<digest>with<encryption>and<mgf>"
-        String signatureAlgorithm = params.getSignatureAlgorithm();
-
-        X509Certificate[] signerChain = params.getSignerCertificateChain();
-        byte[] signature = params.getSignature();
-
-        // Include or exclude content
-        byte[] content = (omitContent == true) ? null : params.getContent();
-
-        URI tsaURI = null;
-        if (applyTimestamp) {
-            tsaURI = params.getTimestampingAuthority();
-            if (tsaURI == null) {
-                // Examine TSA cert
-                tsaURI = getTimestampingURI(
-                    params.getTimestampingAuthorityCertificate());
-                if (tsaURI == null) {
-                    throw new CertificateException(
-                        "Subject Information Access extension not found");
-                }
-            }
-        }
-        return PKCS7.generateSignedData(signature, signerChain, content,
-                                        params.getSignatureAlgorithm(), tsaURI);
-    }
-
-    /**
-     * Examine the certificate for a Subject Information Access extension
-     * (<a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280</a>).
-     * The extension's <tt>accessMethod</tt> field should contain the object
-     * identifier defined for timestamping: 1.3.6.1.5.5.7.48.3 and its
-     * <tt>accessLocation</tt> field should contain an HTTP or HTTPS URL.
-     *
-     * @param tsaCertificate An X.509 certificate for the TSA.
-     * @return An HTTP or HTTPS URI or null if none was found.
-     */
-    public static URI getTimestampingURI(X509Certificate tsaCertificate) {
-
-        if (tsaCertificate == null) {
-            return null;
-        }
-        // Parse the extensions
-        try {
-            byte[] extensionValue =
-                tsaCertificate.getExtensionValue(SUBJECT_INFO_ACCESS_OID);
-            if (extensionValue == null) {
-                return null;
-            }
-            DerInputStream der = new DerInputStream(extensionValue);
-            der = new DerInputStream(der.getOctetString());
-            DerValue[] derValue = der.getSequence(5);
-            AccessDescription description;
-            GeneralName location;
-            URIName uri;
-            for (int i = 0; i < derValue.length; i++) {
-                description = new AccessDescription(derValue[i]);
-                if (description.getAccessMethod()
-                        .equals((Object)AD_TIMESTAMPING_Id)) {
-                    location = description.getAccessLocation();
-                    if (location.getType() == GeneralNameInterface.NAME_URI) {
-                        uri = (URIName) location.getName();
-                        if (uri.getScheme().equalsIgnoreCase("http") ||
-                                uri.getScheme().equalsIgnoreCase("https")) {
-                            return uri.getURI();
-                        }
-                    }
-                }
-            }
-        } catch (IOException ioe) {
-            // ignore
-        }
-        return null;
-    }
-}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java	Sun Oct 14 22:58:59 2012 +0100
@@ -0,0 +1,2469 @@
+/*
+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.tools.jarsigner;
+
+import java.io.*;
+import java.util.*;
+import java.util.zip.*;
+import java.util.jar.*;
+import java.math.BigInteger;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.text.Collator;
+import java.text.MessageFormat;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+import java.security.*;
+import java.lang.reflect.Constructor;
+
+import com.sun.jarsigner.ContentSigner;
+import com.sun.jarsigner.ContentSignerParameters;
+import java.net.SocketTimeoutException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.util.Map.Entry;
+import sun.security.tools.KeyStoreUtil;
+import sun.security.tools.PathList;
+import sun.security.x509.*;
+import sun.security.util.*;
+import sun.misc.BASE64Encoder;
+
+
+/**
+ * <p>The jarsigner utility.
+ *
+ * The exit codes for the main method are:
+ *
+ * 0: success
+ * 1: any error that the jar cannot be signed or verified, including:
+ *      keystore loading error
+ *      TSP communication error
+ *      jarsigner command line error...
+ * otherwise: error codes from -strict
+ *
+ * @author Roland Schemers
+ * @author Jan Luehe
+ */
+
+public class Main {
+
+    // for i18n
+    private static final java.util.ResourceBundle rb =
+        java.util.ResourceBundle.getBundle
+        ("sun.security.tools.jarsigner.Resources");
+    private static final Collator collator = Collator.getInstance();
+    static {
+        // this is for case insensitive string comparisions
+        collator.setStrength(Collator.PRIMARY);
+    }
+
+    private static final String META_INF = "META-INF/";
+
+    // prefix for new signature-related files in META-INF directory
+    private static final String SIG_PREFIX = META_INF + "SIG-";
+
+    private static final Class[] PARAM_STRING = { String.class };
+
+    private static final String NONE = "NONE";
+    private static final String P11KEYSTORE = "PKCS11";
+
+    private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
+
+    // Attention:
+    // This is the entry that get launched by the security tool jarsigner.
+    public static void main(String args[]) throws Exception {
+        Main js = new Main();
+        js.run(args);
+    }
+
+    static final String VERSION = "1.0";
+
+    static final int IN_KEYSTORE = 0x01;        // signer is in keystore
+    static final int IN_SCOPE = 0x02;
+    static final int NOT_ALIAS = 0x04;          // alias list is NOT empty and
+                                                // signer is not in alias list
+    static final int SIGNED_BY_ALIAS = 0x08;    // signer is in alias list
+
+    X509Certificate[] certChain;    // signer's cert chain (when composing)
+    PrivateKey privateKey;          // private key
+    KeyStore store;                 // the keystore specified by -keystore
+                                    // or the default keystore, never null
+
+    String keystore; // key store file
+    boolean nullStream = false; // null keystore input stream (NONE)
+    boolean token = false; // token-based keystore
+    String jarfile;  // jar files to sign or verify
+    String alias;    // alias to sign jar with
+    List<String> ckaliases = new ArrayList<>(); // aliases in -verify
+    char[] storepass; // keystore password
+    boolean protectedPath; // protected authentication path
+    String storetype; // keystore type
+    String providerName; // provider name
+    Vector<String> providers = null; // list of providers
+    // arguments for provider constructors
+    HashMap<String,String> providerArgs = new HashMap<>();
+    char[] keypass; // private key password
+    String sigfile; // name of .SF file
+    String sigalg; // name of signature algorithm
+    String digestalg = "SHA-256"; // name of digest algorithm
+    String signedjar; // output filename
+    String tsaUrl; // location of the Timestamping Authority
+    String tsaAlias; // alias for the Timestamping Authority's certificate
+    String altCertChain; // file to read alternative cert chain from
+    boolean verify = false; // verify the jar
+    String verbose = null; // verbose output when signing/verifying
+    boolean showcerts = false; // show certs when verifying
+    boolean debug = false; // debug
+    boolean signManifest = true; // "sign" the whole manifest
+    boolean externalSF = true; // leave the .SF out of the PKCS7 block
+    boolean strict = false;  // treat warnings as error
+
+    // read zip entry raw bytes
+    private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
+    private byte[] buffer = new byte[8192];
+    private ContentSigner signingMechanism = null;
+    private String altSignerClass = null;
+    private String altSignerClasspath = null;
+    private ZipFile zipFile = null;
+
+    private boolean hasExpiredCert = false;
+    private boolean hasExpiringCert = false;
+    private boolean notYetValidCert = false;
+    private boolean chainNotValidated = false;
+    private boolean notSignedByAlias = false;
+    private boolean aliasNotInStore = false;
+    private boolean hasUnsignedEntry = false;
+    private boolean badKeyUsage = false;
+    private boolean badExtendedKeyUsage = false;
+    private boolean badNetscapeCertType = false;
+
+    CertificateFactory certificateFactory;
+    CertPathValidator validator;
+    PKIXParameters pkixParameters;
+
+    public void run(String args[]) {
+        try {
+            parseArgs(args);
+
+            // Try to load and install the specified providers
+            if (providers != null) {
+                ClassLoader cl = ClassLoader.getSystemClassLoader();
+                Enumeration<String> e = providers.elements();
+                while (e.hasMoreElements()) {
+                    String provName = e.nextElement();
+                    Class<?> provClass;
+                    if (cl != null) {
+                        provClass = cl.loadClass(provName);
+                    } else {
+                        provClass = Class.forName(provName);
+                    }
+
+                    String provArg = providerArgs.get(provName);
+                    Object obj;
+                    if (provArg == null) {
+                        obj = provClass.newInstance();
+                    } else {
+                        Constructor<?> c =
+                                provClass.getConstructor(PARAM_STRING);
+                        obj = c.newInstance(provArg);
+                    }
+
+                    if (!(obj instanceof Provider)) {
+                        MessageFormat form = new MessageFormat(rb.getString
+                            ("provName.not.a.provider"));
+                        Object[] source = {provName};
+                        throw new Exception(form.format(source));
+                    }
+                    Security.addProvider((Provider)obj);
+                }
+            }
+
+            if (verify) {
+                try {
+                    loadKeyStore(keystore, false);
+                } catch (Exception e) {
+                    if ((keystore != null) || (storepass != null)) {
+                        System.out.println(rb.getString("jarsigner.error.") +
+                                        e.getMessage());
+                        System.exit(1);
+                    }
+                }
+                /*              if (debug) {
+                    SignatureFileVerifier.setDebug(true);
+                    ManifestEntryVerifier.setDebug(true);
+                }
+                */
+                verifyJar(jarfile);
+            } else {
+                loadKeyStore(keystore, true);
+                getAliasInfo(alias);
+
+                // load the alternative signing mechanism
+                if (altSignerClass != null) {
+                    signingMechanism = loadSigningMechanism(altSignerClass,
+                        altSignerClasspath);
+                }
+                signJar(jarfile, alias, args);
+            }
+        } catch (Exception e) {
+            System.out.println(rb.getString("jarsigner.error.") + e);
+            if (debug) {
+                e.printStackTrace();
+            }
+            System.exit(1);
+        } finally {
+            // zero-out private key password
+            if (keypass != null) {
+                Arrays.fill(keypass, ' ');
+                keypass = null;
+            }
+            // zero-out keystore password
+            if (storepass != null) {
+                Arrays.fill(storepass, ' ');
+                storepass = null;
+            }
+        }
+
+        if (strict) {
+            int exitCode = 0;
+            if (hasExpiringCert) {
+                exitCode |= 2;
+            }
+            if (chainNotValidated || hasExpiredCert || notYetValidCert) {
+                exitCode |= 4;
+            }
+            if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
+                exitCode |= 8;
+            }
+            if (hasUnsignedEntry) {
+                exitCode |= 16;
+            }
+            if (notSignedByAlias || aliasNotInStore) {
+                exitCode |= 32;
+            }
+            if (exitCode != 0) {
+                System.exit(exitCode);
+            }
+        }
+    }
+
+    /*
+     * Parse command line arguments.
+     */
+    void parseArgs(String args[]) {
+        /* parse flags */
+        int n = 0;
+
+        if (args.length == 0) fullusage();
+        for (n=0; n < args.length; n++) {
+
+            String flags = args[n];
+            String modifier = null;
+            if (flags.charAt(0) == '-') {
+                int pos = flags.indexOf(':');
+                if (pos > 0) {
+                    modifier = flags.substring(pos+1);
+                    flags = flags.substring(0, pos);
+                }
+            }
+
+            if (collator.compare(flags, "-keystore") == 0) {
+                if (++n == args.length) usageNoArg();
+                keystore = args[n];
+            } else if (collator.compare(flags, "-storepass") ==0) {
+                if (++n == args.length) usageNoArg();
+                storepass = getPass(modifier, args[n]);
+            } else if (collator.compare(flags, "-storetype") ==0) {
+                if (++n == args.length) usageNoArg();
+                storetype = args[n];
+            } else if (collator.compare(flags, "-providerName") ==0) {
+                if (++n == args.length) usageNoArg();
+                providerName = args[n];
+            } else if ((collator.compare(flags, "-provider") == 0) ||
+                        (collator.compare(flags, "-providerClass") == 0)) {
+                if (++n == args.length) usageNoArg();
+                if (providers == null) {
+                    providers = new Vector<String>(3);
+                }
+                providers.add(args[n]);
+
+                if (args.length > (n+1)) {
+                    flags = args[n+1];
+                    if (collator.compare(flags, "-providerArg") == 0) {
+                        if (args.length == (n+2)) usageNoArg();
+                        providerArgs.put(args[n], args[n+2]);
+                        n += 2;
+                    }
+                }
+            } else if (collator.compare(flags, "-protected") ==0) {
+                protectedPath = true;
+            } else if (collator.compare(flags, "-certchain") ==0) {
+                if (++n == args.length) usageNoArg();
+                altCertChain = args[n];
+            } else if (collator.compare(flags, "-debug") ==0) {
+                debug = true;
+            } else if (collator.compare(flags, "-keypass") ==0) {
+                if (++n == args.length) usageNoArg();
+                keypass = getPass(modifier, args[n]);
+            } else if (collator.compare(flags, "-sigfile") ==0) {
+                if (++n == args.length) usageNoArg();
+                sigfile = args[n];
+            } else if (collator.compare(flags, "-signedjar") ==0) {
+                if (++n == args.length) usageNoArg();
+                signedjar = args[n];
+            } else if (collator.compare(flags, "-tsa") ==0) {
+                if (++n == args.length) usageNoArg();
+                tsaUrl = args[n];
+            } else if (collator.compare(flags, "-tsacert") ==0) {
+                if (++n == args.length) usageNoArg();
+                tsaAlias = args[n];
+            } else if (collator.compare(flags, "-altsigner") ==0) {
+                if (++n == args.length) usageNoArg();
+                altSignerClass = args[n];
+            } else if (collator.compare(flags, "-altsignerpath") ==0) {
+                if (++n == args.length) usageNoArg();
+                altSignerClasspath = args[n];
+            } else if (collator.compare(flags, "-sectionsonly") ==0) {
+                signManifest = false;
+            } else if (collator.compare(flags, "-internalsf") ==0) {
+                externalSF = false;
+            } else if (collator.compare(flags, "-verify") ==0) {
+                verify = true;
+            } else if (collator.compare(flags, "-verbose") ==0) {
+                verbose = (modifier != null) ? modifier : "all";
+            } else if (collator.compare(flags, "-sigalg") ==0) {
+                if (++n == args.length) usageNoArg();
+                sigalg = args[n];
+            } else if (collator.compare(flags, "-digestalg") ==0) {
+                if (++n == args.length) usageNoArg();
+                digestalg = args[n];
+            } else if (collator.compare(flags, "-certs") ==0) {
+                showcerts = true;
+            } else if (collator.compare(flags, "-strict") ==0) {
+                strict = true;
+            } else if (collator.compare(flags, "-h") == 0 ||
+                        collator.compare(flags, "-help") == 0) {
+                fullusage();
+            } else {
+                if (!flags.startsWith("-")) {
+                    if (jarfile == null) {
+                        jarfile = flags;
+                    } else {
+                        alias = flags;
+                        ckaliases.add(alias);
+                    }
+                } else {
+                    System.err.println(
+                            rb.getString("Illegal.option.") + flags);
+                    usage();
+                }
+            }
+        }
+
+        // -certs must always be specified with -verbose
+        if (verbose == null) showcerts = false;
+
+        if (jarfile == null) {
+            System.err.println(rb.getString("Please.specify.jarfile.name"));
+            usage();
+        }
+        if (!verify && alias == null) {
+            System.err.println(rb.getString("Please.specify.alias.name"));
+            usage();
+        }
+        if (!verify && ckaliases.size() > 1) {
+            System.err.println(rb.getString("Only.one.alias.can.be.specified"));
+            usage();
+        }
+
+        if (storetype == null) {
+            storetype = KeyStore.getDefaultType();
+        }
+        storetype = KeyStoreUtil.niceStoreTypeName(storetype);
+
+        try {
+            if (signedjar != null && new File(signedjar).getCanonicalPath().equals(
+                    new File(jarfile).getCanonicalPath())) {
+                signedjar = null;
+            }
+        } catch (IOException ioe) {
+            // File system error?
+            // Just ignore it.
+        }
+
+        if (P11KEYSTORE.equalsIgnoreCase(storetype) ||
+                KeyStoreUtil.isWindowsKeyStore(storetype)) {
+            token = true;
+            if (keystore == null) {
+                keystore = NONE;
+            }
+        }
+
+        if (NONE.equals(keystore)) {
+            nullStream = true;
+        }
+
+        if (token && !nullStream) {
+            System.err.println(MessageFormat.format(rb.getString
+                (".keystore.must.be.NONE.if.storetype.is.{0}"), storetype));
+            usage();
+        }
+
+        if (token && keypass != null) {
+            System.err.println(MessageFormat.format(rb.getString
+                (".keypass.can.not.be.specified.if.storetype.is.{0}"), storetype));
+            usage();
+        }
+
+        if (protectedPath) {
+            if (storepass != null || keypass != null) {
+                System.err.println(rb.getString
+                        ("If.protected.is.specified.then.storepass.and.keypass.must.not.be.specified"));
+                usage();
+            }
+        }
+        if (KeyStoreUtil.isWindowsKeyStore(storetype)) {
+            if (storepass != null || keypass != null) {
+                System.err.println(rb.getString
+                        ("If.keystore.is.not.password.protected.then.storepass.and.keypass.must.not.be.specified"));
+                usage();
+            }
+        }
+    }
+
+    static char[] getPass(String modifier, String arg) {
+        char[] output = KeyStoreUtil.getPassWithModifier(modifier, arg, rb);
+        if (output != null) return output;
+        usage();
+        return null;    // Useless, usage() already exit
+    }
+
+    static void usageNoArg() {
+        System.out.println(rb.getString("Option.lacks.argument"));
+        usage();
+    }
+
+    static void usage() {
+        System.out.println();
+        System.out.println(rb.getString("Please.type.jarsigner.help.for.usage"));
+        System.exit(1);
+    }
+
+    static void fullusage() {
+        System.out.println(rb.getString
+                ("Usage.jarsigner.options.jar.file.alias"));
+        System.out.println(rb.getString
+                (".jarsigner.verify.options.jar.file.alias."));
+        System.out.println();
+        System.out.println(rb.getString
+                (".keystore.url.keystore.location"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".storepass.password.password.for.keystore.integrity"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".storetype.type.keystore.type"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".keypass.password.password.for.private.key.if.different."));
+        System.out.println();
+        System.out.println(rb.getString
+                (".certchain.file.name.of.alternative.certchain.file"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".sigfile.file.name.of.SF.DSA.file"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".signedjar.file.name.of.signed.JAR.file"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".digestalg.algorithm.name.of.digest.algorithm"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".sigalg.algorithm.name.of.signature.algorithm"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".verify.verify.a.signed.JAR.file"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".verbose.suboptions.verbose.output.when.signing.verifying."));
+        System.out.println(rb.getString
+                (".suboptions.can.be.all.grouped.or.summary"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".certs.display.certificates.when.verbose.and.verifying"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".tsa.url.location.of.the.Timestamping.Authority"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".tsacert.alias.public.key.certificate.for.Timestamping.Authority"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".altsigner.class.class.name.of.an.alternative.signing.mechanism"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".altsignerpath.pathlist.location.of.an.alternative.signing.mechanism"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".internalsf.include.the.SF.file.inside.the.signature.block"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".sectionsonly.don.t.compute.hash.of.entire.manifest"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".protected.keystore.has.protected.authentication.path"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".providerName.name.provider.name"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".providerClass.class.name.of.cryptographic.service.provider.s"));
+        System.out.println(rb.getString
+                (".providerArg.arg.master.class.file.and.constructor.argument"));
+        System.out.println();
+        System.out.println(rb.getString
+                (".strict.treat.warnings.as.errors"));
+        System.out.println();
+
+        System.exit(0);
+    }
+
+    void verifyJar(String jarName)
+        throws Exception
+    {
+        boolean anySigned = false;  // if there exists entry inside jar signed
+        JarFile jf = null;
+
+        try {
+            jf = new JarFile(jarName, true);
+            Vector<JarEntry> entriesVec = new Vector<>();
+            byte[] buffer = new byte[8192];
+
+            Enumeration<JarEntry> entries = jf.entries();
+            while (entries.hasMoreElements()) {
+                JarEntry je = entries.nextElement();
+                entriesVec.addElement(je);
+                InputStream is = null;
+                try {
+                    is = jf.getInputStream(je);
+                    int n;
+                    while ((n = is.read(buffer, 0, buffer.length)) != -1) {
+                        // we just read. this will throw a SecurityException
+                        // if  a signature/digest check fails.
+                    }
+                } finally {
+                    if (is != null) {
+                        is.close();
+                    }
+                }
+            }
+
+            Manifest man = jf.getManifest();
+
+            // The map to record display info, only used when -verbose provided
+            //      key: signer info string
+            //      value: the list of files with common key
+            Map<String,List<String>> output = new LinkedHashMap<>();
+
+            if (man != null) {
+                if (verbose != null) System.out.println();
+                Enumeration<JarEntry> e = entriesVec.elements();
+
+                String tab = rb.getString("6SPACE");
+
+                while (e.hasMoreElements()) {
+                    JarEntry je = e.nextElement();
+                    String name = je.getName();
+                    CodeSigner[] signers = je.getCodeSigners();
+                    boolean isSigned = (signers != null);
+                    anySigned |= isSigned;
+                    hasUnsignedEntry |= !je.isDirectory() && !isSigned
+                                        && !signatureRelated(name);
+
+                    int inStoreOrScope = inKeyStore(signers);
+
+                    boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
+                    boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
+
+                    notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
+                    if (keystore != null) {
+                        aliasNotInStore |= isSigned && (!inStore && !inScope);
+                    }
+
+                    // Only used when -verbose provided
+                    StringBuffer sb = null;
+                    if (verbose != null) {
+                        sb = new StringBuffer();
+                        boolean inManifest =
+                            ((man.getAttributes(name) != null) ||
+                             (man.getAttributes("./"+name) != null) ||
+                             (man.getAttributes("/"+name) != null));
+                        sb.append(
+                          (isSigned ? rb.getString("s") : rb.getString("SPACE")) +
+                          (inManifest ? rb.getString("m") : rb.getString("SPACE")) +
+                          (inStore ? rb.getString("k") : rb.getString("SPACE")) +
+                          (inScope ? rb.getString("i") : rb.getString("SPACE")) +
+                          ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
+                          rb.getString("SPACE"));
+                        sb.append("|");
+                    }
+
+                    // When -certs provided, display info has extra empty
+                    // lines at the beginning and end.
+                    if (isSigned) {
+                        if (showcerts) sb.append('\n');
+                        for (CodeSigner signer: signers) {
+                            // signerInfo() must be called even if -verbose
+                            // not provided. The method updates various
+                            // warning flags.
+                            String si = signerInfo(signer, tab);
+                            if (showcerts) {
+                                sb.append(si);
+                                sb.append('\n');
+                            }
+                        }
+                    } else if (showcerts && !verbose.equals("all")) {
+                        // Print no info for unsigned entries when -verbose:all,
+                        // to be consistent with old behavior.
+                        if (signatureRelated(name)) {
+                            sb.append("\n" + tab + rb.getString(
+                                    ".Signature.related.entries.") + "\n\n");
+                        } else {
+                            sb.append("\n" + tab + rb.getString(
+                                    ".Unsigned.entries.") + "\n\n");
+                        }
+                    }
+
+                    if (verbose != null) {
+                        String label = sb.toString();
+                        if (signatureRelated(name)) {
+                            // Entries inside META-INF and other unsigned
+                            // entries are grouped separately.
+                            label = "-" + label;
+                        }
+
+                        // The label finally contains 2 parts separated by '|':
+                        // The legend displayed before the entry names, and
+                        // the cert info (if -certs specfied).
+
+                        if (!output.containsKey(label)) {
+                            output.put(label, new ArrayList<String>());
+                        }
+
+                        StringBuffer fb = new StringBuffer();
+                        String s = Long.toString(je.getSize());
+                        for (int i = 6 - s.length(); i > 0; --i) {
+                            fb.append(' ');
+                        }
+                        fb.append(s).append(' ').
+                                append(new Date(je.getTime()).toString());
+                        fb.append(' ').append(name);
+
+                        output.get(label).add(fb.toString());
+                    }
+                }
+            }
+            if (verbose != null) {
+                for (Entry<String,List<String>> s: output.entrySet()) {
+                    List<String> files = s.getValue();
+                    String key = s.getKey();
+                    if (key.charAt(0) == '-') { // the signature-related group
+                        key = key.substring(1);
+                    }
+                    int pipe = key.indexOf('|');
+                    if (verbose.equals("all")) {
+                        for (String f: files) {
+                            System.out.println(key.substring(0, pipe) + f);
+                            System.out.printf(key.substring(pipe+1));
+                        }
+                    } else {
+                        if (verbose.equals("grouped")) {
+                            for (String f: files) {
+                                System.out.println(key.substring(0, pipe) + f);
+                            }
+                        } else if (verbose.equals("summary")) {
+                            System.out.print(key.substring(0, pipe));
+                            if (files.size() > 1) {
+                                System.out.println(files.get(0) + " " +
+                                        String.format(rb.getString(
+                                        ".and.d.more."), files.size()-1));
+                            } else {
+                                System.out.println(files.get(0));
+                            }
+                        }
+                        System.out.printf(key.substring(pipe+1));
+                    }
+                }
+                System.out.println();
+                System.out.println(rb.getString(
+                    ".s.signature.was.verified."));
+                System.out.println(rb.getString(
+                    ".m.entry.is.listed.in.manifest"));
+                System.out.println(rb.getString(
+                    ".k.at.least.one.certificate.was.found.in.keystore"));
+                System.out.println(rb.getString(
+                    ".i.at.least.one.certificate.was.found.in.identity.scope"));
+                if (ckaliases.size() > 0) {
+                    System.out.println(rb.getString(
+                        ".X.not.signed.by.specified.alias.es."));
+                }
+                System.out.println();
+            }
+            if (man == null)
+                System.out.println(rb.getString("no.manifest."));
+
+            if (!anySigned) {
+                System.out.println(rb.getString(
+                      "jar.is.unsigned.signatures.missing.or.not.parsable."));