From ff2fa308194dea4685a499f9ba39228cb056639c Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Fri, 28 Oct 2016 21:33:09 +0300 Subject: [PATCH 001/269] 8165543: Better window framing Reviewed-by: prr, ssadetsky, mschoene --- .../windows/native/libawt/windows/awt.h | 48 +++++++----- .../native/libawt/windows/awt_Button.cpp | 10 +-- .../native/libawt/windows/awt_Canvas.cpp | 11 +-- .../native/libawt/windows/awt_Checkbox.cpp | 11 ++- .../native/libawt/windows/awt_Choice.cpp | 13 +--- .../native/libawt/windows/awt_Component.cpp | 69 ++++++++++------ .../native/libawt/windows/awt_Component.h | 1 + .../native/libawt/windows/awt_Dialog.cpp | 5 +- .../native/libawt/windows/awt_FileDialog.cpp | 2 +- .../native/libawt/windows/awt_Frame.cpp | 10 +-- .../native/libawt/windows/awt_Label.cpp | 5 +- .../native/libawt/windows/awt_List.cpp | 9 +-- .../native/libawt/windows/awt_ScrollPane.cpp | 6 +- .../native/libawt/windows/awt_Scrollbar.cpp | 78 +++++++++++++++---- .../native/libawt/windows/awt_Scrollbar.h | 2 + .../native/libawt/windows/awt_TextArea.cpp | 3 - .../libawt/windows/awt_TextComponent.cpp | 3 +- .../native/libawt/windows/awt_TextField.cpp | 3 - .../native/libawt/windows/awt_Window.cpp | 3 - 19 files changed, 167 insertions(+), 125 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt.h index 0a84f65e0a..90c9fe329b 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt.h @@ -57,15 +57,6 @@ typedef AwtObject* PDATA; } \ } -#define JNI_CHECK_PEER_GOTO(peer, where) { \ - JNI_CHECK_NULL_GOTO(peer, "peer", where); \ - pData = JNI_GET_PDATA(peer); \ - if (pData == NULL) { \ - THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ - goto where; \ - } \ -} - #define JNI_CHECK_NULL_RETURN(obj, msg) { \ if (obj == NULL) { \ env->ExceptionClear(); \ @@ -74,15 +65,6 @@ typedef AwtObject* PDATA; } \ } -#define JNI_CHECK_PEER_RETURN(peer) { \ - JNI_CHECK_NULL_RETURN(peer, "peer"); \ - pData = JNI_GET_PDATA(peer); \ - if (pData == NULL) { \ - THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ - return; \ - } \ -} - #define JNI_CHECK_PEER_CREATION_RETURN(peer) { \ if (peer == NULL ) { \ return; \ @@ -109,6 +91,33 @@ typedef AwtObject* PDATA; } \ } +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ +#define JNI_CHECK_PEER_GOTO(peer, where) { \ + JNI_CHECK_NULL_GOTO(peer, "peer", where); \ + pData = JNI_GET_PDATA(peer); \ + if (pData == NULL) { \ + THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ + goto where; \ + } \ +} + +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ +#define JNI_CHECK_PEER_RETURN(peer) { \ + JNI_CHECK_NULL_RETURN(peer, "peer"); \ + pData = JNI_GET_PDATA(peer); \ + if (pData == NULL) { \ + THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ + return; \ + } \ +} + +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ #define JNI_CHECK_PEER_RETURN_NULL(peer) { \ JNI_CHECK_NULL_RETURN_NULL(peer, "peer"); \ pData = JNI_GET_PDATA(peer); \ @@ -118,6 +127,9 @@ typedef AwtObject* PDATA; } \ } +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ #define JNI_CHECK_PEER_RETURN_VAL(peer, val) { \ JNI_CHECK_NULL_RETURN_VAL(peer, "peer", val); \ pData = JNI_GET_PDATA(peer); \ diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp index e76582bf36..1a7a89fdef 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp @@ -65,6 +65,7 @@ LPCTSTR AwtButton::GetClassName() { /* Create a new AwtButton object and window. */ AwtButton* AwtButton::Create(jobject self, jobject parent) { + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); /* the result */ @@ -88,7 +89,6 @@ AwtButton* AwtButton::Create(jobject self, jobject parent) JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "awtParent", done); target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "target", done); @@ -375,9 +375,6 @@ Java_sun_awt_windows_WButtonPeer_setLabel(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - SetLabelStruct *sls = new SetLabelStruct; sls->button = env->NewGlobalRef(self); sls->label = (label != NULL) ? (jstring)env->NewGlobalRef(label) : NULL; @@ -399,14 +396,9 @@ Java_sun_awt_windows_WButtonPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); - AwtToolkit::CreateComponent( self, parent, (AwtToolkit::ComponentFactory)AwtButton::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); - CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp index fba055cb49..a152b8ebbd 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp @@ -59,6 +59,7 @@ LPCTSTR AwtCanvas::GetClassName() { */ AwtCanvas* AwtCanvas::Create(jobject self, jobject hParent) { + DASSERT(AwtToolkit::IsMainThread()); TRY; JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); @@ -74,12 +75,11 @@ AwtCanvas* AwtCanvas::Create(jobject self, jobject hParent) return NULL; } + PDATA pData; AwtComponent* parent; - JNI_CHECK_NULL_GOTO(hParent, "null hParent", done); - - parent = (AwtComponent*)JNI_GET_PDATA(hParent); - JNI_CHECK_NULL_GOTO(parent, "null parent", done); + JNI_CHECK_PEER_GOTO(hParent, done); + parent = (AwtCanvas*)pData; target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -236,12 +236,9 @@ Java_sun_awt_windows_WCanvasPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtCanvas::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp index 8e18d79eaa..d77ebb74a3 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp @@ -70,6 +70,7 @@ LPCTSTR AwtCheckbox::GetClassName() { AwtCheckbox* AwtCheckbox::Create(jobject peer, jobject parent) { + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); jstring label = NULL; @@ -81,11 +82,10 @@ AwtCheckbox* AwtCheckbox::Create(jobject peer, jobject parent) return NULL; } + PDATA pData; AwtComponent* awtParent; - JNI_CHECK_NULL_GOTO(parent, "null parent", done); - - awtParent = (AwtComponent*)JNI_GET_PDATA(parent); - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); + JNI_CHECK_PEER_GOTO(parent, done); + awtParent = (AwtCanvas*)pData; target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -669,11 +669,10 @@ Java_sun_awt_windows_WCheckboxPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtCheckbox::Create); + PDATA pData; JNI_CHECK_PEER_CREATION_RETURN(self); #ifdef DEBUG diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp index 8376f0abc2..bfdf76f272 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp @@ -104,7 +104,7 @@ void AwtChoice::Dispose() { } AwtChoice* AwtChoice::Create(jobject peer, jobject parent) { - + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); jobject target = NULL; @@ -115,12 +115,10 @@ AwtChoice* AwtChoice::Create(jobject peer, jobject parent) { if (env->EnsureLocalCapacity(1) < 0) { return NULL; } + PDATA pData; AwtCanvas* awtParent; - - JNI_CHECK_NULL_GOTO(parent, "null parent", done); - - awtParent = (AwtCanvas*)JNI_GET_PDATA(parent); - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); + JNI_CHECK_PEER_GOTO(parent, done); + awtParent = (AwtCanvas*)pData; target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -830,12 +828,9 @@ Java_sun_awt_windows_WChoicePeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtChoice::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp index d96fbb403a..d751f59fd8 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp @@ -151,6 +151,11 @@ struct SetFocusStruct { jobject component; jboolean doSetFocus; }; +// Struct for _SetParent function +struct SetParentStruct { + jobject component; + jobject parentComp; +}; /************************************************************************/ ////////////////////////////////////////////////////////////////////////// @@ -265,9 +270,6 @@ AwtComponent::~AwtComponent() { DASSERT(AwtToolkit::IsMainThread()); - /* Disconnect all links. */ - UnlinkObjects(); - /* * All the messages for this component are processed, native * resources are freed, and Java object is not connected to @@ -279,6 +281,8 @@ AwtComponent::~AwtComponent() void AwtComponent::Dispose() { + DASSERT(AwtToolkit::IsMainThread()); + // NOTE: in case the component/toplevel was focused, Java should // have already taken care of proper transferring it or clearing. @@ -297,8 +301,10 @@ void AwtComponent::Dispose() /* Release global ref to input method */ SetInputMethod(NULL, TRUE); - if (m_childList != NULL) + if (m_childList != NULL) { delete m_childList; + m_childList = NULL; + } DestroyDropTarget(); ReleaseDragCapture(0); @@ -321,6 +327,9 @@ void AwtComponent::Dispose() m_brushBackground = NULL; } + /* Disconnect all links. */ + UnlinkObjects(); + if (m_bPauseDestroy) { // AwtComponent::WmNcDestroy could be released now m_bPauseDestroy = FALSE; @@ -6216,21 +6225,36 @@ ret: return result; } -void AwtComponent::SetParent(void * param) { +void AwtComponent::_SetParent(void * param) +{ if (AwtToolkit::IsMainThread()) { - AwtComponent** comps = (AwtComponent**)param; - if ((comps[0] != NULL) && (comps[1] != NULL)) { - HWND selfWnd = comps[0]->GetHWnd(); - HWND parentWnd = comps[1]->GetHWnd(); - if (::IsWindow(selfWnd) && ::IsWindow(parentWnd)) { - // Shouldn't trigger native focus change - // (only the proxy may be the native focus owner). - ::SetParent(selfWnd, parentWnd); - } + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + SetParentStruct *data = (SetParentStruct*) param; + jobject self = data->component; + jobject parent = data->parentComp; + + AwtComponent *awtComponent = NULL; + AwtComponent *awtParent = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + awtComponent = (AwtComponent *)pData; + JNI_CHECK_PEER_GOTO(parent, ret); + awtParent = (AwtComponent *)pData; + + HWND selfWnd = awtComponent->GetHWnd(); + HWND parentWnd = awtParent->GetHWnd(); + if (::IsWindow(selfWnd) && ::IsWindow(parentWnd)) { + // Shouldn't trigger native focus change + // (only the proxy may be the native focus owner). + ::SetParent(selfWnd, parentWnd); } - delete[] comps; +ret: + env->DeleteGlobalRef(self); + env->DeleteGlobalRef(parent); + delete data; } else { - AwtToolkit::GetInstance().InvokeFunction(AwtComponent::SetParent, param); + AwtToolkit::GetInstance().InvokeFunction(AwtComponent::_SetParent, param); } } @@ -7057,15 +7081,12 @@ JNIEXPORT void JNICALL Java_sun_awt_windows_WComponentPeer_pSetParent(JNIEnv* env, jobject self, jobject parent) { TRY; - typedef AwtComponent* PComponent; - AwtComponent** comps = new PComponent[2]; - AwtComponent* comp = (AwtComponent*)JNI_GET_PDATA(self); - AwtComponent* parentComp = (AwtComponent*)JNI_GET_PDATA(parent); - comps[0] = comp; - comps[1] = parentComp; + SetParentStruct * data = new SetParentStruct; + data->component = env->NewGlobalRef(self); + data->parentComp = env->NewGlobalRef(parent); - AwtToolkit::GetInstance().SyncCall(AwtComponent::SetParent, comps); - // comps is deleted in SetParent + AwtToolkit::GetInstance().SyncCall(AwtComponent::_SetParent, data); + // global refs and data are deleted in SetParent CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h index d91df640d2..697c9d5044 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h @@ -668,6 +668,7 @@ public: static void _RemoveNativeDropTarget(void *param); static jintArray _CreatePrintedPixels(void *param); static jboolean _NativeHandlesWheelScrolling(void *param); + static void _SetParent(void * param); static void _SetRectangularShape(void *param); static void _SetZOrder(void *param); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp index e3413714b6..47b80a4ea0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp @@ -111,12 +111,13 @@ AwtDialog* AwtDialog::Create(jobject peer, jobject parent) PDATA pData; AwtWindow* awtParent = NULL; HWND hwndParent = NULL; + target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); if (parent != NULL) { JNI_CHECK_PEER_GOTO(parent, done); - awtParent = (AwtWindow *)(JNI_GET_PDATA(parent)); + awtParent = (AwtWindow *)pData; hwndParent = awtParent->GetHWnd(); } else { // There is no way to prevent a parentless dialog from showing on @@ -775,11 +776,9 @@ Java_sun_awt_windows_WDialogPeer_createAwtDialog(JNIEnv *env, jobject self, { TRY; - PDATA pData; AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtDialog::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp index 7b2d703bb6..f5ce9015d0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp @@ -691,7 +691,7 @@ Java_sun_awt_windows_WFileDialogPeer_getLocationOnScreen(JNIEnv *env, jobject peerRef = env->NewGlobalRef(peer); jobject resultRef = (jobject)AwtToolkit::GetInstance().SyncCall( (void*(*)(void*))AwtFileDialog::_GetLocationOnScreen, (void *)peerRef); - env->DeleteLocalRef(peerRef); + env->DeleteGlobalRef(peerRef); if (resultRef != NULL) { diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp index 9bc6366d17..788ece4735 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp @@ -1580,12 +1580,12 @@ void AwtFrame::_NotifyModalBlocked(void *param) PDATA pData; - pData = JNI_GET_PDATA(peer); + JNI_CHECK_PEER_GOTO(peer, ret); AwtFrame *f = (AwtFrame *)pData; // dialog here may be NULL, for example, if the blocker is a native dialog // however, we need to install/unistall modal hooks anyway - pData = JNI_GET_PDATA(blockerPeer); + JNI_CHECK_PEER_GOTO(blockerPeer, ret); AwtDialog *d = (AwtDialog *)pData; if ((f != NULL) && ::IsWindow(f->GetHWnd())) @@ -1637,7 +1637,7 @@ void AwtFrame::_NotifyModalBlocked(void *param) } } } - +ret: env->DeleteGlobalRef(self); env->DeleteGlobalRef(peer); env->DeleteGlobalRef(blockerPeer); @@ -1809,8 +1809,6 @@ Java_sun_awt_windows_WFramePeer_createAwtFrame(JNIEnv *env, jobject self, AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtFrame::Create); - PDATA pData; - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } @@ -1924,8 +1922,6 @@ Java_sun_awt_windows_WEmbeddedFramePeer_create(JNIEnv *env, jobject self, AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtFrame::Create); - PDATA pData; - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp index 722151cd86..4f43e0e3d0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp @@ -80,7 +80,7 @@ AwtLabel* AwtLabel::Create(jobject labelPeer, jobject parent) JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "awtParent", done); + target = env->GetObjectField(labelPeer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "target", done); @@ -392,12 +392,9 @@ Java_sun_awt_windows_WLabelPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtLabel::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp index 4c32a47299..071ab2a0de 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp @@ -89,10 +89,9 @@ AwtList* AwtList::Create(jobject peer, jobject parent) PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); /* target is Hjava_awt_List * */ target = env->GetObjectField(peer, AwtObject::targetID); @@ -928,9 +927,6 @@ Java_sun_awt_windows_WListPeer_deselect(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - SelectElementStruct *ses = new SelectElementStruct; ses->list = env->NewGlobalRef(self); ses->index = pos; @@ -994,11 +990,8 @@ Java_sun_awt_windows_WListPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory)AwtList::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp index 04f463e642..7e351e134b 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp @@ -96,10 +96,9 @@ AwtScrollPane* AwtScrollPane::Create(jobject self, jobject parent) PDATA pData; AwtComponent* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtComponent*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -679,11 +678,10 @@ Java_sun_awt_windows_WScrollPanePeer_create(JNIEnv *env, jobject self, DTRACE_PRINTLN2("%x: WScrollPanePeer.create(%x)", self, parent); - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtScrollPane::Create); + PDATA pData; JNI_CHECK_PEER_CREATION_RETURN(self); ((AwtScrollPane*)pData)->VerifyState(); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp index 1e58f2ceb8..502b9a0d23 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp @@ -38,7 +38,11 @@ struct SetValuesStruct { jint value; jint visible; jint min, max; - +}; +// struct for _SetLineIncrement()/_SetPageIncrement() methods +struct SetIncrementStruct { + jobject scrollbar; + jint increment; }; /************************************************************************ * AwtScrollbar fields @@ -108,10 +112,9 @@ AwtScrollbar::Create(jobject peer, jobject parent) PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -471,6 +474,52 @@ ret: delete svs; } +void AwtScrollbar::_SetLineIncrement(void *param) +{ + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + + SetIncrementStruct *sis = (SetIncrementStruct *)param; + jobject self = sis->scrollbar; + jint increment = sis->increment; + + AwtScrollbar *sb = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + sb = (AwtScrollbar *)pData; + if (::IsWindow(sb->GetHWnd())) + { + sb->SetLineIncrement(increment); + } +ret: + env->DeleteGlobalRef(self); + + delete sis; +} + +void AwtScrollbar::_SetPageIncrement(void *param) +{ + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + + SetIncrementStruct *sis = (SetIncrementStruct *)param; + jobject self = sis->scrollbar; + jint increment = sis->increment; + + AwtScrollbar *sb = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + sb = (AwtScrollbar *)pData; + if (::IsWindow(sb->GetHWnd())) + { + sb->SetPageIncrement(increment); + } +ret: + env->DeleteGlobalRef(self); + + delete sis; +} + /************************************************************************ * Scrollbar native methods */ @@ -546,10 +595,12 @@ Java_sun_awt_windows_WScrollbarPeer_setLineIncrement(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - AwtScrollbar* c = (AwtScrollbar*)pData; - c->SetLineIncrement(increment); + SetIncrementStruct *sis = new SetIncrementStruct; + sis->scrollbar = env->NewGlobalRef(self); + sis->increment = increment; + + AwtToolkit::GetInstance().SyncCall(AwtScrollbar::_SetLineIncrement, sis); + // global ref and svs are deleted in _SetValues CATCH_BAD_ALLOC; } @@ -565,10 +616,12 @@ Java_sun_awt_windows_WScrollbarPeer_setPageIncrement(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - AwtScrollbar* c = (AwtScrollbar*)pData; - c->SetPageIncrement(increment); + SetIncrementStruct *sis = new SetIncrementStruct; + sis->scrollbar = env->NewGlobalRef(self); + sis->increment = increment; + + AwtToolkit::GetInstance().SyncCall(AwtScrollbar::_SetPageIncrement, sis); + // global ref and svs are deleted in _SetValues CATCH_BAD_ALLOC; } @@ -584,12 +637,9 @@ Java_sun_awt_windows_WScrollbarPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtScrollbar::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h index 2a6b03a671..9369cab0e5 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h @@ -77,6 +77,8 @@ public: INLINE virtual BOOL IsScrollbar() { return TRUE; } + static void _SetLineIncrement(void *param); + static void _SetPageIncrement(void *param); // invoked on Toolkit thread static void _SetValues(void *param); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp index cd40b1f237..6dc21c5add 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp @@ -505,12 +505,9 @@ Java_sun_awt_windows_WTextAreaPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtTextArea::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp index de60f0ed70..38272959d7 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp @@ -95,10 +95,9 @@ AwtTextComponent* AwtTextComponent::Create(jobject peer, jobject parent, BOOL is PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp index 01c73f068e..5518ab9114 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp @@ -260,12 +260,9 @@ Java_sun_awt_windows_WTextFieldPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtTextField::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp index 56f2bfdd0e..b1cb6ad2ce 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp @@ -3400,12 +3400,9 @@ Java_sun_awt_windows_WWindowPeer_createAwtWindow(JNIEnv *env, jobject self, { TRY; - PDATA pData; -// JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtWindow::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } From ccbf19b1aa4093df3a5a5eee72769afd0ba03f14 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:09:15 +0100 Subject: [PATCH 002/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- jdk/.jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/.jcheck/conf b/jdk/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/jdk/.jcheck/conf +++ b/jdk/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From 884775ffefde73790de5bcc3c56ee6ce064bb05e Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Wed, 5 Jul 2017 17:21:10 -0700 Subject: [PATCH 003/269] Added tag jdk-9.0.3+00 for changeset 59a43cd7f391 --- jdk/.hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/.hgtags b/jdk/.hgtags index 140c6960e0..48db96831b 100644 --- a/jdk/.hgtags +++ b/jdk/.hgtags @@ -417,3 +417,4 @@ ef9954f6896bb0b95ac62bf769f68b59a7a56ccd jdk-9+170 0ff9ad7d067cd4fa14450cf208bf019175a0aaba jdk-9+172 a5506b425f1bf91530d8417b57360e5d89328c0c jdk-9+173 42f18c931bd4fae5c206ccf6d8e591e4c4e69d31 jdk-9+174 +c31ac0b8a60e8f872d38ad251a25ad043adc0191 jdk-9.0.3+00 From a1ac07e8a5a468f252eb5c79fab7ad0bcd5ad44e Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Fri, 28 Oct 2016 21:33:09 +0300 Subject: [PATCH 004/269] 8165543: Better window framing Reviewed-by: prr, ssadetsky, mschoene --- .../windows/native/libawt/windows/awt.h | 48 +++++++----- .../native/libawt/windows/awt_Button.cpp | 10 +-- .../native/libawt/windows/awt_Canvas.cpp | 11 +-- .../native/libawt/windows/awt_Checkbox.cpp | 11 ++- .../native/libawt/windows/awt_Choice.cpp | 13 +--- .../native/libawt/windows/awt_Component.cpp | 69 ++++++++++------ .../native/libawt/windows/awt_Component.h | 1 + .../native/libawt/windows/awt_Dialog.cpp | 5 +- .../native/libawt/windows/awt_FileDialog.cpp | 2 +- .../native/libawt/windows/awt_Frame.cpp | 10 +-- .../native/libawt/windows/awt_Label.cpp | 5 +- .../native/libawt/windows/awt_List.cpp | 9 +-- .../native/libawt/windows/awt_ScrollPane.cpp | 6 +- .../native/libawt/windows/awt_Scrollbar.cpp | 78 +++++++++++++++---- .../native/libawt/windows/awt_Scrollbar.h | 2 + .../native/libawt/windows/awt_TextArea.cpp | 3 - .../libawt/windows/awt_TextComponent.cpp | 3 +- .../native/libawt/windows/awt_TextField.cpp | 3 - .../native/libawt/windows/awt_Window.cpp | 3 - 19 files changed, 167 insertions(+), 125 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt.h index 0a84f65e0a..90c9fe329b 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt.h @@ -57,15 +57,6 @@ typedef AwtObject* PDATA; } \ } -#define JNI_CHECK_PEER_GOTO(peer, where) { \ - JNI_CHECK_NULL_GOTO(peer, "peer", where); \ - pData = JNI_GET_PDATA(peer); \ - if (pData == NULL) { \ - THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ - goto where; \ - } \ -} - #define JNI_CHECK_NULL_RETURN(obj, msg) { \ if (obj == NULL) { \ env->ExceptionClear(); \ @@ -74,15 +65,6 @@ typedef AwtObject* PDATA; } \ } -#define JNI_CHECK_PEER_RETURN(peer) { \ - JNI_CHECK_NULL_RETURN(peer, "peer"); \ - pData = JNI_GET_PDATA(peer); \ - if (pData == NULL) { \ - THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ - return; \ - } \ -} - #define JNI_CHECK_PEER_CREATION_RETURN(peer) { \ if (peer == NULL ) { \ return; \ @@ -109,6 +91,33 @@ typedef AwtObject* PDATA; } \ } +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ +#define JNI_CHECK_PEER_GOTO(peer, where) { \ + JNI_CHECK_NULL_GOTO(peer, "peer", where); \ + pData = JNI_GET_PDATA(peer); \ + if (pData == NULL) { \ + THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ + goto where; \ + } \ +} + +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ +#define JNI_CHECK_PEER_RETURN(peer) { \ + JNI_CHECK_NULL_RETURN(peer, "peer"); \ + pData = JNI_GET_PDATA(peer); \ + if (pData == NULL) { \ + THROW_NULL_PDATA_IF_NOT_DESTROYED(peer); \ + return; \ + } \ +} + +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ #define JNI_CHECK_PEER_RETURN_NULL(peer) { \ JNI_CHECK_NULL_RETURN_NULL(peer, "peer"); \ pData = JNI_GET_PDATA(peer); \ @@ -118,6 +127,9 @@ typedef AwtObject* PDATA; } \ } +/** + * This macros must be used under SyncCall or on the Toolkit thread. + */ #define JNI_CHECK_PEER_RETURN_VAL(peer, val) { \ JNI_CHECK_NULL_RETURN_VAL(peer, "peer", val); \ pData = JNI_GET_PDATA(peer); \ diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp index e76582bf36..1a7a89fdef 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Button.cpp @@ -65,6 +65,7 @@ LPCTSTR AwtButton::GetClassName() { /* Create a new AwtButton object and window. */ AwtButton* AwtButton::Create(jobject self, jobject parent) { + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); /* the result */ @@ -88,7 +89,6 @@ AwtButton* AwtButton::Create(jobject self, jobject parent) JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "awtParent", done); target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "target", done); @@ -375,9 +375,6 @@ Java_sun_awt_windows_WButtonPeer_setLabel(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - SetLabelStruct *sls = new SetLabelStruct; sls->button = env->NewGlobalRef(self); sls->label = (label != NULL) ? (jstring)env->NewGlobalRef(label) : NULL; @@ -399,14 +396,9 @@ Java_sun_awt_windows_WButtonPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); - AwtToolkit::CreateComponent( self, parent, (AwtToolkit::ComponentFactory)AwtButton::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); - CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp index fba055cb49..a152b8ebbd 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Canvas.cpp @@ -59,6 +59,7 @@ LPCTSTR AwtCanvas::GetClassName() { */ AwtCanvas* AwtCanvas::Create(jobject self, jobject hParent) { + DASSERT(AwtToolkit::IsMainThread()); TRY; JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); @@ -74,12 +75,11 @@ AwtCanvas* AwtCanvas::Create(jobject self, jobject hParent) return NULL; } + PDATA pData; AwtComponent* parent; - JNI_CHECK_NULL_GOTO(hParent, "null hParent", done); - - parent = (AwtComponent*)JNI_GET_PDATA(hParent); - JNI_CHECK_NULL_GOTO(parent, "null parent", done); + JNI_CHECK_PEER_GOTO(hParent, done); + parent = (AwtCanvas*)pData; target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -236,12 +236,9 @@ Java_sun_awt_windows_WCanvasPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtCanvas::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp index 8e18d79eaa..d77ebb74a3 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Checkbox.cpp @@ -70,6 +70,7 @@ LPCTSTR AwtCheckbox::GetClassName() { AwtCheckbox* AwtCheckbox::Create(jobject peer, jobject parent) { + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); jstring label = NULL; @@ -81,11 +82,10 @@ AwtCheckbox* AwtCheckbox::Create(jobject peer, jobject parent) return NULL; } + PDATA pData; AwtComponent* awtParent; - JNI_CHECK_NULL_GOTO(parent, "null parent", done); - - awtParent = (AwtComponent*)JNI_GET_PDATA(parent); - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); + JNI_CHECK_PEER_GOTO(parent, done); + awtParent = (AwtCanvas*)pData; target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -669,11 +669,10 @@ Java_sun_awt_windows_WCheckboxPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtCheckbox::Create); + PDATA pData; JNI_CHECK_PEER_CREATION_RETURN(self); #ifdef DEBUG diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp index 8376f0abc2..bfdf76f272 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Choice.cpp @@ -104,7 +104,7 @@ void AwtChoice::Dispose() { } AwtChoice* AwtChoice::Create(jobject peer, jobject parent) { - + DASSERT(AwtToolkit::IsMainThread()); JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); jobject target = NULL; @@ -115,12 +115,10 @@ AwtChoice* AwtChoice::Create(jobject peer, jobject parent) { if (env->EnsureLocalCapacity(1) < 0) { return NULL; } + PDATA pData; AwtCanvas* awtParent; - - JNI_CHECK_NULL_GOTO(parent, "null parent", done); - - awtParent = (AwtCanvas*)JNI_GET_PDATA(parent); - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); + JNI_CHECK_PEER_GOTO(parent, done); + awtParent = (AwtCanvas*)pData; target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -830,12 +828,9 @@ Java_sun_awt_windows_WChoicePeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtChoice::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp index cf89de4046..f2db09fd34 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.cpp @@ -151,6 +151,11 @@ struct SetFocusStruct { jobject component; jboolean doSetFocus; }; +// Struct for _SetParent function +struct SetParentStruct { + jobject component; + jobject parentComp; +}; /************************************************************************/ ////////////////////////////////////////////////////////////////////////// @@ -265,9 +270,6 @@ AwtComponent::~AwtComponent() { DASSERT(AwtToolkit::IsMainThread()); - /* Disconnect all links. */ - UnlinkObjects(); - /* * All the messages for this component are processed, native * resources are freed, and Java object is not connected to @@ -279,6 +281,8 @@ AwtComponent::~AwtComponent() void AwtComponent::Dispose() { + DASSERT(AwtToolkit::IsMainThread()); + // NOTE: in case the component/toplevel was focused, Java should // have already taken care of proper transferring it or clearing. @@ -297,8 +301,10 @@ void AwtComponent::Dispose() /* Release global ref to input method */ SetInputMethod(NULL, TRUE); - if (m_childList != NULL) + if (m_childList != NULL) { delete m_childList; + m_childList = NULL; + } DestroyDropTarget(); ReleaseDragCapture(0); @@ -321,6 +327,9 @@ void AwtComponent::Dispose() m_brushBackground = NULL; } + /* Disconnect all links. */ + UnlinkObjects(); + if (m_bPauseDestroy) { // AwtComponent::WmNcDestroy could be released now m_bPauseDestroy = FALSE; @@ -6222,21 +6231,36 @@ ret: return result; } -void AwtComponent::SetParent(void * param) { +void AwtComponent::_SetParent(void * param) +{ if (AwtToolkit::IsMainThread()) { - AwtComponent** comps = (AwtComponent**)param; - if ((comps[0] != NULL) && (comps[1] != NULL)) { - HWND selfWnd = comps[0]->GetHWnd(); - HWND parentWnd = comps[1]->GetHWnd(); - if (::IsWindow(selfWnd) && ::IsWindow(parentWnd)) { - // Shouldn't trigger native focus change - // (only the proxy may be the native focus owner). - ::SetParent(selfWnd, parentWnd); - } + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + SetParentStruct *data = (SetParentStruct*) param; + jobject self = data->component; + jobject parent = data->parentComp; + + AwtComponent *awtComponent = NULL; + AwtComponent *awtParent = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + awtComponent = (AwtComponent *)pData; + JNI_CHECK_PEER_GOTO(parent, ret); + awtParent = (AwtComponent *)pData; + + HWND selfWnd = awtComponent->GetHWnd(); + HWND parentWnd = awtParent->GetHWnd(); + if (::IsWindow(selfWnd) && ::IsWindow(parentWnd)) { + // Shouldn't trigger native focus change + // (only the proxy may be the native focus owner). + ::SetParent(selfWnd, parentWnd); } - delete[] comps; +ret: + env->DeleteGlobalRef(self); + env->DeleteGlobalRef(parent); + delete data; } else { - AwtToolkit::GetInstance().InvokeFunction(AwtComponent::SetParent, param); + AwtToolkit::GetInstance().InvokeFunction(AwtComponent::_SetParent, param); } } @@ -7063,15 +7087,12 @@ JNIEXPORT void JNICALL Java_sun_awt_windows_WComponentPeer_pSetParent(JNIEnv* env, jobject self, jobject parent) { TRY; - typedef AwtComponent* PComponent; - AwtComponent** comps = new PComponent[2]; - AwtComponent* comp = (AwtComponent*)JNI_GET_PDATA(self); - AwtComponent* parentComp = (AwtComponent*)JNI_GET_PDATA(parent); - comps[0] = comp; - comps[1] = parentComp; + SetParentStruct * data = new SetParentStruct; + data->component = env->NewGlobalRef(self); + data->parentComp = env->NewGlobalRef(parent); - AwtToolkit::GetInstance().SyncCall(AwtComponent::SetParent, comps); - // comps is deleted in SetParent + AwtToolkit::GetInstance().SyncCall(AwtComponent::_SetParent, data); + // global refs and data are deleted in SetParent CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h index d91df640d2..697c9d5044 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Component.h @@ -668,6 +668,7 @@ public: static void _RemoveNativeDropTarget(void *param); static jintArray _CreatePrintedPixels(void *param); static jboolean _NativeHandlesWheelScrolling(void *param); + static void _SetParent(void * param); static void _SetRectangularShape(void *param); static void _SetZOrder(void *param); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp index e3413714b6..47b80a4ea0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Dialog.cpp @@ -111,12 +111,13 @@ AwtDialog* AwtDialog::Create(jobject peer, jobject parent) PDATA pData; AwtWindow* awtParent = NULL; HWND hwndParent = NULL; + target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); if (parent != NULL) { JNI_CHECK_PEER_GOTO(parent, done); - awtParent = (AwtWindow *)(JNI_GET_PDATA(parent)); + awtParent = (AwtWindow *)pData; hwndParent = awtParent->GetHWnd(); } else { // There is no way to prevent a parentless dialog from showing on @@ -775,11 +776,9 @@ Java_sun_awt_windows_WDialogPeer_createAwtDialog(JNIEnv *env, jobject self, { TRY; - PDATA pData; AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtDialog::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp index 7b2d703bb6..f5ce9015d0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_FileDialog.cpp @@ -691,7 +691,7 @@ Java_sun_awt_windows_WFileDialogPeer_getLocationOnScreen(JNIEnv *env, jobject peerRef = env->NewGlobalRef(peer); jobject resultRef = (jobject)AwtToolkit::GetInstance().SyncCall( (void*(*)(void*))AwtFileDialog::_GetLocationOnScreen, (void *)peerRef); - env->DeleteLocalRef(peerRef); + env->DeleteGlobalRef(peerRef); if (resultRef != NULL) { diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp index 9bc6366d17..788ece4735 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp @@ -1580,12 +1580,12 @@ void AwtFrame::_NotifyModalBlocked(void *param) PDATA pData; - pData = JNI_GET_PDATA(peer); + JNI_CHECK_PEER_GOTO(peer, ret); AwtFrame *f = (AwtFrame *)pData; // dialog here may be NULL, for example, if the blocker is a native dialog // however, we need to install/unistall modal hooks anyway - pData = JNI_GET_PDATA(blockerPeer); + JNI_CHECK_PEER_GOTO(blockerPeer, ret); AwtDialog *d = (AwtDialog *)pData; if ((f != NULL) && ::IsWindow(f->GetHWnd())) @@ -1637,7 +1637,7 @@ void AwtFrame::_NotifyModalBlocked(void *param) } } } - +ret: env->DeleteGlobalRef(self); env->DeleteGlobalRef(peer); env->DeleteGlobalRef(blockerPeer); @@ -1809,8 +1809,6 @@ Java_sun_awt_windows_WFramePeer_createAwtFrame(JNIEnv *env, jobject self, AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtFrame::Create); - PDATA pData; - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } @@ -1924,8 +1922,6 @@ Java_sun_awt_windows_WEmbeddedFramePeer_create(JNIEnv *env, jobject self, AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtFrame::Create); - PDATA pData; - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp index 722151cd86..4f43e0e3d0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Label.cpp @@ -80,7 +80,7 @@ AwtLabel* AwtLabel::Create(jobject labelPeer, jobject parent) JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "awtParent", done); + target = env->GetObjectField(labelPeer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "target", done); @@ -392,12 +392,9 @@ Java_sun_awt_windows_WLabelPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtLabel::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp index 4c32a47299..071ab2a0de 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_List.cpp @@ -89,10 +89,9 @@ AwtList* AwtList::Create(jobject peer, jobject parent) PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); /* target is Hjava_awt_List * */ target = env->GetObjectField(peer, AwtObject::targetID); @@ -928,9 +927,6 @@ Java_sun_awt_windows_WListPeer_deselect(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - SelectElementStruct *ses = new SelectElementStruct; ses->list = env->NewGlobalRef(self); ses->index = pos; @@ -994,11 +990,8 @@ Java_sun_awt_windows_WListPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory)AwtList::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp index 04f463e642..7e351e134b 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_ScrollPane.cpp @@ -96,10 +96,9 @@ AwtScrollPane* AwtScrollPane::Create(jobject self, jobject parent) PDATA pData; AwtComponent* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtComponent*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(self, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -679,11 +678,10 @@ Java_sun_awt_windows_WScrollPanePeer_create(JNIEnv *env, jobject self, DTRACE_PRINTLN2("%x: WScrollPanePeer.create(%x)", self, parent); - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtScrollPane::Create); + PDATA pData; JNI_CHECK_PEER_CREATION_RETURN(self); ((AwtScrollPane*)pData)->VerifyState(); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp index 1e58f2ceb8..502b9a0d23 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.cpp @@ -38,7 +38,11 @@ struct SetValuesStruct { jint value; jint visible; jint min, max; - +}; +// struct for _SetLineIncrement()/_SetPageIncrement() methods +struct SetIncrementStruct { + jobject scrollbar; + jint increment; }; /************************************************************************ * AwtScrollbar fields @@ -108,10 +112,9 @@ AwtScrollbar::Create(jobject peer, jobject parent) PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); @@ -471,6 +474,52 @@ ret: delete svs; } +void AwtScrollbar::_SetLineIncrement(void *param) +{ + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + + SetIncrementStruct *sis = (SetIncrementStruct *)param; + jobject self = sis->scrollbar; + jint increment = sis->increment; + + AwtScrollbar *sb = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + sb = (AwtScrollbar *)pData; + if (::IsWindow(sb->GetHWnd())) + { + sb->SetLineIncrement(increment); + } +ret: + env->DeleteGlobalRef(self); + + delete sis; +} + +void AwtScrollbar::_SetPageIncrement(void *param) +{ + JNIEnv *env = (JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2); + + SetIncrementStruct *sis = (SetIncrementStruct *)param; + jobject self = sis->scrollbar; + jint increment = sis->increment; + + AwtScrollbar *sb = NULL; + + PDATA pData; + JNI_CHECK_PEER_GOTO(self, ret); + sb = (AwtScrollbar *)pData; + if (::IsWindow(sb->GetHWnd())) + { + sb->SetPageIncrement(increment); + } +ret: + env->DeleteGlobalRef(self); + + delete sis; +} + /************************************************************************ * Scrollbar native methods */ @@ -546,10 +595,12 @@ Java_sun_awt_windows_WScrollbarPeer_setLineIncrement(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - AwtScrollbar* c = (AwtScrollbar*)pData; - c->SetLineIncrement(increment); + SetIncrementStruct *sis = new SetIncrementStruct; + sis->scrollbar = env->NewGlobalRef(self); + sis->increment = increment; + + AwtToolkit::GetInstance().SyncCall(AwtScrollbar::_SetLineIncrement, sis); + // global ref and svs are deleted in _SetValues CATCH_BAD_ALLOC; } @@ -565,10 +616,12 @@ Java_sun_awt_windows_WScrollbarPeer_setPageIncrement(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(self); - AwtScrollbar* c = (AwtScrollbar*)pData; - c->SetPageIncrement(increment); + SetIncrementStruct *sis = new SetIncrementStruct; + sis->scrollbar = env->NewGlobalRef(self); + sis->increment = increment; + + AwtToolkit::GetInstance().SyncCall(AwtScrollbar::_SetPageIncrement, sis); + // global ref and svs are deleted in _SetValues CATCH_BAD_ALLOC; } @@ -584,12 +637,9 @@ Java_sun_awt_windows_WScrollbarPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtScrollbar::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h index 2a6b03a671..9369cab0e5 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Scrollbar.h @@ -77,6 +77,8 @@ public: INLINE virtual BOOL IsScrollbar() { return TRUE; } + static void _SetLineIncrement(void *param); + static void _SetPageIncrement(void *param); // invoked on Toolkit thread static void _SetValues(void *param); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp index cd40b1f237..6dc21c5add 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextArea.cpp @@ -505,12 +505,9 @@ Java_sun_awt_windows_WTextAreaPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtTextArea::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp index de60f0ed70..38272959d7 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextComponent.cpp @@ -95,10 +95,9 @@ AwtTextComponent* AwtTextComponent::Create(jobject peer, jobject parent, BOOL is PDATA pData; AwtCanvas* awtParent; - JNI_CHECK_PEER_GOTO(parent, done); + JNI_CHECK_PEER_GOTO(parent, done); awtParent = (AwtCanvas*)pData; - JNI_CHECK_NULL_GOTO(awtParent, "null awtParent", done); target = env->GetObjectField(peer, AwtObject::targetID); JNI_CHECK_NULL_GOTO(target, "null target", done); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp index 01c73f068e..5518ab9114 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_TextField.cpp @@ -260,12 +260,9 @@ Java_sun_awt_windows_WTextFieldPeer_create(JNIEnv *env, jobject self, { TRY; - PDATA pData; - JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtTextField::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp index 56f2bfdd0e..b1cb6ad2ce 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Window.cpp @@ -3400,12 +3400,9 @@ Java_sun_awt_windows_WWindowPeer_createAwtWindow(JNIEnv *env, jobject self, { TRY; - PDATA pData; -// JNI_CHECK_PEER_RETURN(parent); AwtToolkit::CreateComponent(self, parent, (AwtToolkit::ComponentFactory) AwtWindow::Create); - JNI_CHECK_PEER_CREATION_RETURN(self); CATCH_BAD_ALLOC; } From 70e06e0d073b1139d1af4bfb4f2e4616ba80453f Mon Sep 17 00:00:00 2001 From: Ivan Gerasimov Date: Thu, 17 Nov 2016 22:01:02 +0300 Subject: [PATCH 005/269] 8169026: Handle smartcard clean up better Reviewed-by: valeriep, ahgross --- .../share/classes/sun/security/smartcardio/CardImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java b/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java index d7e8f49fa8..019ea781a3 100644 --- a/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java +++ b/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java @@ -270,7 +270,7 @@ final class CardImpl extends Card { } public String toString() { - return "PC/SC card in " + terminal.getName() + return "PC/SC card in " + terminal.name + ", protocol " + getProtocol() + ", state " + state; } @@ -278,6 +278,7 @@ final class CardImpl extends Card { protected void finalize() throws Throwable { try { if (state == State.OK) { + state = State.DISCONNECTED; SCardDisconnect(cardId, SCARD_LEAVE_CARD); } } finally { From a4169a18a0ec048f0546384a7324b2ed8b48936f Mon Sep 17 00:00:00 2001 From: Ivan Gerasimov Date: Thu, 17 Nov 2016 22:01:02 +0300 Subject: [PATCH 006/269] 8169026: Handle smartcard clean up better Reviewed-by: valeriep, ahgross --- .../share/classes/sun/security/smartcardio/CardImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java b/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java index d7e8f49fa8..019ea781a3 100644 --- a/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java +++ b/jdk/src/java.smartcardio/share/classes/sun/security/smartcardio/CardImpl.java @@ -270,7 +270,7 @@ final class CardImpl extends Card { } public String toString() { - return "PC/SC card in " + terminal.getName() + return "PC/SC card in " + terminal.name + ", protocol " + getProtocol() + ", state " + state; } @@ -278,6 +278,7 @@ final class CardImpl extends Card { protected void finalize() throws Throwable { try { if (state == State.OK) { + state = State.DISCONNECTED; SCardDisconnect(cardId, SCARD_LEAVE_CARD); } } finally { From cca7ee8245d7afc3eacd8fa51e49558781ce7de5 Mon Sep 17 00:00:00 2001 From: Harsha Wardhana B Date: Fri, 18 Nov 2016 13:26:15 +0530 Subject: [PATCH 007/269] 8159377: JMX Connections need white-list filters Reviewed-by: dfuchs, rriggs, jwilhelm --- .../classes/java/io/ObjectInputStream.java | 22 -- .../jdk/internal/misc/SharedSecrets.java | 12 - .../jmx/remote/internal/rmi/RMIExporter.java | 6 +- .../remote/rmi/RMIConnectorServer.java | 59 +++- .../remote/rmi/RMIJRMPServerImpl.java | 163 ++++----- .../sun/rmi/server/MarshalInputStream.java | 36 -- .../sun/rmi/server/UnicastServerRef.java | 90 +---- .../jmxremote/ConnectorBootstrap.java | 34 +- .../share/conf/management.properties | 39 ++ .../connection/DefaultAgentFilterTest.java | 333 ++++++++++++++++++ .../connection/NewRMIClientFilterTest.java | 147 ++++++++ .../mandatory/connection/mgmt1.properties | 38 ++ .../mandatory/connection/mgmt2.properties | 38 ++ .../connectorServer/RMIExporterTest.java | 6 +- 14 files changed, 755 insertions(+), 268 deletions(-) create mode 100644 jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java create mode 100644 jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java create mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties create mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index 15d735e88c..195e192f0c 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -44,8 +44,6 @@ import java.util.concurrent.ConcurrentMap; import static java.io.ObjectStreamClass.processQueue; -import jdk.internal.misc.ObjectStreamClassValidator; -import jdk.internal.misc.SharedSecrets; import jdk.internal.misc.Unsafe; import sun.reflect.misc.ReflectUtil; @@ -1739,9 +1737,6 @@ public class ObjectInputStream throw new StreamCorruptedException( String.format("invalid type code: %02X", tc)); } - if (descriptor != null) { - validateDescriptor(descriptor); - } return descriptor; } @@ -3976,21 +3971,4 @@ public class ObjectInputStream throw new AssertionError(); } } - - private void validateDescriptor(ObjectStreamClass descriptor) { - ObjectStreamClassValidator validating = validator; - if (validating != null) { - validating.validateDescriptor(descriptor); - } - } - - // controlled access to ObjectStreamClassValidator - private volatile ObjectStreamClassValidator validator; - - private static void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator) { - ois.validator = validator; - } - static { - SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::setValidator); - } } diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java index cd54d422c2..078e5018cc 100644 --- a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +++ b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java @@ -69,7 +69,6 @@ public class SharedSecrets { private static JavaAWTAccess javaAWTAccess; private static JavaAWTFontAccess javaAWTFontAccess; private static JavaBeansAccess javaBeansAccess; - private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; public static JavaUtilJarAccess javaUtilJarAccess() { @@ -304,17 +303,6 @@ public class SharedSecrets { javaUtilResourceBundleAccess = access; } - public static JavaObjectInputStreamAccess getJavaObjectInputStreamAccess() { - if (javaObjectInputStreamAccess == null) { - unsafe.ensureClassInitialized(ObjectInputStream.class); - } - return javaObjectInputStreamAccess; - } - - public static void setJavaObjectInputStreamAccess(JavaObjectInputStreamAccess access) { - javaObjectInputStreamAccess = access; - } - public static void setJavaIORandomAccessFileAccess(JavaIORandomAccessFileAccess jirafa) { javaIORandomAccessFileAccess = jirafa; } diff --git a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java index cd292850a2..333c8f4a73 100644 --- a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java +++ b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.jmx.remote.internal.rmi; +import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -51,7 +52,8 @@ public interface RMIExporter { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter filter) throws RemoteException; public boolean unexportObject(Remote obj, boolean force) diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java index a71bef5b40..0cda57065f 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java @@ -32,6 +32,7 @@ import com.sun.jmx.remote.util.EnvHelp; import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.ObjectInputFilter; import java.io.ObjectOutputStream; import java.net.MalformedURLException; import java.rmi.server.RMIClientSocketFactory; @@ -101,19 +102,59 @@ public class RMIConnectorServer extends JMXConnectorServer { "jmx.remote.rmi.server.socket.factory"; /** - * Name of the attribute that specifies a list of class names acceptable - * as parameters to the {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} + * Name of the attribute that specifies an + * {@link ObjectInputFilter} pattern string to filter classes acceptable + * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} * remote method call. *

- * This list of classes should correspond to the transitive closure of the - * credentials class (or classes) used by the installed {@linkplain JMXAuthenticator} - * associated with the {@linkplain RMIServer} implementation. + * The filter pattern must be in same format as used in + * {@link java.io.ObjectInputFilter.Config#createFilter} *

- * If the attribute is not set, or is null, then any class is - * deemed acceptable. + * This list of classes allowed by filter should correspond to the + * transitive closure of the credentials class (or classes) used by the + * installed {@linkplain JMXAuthenticator} associated with the + * {@linkplain RMIServer} implementation. + * If the attribute is not set then any class is deemed acceptable. + * @see ObjectInputFilter */ - public static final String CREDENTIAL_TYPES = - "jmx.remote.rmi.server.credential.types"; + public static final String CREDENTIALS_FILTER_PATTERN = + "jmx.remote.rmi.server.credentials.filter.pattern"; + + /** + * This attribute defines a pattern from which to create a + * {@link java.io.ObjectInputFilter} that will be used when deserializing + * objects sent to the {@code JMXConnectorServer} by any client. + *

+ * The filter will be called for any class found in the serialized + * stream sent to server by client, including all JMX defined classes + * (such as {@link javax.management.ObjectName}), all method parameters, + * and, if present in the stream, all classes transitively referred by + * the serial form of any deserialized object. + * The pattern must be in same format as used in + * {@link java.io.ObjectInputFilter.Config#createFilter}. + * It may define a white list of permitted classes, a black list of + * rejected classes, a maximum depth for the deserialized objects, + * etc. + *

+ * To be functional, the filter should allow at least all the + * concrete types in the transitive closure of all objects that + * might get serialized when serializing all JMX classes referred + * as parameters in the {@link + * javax.management.remote.rmi.RMIConnection} interface, + * plus all classes that a {@link javax.management.remote.rmi.RMIConnector client} + * might need to transmit wrapped in {@linkplain java.rmi.MarshalledObject + * marshalled objects} in order to interoperate with the MBeans registered + * in the {@code MBeanServer}. That would potentially include all the + * concrete {@linkplain javax.management.openmbean JMX OpenTypes} and the + * classes they use in their serial form. + *

+ * Care must be taken when defining such a filter, as defining + * a white list too restrictive or a too wide a black list may + * prevent legitimate clients from interoperating with the + * {@code JMXConnectorServer}. + */ + public static final String SERIAL_FILTER_PATTERN = + "jmx.remote.rmi.server.serial.filter.pattern"; /** *

Makes an RMIConnectorServer. diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java index 8bcbe1919a..e6787692ee 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java @@ -26,6 +26,7 @@ package javax.management.remote.rmi; import java.io.IOException; +import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -39,15 +40,13 @@ import javax.security.auth.Subject; import com.sun.jmx.remote.internal.rmi.RMIExporter; import com.sun.jmx.remote.util.EnvHelp; -import java.io.ObjectStreamClass; -import java.lang.reflect.Method; -import java.util.ArrayList; import java.util.Arrays; -import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; import sun.reflect.misc.ReflectUtil; -import sun.rmi.server.DeserializationChecker; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; +import sun.rmi.transport.LiveRef; /** *

An {@link RMIServer} object that is exported through JRMP and that @@ -60,8 +59,6 @@ import sun.rmi.server.UnicastServerRef2; */ public class RMIJRMPServerImpl extends RMIServerImpl { - private final ExportedWrapper exportedWrapper; - /** *

Creates a new {@link RMIServer} object that will be exported * on the given port using the given socket factories.

@@ -100,33 +97,48 @@ public class RMIJRMPServerImpl extends RMIServerImpl { this.ssf = ssf; this.env = (env == null) ? Collections.emptyMap() : env; + // This attribute was represented by RMIConnectorServer.CREDENTIALS_TYPES. + // This attribute is superceded by + // RMIConnectorServer.CREDENTIALS_FILTER_PATTERN. + // Retaining this for backward compatibility. String[] credentialsTypes - = (String[]) this.env.get(RMIConnectorServer.CREDENTIAL_TYPES); - List types = null; - if (credentialsTypes != null) { - types = new ArrayList<>(); - for (String type : credentialsTypes) { - if (type == null) { - throw new IllegalArgumentException("A credential type is null."); - } - ReflectUtil.checkPackageAccess(type); - types.add(type); - } + = (String[]) this.env.get("jmx.remote.rmi.server.credential.types"); + + String credentialsFilter + = (String) this.env.get(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN); + + // It is impossible for both attributes to be specified + if(credentialsTypes != null && credentialsFilter != null) + throw new IllegalArgumentException("Cannot specify both \"" + + "jmx.remote.rmi.server.credential.types" + "\" and \"" + + RMIConnectorServer.CREDENTIALS_FILTER_PATTERN + "\""); + else if(credentialsFilter != null){ + cFilter = ObjectInputFilter.Config.createFilter(credentialsFilter); + allowedTypes = null; } - exportedWrapper = types != null ? - new ExportedWrapper(this, types) : - null; + else if (credentialsTypes != null) { + allowedTypes = Arrays.stream(credentialsTypes).filter( + s -> s!= null).collect(Collectors.toSet()); + allowedTypes.stream().forEach(ReflectUtil::checkPackageAccess); + cFilter = this::newClientCheckInput; + } else { + allowedTypes = null; + cFilter = null; + } + + String userJmxFilter = + (String) this.env.get(RMIConnectorServer.SERIAL_FILTER_PATTERN); + if(userJmxFilter != null && !userJmxFilter.isEmpty()) + jmxRmiFilter = ObjectInputFilter.Config.createFilter(userJmxFilter); + else + jmxRmiFilter = null; } protected void export() throws IOException { - if (exportedWrapper != null) { - export(exportedWrapper); - } else { - export(this); - } + export(this, cFilter); } - private void export(Remote obj) throws RemoteException { + private void export(Remote obj, ObjectInputFilter typeFilter) throws RemoteException { final RMIExporter exporter = (RMIExporter) env.get(RMIExporter.EXPORTER_ATTRIBUTE); final boolean daemon = EnvHelp.isServerDaemon(env); @@ -137,16 +149,14 @@ public class RMIJRMPServerImpl extends RMIServerImpl { " cannot be used to specify an exporter!"); } - if (daemon) { - if (csf == null && ssf == null) { - new UnicastServerRef(port).exportObject(obj, null, true); - } else { - new UnicastServerRef2(port, csf, ssf).exportObject(obj, null, true); - } - } else if (exporter != null) { - exporter.exportObject(obj, port, csf, ssf); + if (exporter != null) { + exporter.exportObject(obj, port, csf, ssf, typeFilter); } else { - UnicastRemoteObject.exportObject(obj, port, csf, ssf); + if (csf == null && ssf == null) { + new UnicastServerRef(new LiveRef(port), typeFilter).exportObject(obj, null, daemon); + } else { + new UnicastServerRef2(port, csf, ssf, typeFilter).exportObject(obj, null, daemon); + } } } @@ -173,11 +183,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * RMIJRMPServerImpl has not been exported yet. */ public Remote toStub() throws IOException { - if (exportedWrapper != null) { - return RemoteObject.toStub(exportedWrapper); - } else { - return RemoteObject.toStub(this); - } + return RemoteObject.toStub(this); } /** @@ -207,7 +213,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl { RMIConnection client = new RMIConnectionImpl(this, connectionId, getDefaultClassLoader(), subject, env); - export(client); + export(client, jmxRmiFilter); return client; } @@ -224,56 +230,39 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * server failed. */ protected void closeServer() throws IOException { - if (exportedWrapper != null) { - unexport(exportedWrapper, true); - } else { - unexport(this, true); + unexport(this, true); + } + + /** + * Check that a type in the remote invocation of {@link RMIServerImpl#newClient} + * is one of the {@code allowedTypes}. + * + * @param clazz the class; may be null + * @param size the size for arrays, otherwise is 0 + * @param nObjectRefs the current number of object references + * @param depth the current depth + * @param streamBytes the current number of bytes consumed + * @return {@code ObjectInputFilter.Status.ALLOWED} if the class is allowed, + * otherwise {@code ObjectInputFilter.Status.REJECTED} + */ + ObjectInputFilter.Status newClientCheckInput(ObjectInputFilter.FilterInfo filterInfo) { + ObjectInputFilter.Status status = ObjectInputFilter.Status.UNDECIDED; + if (allowedTypes != null && filterInfo.serialClass() != null) { + // If enabled, check type + String type = filterInfo.serialClass().getName(); + if (allowedTypes.contains(type)) + status = ObjectInputFilter.Status.ALLOWED; + else + status = ObjectInputFilter.Status.REJECTED; } + return status; } private final int port; private final RMIClientSocketFactory csf; private final RMIServerSocketFactory ssf; private final Map env; - - private static class ExportedWrapper implements RMIServer, DeserializationChecker { - private final RMIServer impl; - private final List allowedTypes; - - private ExportedWrapper(RMIServer impl, List credentialsTypes) { - this.impl = impl; - allowedTypes = credentialsTypes; - } - - @Override - public String getVersion() throws RemoteException { - return impl.getVersion(); - } - - @Override - public RMIConnection newClient(Object credentials) throws IOException { - return impl.newClient(credentials); - } - - @Override - public void check(Method method, ObjectStreamClass descriptor, - int paramIndex, int callID) { - String type = descriptor.getName(); - if (!allowedTypes.contains(type)) { - throw new ClassCastException("Unsupported type: " + type); - } - } - - @Override - public void checkProxyClass(Method method, String[] ifaces, - int paramIndex, int callID) { - if (ifaces != null && ifaces.length > 0) { - for (String iface : ifaces) { - if (!allowedTypes.contains(iface)) { - throw new ClassCastException("Unsupported type: " + iface); - } - } - } - } - } + private final Set allowedTypes; + private final ObjectInputFilter jmxRmiFilter; + private final ObjectInputFilter cFilter; } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java index 2944e5d0f1..d04e9292fd 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java @@ -35,8 +35,6 @@ import java.security.AccessControlException; import java.security.Permission; import java.rmi.server.RMIClassLoader; import java.security.PrivilegedAction; -import jdk.internal.misc.ObjectStreamClassValidator; -import jdk.internal.misc.SharedSecrets; /** * MarshalInputStream is an extension of ObjectInputStream. When resolving @@ -54,11 +52,6 @@ import jdk.internal.misc.SharedSecrets; * @author Peter Jones */ public class MarshalInputStream extends ObjectInputStream { - interface StreamChecker extends ObjectStreamClassValidator { - void checkProxyInterfaceNames(String[] ifaces); - } - - private volatile StreamChecker streamChecker = null; /** * Value of "java.rmi.server.useCodebaseOnly" property, @@ -245,11 +238,6 @@ public class MarshalInputStream extends ObjectInputStream { protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { - StreamChecker checker = streamChecker; - if (checker != null) { - checker.checkProxyInterfaceNames(interfaces); - } - /* * Always read annotation written by MarshalOutputStream. */ @@ -330,28 +318,4 @@ public class MarshalInputStream extends ObjectInputStream { void useCodebaseOnly() { useCodebaseOnly = true; } - - synchronized void setStreamChecker(StreamChecker checker) { - streamChecker = checker; - SharedSecrets.getJavaObjectInputStreamAccess().setValidator(this, checker); - } - @Override - protected ObjectStreamClass readClassDescriptor() throws IOException, - ClassNotFoundException { - ObjectStreamClass descriptor = super.readClassDescriptor(); - - validateDesc(descriptor); - - return descriptor; - } - - private void validateDesc(ObjectStreamClass descriptor) { - StreamChecker checker; - synchronized (this) { - checker = streamChecker; - } - if (checker != null) { - checker.validateDescriptor(descriptor); - } - } } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java index 65437b7e16..b0ea348e3e 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java @@ -30,7 +30,6 @@ import java.io.ObjectInput; import java.io.ObjectInputFilter; import java.io.ObjectInputStream; import java.io.ObjectOutput; -import java.io.ObjectStreamClass; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.rmi.MarshalException; @@ -323,11 +322,16 @@ public class UnicastServerRef extends UnicastRef logCall(obj, method); // unmarshal parameters - Object[] params = null; + Class[] types = method.getParameterTypes(); + Object[] params = new Object[types.length]; try { unmarshalCustomCallData(in); - params = unmarshalParameters(obj, method, marshalStream); + // Unmarshal the parameters + for (int i = 0; i < types.length; i++) { + params[i] = unmarshalValue(types[i], in); + } + } catch (java.io.IOException e) { throw new UnmarshalException( "error unmarshalling arguments", e); @@ -603,84 +607,4 @@ public class UnicastServerRef extends UnicastRef } } - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Perform any necessary checks. - */ - private Object[] unmarshalParameters(Object obj, Method method, MarshalInputStream in) - throws IOException, ClassNotFoundException { - return (obj instanceof DeserializationChecker) ? - unmarshalParametersChecked((DeserializationChecker)obj, method, in) : - unmarshalParametersUnchecked(method, in); - } - - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Do not perform any additional checks. - */ - private Object[] unmarshalParametersUnchecked(Method method, ObjectInput in) - throws IOException, ClassNotFoundException { - Class[] types = method.getParameterTypes(); - Object[] params = new Object[types.length]; - for (int i = 0; i < types.length; i++) { - params[i] = unmarshalValue(types[i], in); - } - return params; - } - - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Do perform all additional checks. - */ - private Object[] unmarshalParametersChecked( - DeserializationChecker checker, - Method method, MarshalInputStream in) - throws IOException, ClassNotFoundException { - int callID = methodCallIDCount.getAndIncrement(); - MyChecker myChecker = new MyChecker(checker, method, callID); - in.setStreamChecker(myChecker); - try { - Class[] types = method.getParameterTypes(); - Object[] values = new Object[types.length]; - for (int i = 0; i < types.length; i++) { - myChecker.setIndex(i); - values[i] = unmarshalValue(types[i], in); - } - myChecker.end(callID); - return values; - } finally { - in.setStreamChecker(null); - } - } - - private static class MyChecker implements MarshalInputStream.StreamChecker { - private final DeserializationChecker descriptorCheck; - private final Method method; - private final int callID; - private int parameterIndex; - - MyChecker(DeserializationChecker descriptorCheck, Method method, int callID) { - this.descriptorCheck = descriptorCheck; - this.method = method; - this.callID = callID; - } - - @Override - public void validateDescriptor(ObjectStreamClass descriptor) { - descriptorCheck.check(method, descriptor, parameterIndex, callID); - } - - @Override - public void checkProxyInterfaceNames(String[] ifaces) { - descriptorCheck.checkProxyClass(method, ifaces, parameterIndex, callID); - } - - void setIndex(int parameterIndex) { - this.parameterIndex = parameterIndex; - } - - void end(int callId) { - descriptorCheck.end(callId); - } - } } diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java index 322b180eab..dae6b95c8b 100644 --- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java +++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; -import java.io.Serializable; +import java.io.ObjectInputFilter; import java.lang.management.ManagementFactory; import java.net.InetAddress; import java.net.MalformedURLException; @@ -45,14 +45,12 @@ import java.rmi.RemoteException; import java.rmi.registry.Registry; import java.rmi.server.RMIClientSocketFactory; import java.rmi.server.RMIServerSocketFactory; -import java.rmi.server.RMISocketFactory; import java.rmi.server.RemoteObject; import java.rmi.server.UnicastRemoteObject; import java.security.KeyStore; import java.security.Principal; import java.util.HashMap; import java.util.HashSet; -import java.util.Iterator; import java.util.Map; import java.util.Properties; import java.util.Set; @@ -84,6 +82,7 @@ import jdk.internal.agent.FileSystem; import sun.rmi.server.UnicastRef; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; +import sun.rmi.transport.LiveRef; /** * This class initializes and starts the RMIConnectorServer for JSR 163 @@ -142,6 +141,8 @@ public final class ConnectorBootstrap { "com.sun.management.jmxremote.ssl.need.client.auth"; public static final String SSL_CONFIG_FILE_NAME = "com.sun.management.jmxremote.ssl.config.file"; + public static final String SERIAL_FILTER_PATTERN = + "com.sun.management.jmxremote.serial.filter.pattern"; } /** @@ -182,7 +183,8 @@ public final class ConnectorBootstrap { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter filter) throws RemoteException { synchronized (this) { @@ -193,9 +195,9 @@ public final class ConnectorBootstrap { final UnicastServerRef ref; if (csf == null && ssf == null) { - ref = new UnicastServerRef(port); + ref = new UnicastServerRef(new LiveRef(port), filter); } else { - ref = new UnicastServerRef2(port, csf, ssf); + ref = new UnicastServerRef2(port, csf, ssf, filter); } return ref.exportObject(obj, null, true); } @@ -435,6 +437,7 @@ public final class ConnectorBootstrap { final String bindAddress = props.getProperty(PropertyNames.HOST); + final String jmxRmiFilter = props.getProperty(PropertyNames.SERIAL_FILTER_PATTERN); if (logger.isLoggable(Level.DEBUG)) { logger.log(Level.DEBUG, "startRemoteConnectorServer", @@ -471,7 +474,7 @@ public final class ConnectorBootstrap { sslConfigFileName, enabledCipherSuitesList, enabledProtocolsList, sslNeedClientAuth, useAuthentication, loginConfigName, - passwordFileName, accessFileName, bindAddress); + passwordFileName, accessFileName, bindAddress, jmxRmiFilter); cs = data.jmxConnectorServer; url = data.jmxRemoteURL; config("startRemoteConnectorServer", @@ -511,9 +514,7 @@ public final class ConnectorBootstrap { // This RMI server should not keep the VM alive Map env = new HashMap<>(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, new PermanentExporter()); - env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ - String[].class.getName(), String.class.getName() - }); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); // The local connector server need only be available via the // loopback connection. @@ -729,7 +730,8 @@ public final class ConnectorBootstrap { String loginConfigName, String passwordFileName, String accessFileName, - String bindAddress) + String bindAddress, + String jmxRmiFilter) throws IOException, MalformedURLException { /* Make sure we use non-guessable RMI object IDs. Otherwise @@ -744,9 +746,11 @@ public final class ConnectorBootstrap { PermanentExporter exporter = new PermanentExporter(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, exporter); - env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ - String[].class.getName(), String.class.getName() - }); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); + + if(jmxRmiFilter != null && !jmxRmiFilter.isEmpty()) { + env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, jmxRmiFilter); + } boolean useSocketFactory = bindAddress != null && !useSsl; diff --git a/jdk/src/jdk.management.agent/share/conf/management.properties b/jdk/src/jdk.management.agent/share/conf/management.properties index 02401d78be..3bf88daf63 100644 --- a/jdk/src/jdk.management.agent/share/conf/management.properties +++ b/jdk/src/jdk.management.agent/share/conf/management.properties @@ -329,3 +329,42 @@ # The format of the value for that property is any string accepted # by java.net.InetAddress.getByName(String). # + +# ################ Filter for ObjectInputStream ############################# +# com.sun.management.jmxremote.serial.filter.pattern= +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. diff --git a/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java new file mode 100644 index 0000000000..4216545214 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java @@ -0,0 +1,333 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + /* + * @test + * @bug 8159377 + * @library /lib/testlibrary + * @summary Tests ObjectFilter on default agent + * @author Harsha Wardhana B + * @modules java.management + * @build jdk.testlibrary.* DefaultAgentFilterTest + * @run main/othervm/timeout=600 -XX:+UsePerfData DefaultAgentFilterTest + */ +import java.io.EOFException; +import java.io.File; +import java.io.IOException; +import java.io.InvalidClassException; +import java.io.Serializable; +import java.lang.reflect.InvocationTargetException; +import java.net.BindException; +import java.rmi.UnmarshalException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.concurrent.atomic.AtomicBoolean; +import javax.management.MBeanServerConnection; +import javax.management.ObjectName; +import javax.management.remote.JMXConnector; +import javax.management.remote.JMXConnectorFactory; +import javax.management.remote.JMXServiceURL; + +import jdk.testlibrary.ProcessTools; +import jdk.testlibrary.Utils; + +public class DefaultAgentFilterTest { + + public static class MyTestObject implements Serializable { + + String a; + int id; + } + + public interface TestMBean { + + public void op1(HashSet params); + + public void op2(String s, HashSet params); + + public void op3(MyTestObject obj, String s, HashMap param); + } + + public static class Test implements TestMBean { + + @Override + public void op1(HashSet params) { + System.out.println("Invoked op1"); + } + + @Override + public void op2(String s, HashSet params) { + System.out.println("Invoked op2"); + } + + @Override + public void op3(MyTestObject obj, String s, HashMap param) { + System.out.println("Invoked op3"); + } + } + + private static class TestAppRun implements AutoCloseable { + + private Process p; + private final ProcessBuilder pb; + private final String name; + private final AtomicBoolean started = new AtomicBoolean(false); + private volatile long pid = -1; + + public TestAppRun(ProcessBuilder pb, String name) { + this.pb = pb; + this.name = name; + } + + public synchronized void start() throws Exception { + if (started.compareAndSet(false, true)) { + try { + AtomicBoolean error = new AtomicBoolean(false); + AtomicBoolean bindError = new AtomicBoolean(false); + p = ProcessTools.startProcess( + TEST_APP_NAME + "{" + name + "}", + pb, + (line) -> { + if (line.toLowerCase().contains("exception") + || line.toLowerCase().contains("error")) { + error.set(true); + } + bindError.set(line.toLowerCase().contains("bindexception")); + return true; + }); + if (bindError.get()) { + throw new BindException("Process could not be started"); + } else if (error.get()) { + throw new RuntimeException(); + } + pid = p.pid(); + } catch (Exception ex) { + if (p != null) { + p.destroy(); + p.waitFor(); + } + throw ex; + } + } + } + + public long getPid() { + return pid; + } + + public synchronized void stop() + throws IOException, InterruptedException { + if (started.compareAndSet(true, false)) { + p.getOutputStream().write(0); + p.getOutputStream().flush(); + int ec = p.waitFor(); + if (ec != 0) { + StringBuilder msg = new StringBuilder(); + msg.append("Test application '").append(name); + msg.append("' failed with exit code: "); + msg.append(ec); + System.err.println(msg); + } + } + } + + @Override + public void close() throws Exception { + stop(); + } + } + + private static final String TEST_APP_NAME = "TestApp"; + + private static void testDefaultAgent(String propertyFile) throws Exception { + int port = Utils.getFreePort(); + String propFile = System.getProperty("test.src") + File.separator + propertyFile; + List pbArgs = new ArrayList<>(Arrays.asList( + "-cp", + System.getProperty("test.class.path"), + "-XX:+UsePerfData" + )); + String[] args = new String[]{ + "-Dcom.sun.management.jmxremote.port=" + port, + "-Dcom.sun.management.jmxremote.authenticate=false", + "-Dcom.sun.management.jmxremote.ssl=false", + "-Dcom.sun.management.config.file=" + propFile + }; + pbArgs.addAll(Arrays.asList(args)); + pbArgs.add(TEST_APP_NAME); + + ProcessBuilder pb = ProcessTools.createJavaProcessBuilder( + pbArgs.toArray(new String[pbArgs.size()]) + ); + + try (TestAppRun s = new TestAppRun(pb, DefaultAgentFilterTest.class.getSimpleName())) { + s.start(); + JMXServiceURL url = testConnect(port); + testMBeanOperations(url); + } + } + + private static JMXServiceURL testConnect(int port) throws Exception { + EOFException lastException = null; + JMXServiceURL url = null; + // factor adjusted timeout (5 seconds) for the RMI to become available + long timeout = System.currentTimeMillis() + Utils.adjustTimeout(5000); + do { + lastException = null; + try { + Registry registry = LocateRegistry.getRegistry(port); + String[] relist = registry.list(); + for (int i = 0; i < relist.length; ++i) { + System.out.println("Got registry: " + relist[i]); + } + String jmxUrlStr = String.format( + "service:jmx:rmi:///jndi/rmi://localhost:%d/jmxrmi", + port); + url = new JMXServiceURL(jmxUrlStr); + + try (JMXConnector c = JMXConnectorFactory.connect(url, null)) { + MBeanServerConnection conn = c.getMBeanServerConnection(); + ObjectName name = new ObjectName("jtreg:type=Test"); + conn.createMBean(Test.class.getName(), name); + } + } catch (Exception ex) { + if (ex instanceof EOFException) { + lastException = (EOFException) ex; + System.out.println("Error establishing RMI connection. Retrying in 500ms."); + Thread.sleep(500); + } else { + throw ex; + } + } + } while (lastException != null && System.currentTimeMillis() < timeout); + if (lastException != null) { + throw lastException; + } + return url; + } + + public static void main(String[] args) throws Exception { + System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: starting ..."); + + boolean retry = false; + do { + try { + // blacklist String + testDefaultAgent("mgmt1.properties"); + System.out.println("----\tTest FAILED !!"); + throw new RuntimeException("---" + DefaultAgentFilterTest.class.getName() + " - No exception reported"); + } catch (Exception ex) { + if (ex instanceof InvocationTargetException) { + if (ex.getCause() instanceof BindException + || ex.getCause() instanceof java.rmi.ConnectException) { + System.out.println("Failed to allocate ports. Retrying ..."); + retry = true; + } + } else if (ex instanceof InvalidClassException) { + System.out.println("----\tTest PASSED !!"); + } else if (ex instanceof UnmarshalException + && ((UnmarshalException) ex).getCause() instanceof InvalidClassException) { + System.out.println("----\tTest PASSED !!"); + } else { + System.out.println(ex); + System.out.println("----\tTest FAILED !!"); + throw ex; + } + } + } while (retry); + retry = false; + do { + try { + // blacklist non-existent class + testDefaultAgent("mgmt2.properties"); + System.out.println("----\tTest PASSED !!"); + } catch (Exception ex) { + if (ex instanceof InvocationTargetException) { + if (ex.getCause() instanceof BindException + || ex.getCause() instanceof java.rmi.ConnectException) { + System.out.println("Failed to allocate ports. Retrying ..."); + retry = true; + } + } else { + System.out.println(ex); + System.out.println("----\tTest FAILED !!"); + throw ex; + } + } + } while (retry); + + System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: finished ..."); + } + + private static void testMBeanOperations(JMXServiceURL serverUrl) throws Exception { + Map clientEnv = new HashMap<>(1); + ObjectName name = new ObjectName("jtreg:type=Test"); + try (JMXConnector client = JMXConnectorFactory.connect(serverUrl, clientEnv)) { + MBeanServerConnection conn = client.getMBeanServerConnection(); + + HashSet set = new HashSet<>(); + set.add("test1"); + set.add("test2"); + + String a = "A"; + + Object[] params1 = {set}; + String[] sig1 = {HashSet.class.getName()}; + conn.invoke(name, "op1", params1, sig1); + + Object[] params2 = {a, set}; + String[] sig2 = {String.class.getName(), HashSet.class.getName()}; + conn.invoke(name, "op2", params2, sig2); + + HashMap map = new HashMap<>(); + map.put("a", "A"); + map.put("b", "B"); + + Object[] params3 = {new MyTestObject(), a, map}; + String[] sig3 = {MyTestObject.class.getName(), String.class.getName(), + HashMap.class.getName()}; + conn.invoke(name, "op3", params3, sig3); + } + } +} + +class TestApp { + + private static void doSomething() throws IOException { + int r = System.in.read(); + System.out.println("read: " + r); + } + + public static void main(String args[]) throws Exception { + System.out.println("main enter"); + System.out.flush(); + doSomething(); + System.out.println("main exit"); + } +} diff --git a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java new file mode 100644 index 0000000000..78ae27bb64 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java @@ -0,0 +1,147 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + /* + * @test + * @bug 8159377 + * @summary Tests ObjectInputFilter on RMIServer.newClient + * @author Harsha Wardhana B + * @modules java.management + * @run clean NewRMIClientFilterTest + * @run build NewRMIClientFilterTest + * @run main NewRMIClientFilterTest + */ +import java.io.InvalidClassException; +import java.io.Serializable; +import java.lang.management.ManagementFactory; +import java.util.HashMap; +import java.util.Map; +import javax.management.remote.JMXConnector; +import javax.management.remote.JMXConnectorFactory; +import javax.management.remote.JMXConnectorServer; +import javax.management.remote.JMXConnectorServerFactory; +import javax.management.remote.JMXServiceURL; +import javax.management.remote.rmi.RMIConnectorServer; + +public class NewRMIClientFilterTest { + + public static void main(String[] args) throws Exception { + System.out.println("---NewRMIClientFilterTest-main: starting ..."); + String filter1 = java.lang.String.class.getName() + ";!*"; + String filter2 = java.lang.String.class.getName() + ";" + MyCredentials.class.getName() + ";!*"; + + JMXServiceURL url = new JMXServiceURL("rmi", null, 0); + JMXServiceURL serverUrl = null; + Map env = new HashMap<>(1); + JMXConnectorServer server = null; + + System.out.println("\n---NewRMIClientFilterTest-main: testing types = null"); + server = newServer(url, null); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + doTest(serverUrl, new Object[]{new MyCredentials(), "toto"}); + server.stop(); + + System.out.println("\n---NewRMIClientFilterTest-main: testing types = String[]"); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, + filter1); + server = newServer(url, env); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + try { + doTest(serverUrl, new MyCredentials()); + throw new Error("Bad client is not refused!"); + } catch (Exception e) { + isInvalidClassEx(e); + } finally { + server.stop(); + } + + System.out.println("\n---NewRMIClientFilterTest-main: testing user specific types = String, MyCredentials"); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, + filter2); + server = newServer(url, env); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + doTest(serverUrl, new MyCredentials[]{new MyCredentials(), (MyCredentials) null}); + try { + doTest(serverUrl, new Object[]{"toto", new byte[3]}); + throw new Error("Bad client is not refused!"); + } catch (Exception e) { + isInvalidClassEx(e); + } finally { + server.stop(); + } + + System.out.println("---NewRMIClientFilterTest-main PASSED!!!"); + } + + private static void doTest(JMXServiceURL serverAddr, Object credentials) throws Exception { + System.out.println("---NewRMIClientFilterTest-test:\n\tserver address: " + + serverAddr + "\n\tcredentials: " + credentials); + + Map env = new HashMap<>(1); + env.put("jmx.remote.credentials", credentials); + JMXConnector client = null; + try { + client = JMXConnectorFactory.connect(serverAddr, env); + client.getMBeanServerConnection().getDefaultDomain(); + } finally { + try { + client.close(); + } catch (Exception e) { + } + } + System.out.println("---NewRMIClientFilterTest-test: PASSED!"); + } + + private static JMXConnectorServer newServer(JMXServiceURL url, Map env) + throws Exception { + JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer( + url, + env, + ManagementFactory.getPlatformMBeanServer()); + + server.start(); + return server; + } + + private static class MyCredentials implements Serializable { + } + + private static void isInvalidClassEx(Exception e) { + Throwable cause = e; + while (cause != null) { + if (cause instanceof InvalidClassException) { + System.out.println("---NewRMIClientFilterTest-InvalidClassException expected: " + cause); + return; + } + cause = cause.getCause(); + } + e.printStackTrace(); + throw new RuntimeException("Did not get expected InvalidClassException!"); + } +} diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties new file mode 100644 index 0000000000..17f81fa2ec --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties @@ -0,0 +1,38 @@ +# ################ Filter for ObjectInputStream ############################# +com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$MyTestObject +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties new file mode 100644 index 0000000000..d29d746d92 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties @@ -0,0 +1,38 @@ +# ################ Filter for ObjectInputStream ############################# +com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$ThisTypeIsNotUsed +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java index 3b010e38a1..5d79b06fd3 100644 --- a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java +++ b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -47,6 +47,7 @@ import javax.management.remote.JMXConnectorServer; import javax.management.remote.JMXConnectorServerFactory; import javax.management.remote.JMXServiceURL; import com.sun.jmx.remote.internal.rmi.RMIExporter; +import java.io.ObjectInputFilter; public class RMIExporterTest { @@ -60,7 +61,8 @@ public class RMIExporterTest { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter unused) throws RemoteException { System.out.println("CustomRMIExporter::exportObject():: " + "Remote = " + obj); From 4e2b9383c18441a79dca41d323acae2f0b4c7dd2 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Fri, 18 Nov 2016 10:27:13 -0800 Subject: [PATCH 008/269] 8169209: Improved image post-processing steps Reviewed-by: serb, vadim, mschoene --- .../imageio/plugins/jpeg/JPEGImageReader.java | 17 ++++++++++-- .../share/native/libjavajpeg/imageioJPEG.c | 27 +++++++++++++++---- 2 files changed, 37 insertions(+), 7 deletions(-) diff --git a/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java b/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java index 3a1b4c13f1..e744095d2f 100644 --- a/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java +++ b/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java @@ -392,6 +392,17 @@ public class JPEGImageReader extends ImageReader { } } + private void skipPastImage(int imageIndex) { + cbLock.lock(); + try { + gotoImage(imageIndex); + skipImage(); + } catch (IOException | IndexOutOfBoundsException e) { + } finally { + cbLock.unlock(); + } + } + @SuppressWarnings("fallthrough") private int getNumImagesOnThread(boolean allowSearch) throws IOException { @@ -1340,7 +1351,8 @@ public class JPEGImageReader extends ImageReader { * just a 1-line intermediate data transfer buffer that will not * affect the acceleration of the resulting image. */ - boolean aborted = readImage(structPointer, + boolean aborted = readImage(imageIndex, + structPointer, buffer.getData(), numRasterBands, srcBands, @@ -1502,7 +1514,8 @@ public class JPEGImageReader extends ImageReader { /** * Returns {@code true} if the read was aborted. */ - private native boolean readImage(long structPointer, + private native boolean readImage(int imageIndex, + long structPointer, byte [] buffer, int numRasterBands, int [] srcBands, diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c index 7fe4bd9847..d0c60b99e5 100644 --- a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +++ b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c @@ -72,6 +72,7 @@ static jmethodID JPEGImageReader_acceptPixelsID; static jmethodID JPEGImageReader_pushBackID; static jmethodID JPEGImageReader_passStartedID; static jmethodID JPEGImageReader_passCompleteID; +static jmethodID JPEGImageReader_skipPastImageID; static jmethodID JPEGImageWriter_writeOutputDataID; static jmethodID JPEGImageWriter_warningOccurredID; static jmethodID JPEGImageWriter_warningWithMessageID; @@ -1472,6 +1473,10 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_initReaderIDs cls, "pushBack", "(I)V")); + CHECK_NULL(JPEGImageReader_skipPastImageID = (*env)->GetMethodID(env, + cls, + "skipPastImage", + "(I)V")); CHECK_NULL(JPEGQTable_tableID = (*env)->GetFieldID(env, qTableClass, "qTable", @@ -1853,6 +1858,7 @@ JNIEXPORT jboolean JNICALL Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage (JNIEnv *env, jobject this, + jint imageIndex, jlong ptr, jbyteArray buffer, jint numBands, @@ -2181,12 +2187,23 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage * We are done, but we might not have read all the lines, or all * the passes, so use jpeg_abort instead of jpeg_finish_decompress. */ - if (cinfo->output_scanline == cinfo->output_height) { - // if ((cinfo->output_scanline == cinfo->output_height) && - //(jpeg_input_complete(cinfo))) { // We read the whole file - jpeg_finish_decompress(cinfo); - } else { + if ((cinfo->output_scanline != cinfo->output_height) || + data->abortFlag == JNI_TRUE) + { jpeg_abort_decompress(cinfo); + } else if ((!jpeg_input_complete(cinfo)) && + (progressive && + (cinfo->input_scan_number > maxProgressivePass))) { + /* We haven't reached EOI, but we need to skip to there */ + (*cinfo->src->term_source) (cinfo); + /* We can use jpeg_abort to release memory and reset global_state */ + jpeg_abort((j_common_ptr) cinfo); + (*env)->CallVoidMethod(env, + this, + JPEGImageReader_skipPastImageID, + imageIndex); + } else { + jpeg_finish_decompress(cinfo); } free(scanLinePtr); From 410fb7a4c262765e5abc363e5bc148e9ca299bac Mon Sep 17 00:00:00 2001 From: Harold Seigel Date: Wed, 21 Dec 2016 10:15:49 -0500 Subject: [PATCH 009/269] 8170966: Right parenthesis issue Reviewed-by: acorn, ctornqvi, mschoene --- .../share/native/libverify/check_code.c | 40 ++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/native/libverify/check_code.c b/jdk/src/java.base/share/native/libverify/check_code.c index b278f2559f..e78627c863 100644 --- a/jdk/src/java.base/share/native/libverify/check_code.c +++ b/jdk/src/java.base/share/native/libverify/check_code.c @@ -459,6 +459,8 @@ static void *CCalloc(context_type *context, int size, jboolean zero); static fullinfo_type cp_index_to_class_fullinfo(context_type *, int, int); +static const char* get_result_signature(const char* signature); + static char signature_to_fieldtype(context_type *context, const char **signature_p, fullinfo_type *info); @@ -2789,7 +2791,7 @@ push_stack(context_type *context, unsigned int inumber, stack_info_type *new_sta operand); const char *result_signature; check_and_push(context, signature, VM_STRING_UTF); - result_signature = strchr(signature, JVM_SIGNATURE_ENDFUNC); + result_signature = get_result_signature(signature); if (result_signature++ == NULL) { CCerror(context, "Illegal signature %s", signature); } @@ -3712,6 +3714,42 @@ CFerror(context_type *context, char *format, ...) longjmp(context->jump_buffer, 1); } +/* + * Need to scan the entire signature to find the result type because + * types in the arg list and the result type could contain embedded ')'s. + */ +static const char* get_result_signature(const char* signature) { + const char *p; + for (p = signature; *p != JVM_SIGNATURE_ENDFUNC; p++) { + switch (*p) { + case JVM_SIGNATURE_BOOLEAN: + case JVM_SIGNATURE_BYTE: + case JVM_SIGNATURE_CHAR: + case JVM_SIGNATURE_SHORT: + case JVM_SIGNATURE_INT: + case JVM_SIGNATURE_FLOAT: + case JVM_SIGNATURE_DOUBLE: + case JVM_SIGNATURE_LONG: + case JVM_SIGNATURE_FUNC: /* ignore initial (, if given */ + break; + case JVM_SIGNATURE_CLASS: + while (*p != JVM_SIGNATURE_ENDCLASS) p++; + break; + case JVM_SIGNATURE_ARRAY: + while (*p == JVM_SIGNATURE_ARRAY) p++; + /* If an array of classes, skip over class name, too. */ + if (*p == JVM_SIGNATURE_CLASS) { + while (*p != JVM_SIGNATURE_ENDCLASS) p++; + } + break; + default: + /* Indicate an error. */ + return NULL; + } + } + return p++; /* skip over ')'. */ +} + static char signature_to_fieldtype(context_type *context, const char **signature_p, fullinfo_type *full_info_p) From 853772efcbeec07f3a584f4c7a2a4c0f4d590202 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 3 Feb 2017 10:32:58 +0800 Subject: [PATCH 010/269] 8169392: Additional jar validation steps Reviewed-by: mullan, herrick, ahgross --- .../share/classes/java/util/jar/JarVerifier.java | 12 +++++++----- .../sun/security/util/ManifestEntryVerifier.java | 9 +++++++-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java b/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java index 2d0f5eb18e..240b174fc8 100644 --- a/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java +++ b/jdk/src/java.base/share/classes/java/util/jar/JarVerifier.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -180,10 +180,12 @@ class JarVerifier { // only set the jev object for entries that have a signature // (either verified or not) - if (sigFileSigners.get(name) != null || - verifiedSigners.get(name) != null) { - mev.setEntry(name, je); - return; + if (!name.equals(JarFile.MANIFEST_NAME)) { + if (sigFileSigners.get(name) != null || + verifiedSigners.get(name) != null) { + mev.setEntry(name, je); + return; + } } // don't compute the digest for this entry diff --git a/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java b/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java index 19cc730ce6..6284047c2e 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java +++ b/jdk/src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -107,6 +107,8 @@ public class ManifestEntryVerifier { /* get the headers from the manifest for this entry */ /* if there aren't any, we can't verify any digests for this entry */ + skip = false; + Attributes attr = man.getAttributes(name); if (attr == null) { // ugh. we should be able to remove this at some point. @@ -141,7 +143,6 @@ public class ManifestEntryVerifier { } if (digest != null) { - skip = false; digest.reset(); digests.add(digest); manifestHashes.add( @@ -197,6 +198,10 @@ public class ManifestEntryVerifier { return null; } + if (digests.isEmpty()) { + throw new SecurityException("digest missing for " + name); + } + if (signers != null) return signers; From a4add026e61671c4aa34c4911b9349df921589e7 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Mon, 6 Feb 2017 15:31:37 -0800 Subject: [PATCH 011/269] 8172461: Service Registration Lifecycle Reviewed-by: serb, vadim, skoivu, shurailine --- .../javax/imageio/spi/ServiceRegistry.java | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java b/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java index 2df6e1ba03..9e75032310 100644 --- a/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java +++ b/jdk/src/java.desktop/share/classes/javax/imageio/spi/ServiceRegistry.java @@ -26,6 +26,9 @@ package javax.imageio.spi; import java.io.File; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -756,13 +759,14 @@ class SubRegistry { Class category; - // Provider Objects organized by partial oridering - PartiallyOrderedSet poset = new PartiallyOrderedSet<>(); + // Provider Objects organized by partial ordering + final PartiallyOrderedSet poset = new PartiallyOrderedSet<>(); // Class -> Provider Object of that class // No way to express heterogeneous map, we want // Map, T>, where T is ? - Map, Object> map = new HashMap<>(); + final Map, Object> map = new HashMap<>(); + final Map, AccessControlContext> accMap = new HashMap<>(); public SubRegistry(ServiceRegistry registry, Class category) { this.registry = registry; @@ -777,6 +781,7 @@ class SubRegistry { deregisterServiceProvider(oprovider); } map.put(provider.getClass(), provider); + accMap.put(provider.getClass(), AccessController.getContext()); poset.add(provider); if (provider instanceof RegisterableService) { RegisterableService rs = (RegisterableService)provider; @@ -801,6 +806,7 @@ class SubRegistry { if (provider == oprovider) { map.remove(provider.getClass()); + accMap.remove(provider.getClass()); poset.remove(provider); if (provider instanceof RegisterableService) { RegisterableService rs = (RegisterableService)provider; @@ -850,10 +856,17 @@ class SubRegistry { if (provider instanceof RegisterableService) { RegisterableService rs = (RegisterableService)provider; - rs.onDeregistration(registry, category); + AccessControlContext acc = accMap.get(provider.getClass()); + if (acc != null || System.getSecurityManager() == null) { + AccessController.doPrivileged((PrivilegedAction) () -> { + rs.onDeregistration(registry, category); + return null; + }, acc); + } } } poset.clear(); + accMap.clear(); } @SuppressWarnings("deprecation") From 0a40b59750667dbc49c0b64f965e4c7fa7cef6ee Mon Sep 17 00:00:00 2001 From: Phil Race Date: Sun, 12 Feb 2017 08:10:34 -0800 Subject: [PATCH 012/269] 8174098: Better image fetching Reviewed-by: serb, vadim, skoivu --- .../classes/sun/awt/image/ImageWatched.java | 33 +++++++++++++++++-- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java b/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java index b740aa1870..07d964659b 100644 --- a/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java +++ b/jdk/src/java.desktop/share/classes/sun/awt/image/ImageWatched.java @@ -29,6 +29,10 @@ import java.lang.ref.WeakReference; import java.awt.Image; import java.awt.image.ImageObserver; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.PrivilegedAction; + public abstract class ImageWatched { public static Link endlink = new Link(); @@ -85,16 +89,26 @@ public abstract class ImageWatched { } } + static class AccWeakReference extends WeakReference { + + private final AccessControlContext acc; + + AccWeakReference(T ref) { + super(ref); + acc = AccessController.getContext(); + } + } + /* * Standard Link implementation to manage a Weak Reference * to an ImageObserver. */ public static class WeakLink extends Link { - private WeakReference myref; + private final AccWeakReference myref; private Link next; public WeakLink(ImageObserver obs, Link next) { - myref = new WeakReference(obs); + myref = new AccWeakReference(obs); this.next = next; } @@ -120,6 +134,19 @@ public abstract class ImageWatched { return this; } + private static boolean update(ImageObserver iw, AccessControlContext acc, + Image img, int info, + int x, int y, int w, int h) { + + if (acc != null || System.getSecurityManager() != null) { + return AccessController.doPrivileged( + (PrivilegedAction) () -> { + return iw.imageUpdate(img, info, x, y, w, h); + }, acc); + } + return false; + } + public boolean newInfo(Image img, int info, int x, int y, int w, int h) { @@ -129,7 +156,7 @@ public abstract class ImageWatched { if (myiw == null) { // My referent is null so we must prune in a second pass. ret = true; - } else if (myiw.imageUpdate(img, info, x, y, w, h) == false) { + } else if (update(myiw, myref.acc, img, info, x, y, w, h) == false) { // My referent has lost interest so clear it and ask // for a pruning pass to remove it later. myref.clear(); From 14e6885de54b29f21b321d9b350ebec42e1062fa Mon Sep 17 00:00:00 2001 From: Chris Hegarty Date: Mon, 13 Feb 2017 16:32:23 +0000 Subject: [PATCH 013/269] 8172204: Better Thread Pool execution Reviewed-by: alanb, skoivu, rriggs --- .../util/concurrent/ThreadPoolExecutor.java | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java b/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java index ceb9bf2022..092b1b296a 100644 --- a/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java +++ b/jdk/src/java.base/share/classes/java/util/concurrent/ThreadPoolExecutor.java @@ -35,6 +35,9 @@ package java.util.concurrent; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.ConcurrentModificationException; import java.util.HashSet; @@ -584,6 +587,9 @@ public class ThreadPoolExecutor extends AbstractExecutorService { private static final RuntimePermission shutdownPerm = new RuntimePermission("modifyThread"); + /* The context to be used when executing the finalizer, or null. */ + private final AccessControlContext acc; + /** * Class Worker mainly maintains interrupt control state for * threads running tasks, along with other minor bookkeeping. @@ -1326,6 +1332,9 @@ public class ThreadPoolExecutor extends AbstractExecutorService { throw new IllegalArgumentException(); if (workQueue == null || threadFactory == null || handler == null) throw new NullPointerException(); + this.acc = System.getSecurityManager() == null ? + null : + AccessController.getContext(); this.corePoolSize = corePoolSize; this.maximumPoolSize = maximumPoolSize; this.workQueue = workQueue; @@ -1491,6 +1500,9 @@ public class ThreadPoolExecutor extends AbstractExecutorService { * Invokes {@code shutdown} when this executor is no longer * referenced and it has no threads. * + *

This method is invoked with privileges that are restricted by + * the security context of the caller that invokes the constructor. + * * @deprecated The {@code finalize} method has been deprecated. * Subclasses that override {@code finalize} in order to perform cleanup * should be modified to use alternative cleanup mechanisms and @@ -1502,7 +1514,13 @@ public class ThreadPoolExecutor extends AbstractExecutorService { */ @Deprecated(since="9") protected void finalize() { - shutdown(); + SecurityManager sm = System.getSecurityManager(); + if (sm == null || acc == null) { + shutdown(); + } else { + PrivilegedAction pa = () -> { shutdown(); return null; }; + AccessController.doPrivileged(pa, acc); + } } /** From 7ff8407ec03f962de92f7eb21e692d4d73053ae3 Mon Sep 17 00:00:00 2001 From: Brian Burkhalter Date: Mon, 13 Feb 2017 15:24:42 -0800 Subject: [PATCH 014/269] 8172465: Better handling of channel groups Reviewed-by: alanb, coffeys, skoivu, rhalade, chegar --- .../nio/ch/AsynchronousChannelGroupImpl.java | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java b/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java index 117df2452d..8a88ddcba9 100644 --- a/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java +++ b/jdk/src/java.base/share/classes/sun/nio/ch/AsynchronousChannelGroupImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -246,13 +246,16 @@ abstract class AsynchronousChannelGroupImpl abstract void shutdownHandlerTasks(); private void shutdownExecutors() { - AccessController.doPrivileged(new PrivilegedAction<>() { - public Void run() { - pool.executor().shutdown(); - timeoutExecutor.shutdown(); - return null; - } - }); + AccessController.doPrivileged( + new PrivilegedAction<>() { + public Void run() { + pool.executor().shutdown(); + timeoutExecutor.shutdown(); + return null; + } + }, + null, + new RuntimePermission("modifyThread")); } @Override From 5f3774934e2ca94c82452a5ac1da6e2ded309486 Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Tue, 21 Feb 2017 02:23:00 +0300 Subject: [PATCH 015/269] 8169966: Larger AWT menus Reviewed-by: azvegint, prr, rhalade, mschoene --- .../native/libawt/windows/CmdIDList.cpp | 39 +++++++++++-------- .../windows/native/libawt/windows/CmdIDList.h | 3 +- .../native/libawt/windows/awt_MenuItem.cpp | 6 ++- .../native/libawt/windows/awt_Toolkit.cpp | 7 +++- .../native/libawt/windows/awt_Toolkit.h | 4 +- 5 files changed, 39 insertions(+), 20 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp index a71ede3d38..138f3e9807 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp @@ -61,29 +61,36 @@ INLINE void AwtCmdIDList::BuildFreeList(UINT first_index) m_first_free = first_index; // head of the free list } + +jboolean AwtCmdIDList::isFreeIDAvailable() { + CriticalSection::Lock l(m_lock); + + if (m_first_free == -1) { // out of free ids + if (m_capacity == ARRAY_MAXIMUM_SIZE) { + return JNI_FALSE; + } + } + return JNI_TRUE; +} + // Assign an id to the object. Recycle the first free entry from the // head of the free list or allocate more memory for a new free list. UINT AwtCmdIDList::Add(AwtObject* obj) { CriticalSection::Lock l(m_lock); + if (!isFreeIDAvailable()) { + throw std::bad_alloc(); // fatal error + } if (m_first_free == -1) { // out of free ids - if (m_capacity == ARRAY_MAXIMUM_SIZE) { - // Really bad - out of ids. Since we hardly can have *so* - // many items simultaneously in existence, we have an id - // leak somewhere. - DASSERT(FALSE); - return 0; - } - else { // snarf a bigger arena - UINT old_capacity = m_capacity; // will be the first free entry - m_capacity += ARRAY_SIZE_INCREMENT; - if (m_capacity > ARRAY_MAXIMUM_SIZE) - m_capacity = ARRAY_MAXIMUM_SIZE; - m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_array, - m_capacity, sizeof(CmdIDEntry*)); - BuildFreeList(old_capacity); - } + // snarf a bigger arena + UINT old_capacity = m_capacity; // will be the first free entry + m_capacity += ARRAY_SIZE_INCREMENT; + if (m_capacity > ARRAY_MAXIMUM_SIZE) + m_capacity = ARRAY_MAXIMUM_SIZE; + m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_array, + m_capacity, sizeof(CmdIDEntry*)); + BuildFreeList(old_capacity); } DASSERT(m_first_free != -1); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h index 3677b6dcf0..15b032e625 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1999, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,6 +38,7 @@ public: UINT Add(AwtObject* obj); AwtObject* Lookup(UINT id); void Remove(UINT id); + jboolean isFreeIDAvailable(); CriticalSection m_lock; diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp index f00d5ba31c..095db63eb3 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -217,6 +217,10 @@ AwtMenuItem* AwtMenuItem::Create(jobject peer, jobject menuPeer) if (env->EnsureLocalCapacity(1) < 0) { return NULL; } + if (!AwtToolkit::GetInstance().isFreeIDAvailable()) { + return NULL; + } + JNI_CHECK_NULL_RETURN_NULL(menuPeer, "peer"); /* target is a java.awt.MenuItem */ diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp index 4a0ac907f6..25d9de8f9a 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1663,6 +1663,11 @@ void AwtToolkit::SyncCall(void (*ftn)(void)) { } } +jboolean AwtToolkit::isFreeIDAvailable() +{ + return m_cmdIDs->isFreeIDAvailable(); +} + UINT AwtToolkit::CreateCmdID(AwtObject* object) { return m_cmdIDs->Add(object); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h index 05da58b1c5..a99fe963c0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -320,6 +320,8 @@ public: BOOL PreProcessMouseMsg(class AwtComponent* p, MSG& msg); BOOL PreProcessKeyMsg(class AwtComponent* p, MSG& msg); + /* Checks that an free ID exists. */ + jboolean isFreeIDAvailable(); /* Create an ID which maps to an AwtObject pointer, such as a menu. */ UINT CreateCmdID(AwtObject* object); From d90f8d4d0f4f39c8eeaf562f3f722c7e60c5a295 Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Tue, 21 Feb 2017 02:23:00 +0300 Subject: [PATCH 016/269] 8169966: Larger AWT menus Reviewed-by: azvegint, prr, rhalade, mschoene --- .../native/libawt/windows/CmdIDList.cpp | 39 +++++++++++-------- .../windows/native/libawt/windows/CmdIDList.h | 3 +- .../native/libawt/windows/awt_MenuItem.cpp | 6 ++- .../native/libawt/windows/awt_Toolkit.cpp | 7 +++- .../native/libawt/windows/awt_Toolkit.h | 4 +- 5 files changed, 39 insertions(+), 20 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp index a71ede3d38..138f3e9807 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.cpp @@ -61,29 +61,36 @@ INLINE void AwtCmdIDList::BuildFreeList(UINT first_index) m_first_free = first_index; // head of the free list } + +jboolean AwtCmdIDList::isFreeIDAvailable() { + CriticalSection::Lock l(m_lock); + + if (m_first_free == -1) { // out of free ids + if (m_capacity == ARRAY_MAXIMUM_SIZE) { + return JNI_FALSE; + } + } + return JNI_TRUE; +} + // Assign an id to the object. Recycle the first free entry from the // head of the free list or allocate more memory for a new free list. UINT AwtCmdIDList::Add(AwtObject* obj) { CriticalSection::Lock l(m_lock); + if (!isFreeIDAvailable()) { + throw std::bad_alloc(); // fatal error + } if (m_first_free == -1) { // out of free ids - if (m_capacity == ARRAY_MAXIMUM_SIZE) { - // Really bad - out of ids. Since we hardly can have *so* - // many items simultaneously in existence, we have an id - // leak somewhere. - DASSERT(FALSE); - return 0; - } - else { // snarf a bigger arena - UINT old_capacity = m_capacity; // will be the first free entry - m_capacity += ARRAY_SIZE_INCREMENT; - if (m_capacity > ARRAY_MAXIMUM_SIZE) - m_capacity = ARRAY_MAXIMUM_SIZE; - m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_array, - m_capacity, sizeof(CmdIDEntry*)); - BuildFreeList(old_capacity); - } + // snarf a bigger arena + UINT old_capacity = m_capacity; // will be the first free entry + m_capacity += ARRAY_SIZE_INCREMENT; + if (m_capacity > ARRAY_MAXIMUM_SIZE) + m_capacity = ARRAY_MAXIMUM_SIZE; + m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_array, + m_capacity, sizeof(CmdIDEntry*)); + BuildFreeList(old_capacity); } DASSERT(m_first_free != -1); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h index 3677b6dcf0..15b032e625 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/CmdIDList.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 1999, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,6 +38,7 @@ public: UINT Add(AwtObject* obj); AwtObject* Lookup(UINT id); void Remove(UINT id); + jboolean isFreeIDAvailable(); CriticalSection m_lock; diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp index f00d5ba31c..095db63eb3 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_MenuItem.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -217,6 +217,10 @@ AwtMenuItem* AwtMenuItem::Create(jobject peer, jobject menuPeer) if (env->EnsureLocalCapacity(1) < 0) { return NULL; } + if (!AwtToolkit::GetInstance().isFreeIDAvailable()) { + return NULL; + } + JNI_CHECK_NULL_RETURN_NULL(menuPeer, "peer"); /* target is a java.awt.MenuItem */ diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp index 4a0ac907f6..25d9de8f9a 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1663,6 +1663,11 @@ void AwtToolkit::SyncCall(void (*ftn)(void)) { } } +jboolean AwtToolkit::isFreeIDAvailable() +{ + return m_cmdIDs->isFreeIDAvailable(); +} + UINT AwtToolkit::CreateCmdID(AwtObject* object) { return m_cmdIDs->Add(object); diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h index 05da58b1c5..a99fe963c0 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Toolkit.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -320,6 +320,8 @@ public: BOOL PreProcessMouseMsg(class AwtComponent* p, MSG& msg); BOOL PreProcessKeyMsg(class AwtComponent* p, MSG& msg); + /* Checks that an free ID exists. */ + jboolean isFreeIDAvailable(); /* Create an ID which maps to an AwtObject pointer, such as a menu. */ UINT CreateCmdID(AwtObject* object); From 7ef301c401e9a095ee1290710985e7f9c9ed5fe2 Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Wed, 22 Feb 2017 00:14:32 +0000 Subject: [PATCH 017/269] 8171252: Improve exception checking Reviewed-by: ascarpino, mschoene --- .../com/sun/crypto/provider/AESCipher.java | 10 +- .../sun/crypto/provider/AESWrapCipher.java | 8 +- .../sun/crypto/provider/ARCFOURCipher.java | 4 +- .../sun/crypto/provider/BlowfishCipher.java | 4 +- .../com/sun/crypto/provider/CipherCore.java | 42 +- .../sun/crypto/provider/DESedeWrapCipher.java | 8 +- .../sun/crypto/provider/ISO10126Padding.java | 12 +- .../sun/crypto/provider/PBECipherCore.java | 535 ------------------ .../com/sun/crypto/provider/PBES1Core.java | 4 +- .../com/sun/crypto/provider/PKCS5Padding.java | 21 +- 10 files changed, 58 insertions(+), 590 deletions(-) delete mode 100644 jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java index 9d11f0091d..1fefe6e1ad 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,7 +156,7 @@ abstract class AESCipher extends CipherSpi { throw new InvalidKeyException("Key encoding must not be null"); } else if (value.length != fixedKeySize) { throw new InvalidKeyException("The key must be " + - fixedKeySize*8 + " bits"); + fixedKeySize + " bytes"); } } } @@ -509,7 +509,7 @@ abstract class AESCipher extends CipherSpi { throw new InvalidKeyException("Invalid AES key length: " + encoded.length + " bytes"); } - return encoded.length * 8; + return Math.multiplyExact(encoded.length, 8); } /** @@ -628,9 +628,9 @@ abstract class AESCipher extends CipherSpi { } if (src != null) { int aadLen = src.limit() - src.position(); - if (aadLen != 0) { + if (aadLen > 0) { if (src.hasArray()) { - int aadOfs = src.arrayOffset() + src.position(); + int aadOfs = Math.addExact(src.arrayOffset(), src.position()); core.updateAAD(src.array(), aadOfs, aadLen); src.position(src.limit()); } else { diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java index 29a22ad64b..95a8c5a6fa 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,7 +156,7 @@ abstract class AESWrapCipher extends CipherSpi { if (decrypting) { result = inputLen - 8; } else { - result = inputLen + 8; + result = Math.addExact(inputLen, 8); } return (result < 0? 0:result); } @@ -378,7 +378,7 @@ abstract class AESWrapCipher extends CipherSpi { throw new InvalidKeyException("Invalid key length: " + encoded.length + " bytes"); } - return encoded.length * 8; + return Math.multiplyExact(encoded.length, 8); } /** @@ -404,7 +404,7 @@ abstract class AESWrapCipher extends CipherSpi { throw new InvalidKeyException("Cannot get an encoding of " + "the key to be wrapped"); } - byte[] out = new byte[keyVal.length + 8]; + byte[] out = new byte[Math.addExact(keyVal.length, 8)]; if (keyVal.length == 8) { System.arraycopy(IV, 0, out, 0, IV.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java index f5b99c1ae5..cfa4835883 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -257,7 +257,7 @@ public final class ARCFOURCipher extends CipherSpi { // see JCE spec protected int engineGetKeySize(Key key) throws InvalidKeyException { byte[] encodedKey = getEncodedKey(key); - return encodedKey.length << 3; + return Math.multiplyExact(encodedKey.length, 8); } } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java index 54de9984eb..e991108e8e 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -373,7 +373,7 @@ public final class BlowfishCipher extends CipherSpi { * @exception InvalidKeyException if key is invalid. */ protected int engineGetKeySize(Key key) throws InvalidKeyException { - return (key.getEncoded().length * 8); + return Math.multiplyExact(key.getEncoded().length, 8); } /** diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java index 106ee91392..87f47722e4 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -324,13 +324,14 @@ final class CipherCore { } private int getOutputSizeByOperation(int inputLen, boolean isDoFinal) { - int totalLen = buffered + inputLen + cipher.getBufferedLength(); + int totalLen = Math.addExact(buffered, cipher.getBufferedLength()); + totalLen = Math.addExact(totalLen, inputLen); switch (cipherMode) { case GCM_MODE: if (isDoFinal) { int tagLen = ((GaloisCounterMode) cipher).getTagLen(); if (!decrypting) { - totalLen += tagLen; + totalLen = Math.addExact(totalLen, tagLen); } else { totalLen -= tagLen; } @@ -346,10 +347,10 @@ final class CipherCore { totalLen = diffBlocksize; } else { int residue = (totalLen - diffBlocksize) % blockSize; - totalLen += (blockSize - residue); + totalLen = Math.addExact(totalLen, (blockSize - residue)); } } else { - totalLen += padding.padLength(totalLen); + totalLen = Math.addExact(totalLen, padding.padLength(totalLen)); } } break; @@ -711,7 +712,8 @@ final class CipherCore { } // figure out how much can be sent to crypto function - int len = buffered + inputLen - minBytes; + int len = Math.addExact(buffered, inputLen); + len -= minBytes; if (padding != null && decrypting) { // do not include the padding bytes when decrypting len -= blockSize; @@ -730,12 +732,12 @@ final class CipherCore { int outLen = 0; if (len != 0) { // there is some work to do if ((input == output) - && (outputOffset < (inputOffset + inputLen)) - && (inputOffset < (outputOffset + buffer.length))) { + && (outputOffset - inputOffset < inputLen) + && (inputOffset - outputOffset < buffer.length)) { // copy 'input' out to avoid its content being // overwritten prematurely. input = Arrays.copyOfRange(input, inputOffset, - inputOffset + inputLen); + Math.addExact(inputOffset, inputLen)); inputOffset = 0; } if (len <= buffered) { @@ -757,13 +759,13 @@ final class CipherCore { if (bufferCapacity != 0) { temp = Math.min(bufferCapacity, inputConsumed); if (unitBytes != blockSize) { - temp -= ((buffered + temp) % unitBytes); + temp -= (Math.addExact(buffered, temp) % unitBytes); } System.arraycopy(input, inputOffset, buffer, buffered, temp); - inputOffset += temp; + inputOffset = Math.addExact(inputOffset, temp); inputConsumed -= temp; inputLen -= temp; - buffered += temp; + buffered = Math.addExact(buffered, temp); } // process 'buffer' if (decrypting) { @@ -771,7 +773,7 @@ final class CipherCore { } else { outLen = cipher.encrypt(buffer, 0, buffered, output, outputOffset); } - outputOffset += outLen; + outputOffset = Math.addExact(outputOffset, outLen); buffered = 0; } if (inputConsumed > 0) { // still has input to process @@ -802,7 +804,7 @@ final class CipherCore { if (inputLen > 0) { System.arraycopy(input, inputOffset, buffer, buffered, inputLen); - buffered += inputLen; + buffered = Math.addExact(buffered, inputLen); } return outLen; } @@ -912,10 +914,10 @@ final class CipherCore { } // calculate total input length - int len = buffered + inputLen; + int len = Math.addExact(buffered, inputLen); // calculate padding length - int totalLen = len + cipher.getBufferedLength(); + int totalLen = Math.addExact(len, cipher.getBufferedLength()); int paddingLen = 0; // will the total input length be a multiple of blockSize? if (unitBytes != blockSize) { @@ -948,12 +950,12 @@ final class CipherCore { int finalBufLen = inputLen; if ((buffered != 0) || (!decrypting && padding != null) || ((input == output) - && (outputOffset < (inputOffset + inputLen)) - && (inputOffset < (outputOffset + buffer.length)))) { + && (outputOffset - inputOffset < inputLen) + && (inputOffset - outputOffset < buffer.length))) { if (decrypting || padding == null) { paddingLen = 0; } - finalBuf = new byte[len + paddingLen]; + finalBuf = new byte[Math.addExact(len, paddingLen)]; finalOffset = 0; if (buffered != 0) { System.arraycopy(buffer, 0, finalBuf, 0, buffered); @@ -963,7 +965,7 @@ final class CipherCore { buffered, inputLen); } if (paddingLen != 0) { - padding.padWithLen(finalBuf, (buffered+inputLen), paddingLen); + padding.padWithLen(finalBuf, Math.addExact(buffered, inputLen), paddingLen); } finalBufLen = finalBuf.length; } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java index 68b2cbac64..df00ec2736 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -140,7 +140,7 @@ public final class DESedeWrapCipher extends CipherSpi { if (decrypting) { result = inputLen - 16; // CHECKSUM_LEN + IV_LEN; } else { - result = inputLen + 16; + result = Math.addExact(inputLen, 16); } return (result < 0? 0:result); } @@ -449,11 +449,11 @@ public final class DESedeWrapCipher extends CipherSpi { } byte[] cks = getChecksum(keyVal); - byte[] in = new byte[keyVal.length + CHECKSUM_LEN]; + byte[] in = new byte[Math.addExact(keyVal.length, CHECKSUM_LEN)]; System.arraycopy(keyVal, 0, in, 0, keyVal.length); System.arraycopy(cks, 0, in, keyVal.length, CHECKSUM_LEN); - byte[] out = new byte[iv.length + in.length]; + byte[] out = new byte[Math.addExact(iv.length, in.length)]; System.arraycopy(iv, 0, out, 0, iv.length); cipher.encrypt(in, 0, in.length, out, iv.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java index a7134238e1..6562a10760 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -63,7 +63,8 @@ final class ISO10126Padding implements Padding { if (in == null) return; - if ((off + len) > in.length) { + int idx = Math.addExact(off, len); + if (idx > in.length) { throw new ShortBufferException("Buffer too small to hold padding"); } @@ -71,7 +72,7 @@ final class ISO10126Padding implements Padding { byte[] padding = new byte[len - 1]; SunJCE.getRandom().nextBytes(padding); System.arraycopy(padding, 0, in, off, len - 1); - in[off + len - 1] = paddingOctet; + in[idx - 1] = paddingOctet; return; } @@ -94,14 +95,15 @@ final class ISO10126Padding implements Padding { return 0; } - byte lastByte = in[off + len - 1]; + int idx = Math.addExact(off, len); + byte lastByte = in[idx - 1]; int padValue = (int)lastByte & 0x0ff; if ((padValue < 0x01) || (padValue > blockSize)) { return -1; } - int start = off + len - padValue; + int start = idx - padValue; if (start < off) { return -1; } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java deleted file mode 100644 index 98f85cf04b..0000000000 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java +++ /dev/null @@ -1,535 +0,0 @@ -/* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package com.sun.crypto.provider; - -import java.security.*; -import java.security.spec.*; -import javax.crypto.*; -import javax.crypto.spec.*; - -/** - * This class represents password-based encryption as defined by the PKCS #5 - * standard. - * - * @author Jan Luehe - * - * - * @see javax.crypto.Cipher - */ -final class PBECipherCore { - - // the encapsulated DES cipher - private CipherCore cipher; - private MessageDigest md; - private int blkSize; - private String algo = null; - private byte[] salt = null; - private int iCount = 10; - - /** - * Creates an instance of PBE Cipher using the specified CipherSpi - * instance. - * - */ - PBECipherCore(String cipherAlg) throws NoSuchAlgorithmException, - NoSuchPaddingException { - algo = cipherAlg; - if (algo.equals("DES")) { - cipher = new CipherCore(new DESCrypt(), - DESConstants.DES_BLOCK_SIZE); - } else if (algo.equals("DESede")) { - - cipher = new CipherCore(new DESedeCrypt(), - DESConstants.DES_BLOCK_SIZE); - } else { - throw new NoSuchAlgorithmException("No Cipher implementation " + - "for PBEWithMD5And" + algo); - } - cipher.setMode("CBC"); - cipher.setPadding("PKCS5Padding"); - // get instance of MD5 - md = MessageDigest.getInstance("MD5"); - } - - /** - * Sets the mode of this cipher. This algorithm can only be run in CBC - * mode. - * - * @param mode the cipher mode - * - * @exception NoSuchAlgorithmException if the requested cipher mode is - * invalid - */ - void setMode(String mode) throws NoSuchAlgorithmException { - cipher.setMode(mode); - } - - /** - * Sets the padding mechanism of this cipher. This algorithm only uses - * PKCS #5 padding. - * - * @param padding the padding mechanism - * - * @exception NoSuchPaddingException if the requested padding mechanism - * is invalid - */ - void setPadding(String paddingScheme) throws NoSuchPaddingException { - cipher.setPadding(paddingScheme); - } - - /** - * Returns the block size (in bytes). - * - * @return the block size (in bytes) - */ - int getBlockSize() { - return DESConstants.DES_BLOCK_SIZE; - } - - /** - * Returns the length in bytes that an output buffer would need to be in - * order to hold the result of the next update or - * doFinal operation, given the input length - * inputLen (in bytes). - * - *

This call takes into account any unprocessed (buffered) data from a - * previous update call, and padding. - * - *

The actual output length of the next update or - * doFinal call may be smaller than the length returned by - * this method. - * - * @param inputLen the input length (in bytes) - * - * @return the required output buffer size (in bytes) - * - */ - int getOutputSize(int inputLen) { - return cipher.getOutputSize(inputLen); - } - - /** - * Returns the initialization vector (IV) in a new buffer. - * - *

This is useful in the case where a random IV has been created - * (see init), - * or in the context of password-based encryption or - * decryption, where the IV is derived from a user-supplied password. - * - * @return the initialization vector in a new buffer, or null if the - * underlying algorithm does not use an IV, or if the IV has not yet - * been set. - */ - byte[] getIV() { - return cipher.getIV(); - } - - /** - * Returns the parameters used with this cipher. - * - *

The returned parameters may be the same that were used to initialize - * this cipher, or may contain the default set of parameters or a set of - * randomly generated parameters used by the underlying cipher - * implementation (provided that the underlying cipher implementation - * uses a default set of parameters or creates new parameters if it needs - * parameters but was not initialized with any). - * - * @return the parameters used with this cipher, or null if this cipher - * does not use any parameters. - */ - AlgorithmParameters getParameters() { - AlgorithmParameters params = null; - if (salt == null) { - salt = new byte[8]; - SunJCE.getRandom().nextBytes(salt); - } - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, iCount); - try { - params = AlgorithmParameters.getInstance("PBEWithMD5And" + - (algo.equalsIgnoreCase("DES")? "DES":"TripleDES"), - SunJCE.getInstance()); - params.init(pbeSpec); - } catch (NoSuchAlgorithmException nsae) { - // should never happen - throw new RuntimeException("SunJCE called, but not configured"); - } catch (InvalidParameterSpecException ipse) { - // should never happen - throw new RuntimeException("PBEParameterSpec not supported"); - } - return params; - } - - /** - * Initializes this cipher with a key, a set of - * algorithm parameters, and a source of randomness. - * The cipher is initialized for one of the following four operations: - * encryption, decryption, key wrapping or key unwrapping, depending on - * the value of opmode. - * - *

If this cipher (including its underlying feedback or padding scheme) - * requires any random bytes, it will get them from random. - * - * @param opmode the operation mode of this cipher (this is one of - * the following: - * ENCRYPT_MODE, DECRYPT_MODE), - * WRAP_MODE or UNWRAP_MODE) - * @param key the encryption key - * @param params the algorithm parameters - * @param random the source of randomness - * - * @exception InvalidKeyException if the given key is inappropriate for - * initializing this cipher - * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this cipher - */ - void init(int opmode, Key key, AlgorithmParameterSpec params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - if (((opmode == Cipher.DECRYPT_MODE) || - (opmode == Cipher.UNWRAP_MODE)) && (params == null)) { - throw new InvalidAlgorithmParameterException("Parameters " - + "missing"); - } - if ((key == null) || - (key.getEncoded() == null) || - !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3))) { - throw new InvalidKeyException("Missing password"); - } - - if (params == null) { - // create random salt and use default iteration count - salt = new byte[8]; - random.nextBytes(salt); - } else { - if (!(params instanceof PBEParameterSpec)) { - throw new InvalidAlgorithmParameterException - ("Wrong parameter type: PBE expected"); - } - salt = ((PBEParameterSpec) params).getSalt(); - // salt must be 8 bytes long (by definition) - if (salt.length != 8) { - throw new InvalidAlgorithmParameterException - ("Salt must be 8 bytes long"); - } - iCount = ((PBEParameterSpec) params).getIterationCount(); - if (iCount <= 0) { - throw new InvalidAlgorithmParameterException - ("IterationCount must be a positive number"); - } - } - - byte[] derivedKey = deriveCipherKey(key); - // use all but the last 8 bytes as the key value - SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, 0, - derivedKey.length-8, algo); - // use the last 8 bytes as the IV - IvParameterSpec ivSpec = new IvParameterSpec(derivedKey, - derivedKey.length-8, - 8); - // initialize the underlying cipher - cipher.init(opmode, cipherKey, ivSpec, random); - } - - private byte[] deriveCipherKey(Key key) { - - byte[] result = null; - byte[] passwdBytes = key.getEncoded(); - - if (algo.equals("DES")) { - // P || S (password concatenated with salt) - byte[] concat = new byte[passwdBytes.length + salt.length]; - System.arraycopy(passwdBytes, 0, concat, 0, passwdBytes.length); - java.util.Arrays.fill(passwdBytes, (byte)0x00); - System.arraycopy(salt, 0, concat, passwdBytes.length, salt.length); - - // digest P || S with c iterations - byte[] toBeHashed = concat; - for (int i = 0; i < iCount; i++) { - md.update(toBeHashed); - toBeHashed = md.digest(); // this resets the digest - } - java.util.Arrays.fill(concat, (byte)0x00); - result = toBeHashed; - } else if (algo.equals("DESede")) { - // if the 2 salt halves are the same, invert one of them - int i; - for (i=0; i<4; i++) { - if (salt[i] != salt[i+4]) - break; - } - if (i==4) { // same, invert 1st half - for (i=0; i<2; i++) { - byte tmp = salt[i]; - salt[i] = salt[3-i]; - salt[3-1] = tmp; - } - } - - // Now digest each half (concatenated with password). For each - // half, go through the loop as many times as specified by the - // iteration count parameter (inner for loop). - // Concatenate the output from each digest round with the - // password, and use the result as the input to the next digest - // operation. - byte[] kBytes = null; - IvParameterSpec iv = null; - byte[] toBeHashed = null; - result = new byte[DESedeKeySpec.DES_EDE_KEY_LEN + - DESConstants.DES_BLOCK_SIZE]; - for (i = 0; i < 2; i++) { - toBeHashed = new byte[salt.length/2]; - System.arraycopy(salt, i*(salt.length/2), toBeHashed, 0, - toBeHashed.length); - for (int j=0; j < iCount; j++) { - md.update(toBeHashed); - md.update(passwdBytes); - toBeHashed = md.digest(); // this resets the digest - } - System.arraycopy(toBeHashed, 0, result, i*16, - toBeHashed.length); - } - } - return result; - } - - void init(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - PBEParameterSpec pbeSpec = null; - if (params != null) { - try { - pbeSpec = params.getParameterSpec(PBEParameterSpec.class); - } catch (InvalidParameterSpecException ipse) { - throw new InvalidAlgorithmParameterException("Wrong parameter " - + "type: PBE " - + "expected"); - } - } - init(opmode, key, pbeSpec, random); - } - - /** - * Continues a multiple-part encryption or decryption operation - * (depending on how this cipher was initialized), processing another data - * part. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, are processed, and the - * result is stored in a new buffer. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * - * @return the new buffer with the result - * - */ - byte[] update(byte[] input, int inputOffset, int inputLen) { - return cipher.update(input, inputOffset, inputLen); - } - - /** - * Continues a multiple-part encryption or decryption operation - * (depending on how this cipher was initialized), processing another data - * part. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, are processed, and the - * result is stored in the output buffer, starting at - * outputOffset. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * @param output the buffer for the result - * @param outputOffset the offset in output where the result - * is stored - * - * @return the number of bytes stored in output - * - * @exception ShortBufferException if the given output buffer is too small - * to hold the result - */ - int update(byte[] input, int inputOffset, int inputLen, - byte[] output, int outputOffset) - throws ShortBufferException { - return cipher.update(input, inputOffset, inputLen, - output, outputOffset); - } - - /** - * Encrypts or decrypts data in a single-part operation, - * or finishes a multiple-part operation. - * The data is encrypted or decrypted, depending on how this cipher was - * initialized. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, and any input bytes that - * may have been buffered during a previous update operation, - * are processed, with padding (if requested) being applied. - * The result is stored in a new buffer. - * - *

The cipher is reset to its initial state (uninitialized) after this - * call. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * - * @return the new buffer with the result - * - * @exception IllegalBlockSizeException if this cipher is a block cipher, - * no padding has been requested (only in encryption mode), and the total - * input length of the data processed by this cipher is not a multiple of - * block size - * @exception BadPaddingException if decrypting and padding is chosen, - * but the last input data does not have proper padding bytes. - */ - byte[] doFinal(byte[] input, int inputOffset, int inputLen) - throws IllegalBlockSizeException, BadPaddingException { - return cipher.doFinal(input, inputOffset, inputLen); - } - - /** - * Encrypts or decrypts data in a single-part operation, - * or finishes a multiple-part operation. - * The data is encrypted or decrypted, depending on how this cipher was - * initialized. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, and any input bytes that - * may have been buffered during a previous update operation, - * are processed, with padding (if requested) being applied. - * The result is stored in the output buffer, starting at - * outputOffset. - * - *

The cipher is reset to its initial state (uninitialized) after this - * call. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * @param output the buffer for the result - * @param outputOffset the offset in output where the result - * is stored - * - * @return the number of bytes stored in output - * - * @exception IllegalBlockSizeException if this cipher is a block cipher, - * no padding has been requested (only in encryption mode), and the total - * input length of the data processed by this cipher is not a multiple of - * block size - * @exception ShortBufferException if the given output buffer is too small - * to hold the result - * @exception BadPaddingException if decrypting and padding is chosen, - * but the last input data does not have proper padding bytes. - */ - int doFinal(byte[] input, int inputOffset, int inputLen, - byte[] output, int outputOffset) - throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - return cipher.doFinal(input, inputOffset, inputLen, - output, outputOffset); - } - - /** - * Wrap a key. - * - * @param key the key to be wrapped. - * - * @return the wrapped key. - * - * @exception IllegalBlockSizeException if this cipher is a block - * cipher, no padding has been requested, and the length of the - * encoding of the key to be wrapped is not a - * multiple of the block size. - * - * @exception InvalidKeyException if it is impossible or unsafe to - * wrap the key with this cipher (e.g., a hardware protected key is - * being passed to a software only cipher). - */ - byte[] wrap(Key key) - throws IllegalBlockSizeException, InvalidKeyException { - byte[] result = null; - - try { - byte[] encodedKey = key.getEncoded(); - if ((encodedKey == null) || (encodedKey.length == 0)) { - throw new InvalidKeyException("Cannot get an encoding of " + - "the key to be wrapped"); - } - - result = doFinal(encodedKey, 0, encodedKey.length); - } catch (BadPaddingException e) { - // Should never happen - } - - return result; - } - - /** - * Unwrap a previously wrapped key. - * - * @param wrappedKey the key to be unwrapped. - * - * @param wrappedKeyAlgorithm the algorithm the wrapped key is for. - * - * @param wrappedKeyType the type of the wrapped key. - * This is one of Cipher.SECRET_KEY, - * Cipher.PRIVATE_KEY, or Cipher.PUBLIC_KEY. - * - * @return the unwrapped key. - * - * @exception NoSuchAlgorithmException if no installed providers - * can create keys of type wrappedKeyType for the - * wrappedKeyAlgorithm. - * - * @exception InvalidKeyException if wrappedKey does not - * represent a wrapped key of type wrappedKeyType for - * the wrappedKeyAlgorithm. - */ - Key unwrap(byte[] wrappedKey, - String wrappedKeyAlgorithm, - int wrappedKeyType) - throws InvalidKeyException, NoSuchAlgorithmException { - byte[] encodedKey; - try { - encodedKey = doFinal(wrappedKey, 0, wrappedKey.length); - } catch (BadPaddingException ePadding) { - throw new InvalidKeyException("The wrapped key is not padded " + - "correctly"); - } catch (IllegalBlockSizeException eBlockSize) { - throw new InvalidKeyException("The wrapped key does not have " + - "the correct length"); - } - return ConstructKeys.constructKey(encodedKey, wrappedKeyAlgorithm, - wrappedKeyType); - } -} diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java index d5389ac40a..c54fa2d86e 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -260,7 +260,7 @@ final class PBES1Core { if (algo.equals("DES")) { // P || S (password concatenated with salt) - byte[] concat = new byte[passwdBytes.length + salt.length]; + byte[] concat = new byte[Math.addExact(passwdBytes.length, salt.length)]; System.arraycopy(passwdBytes, 0, concat, 0, passwdBytes.length); java.util.Arrays.fill(passwdBytes, (byte)0x00); System.arraycopy(salt, 0, concat, passwdBytes.length, salt.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java index ef6190e980..191d7308eb 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package com.sun.crypto.provider; import javax.crypto.ShortBufferException; +import java.util.Arrays; /** * This class implements padding as specified in the PKCS#5 standard. @@ -63,14 +64,13 @@ final class PKCS5Padding implements Padding { if (in == null) return; - if ((off + len) > in.length) { + int idx = Math.addExact(off, len); + if (idx > in.length) { throw new ShortBufferException("Buffer too small to hold padding"); } byte paddingOctet = (byte) (len & 0xff); - for (int i = 0; i < len; i++) { - in[i + off] = paddingOctet; - } + Arrays.fill(in, off, idx, paddingOctet); return; } @@ -92,25 +92,24 @@ final class PKCS5Padding implements Padding { (len == 0)) { // this can happen if input is really a padded buffer return 0; } - - byte lastByte = in[off + len - 1]; + int idx = Math.addExact(off, len); + byte lastByte = in[idx - 1]; int padValue = (int)lastByte & 0x0ff; if ((padValue < 0x01) || (padValue > blockSize)) { return -1; } - int start = off + len - ((int)lastByte & 0x0ff); + int start = idx - padValue; if (start < off) { return -1; } - for (int i = 0; i < ((int)lastByte & 0x0ff); i++) { - if (in[start+i] != lastByte) { + for (int i = start; i < idx; i++) { + if (in[i] != lastByte) { return -1; } } - return start; } From 3750009648b748da31ff56ec5b8e7e85498c35ed Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Wed, 22 Feb 2017 00:14:32 +0000 Subject: [PATCH 018/269] 8171252: Improve exception checking Reviewed-by: ascarpino, mschoene --- .../com/sun/crypto/provider/AESCipher.java | 10 +- .../sun/crypto/provider/AESWrapCipher.java | 8 +- .../sun/crypto/provider/ARCFOURCipher.java | 4 +- .../sun/crypto/provider/BlowfishCipher.java | 4 +- .../com/sun/crypto/provider/CipherCore.java | 42 +- .../sun/crypto/provider/DESedeWrapCipher.java | 8 +- .../sun/crypto/provider/ISO10126Padding.java | 12 +- .../sun/crypto/provider/PBECipherCore.java | 535 ------------------ .../com/sun/crypto/provider/PBES1Core.java | 4 +- .../com/sun/crypto/provider/PKCS5Padding.java | 21 +- 10 files changed, 58 insertions(+), 590 deletions(-) delete mode 100644 jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java index 9d11f0091d..1fefe6e1ad 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,7 +156,7 @@ abstract class AESCipher extends CipherSpi { throw new InvalidKeyException("Key encoding must not be null"); } else if (value.length != fixedKeySize) { throw new InvalidKeyException("The key must be " + - fixedKeySize*8 + " bits"); + fixedKeySize + " bytes"); } } } @@ -509,7 +509,7 @@ abstract class AESCipher extends CipherSpi { throw new InvalidKeyException("Invalid AES key length: " + encoded.length + " bytes"); } - return encoded.length * 8; + return Math.multiplyExact(encoded.length, 8); } /** @@ -628,9 +628,9 @@ abstract class AESCipher extends CipherSpi { } if (src != null) { int aadLen = src.limit() - src.position(); - if (aadLen != 0) { + if (aadLen > 0) { if (src.hasArray()) { - int aadOfs = src.arrayOffset() + src.position(); + int aadOfs = Math.addExact(src.arrayOffset(), src.position()); core.updateAAD(src.array(), aadOfs, aadLen); src.position(src.limit()); } else { diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java index 29a22ad64b..95a8c5a6fa 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/AESWrapCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,7 +156,7 @@ abstract class AESWrapCipher extends CipherSpi { if (decrypting) { result = inputLen - 8; } else { - result = inputLen + 8; + result = Math.addExact(inputLen, 8); } return (result < 0? 0:result); } @@ -378,7 +378,7 @@ abstract class AESWrapCipher extends CipherSpi { throw new InvalidKeyException("Invalid key length: " + encoded.length + " bytes"); } - return encoded.length * 8; + return Math.multiplyExact(encoded.length, 8); } /** @@ -404,7 +404,7 @@ abstract class AESWrapCipher extends CipherSpi { throw new InvalidKeyException("Cannot get an encoding of " + "the key to be wrapped"); } - byte[] out = new byte[keyVal.length + 8]; + byte[] out = new byte[Math.addExact(keyVal.length, 8)]; if (keyVal.length == 8) { System.arraycopy(IV, 0, out, 0, IV.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java index f5b99c1ae5..cfa4835883 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ARCFOURCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -257,7 +257,7 @@ public final class ARCFOURCipher extends CipherSpi { // see JCE spec protected int engineGetKeySize(Key key) throws InvalidKeyException { byte[] encodedKey = getEncodedKey(key); - return encodedKey.length << 3; + return Math.multiplyExact(encodedKey.length, 8); } } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java index 54de9984eb..e991108e8e 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/BlowfishCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -373,7 +373,7 @@ public final class BlowfishCipher extends CipherSpi { * @exception InvalidKeyException if key is invalid. */ protected int engineGetKeySize(Key key) throws InvalidKeyException { - return (key.getEncoded().length * 8); + return Math.multiplyExact(key.getEncoded().length, 8); } /** diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java index 106ee91392..87f47722e4 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/CipherCore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -324,13 +324,14 @@ final class CipherCore { } private int getOutputSizeByOperation(int inputLen, boolean isDoFinal) { - int totalLen = buffered + inputLen + cipher.getBufferedLength(); + int totalLen = Math.addExact(buffered, cipher.getBufferedLength()); + totalLen = Math.addExact(totalLen, inputLen); switch (cipherMode) { case GCM_MODE: if (isDoFinal) { int tagLen = ((GaloisCounterMode) cipher).getTagLen(); if (!decrypting) { - totalLen += tagLen; + totalLen = Math.addExact(totalLen, tagLen); } else { totalLen -= tagLen; } @@ -346,10 +347,10 @@ final class CipherCore { totalLen = diffBlocksize; } else { int residue = (totalLen - diffBlocksize) % blockSize; - totalLen += (blockSize - residue); + totalLen = Math.addExact(totalLen, (blockSize - residue)); } } else { - totalLen += padding.padLength(totalLen); + totalLen = Math.addExact(totalLen, padding.padLength(totalLen)); } } break; @@ -711,7 +712,8 @@ final class CipherCore { } // figure out how much can be sent to crypto function - int len = buffered + inputLen - minBytes; + int len = Math.addExact(buffered, inputLen); + len -= minBytes; if (padding != null && decrypting) { // do not include the padding bytes when decrypting len -= blockSize; @@ -730,12 +732,12 @@ final class CipherCore { int outLen = 0; if (len != 0) { // there is some work to do if ((input == output) - && (outputOffset < (inputOffset + inputLen)) - && (inputOffset < (outputOffset + buffer.length))) { + && (outputOffset - inputOffset < inputLen) + && (inputOffset - outputOffset < buffer.length)) { // copy 'input' out to avoid its content being // overwritten prematurely. input = Arrays.copyOfRange(input, inputOffset, - inputOffset + inputLen); + Math.addExact(inputOffset, inputLen)); inputOffset = 0; } if (len <= buffered) { @@ -757,13 +759,13 @@ final class CipherCore { if (bufferCapacity != 0) { temp = Math.min(bufferCapacity, inputConsumed); if (unitBytes != blockSize) { - temp -= ((buffered + temp) % unitBytes); + temp -= (Math.addExact(buffered, temp) % unitBytes); } System.arraycopy(input, inputOffset, buffer, buffered, temp); - inputOffset += temp; + inputOffset = Math.addExact(inputOffset, temp); inputConsumed -= temp; inputLen -= temp; - buffered += temp; + buffered = Math.addExact(buffered, temp); } // process 'buffer' if (decrypting) { @@ -771,7 +773,7 @@ final class CipherCore { } else { outLen = cipher.encrypt(buffer, 0, buffered, output, outputOffset); } - outputOffset += outLen; + outputOffset = Math.addExact(outputOffset, outLen); buffered = 0; } if (inputConsumed > 0) { // still has input to process @@ -802,7 +804,7 @@ final class CipherCore { if (inputLen > 0) { System.arraycopy(input, inputOffset, buffer, buffered, inputLen); - buffered += inputLen; + buffered = Math.addExact(buffered, inputLen); } return outLen; } @@ -912,10 +914,10 @@ final class CipherCore { } // calculate total input length - int len = buffered + inputLen; + int len = Math.addExact(buffered, inputLen); // calculate padding length - int totalLen = len + cipher.getBufferedLength(); + int totalLen = Math.addExact(len, cipher.getBufferedLength()); int paddingLen = 0; // will the total input length be a multiple of blockSize? if (unitBytes != blockSize) { @@ -948,12 +950,12 @@ final class CipherCore { int finalBufLen = inputLen; if ((buffered != 0) || (!decrypting && padding != null) || ((input == output) - && (outputOffset < (inputOffset + inputLen)) - && (inputOffset < (outputOffset + buffer.length)))) { + && (outputOffset - inputOffset < inputLen) + && (inputOffset - outputOffset < buffer.length))) { if (decrypting || padding == null) { paddingLen = 0; } - finalBuf = new byte[len + paddingLen]; + finalBuf = new byte[Math.addExact(len, paddingLen)]; finalOffset = 0; if (buffered != 0) { System.arraycopy(buffer, 0, finalBuf, 0, buffered); @@ -963,7 +965,7 @@ final class CipherCore { buffered, inputLen); } if (paddingLen != 0) { - padding.padWithLen(finalBuf, (buffered+inputLen), paddingLen); + padding.padWithLen(finalBuf, Math.addExact(buffered, inputLen), paddingLen); } finalBufLen = finalBuf.length; } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java index 68b2cbac64..df00ec2736 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeWrapCipher.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -140,7 +140,7 @@ public final class DESedeWrapCipher extends CipherSpi { if (decrypting) { result = inputLen - 16; // CHECKSUM_LEN + IV_LEN; } else { - result = inputLen + 16; + result = Math.addExact(inputLen, 16); } return (result < 0? 0:result); } @@ -449,11 +449,11 @@ public final class DESedeWrapCipher extends CipherSpi { } byte[] cks = getChecksum(keyVal); - byte[] in = new byte[keyVal.length + CHECKSUM_LEN]; + byte[] in = new byte[Math.addExact(keyVal.length, CHECKSUM_LEN)]; System.arraycopy(keyVal, 0, in, 0, keyVal.length); System.arraycopy(cks, 0, in, keyVal.length, CHECKSUM_LEN); - byte[] out = new byte[iv.length + in.length]; + byte[] out = new byte[Math.addExact(iv.length, in.length)]; System.arraycopy(iv, 0, out, 0, iv.length); cipher.encrypt(in, 0, in.length, out, iv.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java index a7134238e1..6562a10760 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/ISO10126Padding.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -63,7 +63,8 @@ final class ISO10126Padding implements Padding { if (in == null) return; - if ((off + len) > in.length) { + int idx = Math.addExact(off, len); + if (idx > in.length) { throw new ShortBufferException("Buffer too small to hold padding"); } @@ -71,7 +72,7 @@ final class ISO10126Padding implements Padding { byte[] padding = new byte[len - 1]; SunJCE.getRandom().nextBytes(padding); System.arraycopy(padding, 0, in, off, len - 1); - in[off + len - 1] = paddingOctet; + in[idx - 1] = paddingOctet; return; } @@ -94,14 +95,15 @@ final class ISO10126Padding implements Padding { return 0; } - byte lastByte = in[off + len - 1]; + int idx = Math.addExact(off, len); + byte lastByte = in[idx - 1]; int padValue = (int)lastByte & 0x0ff; if ((padValue < 0x01) || (padValue > blockSize)) { return -1; } - int start = off + len - padValue; + int start = idx - padValue; if (start < off) { return -1; } diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java deleted file mode 100644 index 98f85cf04b..0000000000 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBECipherCore.java +++ /dev/null @@ -1,535 +0,0 @@ -/* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package com.sun.crypto.provider; - -import java.security.*; -import java.security.spec.*; -import javax.crypto.*; -import javax.crypto.spec.*; - -/** - * This class represents password-based encryption as defined by the PKCS #5 - * standard. - * - * @author Jan Luehe - * - * - * @see javax.crypto.Cipher - */ -final class PBECipherCore { - - // the encapsulated DES cipher - private CipherCore cipher; - private MessageDigest md; - private int blkSize; - private String algo = null; - private byte[] salt = null; - private int iCount = 10; - - /** - * Creates an instance of PBE Cipher using the specified CipherSpi - * instance. - * - */ - PBECipherCore(String cipherAlg) throws NoSuchAlgorithmException, - NoSuchPaddingException { - algo = cipherAlg; - if (algo.equals("DES")) { - cipher = new CipherCore(new DESCrypt(), - DESConstants.DES_BLOCK_SIZE); - } else if (algo.equals("DESede")) { - - cipher = new CipherCore(new DESedeCrypt(), - DESConstants.DES_BLOCK_SIZE); - } else { - throw new NoSuchAlgorithmException("No Cipher implementation " + - "for PBEWithMD5And" + algo); - } - cipher.setMode("CBC"); - cipher.setPadding("PKCS5Padding"); - // get instance of MD5 - md = MessageDigest.getInstance("MD5"); - } - - /** - * Sets the mode of this cipher. This algorithm can only be run in CBC - * mode. - * - * @param mode the cipher mode - * - * @exception NoSuchAlgorithmException if the requested cipher mode is - * invalid - */ - void setMode(String mode) throws NoSuchAlgorithmException { - cipher.setMode(mode); - } - - /** - * Sets the padding mechanism of this cipher. This algorithm only uses - * PKCS #5 padding. - * - * @param padding the padding mechanism - * - * @exception NoSuchPaddingException if the requested padding mechanism - * is invalid - */ - void setPadding(String paddingScheme) throws NoSuchPaddingException { - cipher.setPadding(paddingScheme); - } - - /** - * Returns the block size (in bytes). - * - * @return the block size (in bytes) - */ - int getBlockSize() { - return DESConstants.DES_BLOCK_SIZE; - } - - /** - * Returns the length in bytes that an output buffer would need to be in - * order to hold the result of the next update or - * doFinal operation, given the input length - * inputLen (in bytes). - * - *

This call takes into account any unprocessed (buffered) data from a - * previous update call, and padding. - * - *

The actual output length of the next update or - * doFinal call may be smaller than the length returned by - * this method. - * - * @param inputLen the input length (in bytes) - * - * @return the required output buffer size (in bytes) - * - */ - int getOutputSize(int inputLen) { - return cipher.getOutputSize(inputLen); - } - - /** - * Returns the initialization vector (IV) in a new buffer. - * - *

This is useful in the case where a random IV has been created - * (see init), - * or in the context of password-based encryption or - * decryption, where the IV is derived from a user-supplied password. - * - * @return the initialization vector in a new buffer, or null if the - * underlying algorithm does not use an IV, or if the IV has not yet - * been set. - */ - byte[] getIV() { - return cipher.getIV(); - } - - /** - * Returns the parameters used with this cipher. - * - *

The returned parameters may be the same that were used to initialize - * this cipher, or may contain the default set of parameters or a set of - * randomly generated parameters used by the underlying cipher - * implementation (provided that the underlying cipher implementation - * uses a default set of parameters or creates new parameters if it needs - * parameters but was not initialized with any). - * - * @return the parameters used with this cipher, or null if this cipher - * does not use any parameters. - */ - AlgorithmParameters getParameters() { - AlgorithmParameters params = null; - if (salt == null) { - salt = new byte[8]; - SunJCE.getRandom().nextBytes(salt); - } - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, iCount); - try { - params = AlgorithmParameters.getInstance("PBEWithMD5And" + - (algo.equalsIgnoreCase("DES")? "DES":"TripleDES"), - SunJCE.getInstance()); - params.init(pbeSpec); - } catch (NoSuchAlgorithmException nsae) { - // should never happen - throw new RuntimeException("SunJCE called, but not configured"); - } catch (InvalidParameterSpecException ipse) { - // should never happen - throw new RuntimeException("PBEParameterSpec not supported"); - } - return params; - } - - /** - * Initializes this cipher with a key, a set of - * algorithm parameters, and a source of randomness. - * The cipher is initialized for one of the following four operations: - * encryption, decryption, key wrapping or key unwrapping, depending on - * the value of opmode. - * - *

If this cipher (including its underlying feedback or padding scheme) - * requires any random bytes, it will get them from random. - * - * @param opmode the operation mode of this cipher (this is one of - * the following: - * ENCRYPT_MODE, DECRYPT_MODE), - * WRAP_MODE or UNWRAP_MODE) - * @param key the encryption key - * @param params the algorithm parameters - * @param random the source of randomness - * - * @exception InvalidKeyException if the given key is inappropriate for - * initializing this cipher - * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this cipher - */ - void init(int opmode, Key key, AlgorithmParameterSpec params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - if (((opmode == Cipher.DECRYPT_MODE) || - (opmode == Cipher.UNWRAP_MODE)) && (params == null)) { - throw new InvalidAlgorithmParameterException("Parameters " - + "missing"); - } - if ((key == null) || - (key.getEncoded() == null) || - !(key.getAlgorithm().regionMatches(true, 0, "PBE", 0, 3))) { - throw new InvalidKeyException("Missing password"); - } - - if (params == null) { - // create random salt and use default iteration count - salt = new byte[8]; - random.nextBytes(salt); - } else { - if (!(params instanceof PBEParameterSpec)) { - throw new InvalidAlgorithmParameterException - ("Wrong parameter type: PBE expected"); - } - salt = ((PBEParameterSpec) params).getSalt(); - // salt must be 8 bytes long (by definition) - if (salt.length != 8) { - throw new InvalidAlgorithmParameterException - ("Salt must be 8 bytes long"); - } - iCount = ((PBEParameterSpec) params).getIterationCount(); - if (iCount <= 0) { - throw new InvalidAlgorithmParameterException - ("IterationCount must be a positive number"); - } - } - - byte[] derivedKey = deriveCipherKey(key); - // use all but the last 8 bytes as the key value - SecretKeySpec cipherKey = new SecretKeySpec(derivedKey, 0, - derivedKey.length-8, algo); - // use the last 8 bytes as the IV - IvParameterSpec ivSpec = new IvParameterSpec(derivedKey, - derivedKey.length-8, - 8); - // initialize the underlying cipher - cipher.init(opmode, cipherKey, ivSpec, random); - } - - private byte[] deriveCipherKey(Key key) { - - byte[] result = null; - byte[] passwdBytes = key.getEncoded(); - - if (algo.equals("DES")) { - // P || S (password concatenated with salt) - byte[] concat = new byte[passwdBytes.length + salt.length]; - System.arraycopy(passwdBytes, 0, concat, 0, passwdBytes.length); - java.util.Arrays.fill(passwdBytes, (byte)0x00); - System.arraycopy(salt, 0, concat, passwdBytes.length, salt.length); - - // digest P || S with c iterations - byte[] toBeHashed = concat; - for (int i = 0; i < iCount; i++) { - md.update(toBeHashed); - toBeHashed = md.digest(); // this resets the digest - } - java.util.Arrays.fill(concat, (byte)0x00); - result = toBeHashed; - } else if (algo.equals("DESede")) { - // if the 2 salt halves are the same, invert one of them - int i; - for (i=0; i<4; i++) { - if (salt[i] != salt[i+4]) - break; - } - if (i==4) { // same, invert 1st half - for (i=0; i<2; i++) { - byte tmp = salt[i]; - salt[i] = salt[3-i]; - salt[3-1] = tmp; - } - } - - // Now digest each half (concatenated with password). For each - // half, go through the loop as many times as specified by the - // iteration count parameter (inner for loop). - // Concatenate the output from each digest round with the - // password, and use the result as the input to the next digest - // operation. - byte[] kBytes = null; - IvParameterSpec iv = null; - byte[] toBeHashed = null; - result = new byte[DESedeKeySpec.DES_EDE_KEY_LEN + - DESConstants.DES_BLOCK_SIZE]; - for (i = 0; i < 2; i++) { - toBeHashed = new byte[salt.length/2]; - System.arraycopy(salt, i*(salt.length/2), toBeHashed, 0, - toBeHashed.length); - for (int j=0; j < iCount; j++) { - md.update(toBeHashed); - md.update(passwdBytes); - toBeHashed = md.digest(); // this resets the digest - } - System.arraycopy(toBeHashed, 0, result, i*16, - toBeHashed.length); - } - } - return result; - } - - void init(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - PBEParameterSpec pbeSpec = null; - if (params != null) { - try { - pbeSpec = params.getParameterSpec(PBEParameterSpec.class); - } catch (InvalidParameterSpecException ipse) { - throw new InvalidAlgorithmParameterException("Wrong parameter " - + "type: PBE " - + "expected"); - } - } - init(opmode, key, pbeSpec, random); - } - - /** - * Continues a multiple-part encryption or decryption operation - * (depending on how this cipher was initialized), processing another data - * part. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, are processed, and the - * result is stored in a new buffer. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * - * @return the new buffer with the result - * - */ - byte[] update(byte[] input, int inputOffset, int inputLen) { - return cipher.update(input, inputOffset, inputLen); - } - - /** - * Continues a multiple-part encryption or decryption operation - * (depending on how this cipher was initialized), processing another data - * part. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, are processed, and the - * result is stored in the output buffer, starting at - * outputOffset. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * @param output the buffer for the result - * @param outputOffset the offset in output where the result - * is stored - * - * @return the number of bytes stored in output - * - * @exception ShortBufferException if the given output buffer is too small - * to hold the result - */ - int update(byte[] input, int inputOffset, int inputLen, - byte[] output, int outputOffset) - throws ShortBufferException { - return cipher.update(input, inputOffset, inputLen, - output, outputOffset); - } - - /** - * Encrypts or decrypts data in a single-part operation, - * or finishes a multiple-part operation. - * The data is encrypted or decrypted, depending on how this cipher was - * initialized. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, and any input bytes that - * may have been buffered during a previous update operation, - * are processed, with padding (if requested) being applied. - * The result is stored in a new buffer. - * - *

The cipher is reset to its initial state (uninitialized) after this - * call. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * - * @return the new buffer with the result - * - * @exception IllegalBlockSizeException if this cipher is a block cipher, - * no padding has been requested (only in encryption mode), and the total - * input length of the data processed by this cipher is not a multiple of - * block size - * @exception BadPaddingException if decrypting and padding is chosen, - * but the last input data does not have proper padding bytes. - */ - byte[] doFinal(byte[] input, int inputOffset, int inputLen) - throws IllegalBlockSizeException, BadPaddingException { - return cipher.doFinal(input, inputOffset, inputLen); - } - - /** - * Encrypts or decrypts data in a single-part operation, - * or finishes a multiple-part operation. - * The data is encrypted or decrypted, depending on how this cipher was - * initialized. - * - *

The first inputLen bytes in the input - * buffer, starting at inputOffset, and any input bytes that - * may have been buffered during a previous update operation, - * are processed, with padding (if requested) being applied. - * The result is stored in the output buffer, starting at - * outputOffset. - * - *

The cipher is reset to its initial state (uninitialized) after this - * call. - * - * @param input the input buffer - * @param inputOffset the offset in input where the input - * starts - * @param inputLen the input length - * @param output the buffer for the result - * @param outputOffset the offset in output where the result - * is stored - * - * @return the number of bytes stored in output - * - * @exception IllegalBlockSizeException if this cipher is a block cipher, - * no padding has been requested (only in encryption mode), and the total - * input length of the data processed by this cipher is not a multiple of - * block size - * @exception ShortBufferException if the given output buffer is too small - * to hold the result - * @exception BadPaddingException if decrypting and padding is chosen, - * but the last input data does not have proper padding bytes. - */ - int doFinal(byte[] input, int inputOffset, int inputLen, - byte[] output, int outputOffset) - throws ShortBufferException, IllegalBlockSizeException, - BadPaddingException { - return cipher.doFinal(input, inputOffset, inputLen, - output, outputOffset); - } - - /** - * Wrap a key. - * - * @param key the key to be wrapped. - * - * @return the wrapped key. - * - * @exception IllegalBlockSizeException if this cipher is a block - * cipher, no padding has been requested, and the length of the - * encoding of the key to be wrapped is not a - * multiple of the block size. - * - * @exception InvalidKeyException if it is impossible or unsafe to - * wrap the key with this cipher (e.g., a hardware protected key is - * being passed to a software only cipher). - */ - byte[] wrap(Key key) - throws IllegalBlockSizeException, InvalidKeyException { - byte[] result = null; - - try { - byte[] encodedKey = key.getEncoded(); - if ((encodedKey == null) || (encodedKey.length == 0)) { - throw new InvalidKeyException("Cannot get an encoding of " + - "the key to be wrapped"); - } - - result = doFinal(encodedKey, 0, encodedKey.length); - } catch (BadPaddingException e) { - // Should never happen - } - - return result; - } - - /** - * Unwrap a previously wrapped key. - * - * @param wrappedKey the key to be unwrapped. - * - * @param wrappedKeyAlgorithm the algorithm the wrapped key is for. - * - * @param wrappedKeyType the type of the wrapped key. - * This is one of Cipher.SECRET_KEY, - * Cipher.PRIVATE_KEY, or Cipher.PUBLIC_KEY. - * - * @return the unwrapped key. - * - * @exception NoSuchAlgorithmException if no installed providers - * can create keys of type wrappedKeyType for the - * wrappedKeyAlgorithm. - * - * @exception InvalidKeyException if wrappedKey does not - * represent a wrapped key of type wrappedKeyType for - * the wrappedKeyAlgorithm. - */ - Key unwrap(byte[] wrappedKey, - String wrappedKeyAlgorithm, - int wrappedKeyType) - throws InvalidKeyException, NoSuchAlgorithmException { - byte[] encodedKey; - try { - encodedKey = doFinal(wrappedKey, 0, wrappedKey.length); - } catch (BadPaddingException ePadding) { - throw new InvalidKeyException("The wrapped key is not padded " + - "correctly"); - } catch (IllegalBlockSizeException eBlockSize) { - throw new InvalidKeyException("The wrapped key does not have " + - "the correct length"); - } - return ConstructKeys.constructKey(encodedKey, wrappedKeyAlgorithm, - wrappedKeyType); - } -} diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java index d5389ac40a..c54fa2d86e 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -260,7 +260,7 @@ final class PBES1Core { if (algo.equals("DES")) { // P || S (password concatenated with salt) - byte[] concat = new byte[passwdBytes.length + salt.length]; + byte[] concat = new byte[Math.addExact(passwdBytes.length, salt.length)]; System.arraycopy(passwdBytes, 0, concat, 0, passwdBytes.length); java.util.Arrays.fill(passwdBytes, (byte)0x00); System.arraycopy(salt, 0, concat, passwdBytes.length, salt.length); diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java index ef6190e980..191d7308eb 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PKCS5Padding.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package com.sun.crypto.provider; import javax.crypto.ShortBufferException; +import java.util.Arrays; /** * This class implements padding as specified in the PKCS#5 standard. @@ -63,14 +64,13 @@ final class PKCS5Padding implements Padding { if (in == null) return; - if ((off + len) > in.length) { + int idx = Math.addExact(off, len); + if (idx > in.length) { throw new ShortBufferException("Buffer too small to hold padding"); } byte paddingOctet = (byte) (len & 0xff); - for (int i = 0; i < len; i++) { - in[i + off] = paddingOctet; - } + Arrays.fill(in, off, idx, paddingOctet); return; } @@ -92,25 +92,24 @@ final class PKCS5Padding implements Padding { (len == 0)) { // this can happen if input is really a padded buffer return 0; } - - byte lastByte = in[off + len - 1]; + int idx = Math.addExact(off, len); + byte lastByte = in[idx - 1]; int padValue = (int)lastByte & 0x0ff; if ((padValue < 0x01) || (padValue > blockSize)) { return -1; } - int start = off + len - ((int)lastByte & 0x0ff); + int start = idx - padValue; if (start < off) { return -1; } - for (int i = 0; i < ((int)lastByte & 0x0ff); i++) { - if (in[start+i] != lastByte) { + for (int i = start; i < idx; i++) { + if (in[i] != lastByte) { return -1; } } - return start; } From 11e602eaf56bdca5f227545f5ab58abbc3eb2076 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Thu, 23 Feb 2017 03:43:29 -0800 Subject: [PATCH 019/269] 8170218: Improved Font Metrics Reviewed-by: vadim, serb, mschoene --- .../native/libawt/windows/awt_Font.cpp | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp index b7e63628c2..dc64430b19 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp @@ -878,11 +878,16 @@ Java_sun_awt_windows_WFontMetrics_charsWidth(JNIEnv *env, jobject self, if (str == NULL) { JNU_ThrowNullPointerException(env, "str argument"); - return NULL; + return 0; } - if ((len < 0) || (off < 0) || (len + off > (env->GetArrayLength(str)))) { + if ((len < 0) || (off < 0) || (len + off < 0) || + (len + off > (env->GetArrayLength(str)))) { JNU_ThrowArrayIndexOutOfBoundsException(env, "off/len argument"); - return NULL; + return 0; + } + + if (off == env->GetArrayLength(str)) { + return 0; } jchar *strp = new jchar[len]; @@ -914,12 +919,18 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, if (str == NULL) { JNU_ThrowNullPointerException(env, "bytes argument"); - return NULL; + return 0; } - if ((len < 0) || (off < 0) || (len + off > (env->GetArrayLength(str)))) { + if ((len < 0) || (off < 0) || (len + off < 0) || + (len + off > (env->GetArrayLength(str)))) { JNU_ThrowArrayIndexOutOfBoundsException(env, "off or len argument"); - return NULL; + return 0; } + + if (off == env->GetArrayLength(str)) { + return 0; + } + char *pStrBody = NULL; jint result = 0; try { @@ -927,12 +938,12 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, AwtFont::widthsID); if (array == NULL) { JNU_ThrowNullPointerException(env, "Can't access widths array."); - return NULL; + return 0; } pStrBody = (char *)env->GetPrimitiveArrayCritical(str, 0); if (pStrBody == NULL) { JNU_ThrowNullPointerException(env, "Can't access str bytes."); - return NULL; + return 0; } char *pStr = pStrBody + off; @@ -942,7 +953,7 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, if (widths == NULL) { env->ReleasePrimitiveArrayCritical(str, pStrBody, 0); JNU_ThrowNullPointerException(env, "Can't access widths."); - return NULL; + return 0; } for (; len; len--) { result += widths[*pStr++]; From b0c608d11ddf7c604595875476e53adb5f45c9a0 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Thu, 23 Feb 2017 03:43:29 -0800 Subject: [PATCH 020/269] 8170218: Improved Font Metrics Reviewed-by: vadim, serb, mschoene --- .../native/libawt/windows/awt_Font.cpp | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp index b7e63628c2..dc64430b19 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Font.cpp @@ -878,11 +878,16 @@ Java_sun_awt_windows_WFontMetrics_charsWidth(JNIEnv *env, jobject self, if (str == NULL) { JNU_ThrowNullPointerException(env, "str argument"); - return NULL; + return 0; } - if ((len < 0) || (off < 0) || (len + off > (env->GetArrayLength(str)))) { + if ((len < 0) || (off < 0) || (len + off < 0) || + (len + off > (env->GetArrayLength(str)))) { JNU_ThrowArrayIndexOutOfBoundsException(env, "off/len argument"); - return NULL; + return 0; + } + + if (off == env->GetArrayLength(str)) { + return 0; } jchar *strp = new jchar[len]; @@ -914,12 +919,18 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, if (str == NULL) { JNU_ThrowNullPointerException(env, "bytes argument"); - return NULL; + return 0; } - if ((len < 0) || (off < 0) || (len + off > (env->GetArrayLength(str)))) { + if ((len < 0) || (off < 0) || (len + off < 0) || + (len + off > (env->GetArrayLength(str)))) { JNU_ThrowArrayIndexOutOfBoundsException(env, "off or len argument"); - return NULL; + return 0; } + + if (off == env->GetArrayLength(str)) { + return 0; + } + char *pStrBody = NULL; jint result = 0; try { @@ -927,12 +938,12 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, AwtFont::widthsID); if (array == NULL) { JNU_ThrowNullPointerException(env, "Can't access widths array."); - return NULL; + return 0; } pStrBody = (char *)env->GetPrimitiveArrayCritical(str, 0); if (pStrBody == NULL) { JNU_ThrowNullPointerException(env, "Can't access str bytes."); - return NULL; + return 0; } char *pStr = pStrBody + off; @@ -942,7 +953,7 @@ Java_sun_awt_windows_WFontMetrics_bytesWidth(JNIEnv *env, jobject self, if (widths == NULL) { env->ReleasePrimitiveArrayCritical(str, pStrBody, 0); JNU_ThrowNullPointerException(env, "Can't access widths."); - return NULL; + return 0; } for (; len; len--) { result += widths[*pStr++]; From 1b6f409380b82f364cec544bfae7e64340ea2764 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Fri, 24 Feb 2017 05:32:16 -0800 Subject: [PATCH 021/269] 8171261: Stability fixes for lcms Reviewed-by: serb, vadim, mschoene --- .../java.desktop/share/native/liblcms/cmscgats.c | 14 +++++++++----- .../java.desktop/share/native/liblcms/cmsnamed.c | 13 ++++++++++--- jdk/src/java.desktop/share/native/liblcms/cmsopt.c | 1 + .../java.desktop/share/native/liblcms/cmstypes.c | 9 ++++++++- jdk/src/java.desktop/share/native/liblcms/lcms2.h | 2 +- 5 files changed, 29 insertions(+), 10 deletions(-) diff --git a/jdk/src/java.desktop/share/native/liblcms/cmscgats.c b/jdk/src/java.desktop/share/native/liblcms/cmscgats.c index 9e033168f8..c4f4fb5d31 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmscgats.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmscgats.c @@ -900,7 +900,7 @@ void InSymbol(cmsIT8* it8) k = 0; NextCh(it8); - while (k < MAXSTR && it8->ch != sng) { + while (k < (MAXSTR-1) && it8->ch != sng) { if (it8->ch == '\n'|| it8->ch == '\r') k = MAXSTR+1; else { @@ -2053,14 +2053,18 @@ cmsBool HeaderSection(cmsIT8* it8) static void ReadType(cmsIT8* it8, char* SheetTypePtr) { + cmsInt32Number cnt = 0; + // First line is a very special case. while (isseparator(it8->ch)) NextCh(it8); - while (it8->ch != '\r' && it8 ->ch != '\n' && it8->ch != '\t' && it8 -> ch != -1) { + while (it8->ch != '\r' && it8 ->ch != '\n' && it8->ch != '\t' && it8 -> ch != 0) { *SheetTypePtr++= (char) it8 ->ch; + if (cnt++ < MAXSTR) + *SheetTypePtr++= (char) it8 ->ch; NextCh(it8); } @@ -2253,7 +2257,7 @@ void CookPointers(cmsIT8* it8) // that should be something like some printable characters plus a \n // returns 0 if this is not like a CGATS, or an integer otherwise. This integer is the number of words in first line? static -int IsMyBlock(cmsUInt8Number* Buffer, int n) +int IsMyBlock(const cmsUInt8Number* Buffer, int n) { int words = 1, space = 0, quot = 0; int i; @@ -2317,7 +2321,7 @@ cmsBool IsMyFile(const char* FileName) // ---------------------------------------------------------- Exported routines -cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt32Number len) +cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, const void *Ptr, cmsUInt32Number len) { cmsHANDLE hIT8; cmsIT8* it8; @@ -2326,7 +2330,7 @@ cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt3 _cmsAssert(Ptr != NULL); _cmsAssert(len != 0); - type = IsMyBlock((cmsUInt8Number*)Ptr, len); + type = IsMyBlock((const cmsUInt8Number*)Ptr, len); if (type == 0) return NULL; hIT8 = cmsIT8Alloc(ContextID); diff --git a/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c b/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c index 870936fddf..d1edeb4ce1 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c @@ -546,7 +546,11 @@ cmsBool GrowNamedColorList(cmsNAMEDCOLORLIST* v) size = v ->Allocated * 2; // Keep a maximum color lists can grow, 100K entries seems reasonable - if (size > 1024*100) return FALSE; + if (size > 1024 * 100) { + _cmsFree(v->ContextID, (void*) v->List); + v->List = NULL; + return FALSE; + } NewPtr = (_cmsNAMEDCOLOR*) _cmsRealloc(v ->ContextID, v ->List, size * sizeof(_cmsNAMEDCOLOR)); if (NewPtr == NULL) @@ -568,8 +572,11 @@ cmsNAMEDCOLORLIST* CMSEXPORT cmsAllocNamedColorList(cmsContext ContextID, cmsUIn v ->nColors = 0; v ->ContextID = ContextID; - while (v -> Allocated < n){ - if (!GrowNamedColorList(v)) return NULL; + while (v -> Allocated < n) { + if (!GrowNamedColorList(v)) { + _cmsFree(ContextID, (void*) v); + return NULL; + } } strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix)-1); diff --git a/jdk/src/java.desktop/share/native/liblcms/cmsopt.c b/jdk/src/java.desktop/share/native/liblcms/cmsopt.c index d40993b083..a3ff2fc10e 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmsopt.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmsopt.c @@ -1483,6 +1483,7 @@ cmsBool OptimizeByJoiningCurves(cmsPipeline** Lut, cmsUInt32Number Intent, cmsUI // LUT optimizes to nothing. Set the identity LUT cmsStageFree(ObtainedCurves); + ObtainedCurves = NULL; if (!cmsPipelineInsertStage(Dest, cmsAT_BEGIN, cmsStageAllocIdentity(Dest ->ContextID, Src ->InputChannels))) goto Error; diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c index 3f8999f23f..61ea3a631e 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c @@ -4460,7 +4460,8 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans); if (NewLUT == NULL) return NULL; - if (!_cmsReadUInt32Number(io, &ElementCount)) return NULL; + if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error; + if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error; if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) { if (NewLUT != NULL) cmsPipelineFree(NewLUT); @@ -4472,6 +4473,12 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU *nItems = 1; return NewLUT; + // Error +Error: + if (NewLUT != NULL) cmsPipelineFree(NewLUT); + *nItems = 0; + return NULL; + cmsUNUSED_PARAMETER(SizeOfTag); } diff --git a/jdk/src/java.desktop/share/native/liblcms/lcms2.h b/jdk/src/java.desktop/share/native/liblcms/lcms2.h index 9f148e54d1..cbca89421a 100644 --- a/jdk/src/java.desktop/share/native/liblcms/lcms2.h +++ b/jdk/src/java.desktop/share/native/liblcms/lcms2.h @@ -1836,7 +1836,7 @@ CMSAPI cmsInt32Number CMSEXPORT cmsIT8SetTable(cmsHANDLE hIT8, cmsUInt32Number // Persistence CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromFile(cmsContext ContextID, const char* cFileName); -CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt32Number len); +CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, const void *Ptr, cmsUInt32Number len); // CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromIOhandler(cmsContext ContextID, cmsIOHANDLER* io); CMSAPI cmsBool CMSEXPORT cmsIT8SaveToFile(cmsHANDLE hIT8, const char* cFileName); From 92a4d686c122a69c6e71d6f2efe8ba097d4e81a0 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Fri, 24 Feb 2017 05:32:16 -0800 Subject: [PATCH 022/269] 8171261: Stability fixes for lcms Reviewed-by: serb, vadim, mschoene --- .../java.desktop/share/native/liblcms/cmscgats.c | 14 +++++++++----- .../java.desktop/share/native/liblcms/cmsnamed.c | 13 ++++++++++--- jdk/src/java.desktop/share/native/liblcms/cmsopt.c | 1 + .../java.desktop/share/native/liblcms/cmstypes.c | 9 ++++++++- jdk/src/java.desktop/share/native/liblcms/lcms2.h | 2 +- 5 files changed, 29 insertions(+), 10 deletions(-) diff --git a/jdk/src/java.desktop/share/native/liblcms/cmscgats.c b/jdk/src/java.desktop/share/native/liblcms/cmscgats.c index 9e033168f8..c4f4fb5d31 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmscgats.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmscgats.c @@ -900,7 +900,7 @@ void InSymbol(cmsIT8* it8) k = 0; NextCh(it8); - while (k < MAXSTR && it8->ch != sng) { + while (k < (MAXSTR-1) && it8->ch != sng) { if (it8->ch == '\n'|| it8->ch == '\r') k = MAXSTR+1; else { @@ -2053,14 +2053,18 @@ cmsBool HeaderSection(cmsIT8* it8) static void ReadType(cmsIT8* it8, char* SheetTypePtr) { + cmsInt32Number cnt = 0; + // First line is a very special case. while (isseparator(it8->ch)) NextCh(it8); - while (it8->ch != '\r' && it8 ->ch != '\n' && it8->ch != '\t' && it8 -> ch != -1) { + while (it8->ch != '\r' && it8 ->ch != '\n' && it8->ch != '\t' && it8 -> ch != 0) { *SheetTypePtr++= (char) it8 ->ch; + if (cnt++ < MAXSTR) + *SheetTypePtr++= (char) it8 ->ch; NextCh(it8); } @@ -2253,7 +2257,7 @@ void CookPointers(cmsIT8* it8) // that should be something like some printable characters plus a \n // returns 0 if this is not like a CGATS, or an integer otherwise. This integer is the number of words in first line? static -int IsMyBlock(cmsUInt8Number* Buffer, int n) +int IsMyBlock(const cmsUInt8Number* Buffer, int n) { int words = 1, space = 0, quot = 0; int i; @@ -2317,7 +2321,7 @@ cmsBool IsMyFile(const char* FileName) // ---------------------------------------------------------- Exported routines -cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt32Number len) +cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, const void *Ptr, cmsUInt32Number len) { cmsHANDLE hIT8; cmsIT8* it8; @@ -2326,7 +2330,7 @@ cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt3 _cmsAssert(Ptr != NULL); _cmsAssert(len != 0); - type = IsMyBlock((cmsUInt8Number*)Ptr, len); + type = IsMyBlock((const cmsUInt8Number*)Ptr, len); if (type == 0) return NULL; hIT8 = cmsIT8Alloc(ContextID); diff --git a/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c b/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c index 870936fddf..d1edeb4ce1 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmsnamed.c @@ -546,7 +546,11 @@ cmsBool GrowNamedColorList(cmsNAMEDCOLORLIST* v) size = v ->Allocated * 2; // Keep a maximum color lists can grow, 100K entries seems reasonable - if (size > 1024*100) return FALSE; + if (size > 1024 * 100) { + _cmsFree(v->ContextID, (void*) v->List); + v->List = NULL; + return FALSE; + } NewPtr = (_cmsNAMEDCOLOR*) _cmsRealloc(v ->ContextID, v ->List, size * sizeof(_cmsNAMEDCOLOR)); if (NewPtr == NULL) @@ -568,8 +572,11 @@ cmsNAMEDCOLORLIST* CMSEXPORT cmsAllocNamedColorList(cmsContext ContextID, cmsUIn v ->nColors = 0; v ->ContextID = ContextID; - while (v -> Allocated < n){ - if (!GrowNamedColorList(v)) return NULL; + while (v -> Allocated < n) { + if (!GrowNamedColorList(v)) { + _cmsFree(ContextID, (void*) v); + return NULL; + } } strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix)-1); diff --git a/jdk/src/java.desktop/share/native/liblcms/cmsopt.c b/jdk/src/java.desktop/share/native/liblcms/cmsopt.c index d40993b083..a3ff2fc10e 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmsopt.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmsopt.c @@ -1483,6 +1483,7 @@ cmsBool OptimizeByJoiningCurves(cmsPipeline** Lut, cmsUInt32Number Intent, cmsUI // LUT optimizes to nothing. Set the identity LUT cmsStageFree(ObtainedCurves); + ObtainedCurves = NULL; if (!cmsPipelineInsertStage(Dest, cmsAT_BEGIN, cmsStageAllocIdentity(Dest ->ContextID, Src ->InputChannels))) goto Error; diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c index 3f8999f23f..61ea3a631e 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c @@ -4460,7 +4460,8 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU NewLUT = cmsPipelineAlloc(self ->ContextID, InputChans, OutputChans); if (NewLUT == NULL) return NULL; - if (!_cmsReadUInt32Number(io, &ElementCount)) return NULL; + if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error; + if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error; if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) { if (NewLUT != NULL) cmsPipelineFree(NewLUT); @@ -4472,6 +4473,12 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU *nItems = 1; return NewLUT; + // Error +Error: + if (NewLUT != NULL) cmsPipelineFree(NewLUT); + *nItems = 0; + return NULL; + cmsUNUSED_PARAMETER(SizeOfTag); } diff --git a/jdk/src/java.desktop/share/native/liblcms/lcms2.h b/jdk/src/java.desktop/share/native/liblcms/lcms2.h index 9f148e54d1..cbca89421a 100644 --- a/jdk/src/java.desktop/share/native/liblcms/lcms2.h +++ b/jdk/src/java.desktop/share/native/liblcms/lcms2.h @@ -1836,7 +1836,7 @@ CMSAPI cmsInt32Number CMSEXPORT cmsIT8SetTable(cmsHANDLE hIT8, cmsUInt32Number // Persistence CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromFile(cmsContext ContextID, const char* cFileName); -CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, void *Ptr, cmsUInt32Number len); +CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromMem(cmsContext ContextID, const void *Ptr, cmsUInt32Number len); // CMSAPI cmsHANDLE CMSEXPORT cmsIT8LoadFromIOhandler(cmsContext ContextID, cmsIOHANDLER* io); CMSAPI cmsBool CMSEXPORT cmsIT8SaveToFile(cmsHANDLE hIT8, const char* cFileName); From 5c02302af569e72e1150ae3a2618b374b4cb321d Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 2 Mar 2017 12:37:26 +0800 Subject: [PATCH 023/269] 8174113: Better sourcing of code Reviewed-by: mullan, ahgross --- .../share/classes/java/security/CodeSource.java | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/security/CodeSource.java b/jdk/src/java.base/share/classes/java/security/CodeSource.java index f710fe31fc..2cb5a0e2c8 100644 --- a/jdk/src/java.base/share/classes/java/security/CodeSource.java +++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -559,6 +559,7 @@ public class CodeSource implements java.io.Serializable { { CertificateFactory cf; Hashtable cfs = null; + List certList = null; ois.defaultReadObject(); // location @@ -568,7 +569,7 @@ public class CodeSource implements java.io.Serializable { // we know of 3 different cert types: X.509, PGP, SDSI, which // could all be present in the stream at the same time cfs = new Hashtable<>(3); - this.certs = new java.security.cert.Certificate[size]; + certList = new ArrayList<>(size > 20 ? 20 : size); } for (int i = 0; i < size; i++) { @@ -599,13 +600,17 @@ public class CodeSource implements java.io.Serializable { ois.readFully(encoded); ByteArrayInputStream bais = new ByteArrayInputStream(encoded); try { - this.certs[i] = cf.generateCertificate(bais); + certList.add(cf.generateCertificate(bais)); } catch (CertificateException ce) { throw new IOException(ce.getMessage()); } bais.close(); } + if (certList != null) { + this.certs = certList.toArray( + new java.security.cert.Certificate[size]); + } // Deserialize array of code signers (if any) try { this.signers = ((CodeSigner[])ois.readObject()).clone(); From d4f3f5e227e1aa4c76d103a3d9997c1e501e6fc7 Mon Sep 17 00:00:00 2001 From: Xue-Lei Andrew Fan Date: Thu, 2 Mar 2017 20:12:13 +0000 Subject: [PATCH 024/269] 8174873: Improved certificate procesing Reviewed-by: jnimeh, ahgross, rhalade --- .../sun/security/util/HostnameChecker.java | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java b/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java index 145dff297f..b14d36b8cd 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java +++ b/jdk/src/java.base/share/classes/sun/security/util/HostnameChecker.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ import java.security.Principal; import java.security.cert.*; import java.util.*; import javax.security.auth.x500.X500Principal; +import javax.net.ssl.SNIHostName; import sun.net.util.IPAddressUtil; import sun.security.ssl.ClientKeyExchangeService; @@ -201,6 +202,15 @@ public class HostnameChecker { private void matchDNS(String expectedName, X509Certificate cert, boolean chainsToPublicCA) throws CertificateException { + // Check that the expected name is a valid domain name. + try { + // Using the checking implemented in SNIHostName + SNIHostName sni = new SNIHostName(expectedName); + } catch (IllegalArgumentException iae) { + throw new CertificateException( + "Illegal given domain name: " + expectedName, iae); + } + Collection> subjAltNames = cert.getSubjectAlternativeNames(); if (subjAltNames != null) { boolean foundDNS = false; @@ -277,6 +287,19 @@ public class HostnameChecker { if (hasIllegalWildcard(name, template, chainsToPublicCA)) { return false; } + + // check the validity of the domain name template. + try { + // Replacing wildcard character '*' with 'x' so as to check + // the domain name template validity. + // + // Using the checking implemented in SNIHostName + SNIHostName sni = new SNIHostName(template.replace('*', 'x')); + } catch (IllegalArgumentException iae) { + // It would be nice to add debug log if not matching. + return false; + } + if (checkType == TYPE_TLS) { return matchAllWildcards(name, template); } else if (checkType == TYPE_LDAP) { From 0e5fa646e13ab45524e4678fc2beb5a05b7be34a Mon Sep 17 00:00:00 2001 From: Vyom Tewari Date: Fri, 10 Mar 2017 08:29:10 +0530 Subject: [PATCH 025/269] 8174105: Better naming attribution Reviewed-by: chegar, dfuchs, rriggs --- .../share/classes/javax/naming/directory/BasicAttribute.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java b/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java index 41ab918445..868fac63dc 100644 --- a/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java +++ b/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttribute.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -515,7 +515,7 @@ public class BasicAttribute implements Attribute { throws java.io.IOException, ClassNotFoundException { s.defaultReadObject(); // read in the attrID int n = s.readInt(); // number of values - values = new Vector<>(n); + values = new Vector<>(Math.min(1024, n)); while (--n >= 0) { values.addElement(s.readObject()); } From 08a086d38b58f19d2bdc7dd025288e500a2e5674 Mon Sep 17 00:00:00 2001 From: Stuart Marks Date: Tue, 14 Mar 2017 19:15:42 -0700 Subject: [PATCH 026/269] 8173697: Less Active Activations Reviewed-by: skoivu, rhalade, rriggs, chegar, coffeys --- .../java/rmi/activation/ActivationID.java | 36 ++++++++++++++----- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java b/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java index 13b3a0689c..a7b2f998f7 100644 --- a/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java +++ b/jdk/src/java.rmi/share/classes/java/rmi/activation/ActivationID.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,6 +40,12 @@ import java.rmi.server.RemoteObject; import java.rmi.server.RemoteObjectInvocationHandler; import java.rmi.server.RemoteRef; import java.rmi.server.UID; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.Permissions; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import java.security.ProtectionDomain; /** * Activation makes use of special identifiers to denote remote @@ -81,6 +87,14 @@ public class ActivationID implements Serializable { /** indicate compatibility with the Java 2 SDK v1.2 version of class */ private static final long serialVersionUID = -4608673054848209235L; + /** an AccessControlContext with no permissions */ + private static final AccessControlContext NOPERMS_ACC; + static { + Permissions perms = new Permissions(); + ProtectionDomain[] pd = { new ProtectionDomain(null, perms) }; + NOPERMS_ACC = new AccessControlContext(pd); + } + /** * The constructor for ActivationID takes a single * argument, activator, that specifies a remote reference to the @@ -116,13 +130,19 @@ public class ActivationID implements Serializable { try { MarshalledObject mobj = activator.activate(this, force); - return mobj.get(); - } catch (RemoteException e) { - throw e; - } catch (IOException e) { - throw new UnmarshalException("activation failed", e); - } catch (ClassNotFoundException e) { - throw new UnmarshalException("activation failed", e); + return AccessController.doPrivileged( + new PrivilegedExceptionAction() { + public Remote run() throws IOException, ClassNotFoundException { + return mobj.get(); + } + }, NOPERMS_ACC); + } catch (PrivilegedActionException pae) { + Exception ex = pae.getException(); + if (ex instanceof RemoteException) { + throw (RemoteException) ex; + } else { + throw new UnmarshalException("activation failed", ex); + } } } From 7f61205802d7ffc2eeb162e4a48f50aa25b0b958 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Wed, 15 Mar 2017 22:27:12 +0800 Subject: [PATCH 027/269] 8175940: More certificate subject checking Reviewed-by: ahgross, mullan --- .../classes/sun/security/x509/DNSName.java | 64 +++++++++++-------- 1 file changed, 39 insertions(+), 25 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java index c9aa54aa73..181e45a4c2 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -194,31 +194,45 @@ public class DNSName implements GeneralNameInterface { */ public int constrains(GeneralNameInterface inputName) throws UnsupportedOperationException { int constraintType; - if (inputName == null) - constraintType = NAME_DIFF_TYPE; - else if (inputName.getType() != NAME_DNS) - constraintType = NAME_DIFF_TYPE; - else { - String inName = - (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); - String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { - int inNdx = thisName.lastIndexOf(inName); - if (thisName.charAt(inNdx-1) == '.' ) - constraintType = NAME_WIDENS; - else - constraintType = NAME_SAME_TYPE; - } else if (inName.endsWith(thisName)) { - int ndx = inName.lastIndexOf(thisName); - if (inName.charAt(ndx-1) == '.' ) - constraintType = NAME_NARROWS; - else - constraintType = NAME_SAME_TYPE; - } else { + if (inputName == null) { + return NAME_DIFF_TYPE; + } + String inName; + switch (inputName.getType()) { + case NAME_DNS: + inName = ((DNSName)inputName).getName(); + break; + case NAME_DIRECTORY: + try { + inName = ((X500Name) inputName).getCommonName(); + if (inName == null) { + return NAME_DIFF_TYPE; + } + } catch (IOException ioe) { + return NAME_DIFF_TYPE; + } + break; + default: + return NAME_DIFF_TYPE; + } + inName = inName.toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); + if (inName.equals(thisName)) + constraintType = NAME_MATCH; + else if (thisName.endsWith(inName)) { + int inNdx = thisName.lastIndexOf(inName); + if (thisName.charAt(inNdx-1) == '.' ) + constraintType = NAME_WIDENS; + else constraintType = NAME_SAME_TYPE; - } + } else if (inName.endsWith(thisName)) { + int ndx = inName.lastIndexOf(thisName); + if (inName.charAt(ndx-1) == '.' ) + constraintType = NAME_NARROWS; + else + constraintType = NAME_SAME_TYPE; + } else { + constraintType = NAME_SAME_TYPE; } return constraintType; } From 30e59669bcd0e7c27bc1e8243ccb078f7c120345 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Wed, 15 Mar 2017 22:27:12 +0800 Subject: [PATCH 028/269] 8175940: More certificate subject checking Reviewed-by: ahgross, mullan --- .../classes/sun/security/x509/DNSName.java | 64 +++++++++++-------- 1 file changed, 39 insertions(+), 25 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java index c9aa54aa73..181e45a4c2 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -194,31 +194,45 @@ public class DNSName implements GeneralNameInterface { */ public int constrains(GeneralNameInterface inputName) throws UnsupportedOperationException { int constraintType; - if (inputName == null) - constraintType = NAME_DIFF_TYPE; - else if (inputName.getType() != NAME_DNS) - constraintType = NAME_DIFF_TYPE; - else { - String inName = - (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); - String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { - int inNdx = thisName.lastIndexOf(inName); - if (thisName.charAt(inNdx-1) == '.' ) - constraintType = NAME_WIDENS; - else - constraintType = NAME_SAME_TYPE; - } else if (inName.endsWith(thisName)) { - int ndx = inName.lastIndexOf(thisName); - if (inName.charAt(ndx-1) == '.' ) - constraintType = NAME_NARROWS; - else - constraintType = NAME_SAME_TYPE; - } else { + if (inputName == null) { + return NAME_DIFF_TYPE; + } + String inName; + switch (inputName.getType()) { + case NAME_DNS: + inName = ((DNSName)inputName).getName(); + break; + case NAME_DIRECTORY: + try { + inName = ((X500Name) inputName).getCommonName(); + if (inName == null) { + return NAME_DIFF_TYPE; + } + } catch (IOException ioe) { + return NAME_DIFF_TYPE; + } + break; + default: + return NAME_DIFF_TYPE; + } + inName = inName.toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); + if (inName.equals(thisName)) + constraintType = NAME_MATCH; + else if (thisName.endsWith(inName)) { + int inNdx = thisName.lastIndexOf(inName); + if (thisName.charAt(inNdx-1) == '.' ) + constraintType = NAME_WIDENS; + else constraintType = NAME_SAME_TYPE; - } + } else if (inName.endsWith(thisName)) { + int ndx = inName.lastIndexOf(thisName); + if (inName.charAt(ndx-1) == '.' ) + constraintType = NAME_NARROWS; + else + constraintType = NAME_SAME_TYPE; + } else { + constraintType = NAME_SAME_TYPE; } return constraintType; } From 89db982a74cdee84d3257def52688fb15fdd93b5 Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Thu, 16 Mar 2017 16:16:31 -0400 Subject: [PATCH 029/269] 8163958: Improved garbage collection Reviewed-by: smarks, chegar, skoivu, rhalade --- jdk/make/rmic/Rmic-java.rmi.gmk | 3 +- .../share/classes/java/util/Vector.java | 2 +- .../classes/sun/rmi/server/UnicastRef.java | 14 +- .../sun/rmi/server/UnicastServerRef.java | 10 +- .../rmi/transport/ConnectionInputStream.java | 10 +- .../classes/sun/rmi/transport/DGCClient.java | 10 + .../sun/rmi/transport/DGCImpl_Skel.java | 112 ++++ .../sun/rmi/transport/DGCImpl_Stub.java | 183 ++++++ .../sun/rmi/transport/StreamRemoteCall.java | 9 +- .../rmi/testlibrary/TestSocketFactory.java | 602 ++++++++++++++++++ 10 files changed, 936 insertions(+), 19 deletions(-) create mode 100644 jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Skel.java create mode 100644 jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Stub.java create mode 100644 jdk/test/java/rmi/testlibrary/TestSocketFactory.java diff --git a/jdk/make/rmic/Rmic-java.rmi.gmk b/jdk/make/rmic/Rmic-java.rmi.gmk index c9b024e4f3..9e4b2542b3 100644 --- a/jdk/make/rmic/Rmic-java.rmi.gmk +++ b/jdk/make/rmic/Rmic-java.rmi.gmk @@ -41,8 +41,7 @@ $(eval $(call SetupRMICompilation,RMI_12, \ GENCLASSES += $(RMI_12) $(eval $(call SetupRMICompilation,RMI_11, \ - CLASSES := sun.rmi.registry.RegistryImpl \ - sun.rmi.transport.DGCImpl, \ + CLASSES := sun.rmi.registry.RegistryImpl, \ CLASSES_DIR := $(CLASSES_DIR)/java.rmi, \ STUB_CLASSES_DIR := $(STUB_CLASSES_DIR)/java.rmi, \ RUN_V11 := true)) diff --git a/jdk/src/java.base/share/classes/java/util/Vector.java b/jdk/src/java.base/share/classes/java/util/Vector.java index fac073b111..16d8cbf4e2 100644 --- a/jdk/src/java.base/share/classes/java/util/Vector.java +++ b/jdk/src/java.base/share/classes/java/util/Vector.java @@ -154,7 +154,7 @@ public class Vector /** * Constructs an empty vector so that its internal data array - * has size {@code 10} and its standard capacity increment is + * has size {@code 10} and its standard capacBasity increment is * zero. */ public Vector() { diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java index a581235c0d..6b9aec54a7 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,6 @@ import java.lang.reflect.Method; import java.rmi.MarshalException; import java.rmi.Remote; import java.rmi.RemoteException; -import java.rmi.ServerException; import java.rmi.UnmarshalException; import java.rmi.server.Operation; import java.rmi.server.RemoteCall; @@ -187,14 +186,11 @@ public class UnicastRef implements RemoteRef { return returnValue; - } catch (IOException e) { + } catch (IOException | ClassNotFoundException e) { + // disable saving any refs in the inputStream for GC + ((StreamRemoteCall)call).discardPendingRefs(); clientRefLog.log(Log.BRIEF, - "IOException unmarshalling return: ", e); - throw new UnmarshalException("error unmarshalling return", e); - } catch (ClassNotFoundException e) { - clientRefLog.log(Log.BRIEF, - "ClassNotFoundException unmarshalling return: ", e); - + e.getClass().getName() + " unmarshalling return: ", e); throw new UnmarshalException("error unmarshalling return", e); } finally { try { diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java index b0ea348e3e..f2863a960c 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -56,6 +56,7 @@ import java.util.WeakHashMap; import java.util.concurrent.atomic.AtomicInteger; import sun.rmi.runtime.Log; import sun.rmi.transport.LiveRef; +import sun.rmi.transport.StreamRemoteCall; import sun.rmi.transport.Target; import sun.rmi.transport.tcp.TCPTransport; @@ -332,10 +333,9 @@ public class UnicastServerRef extends UnicastRef params[i] = unmarshalValue(types[i], in); } - } catch (java.io.IOException e) { - throw new UnmarshalException( - "error unmarshalling arguments", e); - } catch (ClassNotFoundException e) { + } catch (java.io.IOException | ClassNotFoundException e) { + // disable saving any refs in the inputStream for GC + ((StreamRemoteCall) call).discardPendingRefs(); throw new UnmarshalException( "error unmarshalling arguments", e); } finally { diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java index c0ff825c2e..e6917f727c 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/ConnectionInputStream.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -81,6 +81,14 @@ class ConnectionInputStream extends MarshalInputStream { refList.add(ref); } + /** + * Discard the saved incoming refs so there is nothing to register + * when {@code registerRefs} is called. + */ + void discardRefs() { + incomingRefTable.clear(); + } + /** * Add references to DGC table (and possibly send dirty call). * RegisterRefs now calls DGCClient.referenced on all diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java index 71fc403dd5..89144a2663 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCClient.java @@ -24,9 +24,11 @@ */ package sun.rmi.transport; +import java.io.InvalidClassException; import java.lang.ref.PhantomReference; import java.lang.ref.ReferenceQueue; import java.net.SocketPermission; +import java.rmi.UnmarshalException; import java.security.AccessController; import java.security.PrivilegedAction; import java.util.HashMap; @@ -41,6 +43,8 @@ import java.rmi.dgc.DGC; import java.rmi.dgc.Lease; import java.rmi.dgc.VMID; import java.rmi.server.ObjID; + +import sun.rmi.runtime.Log; import sun.rmi.runtime.NewThreadAction; import sun.rmi.server.UnicastRef; import sun.rmi.server.Util; @@ -388,6 +392,12 @@ final class DGCClient { synchronized (this) { dirtyFailures++; + if (e instanceof UnmarshalException + && e.getCause() instanceof InvalidClassException) { + DGCImpl.dgcLog.log(Log.BRIEF, "InvalidClassException exception in DGC dirty call", e); + return; // protocol error, do not register these refs + } + if (dirtyFailures == 1) { /* * If this was the first recent failed dirty call, diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Skel.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Skel.java new file mode 100644 index 0000000000..f991a6e053 --- /dev/null +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Skel.java @@ -0,0 +1,112 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.rmi.transport; + +/** + * Skeleton to dispatch DGC methods. + * Originally generated by RMIC but frozen to match the stubs. + */ +@SuppressWarnings({"deprecation", "serial"}) +public final class DGCImpl_Skel + implements java.rmi.server.Skeleton { + private static final java.rmi.server.Operation[] operations = { + new java.rmi.server.Operation("void clean(java.rmi.server.ObjID[], long, java.rmi.dgc.VMID, boolean)"), + new java.rmi.server.Operation("java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[], long, java.rmi.dgc.Lease)") + }; + + private static final long interfaceHash = -669196253586618813L; + + public java.rmi.server.Operation[] getOperations() { + return operations.clone(); + } + + public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash) + throws java.lang.Exception { + if (hash != interfaceHash) + throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch"); + + sun.rmi.transport.DGCImpl server = (sun.rmi.transport.DGCImpl) obj; + switch (opnum) { + case 0: // clean(ObjID[], long, VMID, boolean) + { + java.rmi.server.ObjID[] $param_arrayOf_ObjID_1; + long $param_long_2; + java.rmi.dgc.VMID $param_VMID_3; + boolean $param_boolean_4; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_arrayOf_ObjID_1 = (java.rmi.server.ObjID[]) in.readObject(); + $param_long_2 = in.readLong(); + $param_VMID_3 = (java.rmi.dgc.VMID) in.readObject(); + $param_boolean_4 = in.readBoolean(); + } catch (java.io.IOException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } catch (java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + server.clean($param_arrayOf_ObjID_1, $param_long_2, $param_VMID_3, $param_boolean_4); + try { + call.getResultStream(true); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + case 1: // dirty(ObjID[], long, Lease) + { + java.rmi.server.ObjID[] $param_arrayOf_ObjID_1; + long $param_long_2; + java.rmi.dgc.Lease $param_Lease_3; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_arrayOf_ObjID_1 = (java.rmi.server.ObjID[]) in.readObject(); + $param_long_2 = in.readLong(); + $param_Lease_3 = (java.rmi.dgc.Lease) in.readObject(); + } catch (java.io.IOException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } catch (java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + java.rmi.dgc.Lease $result = server.dirty($param_arrayOf_ObjID_1, $param_long_2, $param_Lease_3); + try { + java.io.ObjectOutput out = call.getResultStream(true); + out.writeObject($result); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + default: + throw new java.rmi.UnmarshalException("invalid method number"); + } + } +} diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Stub.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Stub.java new file mode 100644 index 0000000000..cc44ff845a --- /dev/null +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl_Stub.java @@ -0,0 +1,183 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.rmi.transport; + +import java.io.ObjectInputFilter; +import java.io.ObjectInputStream; +import java.rmi.dgc.Lease; +import java.rmi.dgc.VMID; +import java.rmi.server.UID; +import java.security.AccessController; +import java.security.PrivilegedAction; + +import sun.rmi.server.UnicastRef; +import sun.rmi.transport.tcp.TCPConnection; + +/** + * Stubs to invoke DGC remote methods. + * Originally generated from RMIC but frozen to insert serialFilter. + */ +@SuppressWarnings({"deprecation", "serial"}) +public final class DGCImpl_Stub + extends java.rmi.server.RemoteStub + implements java.rmi.dgc.DGC { + private static final java.rmi.server.Operation[] operations = { + new java.rmi.server.Operation("void clean(java.rmi.server.ObjID[], long, java.rmi.dgc.VMID, boolean)"), + new java.rmi.server.Operation("java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[], long, java.rmi.dgc.Lease)") + }; + + private static final long interfaceHash = -669196253586618813L; + + /** Registry max depth of remote invocations. **/ + private static int DGCCLIENT_MAX_DEPTH = 6; + + /** Registry maximum array size in remote invocations. **/ + private static int DGCCLIENT_MAX_ARRAY_SIZE = 10000; + + // constructors + public DGCImpl_Stub() { + super(); + } + + public DGCImpl_Stub(java.rmi.server.RemoteRef ref) { + super(ref); + } + + // methods from remote interfaces + + // implementation of clean(ObjID[], long, VMID, boolean) + public void clean(java.rmi.server.ObjID[] $param_arrayOf_ObjID_1, long $param_long_2, java.rmi.dgc.VMID $param_VMID_3, boolean $param_boolean_4) + throws java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_arrayOf_ObjID_1); + out.writeLong($param_long_2); + out.writeObject($param_VMID_3); + out.writeBoolean($param_boolean_4); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + ref.done(call); + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + // implementation of dirty(ObjID[], long, Lease) + public java.rmi.dgc.Lease dirty(java.rmi.server.ObjID[] $param_arrayOf_ObjID_1, long $param_long_2, java.rmi.dgc.Lease $param_Lease_3) + throws java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_arrayOf_ObjID_1); + out.writeLong($param_long_2); + out.writeObject($param_Lease_3); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + java.rmi.dgc.Lease $result; + Connection connection = ((StreamRemoteCall) call).getConnection(); + try { + java.io.ObjectInput in = call.getInputStream(); + + if (in instanceof ObjectInputStream) { + /** + * Set a filter on the stream for the return value. + */ + ObjectInputStream ois = (ObjectInputStream) in; + AccessController.doPrivileged((PrivilegedAction)() -> { + ois.setObjectInputFilter(DGCImpl_Stub::leaseFilter); + return null; + }); + } + $result = (java.rmi.dgc.Lease) in.readObject(); + } catch (java.io.IOException | java.lang.ClassNotFoundException e) { + if (connection instanceof TCPConnection) { + // Modified to prevent re-use of the connection after an exception + ((TCPConnection) connection).getChannel().free(connection, false); + } + throw new java.rmi.UnmarshalException("error unmarshalling return", e); + } finally { + ref.done(call); + } + return $result; + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + /** + * ObjectInputFilter to filter DGCClient return value (a Lease). + * The list of acceptable classes is very short and explicit. + * The depth and array sizes are limited. + * + * @param filterInfo access to class, arrayLength, etc. + * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed, + * {@link ObjectInputFilter.Status#REJECTED} if rejected, + * otherwise {@link ObjectInputFilter.Status#UNDECIDED} + */ + private static ObjectInputFilter.Status leaseFilter(ObjectInputFilter.FilterInfo filterInfo) { + + if (filterInfo.depth() > DGCCLIENT_MAX_DEPTH) { + return ObjectInputFilter.Status.REJECTED; + } + Class clazz = filterInfo.serialClass(); + if (clazz != null) { + while (clazz.isArray()) { + if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > DGCCLIENT_MAX_ARRAY_SIZE) { + return ObjectInputFilter.Status.REJECTED; + } + // Arrays are allowed depending on the component type + clazz = clazz.getComponentType(); + } + if (clazz.isPrimitive()) { + // Arrays of primitives are allowed + return ObjectInputFilter.Status.ALLOWED; + } + return (clazz == UID.class || + clazz == VMID.class || + clazz == Lease.class) + ? ObjectInputFilter.Status.ALLOWED + : ObjectInputFilter.Status.REJECTED; + } + // Not a class, not size limited + return ObjectInputFilter.Status.UNDECIDED; + } + +} diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java index 915ed6f926..d0a0ced040 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/StreamRemoteCall.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -167,6 +167,13 @@ public class StreamRemoteCall implements RemoteCall { } } + /** + * Discard any post-processing of refs the InputStream. + */ + public void discardPendingRefs() { + in.discardRefs(); + } + /** * Returns an output stream (may put out header information * relating to the success of the call). diff --git a/jdk/test/java/rmi/testlibrary/TestSocketFactory.java b/jdk/test/java/rmi/testlibrary/TestSocketFactory.java new file mode 100644 index 0000000000..b320ef06d0 --- /dev/null +++ b/jdk/test/java/rmi/testlibrary/TestSocketFactory.java @@ -0,0 +1,602 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.ByteArrayOutputStream; +import java.io.FilterInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.Serializable; +import java.net.InetAddress; +import java.net.ServerSocket; +import java.net.Socket; +import java.net.SocketAddress; +import java.net.SocketException; +import java.net.SocketOption; +import java.nio.channels.ServerSocketChannel; +import java.nio.channels.SocketChannel; +import java.rmi.server.RMIClientSocketFactory; +import java.rmi.server.RMIServerSocketFactory; +import java.rmi.server.RMISocketFactory; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Objects; +import java.util.Set; + +import org.testng.Assert; +import org.testng.TestNG; +import org.testng.annotations.Test; +import org.testng.annotations.DataProvider; + + +/** + * A RMISocketFactory utility factory to log RMI stream contents and to + * match and replace output stream contents to simulate failures. + */ +public class TestSocketFactory extends RMISocketFactory + implements RMIClientSocketFactory, RMIServerSocketFactory, Serializable { + + private static final long serialVersionUID = 1L; + + private volatile transient byte[] matchBytes; + + private volatile transient byte[] replaceBytes; + + private transient final List sockets = new ArrayList<>(); + + private transient final List serverSockets = new ArrayList<>(); + + public static final boolean DEBUG = false; + + /** + * Debugging output can be synchronized with logging of RMI actions. + * + * @param format a printf format + * @param args any args + */ + private static void DEBUG(String format, Object... args) { + if (DEBUG) { + System.err.printf(format, args); + } + } + + /** + * Create a socket factory that creates InputStreams that log + * and OutputStreams that log . + */ + public TestSocketFactory() { + this.matchBytes = new byte[0]; + this.replaceBytes = this.matchBytes; + System.out.printf("Creating TestSocketFactory()%n"); + } + + public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) { + this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes"); + this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes"); + sockets.forEach( s -> s.setMatchReplaceBytes(matchBytes, replaceBytes)); + serverSockets.forEach( s -> s.setMatchReplaceBytes(matchBytes, replaceBytes)); + + } + + @Override + public Socket createSocket(String host, int port) throws IOException { + Socket socket = RMISocketFactory.getDefaultSocketFactory() + .createSocket(host, port); + InterposeSocket s = new InterposeSocket(socket, matchBytes, replaceBytes); + sockets.add(s); + return s; + } + + /** + * Return the current list of sockets. + * @return Return a snapshot of the current list of sockets + */ + public List getSockets() { + List snap = new ArrayList<>(sockets); + return snap; + } + + @Override + public ServerSocket createServerSocket(int port) throws IOException { + + ServerSocket serverSocket = RMISocketFactory.getDefaultSocketFactory() + .createServerSocket(port); + InterposeServerSocket ss = new InterposeServerSocket(serverSocket, matchBytes, replaceBytes); + serverSockets.add(ss); + return ss; + } + + /** + * Return the current list of server sockets. + * @return Return a snapshot of the current list of server sockets + */ + public List getServerSockets() { + List snap = new ArrayList<>(serverSockets); + return snap; + } + + /** + * An InterposeSocket wraps a socket that produces InputStreams + * and OutputStreams that log the traffic. + * The OutputStreams it produces match an array of bytes and replace them. + * Useful for injecting protocol and content errors. + */ + public static class InterposeSocket extends Socket { + private final Socket socket; + private InputStream in; + private MatchReplaceOutputStream out; + private volatile byte[] matchBytes; + private volatile byte[] replaceBytes; + private final ByteArrayOutputStream inLogStream; + private final ByteArrayOutputStream outLogStream; + private final String name; + private static volatile int num = 0; // index for created InterposeSockets + + public InterposeSocket(Socket socket, byte[] matchBytes, byte[] replaceBytes) { + this.socket = socket; + this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes"); + this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes"); + this.inLogStream = new ByteArrayOutputStream(); + this.outLogStream = new ByteArrayOutputStream(); + this.name = "IS" + ++num + "::" + + Thread.currentThread().getName() + ": " + + socket.getLocalPort() + " < " + socket.getPort(); + } + + public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) { + this.matchBytes = matchBytes; + this.replaceBytes = replaceBytes; + out.setMatchReplaceBytes(matchBytes, replaceBytes); + } + + @Override + public void connect(SocketAddress endpoint) throws IOException { + socket.connect(endpoint); + } + + @Override + public void connect(SocketAddress endpoint, int timeout) throws IOException { + socket.connect(endpoint, timeout); + } + + @Override + public void bind(SocketAddress bindpoint) throws IOException { + socket.bind(bindpoint); + } + + @Override + public InetAddress getInetAddress() { + return socket.getInetAddress(); + } + + @Override + public InetAddress getLocalAddress() { + return socket.getLocalAddress(); + } + + @Override + public int getPort() { + return socket.getPort(); + } + + @Override + public int getLocalPort() { + return socket.getLocalPort(); + } + + @Override + public SocketAddress getRemoteSocketAddress() { + return socket.getRemoteSocketAddress(); + } + + @Override + public SocketAddress getLocalSocketAddress() { + return socket.getLocalSocketAddress(); + } + + @Override + public SocketChannel getChannel() { + return socket.getChannel(); + } + + @Override + public synchronized void close() throws IOException { + socket.close(); + } + + @Override + public String toString() { + return "InterposeSocket " + name + ": " + socket.toString(); + } + + @Override + public boolean isConnected() { + return socket.isConnected(); + } + + @Override + public boolean isBound() { + return socket.isBound(); + } + + @Override + public boolean isClosed() { + return socket.isClosed(); + } + + @Override + public Socket setOption(SocketOption name, T value) throws IOException { + return socket.setOption(name, value); + } + + @Override + public T getOption(SocketOption name) throws IOException { + return socket.getOption(name); + } + + @Override + public Set> supportedOptions() { + return socket.supportedOptions(); + } + + @Override + public synchronized InputStream getInputStream() throws IOException { + if (in == null) { + in = socket.getInputStream(); + String name = Thread.currentThread().getName() + ": " + + socket.getLocalPort() + " < " + socket.getPort(); + in = new LoggingInputStream(in, name, inLogStream); + DEBUG("Created new InterposeInputStream: %s%n", name); + } + return in; + } + + @Override + public synchronized OutputStream getOutputStream() throws IOException { + if (out == null) { + OutputStream o = socket.getOutputStream(); + String name = Thread.currentThread().getName() + ": " + + socket.getLocalPort() + " > " + socket.getPort(); + out = new MatchReplaceOutputStream(o, name, outLogStream, matchBytes, replaceBytes); + DEBUG("Created new MatchReplaceOutputStream: %s%n", name); + } + return out; + } + + /** + * Return the bytes logged from the input stream. + * @return Return the bytes logged from the input stream. + */ + public byte[] getInLogBytes() { + return inLogStream.toByteArray(); + } + + /** + * Return the bytes logged from the output stream. + * @return Return the bytes logged from the output stream. + */ + public byte[] getOutLogBytes() { + return outLogStream.toByteArray(); + } + + } + + /** + * InterposeServerSocket is a ServerSocket that wraps each Socket it accepts + * with an InterposeSocket so that its input and output streams can be monitored. + */ + public static class InterposeServerSocket extends ServerSocket { + private final ServerSocket socket; + private volatile byte[] matchBytes; + private volatile byte[] replaceBytes; + private final List sockets = new ArrayList<>(); + + public InterposeServerSocket(ServerSocket socket, byte[] matchBytes, byte[] replaceBytes) throws IOException { + this.socket = socket; + this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes"); + this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes"); + } + + public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) { + this.matchBytes = matchBytes; + this.replaceBytes = replaceBytes; + sockets.forEach(s -> s.setMatchReplaceBytes(matchBytes, replaceBytes)); + } + /** + * Return a snapshot of the current list of sockets created from this server socket. + * @return Return a snapshot of the current list of sockets + */ + public List getSockets() { + List snap = new ArrayList<>(sockets); + return snap; + } + + @Override + public void bind(SocketAddress endpoint) throws IOException { + socket.bind(endpoint); + } + + @Override + public void bind(SocketAddress endpoint, int backlog) throws IOException { + socket.bind(endpoint, backlog); + } + + @Override + public InetAddress getInetAddress() { + return socket.getInetAddress(); + } + + @Override + public int getLocalPort() { + return socket.getLocalPort(); + } + + @Override + public SocketAddress getLocalSocketAddress() { + return socket.getLocalSocketAddress(); + } + + @Override + public Socket accept() throws IOException { + Socket s = socket.accept(); + InterposeSocket socket = new InterposeSocket(s, matchBytes, replaceBytes); + sockets.add(socket); + return socket; + } + + @Override + public void close() throws IOException { + socket.close(); + } + + @Override + public ServerSocketChannel getChannel() { + return socket.getChannel(); + } + + @Override + public boolean isClosed() { + return socket.isClosed(); + } + + @Override + public String toString() { + return socket.toString(); + } + + @Override + public ServerSocket setOption(SocketOption name, T value) throws IOException { + return socket.setOption(name, value); + } + + @Override + public T getOption(SocketOption name) throws IOException { + return socket.getOption(name); + } + + @Override + public Set> supportedOptions() { + return socket.supportedOptions(); + } + + @Override + public synchronized void setSoTimeout(int timeout) throws SocketException { + socket.setSoTimeout(timeout); + } + + @Override + public synchronized int getSoTimeout() throws IOException { + return socket.getSoTimeout(); + } + } + + /** + * LoggingInputStream is a stream and logs all bytes read to it. + * For identification it is given a name. + */ + public static class LoggingInputStream extends FilterInputStream { + private int bytesIn = 0; + private final String name; + private final OutputStream log; + + public LoggingInputStream(InputStream in, String name, OutputStream log) { + super(in); + this.name = name; + this.log = log; + } + + @Override + public int read() throws IOException { + int b = super.read(); + if (b >= 0) { + log.write(b); + bytesIn++; + } + return b; + } + + @Override + public int read(byte[] b, int off, int len) throws IOException { + int bytes = super.read(b, off, len); + if (bytes > 0) { + log.write(b, off, bytes); + bytesIn += bytes; + } + return bytes; + } + + @Override + public int read(byte[] b) throws IOException { + return read(b, 0, b.length); + } + + @Override + public void close() throws IOException { + super.close(); + } + + @Override + public String toString() { + return String.format("%s: In: (%d)", name, bytesIn); + } + } + + /** + * An OutputStream that replaces one string of bytes with another. + * If any range matches, the match starts after the partial match. + */ + static class MatchReplaceOutputStream extends OutputStream { + private final OutputStream out; + private final String name; + private volatile byte[] matchBytes; + private volatile byte[] replaceBytes; + int matchIndex; + private int bytesOut = 0; + private final OutputStream log; + + MatchReplaceOutputStream(OutputStream out, String name, OutputStream log, + byte[] matchBytes, byte[] replaceBytes) { + this.out = out; + this.name = name; + this.matchBytes = Objects.requireNonNull(matchBytes, "matchBytes"); + this.replaceBytes = Objects.requireNonNull(replaceBytes, "replaceBytes"); + matchIndex = 0; + this.log = log; + } + + public void setMatchReplaceBytes(byte[] matchBytes, byte[] replaceBytes) { + this.matchBytes = matchBytes; + this.replaceBytes = replaceBytes; + matchIndex = 0; + } + + + public void write(int b) throws IOException { + b = b & 0xff; + if (matchBytes.length == 0) { + out.write(b); + log.write(b); + bytesOut++; + return; + } + if (b == (matchBytes[matchIndex] & 0xff)) { + if (++matchIndex >= matchBytes.length) { + matchIndex = 0; + DEBUG( "TestSocketFactory MatchReplace %s replaced %d bytes at offset: %d (x%04x)%n", + name, replaceBytes.length, bytesOut, bytesOut); + out.write(replaceBytes); + log.write(replaceBytes); + bytesOut += replaceBytes.length; + } + } else { + if (matchIndex > 0) { + // mismatch, write out any that matched already + if (matchIndex > 0) // Only non-trivial matches + DEBUG( "Partial match %s matched %d bytes at offset: %d (0x%04x), expected: x%02x, actual: x%02x%n", + name, matchIndex, bytesOut, bytesOut, matchBytes[matchIndex], b); + out.write(matchBytes, 0, matchIndex); + log.write(matchBytes, 0, matchIndex); + bytesOut += matchIndex; + matchIndex = 0; + } + if (b == (matchBytes[matchIndex] & 0xff)) { + matchIndex++; + } else { + out.write(b); + log.write(b); + bytesOut++; + } + } + } + + @Override + public String toString() { + return String.format("%s: Out: (%d)", name, bytesOut); + } + } + + private static byte[] orig = new byte[]{ + (byte) 0x80, 0x05, + 0x73, 0x72, 0x00, 0x12, // TC_OBJECT, TC_CLASSDESC, length = 18 + 0x6A, 0x61, 0x76, 0x61, 0x2E, 0x72, 0x6D, 0x69, 0x2E, // "java.rmi." + 0x64, 0x67, 0x63, 0x2E, 0x4C, 0x65, 0x61, 0x73, 0x65 // "dgc.Lease" + }; + private static byte[] repl = new byte[]{ + (byte) 0x80, 0x05, + 0x73, 0x72, 0x00, 0x12, // TC_OBJECT, TC_CLASSDESC, length = 18 + 0x6A, 0x61, 0x76, 0x61, 0x2E, (byte) 'l', (byte) 'a', (byte) 'n', (byte) 'g', + 0x2E, (byte) 'R', (byte) 'u', (byte) 'n', (byte) 'n', (byte) 'a', (byte) 'b', (byte) 'l', + (byte) 'e' + }; + + @DataProvider(name = "MatchReplaceData") + static Object[][] matchReplaceData() { + byte[] empty = new byte[0]; + byte[] byte1 = new byte[]{1, 2, 3, 4, 5, 6}; + byte[] bytes2 = new byte[]{1, 2, 4, 3, 5, 6}; + byte[] bytes3 = new byte[]{6, 5, 4, 3, 2, 1}; + byte[] bytes4 = new byte[]{1, 2, 0x10, 0x20, 0x30, 0x40, 5, 6}; + byte[] bytes4a = new byte[]{1, 2, 0x10, 0x20, 0x30, 0x40, 5, 7}; // mostly matches bytes4 + byte[] bytes5 = new byte[]{0x30, 0x40, 5, 6}; + byte[] bytes6 = new byte[]{1, 2, 0x10, 0x20, 0x30}; + + return new Object[][]{ + {new byte[]{}, new byte[]{}, empty, empty}, + {new byte[]{}, new byte[]{}, byte1, byte1}, + {new byte[]{3, 4}, new byte[]{4, 3}, byte1, bytes2}, //swap bytes + {new byte[]{3, 4}, new byte[]{0x10, 0x20, 0x30, 0x40}, byte1, bytes4}, // insert + {new byte[]{1, 2, 0x10, 0x20}, new byte[]{}, bytes4, bytes5}, // delete head + {new byte[]{0x40, 5, 6}, new byte[]{}, bytes4, bytes6}, // delete tail + {new byte[]{0x40, 0x50}, new byte[]{0x60, 0x50}, bytes4, bytes4}, // partial match, replace nothing + {bytes4a, bytes3, bytes4, bytes4}, // long partial match, not replaced + {orig, repl, orig, repl}, + }; + } + + @Test(enabled = true, dataProvider = "MatchReplaceData") + static void test3(byte[] match, byte[] replace, + byte[] input, byte[] expected) { + System.out.printf("match: %s, replace: %s%n", Arrays.toString(match), Arrays.toString(replace)); + try (ByteArrayOutputStream output = new ByteArrayOutputStream(); + ByteArrayOutputStream log = new ByteArrayOutputStream(); + OutputStream out = new MatchReplaceOutputStream(output, "test3", + log, match, replace)) { + out.write(input); + byte[] actual = output.toByteArray(); + long index = Arrays.mismatch(actual, expected); + + if (index >= 0) { + System.out.printf("array mismatch, offset: %d%n", index); + System.out.printf("actual: %s%n", Arrays.toString(actual)); + System.out.printf("expected: %s%n", Arrays.toString(expected)); + } + Assert.assertEquals(actual, expected, "match/replace fail"); + } catch (IOException ioe) { + Assert.fail("unexpected exception", ioe); + } + } + + + +} From 45cff2b7ebe7fbddb36531043948fe9234684168 Mon Sep 17 00:00:00 2001 From: Harold Seigel Date: Mon, 20 Mar 2017 13:05:00 -0400 Subject: [PATCH 030/269] 8175932: Improve host instance supports Reviewed-by: coleenp, mschoene --- hotspot/src/share/vm/interpreter/interpreterRuntime.cpp | 4 ++-- hotspot/src/share/vm/oops/instanceKlass.hpp | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp b/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp index d053786f03..c9a684cc70 100644 --- a/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp +++ b/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -795,7 +795,7 @@ void InterpreterRuntime::resolve_invoke(JavaThread* thread, Bytecodes::Code byte // it is not an interface. The receiver for invokespecial calls within interface // methods must be checked for every call. InstanceKlass* sender = pool->pool_holder(); - sender = sender->is_anonymous() ? sender->host_klass() : sender; + sender = sender->has_host_klass() ? sender->host_klass() : sender; switch (info.call_kind()) { case CallInfo::direct_call: diff --git a/hotspot/src/share/vm/oops/instanceKlass.hpp b/hotspot/src/share/vm/oops/instanceKlass.hpp index 1756b9fc86..2ae6511016 100644 --- a/hotspot/src/share/vm/oops/instanceKlass.hpp +++ b/hotspot/src/share/vm/oops/instanceKlass.hpp @@ -625,9 +625,11 @@ class InstanceKlass: public Klass { InstanceKlass* host_klass() const { InstanceKlass** hk = adr_host_klass(); if (hk == NULL) { + assert(!is_anonymous(), "Anonymous classes have host klasses"); return NULL; } else { assert(*hk != NULL, "host klass should always be set if the address is not null"); + assert(is_anonymous(), "Only anonymous classes have host klasses"); return *hk; } } @@ -639,6 +641,9 @@ class InstanceKlass: public Klass { *addr = host; } } + bool has_host_klass() const { + return adr_host_klass() != NULL; + } bool is_anonymous() const { return (_misc_flags & _misc_is_anonymous) != 0; } From 03a4b5c3d891d6a122afa28c4286e00272213dfb Mon Sep 17 00:00:00 2001 From: Prasanta Sadhukhan Date: Thu, 23 Mar 2017 10:52:00 +0530 Subject: [PATCH 031/269] 8176450: Revise default document styling Reviewed-by: prr, serb, mschoene --- .../share/classes/javax/swing/text/DefaultEditorKit.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/java.desktop/share/classes/javax/swing/text/DefaultEditorKit.java b/jdk/src/java.desktop/share/classes/javax/swing/text/DefaultEditorKit.java index 355b76c0d1..c66f7c28ce 100644 --- a/jdk/src/java.desktop/share/classes/javax/swing/text/DefaultEditorKit.java +++ b/jdk/src/java.desktop/share/classes/javax/swing/text/DefaultEditorKit.java @@ -110,7 +110,7 @@ public class DefaultEditorKit extends EditorKit { * @return the command list */ public Action[] getActions() { - return defaultActions; + return defaultActions.clone(); } /** From 4c9155886f1c1a3b4e2392b918e4bbe98e945e0b Mon Sep 17 00:00:00 2001 From: Tobias Hartmann Date: Thu, 23 Mar 2017 15:14:18 +0100 Subject: [PATCH 032/269] 8173770: Image conversion improvements Reviewed-by: kvn, vlivanov, dlong, rhalade, mschoene, iignatyev --- hotspot/src/cpu/arm/vm/arm.ad | 216 ++++++++++++++++++++ hotspot/src/cpu/sparc/vm/sparc.ad | 134 ++++++++++++ hotspot/src/cpu/x86/vm/x86_32.ad | 152 +++++++++++++- hotspot/src/cpu/x86/vm/x86_64.ad | 42 ++++ hotspot/src/share/vm/adlc/archDesc.cpp | 1 + hotspot/src/share/vm/opto/classes.hpp | 1 + hotspot/src/share/vm/opto/loopPredicate.cpp | 155 +++++++++++--- hotspot/src/share/vm/opto/loopnode.hpp | 4 +- hotspot/src/share/vm/opto/output.cpp | 1 + hotspot/src/share/vm/opto/subnode.cpp | 54 +++++ hotspot/src/share/vm/opto/subnode.hpp | 9 + hotspot/src/share/vm/runtime/vmStructs.cpp | 1 + 12 files changed, 739 insertions(+), 31 deletions(-) diff --git a/hotspot/src/cpu/arm/vm/arm.ad b/hotspot/src/cpu/arm/vm/arm.ad index ef84124ef4..f4e5bd324c 100644 --- a/hotspot/src/cpu/arm/vm/arm.ad +++ b/hotspot/src/cpu/arm/vm/arm.ad @@ -2695,6 +2695,30 @@ operand flagsRegL_LEGT() %{ format %{ "apsr_L_LEGT" %} interface(REG_INTER); %} + +operand flagsRegUL_LTGE() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + + format %{ "apsr_UL_LTGE" %} + interface(REG_INTER); +%} + +operand flagsRegUL_EQNE() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + + format %{ "apsr_UL_EQNE" %} + interface(REG_INTER); +%} + +operand flagsRegUL_LEGT() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + + format %{ "apsr_UL_LEGT" %} + interface(REG_INTER); +%} #endif // Condition Code Register, floating comparisons, unordered same as "less". @@ -3249,6 +3273,39 @@ operand cmpOpL_commute() %{ %} %} +operand cmpOpUL() %{ + match(Bool); + + format %{ "UL" %} + interface(COND_INTER) %{ + equal(0x0); + not_equal(0x1); + less(0x3); + greater_equal(0x2); + less_equal(0x9); + greater(0x8); + overflow(0x0); // unsupported/unimplemented + no_overflow(0x0); // unsupported/unimplemented + %} +%} + +operand cmpOpUL_commute() %{ + match(Bool); + + format %{ "UL" %} + interface(COND_INTER) %{ + equal(0x0); + not_equal(0x1); + less(0x8); + greater_equal(0x9); + less_equal(0x2); + greater(0x3); + overflow(0x0); // unsupported/unimplemented + no_overflow(0x0); // unsupported/unimplemented + %} +%} + + //----------OPERAND CLASSES---------------------------------------------------- // Operand Classes are groups of operands that are used to simplify // instruction definitions by not requiring the AD writer to specify separate @@ -10467,6 +10524,17 @@ instruct compL_reg_reg(flagsReg xcc, iRegL op1, iRegL op2) %} ins_pipe(ialu_cconly_reg_reg); %} + +instruct compUL_iReg(flagsRegU xcc, iRegL op1, iRegL op2) %{ + match(Set xcc (CmpUL op1 op2)); + + size(4); + format %{ "CMP $op1,$op2\t! unsigned long" %} + ins_encode %{ + __ cmp($op1$$Register, $op2$$Register); + %} + ins_pipe(ialu_cconly_reg_reg); +%} #else instruct compL_reg_reg_LTGE(flagsRegL_LTGE xcc, iRegL op1, iRegL op2, iRegL tmp) %{ match(Set xcc (CmpL op1 op2)); @@ -10481,6 +10549,20 @@ instruct compL_reg_reg_LTGE(flagsRegL_LTGE xcc, iRegL op1, iRegL op2, iRegL tmp) %} ins_pipe(ialu_cconly_reg_reg); %} + +instruct compUL_reg_reg_LTGE(flagsRegUL_LTGE xcc, iRegL op1, iRegL op2, iRegL tmp) %{ + match(Set xcc (CmpUL op1 op2)); + effect(DEF xcc, USE op1, USE op2, TEMP tmp); + + size(8); + format %{ "SUBS $tmp,$op1.low,$op2.low\t\t! unsigned long\n\t" + "SBCS $tmp,$op1.hi,$op2.hi" %} + ins_encode %{ + __ subs($tmp$$Register, $op1$$Register, $op2$$Register); + __ sbcs($tmp$$Register->successor(), $op1$$Register->successor(), $op2$$Register->successor()); + %} + ins_pipe(ialu_cconly_reg_reg); +%} #endif #ifdef AARCH64 @@ -10496,6 +10578,19 @@ instruct compL_reg_con(flagsReg xcc, iRegL op1, aimmL con) %{ ins_pipe(ialu_cconly_reg_imm); %} + +instruct compUL_reg_con(flagsRegU xcc, iRegL op1, aimmL con) %{ + match(Set xcc (CmpUL op1 con)); + effect(DEF xcc, USE op1, USE con); + + size(8); + format %{ "CMP $op1,$con\t\t! unsigned long" %} + ins_encode %{ + __ cmp($op1$$Register, $con$$constant); + %} + + ins_pipe(ialu_cconly_reg_imm); +%} #else instruct compL_reg_reg_EQNE(flagsRegL_EQNE xcc, iRegL op1, iRegL op2) %{ match(Set xcc (CmpL op1 op2)); @@ -10575,6 +10670,85 @@ instruct compL_reg_con_LEGT(flagsRegL_LEGT xcc, iRegL op1, immLlowRot con, iRegL ins_pipe(ialu_cconly_reg_reg); %} + +instruct compUL_reg_reg_EQNE(flagsRegUL_EQNE xcc, iRegL op1, iRegL op2) %{ + match(Set xcc (CmpUL op1 op2)); + effect(DEF xcc, USE op1, USE op2); + + size(8); + format %{ "TEQ $op1.hi,$op2.hi\t\t! unsigned long\n\t" + "TEQ.eq $op1.lo,$op2.lo" %} + ins_encode %{ + __ teq($op1$$Register->successor(), $op2$$Register->successor()); + __ teq($op1$$Register, $op2$$Register, eq); + %} + ins_pipe(ialu_cconly_reg_reg); +%} + +instruct compUL_reg_reg_LEGT(flagsRegUL_LEGT xcc, iRegL op1, iRegL op2, iRegL tmp) %{ + match(Set xcc (CmpUL op1 op2)); + effect(DEF xcc, USE op1, USE op2, TEMP tmp); + + size(8); + format %{ "SUBS $tmp,$op2.low,$op1.low\t\t! unsigned long\n\t" + "SBCS $tmp,$op2.hi,$op1.hi" %} + ins_encode %{ + __ subs($tmp$$Register, $op2$$Register, $op1$$Register); + __ sbcs($tmp$$Register->successor(), $op2$$Register->successor(), $op1$$Register->successor()); + %} + ins_pipe(ialu_cconly_reg_reg); +%} + +// TODO: try immLRot2 instead, (0, $con$$constant) becomes +// (hi($con$$constant), lo($con$$constant)) becomes +instruct compUL_reg_con_LTGE(flagsRegUL_LTGE xcc, iRegL op1, immLlowRot con, iRegL tmp) %{ + match(Set xcc (CmpUL op1 con)); + effect(DEF xcc, USE op1, USE con, TEMP tmp); + + size(8); + format %{ "SUBS $tmp,$op1.low,$con\t\t! unsigned long\n\t" + "SBCS $tmp,$op1.hi,0" %} + ins_encode %{ + __ subs($tmp$$Register, $op1$$Register, $con$$constant); + __ sbcs($tmp$$Register->successor(), $op1$$Register->successor(), 0); + %} + + ins_pipe(ialu_cconly_reg_reg); +%} + +// TODO: try immLRot2 instead, (0, $con$$constant) becomes +// (hi($con$$constant), lo($con$$constant)) becomes +instruct compUL_reg_con_EQNE(flagsRegUL_EQNE xcc, iRegL op1, immLlowRot con) %{ + match(Set xcc (CmpUL op1 con)); + effect(DEF xcc, USE op1, USE con); + + size(8); + format %{ "TEQ $op1.hi,0\t\t! unsigned long\n\t" + "TEQ.eq $op1.lo,$con" %} + ins_encode %{ + __ teq($op1$$Register->successor(), 0); + __ teq($op1$$Register, $con$$constant, eq); + %} + + ins_pipe(ialu_cconly_reg_reg); +%} + +// TODO: try immLRot2 instead, (0, $con$$constant) becomes +// (hi($con$$constant), lo($con$$constant)) becomes +instruct compUL_reg_con_LEGT(flagsRegUL_LEGT xcc, iRegL op1, immLlowRot con, iRegL tmp) %{ + match(Set xcc (CmpUL op1 con)); + effect(DEF xcc, USE op1, USE con, TEMP tmp); + + size(8); + format %{ "RSBS $tmp,$op1.low,$con\t\t! unsigned long\n\t" + "RSCS $tmp,$op1.hi,0" %} + ins_encode %{ + __ rsbs($tmp$$Register, $op1$$Register, $con$$constant); + __ rscs($tmp$$Register->successor(), $op1$$Register->successor(), 0); + %} + + ins_pipe(ialu_cconly_reg_reg); +%} #endif /* instruct testL_reg_reg(flagsRegL xcc, iRegL op1, iRegL op2, immL0 zero) %{ */ @@ -11126,6 +11300,48 @@ instruct branchConL_LEGT(cmpOpL_commute cmp, flagsRegL_LEGT xcc, label labl) %{ %} ins_pipe(br_cc); %} + +instruct branchConUL_LTGE(cmpOpUL cmp, flagsRegUL_LTGE xcc, label labl) %{ + match(If cmp xcc); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::lt || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::ge); + + size(4); + ins_cost(BRANCH_COST); + format %{ "B$cmp $xcc,$labl" %} + ins_encode %{ + __ b(*($labl$$label), (AsmCondition)($cmp$$cmpcode)); + %} + ins_pipe(br_cc); +%} + +instruct branchConUL_EQNE(cmpOpUL cmp, flagsRegUL_EQNE xcc, label labl) %{ + match(If cmp xcc); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::eq || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::ne); + + size(4); + ins_cost(BRANCH_COST); + format %{ "B$cmp $xcc,$labl" %} + ins_encode %{ + __ b(*($labl$$label), (AsmCondition)($cmp$$cmpcode)); + %} + ins_pipe(br_cc); +%} + +instruct branchConUL_LEGT(cmpOpUL_commute cmp, flagsRegUL_LEGT xcc, label labl) %{ + match(If cmp xcc); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::gt || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::le); + + size(4); + ins_cost(BRANCH_COST); + format %{ "B$cmp $xcc,$labl" %} + ins_encode %{ + __ b(*($labl$$label), (AsmCondition)($cmp$$cmpcode)); + %} + ins_pipe(br_cc); +%} #endif instruct branchLoopEnd(cmpOp cmp, flagsReg icc, label labl) %{ diff --git a/hotspot/src/cpu/sparc/vm/sparc.ad b/hotspot/src/cpu/sparc/vm/sparc.ad index fa0bedae73..35e90204b6 100644 --- a/hotspot/src/cpu/sparc/vm/sparc.ad +++ b/hotspot/src/cpu/sparc/vm/sparc.ad @@ -3403,6 +3403,16 @@ operand immU12() %{ interface(CONST_INTER); %} +// Unsigned Long Immediate: 12-bit (non-negative that fits in simm13) +operand immUL12() %{ + predicate((0 <= n->get_long()) && (n->get_long() == (int)n->get_long()) && Assembler::is_simm13((int)n->get_long())); + match(ConL); + op_cost(0); + + format %{ %} + interface(CONST_INTER); +%} + // Integer Immediate non-negative operand immU31() %{ @@ -3936,6 +3946,15 @@ operand flagsRegL() %{ interface(REG_INTER); %} +// Condition Code Register, unsigned long comparisons. +operand flagsRegUL() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + + format %{ "xcc_UL" %} + interface(REG_INTER); +%} + // Condition Code Register, floating comparisons, unordered same as "less". operand flagsRegF() %{ constraint(ALLOC_IN_RC(float_flags)); @@ -8797,6 +8816,17 @@ instruct compU_iReg(flagsRegU icc, iRegI op1, iRegI op2) %{ ins_pipe(ialu_cconly_reg_reg); %} +instruct compUL_iReg(flagsRegUL xcc, iRegL op1, iRegL op2) %{ + match(Set xcc (CmpUL op1 op2)); + effect(DEF xcc, USE op1, USE op2); + + size(4); + format %{ "CMP $op1,$op2\t! unsigned long" %} + opcode(Assembler::subcc_op3, Assembler::arith_op); + ins_encode(form3_rs1_rs2_rd(op1, op2, R_G0)); + ins_pipe(ialu_cconly_reg_reg); +%} + instruct compI_iReg_imm13(flagsReg icc, iRegI op1, immI13 op2) %{ match(Set icc (CmpI op1 op2)); effect( DEF icc, USE op1 ); @@ -8883,6 +8913,17 @@ instruct compU_iReg_imm13(flagsRegU icc, iRegI op1, immU12 op2 ) %{ ins_pipe(ialu_cconly_reg_imm); %} +instruct compUL_iReg_imm13(flagsRegUL xcc, iRegL op1, immUL12 op2) %{ + match(Set xcc (CmpUL op1 op2)); + effect(DEF xcc, USE op1, USE op2); + + size(4); + format %{ "CMP $op1,$op2\t! unsigned long" %} + opcode(Assembler::subcc_op3, Assembler::arith_op); + ins_encode(form3_rs1_simm13_rd(op1, op2, R_G0)); + ins_pipe(ialu_cconly_reg_imm); +%} + // Compare Pointers instruct compP_iRegP(flagsRegP pcc, iRegP op1, iRegP op2 ) %{ match(Set pcc (CmpP op1 op2)); @@ -9256,6 +9297,44 @@ instruct cmpU_imm_branch(cmpOpU cmp, iRegI op1, immI5 op2, label labl, flagsRegU ins_pipe(cmp_br_reg_imm); %} +instruct cmpUL_reg_branch(cmpOpU cmp, iRegL op1, iRegL op2, label labl, flagsRegUL xcc) %{ + match(If cmp (CmpUL op1 op2)); + effect(USE labl, KILL xcc); + + size(12); + ins_cost(BRANCH_COST); + format %{ "CMP $op1,$op2\t! unsigned long\n\t" + "BP$cmp $labl" %} + ins_encode %{ + Label* L = $labl$$label; + Assembler::Predict predict_taken = + cbuf.is_backward_branch(*L) ? Assembler::pt : Assembler::pn; + __ cmp($op1$$Register, $op2$$Register); + __ bp((Assembler::Condition)($cmp$$cmpcode), false, Assembler::xcc, predict_taken, *L); + __ delayed()->nop(); + %} + ins_pipe(cmp_br_reg_reg); +%} + +instruct cmpUL_imm_branch(cmpOpU cmp, iRegL op1, immL5 op2, label labl, flagsRegUL xcc) %{ + match(If cmp (CmpUL op1 op2)); + effect(USE labl, KILL xcc); + + size(12); + ins_cost(BRANCH_COST); + format %{ "CMP $op1,$op2\t! unsigned long\n\t" + "BP$cmp $labl" %} + ins_encode %{ + Label* L = $labl$$label; + Assembler::Predict predict_taken = + cbuf.is_backward_branch(*L) ? Assembler::pt : Assembler::pn; + __ cmp($op1$$Register, $op2$$constant); + __ bp((Assembler::Condition)($cmp$$cmpcode), false, Assembler::xcc, predict_taken, *L); + __ delayed()->nop(); + %} + ins_pipe(cmp_br_reg_imm); +%} + instruct cmpL_reg_branch(cmpOp cmp, iRegL op1, iRegL op2, label labl, flagsRegL xcc) %{ match(If cmp (CmpL op1 op2)); effect(USE labl, KILL xcc); @@ -9484,6 +9563,42 @@ instruct cmpU_imm_branch_short(cmpOpU cmp, iRegI op1, immI5 op2, label labl, fla ins_pipe(cbcond_reg_imm); %} +instruct cmpUL_reg_branch_short(cmpOpU cmp, iRegL op1, iRegL op2, label labl, flagsRegUL xcc) %{ + match(If cmp (CmpUL op1 op2)); + predicate(UseCBCond); + effect(USE labl, KILL xcc); + + size(4); + ins_cost(BRANCH_COST); + format %{ "CXB$cmp $op1,$op2,$labl\t! unsigned long" %} + ins_encode %{ + Label* L = $labl$$label; + assert(__ use_cbcond(*L), "back to back cbcond"); + __ cbcond((Assembler::Condition)($cmp$$cmpcode), Assembler::xcc, $op1$$Register, $op2$$Register, *L); + %} + ins_short_branch(1); + ins_avoid_back_to_back(AVOID_BEFORE_AND_AFTER); + ins_pipe(cbcond_reg_reg); +%} + +instruct cmpUL_imm_branch_short(cmpOpU cmp, iRegL op1, immL5 op2, label labl, flagsRegUL xcc) %{ + match(If cmp (CmpUL op1 op2)); + predicate(UseCBCond); + effect(USE labl, KILL xcc); + + size(4); + ins_cost(BRANCH_COST); + format %{ "CXB$cmp $op1,$op2,$labl\t! unsigned long" %} + ins_encode %{ + Label* L = $labl$$label; + assert(__ use_cbcond(*L), "back to back cbcond"); + __ cbcond((Assembler::Condition)($cmp$$cmpcode), Assembler::xcc, $op1$$Register, $op2$$constant, *L); + %} + ins_short_branch(1); + ins_avoid_back_to_back(AVOID_BEFORE_AND_AFTER); + ins_pipe(cbcond_reg_imm); +%} + instruct cmpL_reg_branch_short(cmpOp cmp, iRegL op1, iRegL op2, label labl, flagsRegL xcc) %{ match(If cmp (CmpL op1 op2)); predicate(UseCBCond); @@ -9722,6 +9837,25 @@ instruct branchCon_long(cmpOp cmp, flagsRegL xcc, label labl) %{ ins_pipe(br_cc); %} +instruct branchConU_long(cmpOpU cmp, flagsRegUL xcc, label labl) %{ + match(If cmp xcc); + effect(USE labl); + + size(8); + ins_cost(BRANCH_COST); + format %{ "BP$cmp $xcc,$labl" %} + ins_encode %{ + Label* L = $labl$$label; + Assembler::Predict predict_taken = + cbuf.is_backward_branch(*L) ? Assembler::pt : Assembler::pn; + + __ bp((Assembler::Condition)($cmp$$cmpcode), false, Assembler::xcc, predict_taken, *L); + __ delayed()->nop(); + %} + ins_avoid_back_to_back(AVOID_BEFORE); + ins_pipe(br_cc); +%} + // Manifest a CmpL3 result in an integer register. Very painful. // This is the test to avoid. instruct cmpL3_reg_reg(iRegI dst, iRegL src1, iRegL src2, flagsReg ccr ) %{ diff --git a/hotspot/src/cpu/x86/vm/x86_32.ad b/hotspot/src/cpu/x86/vm/x86_32.ad index e82361ba81..3f045554ba 100644 --- a/hotspot/src/cpu/x86/vm/x86_32.ad +++ b/hotspot/src/cpu/x86/vm/x86_32.ad @@ -4030,6 +4030,26 @@ operand flagsReg_long_LEGT() %{ interface(REG_INTER); %} +// Condition Code Register used by unsigned long compare +operand flagsReg_ulong_LTGE() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + format %{ "FLAGS_U_LTGE" %} + interface(REG_INTER); +%} +operand flagsReg_ulong_EQNE() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + format %{ "FLAGS_U_EQNE" %} + interface(REG_INTER); +%} +operand flagsReg_ulong_LEGT() %{ + constraint(ALLOC_IN_RC(int_flags)); + match(RegFlags); + format %{ "FLAGS_U_LEGT" %} + interface(REG_INTER); +%} + // Float register operands operand regDPR() %{ predicate( UseSSE < 2 ); @@ -4588,7 +4608,7 @@ operand cmpOp_fcmov() %{ %} %} -// Comparision Code used in long compares +// Comparison Code used in long compares operand cmpOp_commute() %{ match(Bool); @@ -4605,6 +4625,23 @@ operand cmpOp_commute() %{ %} %} +// Comparison Code used in unsigned long compares +operand cmpOpU_commute() %{ + match(Bool); + + format %{ "" %} + interface(COND_INTER) %{ + equal(0x4, "e"); + not_equal(0x5, "ne"); + less(0x7, "nbe"); + greater_equal(0x6, "be"); + less_equal(0x3, "nb"); + greater(0x2, "b"); + overflow(0x0, "o"); + no_overflow(0x1, "no"); + %} +%} + //----------OPERAND CLASSES---------------------------------------------------- // Operand Classes are groups of operands that are used as to simplify // instruction definitions by not requiring the AD writer to specify separate @@ -12639,6 +12676,44 @@ instruct cmpL_LTGE(cmpOp cmp, flagsReg_long_LTGE flags, label labl) %{ %} %} +//====== +// Manifest a CmpUL result in the normal flags. Only good for LT or GE +// compares. Can be used for LE or GT compares by reversing arguments. +// NOT GOOD FOR EQ/NE tests. +instruct cmpUL_zero_flags_LTGE(flagsReg_ulong_LTGE flags, eRegL src, immL0 zero) %{ + match(Set flags (CmpUL src zero)); + ins_cost(100); + format %{ "TEST $src.hi,$src.hi" %} + opcode(0x85); + ins_encode(OpcP, RegReg_Hi2(src, src)); + ins_pipe(ialu_cr_reg_reg); +%} + +// Manifest a CmpUL result in the normal flags. Only good for LT or GE +// compares. Can be used for LE or GT compares by reversing arguments. +// NOT GOOD FOR EQ/NE tests. +instruct cmpUL_reg_flags_LTGE(flagsReg_ulong_LTGE flags, eRegL src1, eRegL src2, rRegI tmp) %{ + match(Set flags (CmpUL src1 src2)); + effect(TEMP tmp); + ins_cost(300); + format %{ "CMP $src1.lo,$src2.lo\t! Unsigned long compare; set flags for low bits\n\t" + "MOV $tmp,$src1.hi\n\t" + "SBB $tmp,$src2.hi\t! Compute flags for unsigned long compare" %} + ins_encode(long_cmp_flags2(src1, src2, tmp)); + ins_pipe(ialu_cr_reg_reg); +%} + +// Unsigned long compares reg < zero/req OR reg >= zero/req. +// Just a wrapper for a normal branch, plus the predicate test. +instruct cmpUL_LTGE(cmpOpU cmp, flagsReg_ulong_LTGE flags, label labl) %{ + match(If cmp flags); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::lt || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::ge); + expand %{ + jmpCon(cmp, flags, labl); // JLT or JGE... + %} +%} + // Compare 2 longs and CMOVE longs. instruct cmovLL_reg_LTGE(cmpOp cmp, flagsReg_long_LTGE flags, eRegL dst, eRegL src) %{ match(Set dst (CMoveL (Binary cmp flags) (Binary dst src))); @@ -12767,6 +12842,41 @@ instruct cmpL_EQNE(cmpOp cmp, flagsReg_long_EQNE flags, label labl) %{ %} %} +//====== +// Manifest a CmpUL result in the normal flags. Only good for EQ/NE compares. +instruct cmpUL_zero_flags_EQNE(flagsReg_ulong_EQNE flags, eRegL src, immL0 zero, rRegI tmp) %{ + match(Set flags (CmpUL src zero)); + effect(TEMP tmp); + ins_cost(200); + format %{ "MOV $tmp,$src.lo\n\t" + "OR $tmp,$src.hi\t! Unsigned long is EQ/NE 0?" %} + ins_encode(long_cmp_flags0(src, tmp)); + ins_pipe(ialu_reg_reg_long); +%} + +// Manifest a CmpUL result in the normal flags. Only good for EQ/NE compares. +instruct cmpUL_reg_flags_EQNE(flagsReg_ulong_EQNE flags, eRegL src1, eRegL src2) %{ + match(Set flags (CmpUL src1 src2)); + ins_cost(200+300); + format %{ "CMP $src1.lo,$src2.lo\t! Unsigned long compare; set flags for low bits\n\t" + "JNE,s skip\n\t" + "CMP $src1.hi,$src2.hi\n\t" + "skip:\t" %} + ins_encode(long_cmp_flags1(src1, src2)); + ins_pipe(ialu_cr_reg_reg); +%} + +// Unsigned long compare reg == zero/reg OR reg != zero/reg +// Just a wrapper for a normal branch, plus the predicate test. +instruct cmpUL_EQNE(cmpOpU cmp, flagsReg_ulong_EQNE flags, label labl) %{ + match(If cmp flags); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::eq || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::ne); + expand %{ + jmpCon(cmp, flags, labl); // JEQ or JNE... + %} +%} + // Compare 2 longs and CMOVE longs. instruct cmovLL_reg_EQNE(cmpOp cmp, flagsReg_long_EQNE flags, eRegL dst, eRegL src) %{ match(Set dst (CMoveL (Binary cmp flags) (Binary dst src))); @@ -12900,6 +13010,46 @@ instruct cmpL_LEGT(cmpOp_commute cmp, flagsReg_long_LEGT flags, label labl) %{ %} %} +//====== +// Manifest a CmpUL result in the normal flags. Only good for LE or GT compares. +// Same as cmpUL_reg_flags_LEGT except must negate src +instruct cmpUL_zero_flags_LEGT(flagsReg_ulong_LEGT flags, eRegL src, immL0 zero, rRegI tmp) %{ + match(Set flags (CmpUL src zero)); + effect(TEMP tmp); + ins_cost(300); + format %{ "XOR $tmp,$tmp\t# Unsigned long compare for -$src < 0, use commuted test\n\t" + "CMP $tmp,$src.lo\n\t" + "SBB $tmp,$src.hi\n\t" %} + ins_encode(long_cmp_flags3(src, tmp)); + ins_pipe(ialu_reg_reg_long); +%} + +// Manifest a CmpUL result in the normal flags. Only good for LE or GT compares. +// Same as cmpUL_reg_flags_LTGE except operands swapped. Swapping operands +// requires a commuted test to get the same result. +instruct cmpUL_reg_flags_LEGT(flagsReg_ulong_LEGT flags, eRegL src1, eRegL src2, rRegI tmp) %{ + match(Set flags (CmpUL src1 src2)); + effect(TEMP tmp); + ins_cost(300); + format %{ "CMP $src2.lo,$src1.lo\t! Unsigned long compare, swapped operands, use with commuted test\n\t" + "MOV $tmp,$src2.hi\n\t" + "SBB $tmp,$src1.hi\t! Compute flags for unsigned long compare" %} + ins_encode(long_cmp_flags2( src2, src1, tmp)); + ins_pipe(ialu_cr_reg_reg); +%} + +// Unsigned long compares reg < zero/req OR reg >= zero/req. +// Just a wrapper for a normal branch, plus the predicate test +instruct cmpUL_LEGT(cmpOpU_commute cmp, flagsReg_ulong_LEGT flags, label labl) %{ + match(If cmp flags); + effect(USE labl); + predicate(_kids[0]->_leaf->as_Bool()->_test._test == BoolTest::gt || _kids[0]->_leaf->as_Bool()->_test._test == BoolTest::le); + ins_cost(300); + expand %{ + jmpCon(cmp, flags, labl); // JGT or JLE... + %} +%} + // Compare 2 longs and CMOVE longs. instruct cmovLL_reg_LEGT(cmpOp_commute cmp, flagsReg_long_LEGT flags, eRegL dst, eRegL src) %{ match(Set dst (CMoveL (Binary cmp flags) (Binary dst src))); diff --git a/hotspot/src/cpu/x86/vm/x86_64.ad b/hotspot/src/cpu/x86/vm/x86_64.ad index 99ae5f5f73..41e3ab1fb9 100644 --- a/hotspot/src/cpu/x86/vm/x86_64.ad +++ b/hotspot/src/cpu/x86/vm/x86_64.ad @@ -11518,6 +11518,48 @@ instruct cmpL3_reg_reg(rRegI dst, rRegL src1, rRegL src2, rFlagsReg flags) ins_pipe(pipe_slow); %} +// Unsigned long compare Instructions; really, same as signed long except they +// produce an rFlagsRegU instead of rFlagsReg. +instruct compUL_rReg(rFlagsRegU cr, rRegL op1, rRegL op2) +%{ + match(Set cr (CmpUL op1 op2)); + + format %{ "cmpq $op1, $op2\t# unsigned" %} + opcode(0x3B); /* Opcode 3B /r */ + ins_encode(REX_reg_reg_wide(op1, op2), OpcP, reg_reg(op1, op2)); + ins_pipe(ialu_cr_reg_reg); +%} + +instruct compUL_rReg_imm(rFlagsRegU cr, rRegL op1, immL32 op2) +%{ + match(Set cr (CmpUL op1 op2)); + + format %{ "cmpq $op1, $op2\t# unsigned" %} + opcode(0x81, 0x07); /* Opcode 81 /7 */ + ins_encode(OpcSErm_wide(op1, op2), Con8or32(op2)); + ins_pipe(ialu_cr_reg_imm); +%} + +instruct compUL_rReg_mem(rFlagsRegU cr, rRegL op1, memory op2) +%{ + match(Set cr (CmpUL op1 (LoadL op2))); + + format %{ "cmpq $op1, $op2\t# unsigned" %} + opcode(0x3B); /* Opcode 3B /r */ + ins_encode(REX_reg_mem_wide(op1, op2), OpcP, reg_mem(op1, op2)); + ins_pipe(ialu_cr_reg_mem); +%} + +instruct testUL_reg(rFlagsRegU cr, rRegL src, immL0 zero) +%{ + match(Set cr (CmpUL src zero)); + + format %{ "testq $src, $src\t# unsigned" %} + opcode(0x85); + ins_encode(REX_reg_reg_wide(src, src), OpcP, reg_reg(src, src)); + ins_pipe(ialu_cr_reg_imm); +%} + //----------Max and Min-------------------------------------------------------- // Min Instructions diff --git a/hotspot/src/share/vm/adlc/archDesc.cpp b/hotspot/src/share/vm/adlc/archDesc.cpp index 18cfeb43cc..56a888224b 100644 --- a/hotspot/src/share/vm/adlc/archDesc.cpp +++ b/hotspot/src/share/vm/adlc/archDesc.cpp @@ -1166,6 +1166,7 @@ void ArchDesc::buildMustCloneMap(FILE *fp_hpp, FILE *fp_cpp) { || strcmp(idealName,"CmpP") == 0 || strcmp(idealName,"CmpN") == 0 || strcmp(idealName,"CmpL") == 0 + || strcmp(idealName,"CmpUL") == 0 || strcmp(idealName,"CmpD") == 0 || strcmp(idealName,"CmpF") == 0 || strcmp(idealName,"FastLock") == 0 diff --git a/hotspot/src/share/vm/opto/classes.hpp b/hotspot/src/share/vm/opto/classes.hpp index 06d754ffd7..06afc1f1e3 100644 --- a/hotspot/src/share/vm/opto/classes.hpp +++ b/hotspot/src/share/vm/opto/classes.hpp @@ -81,6 +81,7 @@ macro(CmpL3) macro(CmpLTMask) macro(CmpP) macro(CmpU) +macro(CmpUL) macro(CompareAndSwapB) macro(CompareAndSwapS) macro(CompareAndSwapI) diff --git a/hotspot/src/share/vm/opto/loopPredicate.cpp b/hotspot/src/share/vm/opto/loopPredicate.cpp index 7f10a7d980..243b20d017 100644 --- a/hotspot/src/share/vm/opto/loopPredicate.cpp +++ b/hotspot/src/share/vm/opto/loopPredicate.cpp @@ -29,6 +29,7 @@ #include "opto/connode.hpp" #include "opto/convertnode.hpp" #include "opto/loopnode.hpp" +#include "opto/matcher.hpp" #include "opto/mulnode.hpp" #include "opto/opaquenode.hpp" #include "opto/rootnode.hpp" @@ -629,45 +630,138 @@ bool IdealLoopTree::is_range_check_if(IfNode *iff, PhaseIdealLoop *phase, Invari // max(scale*i + offset) = scale*init + offset BoolNode* PhaseIdealLoop::rc_predicate(IdealLoopTree *loop, Node* ctrl, int scale, Node* offset, - Node* init, Node* limit, Node* stride, - Node* range, bool upper) { + Node* init, Node* limit, jint stride, + Node* range, bool upper, bool &overflow) { + jint con_limit = limit->is_Con() ? limit->get_int() : 0; + jint con_init = init->is_Con() ? init->get_int() : 0; + jint con_offset = offset->is_Con() ? offset->get_int() : 0; + stringStream* predString = NULL; if (TraceLoopPredicate) { predString = new stringStream(); predString->print("rc_predicate "); } - Node* max_idx_expr = init; - int stride_con = stride->get_int(); - if ((stride_con > 0) == (scale > 0) == upper) { - // Limit is not exact. - // Calculate exact limit here. - // Note, counted loop's test is '<' or '>'. - limit = exact_limit(loop); - max_idx_expr = new SubINode(limit, stride); + overflow = false; + Node* max_idx_expr = NULL; + const TypeInt* idx_type = TypeInt::INT; + if ((stride > 0) == (scale > 0) == upper) { + if (TraceLoopPredicate) { + predString->print(limit->is_Con() ? "(%d " : "(limit ", con_limit); + predString->print("- %d) ", stride); + } + // Check if (limit - stride) may overflow + const TypeInt* limit_type = _igvn.type(limit)->isa_int(); + jint limit_lo = limit_type->_lo; + jint limit_hi = limit_type->_hi; + if ((stride > 0 && (java_subtract(limit_lo, stride) < limit_lo)) || + (stride < 0 && (java_subtract(limit_hi, stride) > limit_hi))) { + // No overflow possible + ConINode* con_stride = _igvn.intcon(stride); + set_ctrl(con_stride, C->root()); + max_idx_expr = new SubINode(limit, con_stride); + idx_type = TypeInt::make(limit_lo - stride, limit_hi - stride, limit_type->_widen); + } else { + // May overflow + overflow = true; + limit = new ConvI2LNode(limit); + register_new_node(limit, ctrl); + ConLNode* con_stride = _igvn.longcon(stride); + set_ctrl(con_stride, C->root()); + max_idx_expr = new SubLNode(limit, con_stride); + } register_new_node(max_idx_expr, ctrl); - if (TraceLoopPredicate) predString->print("(limit - stride) "); } else { - if (TraceLoopPredicate) predString->print("init "); + if (TraceLoopPredicate) { + predString->print(init->is_Con() ? "%d " : "init ", con_init); + } + idx_type = _igvn.type(init)->isa_int(); + max_idx_expr = init; } if (scale != 1) { ConNode* con_scale = _igvn.intcon(scale); set_ctrl(con_scale, C->root()); - max_idx_expr = new MulINode(max_idx_expr, con_scale); + if (TraceLoopPredicate) { + predString->print("* %d ", scale); + } + // Check if (scale * max_idx_expr) may overflow + const TypeInt* scale_type = TypeInt::make(scale); + MulINode* mul = new MulINode(max_idx_expr, con_scale); + idx_type = (TypeInt*)mul->mul_ring(idx_type, scale_type); + if (overflow || TypeInt::INT->higher_equal(idx_type)) { + // May overflow + mul->destruct(); + if (!overflow) { + max_idx_expr = new ConvI2LNode(max_idx_expr); + register_new_node(max_idx_expr, ctrl); + } + overflow = true; + con_scale = _igvn.longcon(scale); + set_ctrl(con_scale, C->root()); + max_idx_expr = new MulLNode(max_idx_expr, con_scale); + } else { + // No overflow possible + max_idx_expr = mul; + } register_new_node(max_idx_expr, ctrl); - if (TraceLoopPredicate) predString->print("* %d ", scale); } - if (offset && (!offset->is_Con() || offset->get_int() != 0)){ - max_idx_expr = new AddINode(max_idx_expr, offset); + if (offset && (!offset->is_Con() || con_offset != 0)){ + if (TraceLoopPredicate) { + predString->print(offset->is_Con() ? "+ %d " : "+ offset", con_offset); + } + // Check if (max_idx_expr + offset) may overflow + const TypeInt* offset_type = _igvn.type(offset)->isa_int(); + jint lo = java_add(idx_type->_lo, offset_type->_lo); + jint hi = java_add(idx_type->_hi, offset_type->_hi); + if (overflow || (lo > hi) || + ((idx_type->_lo & offset_type->_lo) < 0 && lo >= 0) || + ((~(idx_type->_hi | offset_type->_hi)) < 0 && hi < 0)) { + // May overflow + if (!overflow) { + max_idx_expr = new ConvI2LNode(max_idx_expr); + register_new_node(max_idx_expr, ctrl); + } + overflow = true; + offset = new ConvI2LNode(offset); + register_new_node(offset, ctrl); + max_idx_expr = new AddLNode(max_idx_expr, offset); + } else { + // No overflow possible + max_idx_expr = new AddINode(max_idx_expr, offset); + } register_new_node(max_idx_expr, ctrl); - if (TraceLoopPredicate) - if (offset->is_Con()) predString->print("+ %d ", offset->get_int()); - else predString->print("+ offset "); } - CmpUNode* cmp = new CmpUNode(max_idx_expr, range); + CmpNode* cmp = NULL; + if (overflow) { + // Integer expressions may overflow, do long comparison + range = new ConvI2LNode(range); + register_new_node(range, ctrl); + if (!Matcher::has_match_rule(Op_CmpUL)) { + // We don't support unsigned long comparisons. Set 'max_idx_expr' + // to max_julong if < 0 to make the signed comparison fail. + ConINode* sign_pos = _igvn.intcon(BitsPerLong - 1); + set_ctrl(sign_pos, C->root()); + Node* sign_bit_mask = new RShiftLNode(max_idx_expr, sign_pos); + register_new_node(sign_bit_mask, ctrl); + // OR with sign bit to set all bits to 1 if negative (otherwise no change) + max_idx_expr = new OrLNode(max_idx_expr, sign_bit_mask); + register_new_node(max_idx_expr, ctrl); + // AND with 0x7ff... to unset the sign bit + ConLNode* remove_sign_mask = _igvn.longcon(max_jlong); + set_ctrl(remove_sign_mask, C->root()); + max_idx_expr = new AndLNode(max_idx_expr, remove_sign_mask); + register_new_node(max_idx_expr, ctrl); + + cmp = new CmpLNode(max_idx_expr, range); + } else { + cmp = new CmpULNode(max_idx_expr, range); + } + } else { + cmp = new CmpUNode(max_idx_expr, range); + } register_new_node(cmp, ctrl); BoolNode* bol = new BoolNode(cmp, BoolTest::lt); register_new_node(bol, ctrl); @@ -814,28 +908,30 @@ bool PhaseIdealLoop::loop_predication_impl(IdealLoopTree *loop) { assert(ok, "must be index expression"); Node* init = cl->init_trip(); - Node* limit = cl->limit(); - Node* stride = cl->stride(); + // Limit is not exact. + // Calculate exact limit here. + // Note, counted loop's test is '<' or '>'. + Node* limit = exact_limit(loop); + int stride = cl->stride()->get_int(); // Build if's for the upper and lower bound tests. The // lower_bound test will dominate the upper bound test and all // cloned or created nodes will use the lower bound test as // their declared control. - ProjNode* lower_bound_proj = create_new_if_for_predicate(predicate_proj, NULL, Deoptimization::Reason_predicate, iff->Opcode()); - ProjNode* upper_bound_proj = create_new_if_for_predicate(predicate_proj, NULL, Deoptimization::Reason_predicate, iff->Opcode()); - assert(upper_bound_proj->in(0)->as_If()->in(0) == lower_bound_proj, "should dominate"); - Node *ctrl = lower_bound_proj->in(0)->as_If()->in(0); // Perform cloning to keep Invariance state correct since the // late schedule will place invariant things in the loop. + Node *ctrl = predicate_proj->in(0)->as_If()->in(0); rng = invar.clone(rng, ctrl); if (offset && offset != zero) { assert(invar.is_invariant(offset), "offset must be loop invariant"); offset = invar.clone(offset, ctrl); } + // If predicate expressions may overflow in the integer range, longs are used. + bool overflow = false; // Test the lower bound - BoolNode* lower_bound_bol = rc_predicate(loop, ctrl, scale, offset, init, limit, stride, rng, false); + BoolNode* lower_bound_bol = rc_predicate(loop, ctrl, scale, offset, init, limit, stride, rng, false, overflow); // Negate test if necessary bool negated = false; if (proj->_con != predicate_proj->_con) { @@ -843,19 +939,22 @@ bool PhaseIdealLoop::loop_predication_impl(IdealLoopTree *loop) { register_new_node(lower_bound_bol, ctrl); negated = true; } + ProjNode* lower_bound_proj = create_new_if_for_predicate(predicate_proj, NULL, Deoptimization::Reason_predicate, overflow ? Op_If : iff->Opcode()); IfNode* lower_bound_iff = lower_bound_proj->in(0)->as_If(); _igvn.hash_delete(lower_bound_iff); lower_bound_iff->set_req(1, lower_bound_bol); if (TraceLoopPredicate) tty->print_cr("lower bound check if: %s %d ", negated ? " negated" : "", lower_bound_iff->_idx); // Test the upper bound - BoolNode* upper_bound_bol = rc_predicate(loop, lower_bound_proj, scale, offset, init, limit, stride, rng, true); + BoolNode* upper_bound_bol = rc_predicate(loop, lower_bound_proj, scale, offset, init, limit, stride, rng, true, overflow); negated = false; if (proj->_con != predicate_proj->_con) { upper_bound_bol = new BoolNode(upper_bound_bol->in(1), upper_bound_bol->_test.negate()); register_new_node(upper_bound_bol, ctrl); negated = true; } + ProjNode* upper_bound_proj = create_new_if_for_predicate(predicate_proj, NULL, Deoptimization::Reason_predicate, overflow ? Op_If : iff->Opcode()); + assert(upper_bound_proj->in(0)->as_If()->in(0) == lower_bound_proj, "should dominate"); IfNode* upper_bound_iff = upper_bound_proj->in(0)->as_If(); _igvn.hash_delete(upper_bound_iff); upper_bound_iff->set_req(1, upper_bound_bol); diff --git a/hotspot/src/share/vm/opto/loopnode.hpp b/hotspot/src/share/vm/opto/loopnode.hpp index 3419b786e0..70168186cc 100644 --- a/hotspot/src/share/vm/opto/loopnode.hpp +++ b/hotspot/src/share/vm/opto/loopnode.hpp @@ -983,8 +983,8 @@ public: // Construct a range check for a predicate if BoolNode* rc_predicate(IdealLoopTree *loop, Node* ctrl, int scale, Node* offset, - Node* init, Node* limit, Node* stride, - Node* range, bool upper); + Node* init, Node* limit, jint stride, + Node* range, bool upper, bool &overflow); // Implementation of the loop predication to promote checks outside the loop bool loop_predication_impl(IdealLoopTree *loop); diff --git a/hotspot/src/share/vm/opto/output.cpp b/hotspot/src/share/vm/opto/output.cpp index e0164274f2..cf9e4cf732 100644 --- a/hotspot/src/share/vm/opto/output.cpp +++ b/hotspot/src/share/vm/opto/output.cpp @@ -1982,6 +1982,7 @@ void Scheduling::AddNodeToAvailableList(Node *n) { if( last->is_MachIf() && last->in(1) == n && ( op == Op_CmpI || op == Op_CmpU || + op == Op_CmpUL || op == Op_CmpP || op == Op_CmpF || op == Op_CmpD || diff --git a/hotspot/src/share/vm/opto/subnode.cpp b/hotspot/src/share/vm/opto/subnode.cpp index 2e2597f607..694dda1736 100644 --- a/hotspot/src/share/vm/opto/subnode.cpp +++ b/hotspot/src/share/vm/opto/subnode.cpp @@ -738,6 +738,60 @@ const Type *CmpLNode::sub( const Type *t1, const Type *t2 ) const { return TypeInt::CC; // else use worst case results } + +// Simplify a CmpUL (compare 2 unsigned longs) node, based on local information. +// If both inputs are constants, compare them. +const Type* CmpULNode::sub(const Type* t1, const Type* t2) const { + assert(!t1->isa_ptr(), "obsolete usage of CmpUL"); + + // comparing two unsigned longs + const TypeLong* r0 = t1->is_long(); // Handy access + const TypeLong* r1 = t2->is_long(); + + // Current installed version + // Compare ranges for non-overlap + julong lo0 = r0->_lo; + julong hi0 = r0->_hi; + julong lo1 = r1->_lo; + julong hi1 = r1->_hi; + + // If either one has both negative and positive values, + // it therefore contains both 0 and -1, and since [0..-1] is the + // full unsigned range, the type must act as an unsigned bottom. + bool bot0 = ((jlong)(lo0 ^ hi0) < 0); + bool bot1 = ((jlong)(lo1 ^ hi1) < 0); + + if (bot0 || bot1) { + // All unsigned values are LE -1 and GE 0. + if (lo0 == 0 && hi0 == 0) { + return TypeInt::CC_LE; // 0 <= bot + } else if ((jlong)lo0 == -1 && (jlong)hi0 == -1) { + return TypeInt::CC_GE; // -1 >= bot + } else if (lo1 == 0 && hi1 == 0) { + return TypeInt::CC_GE; // bot >= 0 + } else if ((jlong)lo1 == -1 && (jlong)hi1 == -1) { + return TypeInt::CC_LE; // bot <= -1 + } + } else { + // We can use ranges of the form [lo..hi] if signs are the same. + assert(lo0 <= hi0 && lo1 <= hi1, "unsigned ranges are valid"); + // results are reversed, '-' > '+' for unsigned compare + if (hi0 < lo1) { + return TypeInt::CC_LT; // smaller + } else if (lo0 > hi1) { + return TypeInt::CC_GT; // greater + } else if (hi0 == lo1 && lo0 == hi1) { + return TypeInt::CC_EQ; // Equal results + } else if (lo0 >= hi1) { + return TypeInt::CC_GE; + } else if (hi0 <= lo1) { + return TypeInt::CC_LE; + } + } + + return TypeInt::CC; // else use worst case results +} + //============================================================================= //------------------------------sub-------------------------------------------- // Simplify an CmpP (compare 2 pointers) node, based on local information. diff --git a/hotspot/src/share/vm/opto/subnode.hpp b/hotspot/src/share/vm/opto/subnode.hpp index 63bcd3cc2b..a4adbcf5a4 100644 --- a/hotspot/src/share/vm/opto/subnode.hpp +++ b/hotspot/src/share/vm/opto/subnode.hpp @@ -198,6 +198,15 @@ public: virtual const Type *sub( const Type *, const Type * ) const; }; +//------------------------------CmpULNode--------------------------------------- +// Compare 2 unsigned long values, returning condition codes (-1, 0 or 1). +class CmpULNode : public CmpNode { +public: + CmpULNode(Node* in1, Node* in2) : CmpNode(in1, in2) { } + virtual int Opcode() const; + virtual const Type* sub(const Type*, const Type*) const; +}; + //------------------------------CmpL3Node-------------------------------------- // Compare 2 long values, returning integer value (-1, 0 or 1). class CmpL3Node : public CmpLNode { diff --git a/hotspot/src/share/vm/runtime/vmStructs.cpp b/hotspot/src/share/vm/runtime/vmStructs.cpp index d5b9e3db03..5dfe21a764 100644 --- a/hotspot/src/share/vm/runtime/vmStructs.cpp +++ b/hotspot/src/share/vm/runtime/vmStructs.cpp @@ -2008,6 +2008,7 @@ typedef CompactHashtable SymbolCompactHashTable; declare_c2_type(CmpPNode, CmpNode) \ declare_c2_type(CmpNNode, CmpNode) \ declare_c2_type(CmpLNode, CmpNode) \ + declare_c2_type(CmpULNode, CmpNode) \ declare_c2_type(CmpL3Node, CmpLNode) \ declare_c2_type(CmpFNode, CmpNode) \ declare_c2_type(CmpF3Node, CmpFNode) \ From 75e7444bd9462e7ab759eaa85fe9f07cb1916c3f Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Thu, 23 Mar 2017 15:07:26 +0000 Subject: [PATCH 033/269] 8176751: Better URL connections Reviewed-by: chegar, michaelm, rhalade, rpatil, vtewari --- .../https/HttpsURLConnectionOldImpl.java | 11 +++++++- .../www/protocol/http/HttpURLConnection.java | 28 +++++++++++++++---- .../https/HttpsURLConnectionImpl.java | 11 +++++++- 3 files changed, 43 insertions(+), 7 deletions(-) diff --git a/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java b/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java index fc9f7ce861..eb7c11b21f 100644 --- a/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java +++ b/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java @@ -38,6 +38,7 @@ package com.sun.net.ssl.internal.www.protocol.https; import java.net.URL; import java.net.Proxy; import java.net.ProtocolException; +import java.net.MalformedURLException; import java.io.*; import java.net.Authenticator; import javax.net.ssl.*; @@ -78,10 +79,18 @@ public class HttpsURLConnectionOldImpl this(u, null, handler); } + static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } // For both copies of the file, uncomment one line and comment the other // HttpsURLConnectionImpl(URL u, Handler handler) throws IOException { HttpsURLConnectionOldImpl(URL u, Proxy p, Handler handler) throws IOException { - super(u); + super(checkURL(u)); delegate = new DelegateHttpsURLConnection(url, p, handler, this); } diff --git a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 5e23b043a6..17e158541c 100644 --- a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -843,18 +843,36 @@ public class HttpURLConnection extends java.net.HttpURLConnection { this(u, null, handler); } - public HttpURLConnection(URL u, String host, int port) { - this(u, new Proxy(Proxy.Type.HTTP, InetSocketAddress.createUnresolved(host, port))); + private static String checkHost(String h) throws IOException { + if (h != null) { + if (h.indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in host"); + } + } + return h; + } + public HttpURLConnection(URL u, String host, int port) throws IOException { + this(u, new Proxy(Proxy.Type.HTTP, + InetSocketAddress.createUnresolved(checkHost(host), port))); } /** this constructor is used by other protocol handlers such as ftp that want to use http to fetch urls on their behalf.*/ - public HttpURLConnection(URL u, Proxy p) { + public HttpURLConnection(URL u, Proxy p) throws IOException { this(u, p, new Handler()); } - protected HttpURLConnection(URL u, Proxy p, Handler handler) { - super(u); + private static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } + protected HttpURLConnection(URL u, Proxy p, Handler handler) + throws IOException { + super(checkURL(u)); requests = new MessageHeader(); responses = new MessageHeader(); userHeaders = new MessageHeader(); diff --git a/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java b/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java index 792af78675..8b49800c78 100644 --- a/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java +++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java @@ -38,6 +38,7 @@ package sun.net.www.protocol.https; import java.net.URL; import java.net.Proxy; import java.net.ProtocolException; +import java.net.MalformedURLException; import java.io.*; import java.net.Authenticator; import javax.net.ssl.*; @@ -80,10 +81,18 @@ public class HttpsURLConnectionImpl this(u, null, handler); } + static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } // For both copies of the file, uncomment one line and comment the other HttpsURLConnectionImpl(URL u, Proxy p, Handler handler) throws IOException { // HttpsURLConnectionOldImpl(URL u, Proxy p, Handler handler) throws IOException { - super(u); + super(checkURL(u)); delegate = new DelegateHttpsURLConnection(url, p, handler, this); } From 60f53427527d38e98353dd9d82fdc4f441a3829b Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Thu, 23 Mar 2017 15:07:26 +0000 Subject: [PATCH 034/269] 8176751: Better URL connections Reviewed-by: chegar, michaelm, rhalade, rpatil, vtewari --- .../https/HttpsURLConnectionOldImpl.java | 11 +++++++- .../www/protocol/http/HttpURLConnection.java | 28 +++++++++++++++---- .../https/HttpsURLConnectionImpl.java | 11 +++++++- 3 files changed, 43 insertions(+), 7 deletions(-) diff --git a/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java b/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java index fc9f7ce861..eb7c11b21f 100644 --- a/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java +++ b/jdk/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnectionOldImpl.java @@ -38,6 +38,7 @@ package com.sun.net.ssl.internal.www.protocol.https; import java.net.URL; import java.net.Proxy; import java.net.ProtocolException; +import java.net.MalformedURLException; import java.io.*; import java.net.Authenticator; import javax.net.ssl.*; @@ -78,10 +79,18 @@ public class HttpsURLConnectionOldImpl this(u, null, handler); } + static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } // For both copies of the file, uncomment one line and comment the other // HttpsURLConnectionImpl(URL u, Handler handler) throws IOException { HttpsURLConnectionOldImpl(URL u, Proxy p, Handler handler) throws IOException { - super(u); + super(checkURL(u)); delegate = new DelegateHttpsURLConnection(url, p, handler, this); } diff --git a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 5e23b043a6..17e158541c 100644 --- a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -843,18 +843,36 @@ public class HttpURLConnection extends java.net.HttpURLConnection { this(u, null, handler); } - public HttpURLConnection(URL u, String host, int port) { - this(u, new Proxy(Proxy.Type.HTTP, InetSocketAddress.createUnresolved(host, port))); + private static String checkHost(String h) throws IOException { + if (h != null) { + if (h.indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in host"); + } + } + return h; + } + public HttpURLConnection(URL u, String host, int port) throws IOException { + this(u, new Proxy(Proxy.Type.HTTP, + InetSocketAddress.createUnresolved(checkHost(host), port))); } /** this constructor is used by other protocol handlers such as ftp that want to use http to fetch urls on their behalf.*/ - public HttpURLConnection(URL u, Proxy p) { + public HttpURLConnection(URL u, Proxy p) throws IOException { this(u, p, new Handler()); } - protected HttpURLConnection(URL u, Proxy p, Handler handler) { - super(u); + private static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } + protected HttpURLConnection(URL u, Proxy p, Handler handler) + throws IOException { + super(checkURL(u)); requests = new MessageHeader(); responses = new MessageHeader(); userHeaders = new MessageHeader(); diff --git a/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java b/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java index 792af78675..8b49800c78 100644 --- a/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java +++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java @@ -38,6 +38,7 @@ package sun.net.www.protocol.https; import java.net.URL; import java.net.Proxy; import java.net.ProtocolException; +import java.net.MalformedURLException; import java.io.*; import java.net.Authenticator; import javax.net.ssl.*; @@ -80,10 +81,18 @@ public class HttpsURLConnectionImpl this(u, null, handler); } + static URL checkURL(URL u) throws IOException { + if (u != null) { + if (u.toExternalForm().indexOf('\n') > -1) { + throw new MalformedURLException("Illegal character in URL"); + } + } + return u; + } // For both copies of the file, uncomment one line and comment the other HttpsURLConnectionImpl(URL u, Proxy p, Handler handler) throws IOException { // HttpsURLConnectionOldImpl(URL u, Proxy p, Handler handler) throws IOException { - super(u); + super(checkURL(u)); delegate = new DelegateHttpsURLConnection(url, p, handler, this); } From 589737e480b130850a8d0a22fed24a6af1150a28 Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Fri, 24 Mar 2017 15:41:33 -0400 Subject: [PATCH 035/269] 8177549: Typo in Vector.java Reviewed-by: coffeys --- jdk/src/java.base/share/classes/java/util/Vector.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/java/util/Vector.java b/jdk/src/java.base/share/classes/java/util/Vector.java index 16d8cbf4e2..fac073b111 100644 --- a/jdk/src/java.base/share/classes/java/util/Vector.java +++ b/jdk/src/java.base/share/classes/java/util/Vector.java @@ -154,7 +154,7 @@ public class Vector /** * Constructs an empty vector so that its internal data array - * has size {@code 10} and its standard capacBasity increment is + * has size {@code 10} and its standard capacity increment is * zero. */ public Vector() { From 83077e1e41fe434edca79fdc29d23e406bc03eb1 Mon Sep 17 00:00:00 2001 From: Stuart Marks Date: Tue, 28 Mar 2017 12:10:20 -0700 Subject: [PATCH 036/269] 8174966: Unreferenced references Reviewed-by: rriggs, skoivu, rhalade, robm --- .../classes/sun/rmi/transport/Target.java | 33 +++++++------------ 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java index 82c849e269..e9150ed62a 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.rmi.server.ObjID; import java.rmi.server.Unreferenced; import java.security.AccessControlContext; import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.*; import sun.rmi.runtime.Log; import sun.rmi.runtime.NewThreadAction; @@ -322,27 +323,15 @@ public final class Target { Remote obj = getImpl(); if (obj instanceof Unreferenced) { final Unreferenced unrefObj = (Unreferenced) obj; - final Thread t = - java.security.AccessController.doPrivileged( - new NewThreadAction(new Runnable() { - public void run() { - unrefObj.unreferenced(); - } - }, "Unreferenced-" + nextThreadNum++, false, true)); - // REMIND: access to nextThreadNum not synchronized; you care? - /* - * We must manually set the context class loader appropriately - * for threads that may invoke user code (see bugid 4171278). - */ - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public Void run() { - t.setContextClassLoader(ccl); - return null; - } - }); - - t.start(); + AccessController.doPrivileged( + new NewThreadAction(() -> { + Thread.currentThread().setContextClassLoader(ccl); + AccessController.doPrivileged((PrivilegedAction) () -> { + unrefObj.unreferenced(); + return null; + }, acc); + }, "Unreferenced-" + nextThreadNum++, false, true)).start(); + // REMIND: access to nextThreadNum not synchronized; you care? } unpinImpl(); From 6b3d1c4216e61ed90551fd33da7aa992dc2b7695 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 18 May 2017 08:52:50 +0800 Subject: [PATCH 037/269] 8178714: PKIX validator nameConstraints check failing after change 8175940 Reviewed-by: mullan, ahgross --- .../classes/sun/security/x509/DNSName.java | 64 +++++-------- .../x509/NameConstraintsExtension.java | 93 +++++++++++-------- 2 files changed, 81 insertions(+), 76 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java index 181e45a4c2..c9aa54aa73 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -194,45 +194,31 @@ public class DNSName implements GeneralNameInterface { */ public int constrains(GeneralNameInterface inputName) throws UnsupportedOperationException { int constraintType; - if (inputName == null) { - return NAME_DIFF_TYPE; - } - String inName; - switch (inputName.getType()) { - case NAME_DNS: - inName = ((DNSName)inputName).getName(); - break; - case NAME_DIRECTORY: - try { - inName = ((X500Name) inputName).getCommonName(); - if (inName == null) { - return NAME_DIFF_TYPE; - } - } catch (IOException ioe) { - return NAME_DIFF_TYPE; - } - break; - default: - return NAME_DIFF_TYPE; - } - inName = inName.toLowerCase(Locale.ENGLISH); - String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { - int inNdx = thisName.lastIndexOf(inName); - if (thisName.charAt(inNdx-1) == '.' ) - constraintType = NAME_WIDENS; - else + if (inputName == null) + constraintType = NAME_DIFF_TYPE; + else if (inputName.getType() != NAME_DNS) + constraintType = NAME_DIFF_TYPE; + else { + String inName = + (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); + if (inName.equals(thisName)) + constraintType = NAME_MATCH; + else if (thisName.endsWith(inName)) { + int inNdx = thisName.lastIndexOf(inName); + if (thisName.charAt(inNdx-1) == '.' ) + constraintType = NAME_WIDENS; + else + constraintType = NAME_SAME_TYPE; + } else if (inName.endsWith(thisName)) { + int ndx = inName.lastIndexOf(thisName); + if (inName.charAt(ndx-1) == '.' ) + constraintType = NAME_NARROWS; + else + constraintType = NAME_SAME_TYPE; + } else { constraintType = NAME_SAME_TYPE; - } else if (inName.endsWith(thisName)) { - int ndx = inName.lastIndexOf(thisName); - if (inName.charAt(ndx-1) == '.' ) - constraintType = NAME_NARROWS; - else - constraintType = NAME_SAME_TYPE; - } else { - constraintType = NAME_SAME_TYPE; + } } return constraintType; } diff --git a/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java b/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java index eafe3eefe7..88f787e070 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ import java.util.*; import javax.security.auth.x500.X500Principal; +import sun.net.util.IPAddressUtil; import sun.security.util.*; import sun.security.pkcs.PKCS9Attribute; @@ -440,6 +441,7 @@ implements CertAttrSet, Cloneable { X500Principal subjectPrincipal = cert.getSubjectX500Principal(); X500Name subject = X500Name.asX500Name(subjectPrincipal); + // Check subject as an X500Name if (subject.isEmpty() == false) { if (verify(subject) == false) { return false; @@ -465,12 +467,51 @@ implements CertAttrSet, Cloneable { "certificate: " + ce.getMessage()); } - // If there are no subjectAlternativeNames, perform the special-case - // check where if the subjectName contains any EMAILADDRESS - // attributes, they must be checked against RFC822 constraints. - // If that passes, we're fine. if (altNames == null) { - return verifyRFC822SpecialCase(subject); + altNames = new GeneralNames(); + + // RFC 5280 4.2.1.10: + // When constraints are imposed on the rfc822Name name form, + // but the certificate does not include a subject alternative name, + // the rfc822Name constraint MUST be applied to the attribute of + // type emailAddress in the subject distinguished name. + for (AVA ava : subject.allAvas()) { + ObjectIdentifier attrOID = ava.getObjectIdentifier(); + if (attrOID.equals(PKCS9Attribute.EMAIL_ADDRESS_OID)) { + String attrValue = ava.getValueString(); + if (attrValue != null) { + try { + altNames.add(new GeneralName( + new RFC822Name(attrValue))); + } catch (IOException ioe) { + continue; + } + } + } + } + } + + // If there is no IPAddressName or DNSName in subjectAlternativeNames, + // see if the last CN inside subjectName can be used instead. + DerValue derValue = subject.findMostSpecificAttribute + (X500Name.commonName_oid); + String cn = derValue == null ? null : derValue.getAsString(); + + if (cn != null) { + try { + if (IPAddressUtil.isIPv4LiteralAddress(cn) || + IPAddressUtil.isIPv6LiteralAddress(cn)) { + if (!hasNameType(altNames, GeneralNameInterface.NAME_IP)) { + altNames.add(new GeneralName(new IPAddressName(cn))); + } + } else { + if (!hasNameType(altNames, GeneralNameInterface.NAME_DNS)) { + altNames.add(new GeneralName(new DNSName(cn))); + } + } + } catch (IOException ioe) { + // OK, cn is neither IP nor DNS + } } // verify each subjectAltName @@ -485,6 +526,15 @@ implements CertAttrSet, Cloneable { return true; } + private static boolean hasNameType(GeneralNames names, int type) { + for (GeneralName name : names.names()) { + if (name.getType() == type) { + return true; + } + } + return false; + } + /** * check whether a name conforms to these NameConstraints. * This involves verifying that the name is consistent with the @@ -566,37 +616,6 @@ implements CertAttrSet, Cloneable { return true; } - /** - * Perform the RFC 822 special case check. We have a certificate - * that does not contain any subject alternative names. Check that - * any EMAILADDRESS attributes in its subject name conform to these - * NameConstraints. - * - * @param subject the certificate's subject name - * @return true if certificate verifies successfully - * @throws IOException on error - */ - public boolean verifyRFC822SpecialCase(X500Name subject) throws IOException { - for (AVA ava : subject.allAvas()) { - ObjectIdentifier attrOID = ava.getObjectIdentifier(); - if (attrOID.equals(PKCS9Attribute.EMAIL_ADDRESS_OID)) { - String attrValue = ava.getValueString(); - if (attrValue != null) { - RFC822Name emailName; - try { - emailName = new RFC822Name(attrValue); - } catch (IOException ioe) { - continue; - } - if (!verify(emailName)) { - return(false); - } - } - } - } - return true; - } - /** * Clone all objects that may be modified during certificate validation. */ From ee97f6c5b5eee9fa98763d24e98c4fd5f2a138e4 Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Fri, 19 May 2017 11:17:27 +0100 Subject: [PATCH 038/269] 8180024: Improve construction of objects during deserialization Reviewed-by: rriggs, skoivu, ahgross, rhalade --- .../classes/java/io/ObjectStreamClass.java | 103 +++++++++++++++++- .../sun/reflect/ReflectionFactory.java | 66 ++++++++++- 2 files changed, 166 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java b/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java index e5a323830e..ebca26e276 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java @@ -32,14 +32,19 @@ import java.lang.ref.WeakReference; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.UndeclaredThrowableException; import java.lang.reflect.Member; import java.lang.reflect.Method; import java.lang.reflect.Modifier; import java.lang.reflect.Proxy; +import java.security.AccessControlContext; import java.security.AccessController; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.security.PermissionCollection; +import java.security.Permissions; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -53,7 +58,8 @@ import jdk.internal.reflect.CallerSensitive; import jdk.internal.reflect.Reflection; import jdk.internal.reflect.ReflectionFactory; import sun.reflect.misc.ReflectUtil; - +import jdk.internal.misc.SharedSecrets; +import jdk.internal.misc.JavaSecurityAccess; import static java.io.ObjectStreamField.*; /** @@ -176,6 +182,9 @@ public class ObjectStreamClass implements Serializable { /** serialization-appropriate constructor, or null if none */ private Constructor cons; + /** protection domains that need to be checked when calling the constructor */ + private ProtectionDomain[] domains; + /** class-defined writeObject method, or null if none */ private Method writeObjectMethod; /** class-defined readObject method, or null if none */ @@ -508,6 +517,7 @@ public class ObjectStreamClass implements Serializable { cl, "readObjectNoData", null, Void.TYPE); hasWriteObjectData = (writeObjectMethod != null); } + domains = getProtectionDomains(cons, cl); writeReplaceMethod = getInheritableMethod( cl, "writeReplace", null, Object.class); readResolveMethod = getInheritableMethod( @@ -550,6 +560,65 @@ public class ObjectStreamClass implements Serializable { ObjectStreamClass() { } + /** + * Creates a PermissionDomain that grants no permission. + */ + private ProtectionDomain noPermissionsDomain() { + PermissionCollection perms = new Permissions(); + perms.setReadOnly(); + return new ProtectionDomain(null, perms); + } + + /** + * Aggregate the ProtectionDomains of all the classes that separate + * a concrete class {@code cl} from its ancestor's class declaring + * a constructor {@code cons}. + * + * If {@code cl} is defined by the boot loader, or the constructor + * {@code cons} is declared by {@code cl}, or if there is no security + * manager, then this method does nothing and {@code null} is returned. + * + * @param cons A constructor declared by {@code cl} or one of its + * ancestors. + * @param cl A concrete class, which is either the class declaring + * the constructor {@code cons}, or a serializable subclass + * of that class. + * @return An array of ProtectionDomain representing the set of + * ProtectionDomain that separate the concrete class {@code cl} + * from its ancestor's declaring {@code cons}, or {@code null}. + */ + private ProtectionDomain[] getProtectionDomains(Constructor cons, + Class cl) { + ProtectionDomain[] domains = null; + if (cons != null && cl.getClassLoader() != null + && System.getSecurityManager() != null) { + Class cls = cl; + Class fnscl = cons.getDeclaringClass(); + Set pds = null; + while (cls != fnscl) { + ProtectionDomain pd = cls.getProtectionDomain(); + if (pd != null) { + if (pds == null) pds = new HashSet<>(); + pds.add(pd); + } + cls = cls.getSuperclass(); + if (cls == null) { + // that's not supposed to happen + // make a ProtectionDomain with no permission. + // should we throw instead? + if (pds == null) pds = new HashSet<>(); + else pds.clear(); + pds.add(noPermissionsDomain()); + break; + } + } + if (pds != null) { + domains = pds.toArray(new ProtectionDomain[0]); + } + } + return domains; + } + /** * Initializes class descriptor representing a proxy class. */ @@ -580,6 +649,7 @@ public class ObjectStreamClass implements Serializable { writeReplaceMethod = localDesc.writeReplaceMethod; readResolveMethod = localDesc.readResolveMethod; deserializeEx = localDesc.deserializeEx; + domains = localDesc.domains; cons = localDesc.cons; } fieldRefl = getReflector(fields, localDesc); @@ -666,6 +736,7 @@ public class ObjectStreamClass implements Serializable { if (deserializeEx == null) { deserializeEx = localDesc.deserializeEx; } + domains = localDesc.domains; cons = localDesc.cons; } @@ -1006,7 +1077,35 @@ public class ObjectStreamClass implements Serializable { requireInitialized(); if (cons != null) { try { - return cons.newInstance(); + if (domains == null || domains.length == 0) { + return cons.newInstance(); + } else { + JavaSecurityAccess jsa = SharedSecrets.getJavaSecurityAccess(); + PrivilegedAction pea = () -> { + try { + return cons.newInstance(); + } catch (InstantiationException + | InvocationTargetException + | IllegalAccessException x) { + throw new UndeclaredThrowableException(x); + } + }; // Can't use PrivilegedExceptionAction with jsa + try { + return jsa.doIntersectionPrivilege(pea, + AccessController.getContext(), + new AccessControlContext(domains)); + } catch (UndeclaredThrowableException x) { + Throwable cause = x.getCause(); + if (cause instanceof InstantiationException) + throw (InstantiationException) cause; + if (cause instanceof InvocationTargetException) + throw (InvocationTargetException) cause; + if (cause instanceof IllegalAccessException) + throw (IllegalAccessException) cause; + // not supposed to happen + throw x; + } + } } catch (IllegalAccessException ex) { // should not occur, as access checks have been suppressed throw new InternalError(ex); diff --git a/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java b/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java index 6ac09603a1..a260cfae28 100644 --- a/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java +++ b/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java @@ -29,9 +29,14 @@ import java.io.OptionalDataException; import java.lang.invoke.MethodHandle; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.UndeclaredThrowableException; +import java.security.AccessControlContext; import java.security.AccessController; import java.security.Permission; +import java.security.ProtectionDomain; import java.security.PrivilegedAction; +import jdk.internal.misc.SharedSecrets; +import jdk.internal.misc.JavaSecurityAccess; /** * ReflectionFactory supports custom serialization. @@ -139,6 +144,66 @@ public class ReflectionFactory { return delegate.readObjectForSerialization(cl); } + /** + * Invokes the supplied constructor, adding the provided protection domains + * to the invocation stack before invoking {@code Constructor::newInstance}. + * If no {@linkplain System#getSecurityManager() security manager} is present, + * or no domains are provided, then this method simply calls + * {@code cons.newInstance()}. Otherwise, it invokes the provided constructor + * with privileges at the intersection of the current context and the provided + * protection domains. + * + * @param cons A constructor obtained from {@code + * newConstructorForSerialization} or {@code + * newConstructorForExternalization}. + * @param domains An array of protection domains that limit the privileges + * with which the constructor is invoked. Can be {@code null} + * or empty, in which case privileges are only limited by the + * {@linkplain AccessController#getContext() current context}. + * + * @return A new object built from the provided constructor. + * + * @throws NullPointerException if {@code cons} is {@code null}. + * @throws InstantiationException if thrown by {@code cons.newInstance()}. + * @throws InvocationTargetException if thrown by {@code cons.newInstance()}. + * @throws IllegalAccessException if thrown by {@code cons.newInstance()}. + */ + public final Object newInstanceForSerialization(Constructor cons, + ProtectionDomain[] domains) + throws InstantiationException, InvocationTargetException, IllegalAccessException + { + SecurityManager sm = System.getSecurityManager(); + if (sm == null || domains == null || domains.length == 0) { + return cons.newInstance(); + } else { + JavaSecurityAccess jsa = SharedSecrets.getJavaSecurityAccess(); + PrivilegedAction pea = () -> { + try { + return cons.newInstance(); + } catch (InstantiationException + | InvocationTargetException + | IllegalAccessException x) { + throw new UndeclaredThrowableException(x); + } + }; // Can't use PrivilegedExceptionAction with jsa + try { + return jsa.doIntersectionPrivilege(pea, + AccessController.getContext(), + new AccessControlContext(domains)); + } catch (UndeclaredThrowableException x) { + Throwable cause = x.getCause(); + if (cause instanceof InstantiationException) + throw (InstantiationException) cause; + if (cause instanceof InvocationTargetException) + throw (InvocationTargetException) cause; + if (cause instanceof IllegalAccessException) + throw (IllegalAccessException) cause; + // not supposed to happen + throw x; + } + } + } + /** * Returns a direct MethodHandle for the {@code readObjectNoData} method on * a Serializable class. @@ -224,4 +289,3 @@ public class ReflectionFactory { } } } - From cdef8ce119672f5870e3efc8af1b1409b0669fa4 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Thu, 6 Jul 2017 09:43:27 -0700 Subject: [PATCH 039/269] 8183028: Improve CMS header processing Reviewed-by: serb, rhalade, mschoene --- jdk/src/java.desktop/share/native/liblcms/cmstypes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c index 61ea3a631e..95fe4d1a5a 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c @@ -1489,6 +1489,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU // Check for overflow if (Offset < (SizeOfHeader + 8)) goto Error; + if (((Offset + Len) < Len) || ((Offset + Len) > SizeOfTag + 8)) goto Error; // True begin of the string BeginOfThisString = Offset - SizeOfHeader - 8; From f1e7d5616efb2a8ab75fee88d75f7ad1f2ea6a87 Mon Sep 17 00:00:00 2001 From: Bhanu Prakash Gopularam Date: Thu, 6 Jul 2017 23:54:47 -0700 Subject: [PATCH 040/269] 8179564: Missing @bug for tests added with JDK-8165367 Updated bugid in tests Reviewed-by: robm --- .../sun/security/ssl/CertPathRestrictions/TLSRestrictions.java | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java b/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java index 2a6ffb2d13..ecb060cc7d 100644 --- a/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java +++ b/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java @@ -48,6 +48,7 @@ import jdk.test.lib.process.ProcessTools; /* * @test + * @bug 8165367 * @summary Verify the restrictions for certificate path on JSSE with custom trust store. * @library /test/lib * @compile JSSEClient.java From 7149aadb44df7911579e017632d664f677902696 Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Tue, 18 Jul 2017 11:30:16 -0700 Subject: [PATCH 041/269] Added tag jdk-9.0.3+1 for changeset 1f563db1cf68 --- jdk/.hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/.hgtags b/jdk/.hgtags index e3aa4fc9a2..c33cd6c84e 100644 --- a/jdk/.hgtags +++ b/jdk/.hgtags @@ -421,3 +421,4 @@ c31ac0b8a60e8f872d38ad251a25ad043adc0191 jdk-9.0.3+00 e6c4f6ef717d104dba880e2dae538690c993b46f jdk-9+175 9f27d513658d5375b0e26846857d92563f279073 jdk-9+176 80acf577b7d0b886fb555c9916552844f6cc72af jdk-9+177 +383a0001f6a0981aa061bf62d7562240abec0b18 jdk-9.0.3+1 From b46932febb220b27652fd19411f099e5aed2e9e2 Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Mon, 19 Jun 2017 17:38:33 -0400 Subject: [PATCH 042/269] 8181597: Process Proxy presentation Reviewed-by: dfuchs, ahgross, rhalade, skoivu --- .../java.base/share/classes/java/io/ObjectInputStream.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index bffc5a81ee..11e33b4e5d 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -1770,6 +1770,10 @@ public class ObjectInputStream passHandle = NULL_HANDLE; int numIfaces = bin.readInt(); + if (numIfaces > 65535) { + throw new InvalidObjectException("interface limit exceeded: " + + numIfaces); + } String[] ifaces = new String[numIfaces]; for (int i = 0; i < numIfaces; i++) { ifaces[i] = bin.readUTF(); From a989620c09187e622463a59eafae631f60f8a9fa Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Wed, 28 Jun 2017 16:52:36 +0100 Subject: [PATCH 043/269] 8181370: Better keystore handling Reviewed-by: weijun, igerasim --- .../com/sun/crypto/provider/JceKeyStore.java | 44 ++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java index ccf49b7a80..f3190b39a2 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,12 +27,14 @@ package com.sun.crypto.provider; import java.io.*; import java.util.*; +import java.security.AccessController; import java.security.DigestInputStream; import java.security.DigestOutputStream; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.Key; import java.security.PrivateKey; +import java.security.PrivilegedAction; import java.security.KeyStoreSpi; import java.security.KeyStoreException; import java.security.UnrecoverableKeyException; @@ -835,11 +837,21 @@ public final class JceKeyStore extends KeyStoreSpi { // read the sealed key try { ois = new ObjectInputStream(dis); + final ObjectInputStream ois2 = ois; + // Set a deserialization checker + AccessController.doPrivileged( + (PrivilegedAction)() -> { + ois2.setObjectInputFilter( + new DeserializationChecker()); + return null; + }); entry.sealedKey = (SealedObject)ois.readObject(); // NOTE: don't close ois here since we are still // using dis!!! } catch (ClassNotFoundException cnfe) { throw new IOException(cnfe.getMessage()); + } catch (InvalidClassException ice) { + throw new IOException("Invalid secret key format"); } // Add the entry to the list @@ -916,4 +928,34 @@ public final class JceKeyStore extends KeyStoreSpi { return JCEKS_MAGIC == dataStream.readInt(); } + + /* + * An ObjectInputFilter that checks the format of the secret key being + * deserialized. + */ + private static class DeserializationChecker implements ObjectInputFilter { + private static final int MAX_NESTED_DEPTH = 2; + + @Override + public ObjectInputFilter.Status + checkInput(ObjectInputFilter.FilterInfo info) { + + // First run a custom filter + long nestedDepth = info.depth(); + if ((nestedDepth == 1 && + info.serialClass() != SealedObjectForKeyProtector.class) || + nestedDepth > MAX_NESTED_DEPTH) { + return Status.REJECTED; + } + + // Next run the default filter, if available + ObjectInputFilter defaultFilter = + ObjectInputFilter.Config.getSerialFilter(); + if (defaultFilter != null) { + return defaultFilter.checkInput(info); + } + + return Status.UNDECIDED; + } + } } From bf10b5af1887bd036371ba237b0142908b1bea53 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 6 Jul 2017 09:20:21 +0800 Subject: [PATCH 044/269] 8181432: Better processing of unresolved permissions Reviewed-by: mullan --- .../classes/java/security/CodeSource.java | 11 +++----- .../java/security/UnresolvedPermission.java | 25 +++++++++++-------- .../cert/CertificateRevokedException.java | 11 ++++---- .../classes/sun/security/util/IOUtils.java | 22 ++++++++++++++-- .../sun/security/util/ObjectIdentifier.java | 8 ++++-- 5 files changed, 51 insertions(+), 26 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/security/CodeSource.java b/jdk/src/java.base/share/classes/java/security/CodeSource.java index 818716fa39..a1f98eeb55 100644 --- a/jdk/src/java.base/share/classes/java/security/CodeSource.java +++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java @@ -35,6 +35,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.cert.*; import sun.net.util.URLUtil; +import sun.security.util.IOUtils; /** * @@ -571,6 +572,8 @@ public class CodeSource implements java.io.Serializable { // could all be present in the stream at the same time cfs = new Hashtable<>(3); certList = new ArrayList<>(size > 20 ? 20 : size); + } else if (size < 0) { + throw new IOException("size cannot be negative"); } for (int i = 0; i < size; i++) { @@ -592,13 +595,7 @@ public class CodeSource implements java.io.Serializable { cfs.put(certType, cf); } // parse the certificate - byte[] encoded = null; - try { - encoded = new byte[ois.readInt()]; - } catch (OutOfMemoryError oome) { - throw new IOException("Certificate too big"); - } - ois.readFully(encoded); + byte[] encoded = IOUtils.readNBytes(ois, ois.readInt()); ByteArrayInputStream bais = new ByteArrayInputStream(encoded); try { certList.add(cf.generateCertificate(bais)); diff --git a/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java b/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java index b5dc02dcb3..d75c24cbf7 100644 --- a/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java +++ b/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,12 +25,16 @@ package java.security; +import sun.security.util.IOUtils; + import java.io.IOException; import java.io.ByteArrayInputStream; +import java.security.cert.Certificate; import java.util.ArrayList; import java.util.Hashtable; import java.lang.reflect.*; import java.security.cert.*; +import java.util.List; /** * The UnresolvedPermission class is used to hold Permissions that @@ -550,6 +554,7 @@ implements java.io.Serializable { CertificateFactory cf; Hashtable cfs = null; + List certList = null; ois.defaultReadObject(); @@ -562,7 +567,9 @@ implements java.io.Serializable // we know of 3 different cert types: X.509, PGP, SDSI, which // could all be present in the stream at the same time cfs = new Hashtable<>(3); - this.certs = new java.security.cert.Certificate[size]; + certList = new ArrayList<>(size > 20 ? 20 : size); + } else if (size < 0) { + throw new IOException("size cannot be negative"); } for (int i=0; i(size); + extensions = new HashMap<>(size > 20 ? 20 : size); } // Read in the extensions and put the mappings in the extensions map for (int i = 0; i < size; i++) { String oid = (String) ois.readObject(); boolean critical = ois.readBoolean(); - int length = ois.readInt(); - byte[] extVal = new byte[length]; - ois.readFully(extVal); + byte[] extVal = IOUtils.readNBytes(ois, ois.readInt()); Extension ext = sun.security.x509.Extension.newExtension (new ObjectIdentifier(oid), critical, extVal); extensions.put(oid, ext); diff --git a/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java b/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java index 6918a501ea..1fb2badf52 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java +++ b/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,7 +37,7 @@ import java.util.Arrays; public class IOUtils { /** - * Read up to length of bytes from in + * Read up to {@code length} of bytes from {@code in} * until EOF is detected. * @param is input stream, must not be null * @param length number of bytes to read, -1 or Integer.MAX_VALUE means @@ -77,4 +77,22 @@ public class IOUtils { } return output; } + + /** + * Read {@code length} of bytes from {@code in}. An exception is + * thrown if there are not enough bytes in the stream. + * + * @param is input stream, must not be null + * @param length number of bytes to read, must not be negative + * @return bytes read + * @throws IOException if any IO error or a premature EOF is detected, or + * if {@code length} is negative since this length is usually also + * read from {@code is}. + */ + public static byte[] readNBytes(InputStream is, int length) throws IOException { + if (length < 0) { + throw new IOException("length cannot be negative: " + length); + } + return readFully(is, length, true); + } } diff --git a/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java b/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java index 12aabe6f07..514b993849 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java +++ b/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -111,7 +111,11 @@ class ObjectIdentifier implements Serializable is.defaultReadObject(); if (encoding == null) { // from an old version - init((int[])components, componentLen); + int[] comp = (int[])components; + if (componentLen > comp.length) { + componentLen = comp.length; + } + init(comp, componentLen); } } From f8e925394eec50028daee0d0db1017dc722bfa2c Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Wed, 19 Jul 2017 14:37:14 -0700 Subject: [PATCH 045/269] Added tag jdk-9.0.3+2 for changeset d97c005af384 --- jdk/.hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/.hgtags b/jdk/.hgtags index c33cd6c84e..5f1ab82292 100644 --- a/jdk/.hgtags +++ b/jdk/.hgtags @@ -422,3 +422,4 @@ e6c4f6ef717d104dba880e2dae538690c993b46f jdk-9+175 9f27d513658d5375b0e26846857d92563f279073 jdk-9+176 80acf577b7d0b886fb555c9916552844f6cc72af jdk-9+177 383a0001f6a0981aa061bf62d7562240abec0b18 jdk-9.0.3+1 +77eba1b12ee981b9d7e6b10b33b233669a1cb23e jdk-9.0.3+2 From c3643f9c52a62545834bdd4c938e6a38fa6d95cc Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Wed, 5 Jul 2017 17:27:46 +0100 Subject: [PATCH 046/269] 8181692: Update storage implementations Reviewed-by: weijun, igerasim --- .../com/sun/crypto/provider/KeyProtector.java | 21 ++- .../com/sun/crypto/provider/PBES1Core.java | 2 +- .../sun/security/pkcs12/PKCS12KeyStore.java | 125 ++++++++++++------ 3 files changed, 106 insertions(+), 42 deletions(-) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java index 53fea3053c..823d7bdb8d 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,6 +38,7 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.UnrecoverableKeyException; import java.security.AlgorithmParameters; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.PKCS8EncodedKeySpec; import javax.crypto.Cipher; @@ -74,6 +75,8 @@ final class KeyProtector { // keys in the keystore implementation that comes with JDK 1.2) private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int ITERATION_COUNT = 200000; private static final int SALT_LEN = 20; // the salt length private static final int DIGEST_LEN = 20; @@ -100,7 +103,7 @@ final class KeyProtector { SunJCE.getRandom().nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -155,6 +158,9 @@ final class KeyProtector { pbeParams.init(encodedParams); PBEParameterSpec pbeSpec = pbeParams.getParameterSpec(PBEParameterSpec.class); + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -285,7 +291,7 @@ final class KeyProtector { SunJCE.getRandom().nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -326,6 +332,15 @@ final class KeyProtector { throw new UnrecoverableKeyException("Cannot get " + "algorithm parameters"); } + PBEParameterSpec pbeSpec; + try { + pbeSpec = params.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } PBEWithMD5AndTripleDESCipher cipherSpi; cipherSpi = new PBEWithMD5AndTripleDESCipher(); Cipher cipher = new CipherForKeyProtector(cipherSpi, diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java index c54fa2d86e..86ea35c8b0 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java @@ -284,7 +284,7 @@ final class PBES1Core { for (i=0; i<2; i++) { byte tmp = salt[i]; salt[i] = salt[3-i]; - salt[3-1] = tmp; + salt[3-i] = tmp; } } diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java index 9c0e0b7dc0..23f8df52e3 100644 --- a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java +++ b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java @@ -46,6 +46,7 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.KeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.*; @@ -147,6 +148,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi { "keystore.PKCS12.keyProtectionAlgorithm" }; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int PBE_ITERATION_COUNT = 50000; // default + private static final int MAC_ITERATION_COUNT = 100000; // default + private static final int SALT_LEN = 20; + // friendlyName, localKeyId, trustedKeyUsage private static final String[] CORE_ATTRIBUTES = { "1.2.840.113549.1.9.20", @@ -192,8 +198,6 @@ public final class PKCS12KeyStore extends KeyStoreSpi { private static ObjectIdentifier[] AnyUsage; private int counter = 0; - private static final int iterationCount = 1024; - private static final int SALT_LEN = 20; // private key count // Note: This is a workaround to allow null localKeyID attribute @@ -327,6 +331,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { byte[] encryptedKey; AlgorithmParameters algParams; ObjectIdentifier algOid; + try { // get the encrypted private key EncryptedPrivateKeyInfo encrInfo = @@ -347,7 +352,24 @@ public final class PKCS12KeyStore extends KeyStoreSpi { throw uke; } - try { + try { + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + byte[] keyInfo; while (true) { try { @@ -387,9 +409,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi { key = kfac.generatePrivate(kspec); if (debug != null) { - debug.println("Retrieved a protected private key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Retrieved a protected private key at alias" + + " '" + alias + "' (" + + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); } // decode secret key @@ -410,9 +433,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi { } if (debug != null) { - debug.println("Retrieved a protected secret key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Retrieved a protected secret key at alias " + + "'" + alias + "' (" + + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); } } } catch (Exception e) { @@ -590,9 +614,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { (key.getFormat().equals("PKCS8"))) { if (debug != null) { - debug.println("Setting a protected private key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println( + "Setting a protected private key at alias '" + + alias + "'"); } // Encrypt the private key @@ -638,9 +662,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi { encryptPrivateKey(pkcs8.toByteArray(), passwordProtection); if (debug != null) { - debug.println("Setting a protected secret key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Setting a protected secret key at alias '" + + alias + "'"); } secretKeyCount++; entry = keyEntry; @@ -761,19 +784,19 @@ public final class PKCS12KeyStore extends KeyStoreSpi { /* * Generate PBE Algorithm Parameters */ - private AlgorithmParameters getAlgorithmParameters(String algorithm) + private AlgorithmParameters getPBEAlgorithmParameters(String algorithm) throws IOException { AlgorithmParameters algParams = null; // create PBE parameters from salt and iteration count PBEParameterSpec paramSpec = - new PBEParameterSpec(getSalt(), iterationCount); + new PBEParameterSpec(getSalt(), PBE_ITERATION_COUNT); try { algParams = AlgorithmParameters.getInstance(algorithm); algParams.init(paramSpec); } catch (Exception e) { - throw new IOException("getAlgorithmParameters failed: " + + throw new IOException("getPBEAlgorithmParameters failed: " + e.getMessage(), e); } return algParams; @@ -859,7 +882,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { algParams = AlgorithmParameters.getInstance(algorithm); algParams.init(algParamSpec); } else { - algParams = getAlgorithmParameters(algorithm); + algParams = getPBEAlgorithmParameters(algorithm); } } else { // Check default key protection algorithm for PKCS12 keystores @@ -879,7 +902,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (algorithm == null || algorithm.isEmpty()) { algorithm = "PBEWithSHA1AndDESede"; } - algParams = getAlgorithmParameters(algorithm); + algParams = getPBEAlgorithmParameters(algorithm); } ObjectIdentifier pbeOID = mapPBEAlgorithmToOID(algorithm); @@ -1194,7 +1217,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Storing " + (privateKeyCount + secretKeyCount) + - " protected key(s) in a PKCS#7 data content-type"); + " protected key(s) in a PKCS#7 data"); } byte[] safeContentData = createSafeContent(); @@ -1207,7 +1230,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Storing " + certificateCount + - " certificate(s) in a PKCS#7 encryptedData content-type"); + " certificate(s) in a PKCS#7 encryptedData"); } byte[] encrData = createEncryptedData(password); @@ -1478,7 +1501,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // generate MAC (MAC key is generated within JCE) Mac m = Mac.getInstance("HmacPBESHA1"); PBEParameterSpec params = - new PBEParameterSpec(salt, iterationCount); + new PBEParameterSpec(salt, MAC_ITERATION_COUNT); SecretKey key = getPBEKey(passwd); m.init(key, params); m.update(data); @@ -1486,7 +1509,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // encode as MacData MacData macData = new MacData(algName, macResult, salt, - iterationCount); + MAC_ITERATION_COUNT); DerOutputStream bytes = new DerOutputStream(); bytes.write(macData.getEncoded()); mData = bytes.toByteArray(); @@ -1878,7 +1901,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // create AlgorithmParameters AlgorithmParameters algParams = - getAlgorithmParameters("PBEWithSHA1AndRC2_40"); + getPBEAlgorithmParameters("PBEWithSHA1AndRC2_40"); DerOutputStream bytes = new DerOutputStream(); AlgorithmId algId = new AlgorithmId(pbeWithSHAAnd40BitRC2CBC_OID, algParams); @@ -1998,7 +2021,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (contentType.equals(ContentInfo.DATA_OID)) { if (debug != null) { - debug.println("Loading PKCS#7 data content-type"); + debug.println("Loading PKCS#7 data"); } safeContentsData = safeContents.getData(); @@ -2007,15 +2030,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Warning: skipping PKCS#7 encryptedData" + - " content-type - no password was supplied"); + " - no password was supplied"); } continue; } - if (debug != null) { - debug.println("Loading PKCS#7 encryptedData content-type"); - } - DerInputStream edi = safeContents.getContent().toDerInputStream(); int edVersion = edi.getInteger(); @@ -2036,6 +2055,30 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ObjectIdentifier algOid = in.getOID(); AlgorithmParameters algParams = parseAlgParameters(algOid, in); + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException( + "Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + + if (debug != null) { + debug.println("Loading PKCS#7 encryptedData " + + "(" + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); + } + while (true) { try { // Use JCE @@ -2066,8 +2109,15 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // The MacData is optional. if (password != null && s.available() > 0) { - MacData macData = new MacData(s); - try { + MacData macData = new MacData(s); + int ic = macData.getIterations(); + + try { + if (ic > MAX_ITERATION_COUNT) { + throw new InvalidAlgorithmParameterException( + "MAC iteration count too large: " + ic); + } + String algName = macData.getDigestAlgName().toUpperCase(Locale.ENGLISH); @@ -2077,8 +2127,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // generate MAC (MAC key is created within JCE) Mac m = Mac.getInstance("HmacPBE" + algName); PBEParameterSpec params = - new PBEParameterSpec(macData.getSalt(), - macData.getIterations()); + new PBEParameterSpec(macData.getSalt(), ic); SecretKey key = getPBEKey(password); m.init(key, params); m.update(authSafeData); @@ -2086,16 +2135,16 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Checking keystore integrity " + - "(MAC algorithm: " + m.getAlgorithm() + ")"); + "(" + m.getAlgorithm() + " iterations: " + ic + ")"); } if (!MessageDigest.isEqual(macData.getDigest(), macResult)) { throw new UnrecoverableKeyException("Failed PKCS12" + " integrity checking"); } - } catch (Exception e) { + } catch (Exception e) { throw new IOException("Integrity check failed: " + e, e); - } + } } /* From 0435ba2562d049ebec33413daa2563b0b8e42491 Mon Sep 17 00:00:00 2001 From: Naoto Sato Date: Thu, 15 Jun 2017 09:57:15 -0700 Subject: [PATCH 047/269] 8181323: Better timezone processing Reviewed-by: rriggs --- .../classes/java/util/SimpleTimeZone.java | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java b/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java index d7555a0db0..7ed6e71753 100644 --- a/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java +++ b/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,6 +41,7 @@ package java.util; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.IOException; +import java.io.InvalidObjectException; import sun.util.calendar.CalendarSystem; import sun.util.calendar.CalendarUtils; import sun.util.calendar.BaseCalendar; @@ -1278,6 +1279,9 @@ public class SimpleTimeZone extends TimeZone { */ private int serialVersionOnStream = currentSerialVersion; + // Maximum number of rules. + private static final int MAX_RULE_NUM = 6; + private synchronized void invalidateCache() { cacheYear = startYear - 1; cacheStart = cacheEnd = 0; @@ -1569,7 +1573,7 @@ public class SimpleTimeZone extends TimeZone { */ private byte[] packRules() { - byte[] rules = new byte[6]; + byte[] rules = new byte[MAX_RULE_NUM]; rules[0] = (byte)startDay; rules[1] = (byte)startDayOfWeek; rules[2] = (byte)endDay; @@ -1594,7 +1598,7 @@ public class SimpleTimeZone extends TimeZone { endDayOfWeek = rules[3]; // As of serial version 2, include time modes - if (rules.length >= 6) { + if (rules.length >= MAX_RULE_NUM) { startTimeMode = rules[4]; endTimeMode = rules[5]; } @@ -1691,9 +1695,13 @@ public class SimpleTimeZone extends TimeZone { // store the actual rules (which have not be made compatible with 1.1) // in the optional area. Read them in here and parse them. int length = stream.readInt(); - byte[] rules = new byte[length]; - stream.readFully(rules); - unpackRules(rules); + if (length <= MAX_RULE_NUM) { + byte[] rules = new byte[length]; + stream.readFully(rules); + unpackRules(rules); + } else { + throw new InvalidObjectException("Too many rules: " + length); + } } if (serialVersionOnStream >= 2) { From 67709100bf0d1585f70b7e78dbba91a9c1ee3019 Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Tue, 25 Jul 2017 22:25:18 -0700 Subject: [PATCH 048/269] Added tag jdk-9.0.3+3 for changeset 7d774ec3b936 --- jdk/.hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/.hgtags b/jdk/.hgtags index 5f1ab82292..0c082a1ee5 100644 --- a/jdk/.hgtags +++ b/jdk/.hgtags @@ -423,3 +423,4 @@ e6c4f6ef717d104dba880e2dae538690c993b46f jdk-9+175 80acf577b7d0b886fb555c9916552844f6cc72af jdk-9+177 383a0001f6a0981aa061bf62d7562240abec0b18 jdk-9.0.3+1 77eba1b12ee981b9d7e6b10b33b233669a1cb23e jdk-9.0.3+2 +f13da3f2da08667ff74541440bb5d67b2dad1aa9 jdk-9.0.3+3 From 5e6cafcf2155e383651029d9ef0783c83baf1a05 Mon Sep 17 00:00:00 2001 From: Stuart Marks Date: Tue, 28 Mar 2017 12:10:20 -0700 Subject: [PATCH 049/269] 8174966: Unreferenced references Reviewed-by: rriggs, skoivu, rhalade, robm --- .../classes/sun/rmi/transport/Target.java | 33 +++++++------------ 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java b/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java index 82c849e269..e9150ed62a 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/Target.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.rmi.server.ObjID; import java.rmi.server.Unreferenced; import java.security.AccessControlContext; import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.*; import sun.rmi.runtime.Log; import sun.rmi.runtime.NewThreadAction; @@ -322,27 +323,15 @@ public final class Target { Remote obj = getImpl(); if (obj instanceof Unreferenced) { final Unreferenced unrefObj = (Unreferenced) obj; - final Thread t = - java.security.AccessController.doPrivileged( - new NewThreadAction(new Runnable() { - public void run() { - unrefObj.unreferenced(); - } - }, "Unreferenced-" + nextThreadNum++, false, true)); - // REMIND: access to nextThreadNum not synchronized; you care? - /* - * We must manually set the context class loader appropriately - * for threads that may invoke user code (see bugid 4171278). - */ - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public Void run() { - t.setContextClassLoader(ccl); - return null; - } - }); - - t.start(); + AccessController.doPrivileged( + new NewThreadAction(() -> { + Thread.currentThread().setContextClassLoader(ccl); + AccessController.doPrivileged((PrivilegedAction) () -> { + unrefObj.unreferenced(); + return null; + }, acc); + }, "Unreferenced-" + nextThreadNum++, false, true)).start(); + // REMIND: access to nextThreadNum not synchronized; you care? } unpinImpl(); From 7366609b7d85cc327b4dd7217b081c196a7a8d79 Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Thu, 30 Mar 2017 01:59:20 +0000 Subject: [PATCH 050/269] 8176760: Better handling of PKCS8 material Reviewed-by: ascarpino, ahgross --- .../classes/sun/security/pkcs/PKCS8Key.java | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java b/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java index 7cdc167fd5..ee2c6e3195 100644 --- a/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java +++ b/jdk/src/java.base/share/classes/sun/security/pkcs/PKCS8Key.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ import java.security.Key; import java.security.KeyRep; import java.security.PrivateKey; import java.security.KeyFactory; +import java.security.MessageDigest; import java.security.Security; import java.security.Provider; import java.security.InvalidKeyException; @@ -419,18 +420,9 @@ public class PKCS8Key implements PrivateKey { // that encoding byte[] b2 = ((Key)object).getEncoded(); - // do the comparison - int i; - if (b1.length != b2.length) - return false; - for (i = 0; i < b1.length; i++) { - if (b1[i] != b2[i]) { - return false; - } - } - return true; + // time-constant comparison + return MessageDigest.isEqual(b1, b2); } - return false; } From b30c81c3f0acbf47cbc067cb913e6ab42076b2ed Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 31 Mar 2017 11:24:23 +0800 Subject: [PATCH 051/269] 8176067: Proper directory lookup processing Reviewed-by: ahgross, mullan, vinnie --- .../classes/com/sun/jndi/ldap/LdapClient.java | 1 + .../classes/com/sun/jndi/ldap/LdapCtx.java | 22 +++++++++++++++++-- .../sun/jndi/ldap/LdapReferralException.java | 5 +++-- .../certpath/ldap/LDAPCertStoreImpl.java | 4 ++-- 4 files changed, 26 insertions(+), 6 deletions(-) diff --git a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java index c6159711d1..125530f2c0 100644 --- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java +++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapClient.java @@ -1234,6 +1234,7 @@ public final class LdapClient implements PooledConnection { static final int LDAP_REF_FOLLOW = 0x01; // follow referrals static final int LDAP_REF_THROW = 0x02; // throw referral ex. static final int LDAP_REF_IGNORE = 0x03; // ignore referrals + static final int LDAP_REF_FOLLOW_SCHEME = 0x04; // follow referrals of the same scheme static final String LDAP_URL = "ldap://"; // LDAPv3 static final String LDAPS_URL = "ldaps://"; // LDAPv3 diff --git a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java index 6484c3945a..88185a06d2 100644 --- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java +++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtx.java @@ -2414,6 +2414,9 @@ final public class LdapCtx extends ComponentDirContext // First determine the referral mode if (ref != null) { switch (ref) { + case "follow-scheme": + handleReferrals = LdapClient.LDAP_REF_FOLLOW_SCHEME; + break; case "follow": handleReferrals = LdapClient.LDAP_REF_FOLLOW; break; @@ -2979,8 +2982,23 @@ final public class LdapCtx extends ComponentDirContext r = new LdapReferralException(resolvedName, resolvedObj, remainName, msg, envprops, fullDN, handleReferrals, reqCtls); // only one set of URLs is present - r.setReferralInfo(res.referrals == null ? null : - res.referrals.elementAt(0), false); + Vector refs; + if (res.referrals == null) { + refs = null; + } else if (handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME) { + refs = new Vector<>(); + for (String s : res.referrals.elementAt(0)) { + if (s.startsWith("ldap:")) { + refs.add(s); + } + } + if (refs.isEmpty()) { + refs = null; + } + } else { + refs = res.referrals.elementAt(0); + } + r.setReferralInfo(refs, false); if (hopCount > 1) { r.setHopCount(hopCount); diff --git a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java index 62437c7765..eb74e63057 100644 --- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java +++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapReferralException.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -117,7 +117,8 @@ final public class LdapReferralException extends // If following referral, request controls are passed to referral ctx this.reqCtls = - (handleReferrals == LdapClient.LDAP_REF_FOLLOW ? reqCtls : null); + (handleReferrals == LdapClient.LDAP_REF_FOLLOW || + handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME ? reqCtls : null); } /** diff --git a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java index 1b9a2b0b75..8813ff6e33 100644 --- a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java +++ b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -186,7 +186,7 @@ final class LDAPCertStoreImpl { */ Hashtable currentEnv = ctx.getEnvironment(); if (currentEnv.get(Context.REFERRAL) == null) { - ctx.addToEnvironment(Context.REFERRAL, "follow"); + ctx.addToEnvironment(Context.REFERRAL, "follow-scheme"); } } catch (NamingException e) { if (debug != null) { From 7d98478b61d79a934b655fdef669516311999ee3 Mon Sep 17 00:00:00 2001 From: Anthony Scarpino Date: Wed, 26 Apr 2017 10:34:32 -0700 Subject: [PATCH 052/269] 8179101: Improve algorithm constraints implementation Reviewed-by: mullan, ahgross, rhalade, igerasim --- .../sun/security/util/DisabledAlgorithmConstraints.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java index 9051b39297..b763f7a35e 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java +++ b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java @@ -703,7 +703,6 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { private int minSize; // the minimal available key size private int maxSize; // the maximal available key size private int prohibitedSize = -1; // unavailable key sizes - private int size; public KeySizeConstraint(String algo, Operator operator, int length) { algorithm = algo; @@ -761,8 +760,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { return; } throw new CertPathValidatorException( - "Algorithm constraints check failed on keysize limits. " - + algorithm + " " + size + "bit key" + extendedMsg(cp), + "Algorithm constraints check failed on keysize limits. " + + algorithm + " " + KeyUtil.getKeySize(key) + "bit key" + + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } @@ -789,7 +789,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { return true; } - size = KeyUtil.getKeySize(key); + int size = KeyUtil.getKeySize(key); if (size == 0) { return false; // we don't allow any key of size 0. } else if (size > 0) { From d70778bebd6aaedd45860bdf55911221a47d9ddd Mon Sep 17 00:00:00 2001 From: Adam Petcher Date: Fri, 28 Apr 2017 10:17:46 -0400 Subject: [PATCH 053/269] 8172525: Improve key keying case Reviewed-by: mullan, valeriep, rhalade, ahgross --- .../classes/com/sun/crypto/provider/DESKey.java | 8 +++++++- .../classes/com/sun/crypto/provider/DESedeKey.java | 7 ++++++- .../classes/com/sun/crypto/provider/PBEKey.java | 7 ++++++- .../com/sun/crypto/provider/PBKDF2KeyImpl.java | 13 +++++++++++-- 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java index d3f1c99df2..bcc911675c 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESKey.java @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -79,7 +80,12 @@ final class DESKey implements SecretKey { public byte[] getEncoded() { // Return a copy of the key, rather than a reference, // so that the key data cannot be modified from outside - return this.key.clone(); + + // The key is zeroized by finalize() + // The reachability fence ensures finalize() isn't called early + byte[] result = key.clone(); + Reference.reachabilityFence(this); + return result; } public String getAlgorithm() { diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java index 9695ba39e6..14c4e4f14e 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DESedeKey.java @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -79,7 +80,11 @@ final class DESedeKey implements SecretKey { } public byte[] getEncoded() { - return this.key.clone(); + // The key is zeroized by finalize() + // The reachability fence ensures finalize() isn't called early + byte[] result = key.clone(); + Reference.reachabilityFence(this); + return result; } public String getAlgorithm() { diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java index 72e7452ace..99414e68ec 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBEKey.java @@ -25,6 +25,7 @@ package com.sun.crypto.provider; +import java.lang.ref.Reference; import java.security.MessageDigest; import java.security.KeyRep; import java.security.spec.InvalidKeySpecException; @@ -73,7 +74,11 @@ final class PBEKey implements SecretKey { } public byte[] getEncoded() { - return this.key.clone(); + // The key is zeroized by finalize() + // The reachability fence ensures finalize() isn't called early + byte[] result = key.clone(); + Reference.reachabilityFence(this); + return result; } public String getAlgorithm() { diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java index 1bf5156616..f68af499de 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java @@ -26,6 +26,7 @@ package com.sun.crypto.provider; import java.io.ObjectStreamException; +import java.lang.ref.Reference; import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.Charset; @@ -196,7 +197,11 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { } public byte[] getEncoded() { - return key.clone(); + // The key is zeroized by finalize() + // The reachability fence ensures finalize() isn't called early + byte[] result = key.clone(); + Reference.reachabilityFence(this); + return result; } public String getAlgorithm() { @@ -208,7 +213,11 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { } public char[] getPassword() { - return passwd.clone(); + // The password is zeroized by finalize() + // The reachability fence ensures finalize() isn't called early + char[] result = passwd.clone(); + Reference.reachabilityFence(this); + return result; } public byte[] getSalt() { From b45c8f3a3538c0cd346c668000c6a5f996ece3e4 Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Wed, 3 May 2017 12:56:02 -0400 Subject: [PATCH 054/269] 8174770: Check registry registration location Reviewed-by: dfuchs, smarks, chegar --- jdk/make/rmic/Rmic-java.rmi.gmk | 8 +- .../sun/rmi/registry/RegistryImpl.java | 36 +++- .../sun/rmi/registry/RegistryImpl_Skel.java | 177 ++++++++++++++++ .../sun/rmi/registry/RegistryImpl_Stub.java | 189 ++++++++++++++++++ .../classes/sun/rmi/server/Activation.java | 68 +++++-- .../sun/rmi/server/UnicastServerRef.java | 103 +++++----- .../jmxremote/SingleEntryRegistry.java | 20 +- .../NonLocalActivationTest.java | 181 +++++++++++++++++ .../NonLocalRegistryTest.java | 120 +++++++++++ .../nonLocalAccess/NonLocalJMXRemoteTest.java | 133 ++++++++++++ 10 files changed, 951 insertions(+), 84 deletions(-) create mode 100644 jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Skel.java create mode 100644 jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Stub.java create mode 100644 jdk/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java create mode 100644 jdk/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java create mode 100644 jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java diff --git a/jdk/make/rmic/Rmic-java.rmi.gmk b/jdk/make/rmic/Rmic-java.rmi.gmk index 9e4b2542b3..7a7a464e8e 100644 --- a/jdk/make/rmic/Rmic-java.rmi.gmk +++ b/jdk/make/rmic/Rmic-java.rmi.gmk @@ -40,15 +40,9 @@ $(eval $(call SetupRMICompilation,RMI_12, \ RUN_V12 := true)) GENCLASSES += $(RMI_12) -$(eval $(call SetupRMICompilation,RMI_11, \ - CLASSES := sun.rmi.registry.RegistryImpl, \ - CLASSES_DIR := $(CLASSES_DIR)/java.rmi, \ - STUB_CLASSES_DIR := $(STUB_CLASSES_DIR)/java.rmi, \ - RUN_V11 := true)) -GENCLASSES += $(RMI_11) ################################################################################ -all: $(RMI_11) $(RMI_12) +all: $(RMI_12) .PHONY: all diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java index d45cfac685..7aca99f075 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java @@ -75,6 +75,10 @@ import sun.rmi.transport.LiveRef; * registry. * * The LocateRegistry class is used to obtain registry for different hosts. + *

+ * The default RegistryImpl exported restricts access to clients on the local host + * for the methods {@link #bind}, {@link #rebind}, {@link #unbind} by checking + * the client host in the skeleton. * * @see java.rmi.registry.LocateRegistry */ @@ -143,6 +147,20 @@ public class RegistryImpl extends java.rmi.server.RemoteServer RMIClientSocketFactory csf, RMIServerSocketFactory ssf) throws RemoteException + { + this(port, csf, ssf, RegistryImpl::registryFilter); + } + + + /** + * Construct a new RegistryImpl on the specified port with the + * given custom socket factory pair and ObjectInputFilter. + */ + public RegistryImpl(int port, + RMIClientSocketFactory csf, + RMIServerSocketFactory ssf, + ObjectInputFilter serialFilter) + throws RemoteException { if (port == Registry.REGISTRY_PORT && System.getSecurityManager() != null) { // grant permission for default port only. @@ -150,7 +168,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer AccessController.doPrivileged(new PrivilegedExceptionAction() { public Void run() throws RemoteException { LiveRef lref = new LiveRef(id, port, csf, ssf); - setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter)); + setup(new UnicastServerRef2(lref, serialFilter)); return null; } }, null, new SocketPermission("localhost:"+port, "listen,accept")); @@ -226,7 +244,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer public void bind(String name, Remote obj) throws RemoteException, AlreadyBoundException, AccessException { - checkAccess("Registry.bind"); + // The access check preventing remote access is done in the skeleton + // and is not applicable to local access. synchronized (bindings) { Remote curr = bindings.get(name); if (curr != null) @@ -243,7 +262,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer public void unbind(String name) throws RemoteException, NotBoundException, AccessException { - checkAccess("Registry.unbind"); + // The access check preventing remote access is done in the skeleton + // and is not applicable to local access. synchronized (bindings) { Remote obj = bindings.get(name); if (obj == null) @@ -259,7 +279,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer public void rebind(String name, Remote obj) throws RemoteException, AccessException { - checkAccess("Registry.rebind"); + // The access check preventing remote access is done in the skeleton + // and is not applicable to local access. bindings.put(name, obj); } @@ -312,7 +333,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer if (clientHost.isAnyLocalAddress()) { throw new AccessException( - "Registry." + op + " disallowed; origin unknown"); + op + " disallowed; origin unknown"); } try { @@ -335,7 +356,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer // must have been an IOException throw new AccessException( - "Registry." + op + " disallowed; origin " + + op + " disallowed; origin " + clientHost + " is non-local host"); } } @@ -344,8 +365,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer * Local call from this VM: allow access. */ } catch (java.net.UnknownHostException ex) { - throw new AccessException("Registry." + op + - " disallowed; origin is unknown host"); + throw new AccessException(op + " disallowed; origin is unknown host"); } } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Skel.java b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Skel.java new file mode 100644 index 0000000000..842d477195 --- /dev/null +++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Skel.java @@ -0,0 +1,177 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + +package sun.rmi.registry; + +import java.io.IOException; +import java.io.InputStream; +import java.rmi.AccessException; +import java.rmi.server.RemoteCall; + +import sun.rmi.transport.Connection; +import sun.rmi.transport.StreamRemoteCall; +import sun.rmi.transport.tcp.TCPConnection; + +/** + * Skeleton to dispatch RegistryImpl methods. + * Originally generated by RMIC but frozen to match the stubs. + */ +@SuppressWarnings({"deprecation", "serial"}) +public final class RegistryImpl_Skel + implements java.rmi.server.Skeleton { + private static final java.rmi.server.Operation[] operations = { + new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"), + new java.rmi.server.Operation("java.lang.String list()[]"), + new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"), + new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"), + new java.rmi.server.Operation("void unbind(java.lang.String)") + }; + + private static final long interfaceHash = 4905912898345647071L; + + public java.rmi.server.Operation[] getOperations() { + return operations.clone(); + } + + public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash) + throws java.lang.Exception { + if (hash != interfaceHash) + throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch"); + + sun.rmi.registry.RegistryImpl server = (sun.rmi.registry.RegistryImpl) obj; + switch (opnum) { + case 0: // bind(String, Remote) + { + // Check access before reading the arguments + RegistryImpl.checkAccess("Registry.bind"); + + java.lang.String $param_String_1; + java.rmi.Remote $param_Remote_2; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_String_1 = (java.lang.String) in.readObject(); + $param_Remote_2 = (java.rmi.Remote) in.readObject(); + } catch (java.io.IOException | java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + server.bind($param_String_1, $param_Remote_2); + try { + call.getResultStream(true); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + case 1: // list() + { + call.releaseInputStream(); + java.lang.String[] $result = server.list(); + try { + java.io.ObjectOutput out = call.getResultStream(true); + out.writeObject($result); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + case 2: // lookup(String) + { + java.lang.String $param_String_1; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_String_1 = (java.lang.String) in.readObject(); + } catch (java.io.IOException | java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + java.rmi.Remote $result = server.lookup($param_String_1); + try { + java.io.ObjectOutput out = call.getResultStream(true); + out.writeObject($result); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + case 3: // rebind(String, Remote) + { + // Check access before reading the arguments + RegistryImpl.checkAccess("Registry.rebind"); + + java.lang.String $param_String_1; + java.rmi.Remote $param_Remote_2; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_String_1 = (java.lang.String) in.readObject(); + $param_Remote_2 = (java.rmi.Remote) in.readObject(); + } catch (java.io.IOException | java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + server.rebind($param_String_1, $param_Remote_2); + try { + call.getResultStream(true); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + case 4: // unbind(String) + { + // Check access before reading the arguments + RegistryImpl.checkAccess("Registry.unbind"); + + java.lang.String $param_String_1; + try { + java.io.ObjectInput in = call.getInputStream(); + $param_String_1 = (java.lang.String) in.readObject(); + } catch (java.io.IOException | java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling arguments", e); + } finally { + call.releaseInputStream(); + } + server.unbind($param_String_1); + try { + call.getResultStream(true); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling return", e); + } + break; + } + + default: + throw new java.rmi.UnmarshalException("invalid method number"); + } + } +} diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Stub.java b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Stub.java new file mode 100644 index 0000000000..f857486914 --- /dev/null +++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl_Stub.java @@ -0,0 +1,189 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.rmi.registry; +/** + * Stubs to invoke RegistryImpl remote methods. + * Originally generated from RMIC but frozen to match RegistryImpl_Skel. + */ +@SuppressWarnings({"deprecation", "serial"}) +public final class RegistryImpl_Stub + extends java.rmi.server.RemoteStub + implements java.rmi.registry.Registry, java.rmi.Remote { + private static final java.rmi.server.Operation[] operations = { + new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"), + new java.rmi.server.Operation("java.lang.String list()[]"), + new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"), + new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"), + new java.rmi.server.Operation("void unbind(java.lang.String)") + }; + + private static final long interfaceHash = 4905912898345647071L; + + // constructors + public RegistryImpl_Stub() { + super(); + } + + public RegistryImpl_Stub(java.rmi.server.RemoteRef ref) { + super(ref); + } + + // methods from remote interfaces + + // implementation of bind(String, Remote) + public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2) + throws java.rmi.AccessException, java.rmi.AlreadyBoundException, java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_String_1); + out.writeObject($param_Remote_2); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + ref.done(call); + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.rmi.AlreadyBoundException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + // implementation of list() + public java.lang.String[] list() + throws java.rmi.AccessException, java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash); + ref.invoke(call); + java.lang.String[] $result; + try { + java.io.ObjectInput in = call.getInputStream(); + $result = (java.lang.String[]) in.readObject(); + } catch (java.io.IOException e) { + throw new java.rmi.UnmarshalException("error unmarshalling return", e); + } catch (java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling return", e); + } finally { + ref.done(call); + } + return $result; + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + // implementation of lookup(String) + public java.rmi.Remote lookup(java.lang.String $param_String_1) + throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 2, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_String_1); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + java.rmi.Remote $result; + try { + java.io.ObjectInput in = call.getInputStream(); + $result = (java.rmi.Remote) in.readObject(); + } catch (java.io.IOException e) { + throw new java.rmi.UnmarshalException("error unmarshalling return", e); + } catch (java.lang.ClassNotFoundException e) { + throw new java.rmi.UnmarshalException("error unmarshalling return", e); + } finally { + ref.done(call); + } + return $result; + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.rmi.NotBoundException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + // implementation of rebind(String, Remote) + public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2) + throws java.rmi.AccessException, java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 3, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_String_1); + out.writeObject($param_Remote_2); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + ref.done(call); + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } + + // implementation of unbind(String) + public void unbind(java.lang.String $param_String_1) + throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException { + try { + java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 4, interfaceHash); + try { + java.io.ObjectOutput out = call.getOutputStream(); + out.writeObject($param_String_1); + } catch (java.io.IOException e) { + throw new java.rmi.MarshalException("error marshalling arguments", e); + } + ref.invoke(call); + ref.done(call); + } catch (java.lang.RuntimeException e) { + throw e; + } catch (java.rmi.RemoteException e) { + throw e; + } catch (java.rmi.NotBoundException e) { + throw e; + } catch (java.lang.Exception e) { + throw new java.rmi.UnexpectedException("undeclared checked exception", e); + } + } +} diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java index a6ebbca80c..6c60f46c60 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/Activation.java @@ -30,6 +30,7 @@ import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; +import java.io.ObjectInput; import java.io.ObjectInputStream; import java.io.OutputStream; import java.io.PrintStream; @@ -105,7 +106,6 @@ import sun.rmi.log.LogHandler; import sun.rmi.log.ReliableLog; import sun.rmi.registry.RegistryImpl; import sun.rmi.runtime.NewThreadAction; -import sun.rmi.server.UnicastServerRef; import sun.rmi.transport.LiveRef; import sun.security.provider.PolicyFile; import com.sun.rmi.rmid.ExecPermission; @@ -375,6 +375,7 @@ public class Activation implements Serializable { throw new AccessException( "binding ActivationSystem is disallowed"); } else { + RegistryImpl.checkAccess("ActivationSystem.bind"); super.bind(name, obj); } } @@ -386,6 +387,7 @@ public class Activation implements Serializable { throw new AccessException( "unbinding ActivationSystem is disallowed"); } else { + RegistryImpl.checkAccess("ActivationSystem.unbind"); super.unbind(name); } } @@ -398,6 +400,7 @@ public class Activation implements Serializable { throw new AccessException( "binding ActivationSystem is disallowed"); } else { + RegistryImpl.checkAccess("ActivationSystem.rebind"); super.rebind(name, obj); } } @@ -488,6 +491,33 @@ public class Activation implements Serializable { } + /** + * SameHostOnlyServerRef checks that access is from a local client + * before the parameters are deserialized. The unmarshalCustomCallData + * hook is used to check the network address of the caller + * with RegistryImpl.checkAccess(). + * The kind of access is retained for an exception if one is thrown. + */ + static class SameHostOnlyServerRef extends UnicastServerRef { + private static final long serialVersionUID = 1234L; + private String accessKind; // an exception message + + /** + * Construct a new SameHostOnlyServerRef from a LiveRef. + * @param lref a LiveRef + */ + SameHostOnlyServerRef(LiveRef lref, String accessKind) { + super(lref); + this.accessKind = accessKind; + } + + @Override + protected void unmarshalCustomCallData(ObjectInput in) throws IOException, ClassNotFoundException { + RegistryImpl.checkAccess(accessKind); + super.unmarshalCustomCallData(in); + } + } + class ActivationSystemImpl extends RemoteServer implements ActivationSystem @@ -505,7 +535,8 @@ public class Activation implements Serializable { * 'this' can be exported. */ LiveRef lref = new LiveRef(new ObjID(4), port, null, ssf); - UnicastServerRef uref = new UnicastServerRef(lref); + UnicastServerRef uref = new SameHostOnlyServerRef(lref, + "ActivationSystem.nonLocalAccess"); ref = uref; uref.exportObject(this, null); } @@ -514,8 +545,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.registerObject"); - + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. ActivationGroupID groupID = desc.getGroupID(); ActivationID id = new ActivationID(activatorStub); getGroupEntry(groupID).registerObject(id, desc, true); @@ -526,7 +557,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.unregisterObject"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. getGroupEntry(id).unregisterObject(id, true); } @@ -534,7 +566,8 @@ public class Activation implements Serializable { throws ActivationException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.registerGroup"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. checkArgs(desc, null); ActivationGroupID id = new ActivationGroupID(systemStub); @@ -551,7 +584,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.activeGroup"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. getGroupEntry(id).activeGroup(group, incarnation); return monitor; @@ -561,7 +595,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.unregisterGroup"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. // remove entry before unregister so state is updated before // logged @@ -573,7 +608,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.setActivationDesc"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. if (!getGroupID(id).equals(desc.getGroupID())) { throw new ActivationException( @@ -587,8 +623,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess( - "ActivationSystem.setActivationGroupDesc"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. checkArgs(desc, null); return getGroupEntry(id).setActivationGroupDesc(id, desc, true); @@ -598,7 +634,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.getActivationDesc"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. return getGroupEntry(id).getActivationDesc(id); } @@ -607,8 +644,8 @@ public class Activation implements Serializable { throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess - ("ActivationSystem.getActivationGroupDesc"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. return getGroupEntry(id).desc; } @@ -618,7 +655,8 @@ public class Activation implements Serializable { * the activation daemon and exits the activation daemon. */ public void shutdown() throws AccessException { - RegistryImpl.checkAccess("ActivationSystem.shutdown"); + // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef + // during unmarshallCustomData and is not applicable to local access. Object lock = startupLock; if (lock != null) { diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java index f2863a960c..9dbaed70c5 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java @@ -32,6 +32,7 @@ import java.io.ObjectInputStream; import java.io.ObjectOutput; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.rmi.AccessException; import java.rmi.MarshalException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -287,21 +288,26 @@ public class UnicastServerRef extends UnicastRef try { in = call.getInputStream(); num = in.readInt(); - if (num >= 0) { - if (skel != null) { - oldDispatch(obj, call, num); - return; - } else { - throw new UnmarshalException( - "skeleton class not found but required " + - "for client version"); - } - } - op = in.readLong(); } catch (Exception readEx) { throw new UnmarshalException("error unmarshalling call header", readEx); } + if (num >= 0) { + if (skel != null) { + oldDispatch(obj, call, num); + return; + } else { + throw new UnmarshalException( + "skeleton class not found but required " + + "for client version"); + } + } + try { + op = in.readLong(); + } catch (Exception readEx) { + throw new UnmarshalException("error unmarshalling call header", + readEx); + } /* * Since only system classes (with null class loaders) will be on @@ -333,6 +339,11 @@ public class UnicastServerRef extends UnicastRef params[i] = unmarshalValue(types[i], in); } + } catch (AccessException aex) { + // For compatibility, AccessException is not wrapped in UnmarshalException + // disable saving any refs in the inputStream for GC + ((StreamRemoteCall) call).discardPendingRefs(); + throw aex; } catch (java.io.IOException | ClassNotFoundException e) { // disable saving any refs in the inputStream for GC ((StreamRemoteCall) call).discardPendingRefs(); @@ -369,6 +380,7 @@ public class UnicastServerRef extends UnicastRef */ } } catch (Throwable e) { + Throwable origEx = e; logCallException(e); ObjectOutput out = call.getResultStream(false); @@ -384,6 +396,12 @@ public class UnicastServerRef extends UnicastRef clearStackTraces(e); } out.writeObject(e); + + // AccessExceptions should cause Transport.serviceCall + // to flag the connection as unusable. + if (origEx instanceof AccessException) { + throw new IOException("Connection is not reusable", origEx); + } } finally { call.releaseInputStream(); // in case skeleton doesn't call.releaseOutputStream(); @@ -412,62 +430,41 @@ public class UnicastServerRef extends UnicastRef * Handle server-side dispatch using the RMI 1.1 stub/skeleton * protocol, given a non-negative operation number that has * already been read from the call stream. + * Exceptions are handled by the caller to be sent to the remote client. * * @param obj the target remote object for the call * @param call the "remote call" from which operation and * method arguments can be obtained. * @param op the operation number - * @exception IOException if unable to marshal return result or + * @throws Exception if unable to marshal return result or * release input or output streams */ - public void oldDispatch(Remote obj, RemoteCall call, int op) - throws IOException + private void oldDispatch(Remote obj, RemoteCall call, int op) + throws Exception { long hash; // hash for matching stub with skeleton + // read remote call header + ObjectInput in; + in = call.getInputStream(); try { - // read remote call header - ObjectInput in; - try { - in = call.getInputStream(); - try { - Class clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel"); - if (clazz.isAssignableFrom(skel.getClass())) { - ((MarshalInputStream)in).useCodebaseOnly(); - } - } catch (ClassNotFoundException ignore) { } - hash = in.readLong(); - } catch (Exception readEx) { - throw new UnmarshalException("error unmarshalling call header", - readEx); + Class clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel"); + if (clazz.isAssignableFrom(skel.getClass())) { + ((MarshalInputStream)in).useCodebaseOnly(); } + } catch (ClassNotFoundException ignore) { } - // if calls are being logged, write out object id and operation - logCall(obj, skel.getOperations()[op]); - unmarshalCustomCallData(in); - // dispatch to skeleton for remote object - skel.dispatch(obj, call, op, hash); - - } catch (Throwable e) { - logCallException(e); - - ObjectOutput out = call.getResultStream(false); - if (e instanceof Error) { - e = new ServerError( - "Error occurred in server thread", (Error) e); - } else if (e instanceof RemoteException) { - e = new ServerException( - "RemoteException occurred in server thread", - (Exception) e); - } - if (suppressStackTraces) { - clearStackTraces(e); - } - out.writeObject(e); - } finally { - call.releaseInputStream(); // in case skeleton doesn't - call.releaseOutputStream(); + try { + hash = in.readLong(); + } catch (Exception ioe) { + throw new UnmarshalException("error unmarshalling call header", ioe); } + + // if calls are being logged, write out object id and operation + logCall(obj, skel.getOperations()[op]); + unmarshalCustomCallData(in); + // dispatch to skeleton for remote object + skel.dispatch(obj, call, op, hash); } /** diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java index 998b00ab14..c29df19c1a 100644 --- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java +++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java @@ -32,6 +32,7 @@ package sun.management.jmxremote; +import java.io.ObjectInputFilter; import java.rmi.AccessException; import java.rmi.NotBoundException; import java.rmi.Remote; @@ -56,7 +57,7 @@ public class SingleEntryRegistry extends RegistryImpl { String name, Remote object) throws RemoteException { - super(port, csf, ssf); + super(port, csf, ssf, SingleEntryRegistry::singleRegistryFilter); this.name = name; this.object = object; } @@ -84,6 +85,23 @@ public class SingleEntryRegistry extends RegistryImpl { throw new AccessException("Cannot modify this registry"); } + /** + * ObjectInputFilter to check parameters to SingleEntryRegistry. + * Since it is a read-only Registry, no classes are accepted. + * String arguments are accepted without passing them to the serialFilter. + * + * @param info a reference to the serialization filter information + * @return Status.REJECTED if parameters are out of range + */ + private static ObjectInputFilter.Status singleRegistryFilter(ObjectInputFilter.FilterInfo info) { + return (info.serialClass() != null || + info.depth() > 2 || + info.references() > 4 || + info.arrayLength() >= 0) + ? ObjectInputFilter.Status.REJECTED + : ObjectInputFilter.Status.ALLOWED; + } + private final String name; private final Remote object; diff --git a/jdk/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java b/jdk/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java new file mode 100644 index 0000000000..55cea96a0d --- /dev/null +++ b/jdk/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java @@ -0,0 +1,181 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.net.InetAddress; +import java.rmi.AccessException; +import java.rmi.activation.ActivationSystem; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.Set; + +/* + * @test + * @bug 8174770 + * @summary Verify that ActivationSystem rejects non-local access. + * The test is manual because the (non-local) host running rmid must be supplied as a property. + * @run main/manual/othervm -Dactivation.host=rmid-host NonLocalActivationTest + */ + +/** + * Lookup the ActivationSystem on a different host and invoke its remote interface methods. + * They should all throw an exception, non-local access is prohibited. + * + * This test is a manual test and uses rmid running on a *different* host. + * The default port (1098) for the Activation System is ok and expected. + * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmid}. + * It will not show any output. + * + * On the first host modify the @run command above to replace "rmid-host" + * with the hostname or IP address of the different host and run the test with jtreg. + */ +public class NonLocalActivationTest +{ + public static void main(String[] args) throws Exception { + + String host = System.getProperty("activation.host"); + if (host == null || host.isEmpty()) { + throw new RuntimeException("Specify host with system property: -Dactivation.host="); + } + + // Check if running the test on a local system; it only applies to remote + String myHostName = InetAddress.getLocalHost().getHostName(); + Set myAddrs = Set.of(InetAddress.getAllByName(myHostName)); + Set hostAddrs = Set.of(InetAddress.getAllByName(host)); + if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i)) + || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) { + throw new RuntimeException("Error: property 'activation.host' must not be the local host%n"); + } + + // Locate the registry operated by the ActivationSystem + // Test SystemRegistryImpl + Registry registry = LocateRegistry.getRegistry(host, ActivationSystem.SYSTEM_PORT); + try { + // Verify it is an ActivationSystem registry + registry.lookup("java.rmi.activation.ActivationSystem"); + } catch (Exception nf) { + throw new RuntimeException("Not a ActivationSystem registry, does not contain java.rmi.activation.ActivationSystem", nf); + } + + try { + registry.bind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: bind"); + } catch (Exception e) { + assertIsAccessException(e, "Registry.bind"); + } + + try { + registry.rebind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: rebind"); + } catch (Exception e) { + assertIsAccessException(e, "Registry.rebind"); + } + + try { + registry.unbind("foo"); + throw new RuntimeException("Remote access should not succeed for method: unbind"); + } catch (Exception e) { + assertIsAccessException(e, "Registry.unbind"); + } + + + // Locate the ActivationSystem on the specified host and default port. + // Test each of the ActivationSystem methods + ActivationSystem as = (ActivationSystem) registry.lookup("java.rmi.activation.ActivationSystem"); + + // Argument is not material, access check is before arg processing + + try { + as.registerGroup(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.getActivationDesc(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.getActivationGroupDesc(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.registerObject(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.unregisterGroup(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.unregisterObject(null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.setActivationDesc(null, null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + + try { + as.setActivationGroupDesc(null, null); + } catch (Exception aex) { + assertIsAccessException(aex, "ActivationSystem.nonLocalAccess"); + } + } + + /** + * Check the exception chain for the expected AccessException and message. + * @param ex the exception from the remote invocation. + */ + private static void assertIsAccessException(Exception ex, String msg1) { + Throwable t = ex; + System.out.println(); + while (!(t instanceof AccessException) && t.getCause() != null) { + t = t.getCause(); + } + if (t instanceof AccessException) { + String msg = t.getMessage(); + int asIndex = msg.indexOf(msg1); + int disallowIndex = msg.indexOf("disallowed"); + int nonLocalHostIndex = msg.indexOf("non-local host"); + if (asIndex < 0 || + disallowIndex < 0 || + nonLocalHostIndex < 0 ) { + throw new RuntimeException("exception message is malformed", t); + } + System.out.printf("Found expected AccessException: %s%n", t); + } else { + throw new RuntimeException("AccessException did not occur", ex); + } + } +} diff --git a/jdk/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java b/jdk/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java new file mode 100644 index 0000000000..7dd1476823 --- /dev/null +++ b/jdk/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java @@ -0,0 +1,120 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.net.InetAddress; +import java.rmi.AccessException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.Set; + +/* @test + * @bug 8174770 + * @summary Verify that Registry rejects non-local access for bind, unbind, rebind. + * The test is manual because the (non-local) host running rmiregistry must be supplied as a property. + * @run main/othervm/manual -Dregistry.host=rmi-registry-host NonLocalRegistryTest + */ + +/** + * Verify that access checks for Registry.bind(), .rebind(), and .unbind() + * are prevented on remote access to the registry. + * + * This test is a manual test and uses a standard rmiregistry running + * on a *different* host. + * The test verifies that the access check is performed *before* the object to be + * bound or rebound is deserialized. + * + * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmiregistry}. + * It will not show any output. + * + * On the first host modify the @run command above to replace "rmi-registry-host" + * with the hostname or IP address of the different host and run the test with jtreg. + */ +public class NonLocalRegistryTest { + + public static void main(String[] args) throws Exception { + + String host = System.getProperty("registry.host"); + if (host == null || host.isEmpty()) { + throw new RuntimeException("Specify host with system property: -Dregistry.host="); + } + + // Check if running the test on a local system; it only applies to remote + String myHostName = InetAddress.getLocalHost().getHostName(); + Set myAddrs = Set.of(InetAddress.getAllByName(myHostName)); + Set hostAddrs = Set.of(InetAddress.getAllByName(host)); + if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i)) + || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) { + throw new RuntimeException("Error: property 'registry.host' must not be the local host%n"); + } + + Registry registry = LocateRegistry.getRegistry(host, Registry.REGISTRY_PORT); + + try { + registry.bind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: bind"); + } catch (Exception e) { + assertIsAccessException(e); + } + + try { + registry.rebind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: rebind"); + } catch (Exception e) { + assertIsAccessException(e); + } + + try { + registry.unbind("foo"); + throw new RuntimeException("Remote access should not succeed for method: unbind"); + } catch (Exception e) { + assertIsAccessException(e); + } + } + + /** + * Check the exception chain for the expected AccessException and message. + * @param ex the exception from the remote invocation. + */ + private static void assertIsAccessException(Throwable ex) { + Throwable t = ex; + while (!(t instanceof AccessException) && t.getCause() != null) { + t = t.getCause(); + } + if (t instanceof AccessException) { + String msg = t.getMessage(); + int asIndex = msg.indexOf("Registry"); + int rrIndex = msg.indexOf("Registry.Registry"); // Obsolete error text + int disallowIndex = msg.indexOf("disallowed"); + int nonLocalHostIndex = msg.indexOf("non-local host"); + if (asIndex < 0 || + rrIndex != -1 || + disallowIndex < 0 || + nonLocalHostIndex < 0 ) { + throw new RuntimeException("exception message is malformed", t); + } + System.out.printf("Found expected AccessException: %s%n%n", t); + } else { + throw new RuntimeException("AccessException did not occur when expected", ex); + } + } +} diff --git a/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java b/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java new file mode 100644 index 0000000000..d05aff18f5 --- /dev/null +++ b/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java @@ -0,0 +1,133 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.net.InetAddress; +import java.rmi.AccessException; +import java.rmi.NotBoundException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.Set; + +/* @test + * @bug 8174770 + * @summary Verify that JMX Registry rejects non-local access for bind, unbind, rebind. + * The test is manual because the (non-local) host and port running JMX must be supplied as properties. + * @run main/othervm/manual -Djmx-registry.host=jmx-registry-host -Djmx-registry.port=jmx-registry-port NonLocalJMXRemoteTest + */ + +/** + * Verify that access checks for the Registry exported by JMX Registry.bind(), + * .rebind(), and .unbind() are prevented on remote access to the registry. + * The test verifies that the access check is performed *before* the object to be + * bound or rebound is deserialized. + * This tests the SingleEntryRegistry implemented by JMX. + * This test is a manual test and uses JMX running on a *different* host. + * JMX can be enabled in any Java runtime; for example: + * login or ssh to the different host and invoke rmiregistry with arguments below. + * It will not show any output. + * {@code $JDK_HOME/bin/rmiregistry \ + * -J-Dcom.sun.management.jmxremote.port=8888 \ + * -J-Dcom.sun.management.jmxremote.local.only=false \ + * -J-Dcom.sun.management.jmxremote.ssl=false \ + * -J-Dcom.sun.management.jmxremote.authenticate=false + * } + * On the first host modify the @run command above to replace "jmx-registry-host" + * with the hostname or IP address of the different host and run the test with jtreg. + */ +public class NonLocalJMXRemoteTest { + + public static void main(String[] args) throws Exception { + + String host = System.getProperty("jmx-registry.host"); + if (host == null || host.isEmpty()) { + throw new RuntimeException("Specify host with system property: -Djmx-registry.host="); + } + int port = Integer.getInteger("jmx-registry.port", -1); + if (port <= 0) { + throw new RuntimeException("Specify port with system property: -Djmx-registry.port="); + } + + // Check if running the test on a local system; it only applies to remote + String myHostName = InetAddress.getLocalHost().getHostName(); + Set myAddrs = Set.of(InetAddress.getAllByName(myHostName)); + Set hostAddrs = Set.of(InetAddress.getAllByName(host)); + if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i)) + || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) { + throw new RuntimeException("Error: property 'jmx-registry.host' must not be the local host%n"); + } + + Registry registry = LocateRegistry.getRegistry(host, port); + try { + // Verify it is a JMX Registry + registry.lookup("jmxrmi"); + } catch (NotBoundException nf) { + throw new RuntimeException("Not a JMX registry, jmxrmi is not bound", nf); + } + + try { + registry.bind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: bind"); + } catch (Exception e) { + assertIsAccessException(e); + } + + try { + registry.rebind("foo", null); + throw new RuntimeException("Remote access should not succeed for method: rebind"); + } catch (Exception e) { + assertIsAccessException(e); + } + + try { + registry.unbind("foo"); + throw new RuntimeException("Remote access should not succeed for method: unbind"); + } catch (Exception e) { + assertIsAccessException(e); + } + } + + /** + * Check the exception chain for the expected AccessException and message. + * @param ex the exception from the remote invocation. + */ + private static void assertIsAccessException(Throwable ex) { + Throwable t = ex; + while (!(t instanceof AccessException) && t.getCause() != null) { + t = t.getCause(); + } + if (t instanceof AccessException) { + String msg = t.getMessage(); + int asIndex = msg.indexOf("Registry"); + int disallowIndex = msg.indexOf("disallowed"); + int nonLocalHostIndex = msg.indexOf("non-local host"); + if (asIndex < 0 || + disallowIndex < 0 || + nonLocalHostIndex < 0 ) { + throw new RuntimeException("exception message is malformed", t); + } + System.out.printf("Found expected AccessException: %s%n%n", t); + } else { + throw new RuntimeException("AccessException did not occur when expected", ex); + } + } +} From c9c3dd968f2a1c6a186831b6b400573d839cf5b8 Mon Sep 17 00:00:00 2001 From: Adam Petcher Date: Thu, 11 May 2017 17:21:16 +0000 Subject: [PATCH 055/269] 8175106: Higher quality DSA operations Reviewed-by: vinnie, valeriep, rhalade, ahgross, xuelei --- .../classes/sun/security/provider/DSA.java | 57 +++++++------------ 1 file changed, 20 insertions(+), 37 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/provider/DSA.java b/jdk/src/java.base/share/classes/sun/security/provider/DSA.java index 5763e65028..9fc47851ba 100644 --- a/jdk/src/java.base/share/classes/sun/security/provider/DSA.java +++ b/jdk/src/java.base/share/classes/sun/security/provider/DSA.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -64,6 +64,13 @@ abstract class DSA extends SignatureSpi { /* Are we debugging? */ private static final boolean debug = false; + /* The number of bits used in exponent blinding */ + private static final int BLINDING_BITS = 7; + + /* The constant component of the exponent blinding value */ + private static final BigInteger BLINDING_CONSTANT = + BigInteger.valueOf(1 << BLINDING_BITS); + /* The parameter object */ private DSAParams params; @@ -368,8 +375,19 @@ abstract class DSA extends SignatureSpi { return null; } + private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g, BigInteger k) { + + // exponent blinding to hide information from timing channel + SecureRandom random = getSigningRandom(); + // start with a random blinding component + BigInteger blindingValue = new BigInteger(BLINDING_BITS, random); + // add the fixed blinding component + blindingValue = blindingValue.add(BLINDING_CONSTANT); + // replace k with a blinded value that is congruent (mod q) + k = k.add(q.multiply(blindingValue)); + BigInteger temp = g.modPow(k, p); return temp.mod(q); } @@ -434,43 +452,8 @@ abstract class DSA extends SignatureSpi { byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8]; random.nextBytes(kValue); - BigInteger k = new BigInteger(1, kValue).mod( + return new BigInteger(1, kValue).mod( q.subtract(BigInteger.ONE)).add(BigInteger.ONE); - - // Using an equivalent exponent of fixed length (same as q or 1 bit - // less than q) to keep the kG timing relatively constant. - // - // Note that this is an extra step on top of the approach defined in - // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K. - k = k.add(q).divide(BigInteger.TWO); - - // An alternative implementation based on FIPS 186-4 AppendixB2.2 - // with fixed-length K. - // - // Please keep it here as we may need to switch to it in the future. - // - // SecureRandom random = getSigningRandom(); - // byte[] kValue = new byte[(q.bitLength() + 7)/8]; - // BigInteger d = q.subtract(BigInteger.TWO); - // BigInteger k; - // do { - // random.nextBytes(kValue); - // BigInteger c = new BigInteger(1, kValue); - // if (c.compareTo(d) <= 0) { - // k = c.add(BigInteger.ONE); - // // Using an equivalent exponent of fixed length to keep - // // the g^k timing relatively constant. - // // - // // Note that this is an extra step on top of the approach - // // defined in FIPS 186-4 AppendixB.2.2 so as to make a - // // fixed length K. - // if (k.bitLength() >= q.bitLength()) { - // break; - // } - // } - // } while (true); - - return k; } // Use the application-specified SecureRandom Object if provided. From 9298095560bba0fa6733372fc26b088fd2023969 Mon Sep 17 00:00:00 2001 From: Harsha Wardhana B Date: Fri, 12 May 2017 18:21:13 +0530 Subject: [PATCH 056/269] 8176055: JMX diagnostic improvements Reviewed-by: dfuchs, mchung, ahgross, rhalade, jwilhelm --- .../com/sun/management/HotSpotDiagnosticMXBean.java | 5 +++-- .../sun/management/internal/HotSpotDiagnostic.java | 13 +++++++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java b/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java index 40d79a2800..c79d511b47 100644 --- a/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java +++ b/jdk/src/jdk.management/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -61,9 +61,10 @@ public interface HotSpotDiagnosticMXBean extends PlatformManagedObject { * @param outputFile the system-dependent filename * @param live if {@code true} dump only live objects * i.e. objects that are reachable from others - * @throws IOException if the {@code outputFile} + * @throws IOException if the {@code outputFile} already exists, * cannot be created, opened, or written to. * @throws UnsupportedOperationException if this operation is not supported. + * @throws IllegalArgumentException if {@code outputFile} does not end with ".hprof" suffix. * @throws NullPointerException if {@code outputFile} is {@code null}. * @throws SecurityException * If a security manager exists and its {@link diff --git a/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java b/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java index 5b9d8efdaf..4edf6ad2e3 100644 --- a/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java +++ b/jdk/src/jdk.management/share/classes/com/sun/management/internal/HotSpotDiagnostic.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -22,7 +22,6 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ - package com.sun.management.internal; import java.io.IOException; @@ -32,6 +31,8 @@ import javax.management.ObjectName; import com.sun.management.HotSpotDiagnosticMXBean; import com.sun.management.VMOption; +import java.security.AccessController; +import java.security.PrivilegedAction; import sun.management.Util; /** @@ -43,6 +44,14 @@ public class HotSpotDiagnostic implements HotSpotDiagnosticMXBean { @Override public void dumpHeap(String outputFile, boolean live) throws IOException { + + String propertyName = "jdk.management.heapdump.allowAnyFileSuffix"; + PrivilegedAction pa = () -> Boolean.parseBoolean(System.getProperty(propertyName, "false")); + boolean allowAnyFileSuffix = AccessController.doPrivileged(pa); + if (!allowAnyFileSuffix && !outputFile.endsWith(".hprof")) { + throw new IllegalArgumentException("heapdump file must have .hprof extention"); + } + SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkWrite(outputFile); From 30a43fa0a4d321cc463533ce9da5d8186d3f8884 Mon Sep 17 00:00:00 2001 From: Anthony Scarpino Date: Fri, 12 May 2017 08:20:11 -0700 Subject: [PATCH 057/269] 8179998: Clear certificate chain connections Reviewed-by: mullan, ahgross, rhalade, igerasim --- .../classes/sun/security/pkcs/SignerInfo.java | 6 ++++++ .../provider/certpath/SunCertPathBuilder.java | 2 +- .../java.base/share/conf/security/java.security | 14 +++++++------- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java index 6efd90d067..18e32fc7dd 100644 --- a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java +++ b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java @@ -323,6 +323,12 @@ public class SignerInfo implements DerEncoder { data = content.getContentBytes(); } + Timestamp timestamp = null; + try { + timestamp = getTimestamp(); + } catch (Exception ignore) { + } + ConstraintsParameters cparams = new ConstraintsParameters(timestamp); String digestAlgname = getDigestAlgorithmId().getName(); diff --git a/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java index 11d8a06732..5f825ff44b 100644 --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java @@ -344,7 +344,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { // add the algorithm checker checkers.add(new AlgorithmChecker(builder.trustAnchor, - buildParams.date(), null)); + buildParams.date(), buildParams.variant())); BasicChecker basicChecker = null; if (nextState.keyParamsNeeded()) { diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security index a564f7c367..5ddf619881 100644 --- a/jdk/src/java.base/share/conf/security/java.security +++ b/jdk/src/java.base/share/conf/security/java.security @@ -545,21 +545,21 @@ krb5.kdc.bad.policy = tryLast # jdkCA # This constraint prohibits the specified algorithm only if the # algorithm is used in a certificate chain that terminates at a marked -# trust anchor in the lib/security/cacerts keystore. If the jdkCA -# constraint is not set, then all chains using the specified algorithm +# trust anchor in the lib/security/cacerts keystore. If the jdkCA +# constraint is not set, then all chains using the specified algorithm # are restricted. jdkCA may only be used once in a DisabledAlgorithm # expression. -# Example:  To apply this constraint to SHA-1 certificates, include -# the following:  "SHA1 jdkCA" +# Example: To apply this constraint to SHA-1 certificates, include +# the following: "SHA1 jdkCA" # # DenyAfterConstraint: # denyAfter YYYY-MM-DD # This constraint prohibits a certificate with the specified algorithm # from being used after the date regardless of the certificate's -# validity.  JAR files that are signed and timestamped before the +# validity. JAR files that are signed and timestamped before the # constraint date with certificates containing the disabled algorithm -# will not be restricted.  The date is processed in the UTC timezone. -# This constraint can only be used once in a DisabledAlgorithm +# will not be restricted. The date is processed in the UTC timezone. +# This constraint can only be used once in a DisabledAlgorithm # expression. # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" From 5b3e8585b57a0ae8e264b21d9860195d2541407e Mon Sep 17 00:00:00 2001 From: Adam Petcher Date: Fri, 12 May 2017 17:30:47 +0100 Subject: [PATCH 058/269] 8175110: Higher quality ECDSA operations Reviewed-by: jnimeh, valeriep, vinnie, xuelei --- .../sun/security/ec/ECDSASignature.java | 20 +++++- .../share/native/libsunec/ECC_JNI.cpp | 6 +- .../share/native/libsunec/impl/ec.c | 38 +++++------ .../share/native/libsunec/impl/ec2.h | 5 +- .../share/native/libsunec/impl/ec2_aff.c | 6 +- .../share/native/libsunec/impl/ec2_mont.c | 9 ++- .../share/native/libsunec/impl/ecc_impl.h | 6 +- .../share/native/libsunec/impl/ecl-priv.h | 14 ++-- .../share/native/libsunec/impl/ecl.h | 8 ++- .../share/native/libsunec/impl/ecl_mult.c | 36 ++++++----- .../share/native/libsunec/impl/ecp.h | 13 ++-- .../share/native/libsunec/impl/ecp_aff.c | 6 +- .../share/native/libsunec/impl/ecp_jac.c | 9 +-- .../share/native/libsunec/impl/ecp_jm.c | 64 +++++++++++++++++-- 14 files changed, 162 insertions(+), 78 deletions(-) diff --git a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java index 3b743388bd..f2ac54407e 100644 --- a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java +++ b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -370,9 +370,15 @@ abstract class ECDSASignature extends SignatureSpi { } random.nextBytes(seed); + // random bits needed for timing countermeasures + int timingArgument = random.nextInt(); + // values must be non-zero to enable countermeasures + timingArgument |= 1; + byte[] sig; try { - sig = signDigest(getDigestValue(), s, encodedParams, seed); + sig = signDigest(getDigestValue(), s, encodedParams, seed, + timingArgument); } catch (GeneralSecurityException e) { throw new SignatureException("Could not sign data", e); } @@ -509,11 +515,19 @@ abstract class ECDSASignature extends SignatureSpi { * @param s the private key's S value. * @param encodedParams the curve's DER encoded object identifier. * @param seed the random seed. + * @param timing When non-zero, the implmentation will use timing + * countermeasures to hide secrets from timing channels. The EC + * implementation will disable the countermeasures when this value is + * zero, because the underlying EC functions are shared by several + * crypto operations, some of which do not use the countermeasures. + * The high-order 31 bits must be uniformly random. The entropy from + * these bits is used by the countermeasures. * * @return byte[] the signature. */ private static native byte[] signDigest(byte[] digest, byte[] s, - byte[] encodedParams, byte[] seed) throws GeneralSecurityException; + byte[] encodedParams, byte[] seed, int timing) + throws GeneralSecurityException; /** * Verifies the signed digest using the public key. diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp index 31c2d07489..1cec7835a8 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -196,7 +196,7 @@ cleanup: */ JNIEXPORT jbyteArray JNICALL Java_sun_security_ec_ECDSASignature_signDigest - (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed) + (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing) { jbyte* pDigestBuffer = NULL; jint jDigestLength = env->GetArrayLength(digest); @@ -256,7 +256,7 @@ JNICALL Java_sun_security_ec_ECDSASignature_signDigest // Sign the digest (using the supplied seed) if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item, - (unsigned char *) pSeedBuffer, jSeedLength, 0) != SECSuccess) { + (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) { ThrowException(env, KEY_EXCEPTION); goto cleanup; } diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c index 4f3cab36b8..c439eb702b 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -34,7 +34,7 @@ * Dr Vipul Gupta and * Douglas Stebila , Sun Microsystems Laboratories * - * Last Modified Date from the Original Code: November 2016 + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "mplogic.h" @@ -87,7 +87,7 @@ ec_point_at_infinity(SECItem *pointP) */ SECStatus ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2, - const SECItem *pointP, SECItem *pointQ, int kmflag) + const SECItem *pointP, SECItem *pointQ, int kmflag, int timing) { mp_int Px, Py, Qx, Qy; mp_int Gx, Gy, order, irreducible, a, b; @@ -199,9 +199,9 @@ ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2, goto cleanup; if ((k2 != NULL) && (pointP != NULL)) { - CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) ); + CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy, timing) ); } else { - CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) ); + CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy, timing) ); } /* Construct the SECItem representation of point Q */ @@ -333,7 +333,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, (mp_size) len) ); - rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag); + /* key generation does not support timing mitigation */ + rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag, /*timing*/ 0); if (rv != SECSuccess) goto cleanup; *privKey = key; @@ -610,7 +611,8 @@ ECDH_Derive(SECItem *publicValue, } /* Multiply our private key and peer's public point */ - if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag) != SECSuccess) || + /* ECDH doesn't support timing mitigation */ + if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag, /*timing*/ 0) != SECSuccess) || ec_point_at_infinity(&pointQ)) goto cleanup; @@ -645,7 +647,8 @@ cleanup: */ SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, - const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag) + const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag, + int timing) { SECStatus rv = SECFailure; mp_int x1; @@ -714,16 +717,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, goto cleanup; } - /* - * Using an equivalent exponent of fixed length (same as n or 1 bit less - * than n) to keep the kG timing relatively constant. - * - * Note that this is an extra step on top of the approach defined in - * ANSI X9.62 so as to make a fixed length K. - */ - CHECK_MPI_OK( mp_add(&k, &n, &k) ); - CHECK_MPI_OK( mp_div_2(&k, &k) ); - /* ** ANSI X9.62, Section 5.3.2, Step 2 ** @@ -732,7 +725,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, kGpoint.len = 2*flen + 1; kGpoint.data = PORT_Alloc(2*flen + 1, kmflag); if ((kGpoint.data == NULL) || - (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag) + (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag, timing) != SECSuccess)) goto cleanup; @@ -854,7 +847,7 @@ cleanup: */ SECStatus ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest, - const unsigned char* random, int randomLen, int kmflag) + const unsigned char* random, int randomLen, int kmflag, int timing) { SECStatus rv = SECFailure; int len; @@ -872,7 +865,7 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest, if (kBytes == NULL) goto cleanup; /* Generate ECDSA signature with the specified k value */ - rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag); + rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag, timing); cleanup: if (kBytes) { @@ -1018,7 +1011,8 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, ** Here, A = u1.G B = u2.Q and C = A + B ** If the result, C, is the point at infinity, reject the signature */ - if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag) + /* verification does not support timing mitigation */ + if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag, /*timing*/ 0) != SECSuccess) { rv = SECFailure; goto cleanup; diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h index aa5f2bba44..72df04ef41 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ * Contributor(s): * Douglas Stebila , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #ifndef _EC2_H @@ -79,7 +80,7 @@ mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px, * determines the field GF2m. Uses Montgomery projective coordinates. */ mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); + const ECGroup *group, int timing); #ifdef ECL_ENABLE_GF2M_PROJ /* Converts a point P(px, py) from affine coordinates to projective diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c index 5a546c0544..8d0f5460f6 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_aff.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ * Contributor(s): * Douglas Stebila , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "ec2.h" @@ -329,7 +330,8 @@ ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group) /* 4: Verify that the order of the curve times the publicValue * is the point at infinity. */ - MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) ); + /* timing mitigation is not supported */ + MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) ); if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) { res = MP_NO; goto CLEANUP; diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c index b91e65ea08..bb605536f0 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ec2_mont.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -35,6 +35,7 @@ * Stephen Fung , and * Douglas Stebila , Sun Microsystems Laboratories. * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "ec2.h" @@ -181,10 +182,12 @@ gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1, /* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R. "Fast * multiplication on elliptic curves over GF(2^m) without * precomputation". Elliptic curve points P and R can be identical. Uses - * Montgomery projective coordinates. */ + * Montgomery projective coordinates. The timing parameter is ignored + * because this algorithm resists timing attacks by default. */ mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group) + mp_int *rx, mp_int *ry, const ECGroup *group, + int timing) { mp_err res = MP_OKAY; mp_int x1, x2, z1, z2; diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h index 0739f4c888..48aa13a4b0 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -34,7 +34,7 @@ * Dr Vipul Gupta and * Douglas Stebila , Sun Microsystems Laboratories * - * Last Modified Date from the Original Code: November 2013 + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #ifndef _ECC_IMPL_H @@ -258,7 +258,7 @@ extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey, const unsigned char* random, int randomlen, int); /* This function has been modified to accept an array of random bytes */ extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *, - const unsigned char* random, int randomlen, int); + const unsigned char* random, int randomlen, int, int timing); extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *, const SECItem *, int); extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t, diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h index fa232ddfec..bdfe61547b 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl-priv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -34,6 +34,7 @@ * Stephen Fung and * Douglas Stebila , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #ifndef _ECL_PRIV_H @@ -193,12 +194,13 @@ struct ECGroupStr { mp_int *ry, const ECGroup *group); mp_err (*point_mul) (const mp_int *n, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); + const ECGroup *group, int timing); mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry, const ECGroup *group); mp_err (*points_mul) (const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); + mp_int *ry, const ECGroup *group, + int timing); mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group); /* Extra storage for implementation-specific data. Any memory * allocated to these extra fields will be cleared by extra_free. */ @@ -262,10 +264,12 @@ void ec_GFp_extra_free_mont(GFMethod *meth); /* point multiplication */ mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); + mp_int *ry, const ECGroup *group, + int timing); mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, - mp_int *ry, const ECGroup *group); + mp_int *ry, const ECGroup *group, + int timing); /* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should * be an array of signed char's to output to, bitsize should be the number diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h index 3a83a9e1f3..deff0aa119 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ * Contributor(s): * Douglas Stebila , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #ifndef _ECL_H @@ -70,7 +71,8 @@ void EC_FreeCurveParams(ECCurveParams * params); * of the group of points on the elliptic curve. Input and output values * are assumed to be NOT field-encoded. */ mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, - const mp_int *py, mp_int *qx, mp_int *qy); + const mp_int *py, mp_int *qx, mp_int *qy, + int timing); /* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G + * k2 * P(x, y), where G is the generator (base point) of the group of @@ -78,7 +80,7 @@ mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, * be NOT field-encoded. */ mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, - mp_int *qx, mp_int *qy); + mp_int *qx, mp_int *qy, int timing); /* Validates an EC public key as described in Section 5.2.2 of X9.62. * Returns MP_YES if the public key is valid, MP_NO if the public key diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c index 92dd0eccbe..16f259271f 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecl_mult.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,7 +33,7 @@ * Contributor(s): * Douglas Stebila , Sun Microsystems Laboratories * - * Last Modified Date from the Original Code: Nov 2016 + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "mpi.h" @@ -50,7 +50,8 @@ * are assumed to be NOT field-encoded. */ mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry) + const mp_int *py, mp_int *rx, mp_int *ry, + int timing) { mp_err res = MP_OKAY; mp_int kt; @@ -76,16 +77,16 @@ ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, kt.flag = (mp_sign)0; MP_CHECKOK(group-> point_mul(&kt, &group->genx, &group->geny, rx, ry, - group)); + group, timing)); } } else { if (group->meth->field_enc) { MP_CHECKOK(group->meth->field_enc(px, rx, group->meth)); MP_CHECKOK(group->meth->field_enc(py, ry, group->meth)); - MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group)); + MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group, timing)); } else { kt.flag = (mp_sign)0; - MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group)); + MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group, timing)); } } if (group->meth->field_dec) { @@ -107,7 +108,7 @@ ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px, mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) + const ECGroup *group, int timing) { mp_err res = MP_OKAY; mp_int sx, sy; @@ -119,9 +120,9 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, /* if some arguments are not defined used ECPoint_mul */ if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); + return ECPoint_mul(group, k2, px, py, rx, ry, timing); } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); + return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing); } MP_DIGITS(&sx) = 0; @@ -129,8 +130,8 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, MP_CHECKOK(mp_init(&sx, FLAG(k1))); MP_CHECKOK(mp_init(&sy, FLAG(k1))); - MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy)); - MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry)); + MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy, timing)); + MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry, timing)); if (group->meth->field_enc) { MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth)); @@ -162,7 +163,7 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px, mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) + const ECGroup *group, int timing) { mp_err res = MP_OKAY; mp_int precomp[4][4][2]; @@ -177,9 +178,9 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px, /* if some arguments are not defined used ECPoint_mul */ if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); + return ECPoint_mul(group, k2, px, py, rx, ry, timing); } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); + return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing); } /* initialize precomputation table */ @@ -311,7 +312,8 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px, * Input and output values are assumed to be NOT field-encoded. */ mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2, - const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry) + const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, + int timing) { mp_err res = MP_OKAY; mp_int k1t, k2t; @@ -348,9 +350,9 @@ ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2, /* if points_mul is defined, then use it */ if (group->points_mul) { - res = group->points_mul(k1p, k2p, px, py, rx, ry, group); + res = group->points_mul(k1p, k2p, px, py, rx, ry, group, timing); } else { - res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group); + res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group, timing); } CLEANUP: diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h index c2aad8e83c..b367b909e8 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ * Contributor(s): * Douglas Stebila , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #ifndef _ECP_H @@ -122,7 +123,7 @@ mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, mp_err ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group); + const ECGroup *group, int timing); /* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic * curve points P and R can be identical. Uses mixed Modified-Jacobian @@ -131,9 +132,13 @@ mp_err * returns output that is still field-encoded. Uses 5-bit window NAF * method (algorithm 11) for scalar-point multiplication from Brown, * Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic - * Curves Over Prime Fields. */ + * Curves Over Prime Fields. The implementation includes a countermeasure + * that attempts to hide the size of n from timing channels. This counter- + * measure is enabled using the timing argument. The high-rder bits of timing + * must be uniformly random in order for this countermeasure to work. */ mp_err ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group); + mp_int *rx, mp_int *ry, const ECGroup *group, + int timing); #endif /* _ECP_H */ diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c index f150ca16f1..c9d9232717 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_aff.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -38,6 +38,7 @@ * Nils Larsch , and * Lenka Fibikova , the OpenSSL Project * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "ecp.h" @@ -340,7 +341,8 @@ ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group) /* 4: Verify that the order of the curve times the publicValue * is the point at infinity. */ - MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) ); + /* timing mitigation is not supported */ + MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) ); if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) { res = MP_NO; goto CLEANUP; diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c index 12410bea62..6326895ea2 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -38,6 +38,7 @@ * Nils Larsch , and * Lenka Fibikova , the OpenSSL Project * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "ecp.h" @@ -406,7 +407,7 @@ ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py, mp_err ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry, - const ECGroup *group) + const ECGroup *group, int timing) { mp_err res = MP_OKAY; mp_int precomp[4][4][2]; @@ -430,9 +431,9 @@ ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px, /* if some arguments are not defined used ECPoint_mul */ if (k1 == NULL) { - return ECPoint_mul(group, k2, px, py, rx, ry); + return ECPoint_mul(group, k2, px, py, rx, ry, timing); } else if ((k2 == NULL) || (px == NULL) || (py == NULL)) { - return ECPoint_mul(group, k1, NULL, NULL, rx, ry); + return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing); } /* initialize precomputation table */ diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c index cdee87a59d..ca7658807c 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved. * Use is subject to license terms. * * This library is free software; you can redistribute it and/or @@ -33,6 +33,7 @@ * Contributor(s): * Stephen Fung , Sun Microsystems Laboratories * + * Last Modified Date from the Original Code: May 2017 *********************************************************************** */ #include "ecp.h" @@ -213,19 +214,23 @@ CLEANUP: * Curves Over Prime Fields. */ mp_err ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, - mp_int *rx, mp_int *ry, const ECGroup *group) + mp_int *rx, mp_int *ry, const ECGroup *group, + int timing) { mp_err res = MP_OKAY; - mp_int precomp[16][2], rz, tpx, tpy; - mp_int raz4; + mp_int precomp[16][2], rz, tpx, tpy, tpz; + mp_int raz4, tpaz4; mp_int scratch[MAX_SCRATCH]; signed char *naf = NULL; int i, orderBitSize; + int numDoubles, numAdds, extraDoubles, extraAdds; MP_DIGITS(&rz) = 0; MP_DIGITS(&raz4) = 0; MP_DIGITS(&tpx) = 0; MP_DIGITS(&tpy) = 0; + MP_DIGITS(&tpz) = 0; + MP_DIGITS(&tpaz4) = 0; for (i = 0; i < 16; i++) { MP_DIGITS(&precomp[i][0]) = 0; MP_DIGITS(&precomp[i][1]) = 0; @@ -239,7 +244,9 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, /* initialize precomputation table */ MP_CHECKOK(mp_init(&tpx, FLAG(n))); - MP_CHECKOK(mp_init(&tpy, FLAG(n)));; + MP_CHECKOK(mp_init(&tpy, FLAG(n))); + MP_CHECKOK(mp_init(&tpz, FLAG(n))); + MP_CHECKOK(mp_init(&tpaz4, FLAG(n))); MP_CHECKOK(mp_init(&rz, FLAG(n))); MP_CHECKOK(mp_init(&raz4, FLAG(n))); @@ -295,19 +302,64 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, /* Compute 5NAF */ ec_compute_wNAF(naf, orderBitSize, n, 5); + numAdds = 0; + numDoubles = orderBitSize; /* wNAF method */ for (i = orderBitSize; i >= 0; i--) { + + if (ec_GFp_pt_is_inf_jac(rx, ry, &rz) == MP_YES) { + numDoubles--; + } + /* R = 2R */ ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz, &raz4, scratch, group); + if (naf[i] != 0) { ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4, &precomp[(naf[i] + 15) / 2][0], &precomp[(naf[i] + 15) / 2][1], rx, ry, &rz, &raz4, scratch, group); + numAdds++; } } + /* extra operations to make timing less dependent on secrets */ + if (timing) { + /* low-order bit of timing argument contains no entropy */ + timing >>= 1; + + MP_CHECKOK(ec_GFp_pt_set_inf_jac(&tpx, &tpy, &tpz)); + mp_zero(&tpaz4); + + /* Set the temp value to a non-infinite point */ + ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4, + &precomp[8][0], + &precomp[8][1], &tpx, &tpy, + &tpz, &tpaz4, scratch, group); + + /* two bits of extra adds */ + extraAdds = timing & 0x3; + timing >>= 2; + /* Window size is 5, so the maximum number of additions is ceil(orderBitSize/5) */ + /* This is the same as (orderBitSize + 4) / 5 */ + for(i = numAdds; i <= (orderBitSize + 4) / 5 + extraAdds; i++) { + ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4, + &precomp[9 + (i % 3)][0], + &precomp[9 + (i % 3)][1], &tpx, &tpy, + &tpz, &tpaz4, scratch, group); + } + + /* two bits of extra doubles */ + extraDoubles = timing & 0x3; + timing >>= 2; + for(i = numDoubles; i <= orderBitSize + extraDoubles; i++) { + ec_GFp_pt_dbl_jm(&tpx, &tpy, &tpz, &tpaz4, &tpx, &tpy, &tpz, + &tpaz4, scratch, group); + } + + } + /* convert result S to affine coordinates */ MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group)); @@ -321,6 +373,8 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py, } mp_clear(&tpx); mp_clear(&tpy); + mp_clear(&tpz); + mp_clear(&tpaz4); mp_clear(&rz); mp_clear(&raz4); #ifdef _KERNEL From 8e51c0bcc1d8d06185fe908eb1a1dc33797deefe Mon Sep 17 00:00:00 2001 From: Phil Race Date: Wed, 17 May 2017 14:52:09 -0700 Subject: [PATCH 059/269] 8179533: Cleaner print job handling Reviewed-by: serb, mschoene, rhalade --- .../windows/native/libawt/windows/WPrinterJob.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/WPrinterJob.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/WPrinterJob.cpp index 5a73e1f1c4..6413816fcd 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/WPrinterJob.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/WPrinterJob.cpp @@ -508,14 +508,14 @@ jobjectArray getAllDCNames(JNIEnv *env, jobject peer, jstring printer, names = env->NewObjectArray(cReturned, cls, NULL); } if (names == NULL || cls == NULL) { - delete buf; + delete[] buf; return names; } for (int i = 0; i < cReturned; i++) { utf_str = JNU_NewStringPlatform(env, buf+(buf_len*i)); if (utf_str == NULL) { - delete buf; + delete[] buf; return names; } env->SetObjectArrayElement(names, i, utf_str); From 7205393b69f9ddbc796ee6d0825b06dc28ceee65 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Wed, 17 May 2017 14:57:10 -0700 Subject: [PATCH 060/269] 8180011: Cleaner native graphics device handling Reviewed-by: serb, mschoene, rhalade --- .../windows/native/libawt/java2d/d3d/D3DGraphicsDevice.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/java2d/d3d/D3DGraphicsDevice.cpp b/jdk/src/java.desktop/windows/native/libawt/java2d/d3d/D3DGraphicsDevice.cpp index b20bd9c278..2e7e5c33ff 100644 --- a/jdk/src/java.desktop/windows/native/libawt/java2d/d3d/D3DGraphicsDevice.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/java2d/d3d/D3DGraphicsDevice.cpp @@ -98,7 +98,7 @@ JNIEXPORT jstring JNICALL Java_sun_java2d_d3d_D3DGraphicsDevice_getDeviceIdNativ jstring ret = JNU_NewStringPlatform(env, pAdapterId); - delete pAdapterId; + delete[] pAdapterId; return ret; } From a3b1b689268ea6834b261386aea3f330a54925af Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 18 May 2017 08:52:50 +0800 Subject: [PATCH 061/269] 8178714: PKIX validator nameConstraints check failing after change 8175940 Reviewed-by: mullan, ahgross --- .../classes/sun/security/x509/DNSName.java | 64 +++++-------- .../x509/NameConstraintsExtension.java | 93 +++++++++++-------- 2 files changed, 81 insertions(+), 76 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java index 181e45a4c2..c9aa54aa73 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/DNSName.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -194,45 +194,31 @@ public class DNSName implements GeneralNameInterface { */ public int constrains(GeneralNameInterface inputName) throws UnsupportedOperationException { int constraintType; - if (inputName == null) { - return NAME_DIFF_TYPE; - } - String inName; - switch (inputName.getType()) { - case NAME_DNS: - inName = ((DNSName)inputName).getName(); - break; - case NAME_DIRECTORY: - try { - inName = ((X500Name) inputName).getCommonName(); - if (inName == null) { - return NAME_DIFF_TYPE; - } - } catch (IOException ioe) { - return NAME_DIFF_TYPE; - } - break; - default: - return NAME_DIFF_TYPE; - } - inName = inName.toLowerCase(Locale.ENGLISH); - String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { - int inNdx = thisName.lastIndexOf(inName); - if (thisName.charAt(inNdx-1) == '.' ) - constraintType = NAME_WIDENS; - else + if (inputName == null) + constraintType = NAME_DIFF_TYPE; + else if (inputName.getType() != NAME_DNS) + constraintType = NAME_DIFF_TYPE; + else { + String inName = + (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); + if (inName.equals(thisName)) + constraintType = NAME_MATCH; + else if (thisName.endsWith(inName)) { + int inNdx = thisName.lastIndexOf(inName); + if (thisName.charAt(inNdx-1) == '.' ) + constraintType = NAME_WIDENS; + else + constraintType = NAME_SAME_TYPE; + } else if (inName.endsWith(thisName)) { + int ndx = inName.lastIndexOf(thisName); + if (inName.charAt(ndx-1) == '.' ) + constraintType = NAME_NARROWS; + else + constraintType = NAME_SAME_TYPE; + } else { constraintType = NAME_SAME_TYPE; - } else if (inName.endsWith(thisName)) { - int ndx = inName.lastIndexOf(thisName); - if (inName.charAt(ndx-1) == '.' ) - constraintType = NAME_NARROWS; - else - constraintType = NAME_SAME_TYPE; - } else { - constraintType = NAME_SAME_TYPE; + } } return constraintType; } diff --git a/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java b/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java index eafe3eefe7..88f787e070 100644 --- a/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java +++ b/jdk/src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ import java.util.*; import javax.security.auth.x500.X500Principal; +import sun.net.util.IPAddressUtil; import sun.security.util.*; import sun.security.pkcs.PKCS9Attribute; @@ -440,6 +441,7 @@ implements CertAttrSet, Cloneable { X500Principal subjectPrincipal = cert.getSubjectX500Principal(); X500Name subject = X500Name.asX500Name(subjectPrincipal); + // Check subject as an X500Name if (subject.isEmpty() == false) { if (verify(subject) == false) { return false; @@ -465,12 +467,51 @@ implements CertAttrSet, Cloneable { "certificate: " + ce.getMessage()); } - // If there are no subjectAlternativeNames, perform the special-case - // check where if the subjectName contains any EMAILADDRESS - // attributes, they must be checked against RFC822 constraints. - // If that passes, we're fine. if (altNames == null) { - return verifyRFC822SpecialCase(subject); + altNames = new GeneralNames(); + + // RFC 5280 4.2.1.10: + // When constraints are imposed on the rfc822Name name form, + // but the certificate does not include a subject alternative name, + // the rfc822Name constraint MUST be applied to the attribute of + // type emailAddress in the subject distinguished name. + for (AVA ava : subject.allAvas()) { + ObjectIdentifier attrOID = ava.getObjectIdentifier(); + if (attrOID.equals(PKCS9Attribute.EMAIL_ADDRESS_OID)) { + String attrValue = ava.getValueString(); + if (attrValue != null) { + try { + altNames.add(new GeneralName( + new RFC822Name(attrValue))); + } catch (IOException ioe) { + continue; + } + } + } + } + } + + // If there is no IPAddressName or DNSName in subjectAlternativeNames, + // see if the last CN inside subjectName can be used instead. + DerValue derValue = subject.findMostSpecificAttribute + (X500Name.commonName_oid); + String cn = derValue == null ? null : derValue.getAsString(); + + if (cn != null) { + try { + if (IPAddressUtil.isIPv4LiteralAddress(cn) || + IPAddressUtil.isIPv6LiteralAddress(cn)) { + if (!hasNameType(altNames, GeneralNameInterface.NAME_IP)) { + altNames.add(new GeneralName(new IPAddressName(cn))); + } + } else { + if (!hasNameType(altNames, GeneralNameInterface.NAME_DNS)) { + altNames.add(new GeneralName(new DNSName(cn))); + } + } + } catch (IOException ioe) { + // OK, cn is neither IP nor DNS + } } // verify each subjectAltName @@ -485,6 +526,15 @@ implements CertAttrSet, Cloneable { return true; } + private static boolean hasNameType(GeneralNames names, int type) { + for (GeneralName name : names.names()) { + if (name.getType() == type) { + return true; + } + } + return false; + } + /** * check whether a name conforms to these NameConstraints. * This involves verifying that the name is consistent with the @@ -566,37 +616,6 @@ implements CertAttrSet, Cloneable { return true; } - /** - * Perform the RFC 822 special case check. We have a certificate - * that does not contain any subject alternative names. Check that - * any EMAILADDRESS attributes in its subject name conform to these - * NameConstraints. - * - * @param subject the certificate's subject name - * @return true if certificate verifies successfully - * @throws IOException on error - */ - public boolean verifyRFC822SpecialCase(X500Name subject) throws IOException { - for (AVA ava : subject.allAvas()) { - ObjectIdentifier attrOID = ava.getObjectIdentifier(); - if (attrOID.equals(PKCS9Attribute.EMAIL_ADDRESS_OID)) { - String attrValue = ava.getValueString(); - if (attrValue != null) { - RFC822Name emailName; - try { - emailName = new RFC822Name(attrValue); - } catch (IOException ioe) { - continue; - } - if (!verify(emailName)) { - return(false); - } - } - } - } - return true; - } - /** * Clone all objects that may be modified during certificate validation. */ From 6b083528bfa2bf27021a776d45f5166b46718a90 Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Wed, 17 May 2017 18:22:54 -0700 Subject: [PATCH 062/269] 8179990: Cleaner palette entry handling Reviewed-by: prr, mschoene, rhalade --- .../windows/native/libawt/windows/awt_Palette.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Palette.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Palette.cpp index 51b51a0e36..aba339fa46 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Palette.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Palette.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -148,7 +148,7 @@ int AwtPalette::FetchPaletteEntries(HDC hDC, PALETTEENTRY* pPalEntries) pEntry->peFlags = PC_EXPLICIT; } hPal = ::CreatePalette(pLogPal); - delete pLogPal; + delete[] pLogPal; if ( hPal == 0 ) { return 0; } From c9cfdf6a1201ab9d1ae963029f9f2b61000aa1a1 Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Fri, 19 May 2017 11:17:27 +0100 Subject: [PATCH 063/269] 8180024: Improve construction of objects during deserialization Reviewed-by: rriggs, skoivu, ahgross, rhalade --- .../classes/java/io/ObjectStreamClass.java | 103 +++++++++++++++++- .../sun/reflect/ReflectionFactory.java | 66 ++++++++++- 2 files changed, 166 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java b/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java index e5a323830e..ebca26e276 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectStreamClass.java @@ -32,14 +32,19 @@ import java.lang.ref.WeakReference; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.UndeclaredThrowableException; import java.lang.reflect.Member; import java.lang.reflect.Method; import java.lang.reflect.Modifier; import java.lang.reflect.Proxy; +import java.security.AccessControlContext; import java.security.AccessController; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.security.PermissionCollection; +import java.security.Permissions; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -53,7 +58,8 @@ import jdk.internal.reflect.CallerSensitive; import jdk.internal.reflect.Reflection; import jdk.internal.reflect.ReflectionFactory; import sun.reflect.misc.ReflectUtil; - +import jdk.internal.misc.SharedSecrets; +import jdk.internal.misc.JavaSecurityAccess; import static java.io.ObjectStreamField.*; /** @@ -176,6 +182,9 @@ public class ObjectStreamClass implements Serializable { /** serialization-appropriate constructor, or null if none */ private Constructor cons; + /** protection domains that need to be checked when calling the constructor */ + private ProtectionDomain[] domains; + /** class-defined writeObject method, or null if none */ private Method writeObjectMethod; /** class-defined readObject method, or null if none */ @@ -508,6 +517,7 @@ public class ObjectStreamClass implements Serializable { cl, "readObjectNoData", null, Void.TYPE); hasWriteObjectData = (writeObjectMethod != null); } + domains = getProtectionDomains(cons, cl); writeReplaceMethod = getInheritableMethod( cl, "writeReplace", null, Object.class); readResolveMethod = getInheritableMethod( @@ -550,6 +560,65 @@ public class ObjectStreamClass implements Serializable { ObjectStreamClass() { } + /** + * Creates a PermissionDomain that grants no permission. + */ + private ProtectionDomain noPermissionsDomain() { + PermissionCollection perms = new Permissions(); + perms.setReadOnly(); + return new ProtectionDomain(null, perms); + } + + /** + * Aggregate the ProtectionDomains of all the classes that separate + * a concrete class {@code cl} from its ancestor's class declaring + * a constructor {@code cons}. + * + * If {@code cl} is defined by the boot loader, or the constructor + * {@code cons} is declared by {@code cl}, or if there is no security + * manager, then this method does nothing and {@code null} is returned. + * + * @param cons A constructor declared by {@code cl} or one of its + * ancestors. + * @param cl A concrete class, which is either the class declaring + * the constructor {@code cons}, or a serializable subclass + * of that class. + * @return An array of ProtectionDomain representing the set of + * ProtectionDomain that separate the concrete class {@code cl} + * from its ancestor's declaring {@code cons}, or {@code null}. + */ + private ProtectionDomain[] getProtectionDomains(Constructor cons, + Class cl) { + ProtectionDomain[] domains = null; + if (cons != null && cl.getClassLoader() != null + && System.getSecurityManager() != null) { + Class cls = cl; + Class fnscl = cons.getDeclaringClass(); + Set pds = null; + while (cls != fnscl) { + ProtectionDomain pd = cls.getProtectionDomain(); + if (pd != null) { + if (pds == null) pds = new HashSet<>(); + pds.add(pd); + } + cls = cls.getSuperclass(); + if (cls == null) { + // that's not supposed to happen + // make a ProtectionDomain with no permission. + // should we throw instead? + if (pds == null) pds = new HashSet<>(); + else pds.clear(); + pds.add(noPermissionsDomain()); + break; + } + } + if (pds != null) { + domains = pds.toArray(new ProtectionDomain[0]); + } + } + return domains; + } + /** * Initializes class descriptor representing a proxy class. */ @@ -580,6 +649,7 @@ public class ObjectStreamClass implements Serializable { writeReplaceMethod = localDesc.writeReplaceMethod; readResolveMethod = localDesc.readResolveMethod; deserializeEx = localDesc.deserializeEx; + domains = localDesc.domains; cons = localDesc.cons; } fieldRefl = getReflector(fields, localDesc); @@ -666,6 +736,7 @@ public class ObjectStreamClass implements Serializable { if (deserializeEx == null) { deserializeEx = localDesc.deserializeEx; } + domains = localDesc.domains; cons = localDesc.cons; } @@ -1006,7 +1077,35 @@ public class ObjectStreamClass implements Serializable { requireInitialized(); if (cons != null) { try { - return cons.newInstance(); + if (domains == null || domains.length == 0) { + return cons.newInstance(); + } else { + JavaSecurityAccess jsa = SharedSecrets.getJavaSecurityAccess(); + PrivilegedAction pea = () -> { + try { + return cons.newInstance(); + } catch (InstantiationException + | InvocationTargetException + | IllegalAccessException x) { + throw new UndeclaredThrowableException(x); + } + }; // Can't use PrivilegedExceptionAction with jsa + try { + return jsa.doIntersectionPrivilege(pea, + AccessController.getContext(), + new AccessControlContext(domains)); + } catch (UndeclaredThrowableException x) { + Throwable cause = x.getCause(); + if (cause instanceof InstantiationException) + throw (InstantiationException) cause; + if (cause instanceof InvocationTargetException) + throw (InvocationTargetException) cause; + if (cause instanceof IllegalAccessException) + throw (IllegalAccessException) cause; + // not supposed to happen + throw x; + } + } } catch (IllegalAccessException ex) { // should not occur, as access checks have been suppressed throw new InternalError(ex); diff --git a/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java b/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java index 6ac09603a1..a260cfae28 100644 --- a/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java +++ b/jdk/src/jdk.unsupported/share/classes/sun/reflect/ReflectionFactory.java @@ -29,9 +29,14 @@ import java.io.OptionalDataException; import java.lang.invoke.MethodHandle; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.UndeclaredThrowableException; +import java.security.AccessControlContext; import java.security.AccessController; import java.security.Permission; +import java.security.ProtectionDomain; import java.security.PrivilegedAction; +import jdk.internal.misc.SharedSecrets; +import jdk.internal.misc.JavaSecurityAccess; /** * ReflectionFactory supports custom serialization. @@ -139,6 +144,66 @@ public class ReflectionFactory { return delegate.readObjectForSerialization(cl); } + /** + * Invokes the supplied constructor, adding the provided protection domains + * to the invocation stack before invoking {@code Constructor::newInstance}. + * If no {@linkplain System#getSecurityManager() security manager} is present, + * or no domains are provided, then this method simply calls + * {@code cons.newInstance()}. Otherwise, it invokes the provided constructor + * with privileges at the intersection of the current context and the provided + * protection domains. + * + * @param cons A constructor obtained from {@code + * newConstructorForSerialization} or {@code + * newConstructorForExternalization}. + * @param domains An array of protection domains that limit the privileges + * with which the constructor is invoked. Can be {@code null} + * or empty, in which case privileges are only limited by the + * {@linkplain AccessController#getContext() current context}. + * + * @return A new object built from the provided constructor. + * + * @throws NullPointerException if {@code cons} is {@code null}. + * @throws InstantiationException if thrown by {@code cons.newInstance()}. + * @throws InvocationTargetException if thrown by {@code cons.newInstance()}. + * @throws IllegalAccessException if thrown by {@code cons.newInstance()}. + */ + public final Object newInstanceForSerialization(Constructor cons, + ProtectionDomain[] domains) + throws InstantiationException, InvocationTargetException, IllegalAccessException + { + SecurityManager sm = System.getSecurityManager(); + if (sm == null || domains == null || domains.length == 0) { + return cons.newInstance(); + } else { + JavaSecurityAccess jsa = SharedSecrets.getJavaSecurityAccess(); + PrivilegedAction pea = () -> { + try { + return cons.newInstance(); + } catch (InstantiationException + | InvocationTargetException + | IllegalAccessException x) { + throw new UndeclaredThrowableException(x); + } + }; // Can't use PrivilegedExceptionAction with jsa + try { + return jsa.doIntersectionPrivilege(pea, + AccessController.getContext(), + new AccessControlContext(domains)); + } catch (UndeclaredThrowableException x) { + Throwable cause = x.getCause(); + if (cause instanceof InstantiationException) + throw (InstantiationException) cause; + if (cause instanceof InvocationTargetException) + throw (InvocationTargetException) cause; + if (cause instanceof IllegalAccessException) + throw (IllegalAccessException) cause; + // not supposed to happen + throw x; + } + } + } + /** * Returns a direct MethodHandle for the {@code readObjectNoData} method on * a Serializable class. @@ -224,4 +289,3 @@ public class ReflectionFactory { } } } - From 179fd61ac3bb8c1962713197e1114c56c42b55b1 Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Fri, 19 May 2017 11:18:49 +0100 Subject: [PATCH 064/269] 8180024: Improve construction of objects during deserialization Reviewed-by: rriggs, skoivu, ahgross, rhalade --- .../corba/se/impl/io/ObjectStreamClass.java | 71 ++++++++++++++++++- .../share/classes/sun/corba/Bridge.java | 36 +++++++++- 2 files changed, 104 insertions(+), 3 deletions(-) diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java index b875d25cb3..62c0a62a22 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java @@ -38,7 +38,10 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.DigestOutputStream; import java.security.AccessController; +import java.security.PermissionCollection; +import java.security.Permissions; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import java.lang.reflect.Modifier; import java.lang.reflect.Field; @@ -57,6 +60,8 @@ import java.io.Serializable; import java.util.Arrays; import java.util.Comparator; +import java.util.HashSet; +import java.util.Set; import com.sun.corba.se.impl.util.RepositoryId; @@ -443,6 +448,65 @@ public class ObjectStreamClass implements java.io.Serializable { private static final PersistentFieldsValue persistentFieldsValue = new PersistentFieldsValue(); + /** + * Creates a PermissionDomain that grants no permission. + */ + private ProtectionDomain noPermissionsDomain() { + PermissionCollection perms = new Permissions(); + perms.setReadOnly(); + return new ProtectionDomain(null, perms); + } + + /** + * Aggregate the ProtectionDomains of all the classes that separate + * a concrete class {@code cl} from its ancestor's class declaring + * a constructor {@code cons}. + * + * If {@code cl} is defined by the boot loader, or the constructor + * {@code cons} is declared by {@code cl}, or if there is no security + * manager, then this method does nothing and {@code null} is returned. + * + * @param cons A constructor declared by {@code cl} or one of its + * ancestors. + * @param cl A concrete class, which is either the class declaring + * the constructor {@code cons}, or a serializable subclass + * of that class. + * @return An array of ProtectionDomain representing the set of + * ProtectionDomain that separate the concrete class {@code cl} + * from its ancestor's declaring {@code cons}, or {@code null}. + */ + private ProtectionDomain[] getProtectionDomains(Constructor cons, + Class cl) { + ProtectionDomain[] domains = null; + if (cons != null && cl.getClassLoader() != null + && System.getSecurityManager() != null) { + Class cls = cl; + Class fnscl = cons.getDeclaringClass(); + Set pds = null; + while (cls != fnscl) { + ProtectionDomain pd = cls.getProtectionDomain(); + if (pd != null) { + if (pds == null) pds = new HashSet<>(); + pds.add(pd); + } + cls = cls.getSuperclass(); + if (cls == null) { + // that's not supposed to happen + // make a ProtectionDomain with no permission. + // should we throw instead? + if (pds == null) pds = new HashSet<>(); + else pds.clear(); + pds.add(noPermissionsDomain()); + break; + } + } + if (pds != null) { + domains = pds.toArray(new ProtectionDomain[0]); + } + } + return domains; + } + /* * Initialize class descriptor. This method is only invoked on class * descriptors created via calls to lookupInternal(). This method is kept @@ -568,11 +632,15 @@ public class ObjectStreamClass implements java.io.Serializable { readResolveObjectMethod = bridge.readResolveForSerialization(cl); + domains = new ProtectionDomain[] {noPermissionsDomain()}; + if (externalizable) cons = getExternalizableConstructor(cl) ; else cons = getSerializableConstructor(cl) ; + domains = getProtectionDomains(cons, cl); + if (serializable && !forProxyClass) { writeObjectMethod = bridge.writeObjectForSerialization(cl) ; readObjectMethod = bridge.readObjectForSerialization(cl); @@ -910,7 +978,7 @@ public class ObjectStreamClass implements java.io.Serializable { { if (cons != null) { try { - return cons.newInstance(); + return bridge.newInstanceForSerialization(cons, domains); } catch (IllegalAccessException ex) { // should not occur, as access checks have been suppressed InternalError ie = new InternalError(); @@ -1506,6 +1574,7 @@ public class ObjectStreamClass implements java.io.Serializable { private transient MethodHandle writeReplaceObjectMethod; private transient MethodHandle readResolveObjectMethod; private transient Constructor cons; + private transient ProtectionDomain[] domains; /** * Beginning in Java to IDL ptc/02-01-12, RMI-IIOP has a diff --git a/corba/src/java.corba/share/classes/sun/corba/Bridge.java b/corba/src/java.corba/share/classes/sun/corba/Bridge.java index e22240e2a9..38fb8da656 100644 --- a/corba/src/java.corba/share/classes/sun/corba/Bridge.java +++ b/corba/src/java.corba/share/classes/sun/corba/Bridge.java @@ -27,8 +27,9 @@ package sun.corba ; import java.io.OptionalDataException; import java.lang.invoke.MethodHandle; -import java.lang.reflect.Field ; -import java.lang.reflect.Constructor ; +import java.lang.reflect.Field; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationTargetException; import java.lang.StackWalker; import java.lang.StackWalker.StackFrame; import java.util.Optional; @@ -37,6 +38,7 @@ import java.util.stream.Stream; import java.security.AccessController; import java.security.Permission; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import sun.misc.Unsafe; import sun.reflect.ReflectionFactory; @@ -340,6 +342,36 @@ public final class Bridge return reflectionFactory.newConstructorForExternalization( cl ) ; } + /** + * Invokes the supplied constructor, adding the provided protection domains + * to the invocation stack before invoking {@code Constructor::newInstance}. + * + * This is equivalent to calling + * {@code ReflectionFactory.newInstanceForSerialization(cons,domains)}. + * + * @param cons A constructor obtained from {@code + * newConstructorForSerialization} or {@code + * newConstructorForExternalization}. + * + * @param domains An array of protection domains that limit the privileges + * with which the constructor is invoked. Can be {@code null} + * or empty, in which case privileges are only limited by the + * {@linkplain AccessController#getContext() current context}. + * + * @return A new object built from the provided constructor. + * + * @throws NullPointerException if {@code cons} is {@code null}. + * @throws InstantiationException if thrown by {@code cons.newInstance()}. + * @throws InvocationTargetException if thrown by {@code cons.newInstance()}. + * @throws IllegalAccessException if thrown by {@code cons.newInstance()}. + */ + public final Object newInstanceForSerialization(Constructor cons, + ProtectionDomain[] domains) + throws InstantiationException, InvocationTargetException, IllegalAccessException + { + return reflectionFactory.newInstanceForSerialization(cons, domains); + } + /** * Returns true if the given class defines a static initializer method, * false otherwise. From 3907fd153314679b052da179063dec77c32c9f9b Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:07:57 +0100 Subject: [PATCH 065/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- corba/.jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/corba/.jcheck/conf b/corba/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/corba/.jcheck/conf +++ b/corba/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From dbfa3a2ad0abf09b20e8ed9f724c5145ba497078 Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Wed, 5 Jul 2017 17:20:10 -0700 Subject: [PATCH 066/269] Added tag jdk-9.0.3+00 for changeset 0f0a67ad90e1 --- corba/.hgtags | 1 + 1 file changed, 1 insertion(+) diff --git a/corba/.hgtags b/corba/.hgtags index 0cb7bc2e8c..374042325c 100644 --- a/corba/.hgtags +++ b/corba/.hgtags @@ -417,3 +417,4 @@ c62e5964cfcf144d8f72e9ba69757897785349a9 jdk-9+171 95ed14547ca9246baed34f90ef3ca13217538a8c jdk-9+172 534ba4f8cfcf12accc5b9adb943103f2ff79fe16 jdk-9+173 3615768c12904e29bb2ec1b506cd4633cd8a9ced jdk-9+174 +6a33ed67219134933d276bd7575a84511a48c384 jdk-9.0.3+00 From b1fbcbe52b62ec0737142f4d7bcfb8c5eb4e50ca Mon Sep 17 00:00:00 2001 From: Daniel Fuchs Date: Fri, 19 May 2017 11:18:49 +0100 Subject: [PATCH 067/269] 8180024: Improve construction of objects during deserialization Reviewed-by: rriggs, skoivu, ahgross, rhalade --- .../corba/se/impl/io/ObjectStreamClass.java | 71 ++++++++++++++++++- .../share/classes/sun/corba/Bridge.java | 36 +++++++++- 2 files changed, 104 insertions(+), 3 deletions(-) diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java index b875d25cb3..62c0a62a22 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/io/ObjectStreamClass.java @@ -38,7 +38,10 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.DigestOutputStream; import java.security.AccessController; +import java.security.PermissionCollection; +import java.security.Permissions; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import java.lang.reflect.Modifier; import java.lang.reflect.Field; @@ -57,6 +60,8 @@ import java.io.Serializable; import java.util.Arrays; import java.util.Comparator; +import java.util.HashSet; +import java.util.Set; import com.sun.corba.se.impl.util.RepositoryId; @@ -443,6 +448,65 @@ public class ObjectStreamClass implements java.io.Serializable { private static final PersistentFieldsValue persistentFieldsValue = new PersistentFieldsValue(); + /** + * Creates a PermissionDomain that grants no permission. + */ + private ProtectionDomain noPermissionsDomain() { + PermissionCollection perms = new Permissions(); + perms.setReadOnly(); + return new ProtectionDomain(null, perms); + } + + /** + * Aggregate the ProtectionDomains of all the classes that separate + * a concrete class {@code cl} from its ancestor's class declaring + * a constructor {@code cons}. + * + * If {@code cl} is defined by the boot loader, or the constructor + * {@code cons} is declared by {@code cl}, or if there is no security + * manager, then this method does nothing and {@code null} is returned. + * + * @param cons A constructor declared by {@code cl} or one of its + * ancestors. + * @param cl A concrete class, which is either the class declaring + * the constructor {@code cons}, or a serializable subclass + * of that class. + * @return An array of ProtectionDomain representing the set of + * ProtectionDomain that separate the concrete class {@code cl} + * from its ancestor's declaring {@code cons}, or {@code null}. + */ + private ProtectionDomain[] getProtectionDomains(Constructor cons, + Class cl) { + ProtectionDomain[] domains = null; + if (cons != null && cl.getClassLoader() != null + && System.getSecurityManager() != null) { + Class cls = cl; + Class fnscl = cons.getDeclaringClass(); + Set pds = null; + while (cls != fnscl) { + ProtectionDomain pd = cls.getProtectionDomain(); + if (pd != null) { + if (pds == null) pds = new HashSet<>(); + pds.add(pd); + } + cls = cls.getSuperclass(); + if (cls == null) { + // that's not supposed to happen + // make a ProtectionDomain with no permission. + // should we throw instead? + if (pds == null) pds = new HashSet<>(); + else pds.clear(); + pds.add(noPermissionsDomain()); + break; + } + } + if (pds != null) { + domains = pds.toArray(new ProtectionDomain[0]); + } + } + return domains; + } + /* * Initialize class descriptor. This method is only invoked on class * descriptors created via calls to lookupInternal(). This method is kept @@ -568,11 +632,15 @@ public class ObjectStreamClass implements java.io.Serializable { readResolveObjectMethod = bridge.readResolveForSerialization(cl); + domains = new ProtectionDomain[] {noPermissionsDomain()}; + if (externalizable) cons = getExternalizableConstructor(cl) ; else cons = getSerializableConstructor(cl) ; + domains = getProtectionDomains(cons, cl); + if (serializable && !forProxyClass) { writeObjectMethod = bridge.writeObjectForSerialization(cl) ; readObjectMethod = bridge.readObjectForSerialization(cl); @@ -910,7 +978,7 @@ public class ObjectStreamClass implements java.io.Serializable { { if (cons != null) { try { - return cons.newInstance(); + return bridge.newInstanceForSerialization(cons, domains); } catch (IllegalAccessException ex) { // should not occur, as access checks have been suppressed InternalError ie = new InternalError(); @@ -1506,6 +1574,7 @@ public class ObjectStreamClass implements java.io.Serializable { private transient MethodHandle writeReplaceObjectMethod; private transient MethodHandle readResolveObjectMethod; private transient Constructor cons; + private transient ProtectionDomain[] domains; /** * Beginning in Java to IDL ptc/02-01-12, RMI-IIOP has a diff --git a/corba/src/java.corba/share/classes/sun/corba/Bridge.java b/corba/src/java.corba/share/classes/sun/corba/Bridge.java index e22240e2a9..38fb8da656 100644 --- a/corba/src/java.corba/share/classes/sun/corba/Bridge.java +++ b/corba/src/java.corba/share/classes/sun/corba/Bridge.java @@ -27,8 +27,9 @@ package sun.corba ; import java.io.OptionalDataException; import java.lang.invoke.MethodHandle; -import java.lang.reflect.Field ; -import java.lang.reflect.Constructor ; +import java.lang.reflect.Field; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationTargetException; import java.lang.StackWalker; import java.lang.StackWalker.StackFrame; import java.util.Optional; @@ -37,6 +38,7 @@ import java.util.stream.Stream; import java.security.AccessController; import java.security.Permission; import java.security.PrivilegedAction; +import java.security.ProtectionDomain; import sun.misc.Unsafe; import sun.reflect.ReflectionFactory; @@ -340,6 +342,36 @@ public final class Bridge return reflectionFactory.newConstructorForExternalization( cl ) ; } + /** + * Invokes the supplied constructor, adding the provided protection domains + * to the invocation stack before invoking {@code Constructor::newInstance}. + * + * This is equivalent to calling + * {@code ReflectionFactory.newInstanceForSerialization(cons,domains)}. + * + * @param cons A constructor obtained from {@code + * newConstructorForSerialization} or {@code + * newConstructorForExternalization}. + * + * @param domains An array of protection domains that limit the privileges + * with which the constructor is invoked. Can be {@code null} + * or empty, in which case privileges are only limited by the + * {@linkplain AccessController#getContext() current context}. + * + * @return A new object built from the provided constructor. + * + * @throws NullPointerException if {@code cons} is {@code null}. + * @throws InstantiationException if thrown by {@code cons.newInstance()}. + * @throws InvocationTargetException if thrown by {@code cons.newInstance()}. + * @throws IllegalAccessException if thrown by {@code cons.newInstance()}. + */ + public final Object newInstanceForSerialization(Constructor cons, + ProtectionDomain[] domains) + throws InstantiationException, InvocationTargetException, IllegalAccessException + { + return reflectionFactory.newInstanceForSerialization(cons, domains); + } + /** * Returns true if the given class defines a static initializer method, * false otherwise. From b911dc7175b8a90b2a90610f7120a85aeafbfe50 Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Tue, 23 May 2017 16:59:50 +0100 Subject: [PATCH 068/269] 8178135: Additional elliptic curve support Reviewed-by: mullan --- .../jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c | 9 +++++++++ .../jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c index 6326895ea2..9e1bdf20f6 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jac.c @@ -181,6 +181,15 @@ ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz, MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth)); MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth)); + /* + * Additional checks for point equality and point at infinity + */ + if (mp_cmp(px, &A) == 0 && mp_cmp(py, &B) == 0) { + /* POINT_DOUBLE(P) */ + MP_CHECKOK(ec_GFp_pt_dbl_jac(px, py, pz, rx, ry, rz, group)); + goto CLEANUP; + } + /* C = A - px, D = B - py */ MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth)); MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth)); diff --git a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c index ca7658807c..c5cdef9bf4 100644 --- a/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c +++ b/jdk/src/jdk.crypto.ec/share/native/libsunec/impl/ecp_jm.c @@ -166,6 +166,16 @@ ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz, MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth)); MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth)); + /* + * Additional checks for point equality and point at infinity + */ + if (mp_cmp(px, A) == 0 && mp_cmp(py, B) == 0) { + /* POINT_DOUBLE(P) */ + MP_CHECKOK(ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4, + scratch, group)); + goto CLEANUP; + } + /* C = A - px, D = B - py */ MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth)); MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth)); From d9635c75984a7700ed14fd4ed91bd26cb7c9f23c Mon Sep 17 00:00:00 2001 From: Rachel Protacio Date: Thu, 25 May 2017 15:39:32 -0400 Subject: [PATCH 069/269] 8180020: Improve SymbolHashMap entry handling Reviewed-by: mschoene, coleenp, rhalade --- hotspot/src/share/vm/oops/constantPool.hpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hotspot/src/share/vm/oops/constantPool.hpp b/hotspot/src/share/vm/oops/constantPool.hpp index 86cfa19217..173108fd09 100644 --- a/hotspot/src/share/vm/oops/constantPool.hpp +++ b/hotspot/src/share/vm/oops/constantPool.hpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -958,7 +958,7 @@ class SymbolHashMap: public CHeapObj { delete(cur); } } - delete _buckets; + FREE_C_HEAP_ARRAY(SymbolHashMapBucket, _buckets); } }; // End SymbolHashMap class From 7c87415225969b0fab4be74132bfc2dd7556e014 Mon Sep 17 00:00:00 2001 From: Ivan Gerasimov Date: Thu, 25 May 2017 23:31:47 -0700 Subject: [PATCH 070/269] 8140436: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS Reviewed-by: valeriep, jnimeh, apetcher --- .../classes/sun/security/ssl/CipherSuite.java | 43 +- .../sun/security/ssl/CipherSuiteList.java | 46 +- .../sun/security/ssl/ClientHandshaker.java | 38 +- .../classes/sun/security/ssl/DHCrypt.java | 281 +--------- .../classes/sun/security/ssl/ECDHCrypt.java | 10 +- .../security/ssl/EllipticCurvesExtension.java | 400 -------------- .../sun/security/ssl/ExtensionType.java | 8 +- .../sun/security/ssl/HandshakeMessage.java | 48 +- .../classes/sun/security/ssl/Handshaker.java | 124 ++--- .../sun/security/ssl/HelloExtensions.java | 8 +- .../classes/sun/security/ssl/NamedGroup.java | 169 ++++++ .../sun/security/ssl/NamedGroupType.java | 32 ++ .../ssl/PredefinedDHParameterSpecs.java | 314 +++++++++++ .../sun/security/ssl/ServerHandshaker.java | 155 ++++-- .../ssl/SupportedGroupsExtension.java | 491 ++++++++++++++++++ .../ssl/DHKeyExchange/DHEKeySizing.java | 37 +- .../ssl/DHKeyExchange/UseStrongDHSizes.java | 93 ++++ 17 files changed, 1430 insertions(+), 867 deletions(-) delete mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/EllipticCurvesExtension.java create mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java create mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/NamedGroupType.java create mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java create mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java create mode 100644 jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java b/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java index 2ffb5f32b4..c8080ca9a6 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuite.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -44,6 +44,7 @@ import static sun.security.ssl.CipherSuite.CipherType.*; import static sun.security.ssl.CipherSuite.MacAlg.*; import static sun.security.ssl.CipherSuite.BulkCipher.*; import static sun.security.ssl.JsseJce.*; +import static sun.security.ssl.NamedGroupType.*; /** * An SSL/TLS CipherSuite. Constants for the standard key exchange, cipher, @@ -376,38 +377,38 @@ final class CipherSuite implements Comparable { static enum KeyExchange { // key exchange algorithms - K_NULL ("NULL", false, false), - K_RSA ("RSA", true, false), - K_RSA_EXPORT ("RSA_EXPORT", true, false), - K_DH_RSA ("DH_RSA", false, false), - K_DH_DSS ("DH_DSS", false, false), - K_DHE_DSS ("DHE_DSS", true, false), - K_DHE_RSA ("DHE_RSA", true, false), - K_DH_ANON ("DH_anon", true, false), + K_NULL ("NULL", false, NAMED_GROUP_NONE), + K_RSA ("RSA", true, NAMED_GROUP_NONE), + K_RSA_EXPORT ("RSA_EXPORT", true, NAMED_GROUP_NONE), + K_DH_RSA ("DH_RSA", false, NAMED_GROUP_NONE), + K_DH_DSS ("DH_DSS", false, NAMED_GROUP_NONE), + K_DHE_DSS ("DHE_DSS", true, NAMED_GROUP_FFDHE), + K_DHE_RSA ("DHE_RSA", true, NAMED_GROUP_FFDHE), + K_DH_ANON ("DH_anon", true, NAMED_GROUP_FFDHE), - K_ECDH_ECDSA ("ECDH_ECDSA", ALLOW_ECC, true), - K_ECDH_RSA ("ECDH_RSA", ALLOW_ECC, true), - K_ECDHE_ECDSA("ECDHE_ECDSA", ALLOW_ECC, true), - K_ECDHE_RSA ("ECDHE_RSA", ALLOW_ECC, true), - K_ECDH_ANON ("ECDH_anon", ALLOW_ECC, true), + K_ECDH_ECDSA ("ECDH_ECDSA", ALLOW_ECC, NAMED_GROUP_ECDHE), + K_ECDH_RSA ("ECDH_RSA", ALLOW_ECC, NAMED_GROUP_ECDHE), + K_ECDHE_ECDSA("ECDHE_ECDSA", ALLOW_ECC, NAMED_GROUP_ECDHE), + K_ECDHE_RSA ("ECDHE_RSA", ALLOW_ECC, NAMED_GROUP_ECDHE), + K_ECDH_ANON ("ECDH_anon", ALLOW_ECC, NAMED_GROUP_ECDHE), // Kerberos cipher suites - K_KRB5 ("KRB5", true, false), - K_KRB5_EXPORT("KRB5_EXPORT", true, false), + K_KRB5 ("KRB5", true, NAMED_GROUP_NONE), + K_KRB5_EXPORT("KRB5_EXPORT", true, NAMED_GROUP_NONE), // renegotiation protection request signaling cipher suite - K_SCSV ("SCSV", true, false); + K_SCSV ("SCSV", true, NAMED_GROUP_NONE); // name of the key exchange algorithm, e.g. DHE_DSS final String name; final boolean allowed; - final boolean isEC; + final NamedGroupType groupType; private final boolean alwaysAvailable; - KeyExchange(String name, boolean allowed, boolean isEC) { + KeyExchange(String name, boolean allowed, NamedGroupType groupType) { this.name = name; this.allowed = allowed; - this.isEC = isEC; + this.groupType = groupType; this.alwaysAvailable = allowed && (!name.startsWith("EC")) && (!name.startsWith("KRB")); } @@ -417,7 +418,7 @@ final class CipherSuite implements Comparable { return true; } - if (isEC) { + if (groupType == NAMED_GROUP_ECDHE) { return (allowed && JsseJce.isEcAvailable()); } else if (name.startsWith("KRB")) { return (allowed && JsseJce.isKerberosAvailable()); diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuiteList.java b/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuiteList.java index a114f4acb8..025f40bda6 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuiteList.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/CipherSuiteList.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,6 +30,7 @@ import java.io.*; import java.util.*; import javax.net.ssl.SSLException; +import static sun.security.ssl.NamedGroupType.*; /** * A list of CipherSuites. Also maintains the lists of supported and @@ -42,15 +43,16 @@ final class CipherSuiteList { private final Collection cipherSuites; private String[] suiteNames; - - // flag indicating whether this list contains any ECC ciphersuites. - // null if not yet checked. - private volatile Boolean containsEC; + private final EnumSet groupsTypes = + EnumSet.noneOf(NamedGroupType.class); // for use by buildAvailableCache() and // Handshaker.getKickstartMessage() only CipherSuiteList(Collection cipherSuites) { this.cipherSuites = cipherSuites; + for (CipherSuite suite : cipherSuites) { + updateGroupTypes(suite); + } } /** @@ -59,6 +61,7 @@ final class CipherSuiteList { CipherSuiteList(CipherSuite suite) { cipherSuites = new ArrayList(1); cipherSuites.add(suite); + updateGroupTypes(suite); } /** @@ -82,6 +85,7 @@ final class CipherSuiteList { + suiteName + " with currently installed providers"); } cipherSuites.add(suite); + updateGroupTypes(suite); } } @@ -97,7 +101,20 @@ final class CipherSuiteList { } cipherSuites = new ArrayList(bytes.length >> 1); for (int i = 0; i < bytes.length; i += 2) { - cipherSuites.add(CipherSuite.valueOf(bytes[i], bytes[i+1])); + CipherSuite suite = CipherSuite.valueOf(bytes[i], bytes[i+1]); + cipherSuites.add(suite); + updateGroupTypes(suite); + } + } + + // Please don't use this method except constructors. + private void updateGroupTypes(CipherSuite cipherSuite) { + if (cipherSuite.keyExchange != null && (!cipherSuite.exportable)) { + NamedGroupType groupType = cipherSuite.keyExchange.groupType; + if ((groupType != NAMED_GROUP_NONE) && + (!groupsTypes.contains(groupType))) { + groupsTypes.add(groupType); + } } } @@ -108,20 +125,9 @@ final class CipherSuiteList { return cipherSuites.contains(suite); } - // Return whether this list contains any ECC ciphersuites - boolean containsEC() { - if (containsEC == null) { - for (CipherSuite c : cipherSuites) { - if (c.keyExchange.isEC) { - containsEC = true; - return true; - } - } - - containsEC = false; - } - - return containsEC; + // Return whether this list contains cipher suites of a named group type. + boolean contains(NamedGroupType groupType) { + return groupsTypes.contains(groupType); } /** diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java index b95de5ecde..1d6c74eab3 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -148,6 +148,10 @@ final class ClientHandshaker extends Handshaker { private static final boolean enableMFLExtension = Debug.getBooleanProperty("jsse.enableMFLExtension", false); + // To switch off the supported_groups extension for DHE cipher suite. + private static final boolean enableFFDHE = + Debug.getBooleanProperty("jsse.enableFFDHE", true); + // Whether an ALPN extension was sent in the ClientHello private boolean alpnActive = false; @@ -767,13 +771,15 @@ final class ClientHandshaker extends Handshaker { fatalSE(Alerts.alert_unexpected_message, "Server set " + type + " extension when not requested by client"); } - } else if ((type != ExtensionType.EXT_ELLIPTIC_CURVES) + } else if ((type != ExtensionType.EXT_SUPPORTED_GROUPS) && (type != ExtensionType.EXT_EC_POINT_FORMATS) && (type != ExtensionType.EXT_SERVER_NAME) && (type != ExtensionType.EXT_ALPN) && (type != ExtensionType.EXT_RENEGOTIATION_INFO) && (type != ExtensionType.EXT_STATUS_REQUEST) && (type != ExtensionType.EXT_STATUS_REQUEST_V2)) { + // Note: Better to check client requested extensions rather + // than all supported extensions. fatalSE(Alerts.alert_unsupported_extension, "Server sent an unsupported extension: " + type); } @@ -823,6 +829,17 @@ final class ClientHandshaker extends Handshaker { * our own D-H algorithm object so we can defer key calculations * until after we've sent the client key exchange message (which * gives client and server some useful parallelism). + * + * Note per section 3 of RFC 7919, if the server is not compatible with + * FFDHE specification, the client MAY decide to continue the connection + * if the selected DHE group is acceptable under local policy, or it MAY + * decide to terminate the connection with a fatal insufficient_security + * (71) alert. The algorithm constraints mechanism is JDK local policy + * used for additional DHE parameters checking. So this implementation + * does not check the server compatibility and just pass to the local + * algorithm constraints checking. The client will continue the + * connection if the server selected DHE group is acceptable by the + * specified algorithm constraints. */ private void serverKeyExchange(DH_ServerKeyExchange mesg) throws IOException { @@ -1495,14 +1512,17 @@ final class ClientHandshaker extends Handshaker { sslContext.getSecureRandom(), maxProtocolVersion, sessionId, cipherSuites, isDTLS); - // add elliptic curves and point format extensions - if (cipherSuites.containsEC()) { - EllipticCurvesExtension ece = - EllipticCurvesExtension.createExtension(algorithmConstraints); - if (ece != null) { - clientHelloMessage.extensions.add(ece); + // Add named groups extension for ECDHE and FFDHE if necessary. + SupportedGroupsExtension sge = + SupportedGroupsExtension.createExtension( + algorithmConstraints, + cipherSuites, enableFFDHE); + if (sge != null) { + clientHelloMessage.extensions.add(sge); + // Add elliptic point format extensions + if (cipherSuites.contains(NamedGroupType.NAMED_GROUP_ECDHE)) { clientHelloMessage.extensions.add( - EllipticPointFormatsExtension.DEFAULT); + EllipticPointFormatsExtension.DEFAULT); } } diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/DHCrypt.java b/jdk/src/java.base/share/classes/sun/security/ssl/DHCrypt.java index f7dadcaf66..a9d4c2a37e 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/DHCrypt.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/DHCrypt.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,14 +26,8 @@ package sun.security.ssl; -import java.util.Map; -import java.util.HashMap; -import java.util.Collections; -import java.util.regex.Pattern; -import java.util.regex.Matcher; import java.math.BigInteger; import java.security.*; -import java.io.IOException; import javax.net.ssl.SSLHandshakeException; import javax.crypto.SecretKey; import javax.crypto.KeyAgreement; @@ -101,7 +95,7 @@ final class DHCrypt { */ DHCrypt(int keyLength, SecureRandom random) { this(keyLength, - ParametersHolder.definedParams.get(keyLength), random); + PredefinedDHParameterSpecs.definedParams.get(keyLength), random); } /** @@ -115,6 +109,14 @@ final class DHCrypt { new DHParameterSpec(modulus, base), random); } + /** + * Generate a Diffie-Hellman keypair using the named group. + */ + DHCrypt(NamedGroup namedGroup, SecureRandom random) { + this(-1, // The length (-1) is not used in the implementation. + SupportedGroupsExtension.getDHParameterSpec(namedGroup), random); + } + /** * Generate a Diffie-Hellman keypair using the specified size and * parameters. @@ -272,266 +274,5 @@ final class DHCrypt { return null; } - - // lazy initialization holder class idiom for static default parameters - // - // See Effective Java Second Edition: Item 71. - private static class ParametersHolder { - private final static boolean debugIsOn = - (Debug.getInstance("ssl") != null) && Debug.isOn("sslctx"); - - // - // Default DH ephemeral parameters - // - private static final BigInteger p512 = new BigInteger( // generated - "D87780E15FF50B4ABBE89870188B049406B5BEA98AB23A02" + - "41D88EA75B7755E669C08093D3F0CA7FC3A5A25CF067DCB9" + - "A43DD89D1D90921C6328884461E0B6D3", 16); - private static final BigInteger p768 = new BigInteger( // RFC 2409 - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + - "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16); - - private static final BigInteger p1024 = new BigInteger( // RFC 2409 - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" + - "FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p1536 = new BigInteger( // RFC 3526 - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p2048 = new BigInteger( // TLS FFDHE - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + - "886B423861285C97FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p3072 = new BigInteger( // TLS FFDHE - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + - "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p4096 = new BigInteger( // TLS FFDHE - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" + - "FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p6144 = new BigInteger( // TLS FFDHE - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + - "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF", 16); - private static final BigInteger p8192 = new BigInteger( // TLS FFDHE - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + - "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" + - "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" + - "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" + - "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" + - "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" + - "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" + - "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" + - "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" + - "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" + - "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" + - "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" + - "D68C8BB7C5C6424CFFFFFFFFFFFFFFFF", 16); - - private static final BigInteger[] supportedPrimes = { - p512, p768, p1024, p1536, p2048, p3072, p4096, p6144, p8192}; - - // a measure of the uncertainty that prime modulus p is not a prime - // - // see BigInteger.isProbablePrime(int certainty) - private final static int PRIME_CERTAINTY = 120; - - // the known security property, jdk.tls.server.defaultDHEParameters - private final static String PROPERTY_NAME = - "jdk.tls.server.defaultDHEParameters"; - - private static final Pattern spacesPattern = Pattern.compile("\\s+"); - - private final static Pattern syntaxPattern = Pattern.compile( - "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" + - "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*"); - - private static final Pattern paramsPattern = Pattern.compile( - "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}"); - - // cache of predefined default DH ephemeral parameters - private final static Map definedParams; - - static { - String property = AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return Security.getProperty(PROPERTY_NAME); - } - }); - - if (property != null && !property.isEmpty()) { - // remove double quote marks from beginning/end of the property - if (property.length() >= 2 && property.charAt(0) == '"' && - property.charAt(property.length() - 1) == '"') { - property = property.substring(1, property.length() - 1); - } - - property = property.trim(); - } - - if (property != null && !property.isEmpty()) { - Matcher spacesMatcher = spacesPattern.matcher(property); - property = spacesMatcher.replaceAll(""); - - if (debugIsOn) { - System.out.println("The Security Property " + - PROPERTY_NAME + ": " + property); - } - } - - Map defaultParams = new HashMap<>(); - if (property != null && !property.isEmpty()) { - Matcher syntaxMatcher = syntaxPattern.matcher(property); - if (syntaxMatcher.matches()) { - Matcher paramsFinder = paramsPattern.matcher(property); - while(paramsFinder.find()) { - String primeModulus = paramsFinder.group(1); - BigInteger p = new BigInteger(primeModulus, 16); - if (!p.isProbablePrime(PRIME_CERTAINTY)) { - if (debugIsOn) { - System.out.println( - "Prime modulus p in Security Property, " + - PROPERTY_NAME + ", is not a prime: " + - primeModulus); - } - - continue; - } - - String baseGenerator = paramsFinder.group(2); - BigInteger g = new BigInteger(baseGenerator, 16); - - DHParameterSpec spec = new DHParameterSpec(p, g); - int primeLen = p.bitLength(); - defaultParams.put(primeLen, spec); - } - } else if (debugIsOn) { - System.out.println("Invalid Security Property, " + - PROPERTY_NAME + ", definition"); - } - } - - for (BigInteger p : supportedPrimes) { - int primeLen = p.bitLength(); - defaultParams.putIfAbsent(primeLen, - new DHParameterSpec(p, BigInteger.TWO)); - } - - definedParams = - Collections.unmodifiableMap( - defaultParams); - } - } } + diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ECDHCrypt.java b/jdk/src/java.base/share/classes/sun/security/ssl/ECDHCrypt.java index 929c592d69..7e4f5932a5 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/ECDHCrypt.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ECDHCrypt.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -56,17 +56,17 @@ final class ECDHCrypt { } // Called by ServerHandshaker for ephemeral ECDH - ECDHCrypt(int curveId, SecureRandom random) { + ECDHCrypt(NamedGroup namedGroup, SecureRandom random) { try { KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC"); ECGenParameterSpec params = - EllipticCurvesExtension.getECGenParamSpec(curveId); + SupportedGroupsExtension.getECGenParamSpec(namedGroup); kpg.initialize(params, random); KeyPair kp = kpg.generateKeyPair(); privateKey = kp.getPrivate(); publicKey = (ECPublicKey)kp.getPublic(); } catch (GeneralSecurityException e) { - throw new RuntimeException("Could not generate DH keypair", e); + throw new RuntimeException("Could not generate ECDH keypair", e); } } @@ -79,7 +79,7 @@ final class ECDHCrypt { privateKey = kp.getPrivate(); publicKey = (ECPublicKey)kp.getPublic(); } catch (GeneralSecurityException e) { - throw new RuntimeException("Could not generate DH keypair", e); + throw new RuntimeException("Could not generate ECDH keypair", e); } } diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/EllipticCurvesExtension.java b/jdk/src/java.base/share/classes/sun/security/ssl/EllipticCurvesExtension.java deleted file mode 100644 index c91b25e72e..0000000000 --- a/jdk/src/java.base/share/classes/sun/security/ssl/EllipticCurvesExtension.java +++ /dev/null @@ -1,400 +0,0 @@ -/* - * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.ssl; - -import java.io.IOException; -import java.security.spec.ECParameterSpec; -import java.security.spec.ECGenParameterSpec; -import java.security.spec.InvalidParameterSpecException; -import java.security.AlgorithmParameters; -import java.security.AlgorithmConstraints; -import java.security.CryptoPrimitive; -import java.security.AccessController; -import java.util.EnumSet; -import java.util.HashMap; -import java.util.Map; -import java.util.ArrayList; -import javax.net.ssl.SSLProtocolException; - -import sun.security.action.GetPropertyAction; - -final class EllipticCurvesExtension extends HelloExtension { - - /* Class and subclass dynamic debugging support */ - private static final Debug debug = Debug.getInstance("ssl"); - - private static final int ARBITRARY_PRIME = 0xff01; - private static final int ARBITRARY_CHAR2 = 0xff02; - - // speed up the searching - private static final Map oidToIdMap = new HashMap<>(); - private static final Map idToOidMap = new HashMap<>(); - - // speed up the parameters construction - private static final Map idToParams = new HashMap<>(); - - // the supported elliptic curves - private static final int[] supportedCurveIds; - - // the curves of the extension - private final int[] curveIds; - - // See sun.security.util.CurveDB for the OIDs - private static enum NamedEllipticCurve { - T163_K1(1, "sect163k1", "1.3.132.0.1", true), // NIST K-163 - T163_R1(2, "sect163r1", "1.3.132.0.2", false), - T163_R2(3, "sect163r2", "1.3.132.0.15", true), // NIST B-163 - T193_R1(4, "sect193r1", "1.3.132.0.24", false), - T193_R2(5, "sect193r2", "1.3.132.0.25", false), - T233_K1(6, "sect233k1", "1.3.132.0.26", true), // NIST K-233 - T233_R1(7, "sect233r1", "1.3.132.0.27", true), // NIST B-233 - T239_K1(8, "sect239k1", "1.3.132.0.3", false), - T283_K1(9, "sect283k1", "1.3.132.0.16", true), // NIST K-283 - T283_R1(10, "sect283r1", "1.3.132.0.17", true), // NIST B-283 - T409_K1(11, "sect409k1", "1.3.132.0.36", true), // NIST K-409 - T409_R1(12, "sect409r1", "1.3.132.0.37", true), // NIST B-409 - T571_K1(13, "sect571k1", "1.3.132.0.38", true), // NIST K-571 - T571_R1(14, "sect571r1", "1.3.132.0.39", true), // NIST B-571 - - P160_K1(15, "secp160k1", "1.3.132.0.9", false), - P160_R1(16, "secp160r1", "1.3.132.0.8", false), - P160_R2(17, "secp160r2", "1.3.132.0.30", false), - P192_K1(18, "secp192k1", "1.3.132.0.31", false), - P192_R1(19, "secp192r1", "1.2.840.10045.3.1.1", true), // NIST P-192 - P224_K1(20, "secp224k1", "1.3.132.0.32", false), - P224_R1(21, "secp224r1", "1.3.132.0.33", true), // NIST P-224 - P256_K1(22, "secp256k1", "1.3.132.0.10", false), - P256_R1(23, "secp256r1", "1.2.840.10045.3.1.7", true), // NIST P-256 - P384_R1(24, "secp384r1", "1.3.132.0.34", true), // NIST P-384 - P521_R1(25, "secp521r1", "1.3.132.0.35", true); // NIST P-521 - - int id; - String name; - String oid; - boolean isFips; - - NamedEllipticCurve(int id, String name, String oid, boolean isFips) { - this.id = id; - this.name = name; - this.oid = oid; - this.isFips = isFips; - - if (oidToIdMap.put(oid, id) != null || - idToOidMap.put(id, oid) != null) { - - throw new RuntimeException( - "Duplicate named elliptic curve definition: " + name); - } - } - - static NamedEllipticCurve getCurve(String name, boolean requireFips) { - for (NamedEllipticCurve curve : NamedEllipticCurve.values()) { - if (curve.name.equals(name) && (!requireFips || curve.isFips)) { - return curve; - } - } - - return null; - } - } - - static { - boolean requireFips = SunJSSE.isFIPS(); - - // hack code to initialize NamedEllipticCurve - NamedEllipticCurve nec = - NamedEllipticCurve.getCurve("secp256r1", false); - - // The value of the System Property defines a list of enabled named - // curves in preference order, separated with comma. For example: - // - // jdk.tls.namedGroups="secp521r1, secp256r1, secp384r1" - // - // If the System Property is not defined or the value is empty, the - // default curves and preferences will be used. - String property = AccessController.doPrivileged( - new GetPropertyAction("jdk.tls.namedGroups")); - if (property != null && property.length() != 0) { - // remove double quote marks from beginning/end of the property - if (property.length() > 1 && property.charAt(0) == '"' && - property.charAt(property.length() - 1) == '"') { - property = property.substring(1, property.length() - 1); - } - } - - ArrayList idList; - if (property != null && property.length() != 0) { // customized curves - String[] curves = property.split(","); - idList = new ArrayList<>(curves.length); - for (String curve : curves) { - curve = curve.trim(); - if (!curve.isEmpty()) { - NamedEllipticCurve namedCurve = - NamedEllipticCurve.getCurve(curve, requireFips); - if (namedCurve != null) { - if (isAvailableCurve(namedCurve.id)) { - idList.add(namedCurve.id); - } - } // ignore unknown curves - } - } - if (idList.isEmpty() && JsseJce.isEcAvailable()) { - throw new IllegalArgumentException( - "System property jdk.tls.namedGroups(" + property + ") " + - "contains no supported elliptic curves"); - } - } else { // default curves - int[] ids; - if (requireFips) { - ids = new int[] { - // only NIST curves in FIPS mode - 23, 24, 25, 9, 10, 11, 12, 13, 14, - }; - } else { - ids = new int[] { - // NIST curves first - 23, 24, 25, 9, 10, 11, 12, 13, 14, - // non-NIST curves - 22, - }; - } - - idList = new ArrayList<>(ids.length); - for (int curveId : ids) { - if (isAvailableCurve(curveId)) { - idList.add(curveId); - } - } - } - - if (debug != null && idList.isEmpty()) { - Debug.log( - "Initialized [jdk.tls.namedGroups|default] list contains " + - "no available elliptic curves. " + - (property != null ? "(" + property + ")" : "[Default]")); - } - - supportedCurveIds = new int[idList.size()]; - int i = 0; - for (Integer id : idList) { - supportedCurveIds[i++] = id; - } - } - - // check whether the curve is supported by the underlying providers - private static boolean isAvailableCurve(int curveId) { - String oid = idToOidMap.get(curveId); - if (oid != null) { - AlgorithmParameters params = null; - try { - params = JsseJce.getAlgorithmParameters("EC"); - params.init(new ECGenParameterSpec(oid)); - } catch (Exception e) { - return false; - } - - // cache the parameters - idToParams.put(curveId, params); - - return true; - } - - return false; - } - - private EllipticCurvesExtension(int[] curveIds) { - super(ExtensionType.EXT_ELLIPTIC_CURVES); - - this.curveIds = curveIds; - } - - EllipticCurvesExtension(HandshakeInStream s, int len) - throws IOException { - super(ExtensionType.EXT_ELLIPTIC_CURVES); - - int k = s.getInt16(); - if (((len & 1) != 0) || (k + 2 != len)) { - throw new SSLProtocolException("Invalid " + type + " extension"); - } - - // Note: unknown curves will be ignored later. - curveIds = new int[k >> 1]; - for (int i = 0; i < curveIds.length; i++) { - curveIds[i] = s.getInt16(); - } - } - - // get the preferred active curve - static int getActiveCurves(AlgorithmConstraints constraints) { - return getPreferredCurve(supportedCurveIds, constraints); - } - - static boolean hasActiveCurves(AlgorithmConstraints constraints) { - return getActiveCurves(constraints) >= 0; - } - - static EllipticCurvesExtension createExtension( - AlgorithmConstraints constraints) { - - ArrayList idList = new ArrayList<>(supportedCurveIds.length); - for (int curveId : supportedCurveIds) { - if (constraints.permits( - EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), - "EC", idToParams.get(curveId))) { - idList.add(curveId); - } - } - - if (!idList.isEmpty()) { - int[] ids = new int[idList.size()]; - int i = 0; - for (Integer id : idList) { - ids[i++] = id; - } - - return new EllipticCurvesExtension(ids); - } - - return null; - } - - // get the preferred activated curve - int getPreferredCurve(AlgorithmConstraints constraints) { - return getPreferredCurve(curveIds, constraints); - } - - // get a preferred activated curve - private static int getPreferredCurve(int[] curves, - AlgorithmConstraints constraints) { - for (int curveId : curves) { - if (isSupported(curveId) && constraints.permits( - EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), - "EC", idToParams.get(curveId))) { - return curveId; - } - } - - return -1; - } - - boolean contains(int index) { - for (int curveId : curveIds) { - if (index == curveId) { - return true; - } - } - return false; - } - - @Override - int length() { - return 6 + (curveIds.length << 1); - } - - @Override - void send(HandshakeOutStream s) throws IOException { - s.putInt16(type.id); - int k = curveIds.length << 1; - s.putInt16(k + 2); - s.putInt16(k); - for (int curveId : curveIds) { - s.putInt16(curveId); - } - } - - @Override - public String toString() { - StringBuilder sb = new StringBuilder(); - sb.append("Extension " + type + ", curve names: {"); - boolean first = true; - for (int curveId : curveIds) { - if (first) { - first = false; - } else { - sb.append(", "); - } - // first check if it is a known named curve, then try other cases. - String curveName = getCurveName(curveId); - if (curveName != null) { - sb.append(curveName); - } else if (curveId == ARBITRARY_PRIME) { - sb.append("arbitrary_explicit_prime_curves"); - } else if (curveId == ARBITRARY_CHAR2) { - sb.append("arbitrary_explicit_char2_curves"); - } else { - sb.append("unknown curve " + curveId); - } - } - sb.append("}"); - return sb.toString(); - } - - // Test whether the given curve is supported. - static boolean isSupported(int index) { - for (int curveId : supportedCurveIds) { - if (index == curveId) { - return true; - } - } - - return false; - } - - static int getCurveIndex(ECParameterSpec params) { - String oid = JsseJce.getNamedCurveOid(params); - if (oid == null) { - return -1; - } - Integer n = oidToIdMap.get(oid); - return (n == null) ? -1 : n; - } - - static String getCurveOid(int index) { - return idToOidMap.get(index); - } - - static ECGenParameterSpec getECGenParamSpec(int index) { - AlgorithmParameters params = idToParams.get(index); - try { - return params.getParameterSpec(ECGenParameterSpec.class); - } catch (InvalidParameterSpecException ipse) { - // should be unlikely - String curveOid = getCurveOid(index); - return new ECGenParameterSpec(curveOid); - } - } - - private static String getCurveName(int index) { - for (NamedEllipticCurve namedCurve : NamedEllipticCurve.values()) { - if (namedCurve.id == index) { - return namedCurve.name; - } - } - - return null; - } -} diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java b/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java index be64dfde62..5338807bbd 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -82,9 +82,9 @@ final class ExtensionType { static final ExtensionType EXT_CERT_TYPE = e(0x0009, "cert_type"); // IANA registry value: 9 - // extensions defined in RFC 4492 (ECC) - static final ExtensionType EXT_ELLIPTIC_CURVES = - e(0x000A, "elliptic_curves"); // IANA registry value: 10 + // extensions defined in RFC 4492 (ECC) and RFC 7919 (FFDHE) + static final ExtensionType EXT_SUPPORTED_GROUPS = + e(0x000A, "supported_groups"); // IANA registry value: 10 static final ExtensionType EXT_EC_POINT_FORMATS = e(0x000B, "ec_point_formats"); // IANA registry value: 11 diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java index 4717fbba17..8477456c4d 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1369,8 +1369,9 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { private static final int CURVE_EXPLICIT_CHAR2 = 2; private static final int CURVE_NAMED_CURVE = 3; - // id of the curve we are using - private int curveId; + // id of the named group we are using + private int groupId; + // encoded public point private byte[] pointBytes; @@ -1389,7 +1390,8 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey, byte[] clntNonce, byte[] svrNonce, SecureRandom sr, SignatureAndHashAlgorithm signAlgorithm, - ProtocolVersion protocolVersion) throws GeneralSecurityException { + ProtocolVersion protocolVersion) + throws SSLHandshakeException, GeneralSecurityException { this.protocolVersion = protocolVersion; @@ -1397,7 +1399,14 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { ECParameterSpec params = publicKey.getParams(); ECPoint point = publicKey.getW(); pointBytes = JsseJce.encodePoint(point, params.getCurve()); - curveId = EllipticCurvesExtension.getCurveIndex(params); + + NamedGroup namedGroup = NamedGroup.valueOf(params); + if ((namedGroup == null) || (namedGroup.oid == null) ){ + // unlikely + throw new SSLHandshakeException( + "Unnamed EC parameter spec: " + params); + } + groupId = namedGroup.id; if (privateKey == null) { // ECDH_anon @@ -1434,20 +1443,27 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { // These parsing errors should never occur as we negotiated // the supported curves during the exchange of the Hello messages. if (curveType == CURVE_NAMED_CURVE) { - curveId = input.getInt16(); - if (!EllipticCurvesExtension.isSupported(curveId)) { + groupId = input.getInt16(); + NamedGroup namedGroup = NamedGroup.valueOf(groupId); + if (namedGroup == null) { throw new SSLHandshakeException( - "Unsupported curveId: " + curveId); + "Unknown named group ID: " + groupId); } - String curveOid = EllipticCurvesExtension.getCurveOid(curveId); - if (curveOid == null) { + + if (!SupportedGroupsExtension.supports(namedGroup)) { throw new SSLHandshakeException( - "Unknown named curve: " + curveId); + "Unsupported named group: " + namedGroup); } - parameters = JsseJce.getECParameterSpec(curveOid); + + if (namedGroup.oid == null) { + throw new SSLHandshakeException( + "Unknown named EC curve: " + namedGroup); + } + + parameters = JsseJce.getECParameterSpec(namedGroup.oid); if (parameters == null) { throw new SSLHandshakeException( - "Unsupported curve: " + curveOid); + "No supported EC parameter for named group: " + namedGroup); } } else { throw new SSLHandshakeException( @@ -1530,8 +1546,8 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { sig.update(svrNonce); sig.update((byte)CURVE_NAMED_CURVE); - sig.update((byte)(curveId >> 8)); - sig.update((byte)curveId); + sig.update((byte)(groupId >> 8)); + sig.update((byte)groupId); sig.update((byte)pointBytes.length); sig.update(pointBytes); } @@ -1552,7 +1568,7 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange { @Override void send(HandshakeOutStream s) throws IOException { s.putInt8(CURVE_NAMED_CURVE); - s.putInt16(curveId); + s.putInt16(groupId); s.putBytes8(pointBytes); if (signatureBytes != null) { diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java index f830bc70ce..e26495b3c5 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -52,6 +52,7 @@ import sun.security.ssl.CipherSuite.*; import static sun.security.ssl.CipherSuite.PRF.*; import static sun.security.ssl.CipherSuite.CipherType.*; +import static sun.security.ssl.NamedGroupType.*; /** * Handshaker ... processes handshake records from an SSL V3.0 @@ -685,42 +686,14 @@ abstract class Handshaker { ArrayList suites = new ArrayList<>(); if (!(activeProtocols.collection().isEmpty()) && activeProtocols.min.v != ProtocolVersion.NONE.v) { - boolean checkedCurves = false; - boolean hasCurves = false; + Map cachedStatus = + new EnumMap<>(NamedGroupType.class); for (CipherSuite suite : enabledCipherSuites.collection()) { - if (!activeProtocols.min.obsoletes(suite) && + if (suite.isAvailable() && + (!activeProtocols.min.obsoletes(suite)) && activeProtocols.max.supports(suite)) { - if (algorithmConstraints.permits( - EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), - suite.name, null)) { - - boolean available = true; - if (suite.keyExchange.isEC) { - if (!checkedCurves) { - hasCurves = EllipticCurvesExtension - .hasActiveCurves(algorithmConstraints); - checkedCurves = true; - - if (!hasCurves && debug != null && - Debug.isOn("verbose")) { - System.out.println( - "No available elliptic curves"); - } - } - - available = hasCurves; - - if (!available && debug != null && - Debug.isOn("verbose")) { - System.out.println( - "No active elliptic curves, ignore " + - suite); - } - } - - if (available) { - suites.add(suite); - } + if (isActivatable(suite, cachedStatus)) { + suites.add(suite); } } else if (debug != null && Debug.isOn("verbose")) { if (activeProtocols.min.obsoletes(suite)) { @@ -779,46 +752,15 @@ abstract class Handshaker { } boolean found = false; + Map cachedStatus = + new EnumMap<>(NamedGroupType.class); for (CipherSuite suite : enabledCipherSuites.collection()) { if (suite.isAvailable() && (!protocol.obsoletes(suite)) && protocol.supports(suite)) { - if (algorithmConstraints.permits( - EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), - suite.name, null)) { - - boolean available = true; - if (suite.keyExchange.isEC) { - if (!checkedCurves) { - hasCurves = EllipticCurvesExtension - .hasActiveCurves(algorithmConstraints); - checkedCurves = true; - - if (!hasCurves && debug != null && - Debug.isOn("verbose")) { - System.out.println( - "No activated elliptic curves"); - } - } - - available = hasCurves; - - if (!available && debug != null && - Debug.isOn("verbose")) { - System.out.println( - "No active elliptic curves, ignore " + - suite + " for " + protocol); - } - } - - if (available) { - protocols.add(protocol); - found = true; - break; - } - } else if (debug != null && Debug.isOn("verbose")) { - System.out.println( - "Ignoring disabled cipher suite: " + suite + - " for " + protocol); + if (isActivatable(suite, cachedStatus)) { + protocols.add(protocol); + found = true; + break; } } else if (debug != null && Debug.isOn("verbose")) { System.out.println( @@ -826,6 +768,7 @@ abstract class Handshaker { " for " + protocol); } } + if (!found && (debug != null) && Debug.isOn("handshake")) { System.out.println( "No available cipher suite for " + protocol); @@ -842,6 +785,43 @@ abstract class Handshaker { return activeProtocols; } + private boolean isActivatable(CipherSuite suite, + Map cachedStatus) { + + if (algorithmConstraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) { + boolean available = true; + NamedGroupType groupType = suite.keyExchange.groupType; + if (groupType != NAMED_GROUP_NONE) { + Boolean checkedStatus = cachedStatus.get(groupType); + if (checkedStatus == null) { + available = SupportedGroupsExtension.isActivatable( + algorithmConstraints, groupType); + cachedStatus.put(groupType, available); + + if (!available && debug != null && Debug.isOn("verbose")) { + System.out.println("No activated named group"); + } + } else { + available = checkedStatus.booleanValue(); + } + + if (!available && debug != null && Debug.isOn("verbose")) { + System.out.println( + "No active named group, ignore " + suite); + } + + return available; + } else { + return true; + } + } else if (debug != null && Debug.isOn("verbose")) { + System.out.println("Ignoring disabled cipher suite: " + suite); + } + + return false; + } + /** * As long as handshaking has not activated, we can * change whether session creations are allowed. diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java b/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java index f831db1239..82975c962f 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,7 +49,7 @@ import javax.net.ssl.*; * explicitly support. * . ServerNameExtension: the server_name extension. * . SignatureAlgorithmsExtension: the signature_algorithms extension. - * . EllipticCurvesExtension: the ECC supported curves extension. + * . SupportedGroupsExtension: the supported groups extension. * . EllipticPointFormatsExtension: the ECC supported point formats * (compressed/uncompressed) extension. * . ALPNExtension: the application_layer_protocol_negotiation extension. @@ -79,8 +79,8 @@ final class HelloExtensions { extension = new ServerNameExtension(s, extlen); } else if (extType == ExtensionType.EXT_SIGNATURE_ALGORITHMS) { extension = new SignatureAlgorithmsExtension(s, extlen); - } else if (extType == ExtensionType.EXT_ELLIPTIC_CURVES) { - extension = new EllipticCurvesExtension(s, extlen); + } else if (extType == ExtensionType.EXT_SUPPORTED_GROUPS) { + extension = new SupportedGroupsExtension(s, extlen); } else if (extType == ExtensionType.EXT_EC_POINT_FORMATS) { extension = new EllipticPointFormatsExtension(s, extlen); } else if (extType == ExtensionType.EXT_RENEGOTIATION_INFO) { diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java b/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java new file mode 100644 index 0000000000..452e839a20 --- /dev/null +++ b/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroup.java @@ -0,0 +1,169 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.security.spec.ECParameterSpec; +import java.security.spec.ECGenParameterSpec; +import static sun.security.ssl.NamedGroupType.*; + +enum NamedGroup { + // Elliptic Curves (RFC 4492) + // + // See sun.security.util.CurveDB for the OIDs + + // NIST K-163 + SECT163_K1(1, NAMED_GROUP_ECDHE, "sect163k1", "1.3.132.0.1", true), + + SECT163_R1(2, NAMED_GROUP_ECDHE, "sect163r1", "1.3.132.0.2", false), + + // NIST B-163 + SECT163_R2(3, NAMED_GROUP_ECDHE, "sect163r2", "1.3.132.0.15", true), + + SECT193_R1(4, NAMED_GROUP_ECDHE, "sect193r1", "1.3.132.0.24", false), + SECT193_R2(5, NAMED_GROUP_ECDHE, "sect193r2", "1.3.132.0.25", false), + + // NIST K-233 + SECT233_K1(6, NAMED_GROUP_ECDHE, "sect233k1", "1.3.132.0.26", true), + + // NIST B-233 + SECT233_R1(7, NAMED_GROUP_ECDHE, "sect233r1", "1.3.132.0.27", true), + + SECT239_K1(8, NAMED_GROUP_ECDHE, "sect239k1", "1.3.132.0.3", false), + + // NIST K-283 + SECT283_K1(9, NAMED_GROUP_ECDHE, "sect283k1", "1.3.132.0.16", true), + + // NIST B-283 + SECT283_R1(10, NAMED_GROUP_ECDHE, "sect283r1", "1.3.132.0.17", true), + + // NIST K-409 + SECT409_K1(11, NAMED_GROUP_ECDHE, "sect409k1", "1.3.132.0.36", true), + + // NIST B-409 + SECT409_R1(12, NAMED_GROUP_ECDHE, "sect409r1", "1.3.132.0.37", true), + + // NIST K-571 + SECT571_K1(13, NAMED_GROUP_ECDHE, "sect571k1", "1.3.132.0.38", true), + + // NIST B-571 + SECT571_R1(14, NAMED_GROUP_ECDHE, "sect571r1", "1.3.132.0.39", true), + + SECP160_K1(15, NAMED_GROUP_ECDHE, "secp160k1", "1.3.132.0.9", false), + SECP160_R1(16, NAMED_GROUP_ECDHE, "secp160r1", "1.3.132.0.8", false), + SECP160_R2(17, NAMED_GROUP_ECDHE, "secp160r2", "1.3.132.0.30", false), + SECP192_K1(18, NAMED_GROUP_ECDHE, "secp192k1", "1.3.132.0.31", false), + + // NIST P-192 + SECP192_R1(19, NAMED_GROUP_ECDHE, "secp192r1", "1.2.840.10045.3.1.1", true), + + SECP224_K1(20, NAMED_GROUP_ECDHE, "secp224k1", "1.3.132.0.32", false), + // NIST P-224 + SECP224_R1(21, NAMED_GROUP_ECDHE, "secp224r1", "1.3.132.0.33", true), + + SECP256_K1(22, NAMED_GROUP_ECDHE, "secp256k1", "1.3.132.0.10", false), + + // NIST P-256 + SECP256_R1(23, NAMED_GROUP_ECDHE, "secp256r1", "1.2.840.10045.3.1.7", true), + + // NIST P-384 + SECP384_R1(24, NAMED_GROUP_ECDHE, "secp384r1", "1.3.132.0.34", true), + + // NIST P-521 + SECP521_R1(25, NAMED_GROUP_ECDHE, "secp521r1", "1.3.132.0.35", true), + + // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919) + FFDHE_2048(256, NAMED_GROUP_FFDHE, "ffdhe2048", true), + FFDHE_3072(257, NAMED_GROUP_FFDHE, "ffdhe3072", true), + FFDHE_4096(258, NAMED_GROUP_FFDHE, "ffdhe4096", true), + FFDHE_6144(259, NAMED_GROUP_FFDHE, "ffdhe6144", true), + FFDHE_8192(260, NAMED_GROUP_FFDHE, "ffdhe8192", true); + + int id; + NamedGroupType type; + String name; + String oid; + String algorithm; + boolean isFips; + + // Constructor used for Elliptic Curve Groups (ECDHE) + NamedGroup(int id, NamedGroupType type, + String name, String oid, boolean isFips) { + this.id = id; + this.type = type; + this.name = name; + this.oid = oid; + this.algorithm = "EC"; + this.isFips = isFips; + } + + // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE) + NamedGroup(int id, NamedGroupType type, String name, boolean isFips) { + this.id = id; + this.type = type; + this.name = name; + this.oid = null; + this.algorithm = "DiffieHellman"; + this.isFips = isFips; + } + + static NamedGroup valueOf(int id) { + for (NamedGroup group : NamedGroup.values()) { + if (group.id == id) { + return group; + } + } + + return null; + } + + static NamedGroup nameOf(String name) { + for (NamedGroup group : NamedGroup.values()) { + if (group.name.equals(name)) { + return group; + } + } + + return null; + } + + static NamedGroup valueOf(ECParameterSpec params) { + String oid = JsseJce.getNamedCurveOid(params); + if ((oid != null) && (!oid.isEmpty())) { + for (NamedGroup group : NamedGroup.values()) { + if (oid.equals(group.oid)) { + return group; + } + } + } + + return null; + } + + @Override + public String toString() { + return this.name; + } +} diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroupType.java b/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroupType.java new file mode 100644 index 0000000000..0e0c982e4a --- /dev/null +++ b/jdk/src/java.base/share/classes/sun/security/ssl/NamedGroupType.java @@ -0,0 +1,32 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +enum NamedGroupType { + NAMED_GROUP_ECDHE, // Elliptic Curve Groups (ECDHE) + NAMED_GROUP_FFDHE, // Finite Field Groups (DHE) + NAMED_GROUP_NONE // No predefined named group +} diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java b/jdk/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java new file mode 100644 index 0000000000..54d8c7d310 --- /dev/null +++ b/jdk/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java @@ -0,0 +1,314 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.security.*; +import java.math.BigInteger; +import java.util.regex.Pattern; +import java.util.regex.Matcher; +import java.util.Map; +import java.util.HashMap; +import java.util.Collections; +import javax.crypto.spec.DHParameterSpec; + +/** + * Predefined default DH ephemeral parameters. + */ +final class PredefinedDHParameterSpecs { + private final static boolean debugIsOn = + (Debug.getInstance("ssl") != null) && Debug.isOn("sslctx"); + + // + // Default DH ephemeral parameters + // + private static final BigInteger p512 = new BigInteger( // generated + "D87780E15FF50B4ABBE89870188B049406B5BEA98AB23A02" + + "41D88EA75B7755E669C08093D3F0CA7FC3A5A25CF067DCB9" + + "A43DD89D1D90921C6328884461E0B6D3", 16); + private static final BigInteger p768 = new BigInteger( // RFC 2409 + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + + "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16); + + private static final BigInteger p1024 = new BigInteger( // RFC 2409 + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" + + "FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p1536 = new BigInteger( // RFC 3526 + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p2048 = new BigInteger( // TLS FFDHE + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + + "886B423861285C97FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p3072 = new BigInteger( // TLS FFDHE + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + + "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p4096 = new BigInteger( // TLS FFDHE + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" + + "FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p6144 = new BigInteger( // TLS FFDHE + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + + "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + + "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + + "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + + "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + + "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + + "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + + "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + + "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + + "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + + "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + + "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF", 16); + private static final BigInteger p8192 = new BigInteger( // TLS FFDHE + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + + "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + + "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + + "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + + "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + + "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + + "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + + "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + + "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + + "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + + "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + + "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" + + "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" + + "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" + + "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" + + "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" + + "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" + + "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" + + "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" + + "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" + + "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" + + "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" + + "D68C8BB7C5C6424CFFFFFFFFFFFFFFFF", 16); + + private static final BigInteger[] supportedPrimes = { + p512, p768, p1024, p1536, p2048, p3072, p4096, p6144, p8192}; + + private static final BigInteger[] ffdhePrimes = { + p2048, p3072, p4096, p6144, p8192}; + + // a measure of the uncertainty that prime modulus p is not a prime + // + // see BigInteger.isProbablePrime(int certainty) + private final static int PRIME_CERTAINTY = 120; + + // the known security property, jdk.tls.server.defaultDHEParameters + private final static String PROPERTY_NAME = + "jdk.tls.server.defaultDHEParameters"; + + private static final Pattern spacesPattern = Pattern.compile("\\s+"); + + private final static Pattern syntaxPattern = Pattern.compile( + "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" + + "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*"); + + private static final Pattern paramsPattern = Pattern.compile( + "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}"); + + // cache of predefined default DH ephemeral parameters + final static Map definedParams; + + // cache of Finite Field DH Ephemeral parameters (RFC 7919/FFDHE) + final static Map ffdheParams; + + static { + String property = AccessController.doPrivileged( + new PrivilegedAction() { + public String run() { + return Security.getProperty(PROPERTY_NAME); + } + }); + + if (property != null && !property.isEmpty()) { + // remove double quote marks from beginning/end of the property + if (property.length() >= 2 && property.charAt(0) == '"' && + property.charAt(property.length() - 1) == '"') { + property = property.substring(1, property.length() - 1); + } + + property = property.trim(); + } + + if (property != null && !property.isEmpty()) { + Matcher spacesMatcher = spacesPattern.matcher(property); + property = spacesMatcher.replaceAll(""); + + if (debugIsOn) { + System.out.println("The Security Property " + + PROPERTY_NAME + ": " + property); + } + } + + Map defaultParams = new HashMap<>(); + if (property != null && !property.isEmpty()) { + Matcher syntaxMatcher = syntaxPattern.matcher(property); + if (syntaxMatcher.matches()) { + Matcher paramsFinder = paramsPattern.matcher(property); + while(paramsFinder.find()) { + String primeModulus = paramsFinder.group(1); + BigInteger p = new BigInteger(primeModulus, 16); + if (!p.isProbablePrime(PRIME_CERTAINTY)) { + if (debugIsOn) { + System.out.println( + "Prime modulus p in Security Property, " + + PROPERTY_NAME + ", is not a prime: " + + primeModulus); + } + + continue; + } + + String baseGenerator = paramsFinder.group(2); + BigInteger g = new BigInteger(baseGenerator, 16); + + DHParameterSpec spec = new DHParameterSpec(p, g); + int primeLen = p.bitLength(); + defaultParams.put(primeLen, spec); + } + } else if (debugIsOn) { + System.out.println("Invalid Security Property, " + + PROPERTY_NAME + ", definition"); + } + } + + Map tempFFDHEs = new HashMap<>(); + for (BigInteger p : ffdhePrimes) { + int primeLen = p.bitLength(); + DHParameterSpec dhps = new DHParameterSpec(p, BigInteger.TWO); + tempFFDHEs.put(primeLen, dhps); + defaultParams.putIfAbsent(primeLen, dhps); + } + + for (BigInteger p : supportedPrimes) { + int primeLen = p.bitLength(); + if (defaultParams.get(primeLen) == null) { + defaultParams.put(primeLen, + new DHParameterSpec(p, BigInteger.TWO)); + } + } + + ffdheParams = + Collections.unmodifiableMap(tempFFDHEs); + definedParams = + Collections.unmodifiableMap(defaultParams); + } +} diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java index 4ad18b163e..85b96cd3f8 100644 --- a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java +++ b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -96,7 +96,7 @@ final class ServerHandshaker extends Handshaker { private ProtocolVersion clientRequestedVersion; // client supported elliptic curves - private EllipticCurvesExtension requestedCurves; + private SupportedGroupsExtension requestedGroups; // the preferable signature algorithm used by ServerKeyExchange message SignatureAndHashAlgorithm preferableSignatureAlgorithm; @@ -751,8 +751,8 @@ final class ServerHandshaker extends Handshaker { throw new SSLException("Client did not resume a session"); } - requestedCurves = (EllipticCurvesExtension) - mesg.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES); + requestedGroups = (SupportedGroupsExtension) + mesg.extensions.get(ExtensionType.EXT_SUPPORTED_GROUPS); // We only need to handle the "signature_algorithm" extension // for full handshakes and TLS 1.2 or later. @@ -1341,6 +1341,8 @@ final class ServerHandshaker extends Handshaker { } } + // The named group used for ECDHE and FFDHE. + NamedGroup namedGroup = null; switch (keyExchange) { case K_RSA: // need RSA certs for authentication @@ -1366,6 +1368,37 @@ final class ServerHandshaker extends Handshaker { } break; case K_DHE_RSA: + // Is ephemeral DH cipher suite usable for the connection? + // + // [RFC 7919] If a compatible TLS server receives a Supported + // Groups extension from a client that includes any FFDHE group + // (i.e., any codepoint between 256 and 511, inclusive, even if + // unknown to the server), and if none of the client-proposed + // FFDHE groups are known and acceptable to the server, then + // the server MUST NOT select an FFDHE cipher suite. In this + // case, the server SHOULD select an acceptable non-FFDHE cipher + // suite from the client's offered list. If the extension is + // present with FFDHE groups, none of the client's offered + // groups are acceptable by the server, and none of the client's + // proposed non-FFDHE cipher suites are acceptable to the server, + // the server MUST end the connection with a fatal TLS alert + // of type insufficient_security(71). + // + // Note: For compatibility, if an application is customized to + // use legacy sizes (512 bits for exportable cipher suites and + // 768 bits for others), or the cipher suite is exportable, the + // FFDHE extension will not be used. + if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) && + (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) { + + namedGroup = requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE); + if (namedGroup == null) { + // no match found, cannot use this cipher suite. + return false; + } + } + // need RSA certs for authentication if (setupPrivateKeyAndChain("RSA") == false) { return false; @@ -1386,9 +1419,20 @@ final class ServerHandshaker extends Handshaker { } } - setupEphemeralDHKeys(suite.exportable, privateKey); + setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey); break; case K_ECDHE_RSA: + // Is ECDHE cipher suite usable for the connection? + namedGroup = (requestedGroups != null) ? + requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) : + SupportedGroupsExtension.getPreferredECGroup( + algorithmConstraints); + if (namedGroup == null) { + // no match found, cannot use this ciphersuite + return false; + } + // need RSA certs for authentication if (setupPrivateKeyAndChain("RSA") == false) { return false; @@ -1409,11 +1453,23 @@ final class ServerHandshaker extends Handshaker { } } - if (setupEphemeralECDHKeys() == false) { - return false; - } + setupEphemeralECDHKeys(namedGroup); break; case K_DHE_DSS: + // Is ephemeral DH cipher suite usable for the connection? + // + // See comment in K_DHE_RSA case. + if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) && + (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) { + + namedGroup = requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE); + if (namedGroup == null) { + // no match found, cannot use this cipher suite. + return false; + } + } + // get preferable peer signature algorithm for server key exchange if (protocolVersion.useTLS12PlusSpec()) { preferableSignatureAlgorithm = @@ -1434,9 +1490,20 @@ final class ServerHandshaker extends Handshaker { return false; } - setupEphemeralDHKeys(suite.exportable, privateKey); + setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey); break; case K_ECDHE_ECDSA: + // Is ECDHE cipher suite usable for the connection? + namedGroup = (requestedGroups != null) ? + requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) : + SupportedGroupsExtension.getPreferredECGroup( + algorithmConstraints); + if (namedGroup == null) { + // no match found, cannot use this ciphersuite + return false; + } + // get preferable peer signature algorithm for server key exchange if (protocolVersion.useTLS12PlusSpec()) { preferableSignatureAlgorithm = @@ -1456,9 +1523,8 @@ final class ServerHandshaker extends Handshaker { if (setupPrivateKeyAndChain("EC") == false) { return false; } - if (setupEphemeralECDHKeys() == false) { - return false; - } + + setupEphemeralECDHKeys(namedGroup); break; case K_ECDH_RSA: // need EC cert @@ -1475,14 +1541,36 @@ final class ServerHandshaker extends Handshaker { setupStaticECDHKeys(); break; case K_DH_ANON: + // Is ephemeral DH cipher suite usable for the connection? + // + // See comment in K_DHE_RSA case. + if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) && + (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) { + namedGroup = requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE); + if (namedGroup == null) { + // no match found, cannot use this cipher suite. + return false; + } + } + // no certs needed for anonymous - setupEphemeralDHKeys(suite.exportable, null); + setupEphemeralDHKeys(namedGroup, suite.exportable, null); break; case K_ECDH_ANON: - // no certs needed for anonymous - if (setupEphemeralECDHKeys() == false) { + // Is ECDHE cipher suite usable for the connection? + namedGroup = (requestedGroups != null) ? + requestedGroups.getPreferredGroup( + algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) : + SupportedGroupsExtension.getPreferredECGroup( + algorithmConstraints); + if (namedGroup == null) { + // no match found, cannot use this ciphersuite return false; } + + // no certs needed for anonymous + setupEphemeralECDHKeys(namedGroup); break; default: ClientKeyExchangeService p = @@ -1544,7 +1632,15 @@ final class ServerHandshaker extends Handshaker { * Acquire some "ephemeral" Diffie-Hellman keys for this handshake. * We don't reuse these, for improved forward secrecy. */ - private void setupEphemeralDHKeys(boolean export, Key key) { + private void setupEphemeralDHKeys( + NamedGroup namedGroup, boolean export, Key key) { + // Are the client and server willing to negotiate FFDHE groups? + if ((!useLegacyEphemeralDHKeys) && (!export) && (namedGroup != null)) { + dh = new DHCrypt(namedGroup, sslContext.getSecureRandom()); + + return; + } // Otherwise, the client is not compatible with FFDHE extension. + /* * 768 bits ephemeral DH private keys were used to be used in * ServerKeyExchange except that exportable ciphers max out at 512 @@ -1613,20 +1709,11 @@ final class ServerHandshaker extends Handshaker { dh = new DHCrypt(keySize, sslContext.getSecureRandom()); } - // Setup the ephemeral ECDH parameters. - // If we cannot continue because we do not support any of the curves that - // the client requested, return false. Otherwise (all is well), return true. - private boolean setupEphemeralECDHKeys() { - int index = (requestedCurves != null) ? - requestedCurves.getPreferredCurve(algorithmConstraints) : - EllipticCurvesExtension.getActiveCurves(algorithmConstraints); - if (index < 0) { - // no match found, cannot use this ciphersuite - return false; - } - - ecdh = new ECDHCrypt(index, sslContext.getSecureRandom()); - return true; + /** + * Setup the ephemeral ECDH parameters. + */ + private void setupEphemeralECDHKeys(NamedGroup namedGroup) { + ecdh = new ECDHCrypt(namedGroup, sslContext.getSecureRandom()); } private void setupStaticECDHKeys() { @@ -1674,9 +1761,11 @@ final class ServerHandshaker extends Handshaker { return false; } ECParameterSpec params = ((ECPublicKey)publicKey).getParams(); - int id = EllipticCurvesExtension.getCurveIndex(params); - if ((id <= 0) || !EllipticCurvesExtension.isSupported(id) || - ((requestedCurves != null) && !requestedCurves.contains(id))) { + NamedGroup namedGroup = NamedGroup.valueOf(params); + if ((namedGroup == null) || + (!SupportedGroupsExtension.supports(namedGroup)) || + ((requestedGroups != null) && + !requestedGroups.contains(namedGroup.id))) { return false; } } diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java b/jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java new file mode 100644 index 0000000000..b33cc1e6e5 --- /dev/null +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java @@ -0,0 +1,491 @@ +/* + * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.ssl; + +import java.io.IOException; +import java.security.spec.ECGenParameterSpec; +import java.security.spec.InvalidParameterSpecException; +import java.security.AlgorithmParameters; +import java.security.AlgorithmConstraints; +import java.security.CryptoPrimitive; +import java.security.AccessController; +import java.security.spec.AlgorithmParameterSpec; +import javax.crypto.spec.DHParameterSpec; +import java.util.EnumSet; +import java.util.HashMap; +import java.util.Map; +import java.util.ArrayList; +import javax.net.ssl.SSLProtocolException; + +import sun.security.action.GetPropertyAction; + +// +// Note: Since RFC 7919, the extension's semantics are expanded from +// "Supported Elliptic Curves" to "Supported Groups". The enum datatype +// used in the extension has been renamed from NamedCurve to NamedGroup. +// Its semantics are likewise expanded from "named curve" to "named group". +// +final class SupportedGroupsExtension extends HelloExtension { + + /* Class and subclass dynamic debugging support */ + private static final Debug debug = Debug.getInstance("ssl"); + + private static final int ARBITRARY_PRIME = 0xff01; + private static final int ARBITRARY_CHAR2 = 0xff02; + + // cache to speed up the parameters construction + private static final Map namedGroupParams = new HashMap<>(); + + // the supported named groups + private static final NamedGroup[] supportedNamedGroups; + + // the named group presented in the extension + private final int[] requestedNamedGroupIds; + + static { + boolean requireFips = SunJSSE.isFIPS(); + + // The value of the System Property defines a list of enabled named + // groups in preference order, separated with comma. For example: + // + // jdk.tls.namedGroups="secp521r1, secp256r1, ffdhe2048" + // + // If the System Property is not defined or the value is empty, the + // default groups and preferences will be used. + String property = AccessController.doPrivileged( + new GetPropertyAction("jdk.tls.namedGroups")); + if (property != null && property.length() != 0) { + // remove double quote marks from beginning/end of the property + if (property.length() > 1 && property.charAt(0) == '"' && + property.charAt(property.length() - 1) == '"') { + property = property.substring(1, property.length() - 1); + } + } + + ArrayList groupList; + if (property != null && property.length() != 0) { // customized groups + String[] groups = property.split(","); + groupList = new ArrayList<>(groups.length); + for (String group : groups) { + group = group.trim(); + if (!group.isEmpty()) { + NamedGroup namedGroup = NamedGroup.nameOf(group); + if (namedGroup != null && + (!requireFips || namedGroup.isFips)) { + if (isAvailableGroup(namedGroup)) { + groupList.add(namedGroup); + } + } // ignore unknown groups + } + } + + if (groupList.isEmpty() && JsseJce.isEcAvailable()) { + throw new IllegalArgumentException( + "System property jdk.tls.namedGroups(" + property + ") " + + "contains no supported elliptic curves"); + } + } else { // default groups + NamedGroup[] groups; + if (requireFips) { + groups = new NamedGroup[] { + // only NIST curves in FIPS mode + NamedGroup.SECP256_R1, + NamedGroup.SECP384_R1, + NamedGroup.SECP521_R1, + NamedGroup.SECT283_K1, + NamedGroup.SECT283_R1, + NamedGroup.SECT409_K1, + NamedGroup.SECT409_R1, + NamedGroup.SECT571_K1, + NamedGroup.SECT571_R1, + + // FFDHE 2048 + NamedGroup.FFDHE_2048, + NamedGroup.FFDHE_3072, + NamedGroup.FFDHE_4096, + NamedGroup.FFDHE_6144, + NamedGroup.FFDHE_8192, + }; + } else { + groups = new NamedGroup[] { + // NIST curves first + NamedGroup.SECP256_R1, + NamedGroup.SECP384_R1, + NamedGroup.SECP521_R1, + NamedGroup.SECT283_K1, + NamedGroup.SECT283_R1, + NamedGroup.SECT409_K1, + NamedGroup.SECT409_R1, + NamedGroup.SECT571_K1, + NamedGroup.SECT571_R1, + + // non-NIST curves + NamedGroup.SECP256_K1, + + // FFDHE 2048 + NamedGroup.FFDHE_2048, + NamedGroup.FFDHE_3072, + NamedGroup.FFDHE_4096, + NamedGroup.FFDHE_6144, + NamedGroup.FFDHE_8192, + }; + } + + groupList = new ArrayList<>(groups.length); + for (NamedGroup group : groups) { + if (isAvailableGroup(group)) { + groupList.add(group); + } + } + } + + if (debug != null && groupList.isEmpty()) { + Debug.log( + "Initialized [jdk.tls.namedGroups|default] list contains " + + "no available elliptic curves. " + + (property != null ? "(" + property + ")" : "[Default]")); + } + + supportedNamedGroups = new NamedGroup[groupList.size()]; + int i = 0; + for (NamedGroup namedGroup : groupList) { + supportedNamedGroups[i++] = namedGroup; + } + } + + // check whether the group is supported by the underlying providers + private static boolean isAvailableGroup(NamedGroup namedGroup) { + AlgorithmParameters params = null; + AlgorithmParameterSpec spec = null; + if ("EC".equals(namedGroup.algorithm)) { + if (namedGroup.oid != null) { + try { + params = JsseJce.getAlgorithmParameters("EC"); + spec = new ECGenParameterSpec(namedGroup.oid); + } catch (Exception e) { + return false; + } + } + } else if ("DiffieHellman".equals(namedGroup.algorithm)) { + try { + params = JsseJce.getAlgorithmParameters("DiffieHellman"); + spec = getFFDHEDHParameterSpec(namedGroup); + } catch (Exception e) { + return false; + } + } + + if ((params != null) && (spec != null)) { + try { + params.init(spec); + } catch (Exception e) { + return false; + } + + // cache the parameters + namedGroupParams.put(namedGroup, params); + + return true; + } + + return false; + } + + private static DHParameterSpec getFFDHEDHParameterSpec( + NamedGroup namedGroup) { + DHParameterSpec spec = null; + switch (namedGroup) { + case FFDHE_2048: + spec = PredefinedDHParameterSpecs.ffdheParams.get(2048); + break; + case FFDHE_3072: + spec = PredefinedDHParameterSpecs.ffdheParams.get(3072); + break; + case FFDHE_4096: + spec = PredefinedDHParameterSpecs.ffdheParams.get(4096); + break; + case FFDHE_6144: + spec = PredefinedDHParameterSpecs.ffdheParams.get(6144); + break; + case FFDHE_8192: + spec = PredefinedDHParameterSpecs.ffdheParams.get(8192); + } + + return spec; + } + + private static DHParameterSpec getPredefinedDHParameterSpec( + NamedGroup namedGroup) { + DHParameterSpec spec = null; + switch (namedGroup) { + case FFDHE_2048: + spec = PredefinedDHParameterSpecs.definedParams.get(2048); + break; + case FFDHE_3072: + spec = PredefinedDHParameterSpecs.definedParams.get(3072); + break; + case FFDHE_4096: + spec = PredefinedDHParameterSpecs.definedParams.get(4096); + break; + case FFDHE_6144: + spec = PredefinedDHParameterSpecs.definedParams.get(6144); + break; + case FFDHE_8192: + spec = PredefinedDHParameterSpecs.definedParams.get(8192); + } + + return spec; + } + + private SupportedGroupsExtension(int[] requestedNamedGroupIds) { + super(ExtensionType.EXT_SUPPORTED_GROUPS); + + this.requestedNamedGroupIds = requestedNamedGroupIds; + } + + SupportedGroupsExtension(HandshakeInStream s, int len) throws IOException { + super(ExtensionType.EXT_SUPPORTED_GROUPS); + + int k = s.getInt16(); + if (((len & 1) != 0) || (k == 0) || (k + 2 != len)) { + throw new SSLProtocolException("Invalid " + type + " extension"); + } + + // Note: unknown named group will be ignored later. + requestedNamedGroupIds = new int[k >> 1]; + for (int i = 0; i < requestedNamedGroupIds.length; i++) { + requestedNamedGroupIds[i] = s.getInt16(); + } + } + + // Get a local preferred supported ECDHE group permitted by the constraints. + static NamedGroup getPreferredECGroup(AlgorithmConstraints constraints) { + for (NamedGroup namedGroup : supportedNamedGroups) { + if ((namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) && + constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + namedGroup.algorithm, namedGroupParams.get(namedGroup))) { + + return namedGroup; + } + } + + return null; + } + + // Is there any supported group permitted by the constraints? + static boolean isActivatable( + AlgorithmConstraints constraints, NamedGroupType type) { + + boolean hasFFDHEGroups = false; + for (NamedGroup namedGroup : supportedNamedGroups) { + if (namedGroup.type == type) { + if (constraints.permits( + EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + namedGroup.algorithm, + namedGroupParams.get(namedGroup))) { + + return true; + } + + if (!hasFFDHEGroups && + (type == NamedGroupType.NAMED_GROUP_FFDHE)) { + + hasFFDHEGroups = true; + } + } + } + + // For compatibility, if no FFDHE groups are defined, the non-FFDHE + // compatible mode (using DHE cipher suite without FFDHE extension) + // is allowed. + // + // Note that the constraints checking on DHE parameters will be + // performed during key exchanging in a handshake. + if (!hasFFDHEGroups && (type == NamedGroupType.NAMED_GROUP_FFDHE)) { + return true; + } + + return false; + } + + // Create the default supported groups extension. + static SupportedGroupsExtension createExtension( + AlgorithmConstraints constraints, + CipherSuiteList cipherSuites, boolean enableFFDHE) { + + ArrayList groupList = + new ArrayList<>(supportedNamedGroups.length); + for (NamedGroup namedGroup : supportedNamedGroups) { + if ((!enableFFDHE) && + (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE)) { + continue; + } + + if (cipherSuites.contains(namedGroup.type) && + constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + namedGroup.algorithm, namedGroupParams.get(namedGroup))) { + + groupList.add(namedGroup.id); + } + } + + if (!groupList.isEmpty()) { + int[] ids = new int[groupList.size()]; + int i = 0; + for (Integer id : groupList) { + ids[i++] = id; + } + + return new SupportedGroupsExtension(ids); + } + + return null; + } + + // get the preferred activated named group + NamedGroup getPreferredGroup( + AlgorithmConstraints constraints, NamedGroupType type) { + + for (int groupId : requestedNamedGroupIds) { + NamedGroup namedGroup = NamedGroup.valueOf(groupId); + if ((namedGroup != null) && (namedGroup.type == type) && + SupportedGroupsExtension.supports(namedGroup) && + constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), + namedGroup.algorithm, namedGroupParams.get(namedGroup))) { + + return namedGroup; + } + } + + return null; + } + + boolean hasFFDHEGroup() { + for (int groupId : requestedNamedGroupIds) { + /* + * [RFC 7919] Codepoints in the "Supported Groups Registry" + * with a high byte of 0x01 (that is, between 256 and 511, + * inclusive) are set aside for FFDHE groups. + */ + if ((groupId >= 256) && (groupId <= 511)) { + return true; + } + } + + return false; + } + + boolean contains(int index) { + for (int groupId : requestedNamedGroupIds) { + if (index == groupId) { + return true; + } + } + return false; + } + + @Override + int length() { + return 6 + (requestedNamedGroupIds.length << 1); + } + + @Override + void send(HandshakeOutStream s) throws IOException { + s.putInt16(type.id); + int k = requestedNamedGroupIds.length << 1; + s.putInt16(k + 2); + s.putInt16(k); + for (int groupId : requestedNamedGroupIds) { + s.putInt16(groupId); + } + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("Extension " + type + ", group names: {"); + boolean first = true; + for (int groupId : requestedNamedGroupIds) { + if (first) { + first = false; + } else { + sb.append(", "); + } + // first check if it is a known named group, then try other cases. + NamedGroup namedGroup = NamedGroup.valueOf(groupId); + if (namedGroup != null) { + sb.append(namedGroup.name); + } else if (groupId == ARBITRARY_PRIME) { + sb.append("arbitrary_explicit_prime_curves"); + } else if (groupId == ARBITRARY_CHAR2) { + sb.append("arbitrary_explicit_char2_curves"); + } else { + sb.append("unknown named group " + groupId); + } + } + sb.append("}"); + return sb.toString(); + } + + static boolean supports(NamedGroup namedGroup) { + for (NamedGroup group : supportedNamedGroups) { + if (namedGroup.id == group.id) { + return true; + } + } + + return false; + } + + static ECGenParameterSpec getECGenParamSpec(NamedGroup namedGroup) { + if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) { + throw new RuntimeException("Not a named EC group: " + namedGroup); + } + + AlgorithmParameters params = namedGroupParams.get(namedGroup); + try { + return params.getParameterSpec(ECGenParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + // should be unlikely + return new ECGenParameterSpec(namedGroup.oid); + } + } + + static DHParameterSpec getDHParameterSpec(NamedGroup namedGroup) { + if (namedGroup.type != NamedGroupType.NAMED_GROUP_FFDHE) { + throw new RuntimeException("Not a named DH group: " + namedGroup); + } + + AlgorithmParameters params = namedGroupParams.get(namedGroup); + try { + return params.getParameterSpec(DHParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + // should be unlikely + return getPredefinedDHParameterSpec(namedGroup); + } + } +} diff --git a/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java b/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java index 3b449315e1..c00337789f 100644 --- a/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java +++ b/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,33 +31,44 @@ * @bug 6956398 * @summary make ephemeral DH key match the length of the certificate key * @run main/othervm + * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1639 267 + * @run main/othervm -Djsse.enableFFDHE=false * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=matched * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=legacy * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=1024 * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75 * - * @run main/othervm + * @run main/othervm -Djsse.enableFFDHE=false * DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 229 75 * - * @run main/othervm + * @run main/othervm -Djsse.enableFFDHE=false * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1383 139 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=legacy * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1319 107 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=matched * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1639 267 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=1024 * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1383 139 * - * @run main/othervm + * @run main/othervm -Djsse.enableFFDHE=false * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 357 139 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=legacy * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 293 107 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=matched * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 357 139 - * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 + * @run main/othervm -Djsse.enableFFDHE=false + * -Djdk.tls.ephemeralDHKeySize=1024 * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 357 139 */ diff --git a/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java new file mode 100644 index 0000000000..5706f5cc7a --- /dev/null +++ b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java @@ -0,0 +1,93 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + +/* + * @test + * @bug 8140436 + * @modules jdk.crypto.ec + * @library /javax/net/ssl/templates + * @summary Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS + * @run main/othervm UseStrongDHSizes 2048 + */ + +import java.io.InputStream; +import java.io.OutputStream; +import java.security.Security; +import javax.net.ssl.SSLSocket; + +public class UseStrongDHSizes extends SSLSocketTemplate { + /* + * Run the test case. + */ + public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled unexpectedly. + String constraint = "DH keySize < " + Integer.valueOf(args[0]); + Security.setProperty("jdk.tls.disabledAlgorithms", constraint); + Security.setProperty("jdk.certpath.disabledAlgorithms", ""); + + (new UseStrongDHSizes()).run(); + } + + @Override + protected void runServerApplication(SSLSocket socket) throws Exception { + String ciphers[] = { + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}; + + socket.setEnabledCipherSuites(ciphers); + socket.setWantClientAuth(true); + + InputStream sslIS = socket.getInputStream(); + OutputStream sslOS = socket.getOutputStream(); + + sslIS.read(); + sslOS.write(85); + sslOS.flush(); + } + + @Override + protected void runClientApplication(SSLSocket socket) throws Exception { + String ciphers[] = { + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}; + socket.setEnabledCipherSuites(ciphers); + socket.setUseClientMode(true); + + InputStream sslIS = socket.getInputStream(); + OutputStream sslOS = socket.getOutputStream(); + + sslOS.write(280); + sslOS.flush(); + sslIS.read(); + } +} From 13159fbb1acb1ca61786957d90b53fa9bdab43e9 Mon Sep 17 00:00:00 2001 From: Vladimir Ivanov Date: Fri, 26 May 2017 18:39:51 +0300 Subject: [PATCH 071/269] 8174962: Better interface invocations Reviewed-by: jrose, coleenp, ahgross, acorn, iignatyev --- .../java/lang/invoke/DirectMethodHandle.java | 57 ++++++++++++++++--- 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/lang/invoke/DirectMethodHandle.java b/jdk/src/java.base/share/classes/java/lang/invoke/DirectMethodHandle.java index ce1f938583..7bcb52311d 100644 --- a/jdk/src/java.base/share/classes/java/lang/invoke/DirectMethodHandle.java +++ b/jdk/src/java.base/share/classes/java/lang/invoke/DirectMethodHandle.java @@ -80,13 +80,20 @@ class DirectMethodHandle extends MethodHandle { mtype = mtype.insertParameterTypes(0, receiver); } if (!member.isField()) { - if (refKind == REF_invokeSpecial) { - member = member.asSpecial(); - LambdaForm lform = preparedLambdaForm(member); - return new Special(mtype, lform, member); - } else { - LambdaForm lform = preparedLambdaForm(member); - return new DirectMethodHandle(mtype, lform, member); + switch (refKind) { + case REF_invokeSpecial: { + member = member.asSpecial(); + LambdaForm lform = preparedLambdaForm(member); + return new Special(mtype, lform, member); + } + case REF_invokeInterface: { + LambdaForm lform = preparedLambdaForm(member); + return new Interface(mtype, lform, member, receiver); + } + default: { + LambdaForm lform = preparedLambdaForm(member); + return new DirectMethodHandle(mtype, lform, member); + } } } else { LambdaForm lform = preparedFieldLambdaForm(member); @@ -190,6 +197,7 @@ class DirectMethodHandle extends MethodHandle { static LambdaForm makePreparedLambdaForm(MethodType mtype, int which) { boolean needsInit = (which == LF_INVSTATIC_INIT); boolean doesAlloc = (which == LF_NEWINVSPECIAL); + boolean needsReceiverCheck = (which == LF_INVINTERFACE); String linkerName; LambdaForm.Kind kind; switch (which) { @@ -219,6 +227,7 @@ class DirectMethodHandle extends MethodHandle { int nameCursor = ARG_LIMIT; final int NEW_OBJ = (doesAlloc ? nameCursor++ : -1); final int GET_MEMBER = nameCursor++; + final int CHECK_RECEIVER = (needsReceiverCheck ? nameCursor++ : -1); final int LINKER_CALL = nameCursor++; Name[] names = arguments(nameCursor - ARG_LIMIT, mtype.invokerType()); assert(names.length == nameCursor); @@ -233,6 +242,10 @@ class DirectMethodHandle extends MethodHandle { } assert(findDirectMethodHandle(names[GET_MEMBER]) == names[DMH_THIS]); Object[] outArgs = Arrays.copyOfRange(names, ARG_BASE, GET_MEMBER+1, Object[].class); + if (needsReceiverCheck) { + names[CHECK_RECEIVER] = new Name(NF_checkReceiver, names[DMH_THIS], names[ARG_BASE]); + outArgs[0] = names[CHECK_RECEIVER]; + } assert(outArgs[outArgs.length-1] == names[GET_MEMBER]); // look, shifted args! int result = LAST_RESULT; if (doesAlloc) { @@ -377,6 +390,29 @@ class DirectMethodHandle extends MethodHandle { } } + /** This subclass represents invokeinterface instructions. */ + static class Interface extends DirectMethodHandle { + private final Class refc; + private Interface(MethodType mtype, LambdaForm form, MemberName member, Class refc) { + super(mtype, form, member); + assert refc.isInterface() : refc; + this.refc = refc; + } + @Override + MethodHandle copyWith(MethodType mt, LambdaForm lf) { + return new Interface(mt, lf, member, refc); + } + + Object checkReceiver(Object recv) { + if (!refc.isInstance(recv)) { + String msg = String.format("Class %s does not implement the requested interface %s", + recv.getClass().getName(), refc.getName()); + throw new IncompatibleClassChangeError(msg); + } + return recv; + } + } + /** This subclass handles constructor references. */ static class Constructor extends DirectMethodHandle { final MemberName initMethod; @@ -729,7 +765,8 @@ class DirectMethodHandle extends MethodHandle { NF_checkCast, NF_allocateInstance, NF_constructorMethod, - NF_UNSAFE; + NF_UNSAFE, + NF_checkReceiver; static { try { NamedFunction nfs[] = { @@ -754,7 +791,9 @@ class DirectMethodHandle extends MethodHandle { NF_constructorMethod = new NamedFunction(DirectMethodHandle.class .getDeclaredMethod("constructorMethod", Object.class)), NF_UNSAFE = new NamedFunction(new MemberName(MethodHandleStatics.class - .getDeclaredField("UNSAFE"))) + .getDeclaredField("UNSAFE"))), + NF_checkReceiver = new NamedFunction(new MemberName(Interface.class + .getDeclaredMethod("checkReceiver", Object.class))) }; // Each nf must be statically invocable or we get tied up in our bootstraps. assert(InvokerBytecodeGenerator.isStaticallyInvocable(nfs)); From 3e5041453cb2a6de0f169f9a8ffa4fe2772d4006 Mon Sep 17 00:00:00 2001 From: Sergey Bylokhov Date: Thu, 1 Jun 2017 15:15:26 -0700 Subject: [PATCH 072/269] 8180015: Cleaner AWT robot handling Reviewed-by: prr, mschoene, rhalade --- .../java.desktop/windows/native/libawt/windows/awt_Robot.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp index 12432ebf14..4db3de5ad8 100644 --- a/jdk/src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp +++ b/jdk/src/java.desktop/windows/native/libawt/windows/awt_Robot.cpp @@ -285,7 +285,7 @@ void AwtRobot::GetRGBPixels(jint x, jint y, jint width, jint height, jintArray p // copy pixels into Java array env->SetIntArrayRegion(pixelArray, 0, numPixels, (jint *)pixelData); - delete pinfo; + delete[] pinfo; // free all the GDI objects we made ::SelectObject(hdcMem, hOldBitmap); From fc03837a3f54990beda7db091505a248d633f682 Mon Sep 17 00:00:00 2001 From: James Laskey Date: Mon, 5 Jun 2017 12:36:15 -0300 Subject: [PATCH 073/269] 8180869: Cleaner image file reading handling Reviewed-by: ahgross, rriggs, rhalade --- .../java.base/share/native/libjimage/imageFile.cpp | 11 +++++++++-- .../java.base/share/native/libjimage/imageFile.hpp | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/jdk/src/java.base/share/native/libjimage/imageFile.cpp b/jdk/src/java.base/share/native/libjimage/imageFile.cpp index 6572498c4d..c56b3732a7 100644 --- a/jdk/src/java.base/share/native/libjimage/imageFile.cpp +++ b/jdk/src/java.base/share/native/libjimage/imageFile.cpp @@ -205,12 +205,19 @@ const char* ImageModuleData::package_to_module(const char* package_name) { // Manage a table of open image files. This table allows multiple access points // to share an open image. ImageFileReaderTable::ImageFileReaderTable() : _count(0), _max(_growth) { - _table = new ImageFileReader*[_max]; + _table = static_cast(calloc(_max, sizeof(ImageFileReader*))); assert(_table != NULL && "allocation failed"); } ImageFileReaderTable::~ImageFileReaderTable() { - delete[] _table; + for (u4 i = 0; i < _count; i++) { + ImageFileReader* image = _table[i]; + + if (image != NULL) { + delete image; + } + } + free(_table); } // Add a new image entry to the table. diff --git a/jdk/src/java.base/share/native/libjimage/imageFile.hpp b/jdk/src/java.base/share/native/libjimage/imageFile.hpp index c32d2fed8c..699f2fffe7 100644 --- a/jdk/src/java.base/share/native/libjimage/imageFile.hpp +++ b/jdk/src/java.base/share/native/libjimage/imageFile.hpp @@ -402,6 +402,7 @@ public: // 'opened' by reference point and decremented when 'closed'. Use of zero // leads the ImageFileReader to be actually closed and discarded. class ImageFileReader { +friend class ImageFileReaderTable; private: // Manage a number of image files such that an image can be shared across // multiple uses (ex. loader.) From 5dd8992fcedb235fa85a15484049f9e480784681 Mon Sep 17 00:00:00 2001 From: Ivan Gerasimov Date: Wed, 7 Jun 2017 13:08:39 -0700 Subject: [PATCH 074/269] 8181439: Test the jdk.tls.namedGroups System Property Reviewed-by: valeriep --- .../sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java index 5706f5cc7a..993d087683 100644 --- a/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java +++ b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java @@ -33,6 +33,11 @@ * @library /javax/net/ssl/templates * @summary Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS * @run main/othervm UseStrongDHSizes 2048 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe2048 UseStrongDHSizes 2048 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe3072 UseStrongDHSizes 2048 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe4096 UseStrongDHSizes 2048 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe6144 UseStrongDHSizes 2048 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 2048 */ import java.io.InputStream; From 4e276d241cadcd958719abfb70dec15336c5c0b0 Mon Sep 17 00:00:00 2001 From: Ivan Gerasimov Date: Wed, 7 Jun 2017 13:09:08 -0700 Subject: [PATCH 075/269] 8178728: Check the AlgorithmParameters in algorithm constraints Reviewed-by: valeriep, ascarpino --- .../security/util/AlgorithmDecomposer.java | 21 +- .../util/DisabledAlgorithmConstraints.java | 248 ++++++++++++------ .../classes/sun/security/util/KeyUtil.java | 58 ++++ .../ssl/DHKeyExchange/UseStrongDHSizes.java | 14 + 4 files changed, 255 insertions(+), 86 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java b/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java index 1774cabb8f..4e1e6241dc 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java +++ b/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,8 @@ package sun.security.util; import java.util.HashSet; import java.util.Set; +import java.util.Arrays; +import java.util.Collection; import java.util.regex.Pattern; /** @@ -134,6 +136,23 @@ public class AlgorithmDecomposer { return elements; } + /** + * Get aliases of the specified algorithm. + * + * May support more algorithms in the future. + */ + public static Collection getAliases(String algorithm) { + String[] aliases; + if (algorithm.equalsIgnoreCase("DH") || + algorithm.equalsIgnoreCase("DiffieHellman")) { + aliases = new String[] {"DH", "DiffieHellman"}; + } else { + aliases = new String[] {algorithm}; + } + + return Arrays.asList(aliases); + } + private static void hasLoop(Set elements, String find, String replace) { if (elements.contains(find)) { if (!elements.contains(replace)) { diff --git a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java index b763f7a35e..dc6a46c3ed 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java +++ b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java @@ -45,6 +45,7 @@ import java.util.List; import java.util.Locale; import java.util.Map; import java.util.Set; +import java.util.Collection; import java.util.StringTokenizer; import java.util.TimeZone; import java.util.regex.Pattern; @@ -106,7 +107,15 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { @Override public final boolean permits(Set primitives, String algorithm, AlgorithmParameters parameters) { - return checkAlgorithm(disabledAlgorithms, algorithm, decomposer); + if (!checkAlgorithm(disabledAlgorithms, algorithm, decomposer)) { + return false; + } + + if (parameters != null) { + return algorithmConstraints.permits(algorithm, parameters); + } + + return true; } /* @@ -242,7 +251,12 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { List constraintList = constraintsMap.getOrDefault(algorithm, new ArrayList<>(1)); - constraintsMap.putIfAbsent(algorithm, constraintList); + + // Consider the impact of algorithm aliases. + for (String alias : AlgorithmDecomposer.getAliases(algorithm)) { + constraintsMap.putIfAbsent(alias, constraintList); + } + if (space <= 0) { constraintList.add(new DisabledConstraint(algorithm)); continue; @@ -351,6 +365,27 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { return true; } + // Check if constraints permit this AlgorithmParameters. + public boolean permits(String algorithm, AlgorithmParameters aps) { + List list = getConstraints(algorithm); + if (list == null) { + return true; + } + + for (Constraint constraint : list) { + if (!constraint.permits(aps)) { + if (debug != null) { + debug.println("keySizeConstraint: failed algorithm " + + "parameters constraint check " + aps); + } + + return false; + } + } + + return true; + } + // Check if constraints permit this cert. public void permits(String algorithm, ConstraintsParameters cp) throws CertPathValidatorException { @@ -444,6 +479,18 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { return true; } + /** + * Check if the algorithm constraint permits a given cryptographic + * parameters. + * + * @param parameters the cryptographic parameters + * @return 'true' if the cryptographic parameters is allowed, + * 'false' ortherwise. + */ + public boolean permits(AlgorithmParameters parameters) { + return true; + } + /** * Check if an algorithm constraint is permitted with a given * ConstraintsParameters. @@ -528,6 +575,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { * call next() for any following constraints. If it does not, exit * as this constraint(s) does not restrict the operation. */ + @Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { if (debug != null) { @@ -551,100 +599,101 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { * This class handles the denyAfter constraint. The date is in the UTC/GMT * timezone. */ - private static class DenyAfterConstraint extends Constraint { - private Date denyAfterDate; - private static final SimpleDateFormat dateFormat = - new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy"); + private static class DenyAfterConstraint extends Constraint { + private Date denyAfterDate; + private static final SimpleDateFormat dateFormat = + new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy"); - DenyAfterConstraint(String algo, int year, int month, int day) { - Calendar c; + DenyAfterConstraint(String algo, int year, int month, int day) { + Calendar c; - algorithm = algo; + algorithm = algo; - if (debug != null) { - debug.println("DenyAfterConstraint read in as: year " + - year + ", month = " + month + ", day = " + day); - } + if (debug != null) { + debug.println("DenyAfterConstraint read in as: year " + + year + ", month = " + month + ", day = " + day); + } - c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT")) - .setDate(year, month - 1, day).build(); + c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT")) + .setDate(year, month - 1, day).build(); - if (year > c.getActualMaximum(Calendar.YEAR) || - year < c.getActualMinimum(Calendar.YEAR)) { - throw new IllegalArgumentException( - "Invalid year given in constraint: " + year); - } - if ((month - 1) > c.getActualMaximum(Calendar.MONTH) || - (month - 1) < c.getActualMinimum(Calendar.MONTH)) { - throw new IllegalArgumentException( - "Invalid month given in constraint: " + month); - } - if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) || - day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) { - throw new IllegalArgumentException( - "Invalid Day of Month given in constraint: " + day); - } + if (year > c.getActualMaximum(Calendar.YEAR) || + year < c.getActualMinimum(Calendar.YEAR)) { + throw new IllegalArgumentException( + "Invalid year given in constraint: " + year); + } + if ((month - 1) > c.getActualMaximum(Calendar.MONTH) || + (month - 1) < c.getActualMinimum(Calendar.MONTH)) { + throw new IllegalArgumentException( + "Invalid month given in constraint: " + month); + } + if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) || + day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) { + throw new IllegalArgumentException( + "Invalid Day of Month given in constraint: " + day); + } - denyAfterDate = c.getTime(); - if (debug != null) { - debug.println("DenyAfterConstraint date set to: " + - dateFormat.format(denyAfterDate)); - } - } + denyAfterDate = c.getTime(); + if (debug != null) { + debug.println("DenyAfterConstraint date set to: " + + dateFormat.format(denyAfterDate)); + } + } - /* - * Checking that the provided date is not beyond the constraint date. - * The provided date can be the PKIXParameter date if given, - * otherwise it is the current date. - * - * If the constraint disallows, call next() for any following - * constraints. Throw an exception if this is the last constraint. - */ - @Override - public void permits(ConstraintsParameters cp) - throws CertPathValidatorException { - Date currentDate; - String errmsg; + /* + * Checking that the provided date is not beyond the constraint date. + * The provided date can be the PKIXParameter date if given, + * otherwise it is the current date. + * + * If the constraint disallows, call next() for any following + * constraints. Throw an exception if this is the last constraint. + */ + @Override + public void permits(ConstraintsParameters cp) + throws CertPathValidatorException { + Date currentDate; + String errmsg; - if (cp.getJARTimestamp() != null) { - currentDate = cp.getJARTimestamp().getTimestamp(); - errmsg = "JAR Timestamp date: "; - } else if (cp.getPKIXParamDate() != null) { - currentDate = cp.getPKIXParamDate(); - errmsg = "PKIXParameter date: "; - } else { - currentDate = new Date(); - errmsg = "Current date: "; - } + if (cp.getJARTimestamp() != null) { + currentDate = cp.getJARTimestamp().getTimestamp(); + errmsg = "JAR Timestamp date: "; + } else if (cp.getPKIXParamDate() != null) { + currentDate = cp.getPKIXParamDate(); + errmsg = "PKIXParameter date: "; + } else { + currentDate = new Date(); + errmsg = "Current date: "; + } - if (!denyAfterDate.after(currentDate)) { - if (next(cp)) { - return; - } - throw new CertPathValidatorException( - "denyAfter constraint check failed: " + algorithm + - " used with Constraint date: " + - dateFormat.format(denyAfterDate) + "; " + errmsg + - dateFormat.format(currentDate) + extendedMsg(cp), - null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); - } - } + if (!denyAfterDate.after(currentDate)) { + if (next(cp)) { + return; + } + throw new CertPathValidatorException( + "denyAfter constraint check failed: " + algorithm + + " used with Constraint date: " + + dateFormat.format(denyAfterDate) + "; " + errmsg + + dateFormat.format(currentDate) + extendedMsg(cp), + null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + } - /* - * Return result if the constraint's date is beyond the current date - * in UTC timezone. - */ - public boolean permits(Key key) { - if (next(key)) { - return true; - } - if (debug != null) { - debug.println("DenyAfterConstraints.permits(): " + algorithm); - } + /* + * Return result if the constraint's date is beyond the current date + * in UTC timezone. + */ + @Override + public boolean permits(Key key) { + if (next(key)) { + return true; + } + if (debug != null) { + debug.println("DenyAfterConstraints.permits(): " + algorithm); + } - return denyAfterDate.after(new Date()); - } - } + return denyAfterDate.after(new Date()); + } + } /* * The usage constraint is for the "usage" keyword. It checks against the @@ -658,6 +707,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { this.usages = usages; } + @Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { for (String usage : usages) { @@ -746,6 +796,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { * constraint Any permitted constraint will exit the linked list * to allow the operation. */ + @Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Key key = null; @@ -770,6 +821,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { // Check if key constraint disable the specified key // Uses old style permit() + @Override public boolean permits(Key key) { // If we recursively find a constraint that permits us to use // this key, return true and skip any other constraint checks. @@ -783,6 +835,30 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { return permitsImpl(key); } + @Override + public boolean permits(AlgorithmParameters parameters) { + String paramAlg = parameters.getAlgorithm(); + if (!algorithm.equalsIgnoreCase(parameters.getAlgorithm())) { + // Consider the impact of the algorithm aliases. + Collection aliases = + AlgorithmDecomposer.getAliases(algorithm); + if (!aliases.contains(paramAlg)) { + return true; + } + } + + int keySize = KeyUtil.getKeySize(parameters); + if (keySize == 0) { + return false; + } else if (keySize > 0) { + return !((keySize < minSize) || (keySize > maxSize) || + (prohibitedSize == keySize)); + } // Otherwise, the key size is not accessible or determined. + // Conservatively, please don't disable such keys. + + return true; + } + private boolean permitsImpl(Key key) { // Verify this constraint is for this public key algorithm if (algorithm.compareToIgnoreCase(key.getAlgorithm()) != 0) { @@ -810,6 +886,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { algorithm = algo; } + @Override public void permits(ConstraintsParameters cp) throws CertPathValidatorException { throw new CertPathValidatorException( @@ -818,6 +895,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } + @Override public boolean permits(Key key) { return false; } diff --git a/jdk/src/java.base/share/classes/sun/security/util/KeyUtil.java b/jdk/src/java.base/share/classes/sun/security/util/KeyUtil.java index 906d59cdb9..e477b9f8db 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/KeyUtil.java +++ b/jdk/src/java.base/share/classes/sun/security/util/KeyUtil.java @@ -25,6 +25,7 @@ package sun.security.util; +import java.security.AlgorithmParameters; import java.security.Key; import java.security.PrivilegedAction; import java.security.AccessController; @@ -35,6 +36,8 @@ import java.security.interfaces.DSAKey; import java.security.interfaces.DSAParams; import java.security.SecureRandom; import java.security.spec.KeySpec; +import java.security.spec.ECParameterSpec; +import java.security.spec.InvalidParameterSpecException; import javax.crypto.SecretKey; import javax.crypto.interfaces.DHKey; import javax.crypto.interfaces.DHPublicKey; @@ -99,6 +102,61 @@ public final class KeyUtil { return size; } + /** + * Returns the key size of the given cryptographic parameters in bits. + * + * @param parameters the cryptographic parameters, cannot be null + * @return the key size of the given cryptographic parameters in bits, + * or -1 if the key size is not accessible + */ + public static final int getKeySize(AlgorithmParameters parameters) { + + String algorithm = parameters.getAlgorithm(); + switch (algorithm) { + case "EC": + try { + ECKeySizeParameterSpec ps = parameters.getParameterSpec( + ECKeySizeParameterSpec.class); + if (ps != null) { + return ps.getKeySize(); + } + } catch (InvalidParameterSpecException ipse) { + // ignore + } + + try { + ECParameterSpec ps = parameters.getParameterSpec( + ECParameterSpec.class); + if (ps != null) { + return ps.getOrder().bitLength(); + } + } catch (InvalidParameterSpecException ipse) { + // ignore + } + + // Note: the ECGenParameterSpec case should be covered by the + // ECParameterSpec case above. + // See ECUtil.getECParameterSpec(Provider, String). + + break; + case "DiffieHellman": + try { + DHParameterSpec ps = parameters.getParameterSpec( + DHParameterSpec.class); + if (ps != null) { + return ps.getP().bitLength(); + } + } catch (InvalidParameterSpecException ipse) { + // ignore + } + break; + + // May support more AlgorithmParameters algorithms in the future. + } + + return -1; + } + /** * Returns whether the key is valid or not. *

diff --git a/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java index 993d087683..209db9d746 100644 --- a/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java +++ b/jdk/test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java @@ -38,6 +38,20 @@ * @run main/othervm -Djdk.tls.namedGroups=ffdhe4096 UseStrongDHSizes 2048 * @run main/othervm -Djdk.tls.namedGroups=ffdhe6144 UseStrongDHSizes 2048 * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 2048 + * @run main/othervm UseStrongDHSizes 3072 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe3072 UseStrongDHSizes 3072 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe4096 UseStrongDHSizes 3072 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe6144 UseStrongDHSizes 3072 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 3072 + * @run main/othervm UseStrongDHSizes 4096 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe4096 UseStrongDHSizes 4096 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe6144 UseStrongDHSizes 4096 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 4096 + * @run main/othervm UseStrongDHSizes 6144 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe6144 UseStrongDHSizes 6144 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 6144 + * @run main/othervm UseStrongDHSizes 8192 + * @run main/othervm -Djdk.tls.namedGroups=ffdhe8192 UseStrongDHSizes 8192 */ import java.io.InputStream; From 016c5f5cfa02a12525df1375ed763611f10983a4 Mon Sep 17 00:00:00 2001 From: Naoto Sato Date: Thu, 15 Jun 2017 09:57:15 -0700 Subject: [PATCH 076/269] 8181323: Better timezone processing Reviewed-by: rriggs --- .../classes/java/util/SimpleTimeZone.java | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java b/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java index d7555a0db0..7ed6e71753 100644 --- a/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java +++ b/jdk/src/java.base/share/classes/java/util/SimpleTimeZone.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,6 +41,7 @@ package java.util; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.IOException; +import java.io.InvalidObjectException; import sun.util.calendar.CalendarSystem; import sun.util.calendar.CalendarUtils; import sun.util.calendar.BaseCalendar; @@ -1278,6 +1279,9 @@ public class SimpleTimeZone extends TimeZone { */ private int serialVersionOnStream = currentSerialVersion; + // Maximum number of rules. + private static final int MAX_RULE_NUM = 6; + private synchronized void invalidateCache() { cacheYear = startYear - 1; cacheStart = cacheEnd = 0; @@ -1569,7 +1573,7 @@ public class SimpleTimeZone extends TimeZone { */ private byte[] packRules() { - byte[] rules = new byte[6]; + byte[] rules = new byte[MAX_RULE_NUM]; rules[0] = (byte)startDay; rules[1] = (byte)startDayOfWeek; rules[2] = (byte)endDay; @@ -1594,7 +1598,7 @@ public class SimpleTimeZone extends TimeZone { endDayOfWeek = rules[3]; // As of serial version 2, include time modes - if (rules.length >= 6) { + if (rules.length >= MAX_RULE_NUM) { startTimeMode = rules[4]; endTimeMode = rules[5]; } @@ -1691,9 +1695,13 @@ public class SimpleTimeZone extends TimeZone { // store the actual rules (which have not be made compatible with 1.1) // in the optional area. Read them in here and parse them. int length = stream.readInt(); - byte[] rules = new byte[length]; - stream.readFully(rules); - unpackRules(rules); + if (length <= MAX_RULE_NUM) { + byte[] rules = new byte[length]; + stream.readFully(rules); + unpackRules(rules); + } else { + throw new InvalidObjectException("Too many rules: " + length); + } } if (serialVersionOnStream >= 2) { From c99ca11e31203c35a93e8362c7c5717a51249eda Mon Sep 17 00:00:00 2001 From: Roger Riggs Date: Mon, 19 Jun 2017 17:38:33 -0400 Subject: [PATCH 077/269] 8181597: Process Proxy presentation Reviewed-by: dfuchs, ahgross, rhalade, skoivu --- .../java.base/share/classes/java/io/ObjectInputStream.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index 3bae41c5fb..8310b65d9f 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -1765,6 +1765,10 @@ public class ObjectInputStream passHandle = NULL_HANDLE; int numIfaces = bin.readInt(); + if (numIfaces > 65535) { + throw new InvalidObjectException("interface limit exceeded: " + + numIfaces); + } String[] ifaces = new String[numIfaces]; for (int i = 0; i < numIfaces; i++) { ifaces[i] = bin.readUTF(); From 72711cb57e97307c5d9defb5cbc59b011d0ab16b Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Wed, 28 Jun 2017 16:52:36 +0100 Subject: [PATCH 078/269] 8181370: Better keystore handling Reviewed-by: weijun, igerasim --- .../com/sun/crypto/provider/JceKeyStore.java | 44 ++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java index ccf49b7a80..f3190b39a2 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,12 +27,14 @@ package com.sun.crypto.provider; import java.io.*; import java.util.*; +import java.security.AccessController; import java.security.DigestInputStream; import java.security.DigestOutputStream; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.Key; import java.security.PrivateKey; +import java.security.PrivilegedAction; import java.security.KeyStoreSpi; import java.security.KeyStoreException; import java.security.UnrecoverableKeyException; @@ -835,11 +837,21 @@ public final class JceKeyStore extends KeyStoreSpi { // read the sealed key try { ois = new ObjectInputStream(dis); + final ObjectInputStream ois2 = ois; + // Set a deserialization checker + AccessController.doPrivileged( + (PrivilegedAction)() -> { + ois2.setObjectInputFilter( + new DeserializationChecker()); + return null; + }); entry.sealedKey = (SealedObject)ois.readObject(); // NOTE: don't close ois here since we are still // using dis!!! } catch (ClassNotFoundException cnfe) { throw new IOException(cnfe.getMessage()); + } catch (InvalidClassException ice) { + throw new IOException("Invalid secret key format"); } // Add the entry to the list @@ -916,4 +928,34 @@ public final class JceKeyStore extends KeyStoreSpi { return JCEKS_MAGIC == dataStream.readInt(); } + + /* + * An ObjectInputFilter that checks the format of the secret key being + * deserialized. + */ + private static class DeserializationChecker implements ObjectInputFilter { + private static final int MAX_NESTED_DEPTH = 2; + + @Override + public ObjectInputFilter.Status + checkInput(ObjectInputFilter.FilterInfo info) { + + // First run a custom filter + long nestedDepth = info.depth(); + if ((nestedDepth == 1 && + info.serialClass() != SealedObjectForKeyProtector.class) || + nestedDepth > MAX_NESTED_DEPTH) { + return Status.REJECTED; + } + + // Next run the default filter, if available + ObjectInputFilter defaultFilter = + ObjectInputFilter.Config.getSerialFilter(); + if (defaultFilter != null) { + return defaultFilter.checkInput(info); + } + + return Status.UNDECIDED; + } + } } From 26cae938cfcca170202e179d4b17809a2a9a0f6c Mon Sep 17 00:00:00 2001 From: Phil Race Date: Thu, 29 Jun 2017 11:53:19 -0700 Subject: [PATCH 079/269] 8180877: More deeply colored ICC spaces Reviewed-by: serb, rhalade, mschoene --- .../share/classes/java/awt/color/ICC_ColorSpace.java | 12 ++++++++++++ jdk/src/java.desktop/share/native/liblcms/LCMS.c | 7 ++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java b/jdk/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java index cf6f640f1e..5b0e8a55f8 100644 --- a/jdk/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java +++ b/jdk/src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java @@ -127,6 +127,18 @@ public class ICC_ColorSpace extends ColorSpace { setMinMax(); } + /** + * Validate an ICC_ColorSpace read from an object input stream + */ + private void readObject(java.io.ObjectInputStream s) + throws ClassNotFoundException, java.io.IOException { + + s.defaultReadObject(); + if (thisProfile == null) { + thisProfile = ICC_Profile.getInstance(ColorSpace.CS_sRGB); + } + } + /** * Returns the ICC_Profile for this ICC_ColorSpace. * @return the ICC_Profile for this ICC_ColorSpace. diff --git a/jdk/src/java.desktop/share/native/liblcms/LCMS.c b/jdk/src/java.desktop/share/native/liblcms/LCMS.c index 97dc17593e..17c49ad826 100644 --- a/jdk/src/java.desktop/share/native/liblcms/LCMS.c +++ b/jdk/src/java.desktop/share/native/liblcms/LCMS.c @@ -644,7 +644,12 @@ JNIEXPORT jobject JNICALL Java_sun_java2d_cmm_lcms_LCMS_getProfileID { jclass clsLcmsProfile; jobject cmmProfile; - jfieldID fid = (*env)->GetFieldID (env, + jfieldID fid; + + if (pf == NULL) { + return NULL; + } + fid = (*env)->GetFieldID (env, (*env)->GetObjectClass(env, pf), "cmmProfile", "Lsun/java2d/cmm/Profile;"); if (fid == NULL) { From 1da73bf74ac9dac8d134a589db3b94386797f4bd Mon Sep 17 00:00:00 2001 From: Adam Petcher Date: Tue, 4 Jul 2017 01:52:53 +0000 Subject: [PATCH 080/269] 8174756: Extra validation for public keys Reviewed-by: valeriep --- .../sun/security/rsa/RSAPublicKeyImpl.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/jdk/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java b/jdk/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java index 5f2afac4df..b2739171e0 100644 --- a/jdk/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java +++ b/jdk/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java @@ -48,6 +48,7 @@ import sun.security.x509.X509Key; public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey { private static final long serialVersionUID = 2644735423591199609L; + private static final BigInteger THREE = BigInteger.valueOf(3); private BigInteger n; // modulus private BigInteger e; // public exponent @@ -61,6 +62,7 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey { this.n = n; this.e = e; RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e); + checkExponentRange(); // generate the encoding algid = RSAPrivateCrtKeyImpl.rsaId; try { @@ -83,6 +85,19 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey { public RSAPublicKeyImpl(byte[] encoded) throws InvalidKeyException { decode(encoded); RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e); + checkExponentRange(); + } + + private void checkExponentRange() throws InvalidKeyException { + // the exponent should be smaller than the modulus + if (e.compareTo(n) >= 0) { + throw new InvalidKeyException("exponent is larger than modulus"); + } + + // the exponent should be at least 3 + if (e.compareTo(THREE) < 0) { + throw new InvalidKeyException("exponent is smaller than 3"); + } } // see JCA doc From 2131a7118134279d4e089e0cc152515358bf28dd Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Wed, 5 Jul 2017 17:27:46 +0100 Subject: [PATCH 081/269] 8181692: Update storage implementations Reviewed-by: weijun, igerasim --- .../com/sun/crypto/provider/KeyProtector.java | 21 ++- .../com/sun/crypto/provider/PBES1Core.java | 2 +- .../sun/security/pkcs12/PKCS12KeyStore.java | 125 ++++++++++++------ 3 files changed, 106 insertions(+), 42 deletions(-) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java index 53fea3053c..823d7bdb8d 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/KeyProtector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -38,6 +38,7 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.UnrecoverableKeyException; import java.security.AlgorithmParameters; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.PKCS8EncodedKeySpec; import javax.crypto.Cipher; @@ -74,6 +75,8 @@ final class KeyProtector { // keys in the keystore implementation that comes with JDK 1.2) private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int ITERATION_COUNT = 200000; private static final int SALT_LEN = 20; // the salt length private static final int DIGEST_LEN = 20; @@ -100,7 +103,7 @@ final class KeyProtector { SunJCE.getRandom().nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -155,6 +158,9 @@ final class KeyProtector { pbeParams.init(encodedParams); PBEParameterSpec pbeSpec = pbeParams.getParameterSpec(PBEParameterSpec.class); + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -285,7 +291,7 @@ final class KeyProtector { SunJCE.getRandom().nextBytes(salt); // create PBE parameters from salt and iteration count - PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); + PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, ITERATION_COUNT); // create PBE key from password PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); @@ -326,6 +332,15 @@ final class KeyProtector { throw new UnrecoverableKeyException("Cannot get " + "algorithm parameters"); } + PBEParameterSpec pbeSpec; + try { + pbeSpec = params.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + if (pbeSpec.getIterationCount() > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } PBEWithMD5AndTripleDESCipher cipherSpi; cipherSpi = new PBEWithMD5AndTripleDESCipher(); Cipher cipher = new CipherForKeyProtector(cipherSpi, diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java index c54fa2d86e..86ea35c8b0 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/PBES1Core.java @@ -284,7 +284,7 @@ final class PBES1Core { for (i=0; i<2; i++) { byte tmp = salt[i]; salt[i] = salt[3-i]; - salt[3-1] = tmp; + salt[3-i] = tmp; } } diff --git a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java index 9c0e0b7dc0..23f8df52e3 100644 --- a/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java +++ b/jdk/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java @@ -46,6 +46,7 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.InvalidParameterSpecException; import java.security.spec.KeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.*; @@ -147,6 +148,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi { "keystore.PKCS12.keyProtectionAlgorithm" }; + private static final int MAX_ITERATION_COUNT = 5000000; + private static final int PBE_ITERATION_COUNT = 50000; // default + private static final int MAC_ITERATION_COUNT = 100000; // default + private static final int SALT_LEN = 20; + // friendlyName, localKeyId, trustedKeyUsage private static final String[] CORE_ATTRIBUTES = { "1.2.840.113549.1.9.20", @@ -192,8 +198,6 @@ public final class PKCS12KeyStore extends KeyStoreSpi { private static ObjectIdentifier[] AnyUsage; private int counter = 0; - private static final int iterationCount = 1024; - private static final int SALT_LEN = 20; // private key count // Note: This is a workaround to allow null localKeyID attribute @@ -327,6 +331,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { byte[] encryptedKey; AlgorithmParameters algParams; ObjectIdentifier algOid; + try { // get the encrypted private key EncryptedPrivateKeyInfo encrInfo = @@ -347,7 +352,24 @@ public final class PKCS12KeyStore extends KeyStoreSpi { throw uke; } - try { + try { + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException("Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + byte[] keyInfo; while (true) { try { @@ -387,9 +409,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi { key = kfac.generatePrivate(kspec); if (debug != null) { - debug.println("Retrieved a protected private key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Retrieved a protected private key at alias" + + " '" + alias + "' (" + + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); } // decode secret key @@ -410,9 +433,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi { } if (debug != null) { - debug.println("Retrieved a protected secret key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Retrieved a protected secret key at alias " + + "'" + alias + "' (" + + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); } } } catch (Exception e) { @@ -590,9 +614,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi { (key.getFormat().equals("PKCS8"))) { if (debug != null) { - debug.println("Setting a protected private key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println( + "Setting a protected private key at alias '" + + alias + "'"); } // Encrypt the private key @@ -638,9 +662,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi { encryptPrivateKey(pkcs8.toByteArray(), passwordProtection); if (debug != null) { - debug.println("Setting a protected secret key (" + - key.getClass().getName() + ") at alias '" + alias + - "'"); + debug.println("Setting a protected secret key at alias '" + + alias + "'"); } secretKeyCount++; entry = keyEntry; @@ -761,19 +784,19 @@ public final class PKCS12KeyStore extends KeyStoreSpi { /* * Generate PBE Algorithm Parameters */ - private AlgorithmParameters getAlgorithmParameters(String algorithm) + private AlgorithmParameters getPBEAlgorithmParameters(String algorithm) throws IOException { AlgorithmParameters algParams = null; // create PBE parameters from salt and iteration count PBEParameterSpec paramSpec = - new PBEParameterSpec(getSalt(), iterationCount); + new PBEParameterSpec(getSalt(), PBE_ITERATION_COUNT); try { algParams = AlgorithmParameters.getInstance(algorithm); algParams.init(paramSpec); } catch (Exception e) { - throw new IOException("getAlgorithmParameters failed: " + + throw new IOException("getPBEAlgorithmParameters failed: " + e.getMessage(), e); } return algParams; @@ -859,7 +882,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { algParams = AlgorithmParameters.getInstance(algorithm); algParams.init(algParamSpec); } else { - algParams = getAlgorithmParameters(algorithm); + algParams = getPBEAlgorithmParameters(algorithm); } } else { // Check default key protection algorithm for PKCS12 keystores @@ -879,7 +902,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (algorithm == null || algorithm.isEmpty()) { algorithm = "PBEWithSHA1AndDESede"; } - algParams = getAlgorithmParameters(algorithm); + algParams = getPBEAlgorithmParameters(algorithm); } ObjectIdentifier pbeOID = mapPBEAlgorithmToOID(algorithm); @@ -1194,7 +1217,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Storing " + (privateKeyCount + secretKeyCount) + - " protected key(s) in a PKCS#7 data content-type"); + " protected key(s) in a PKCS#7 data"); } byte[] safeContentData = createSafeContent(); @@ -1207,7 +1230,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Storing " + certificateCount + - " certificate(s) in a PKCS#7 encryptedData content-type"); + " certificate(s) in a PKCS#7 encryptedData"); } byte[] encrData = createEncryptedData(password); @@ -1478,7 +1501,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // generate MAC (MAC key is generated within JCE) Mac m = Mac.getInstance("HmacPBESHA1"); PBEParameterSpec params = - new PBEParameterSpec(salt, iterationCount); + new PBEParameterSpec(salt, MAC_ITERATION_COUNT); SecretKey key = getPBEKey(passwd); m.init(key, params); m.update(data); @@ -1486,7 +1509,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // encode as MacData MacData macData = new MacData(algName, macResult, salt, - iterationCount); + MAC_ITERATION_COUNT); DerOutputStream bytes = new DerOutputStream(); bytes.write(macData.getEncoded()); mData = bytes.toByteArray(); @@ -1878,7 +1901,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // create AlgorithmParameters AlgorithmParameters algParams = - getAlgorithmParameters("PBEWithSHA1AndRC2_40"); + getPBEAlgorithmParameters("PBEWithSHA1AndRC2_40"); DerOutputStream bytes = new DerOutputStream(); AlgorithmId algId = new AlgorithmId(pbeWithSHAAnd40BitRC2CBC_OID, algParams); @@ -1998,7 +2021,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (contentType.equals(ContentInfo.DATA_OID)) { if (debug != null) { - debug.println("Loading PKCS#7 data content-type"); + debug.println("Loading PKCS#7 data"); } safeContentsData = safeContents.getData(); @@ -2007,15 +2030,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Warning: skipping PKCS#7 encryptedData" + - " content-type - no password was supplied"); + " - no password was supplied"); } continue; } - if (debug != null) { - debug.println("Loading PKCS#7 encryptedData content-type"); - } - DerInputStream edi = safeContents.getContent().toDerInputStream(); int edVersion = edi.getInteger(); @@ -2036,6 +2055,30 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ObjectIdentifier algOid = in.getOID(); AlgorithmParameters algParams = parseAlgParameters(algOid, in); + PBEParameterSpec pbeSpec; + int ic = 0; + + if (algParams != null) { + try { + pbeSpec = + algParams.getParameterSpec(PBEParameterSpec.class); + } catch (InvalidParameterSpecException ipse) { + throw new IOException( + "Invalid PBE algorithm parameters"); + } + ic = pbeSpec.getIterationCount(); + + if (ic > MAX_ITERATION_COUNT) { + throw new IOException("PBE iteration count too large"); + } + } + + if (debug != null) { + debug.println("Loading PKCS#7 encryptedData " + + "(" + new AlgorithmId(algOid).getName() + + " iterations: " + ic + ")"); + } + while (true) { try { // Use JCE @@ -2066,8 +2109,15 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // The MacData is optional. if (password != null && s.available() > 0) { - MacData macData = new MacData(s); - try { + MacData macData = new MacData(s); + int ic = macData.getIterations(); + + try { + if (ic > MAX_ITERATION_COUNT) { + throw new InvalidAlgorithmParameterException( + "MAC iteration count too large: " + ic); + } + String algName = macData.getDigestAlgName().toUpperCase(Locale.ENGLISH); @@ -2077,8 +2127,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi { // generate MAC (MAC key is created within JCE) Mac m = Mac.getInstance("HmacPBE" + algName); PBEParameterSpec params = - new PBEParameterSpec(macData.getSalt(), - macData.getIterations()); + new PBEParameterSpec(macData.getSalt(), ic); SecretKey key = getPBEKey(password); m.init(key, params); m.update(authSafeData); @@ -2086,16 +2135,16 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (debug != null) { debug.println("Checking keystore integrity " + - "(MAC algorithm: " + m.getAlgorithm() + ")"); + "(" + m.getAlgorithm() + " iterations: " + ic + ")"); } if (!MessageDigest.isEqual(macData.getDigest(), macResult)) { throw new UnrecoverableKeyException("Failed PKCS12" + " integrity checking"); } - } catch (Exception e) { + } catch (Exception e) { throw new IOException("Integrity check failed: " + e, e); - } + } } /* From c33e540ee11eaf294e2e3d18d58fd99f1c985bbc Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 6 Jul 2017 09:20:21 +0800 Subject: [PATCH 082/269] 8181432: Better processing of unresolved permissions Reviewed-by: mullan --- .../classes/java/security/CodeSource.java | 11 +++----- .../java/security/UnresolvedPermission.java | 25 +++++++++++-------- .../cert/CertificateRevokedException.java | 11 ++++---- .../classes/sun/security/util/IOUtils.java | 22 ++++++++++++++-- .../sun/security/util/ObjectIdentifier.java | 8 ++++-- 5 files changed, 51 insertions(+), 26 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/security/CodeSource.java b/jdk/src/java.base/share/classes/java/security/CodeSource.java index 818716fa39..a1f98eeb55 100644 --- a/jdk/src/java.base/share/classes/java/security/CodeSource.java +++ b/jdk/src/java.base/share/classes/java/security/CodeSource.java @@ -35,6 +35,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.cert.*; import sun.net.util.URLUtil; +import sun.security.util.IOUtils; /** * @@ -571,6 +572,8 @@ public class CodeSource implements java.io.Serializable { // could all be present in the stream at the same time cfs = new Hashtable<>(3); certList = new ArrayList<>(size > 20 ? 20 : size); + } else if (size < 0) { + throw new IOException("size cannot be negative"); } for (int i = 0; i < size; i++) { @@ -592,13 +595,7 @@ public class CodeSource implements java.io.Serializable { cfs.put(certType, cf); } // parse the certificate - byte[] encoded = null; - try { - encoded = new byte[ois.readInt()]; - } catch (OutOfMemoryError oome) { - throw new IOException("Certificate too big"); - } - ois.readFully(encoded); + byte[] encoded = IOUtils.readNBytes(ois, ois.readInt()); ByteArrayInputStream bais = new ByteArrayInputStream(encoded); try { certList.add(cf.generateCertificate(bais)); diff --git a/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java b/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java index b5dc02dcb3..d75c24cbf7 100644 --- a/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java +++ b/jdk/src/java.base/share/classes/java/security/UnresolvedPermission.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,12 +25,16 @@ package java.security; +import sun.security.util.IOUtils; + import java.io.IOException; import java.io.ByteArrayInputStream; +import java.security.cert.Certificate; import java.util.ArrayList; import java.util.Hashtable; import java.lang.reflect.*; import java.security.cert.*; +import java.util.List; /** * The UnresolvedPermission class is used to hold Permissions that @@ -550,6 +554,7 @@ implements java.io.Serializable { CertificateFactory cf; Hashtable cfs = null; + List certList = null; ois.defaultReadObject(); @@ -562,7 +567,9 @@ implements java.io.Serializable // we know of 3 different cert types: X.509, PGP, SDSI, which // could all be present in the stream at the same time cfs = new Hashtable<>(3); - this.certs = new java.security.cert.Certificate[size]; + certList = new ArrayList<>(size > 20 ? 20 : size); + } else if (size < 0) { + throw new IOException("size cannot be negative"); } for (int i=0; i(size); + extensions = new HashMap<>(size > 20 ? 20 : size); } // Read in the extensions and put the mappings in the extensions map for (int i = 0; i < size; i++) { String oid = (String) ois.readObject(); boolean critical = ois.readBoolean(); - int length = ois.readInt(); - byte[] extVal = new byte[length]; - ois.readFully(extVal); + byte[] extVal = IOUtils.readNBytes(ois, ois.readInt()); Extension ext = sun.security.x509.Extension.newExtension (new ObjectIdentifier(oid), critical, extVal); extensions.put(oid, ext); diff --git a/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java b/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java index 6918a501ea..1fb2badf52 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java +++ b/jdk/src/java.base/share/classes/sun/security/util/IOUtils.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,7 +37,7 @@ import java.util.Arrays; public class IOUtils { /** - * Read up to length of bytes from in + * Read up to {@code length} of bytes from {@code in} * until EOF is detected. * @param is input stream, must not be null * @param length number of bytes to read, -1 or Integer.MAX_VALUE means @@ -77,4 +77,22 @@ public class IOUtils { } return output; } + + /** + * Read {@code length} of bytes from {@code in}. An exception is + * thrown if there are not enough bytes in the stream. + * + * @param is input stream, must not be null + * @param length number of bytes to read, must not be negative + * @return bytes read + * @throws IOException if any IO error or a premature EOF is detected, or + * if {@code length} is negative since this length is usually also + * read from {@code is}. + */ + public static byte[] readNBytes(InputStream is, int length) throws IOException { + if (length < 0) { + throw new IOException("length cannot be negative: " + length); + } + return readFully(is, length, true); + } } diff --git a/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java b/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java index 12aabe6f07..514b993849 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java +++ b/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -111,7 +111,11 @@ class ObjectIdentifier implements Serializable is.defaultReadObject(); if (encoding == null) { // from an old version - init((int[])components, componentLen); + int[] comp = (int[])components; + if (componentLen > comp.length) { + componentLen = comp.length; + } + init(comp, componentLen); } } From f83db13f67f7b262730a9db731a1136650116e14 Mon Sep 17 00:00:00 2001 From: Phil Race Date: Thu, 6 Jul 2017 09:43:27 -0700 Subject: [PATCH 083/269] 8183028: Improve CMS header processing Reviewed-by: serb, rhalade, mschoene --- jdk/src/java.desktop/share/native/liblcms/cmstypes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c index 61ea3a631e..95fe4d1a5a 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c @@ -1489,6 +1489,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU // Check for overflow if (Offset < (SizeOfHeader + 8)) goto Error; + if (((Offset + Len) < Len) || ((Offset + Len) > SizeOfTag + 8)) goto Error; // True begin of the string BeginOfThisString = Offset - SizeOfHeader - 8; From 3381f8b2eca06fb95d114bbd87fe8813f20b76c6 Mon Sep 17 00:00:00 2001 From: Bhanu Prakash Gopularam Date: Thu, 6 Jul 2017 23:54:47 -0700 Subject: [PATCH 084/269] 8179564: Missing @bug for tests added with JDK-8165367 Updated bugid in tests Reviewed-by: robm --- .../sun/security/ssl/CertPathRestrictions/TLSRestrictions.java | 1 + 1 file changed, 1 insertion(+) diff --git a/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java b/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java index 2a6ffb2d13..ecb060cc7d 100644 --- a/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java +++ b/jdk/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java @@ -48,6 +48,7 @@ import jdk.test.lib.process.ProcessTools; /* * @test + * @bug 8165367 * @summary Verify the restrictions for certificate path on JSSE with custom trust store. * @library /test/lib * @compile JSSEClient.java From 69386b5e93349fec25e135f05f473cb6bc3e64b6 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Wed, 12 Jul 2017 10:55:40 +0800 Subject: [PATCH 085/269] 8182879: Add warnings to keytool when using JKS and JCEKS Reviewed-by: vinnie, ahgross, mullan --- .../sun/security/tools/keytool/Main.java | 187 ++++++++++++++---- .../sun/security/tools/keytool/Resources.java | 6 +- .../sun/security/tools/keytool/WeakAlg.java | 181 +++++++++++++++-- 3 files changed, 319 insertions(+), 55 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java index 53ea970620..3fc3769cff 100644 --- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java @@ -26,6 +26,8 @@ package sun.security.tools.keytool; import java.io.*; +import java.nio.file.Files; +import java.nio.file.Paths; import java.security.CodeSigner; import java.security.CryptoPrimitive; import java.security.KeyStore; @@ -168,7 +170,12 @@ public final class Main { private List ids = new ArrayList<>(); // used in GENCRL private List v3ext = new ArrayList<>(); - // Warnings on weak algorithms + // In-place importkeystore is special. + // A backup is needed, and no need to prompt for deststorepass. + private boolean inplaceImport = false; + private String inplaceBackupName = null; + + // Warnings on weak algorithms etc private List weakWarnings = new ArrayList<>(); private static final DisabledAlgorithmConstraints DISABLED_CHECK = @@ -812,37 +819,52 @@ public final class Main { ("New.password.must.be.at.least.6.characters")); } + // Set this before inplaceImport check so we can compare name. + if (ksfname == null) { + ksfname = System.getProperty("user.home") + File.separator + + ".keystore"; + } + + KeyStore srcKeyStore = null; + if (command == IMPORTKEYSTORE) { + inplaceImport = inplaceImportCheck(); + if (inplaceImport) { + // We load srckeystore first so we have srcstorePass that + // can be assigned to storePass + srcKeyStore = loadSourceKeyStore(); + if (storePass == null) { + storePass = srcstorePass; + } + } + } + // Check if keystore exists. // If no keystore has been specified at the command line, try to use // the default, which is located in $HOME/.keystore. // If the command is "genkey", "identitydb", "import", or "printcert", // it is OK not to have a keystore. - if (isKeyStoreRelated(command)) { - if (ksfname == null) { - ksfname = System.getProperty("user.home") + File.separator - + ".keystore"; - } - if (!nullStream) { - try { - ksfile = new File(ksfname); - // Check if keystore file is empty - if (ksfile.exists() && ksfile.length() == 0) { - throw new Exception(rb.getString - ("Keystore.file.exists.but.is.empty.") + ksfname); - } - ksStream = new FileInputStream(ksfile); - } catch (FileNotFoundException e) { - if (command != GENKEYPAIR && + // DO NOT open the existing keystore if this is an in-place import. + // The keystore should be created as brand new. + if (isKeyStoreRelated(command) && !nullStream && !inplaceImport) { + try { + ksfile = new File(ksfname); + // Check if keystore file is empty + if (ksfile.exists() && ksfile.length() == 0) { + throw new Exception(rb.getString + ("Keystore.file.exists.but.is.empty.") + ksfname); + } + ksStream = new FileInputStream(ksfile); + } catch (FileNotFoundException e) { + if (command != GENKEYPAIR && command != GENSECKEY && command != IDENTITYDB && command != IMPORTCERT && command != IMPORTPASS && command != IMPORTKEYSTORE && command != PRINTCRL) { - throw new Exception(rb.getString - ("Keystore.file.does.not.exist.") + ksfname); - } + throw new Exception(rb.getString + ("Keystore.file.does.not.exist.") + ksfname); } } } @@ -866,7 +888,7 @@ public final class Main { // Create new keystore // Probe for keystore type when filename is available if (ksfile != null && ksStream != null && providerName == null && - hasStoretypeOption == false) { + hasStoretypeOption == false && !inplaceImport) { keyStore = KeyStore.getInstance(ksfile, storePass); } else { if (providerName == null) { @@ -896,7 +918,11 @@ public final class Main { * Null stream keystores are loaded later. */ if (!nullStream) { - keyStore.load(ksStream, storePass); + if (inplaceImport) { + keyStore.load(null, storePass); + } else { + keyStore.load(ksStream, storePass); + } if (ksStream != null) { ksStream.close(); } @@ -1133,7 +1159,11 @@ public final class Main { } } } else if (command == IMPORTKEYSTORE) { - doImportKeyStore(); + // When not in-place import, srcKeyStore is not loaded yet. + if (srcKeyStore == null) { + srcKeyStore = loadSourceKeyStore(); + } + doImportKeyStore(srcKeyStore); kssave = true; } else if (command == KEYCLONE) { keyPassNew = newPass; @@ -1264,6 +1294,51 @@ public final class Main { } } } + + if (isKeyStoreRelated(command) + && !token && !nullStream && ksfname != null) { + + // JKS storetype warning on the final result keystore + File f = new File(ksfname); + char[] pass = (storePassNew!=null) ? storePassNew : storePass; + if (f.exists()) { + // Probe for real type. A JKS can be loaded as PKCS12 because + // DualFormat support, vice versa. + keyStore = KeyStore.getInstance(f, pass); + String realType = keyStore.getType(); + if (realType.equalsIgnoreCase("JKS") + || realType.equalsIgnoreCase("JCEKS")) { + boolean allCerts = true; + for (String a : Collections.list(keyStore.aliases())) { + if (!keyStore.entryInstanceOf( + a, TrustedCertificateEntry.class)) { + allCerts = false; + break; + } + } + // Don't warn for "cacerts" style keystore. + if (!allCerts) { + weakWarnings.add(String.format( + rb.getString("jks.storetype.warning"), + realType, ksfname)); + } + } + if (inplaceImport) { + String realSourceStoreType = KeyStore.getInstance( + new File(inplaceBackupName), srcstorePass).getType(); + String format = + realType.equalsIgnoreCase(realSourceStoreType) ? + rb.getString("backup.keystore.warning") : + rb.getString("migrate.keystore.warning"); + weakWarnings.add( + String.format(format, + srcksfname, + realSourceStoreType, + inplaceBackupName, + realType)); + } + } + } } /** @@ -1955,12 +2030,40 @@ public final class Main { } } + boolean inplaceImportCheck() throws Exception { + if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) || + KeyStoreUtil.isWindowsKeyStore(srcstoretype)) { + return false; + } + + if (srcksfname != null) { + File srcksfile = new File(srcksfname); + if (srcksfile.exists() && srcksfile.length() == 0) { + throw new Exception(rb.getString + ("Source.keystore.file.exists.but.is.empty.") + + srcksfname); + } + if (srcksfile.getCanonicalFile() + .equals(new File(ksfname).getCanonicalFile())) { + return true; + } else { + // Informational, especially if destkeystore is not + // provided, which default to ~/.keystore. + System.err.println(String.format(rb.getString( + "importing.keystore.status"), srcksfname, ksfname)); + return false; + } + } else { + throw new Exception(rb.getString + ("Please.specify.srckeystore")); + } + } + /** * Load the srckeystore from a stream, used in -importkeystore * @return the src KeyStore */ KeyStore loadSourceKeyStore() throws Exception { - boolean isPkcs11 = false; InputStream is = null; File srcksfile = null; @@ -1973,20 +2076,9 @@ public final class Main { System.err.println(); tinyHelp(); } - isPkcs11 = true; } else { - if (srcksfname != null) { - srcksfile = new File(srcksfname); - if (srcksfile.exists() && srcksfile.length() == 0) { - throw new Exception(rb.getString - ("Source.keystore.file.exists.but.is.empty.") + - srcksfname); - } - is = new FileInputStream(srcksfile); - } else { - throw new Exception(rb.getString - ("Please.specify.srckeystore")); - } + srcksfile = new File(srcksfname); + is = new FileInputStream(srcksfile); } KeyStore store; @@ -2053,17 +2145,32 @@ public final class Main { * keep alias unchanged if no name conflict, otherwise, prompt. * keep keypass unchanged for keys */ - private void doImportKeyStore() throws Exception { + private void doImportKeyStore(KeyStore srcKS) throws Exception { if (alias != null) { - doImportKeyStoreSingle(loadSourceKeyStore(), alias); + doImportKeyStoreSingle(srcKS, alias); } else { if (dest != null || srckeyPass != null) { throw new Exception(rb.getString( "if.alias.not.specified.destalias.and.srckeypass.must.not.be.specified")); } - doImportKeyStoreAll(loadSourceKeyStore()); + doImportKeyStoreAll(srcKS); } + + if (inplaceImport) { + // Backup to file.old or file.old2... + // The keystore is not rewritten yet now. + for (int n = 1; /* forever */; n++) { + inplaceBackupName = srcksfname + ".old" + (n == 1 ? "" : n); + File bkFile = new File(inplaceBackupName); + if (!bkFile.exists()) { + Files.copy(Paths.get(srcksfname), bkFile.toPath()); + break; + } + } + + } + /* * Information display rule of -importkeystore * 1. inside single, shows failure diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java index 522449c366..6503ee3b82 100644 --- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java +++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -468,6 +468,10 @@ public class Resources extends java.util.ListResourceBundle { {"verified.by.s.in.s.weak", "Verified by %s in %s with a %s"}, {"whose.sigalg.risk", "%s uses the %s signature algorithm which is considered a security risk."}, {"whose.key.risk", "%s uses a %s which is considered a security risk."}, + {"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."}, + {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."}, + {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."}, + {"importing.keystore.status", "Importing keystore %1$s to %2$s..."}, }; diff --git a/jdk/test/sun/security/tools/keytool/WeakAlg.java b/jdk/test/sun/security/tools/keytool/WeakAlg.java index bb7ae77737..1f725096b8 100644 --- a/jdk/test/sun/security/tools/keytool/WeakAlg.java +++ b/jdk/test/sun/security/tools/keytool/WeakAlg.java @@ -23,7 +23,7 @@ /* * @test - * @bug 8171319 8177569 + * @bug 8171319 8177569 8182879 * @summary keytool should print out warnings when reading or generating * cert/cert req using weak algorithms * @library /test/lib @@ -33,6 +33,7 @@ * @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg */ +import jdk.test.lib.Asserts; import jdk.test.lib.SecurityTools; import jdk.test.lib.process.OutputAnalyzer; import sun.security.tools.KeyStoreUtil; @@ -40,6 +41,7 @@ import sun.security.util.DisabledAlgorithmConstraints; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; +import java.io.File; import java.io.IOException; import java.io.InputStream; import java.io.PrintStream; @@ -134,25 +136,164 @@ public class WeakAlg { kt("-delete -alias b"); kt("-printcrl -file b.crl") .shouldContain("WARNING: not verified"); + + jksTypeCheck(); + + checkInplaceImportKeyStore(); + } + + static void jksTypeCheck() throws Exception { + + // No warning for cacerts, all certs + kt0("-cacerts -list -storepass changeit") + .shouldNotContain("Warning:"); + + rm("ks"); + rm("ks2"); + + kt("-genkeypair -alias a -dname CN=A") + .shouldNotContain("Warning:"); + kt("-list") + .shouldNotContain("Warning:"); + kt("-list -storetype jks") // no warning if PKCS12 used as JKS + .shouldNotContain("Warning:"); + kt("-exportcert -alias a -file a.crt") + .shouldNotContain("Warning:"); + + // warn if migrating to JKS + importkeystore("ks", "ks2", "-deststoretype jks") + .shouldContain("JKS keystore uses a proprietary format"); + + rm("ks"); + rm("ks2"); + rm("ks3"); + + // no warning if all certs + kt("-importcert -alias b -file a.crt -storetype jks -noprompt") + .shouldNotContain("Warning:"); + kt("-genkeypair -alias a -dname CN=A") + .shouldContain("JKS keystore uses a proprietary format"); + kt("-list") + .shouldContain("JKS keystore uses a proprietary format"); + kt("-list -storetype pkcs12") // warn if JKS used as PKCS12 + .shouldContain("JKS keystore uses a proprietary format"); + kt("-exportcert -alias a -file a.crt") + .shouldContain("JKS keystore uses a proprietary format"); + kt("-printcert -file a.crt") // no warning if keystore not touched + .shouldNotContain("Warning:"); + kt("-certreq -alias a -file a.req") + .shouldContain("JKS keystore uses a proprietary format"); + kt("-printcertreq -file a.req") // no warning if keystore not touched + .shouldNotContain("Warning:"); + + // No warning if migrating from JKS + importkeystore("ks", "ks2", "") + .shouldNotContain("Warning:"); + + importkeystore("ks", "ks3", "-deststoretype pkcs12") + .shouldNotContain("Warning:"); + + rm("ks"); + + kt("-genkeypair -alias a -dname CN=A -storetype jceks") + .shouldContain("JCEKS keystore uses a proprietary format"); + kt("-list") + .shouldContain("JCEKS keystore uses a proprietary format"); + kt("-importcert -alias b -file a.crt -noprompt") + .shouldContain("JCEKS keystore uses a proprietary format"); + kt("-exportcert -alias a -file a.crt") + .shouldContain("JCEKS keystore uses a proprietary format"); + kt("-printcert -file a.crt") + .shouldNotContain("Warning:"); + kt("-certreq -alias a -file a.req") + .shouldContain("JCEKS keystore uses a proprietary format"); + kt("-printcertreq -file a.req") + .shouldNotContain("Warning:"); + kt("-genseckey -alias c -keyalg AES -keysize 128") + .shouldContain("JCEKS keystore uses a proprietary format"); } static void checkImportKeyStore() throws Exception { - saveStore(); + rm("ks2"); + rm("ks3"); - rm("ks"); - kt("-importkeystore -srckeystore ks2 -srcstorepass changeit") + importkeystore("ks", "ks2", "") .shouldContain("3 entries successfully imported") .shouldContain("Warning") .shouldMatch(".*512-bit RSA key.*risk") .shouldMatch(".*MD5withRSA.*risk"); - rm("ks"); - kt("-importkeystore -srckeystore ks2 -srcstorepass changeit -srcalias a") + importkeystore("ks", "ks3", "-srcalias a") .shouldContain("Warning") .shouldMatch(".*MD5withRSA.*risk"); + } - reStore(); + static void checkInplaceImportKeyStore() throws Exception { + + rm("ks"); + genkeypair("a", ""); + + // Same type backup + importkeystore("ks", "ks", "") + .shouldContain("Warning:") + .shouldMatch("original.*ks.old"); + + importkeystore("ks", "ks", "") + .shouldContain("Warning:") + .shouldMatch("original.*ks.old2"); + + importkeystore("ks", "ks", "-srcstoretype jks") // it knows real type + .shouldContain("Warning:") + .shouldMatch("original.*ks.old3"); + + String cPath = new File("ks").getCanonicalPath(); + + importkeystore("ks", cPath, "") + .shouldContain("Warning:") + .shouldMatch("original.*ks.old4"); + + // Migration + importkeystore("ks", "ks", "-deststoretype jks") + .shouldContain("Warning:") + .shouldContain("JKS keystore uses a proprietary format") + .shouldMatch("Migrated.*JKS.*PKCS12.*ks.old5"); + + Asserts.assertEQ( + KeyStore.getInstance( + new File("ks"), "changeit".toCharArray()).getType(), + "JKS"); + + importkeystore("ks", "ks", "-srcstoretype PKCS12") + .shouldContain("Warning:") + .shouldNotContain("proprietary format") + .shouldMatch("Migrated.*PKCS12.*JKS.*ks.old6"); + + Asserts.assertEQ( + KeyStore.getInstance( + new File("ks"), "changeit".toCharArray()).getType(), + "PKCS12"); + + Asserts.assertEQ( + KeyStore.getInstance( + new File("ks.old6"), "changeit".toCharArray()).getType(), + "JKS"); + + // One password prompt is enough for migration + kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit") + .shouldMatch("original.*ks.old7"); + + // But three if importing to a different keystore + rm("ks2"); + kt0("-importkeystore -srckeystore ks -destkeystore ks2", + "changeit") + .shouldContain("Keystore password is too short"); + + kt0("-importkeystore -srckeystore ks -destkeystore ks2", + "changeit", "changeit", "changeit") + .shouldContain("Importing keystore ks to ks2...") + .shouldNotContain("original") + .shouldNotContain("Migrated"); } static void checkImport() throws Exception { @@ -518,17 +659,22 @@ public class WeakAlg { } } - // Fast keytool execution by directly calling its main() method static OutputAnalyzer kt(String cmd, String... input) { + return kt0("-keystore ks -storepass changeit " + + "-keypass changeit " + cmd, input); + } + + // Fast keytool execution by directly calling its main() method + static OutputAnalyzer kt0(String cmd, String... input) { PrintStream out = System.out; PrintStream err = System.err; InputStream ins = System.in; ByteArrayOutputStream bout = new ByteArrayOutputStream(); ByteArrayOutputStream berr = new ByteArrayOutputStream(); boolean succeed = true; + String sout; + String serr; try { - cmd = "-keystore ks -storepass changeit " + - "-keypass changeit " + cmd; System.out.println("---------------------------------------------"); System.out.println("$ keytool " + cmd); System.out.println(); @@ -552,19 +698,26 @@ public class WeakAlg { System.setOut(out); System.setErr(err); System.setIn(ins); + sout = new String(bout.toByteArray()); + serr = new String(berr.toByteArray()); + System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr); } - String sout = new String(bout.toByteArray()); - String serr = new String(berr.toByteArray()); - System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr); if (!succeed) { throw new RuntimeException(); } return new OutputAnalyzer(sout, serr); } + static OutputAnalyzer importkeystore(String src, String dest, + String options) { + return kt0("-importkeystore " + + "-srckeystore " + src + " -destkeystore " + dest + + " -srcstorepass changeit -deststorepass changeit " + options); + } + static OutputAnalyzer genkeypair(String alias, String options) { return kt("-genkeypair -alias " + alias + " -dname CN=" + alias - + " -keyalg RSA -storetype JKS " + options); + + " -keyalg RSA -storetype PKCS12 " + options); } static OutputAnalyzer certreq(String alias, String options) { From 0db2538e176eacce2e7be312daf0653b8a32bbb0 Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Thu, 13 Jul 2017 20:41:59 +0000 Subject: [PATCH 086/269] 8181048: Refactor existing providers to refer to the same constants for default values for key length Reviewed-by: mullan, ahgross --- .../crypto/provider/DHKeyPairGenerator.java | 8 +- .../crypto/provider/DHParameterGenerator.java | 7 +- .../provider/DSAKeyPairGenerator.java | 139 ++++++++++-------- .../provider/DSAParameterGenerator.java | 46 +++--- .../sun/security/provider/SunEntries.java | 12 +- .../sun/security/rsa/RSAKeyPairGenerator.java | 5 +- .../sun/security/tools/keytool/Main.java | 10 +- .../util/SecurityProviderConstants.java | 131 +++++++++++++++++ .../security/pkcs11/P11KeyPairGenerator.java | 16 +- .../sun/security/ec/ECKeyPairGenerator.java | 6 +- .../security/mscapi/RSAKeyPairGenerator.java | 8 +- jdk/test/java/security/Signature/Offsets.java | 11 +- .../java/security/SignedObject/Chain.java | 23 ++- .../DSA/TestAlgParameterGenerator.java | 5 +- .../provider/DSA/TestKeyPairGenerator.java | 7 +- .../DSA/TestLegacyDSAKeyPairGenerator.java | 84 +++++++++++ 16 files changed, 380 insertions(+), 138 deletions(-) create mode 100644 jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java create mode 100644 jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java index 2322741110..3399cc5a3a 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHGenParameterSpec; import sun.security.provider.ParameterCache; +import static sun.security.util.SecurityProviderConstants.DEF_DH_KEY_SIZE; /** * This class represents the key pair generator for Diffie-Hellman key pairs. @@ -42,8 +43,7 @@ import sun.security.provider.ParameterCache; *

* @@ -68,7 +68,7 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi { public DHKeyPairGenerator() { super(); - initialize(2048, null); + initialize(DEF_DH_KEY_SIZE, null); } private static void checkKeySize(int keysize) diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java index f8001b5ab2..293dfd895a 100644 --- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java +++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,8 @@ import java.security.spec.*; import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHGenParameterSpec; +import static sun.security.util.SecurityProviderConstants.DEF_DH_KEY_SIZE; + /* * This class generates parameters for the Diffie-Hellman algorithm. * The parameters are a prime, a base, and optionally the length in bits of @@ -38,7 +40,6 @@ import javax.crypto.spec.DHGenParameterSpec; * *

The Diffie-Hellman parameter generation accepts the size in bits of the * prime modulus and the size in bits of the random exponent as input. - * The size of the prime modulus defaults to 2048 bits. * * @author Jan Luehe * @@ -50,7 +51,7 @@ import javax.crypto.spec.DHGenParameterSpec; public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi { // The size in bits of the prime modulus - private int primeSize = 2048; + private int primeSize = DEF_DH_KEY_SIZE; // The size in bits of the random exponent (private value) private int exponentSize = 0; diff --git a/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java b/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java index f162b595f4..50d9bcc2bc 100644 --- a/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java +++ b/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -35,6 +35,8 @@ import java.security.spec.InvalidParameterSpecException; import java.security.spec.DSAParameterSpec; import sun.security.jca.JCAUtil; +import static sun.security.util.SecurityProviderConstants.DEF_DSA_KEY_SIZE; +import static sun.security.util.SecurityProviderConstants.getDefDSASubprimeSize; /** * This class generates DSA key parameters and public/private key @@ -45,15 +47,14 @@ import sun.security.jca.JCAUtil; * @author Andreas Sterbenz * */ -public class DSAKeyPairGenerator extends KeyPairGenerator - implements java.security.interfaces.DSAKeyPairGenerator { +class DSAKeyPairGenerator extends KeyPairGenerator { /* Length for prime P and subPrime Q in bits */ private int plen; private int qlen; /* whether to force new parameters to be generated for each KeyPair */ - private boolean forceNewParameters; + boolean forceNewParameters; /* preset algorithm parameters. */ private DSAParameterSpec params; @@ -61,9 +62,9 @@ public class DSAKeyPairGenerator extends KeyPairGenerator /* The source of random bits to use */ private SecureRandom random; - public DSAKeyPairGenerator() { + DSAKeyPairGenerator(int defaultKeySize) { super("DSA"); - initialize(1024, null); + initialize(defaultKeySize, null); } private static void checkStrength(int sizeP, int sizeQ) { @@ -84,61 +85,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator } public void initialize(int modlen, SecureRandom random) { - // generate new parameters when no precomputed ones available. - initialize(modlen, true, random); - this.forceNewParameters = false; - } - - /** - * Initializes the DSA key pair generator. If genParams - * is false, a set of pre-computed parameters is used. - */ - @Override - public void initialize(int modlen, boolean genParams, SecureRandom random) - throws InvalidParameterException { - - int subPrimeLen = -1; - if (modlen <= 1024) { - subPrimeLen = 160; - } else if (modlen == 2048) { - subPrimeLen = 224; - } else if (modlen == 3072) { - subPrimeLen = 256; - } - checkStrength(modlen, subPrimeLen); - if (genParams) { - params = null; - } else { - params = ParameterCache.getCachedDSAParameterSpec(modlen, - subPrimeLen); - if (params == null) { - throw new InvalidParameterException - ("No precomputed parameters for requested modulus size " - + "available"); - } - - } - this.plen = modlen; - this.qlen = subPrimeLen; - this.random = random; - this.forceNewParameters = genParams; - } - - /** - * Initializes the DSA object using a DSA parameter object. - * - * @param params a fully initialized DSA parameter object. - */ - @Override - public void initialize(DSAParams params, SecureRandom random) - throws InvalidParameterException { - - if (params == null) { - throw new InvalidParameterException("Params must not be null"); - } - DSAParameterSpec spec = new DSAParameterSpec - (params.getP(), params.getQ(), params.getG()); - initialize0(spec, random); + init(modlen, random, false); } /** @@ -157,10 +104,21 @@ public class DSAKeyPairGenerator extends KeyPairGenerator throw new InvalidAlgorithmParameterException ("Inappropriate parameter"); } - initialize0((DSAParameterSpec)params, random); + init((DSAParameterSpec)params, random, false); } - private void initialize0(DSAParameterSpec params, SecureRandom random) { + void init(int modlen, SecureRandom random, boolean forceNew) { + int subPrimeLen = getDefDSASubprimeSize(modlen); + checkStrength(modlen, subPrimeLen); + this.plen = modlen; + this.qlen = subPrimeLen; + this.params = null; + this.random = random; + this.forceNewParameters = forceNew; + } + + void init(DSAParameterSpec params, SecureRandom random, + boolean forceNew) { int sizeP = params.getP().bitLength(); int sizeQ = params.getQ().bitLength(); checkStrength(sizeP, sizeQ); @@ -168,7 +126,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator this.qlen = sizeQ; this.params = params; this.random = random; - this.forceNewParameters = false; + this.forceNewParameters = forceNew; } /** @@ -197,7 +155,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator return generateKeyPair(spec.getP(), spec.getQ(), spec.getG(), random); } - public KeyPair generateKeyPair(BigInteger p, BigInteger q, BigInteger g, + private KeyPair generateKeyPair(BigInteger p, BigInteger q, BigInteger g, SecureRandom random) { BigInteger x = generateX(random, q); @@ -252,4 +210,55 @@ public class DSAKeyPairGenerator extends KeyPairGenerator return y; } + public static final class Current extends DSAKeyPairGenerator { + public Current() { + super(DEF_DSA_KEY_SIZE); + } + } + + public static final class Legacy extends DSAKeyPairGenerator + implements java.security.interfaces.DSAKeyPairGenerator { + + public Legacy() { + super(1024); + } + + /** + * Initializes the DSA key pair generator. If genParams + * is false, a set of pre-computed parameters is used. + */ + @Override + public void initialize(int modlen, boolean genParams, + SecureRandom random) throws InvalidParameterException { + if (genParams) { + super.init(modlen, random, true); + } else { + DSAParameterSpec cachedParams = + ParameterCache.getCachedDSAParameterSpec(modlen, + getDefDSASubprimeSize(modlen)); + if (cachedParams == null) { + throw new InvalidParameterException + ("No precomputed parameters for requested modulus" + + " size available"); + } + super.init(cachedParams, random, false); + } + } + + /** + * Initializes the DSA object using a DSA parameter object. + * + * @param params a fully initialized DSA parameter object. + */ + @Override + public void initialize(DSAParams params, SecureRandom random) + throws InvalidParameterException { + if (params == null) { + throw new InvalidParameterException("Params must not be null"); + } + DSAParameterSpec spec = new DSAParameterSpec + (params.getP(), params.getQ(), params.getG()); + super.init(spec, random, false); + } + } } diff --git a/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java b/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java index 220b5989f5..8c8ca9b42d 100644 --- a/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java +++ b/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,15 +34,18 @@ import java.security.NoSuchProviderException; import java.security.InvalidParameterException; import java.security.MessageDigest; import java.security.SecureRandom; +import java.security.ProviderException; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.InvalidParameterSpecException; import java.security.spec.DSAParameterSpec; import java.security.spec.DSAGenParameterSpec; +import static sun.security.util.SecurityProviderConstants.DEF_DSA_KEY_SIZE; +import static sun.security.util.SecurityProviderConstants.getDefDSASubprimeSize; + + /** - * This class generates parameters for the DSA algorithm. It uses a default - * prime modulus size of 1024 bits, which can be overwritten during - * initialization. + * This class generates parameters for the DSA algorithm. * * @author Jan Luehe * @@ -56,10 +59,6 @@ import java.security.spec.DSAGenParameterSpec; public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { - // the default parameters - private static final DSAGenParameterSpec DEFAULTS = - new DSAGenParameterSpec(1024, 160, 160); - // the length of prime P, subPrime Q, and seed in bits private int valueL = -1; private int valueN = -1; @@ -80,18 +79,14 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { */ @Override protected void engineInit(int strength, SecureRandom random) { - if ((strength >= 512) && (strength <= 1024) && (strength % 64 == 0)) { - this.valueN = 160; - } else if (strength == 2048) { - this.valueN = 224; - } else if (strength == 3072) { - this.valueN = 256; - } else { + if ((strength != 2048) && (strength != 3072) && + ((strength < 512) || (strength > 1024) || (strength % 64 != 0))) { throw new InvalidParameterException( - "Unexpected strength (size of prime): " + strength + ". " + - "Prime size should be 512 - 1024, or 2048, 3072"); + "Unexpected strength (size of prime): " + strength + + ". Prime size should be 512-1024, 2048, or 3072"); } this.valueL = strength; + this.valueN = getDefDSASubprimeSize(strength); this.seedLen = valueN; this.random = random; } @@ -110,7 +105,6 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { @Override protected void engineInit(AlgorithmParameterSpec genParamSpec, SecureRandom random) throws InvalidAlgorithmParameterException { - if (!(genParamSpec instanceof DSAGenParameterSpec)) { throw new InvalidAlgorithmParameterException("Invalid parameter"); } @@ -136,11 +130,7 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { this.random = new SecureRandom(); } if (valueL == -1) { - try { - engineInit(DEFAULTS, this.random); - } catch (InvalidAlgorithmParameterException iape) { - // should never happen - } + engineInit(DEF_DSA_KEY_SIZE, this.random); } BigInteger[] pAndQ = generatePandQ(this.random, valueL, valueN, seedLen); @@ -206,13 +196,17 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { int b = (valueL - 1) % outLen; byte[] seedBytes = new byte[seedLen/8]; BigInteger twoSl = BigInteger.TWO.pow(seedLen); - int primeCertainty = 80; // for 1024-bit prime P - if (valueL == 2048) { + int primeCertainty = -1; + if (valueL <= 1024) { + primeCertainty = 80; + } else if (valueL == 2048) { primeCertainty = 112; } else if (valueL == 3072) { primeCertainty = 128; } - + if (primeCertainty < 0) { + throw new ProviderException("Invalid valueL: " + valueL); + } BigInteger resultP, resultQ, seed = null; int counter; while (true) { diff --git a/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java b/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java index 31164695ec..f440f1556c 100644 --- a/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java +++ b/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import java.io.*; import java.net.*; import java.util.Map; import java.security.*; +import sun.security.action.GetPropertyAction; /** * Defines the entries of the SUN provider. @@ -74,6 +75,10 @@ import java.security.*; final class SunEntries { + private static final boolean useLegacyDSA = + Boolean.parseBoolean(GetPropertyAction.privilegedGetProperty + ("jdk.security.legacyDSAKeyPairGenerator")); + private SunEntries() { // empty } @@ -174,8 +179,9 @@ final class SunEntries { /* * Key Pair Generator engines */ - map.put("KeyPairGenerator.DSA", - "sun.security.provider.DSAKeyPairGenerator"); + String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$"; + dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current"); + map.put("KeyPairGenerator.DSA", dsaKPGImplClass); map.put("Alg.Alias.KeyPairGenerator.OID.1.2.840.10040.4.1", "DSA"); map.put("Alg.Alias.KeyPairGenerator.1.2.840.10040.4.1", "DSA"); map.put("Alg.Alias.KeyPairGenerator.1.3.14.3.2.12", "DSA"); diff --git a/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java b/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java index 0901e4c7af..6ad77b5236 100644 --- a/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java +++ b/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ import java.security.spec.AlgorithmParameterSpec; import java.security.spec.RSAKeyGenParameterSpec; import sun.security.jca.JCAUtil; +import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE; /** * RSA keypair generation. Standard algorithm, minimum key length 512 bit. @@ -55,7 +56,7 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi { public RSAKeyPairGenerator() { // initialize to default in case the app does not call initialize() - initialize(2048, null); + initialize(DEF_RSA_KEY_SIZE, null); } // initialize the generator. See JCA doc diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java index 3fc3769cff..f9188dd787 100644 --- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java @@ -74,6 +74,7 @@ import sun.security.pkcs10.PKCS10Attribute; import sun.security.provider.X509Factory; import sun.security.provider.certpath.ssl.SSLServerCertStore; import sun.security.util.Password; +import sun.security.util.SecurityProviderConstants; import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; @@ -1783,9 +1784,12 @@ public final class Main { { if (keysize == -1) { if ("EC".equalsIgnoreCase(keyAlgName)) { - keysize = 256; - } else { - keysize = 2048; // RSA and DSA + keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE; + } else if ("RSA".equalsIgnoreCase(keyAlgName)) { + keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE; + } else if ("DSA".equalsIgnoreCase(keyAlgName)) { + // hardcode for now as DEF_DSA_KEY_SIZE is still 1024 + keysize = 2048; // SecurityProviderConstants.DEF_DSA_KEY_SIZE; } } diff --git a/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java new file mode 100644 index 0000000000..16499519b5 --- /dev/null +++ b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import java.util.regex.PatternSyntaxException; +import java.security.InvalidParameterException; +import sun.security.action.GetPropertyAction; + +/** + * Various constants such as version number, default key length, used by + * the JDK security/crypto providers. + */ +public final class SecurityProviderConstants { + private static final Debug debug = + Debug.getInstance("jca", "ProviderConfig"); + + // Cannot create one of these + private SecurityProviderConstants () { + } + + public static final int getDefDSASubprimeSize(int primeSize) { + if (primeSize <= 1024) { + return 160; + } else if (primeSize == 2048) { + return 224; + } else if (primeSize == 3072) { + return 256; + } else { + throw new InvalidParameterException("Invalid DSA Prime Size: " + + primeSize); + } + } + + public static final int DEF_DSA_KEY_SIZE; + public static final int DEF_RSA_KEY_SIZE; + public static final int DEF_DH_KEY_SIZE; + public static final int DEF_EC_KEY_SIZE; + + private static final String KEY_LENGTH_PROP = + "jdk.security.defaultKeySize"; + static { + String keyLengthStr = GetPropertyAction.privilegedGetProperty + (KEY_LENGTH_PROP); + int dsaKeySize = 1024; + int rsaKeySize = 2048; + int dhKeySize = 2048; + int ecKeySize = 256; + + if (keyLengthStr != null) { + try { + String[] pairs = keyLengthStr.split(","); + for (String p : pairs) { + String[] algoAndValue = p.split(":"); + if (algoAndValue.length != 2) { + // invalid pair, skip to next pair + if (debug != null) { + debug.println("Ignoring invalid pair in " + + KEY_LENGTH_PROP + " property: " + p); + } + continue; + } + String algoName = algoAndValue[0].trim().toUpperCase(); + int value = -1; + try { + value = Integer.parseInt(algoAndValue[1].trim()); + } catch (NumberFormatException nfe) { + // invalid value, skip to next pair + if (debug != null) { + debug.println("Ignoring invalid value in " + + KEY_LENGTH_PROP + " property: " + p); + } + continue; + } + if (algoName.equals("DSA")) { + dsaKeySize = value; + } else if (algoName.equals("RSA")) { + rsaKeySize = value; + } else if (algoName.equals("DH")) { + dhKeySize = value; + } else if (algoName.equals("EC")) { + ecKeySize = value; + } else { + if (debug != null) { + debug.println("Ignoring unsupported algo in " + + KEY_LENGTH_PROP + " property: " + p); + } + continue; + } + if (debug != null) { + debug.println("Overriding default " + algoName + + " keysize with value from " + + KEY_LENGTH_PROP + " property: " + value); + } + } + } catch (PatternSyntaxException pse) { + // if property syntax is not followed correctly + if (debug != null) { + debug.println("Unexpected exception while parsing " + + KEY_LENGTH_PROP + " property: " + pse); + } + } + } + DEF_DSA_KEY_SIZE = dsaKeySize; + DEF_RSA_KEY_SIZE = rsaKeySize; + DEF_DH_KEY_SIZE = dhKeySize; + DEF_EC_KEY_SIZE = ecKeySize; + } +} diff --git a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java index 3aa2e69103..e3f867248b 100644 --- a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java +++ b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,11 +33,13 @@ import java.security.spec.*; import javax.crypto.spec.DHParameterSpec; import sun.security.provider.ParameterCache; +import static sun.security.util.SecurityProviderConstants.*; import static sun.security.pkcs11.TemplateManager.*; import sun.security.pkcs11.wrapper.*; import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + import sun.security.rsa.RSAKeyFactory; /** @@ -98,7 +100,7 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi { // override lower limit to disallow unsecure keys being generated // override upper limit to deter DOS attack if (algorithm.equals("EC")) { - keySize = 256; + keySize = DEF_EC_KEY_SIZE; if ((minKeyLen == -1) || (minKeyLen < 112)) { minKeyLen = 112; } @@ -107,13 +109,11 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi { } } else { if (algorithm.equals("DSA")) { - // keep default keysize at 1024 since larger keysizes may be - // incompatible with SHA1withDSA and SHA-2 Signature algs - // may not be supported by native pkcs11 implementations - keySize = 1024; + keySize = DEF_DSA_KEY_SIZE; + } else if (algorithm.equals("RSA")) { + keySize = DEF_RSA_KEY_SIZE; } else { - // RSA and DH - keySize = 2048; + keySize = DEF_DH_KEY_SIZE; } if ((minKeyLen == -1) || (minKeyLen < 512)) { minKeyLen = 512; diff --git a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java index 2df53fb60e..c96806ab8c 100644 --- a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java +++ b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import sun.security.ec.ECPublicKeyImpl; import sun.security.jca.JCAUtil; import sun.security.util.ECParameters; import sun.security.util.ECUtil; +import static sun.security.util.SecurityProviderConstants.DEF_EC_KEY_SIZE; /** * EC keypair generator. @@ -48,7 +49,6 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { private static final int KEY_SIZE_MIN = 112; // min bits (see ecc_impl.h) private static final int KEY_SIZE_MAX = 571; // max bits (see ecc_impl.h) - private static final int KEY_SIZE_DEFAULT = 256; // used to seed the keypair generator private SecureRandom random; @@ -64,7 +64,7 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi { */ public ECKeyPairGenerator() { // initialize to default in case the app does not call initialize() - initialize(KEY_SIZE_DEFAULT, null); + initialize(DEF_EC_KEY_SIZE, null); } // initialize the generator. See JCA doc diff --git a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java index f28e5cb513..d4f509058f 100644 --- a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java +++ b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.security.spec.AlgorithmParameterSpec; import java.security.spec.RSAKeyGenParameterSpec; import sun.security.rsa.RSAKeyFactory; +import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE; /** * RSA keypair generator. @@ -45,14 +46,13 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi { // Supported by Microsoft Base, Strong and Enhanced Cryptographic Providers static final int KEY_SIZE_MIN = 512; // disallow MSCAPI min. of 384 static final int KEY_SIZE_MAX = 16384; - private static final int KEY_SIZE_DEFAULT = 2048; // size of the key to generate, KEY_SIZE_MIN <= keySize <= KEY_SIZE_MAX private int keySize; public RSAKeyPairGenerator() { // initialize to default in case the app does not call initialize() - initialize(KEY_SIZE_DEFAULT, null); + initialize(DEF_RSA_KEY_SIZE, null); } // initialize the generator. See JCA doc @@ -76,7 +76,7 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi { int tmpSize; if (params == null) { - tmpSize = KEY_SIZE_DEFAULT; + tmpSize = DEF_RSA_KEY_SIZE; } else if (params instanceof RSAKeyGenParameterSpec) { if (((RSAKeyGenParameterSpec) params).getPublicExponent() != null) { diff --git a/jdk/test/java/security/Signature/Offsets.java b/jdk/test/java/security/Signature/Offsets.java index 9e71690ea4..1db510dd6c 100644 --- a/jdk/test/java/security/Signature/Offsets.java +++ b/jdk/test/java/security/Signature/Offsets.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,7 +34,7 @@ import jdk.testlibrary.RandomFactory; /* * @test - * @bug 8050374 + * @bug 8050374 8181048 * @key randomness * @summary This test validates signature verification * Signature.verify(byte[], int, int). The test uses RandomFactory to @@ -105,18 +105,25 @@ public class Offsets { Signature signature = Signature.getInstance(algorithm, provider); String keyAlgo; + int keySize = 2048; if (algorithm.contains("RSA")) { keyAlgo = "RSA"; } else if (algorithm.contains("ECDSA")) { keyAlgo = "EC"; + keySize = 256; } else if (algorithm.contains("DSA")) { keyAlgo = "DSA"; + if (algorithm.startsWith("SHAwith") || + algorithm.startsWith("SHA1with")) { + keySize = 1024; + } } else { throw new RuntimeException("Test doesn't support this signature " + "algorithm: " + algorithm); } KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo, provider); + kpg.initialize(keySize); KeyPair kp = kpg.generateKeyPair(); PublicKey pubkey = kp.getPublic(); PrivateKey privkey = kp.getPrivate(); diff --git a/jdk/test/java/security/SignedObject/Chain.java b/jdk/test/java/security/SignedObject/Chain.java index 65e1ebbd7f..3c9bad3dd1 100644 --- a/jdk/test/java/security/SignedObject/Chain.java +++ b/jdk/test/java/security/SignedObject/Chain.java @@ -32,7 +32,7 @@ import java.util.Arrays; /* * @test - * @bug 8050374 + * @bug 8050374 8181048 * @summary Verify a chain of signed objects */ public class Chain { @@ -97,22 +97,28 @@ public class Chain { final Provider provider; final KeyAlg keyAlg; final SigAlg sigAlg; + final int keySize; - Test(SigAlg sigAlg, KeyAlg keyAlg, Provider privider) { - this.provider = privider; + Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider) { + this(sigAlg, keyAlg, provider, -1); + } + + Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider, int keySize) { + this.provider = provider; this.keyAlg = keyAlg; this.sigAlg = sigAlg; + this.keySize = keySize; } } private static final Test[] tests = { - new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Default), + new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Default, 1024), new Test(SigAlg.MD2withRSA, KeyAlg.RSA, Provider.Default), new Test(SigAlg.MD5withRSA, KeyAlg.RSA, Provider.Default), new Test(SigAlg.SHA1withRSA, KeyAlg.RSA, Provider.Default), - new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Sun), - new Test(SigAlg.SHA224withDSA, KeyAlg.DSA, Provider.Sun), - new Test(SigAlg.SHA256withDSA, KeyAlg.DSA, Provider.Sun), + new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Sun, 1024), + new Test(SigAlg.SHA224withDSA, KeyAlg.DSA, Provider.Sun, 2048), + new Test(SigAlg.SHA256withDSA, KeyAlg.DSA, Provider.Sun, 2048), }; private static final String str = "to-be-signed"; @@ -148,6 +154,9 @@ public class Chain { kpg = KeyPairGenerator.getInstance(test.keyAlg.name); } for (int j=0; j < N; j++) { + if (test.keySize != -1) { + kpg.initialize(test.keySize); + } KeyPair kp = kpg.genKeyPair(); KeyPair anotherKp = kpg.genKeyPair(); privKeys[j] = kp.getPrivate(); diff --git a/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java b/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java index 10af679486..cf39a5bab5 100644 --- a/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java +++ b/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 7044060 8055351 + * @bug 7044060 8055351 8181048 * @summary verify that DSA parameter generation works * @run main/timeout=600 TestAlgParameterGenerator */ @@ -81,7 +81,6 @@ public class TestAlgParameterGenerator { AlgorithmParameters param = apg.generateParameters(); stop = System.currentTimeMillis(); System.out.println("Time: " + (stop - start) + " ms."); - checkParamStrength(param, 1024); // make sure the old model works int[] strengths = {512, 768, 1024}; diff --git a/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java b/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java index bfd47b23ad..105c50015d 100644 --- a/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java +++ b/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 4800108 8072452 + * @bug 4800108 8072452 8181048 * @summary verify that precomputed DSA parameters are always used (512, 768, * 1024, 2048, 3072 bit) * @run main/othervm/timeout=15 TestKeyPairGenerator @@ -59,15 +59,12 @@ public class TestKeyPairGenerator { // on JDKs that do not have the fix kpg = KeyPairGenerator.getInstance("DSA", "SUN"); kp = kpg.generateKeyPair(); - checkKeyLength(kp, 1024); kpg = KeyPairGenerator.getInstance("DSA", "SUN"); kp = kpg.generateKeyPair(); - checkKeyLength(kp, 1024); // some other basic tests kp = kpg.generateKeyPair(); - checkKeyLength(kp, 1024); kpg.initialize(1024); kp = kpg.generateKeyPair(); diff --git a/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java b/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java new file mode 100644 index 0000000000..5b4f902aff --- /dev/null +++ b/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java @@ -0,0 +1,84 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8181048 + * @summary verify that when the returned DSA KeyPairGenerator is + * an instance of java.security.interfaces.DSAKeyPairGenerator, + * the behavior is compliant with the javadoc spec. + * @run main/othervm -Djdk.security.legacyDSAKeyPairGenerator=tRUe TestLegacyDSAKeyPairGenerator + */ + +import java.security.*; +import java.security.interfaces.*; + +public class TestLegacyDSAKeyPairGenerator { + + private static void checkKeyLength(KeyPair kp, int len) throws Exception { + DSAPublicKey key = (DSAPublicKey)kp.getPublic(); + int n = key.getParams().getP().bitLength(); + System.out.println("Key length: " + n); + if (len != n) { + throw new Exception("Wrong key length"); + } + } + + public static void main(String[] args) throws Exception { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "SUN"); + // check the returned object implements the legacy interface + if (!(kpg instanceof DSAKeyPairGenerator)) { + throw new Exception("Should be an instance of DSAKeyPairGenerator"); + } + System.out.println("Returned an instance of DSAKeyPairGenerator"); + // check the default key size is 1024 when initiaize(..) is not called + KeyPair kp1 = kpg.generateKeyPair(); + checkKeyLength(kp1, 1024); + KeyPair kp2 = kpg.generateKeyPair(); + checkKeyLength(kp2, 1024); + System.out.println("Used 1024 default key size"); + + // check kp1 and kp2 uses the same DSA parameters p, q, g + DSAParams param1 = ((DSAPublicKey)kp1.getPublic()).getParams(); + DSAParams param2 = ((DSAPublicKey)kp2.getPublic()).getParams(); + if ((param1.getP().compareTo(param2.getP()) != 0) || + (param1.getQ().compareTo(param2.getQ()) != 0) || + (param1.getG().compareTo(param2.getG()) != 0)) { + throw new RuntimeException("Key params mismatch"); + } + System.out.println("Used same default params"); + + // check that the documented exception is thrown if no cached parameters + int sizeNotInCache = (1024 - 64); + try { + ((DSAKeyPairGenerator)kpg).initialize(sizeNotInCache, false, null); + throw new RuntimeException("Expected IPE not thrown"); + } catch (InvalidParameterException ipe) { + System.out.println("Throwed expected IPE"); + } + ((DSAKeyPairGenerator)kpg).initialize(sizeNotInCache, true, null); + KeyPair kp = kpg.generateKeyPair(); + checkKeyLength(kp, sizeNotInCache); + System.out.println("Generated requested key size"); + } +} From 2e0ac64ee84c1cb0e911b62c017feab493c29b23 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 26 May 2017 08:06:22 +0800 Subject: [PATCH 087/269] 8178794: krb5 client should ignore sname in incoming tickets Reviewed-by: mullan, ahgross, valeriep --- .../classes/sun/security/krb5/KrbAsRep.java | 4 +- .../classes/sun/security/krb5/KrbTgsRep.java | 4 +- jdk/test/sun/security/krb5/auto/KDC.java | 6 +- .../sun/security/krb5/auto/TicketSName.java | 58 +++++++++++++++++++ 4 files changed, 66 insertions(+), 6 deletions(-) create mode 100644 jdk/test/sun/security/krb5/auto/TicketSName.java diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java index bf7a562eb4..b03276fd09 100644 --- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java +++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -160,7 +160,7 @@ class KrbAsRep extends KrbKdcRep { creds = new Credentials( rep.ticket, req.reqBody.cname, - rep.ticket.sname, + enc_part.sname, enc_part.key, enc_part.flags, enc_part.authtime, diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java index 6fc6cebaa7..4f5c2d6ed9 100644 --- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java +++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -88,7 +88,7 @@ public class KrbTgsRep extends KrbKdcRep { this.creds = new Credentials(rep.ticket, rep.cname, - rep.ticket.sname, + enc_part.sname, enc_part.key, enc_part.flags, enc_part.authtime, diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java index e47c3e9e5c..c9059ab237 100644 --- a/jdk/test/sun/security/krb5/auto/KDC.java +++ b/jdk/test/sun/security/krb5/auto/KDC.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -828,7 +828,9 @@ public class KDC { throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO } Ticket t = new Ticket( - service, + System.getProperty("test.kdc.diff.sname") != null ? + new PrincipalName("xx" + service.toString()) : + service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) ); EncTGSRepPart enc_part = new EncTGSRepPart( diff --git a/jdk/test/sun/security/krb5/auto/TicketSName.java b/jdk/test/sun/security/krb5/auto/TicketSName.java new file mode 100644 index 0000000000..458d478af1 --- /dev/null +++ b/jdk/test/sun/security/krb5/auto/TicketSName.java @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8178794 + * @summary krb5 client should ignore sname in incoming tickets + * @compile -XDignore.symbol.file TicketSName.java + * @run main/othervm -Dtest.kdc.diff.sname TicketSName + */ + +import sun.security.jgss.GSSUtil; +import javax.security.auth.kerberos.KerberosTicket; + +public class TicketSName { + + public static void main(String[] args) throws Exception { + + new OneKDC(null).writeJAASConf(); + + Context c, s; + c = Context.fromJAAS("client"); + s = Context.fromJAAS("server"); + + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + + Context.handshake(c, s); + + String expected = OneKDC.SERVER + "@" + OneKDC.REALM; + if (!c.s().getPrivateCredentials(KerberosTicket.class) + .stream() + .anyMatch(t -> t.getServer().toString().equals(expected))) { + c.status(); + throw new Exception("no " + expected); + } + } +} From 06d86a3d1f3b3c7dff8b55ba0abb9c02464e486b Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 26 May 2017 08:06:22 +0800 Subject: [PATCH 088/269] 8178794: Correct Kerberos ticket grants Reviewed-by: mullan, ahgross, valeriep --- .../classes/sun/security/krb5/KrbAsRep.java | 4 +- .../classes/sun/security/krb5/KrbTgsRep.java | 4 +- jdk/test/sun/security/krb5/auto/KDC.java | 6 +- .../sun/security/krb5/auto/TicketSName.java | 58 +++++++++++++++++++ 4 files changed, 66 insertions(+), 6 deletions(-) create mode 100644 jdk/test/sun/security/krb5/auto/TicketSName.java diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java index bf7a562eb4..b03276fd09 100644 --- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java +++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbAsRep.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -160,7 +160,7 @@ class KrbAsRep extends KrbKdcRep { creds = new Credentials( rep.ticket, req.reqBody.cname, - rep.ticket.sname, + enc_part.sname, enc_part.key, enc_part.flags, enc_part.authtime, diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java index 6fc6cebaa7..4f5c2d6ed9 100644 --- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java +++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -88,7 +88,7 @@ public class KrbTgsRep extends KrbKdcRep { this.creds = new Credentials(rep.ticket, rep.cname, - rep.ticket.sname, + enc_part.sname, enc_part.key, enc_part.flags, enc_part.authtime, diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java index e47c3e9e5c..c9059ab237 100644 --- a/jdk/test/sun/security/krb5/auto/KDC.java +++ b/jdk/test/sun/security/krb5/auto/KDC.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -828,7 +828,9 @@ public class KDC { throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO } Ticket t = new Ticket( - service, + System.getProperty("test.kdc.diff.sname") != null ? + new PrincipalName("xx" + service.toString()) : + service, new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) ); EncTGSRepPart enc_part = new EncTGSRepPart( diff --git a/jdk/test/sun/security/krb5/auto/TicketSName.java b/jdk/test/sun/security/krb5/auto/TicketSName.java new file mode 100644 index 0000000000..458d478af1 --- /dev/null +++ b/jdk/test/sun/security/krb5/auto/TicketSName.java @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8178794 + * @summary krb5 client should ignore sname in incoming tickets + * @compile -XDignore.symbol.file TicketSName.java + * @run main/othervm -Dtest.kdc.diff.sname TicketSName + */ + +import sun.security.jgss.GSSUtil; +import javax.security.auth.kerberos.KerberosTicket; + +public class TicketSName { + + public static void main(String[] args) throws Exception { + + new OneKDC(null).writeJAASConf(); + + Context c, s; + c = Context.fromJAAS("client"); + s = Context.fromJAAS("server"); + + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + + Context.handshake(c, s); + + String expected = OneKDC.SERVER + "@" + OneKDC.REALM; + if (!c.s().getPrivateCredentials(KerberosTicket.class) + .stream() + .anyMatch(t -> t.getServer().toString().equals(expected))) { + c.status(); + throw new Exception("no " + expected); + } + } +} From 244fc20379d654d68cf5415542e169fad45e08f0 Mon Sep 17 00:00:00 2001 From: Vladimir Ivanov Date: Fri, 26 May 2017 18:39:27 +0300 Subject: [PATCH 089/269] 8174962: Better interface invocations Reviewed-by: jrose, coleenp, ahgross, acorn, iignatyev --- .../cpu/aarch64/vm/sharedRuntime_aarch64.cpp | 2 +- hotspot/src/cpu/arm/vm/macroAssembler_arm.cpp | 78 +++++++++------- hotspot/src/cpu/arm/vm/macroAssembler_arm.hpp | 2 +- hotspot/src/cpu/arm/vm/sharedRuntime_arm.cpp | 2 +- hotspot/src/cpu/arm/vm/templateTable_arm.cpp | 70 ++++++-------- hotspot/src/cpu/arm/vm/vtableStubs_arm.cpp | 70 ++++++-------- hotspot/src/cpu/ppc/vm/sharedRuntime_ppc.cpp | 2 +- .../src/cpu/s390/vm/sharedRuntime_s390.cpp | 8 +- .../src/cpu/sparc/vm/macroAssembler_sparc.cpp | 31 ++++--- .../src/cpu/sparc/vm/macroAssembler_sparc.hpp | 3 +- .../src/cpu/sparc/vm/sharedRuntime_sparc.cpp | 2 +- .../src/cpu/sparc/vm/templateTable_sparc.cpp | 75 +++++++-------- .../src/cpu/sparc/vm/vtableStubs_sparc.cpp | 26 ++++-- hotspot/src/cpu/x86/vm/macroAssembler_x86.cpp | 25 +++-- hotspot/src/cpu/x86/vm/macroAssembler_x86.hpp | 3 +- .../src/cpu/x86/vm/sharedRuntime_x86_32.cpp | 2 +- .../src/cpu/x86/vm/sharedRuntime_x86_64.cpp | 2 +- hotspot/src/cpu/x86/vm/templateTable_x86.cpp | 26 +++++- hotspot/src/cpu/x86/vm/vtableStubs_x86_32.cpp | 53 +++++++---- hotspot/src/cpu/x86/vm/vtableStubs_x86_64.cpp | 61 +++++++----- .../jvm/hotspot/oops/CompiledICHolder.java | 14 +-- .../src/share/vm/aot/aotCompiledMethod.cpp | 2 +- hotspot/src/share/vm/code/compiledIC.cpp | 16 +++- hotspot/src/share/vm/code/compiledIC.hpp | 6 +- hotspot/src/share/vm/code/compiledMethod.cpp | 3 +- hotspot/src/share/vm/code/nmethod.cpp | 2 +- .../vm/interpreter/interpreterRuntime.cpp | 1 + .../src/share/vm/oops/compiledICHolder.cpp | 26 +++++- .../src/share/vm/oops/compiledICHolder.hpp | 20 ++-- hotspot/src/share/vm/oops/cpCache.cpp | 92 ++++++++----------- hotspot/src/share/vm/oops/cpCache.hpp | 4 +- hotspot/src/share/vm/oops/klassVtable.cpp | 7 +- hotspot/src/share/vm/oops/method.hpp | 1 + hotspot/src/share/vm/runtime/vmStructs.cpp | 2 +- hotspot/test/native/code/test_vtableStub.cpp | 52 +++++++++++ .../RedefineTests/RedefineInterfaceCall.java | 83 +++++++++++++++++ .../TransformTestCommon.java | 4 +- 37 files changed, 546 insertions(+), 332 deletions(-) create mode 100644 hotspot/test/native/code/test_vtableStub.cpp create mode 100644 hotspot/test/runtime/RedefineTests/RedefineInterfaceCall.java diff --git a/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp b/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp index a286102e7b..f12334291e 100644 --- a/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp +++ b/hotspot/src/cpu/aarch64/vm/sharedRuntime_aarch64.cpp @@ -773,7 +773,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm __ load_klass(rscratch1, receiver); __ ldr(tmp, Address(holder, CompiledICHolder::holder_klass_offset())); __ cmp(rscratch1, tmp); - __ ldr(rmethod, Address(holder, CompiledICHolder::holder_method_offset())); + __ ldr(rmethod, Address(holder, CompiledICHolder::holder_metadata_offset())); __ br(Assembler::EQ, ok); __ far_jump(RuntimeAddress(SharedRuntime::get_ic_miss_stub())); diff --git a/hotspot/src/cpu/arm/vm/macroAssembler_arm.cpp b/hotspot/src/cpu/arm/vm/macroAssembler_arm.cpp index 2eb2a55100..d09c84b85f 100644 --- a/hotspot/src/cpu/arm/vm/macroAssembler_arm.cpp +++ b/hotspot/src/cpu/arm/vm/macroAssembler_arm.cpp @@ -2475,49 +2475,65 @@ void MacroAssembler::store_sized_value(Register src, Address dst, size_t size_in // On success, the result will be in method_result, and execution falls through. // On failure, execution transfers to the given label. void MacroAssembler::lookup_interface_method(Register Rklass, - Register Rinterf, - Register Rindex, + Register Rintf, + RegisterOrConstant itable_index, Register method_result, - Register temp_reg1, - Register temp_reg2, + Register Rscan, + Register Rtmp, Label& L_no_such_interface) { - assert_different_registers(Rklass, Rinterf, temp_reg1, temp_reg2, Rindex); + assert_different_registers(Rklass, Rintf, Rscan, Rtmp); - Register Ritable = temp_reg1; + const int entry_size = itableOffsetEntry::size() * HeapWordSize; + assert(itableOffsetEntry::interface_offset_in_bytes() == 0, "not added for convenience"); // Compute start of first itableOffsetEntry (which is at the end of the vtable) const int base = in_bytes(Klass::vtable_start_offset()); const int scale = exact_log2(vtableEntry::size_in_bytes()); - ldr_s32(temp_reg2, Address(Rklass, Klass::vtable_length_offset())); // Get length of vtable - add(Ritable, Rklass, base); - add(Ritable, Ritable, AsmOperand(temp_reg2, lsl, scale)); + ldr_s32(Rtmp, Address(Rklass, Klass::vtable_length_offset())); // Get length of vtable + add(Rscan, Rklass, base); + add(Rscan, Rscan, AsmOperand(Rtmp, lsl, scale)); - Label entry, search; + // Search through the itable for an interface equal to incoming Rintf + // itable looks like [intface][offset][intface][offset][intface][offset] - b(entry); + Label loop; + bind(loop); + ldr(Rtmp, Address(Rscan, entry_size, post_indexed)); +#ifdef AARCH64 + Label found; + cmp(Rtmp, Rintf); + b(found, eq); + cbnz(Rtmp, loop); +#else + cmp(Rtmp, Rintf); // set ZF and CF if interface is found + cmn(Rtmp, 0, ne); // check if tmp == 0 and clear CF if it is + b(loop, ne); +#endif // AARCH64 - bind(search); - add(Ritable, Ritable, itableOffsetEntry::size() * HeapWordSize); +#ifdef AARCH64 + b(L_no_such_interface); + bind(found); +#else + // CF == 0 means we reached the end of itable without finding icklass + b(L_no_such_interface, cc); +#endif // !AARCH64 - bind(entry); - - // Check that the entry is non-null. A null entry means that the receiver - // class doesn't implement the interface, and wasn't the same as the - // receiver class checked when the interface was resolved. - - ldr(temp_reg2, Address(Ritable, itableOffsetEntry::interface_offset_in_bytes())); - cbz(temp_reg2, L_no_such_interface); - - cmp(Rinterf, temp_reg2); - b(search, ne); - - ldr_s32(temp_reg2, Address(Ritable, itableOffsetEntry::offset_offset_in_bytes())); - add(temp_reg2, temp_reg2, Rklass); // Add offset to Klass* - assert(itableMethodEntry::size() * HeapWordSize == wordSize, "adjust the scaling in the code below"); - assert(itableMethodEntry::method_offset_in_bytes() == 0, "adjust the offset in the code below"); - - ldr(method_result, Address::indexed_ptr(temp_reg2, Rindex)); + if (method_result != noreg) { + // Interface found at previous position of Rscan, now load the method + ldr_s32(Rtmp, Address(Rscan, itableOffsetEntry::offset_offset_in_bytes() - entry_size)); + if (itable_index.is_register()) { + add(Rtmp, Rtmp, Rklass); // Add offset to Klass* + assert(itableMethodEntry::size() * HeapWordSize == wordSize, "adjust the scaling in the code below"); + assert(itableMethodEntry::method_offset_in_bytes() == 0, "adjust the offset in the code below"); + ldr(method_result, Address::indexed_ptr(Rtmp, itable_index.as_register())); + } else { + int method_offset = itableMethodEntry::size() * HeapWordSize * itable_index.as_constant() + + itableMethodEntry::method_offset_in_bytes(); + add_slow(method_result, Rklass, method_offset); + ldr(method_result, Address(method_result, Rtmp)); + } + } } #ifdef COMPILER2 diff --git a/hotspot/src/cpu/arm/vm/macroAssembler_arm.hpp b/hotspot/src/cpu/arm/vm/macroAssembler_arm.hpp index e6f73353cb..1a098fdbfb 100644 --- a/hotspot/src/cpu/arm/vm/macroAssembler_arm.hpp +++ b/hotspot/src/cpu/arm/vm/macroAssembler_arm.hpp @@ -1316,7 +1316,7 @@ public: void lookup_interface_method(Register recv_klass, Register intf_klass, - Register itable_index, + RegisterOrConstant itable_index, Register method_result, Register temp_reg1, Register temp_reg2, diff --git a/hotspot/src/cpu/arm/vm/sharedRuntime_arm.cpp b/hotspot/src/cpu/arm/vm/sharedRuntime_arm.cpp index 48f096473c..f2413d01a3 100644 --- a/hotspot/src/cpu/arm/vm/sharedRuntime_arm.cpp +++ b/hotspot/src/cpu/arm/vm/sharedRuntime_arm.cpp @@ -987,7 +987,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm __ load_klass(receiver_klass, receiver); __ ldr(holder_klass, Address(Ricklass, CompiledICHolder::holder_klass_offset())); - __ ldr(Rmethod, Address(Ricklass, CompiledICHolder::holder_method_offset())); + __ ldr(Rmethod, Address(Ricklass, CompiledICHolder::holder_metadata_offset())); __ cmp(receiver_klass, holder_klass); #ifdef AARCH64 diff --git a/hotspot/src/cpu/arm/vm/templateTable_arm.cpp b/hotspot/src/cpu/arm/vm/templateTable_arm.cpp index c8711b830e..b5acc286f9 100644 --- a/hotspot/src/cpu/arm/vm/templateTable_arm.cpp +++ b/hotspot/src/cpu/arm/vm/templateTable_arm.cpp @@ -4192,7 +4192,7 @@ void TemplateTable::invokeinterface(int byte_no) { const Register Rflags = R3_tmp; const Register Rklass = R3_tmp; - prepare_invoke(byte_no, Rinterf, Rindex, Rrecv, Rflags); + prepare_invoke(byte_no, Rinterf, Rmethod, Rrecv, Rflags); // Special case of invokeinterface called for virtual method of // java.lang.Object. See cpCacheOop.cpp for details. @@ -4201,56 +4201,39 @@ void TemplateTable::invokeinterface(int byte_no) { Label notMethod; __ tbz(Rflags, ConstantPoolCacheEntry::is_forced_virtual_shift, notMethod); - __ mov(Rmethod, Rindex); invokevirtual_helper(Rmethod, Rrecv, Rflags); __ bind(notMethod); // Get receiver klass into Rklass - also a null check __ load_klass(Rklass, Rrecv); + Label no_such_interface; + + // Receiver subtype check against REFC. + __ lookup_interface_method(// inputs: rec. class, interface + Rklass, Rinterf, noreg, + // outputs: scan temp. reg1, scan temp. reg2 + noreg, Ritable, Rtemp, + no_such_interface); + // profile this call __ profile_virtual_call(R0_tmp, Rklass); - // Compute start of first itableOffsetEntry (which is at the end of the vtable) - const int base = in_bytes(Klass::vtable_start_offset()); - assert(vtableEntry::size() == 1, "adjust the scaling in the code below"); - __ ldr_s32(Rtemp, Address(Rklass, Klass::vtable_length_offset())); // Get length of vtable - __ add(Ritable, Rklass, base); - __ add(Ritable, Ritable, AsmOperand(Rtemp, lsl, LogBytesPerWord)); + // Get declaring interface class from method + __ ldr(Rtemp, Address(Rmethod, Method::const_offset())); + __ ldr(Rtemp, Address(Rtemp, ConstMethod::constants_offset())); + __ ldr(Rinterf, Address(Rtemp, ConstantPool::pool_holder_offset_in_bytes())); - Label entry, search, interface_ok; + // Get itable index from method + __ ldr_s32(Rtemp, Address(Rmethod, Method::itable_index_offset())); + __ add(Rtemp, Rtemp, (-Method::itable_index_max)); // small negative constant is too large for an immediate on arm32 + __ neg(Rindex, Rtemp); - __ b(entry); - - __ bind(search); - __ add(Ritable, Ritable, itableOffsetEntry::size() * HeapWordSize); - - __ bind(entry); - - // Check that the entry is non-null. A null entry means that the receiver - // class doesn't implement the interface, and wasn't the same as the - // receiver class checked when the interface was resolved. - - __ ldr(Rtemp, Address(Ritable, itableOffsetEntry::interface_offset_in_bytes())); - __ cbnz(Rtemp, interface_ok); - - // throw exception - __ call_VM(noreg, CAST_FROM_FN_PTR(address, - InterpreterRuntime::throw_IncompatibleClassChangeError)); - - // the call_VM checks for exception, so we should never return here. - __ should_not_reach_here(); - - __ bind(interface_ok); - - __ cmp(Rinterf, Rtemp); - __ b(search, ne); - - __ ldr_s32(Rtemp, Address(Ritable, itableOffsetEntry::offset_offset_in_bytes())); - __ add(Rtemp, Rtemp, Rklass); // Add offset to Klass* - assert(itableMethodEntry::size() == 1, "adjust the scaling in the code below"); - - __ ldr(Rmethod, Address::indexed_ptr(Rtemp, Rindex)); + __ lookup_interface_method(// inputs: rec. class, interface + Rklass, Rinterf, Rindex, + // outputs: scan temp. reg1, scan temp. reg2 + Rmethod, Ritable, Rtemp, + no_such_interface); // Rmethod: Method* to call @@ -4272,6 +4255,13 @@ void TemplateTable::invokeinterface(int byte_no) { // do the call __ jump_from_interpreted(Rmethod); + + // throw exception + __ bind(no_such_interface); + __ restore_method(); + __ call_VM(noreg, CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_IncompatibleClassChangeError)); + // the call_VM checks for exception, so we should never return here. + __ should_not_reach_here(); } void TemplateTable::invokehandle(int byte_no) { diff --git a/hotspot/src/cpu/arm/vm/vtableStubs_arm.cpp b/hotspot/src/cpu/arm/vm/vtableStubs_arm.cpp index 8b980aba56..06432c1ee8 100644 --- a/hotspot/src/cpu/arm/vm/vtableStubs_arm.cpp +++ b/hotspot/src/cpu/arm/vm/vtableStubs_arm.cpp @@ -28,6 +28,7 @@ #include "code/vtableStubs.hpp" #include "interp_masm_arm.hpp" #include "memory/resourceArea.hpp" +#include "oops/compiledICHolder.hpp" #include "oops/instanceKlass.hpp" #include "oops/klassVtable.hpp" #include "runtime/sharedRuntime.hpp" @@ -118,67 +119,48 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { // R0-R3 / R0-R7 registers hold the arguments and cannot be spoiled const Register Rclass = AARCH64_ONLY(R9) NOT_AARCH64(R4); - const Register Rlength = AARCH64_ONLY(R10) NOT_AARCH64(R5); + const Register Rintf = AARCH64_ONLY(R10) NOT_AARCH64(R5); const Register Rscan = AARCH64_ONLY(R11) NOT_AARCH64(R6); - const Register tmp = Rtemp; - assert_different_registers(Ricklass, Rclass, Rlength, Rscan, tmp); + assert_different_registers(Ricklass, Rclass, Rintf, Rscan, Rtemp); // Calculate the start of itable (itable goes after vtable) const int scale = exact_log2(vtableEntry::size_in_bytes()); address npe_addr = __ pc(); __ load_klass(Rclass, R0); - __ ldr_s32(Rlength, Address(Rclass, Klass::vtable_length_offset())); - __ add(Rscan, Rclass, in_bytes(Klass::vtable_start_offset())); - __ add(Rscan, Rscan, AsmOperand(Rlength, lsl, scale)); + Label L_no_such_interface; - // Search through the itable for an interface equal to incoming Ricklass - // itable looks like [intface][offset][intface][offset][intface][offset] - const int entry_size = itableOffsetEntry::size() * HeapWordSize; - assert(itableOffsetEntry::interface_offset_in_bytes() == 0, "not added for convenience"); + // Receiver subtype check against REFC. + __ ldr(Rintf, Address(Ricklass, CompiledICHolder::holder_klass_offset())); + __ lookup_interface_method(// inputs: rec. class, interface, itable index + Rclass, Rintf, noreg, + // outputs: temp reg1, temp reg2 + noreg, Rscan, Rtemp, + L_no_such_interface); - Label loop; - __ bind(loop); - __ ldr(tmp, Address(Rscan, entry_size, post_indexed)); -#ifdef AARCH64 - Label found; - __ cmp(tmp, Ricklass); - __ b(found, eq); - __ cbnz(tmp, loop); -#else - __ cmp(tmp, Ricklass); // set ZF and CF if interface is found - __ cmn(tmp, 0, ne); // check if tmp == 0 and clear CF if it is - __ b(loop, ne); -#endif // AARCH64 - - assert(StubRoutines::throw_IncompatibleClassChangeError_entry() != NULL, "Check initialization order"); -#ifdef AARCH64 - __ jump(StubRoutines::throw_IncompatibleClassChangeError_entry(), relocInfo::runtime_call_type, tmp); - __ bind(found); -#else - // CF == 0 means we reached the end of itable without finding icklass - __ jump(StubRoutines::throw_IncompatibleClassChangeError_entry(), relocInfo::runtime_call_type, noreg, cc); -#endif // !AARCH64 - - // Interface found at previous position of Rscan, now load the method oop - __ ldr_s32(tmp, Address(Rscan, itableOffsetEntry::offset_offset_in_bytes() - entry_size)); - { - const int method_offset = itableMethodEntry::size() * HeapWordSize * itable_index + - itableMethodEntry::method_offset_in_bytes(); - __ add_slow(Rmethod, Rclass, method_offset); - } - __ ldr(Rmethod, Address(Rmethod, tmp)); + // Get Method* and entry point for compiler + __ ldr(Rintf, Address(Ricklass, CompiledICHolder::holder_metadata_offset())); + __ lookup_interface_method(// inputs: rec. class, interface, itable index + Rclass, Rintf, itable_index, + // outputs: temp reg1, temp reg2, temp reg3 + Rmethod, Rscan, Rtemp, + L_no_such_interface); address ame_addr = __ pc(); #ifdef AARCH64 - __ ldr(tmp, Address(Rmethod, Method::from_compiled_offset())); - __ br(tmp); + __ ldr(Rtemp, Address(Rmethod, Method::from_compiled_offset())); + __ br(Rtemp); #else __ ldr(PC, Address(Rmethod, Method::from_compiled_offset())); #endif // AARCH64 + __ bind(L_no_such_interface); + + assert(StubRoutines::throw_IncompatibleClassChangeError_entry() != NULL, "check initialization order"); + __ jump(StubRoutines::throw_IncompatibleClassChangeError_entry(), relocInfo::runtime_call_type, Rtemp); + masm->flush(); if (PrintMiscellaneous && (WizardMode || Verbose)) { @@ -205,7 +187,7 @@ int VtableStub::pd_code_size_limit(bool is_vtable_stub) { instr_count = NOT_AARCH64(4) AARCH64_ONLY(5); } else { // itable stub size - instr_count = NOT_AARCH64(20) AARCH64_ONLY(20); + instr_count = NOT_AARCH64(31) AARCH64_ONLY(31); } #ifdef AARCH64 diff --git a/hotspot/src/cpu/ppc/vm/sharedRuntime_ppc.cpp b/hotspot/src/cpu/ppc/vm/sharedRuntime_ppc.cpp index dc36aa77da..66d2846a08 100644 --- a/hotspot/src/cpu/ppc/vm/sharedRuntime_ppc.cpp +++ b/hotspot/src/cpu/ppc/vm/sharedRuntime_ppc.cpp @@ -1185,7 +1185,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm // Argument is valid and klass is as expected, continue. // Extract method from inline cache, verified entry point needs it. - __ ld(R19_method, CompiledICHolder::holder_method_offset(), ic); + __ ld(R19_method, CompiledICHolder::holder_metadata_offset(), ic); assert(R19_method == ic, "the inline cache register is dead here"); __ ld(code, method_(code)); diff --git a/hotspot/src/cpu/s390/vm/sharedRuntime_s390.cpp b/hotspot/src/cpu/s390/vm/sharedRuntime_s390.cpp index 89c3ae4032..fefa0411d9 100644 --- a/hotspot/src/cpu/s390/vm/sharedRuntime_s390.cpp +++ b/hotspot/src/cpu/s390/vm/sharedRuntime_s390.cpp @@ -2628,9 +2628,9 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm Label skip_fixup; { Label ic_miss; - const int klass_offset = oopDesc::klass_offset_in_bytes(); - const int holder_klass_offset = CompiledICHolder::holder_klass_offset(); - const int holder_method_offset = CompiledICHolder::holder_method_offset(); + const int klass_offset = oopDesc::klass_offset_in_bytes(); + const int holder_klass_offset = CompiledICHolder::holder_klass_offset(); + const int holder_metadata_offset = CompiledICHolder::holder_metadata_offset(); // Out-of-line call to ic_miss handler. __ call_ic_miss_handler(ic_miss, 0x11, 0, Z_R1_scratch); @@ -2659,7 +2659,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm // This def MUST MATCH code in gen_c2i_adapter! const Register code = Z_R11; - __ z_lg(Z_method, holder_method_offset, Z_method); + __ z_lg(Z_method, holder_metadata_offset, Z_method); __ load_and_test_long(Z_R0, method_(code)); __ z_brne(ic_miss); // Cache miss: call runtime to handle this. diff --git a/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.cpp b/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.cpp index e0065402b0..325f6dbcfe 100644 --- a/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.cpp +++ b/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.cpp @@ -2069,9 +2069,10 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, Register method_result, Register scan_temp, Register sethi_temp, - Label& L_no_such_interface) { + Label& L_no_such_interface, + bool return_method) { assert_different_registers(recv_klass, intf_klass, method_result, scan_temp); - assert(itable_index.is_constant() || itable_index.as_register() == method_result, + assert(!return_method || itable_index.is_constant() || itable_index.as_register() == method_result, "caller must use same register for non-constant itable index as for method"); Label L_no_such_interface_restore; @@ -2103,11 +2104,13 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, add(scan_temp, itb_offset, scan_temp); add(recv_klass, scan_temp, scan_temp); - // Adjust recv_klass by scaled itable_index, so we can free itable_index. - RegisterOrConstant itable_offset = itable_index; - itable_offset = regcon_sll_ptr(itable_index, exact_log2(itableMethodEntry::size() * wordSize), itable_offset); - itable_offset = regcon_inc_ptr(itable_offset, itableMethodEntry::method_offset_in_bytes(), itable_offset); - add(recv_klass, ensure_simm13_or_reg(itable_offset, sethi_temp), recv_klass); + if (return_method) { + // Adjust recv_klass by scaled itable_index, so we can free itable_index. + RegisterOrConstant itable_offset = itable_index; + itable_offset = regcon_sll_ptr(itable_index, exact_log2(itableMethodEntry::size() * wordSize), itable_offset); + itable_offset = regcon_inc_ptr(itable_offset, itableMethodEntry::method_offset_in_bytes(), itable_offset); + add(recv_klass, ensure_simm13_or_reg(itable_offset, sethi_temp), recv_klass); + } // for (scan = klass->itable(); scan->interface() != NULL; scan += scan_step) { // if (scan->interface() == intf) { @@ -2142,12 +2145,14 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, bind(L_found_method); - // Got a hit. - int ito_offset = itableOffsetEntry::offset_offset_in_bytes(); - // scan_temp[-scan_step] points to the vtable offset we need - ito_offset -= scan_step; - lduw(scan_temp, ito_offset, scan_temp); - ld_ptr(recv_klass, scan_temp, method_result); + if (return_method) { + // Got a hit. + int ito_offset = itableOffsetEntry::offset_offset_in_bytes(); + // scan_temp[-scan_step] points to the vtable offset we need + ito_offset -= scan_step; + lduw(scan_temp, ito_offset, scan_temp); + ld_ptr(recv_klass, scan_temp, method_result); + } if (did_save) { Label L_done; diff --git a/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.hpp b/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.hpp index a401859e77..201abfc717 100644 --- a/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.hpp +++ b/hotspot/src/cpu/sparc/vm/macroAssembler_sparc.hpp @@ -1290,7 +1290,8 @@ public: RegisterOrConstant itable_index, Register method_result, Register temp_reg, Register temp2_reg, - Label& no_such_interface); + Label& no_such_interface, + bool return_method = true); // virtual method calling void lookup_virtual_method(Register recv_klass, diff --git a/hotspot/src/cpu/sparc/vm/sharedRuntime_sparc.cpp b/hotspot/src/cpu/sparc/vm/sharedRuntime_sparc.cpp index 613e662d65..4b8d40911b 100644 --- a/hotspot/src/cpu/sparc/vm/sharedRuntime_sparc.cpp +++ b/hotspot/src/cpu/sparc/vm/sharedRuntime_sparc.cpp @@ -1079,7 +1079,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm Label ok, ok2; __ brx(Assembler::equal, false, Assembler::pt, ok); - __ delayed()->ld_ptr(G5_method, CompiledICHolder::holder_method_offset(), G5_method); + __ delayed()->ld_ptr(G5_method, CompiledICHolder::holder_metadata_offset(), G5_method); __ jump_to(ic_miss, G3_scratch); __ delayed()->nop(); diff --git a/hotspot/src/cpu/sparc/vm/templateTable_sparc.cpp b/hotspot/src/cpu/sparc/vm/templateTable_sparc.cpp index f828aa0e37..41cd9bb247 100644 --- a/hotspot/src/cpu/sparc/vm/templateTable_sparc.cpp +++ b/hotspot/src/cpu/sparc/vm/templateTable_sparc.cpp @@ -3173,15 +3173,15 @@ void TemplateTable::invokeinterface(int byte_no) { assert(byte_no == f1_byte, "use this argument"); const Register Rinterface = G1_scratch; + const Register Rmethod = Lscratch; const Register Rret = G3_scratch; - const Register Rindex = Lscratch; const Register O0_recv = O0; const Register O1_flags = O1; const Register O2_Klass = O2; const Register Rscratch = G4_scratch; assert_different_registers(Rscratch, G5_method); - prepare_invoke(byte_no, Rinterface, Rret, Rindex, O0_recv, O1_flags); + prepare_invoke(byte_no, Rinterface, Rret, Rmethod, O0_recv, O1_flags); // get receiver klass __ null_check(O0_recv, oopDesc::klass_offset_in_bytes()); @@ -3201,55 +3201,40 @@ void TemplateTable::invokeinterface(int byte_no) { __ bind(notMethod); + Register Rtemp = O1_flags; + + Label L_no_such_interface; + + // Receiver subtype check against REFC. + __ lookup_interface_method(// inputs: rec. class, interface, itable index + O2_Klass, Rinterface, noreg, + // outputs: temp reg1, temp reg2, temp reg3 + G5_method, Rscratch, Rtemp, + L_no_such_interface, + /*return_method=*/false); + __ profile_virtual_call(O2_Klass, O4); // // find entry point to call // - // compute start of first itableOffsetEntry (which is at end of vtable) - const int base = in_bytes(Klass::vtable_start_offset()); - Label search; - Register Rtemp = O1_flags; + // Get declaring interface class from method + __ ld_ptr(Rmethod, Method::const_offset(), Rinterface); + __ ld_ptr(Rinterface, ConstMethod::constants_offset(), Rinterface); + __ ld_ptr(Rinterface, ConstantPool::pool_holder_offset_in_bytes(), Rinterface); - __ ld(O2_Klass, in_bytes(Klass::vtable_length_offset()), Rtemp); - __ sll(Rtemp, LogBytesPerWord, Rtemp); // Rscratch *= 4; - if (Assembler::is_simm13(base)) { - __ add(Rtemp, base, Rtemp); - } else { - __ set(base, Rscratch); - __ add(Rscratch, Rtemp, Rtemp); - } - __ add(O2_Klass, Rtemp, Rscratch); + // Get itable index from method + const Register Rindex = G5_method; + __ ld(Rmethod, Method::itable_index_offset(), Rindex); + __ sub(Rindex, Method::itable_index_max, Rindex); + __ neg(Rindex); - __ bind(search); - - __ ld_ptr(Rscratch, itableOffsetEntry::interface_offset_in_bytes(), Rtemp); - { - Label ok; - - // Check that entry is non-null. Null entries are probably a bytecode - // problem. If the interface isn't implemented by the receiver class, - // the VM should throw IncompatibleClassChangeError. linkResolver checks - // this too but that's only if the entry isn't already resolved, so we - // need to check again. - __ br_notnull_short( Rtemp, Assembler::pt, ok); - call_VM(noreg, CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_IncompatibleClassChangeError)); - __ should_not_reach_here(); - __ bind(ok); - } - - __ cmp(Rinterface, Rtemp); - __ brx(Assembler::notEqual, true, Assembler::pn, search); - __ delayed()->add(Rscratch, itableOffsetEntry::size() * wordSize, Rscratch); - - // entry found and Rscratch points to it - __ ld(Rscratch, itableOffsetEntry::offset_offset_in_bytes(), Rscratch); - - assert(itableMethodEntry::method_offset_in_bytes() == 0, "adjust instruction below"); - __ sll(Rindex, exact_log2(itableMethodEntry::size() * wordSize), Rindex); // Rindex *= 8; - __ add(Rscratch, Rindex, Rscratch); - __ ld_ptr(O2_Klass, Rscratch, G5_method); + __ lookup_interface_method(// inputs: rec. class, interface, itable index + O2_Klass, Rinterface, Rindex, + // outputs: method, scan temp reg, temp reg + G5_method, Rscratch, Rtemp, + L_no_such_interface); // Check for abstract method error. { @@ -3266,6 +3251,10 @@ void TemplateTable::invokeinterface(int byte_no) { __ profile_arguments_type(G5_method, Rcall, Gargs, true); __ profile_called_method(G5_method, Rscratch); __ call_from_interpreter(Rcall, Gargs, Rret); + + __ bind(L_no_such_interface); + call_VM(noreg, CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_IncompatibleClassChangeError)); + __ should_not_reach_here(); } void TemplateTable::invokehandle(int byte_no) { diff --git a/hotspot/src/cpu/sparc/vm/vtableStubs_sparc.cpp b/hotspot/src/cpu/sparc/vm/vtableStubs_sparc.cpp index 9e825aaa79..3f5a928f4a 100644 --- a/hotspot/src/cpu/sparc/vm/vtableStubs_sparc.cpp +++ b/hotspot/src/cpu/sparc/vm/vtableStubs_sparc.cpp @@ -27,6 +27,7 @@ #include "code/vtableStubs.hpp" #include "interp_masm_sparc.hpp" #include "memory/resourceArea.hpp" +#include "oops/compiledICHolder.hpp" #include "oops/instanceKlass.hpp" #include "oops/klassVtable.hpp" #include "runtime/sharedRuntime.hpp" @@ -140,7 +141,8 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { MacroAssembler* masm = new MacroAssembler(&cb); Register G3_Klass = G3_scratch; - Register G5_interface = G5; // Passed in as an argument + Register G5_icholder = G5; // Passed in as an argument + Register G4_interface = G4_scratch; Label search; // Entry arguments: @@ -164,14 +166,26 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { } #endif /* PRODUCT */ - Label throw_icce; + Label L_no_such_interface; Register L5_method = L5; + + // Receiver subtype check against REFC. + __ ld_ptr(G5_icholder, CompiledICHolder::holder_klass_offset(), G4_interface); __ lookup_interface_method(// inputs: rec. class, interface, itable index - G3_Klass, G5_interface, itable_index, + G3_Klass, G4_interface, itable_index, + // outputs: scan temp. reg1, scan temp. reg2 + L5_method, L2, L3, + L_no_such_interface, + /*return_method=*/ false); + + // Get Method* and entrypoint for compiler + __ ld_ptr(G5_icholder, CompiledICHolder::holder_metadata_offset(), G4_interface); + __ lookup_interface_method(// inputs: rec. class, interface, itable index + G3_Klass, G4_interface, itable_index, // outputs: method, scan temp. reg L5_method, L2, L3, - throw_icce); + L_no_such_interface); #ifndef PRODUCT if (DebugVtables) { @@ -197,7 +211,7 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { __ JMP(G3_scratch, 0); __ delayed()->nop(); - __ bind(throw_icce); + __ bind(L_no_such_interface); AddressLiteral icce(StubRoutines::throw_IncompatibleClassChangeError_entry()); __ jump_to(icce, G3_scratch); __ delayed()->restore(); @@ -232,7 +246,7 @@ int VtableStub::pd_code_size_limit(bool is_vtable_stub) { MacroAssembler::instr_size_for_decode_klass_not_null() : 0); return basic + slop; } else { - const int basic = (28 LP64_ONLY(+ 6)) * BytesPerInstWord + + const int basic = (48 LP64_ONLY(+ 6)) * BytesPerInstWord + // shift;add for load_klass (only shift with zero heap based) (UseCompressedClassPointers ? MacroAssembler::instr_size_for_decode_klass_not_null() : 0); diff --git a/hotspot/src/cpu/x86/vm/macroAssembler_x86.cpp b/hotspot/src/cpu/x86/vm/macroAssembler_x86.cpp index 6b7f947de6..1be4263228 100644 --- a/hotspot/src/cpu/x86/vm/macroAssembler_x86.cpp +++ b/hotspot/src/cpu/x86/vm/macroAssembler_x86.cpp @@ -5733,8 +5733,13 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, RegisterOrConstant itable_index, Register method_result, Register scan_temp, - Label& L_no_such_interface) { - assert_different_registers(recv_klass, intf_klass, method_result, scan_temp); + Label& L_no_such_interface, + bool return_method) { + assert_different_registers(recv_klass, intf_klass, scan_temp); + assert_different_registers(method_result, intf_klass, scan_temp); + assert(recv_klass != method_result || !return_method, + "recv_klass can be destroyed when method isn't needed"); + assert(itable_index.is_constant() || itable_index.as_register() == method_result, "caller must use same register for non-constant itable index as for method"); @@ -5751,9 +5756,11 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, // %%% Could store the aligned, prescaled offset in the klassoop. lea(scan_temp, Address(recv_klass, scan_temp, times_vte_scale, vtable_base)); - // Adjust recv_klass by scaled itable_index, so we can free itable_index. - assert(itableMethodEntry::size() * wordSize == wordSize, "adjust the scaling in the code below"); - lea(recv_klass, Address(recv_klass, itable_index, Address::times_ptr, itentry_off)); + if (return_method) { + // Adjust recv_klass by scaled itable_index, so we can free itable_index. + assert(itableMethodEntry::size() * wordSize == wordSize, "adjust the scaling in the code below"); + lea(recv_klass, Address(recv_klass, itable_index, Address::times_ptr, itentry_off)); + } // for (scan = klass->itable(); scan->interface() != NULL; scan += scan_step) { // if (scan->interface() == intf) { @@ -5787,9 +5794,11 @@ void MacroAssembler::lookup_interface_method(Register recv_klass, bind(found_method); - // Got a hit. - movl(scan_temp, Address(scan_temp, itableOffsetEntry::offset_offset_in_bytes())); - movptr(method_result, Address(recv_klass, scan_temp, Address::times_1)); + if (return_method) { + // Got a hit. + movl(scan_temp, Address(scan_temp, itableOffsetEntry::offset_offset_in_bytes())); + movptr(method_result, Address(recv_klass, scan_temp, Address::times_1)); + } } diff --git a/hotspot/src/cpu/x86/vm/macroAssembler_x86.hpp b/hotspot/src/cpu/x86/vm/macroAssembler_x86.hpp index 2c2b17c06a..07ee112625 100644 --- a/hotspot/src/cpu/x86/vm/macroAssembler_x86.hpp +++ b/hotspot/src/cpu/x86/vm/macroAssembler_x86.hpp @@ -538,7 +538,8 @@ class MacroAssembler: public Assembler { RegisterOrConstant itable_index, Register method_result, Register scan_temp, - Label& no_such_interface); + Label& no_such_interface, + bool return_method = true); // virtual method calling void lookup_virtual_method(Register recv_klass, diff --git a/hotspot/src/cpu/x86/vm/sharedRuntime_x86_32.cpp b/hotspot/src/cpu/x86/vm/sharedRuntime_x86_32.cpp index 47b9fe5c62..5034b4df94 100644 --- a/hotspot/src/cpu/x86/vm/sharedRuntime_x86_32.cpp +++ b/hotspot/src/cpu/x86/vm/sharedRuntime_x86_32.cpp @@ -952,7 +952,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm Label missed; __ movptr(temp, Address(receiver, oopDesc::klass_offset_in_bytes())); __ cmpptr(temp, Address(holder, CompiledICHolder::holder_klass_offset())); - __ movptr(rbx, Address(holder, CompiledICHolder::holder_method_offset())); + __ movptr(rbx, Address(holder, CompiledICHolder::holder_metadata_offset())); __ jcc(Assembler::notEqual, missed); // Method might have been compiled since the call site was patched to // interpreted if that is the case treat it as a miss so we can get diff --git a/hotspot/src/cpu/x86/vm/sharedRuntime_x86_64.cpp b/hotspot/src/cpu/x86/vm/sharedRuntime_x86_64.cpp index d81e965d05..fe56280ba6 100644 --- a/hotspot/src/cpu/x86/vm/sharedRuntime_x86_64.cpp +++ b/hotspot/src/cpu/x86/vm/sharedRuntime_x86_64.cpp @@ -942,7 +942,7 @@ AdapterHandlerEntry* SharedRuntime::generate_i2c2i_adapters(MacroAssembler *masm { __ load_klass(temp, receiver); __ cmpptr(temp, Address(holder, CompiledICHolder::holder_klass_offset())); - __ movptr(rbx, Address(holder, CompiledICHolder::holder_method_offset())); + __ movptr(rbx, Address(holder, CompiledICHolder::holder_metadata_offset())); __ jcc(Assembler::equal, ok); __ jump(RuntimeAddress(SharedRuntime::get_ic_miss_stub())); diff --git a/hotspot/src/cpu/x86/vm/templateTable_x86.cpp b/hotspot/src/cpu/x86/vm/templateTable_x86.cpp index 3d2f57f37b..421bfb38ea 100644 --- a/hotspot/src/cpu/x86/vm/templateTable_x86.cpp +++ b/hotspot/src/cpu/x86/vm/templateTable_x86.cpp @@ -3695,11 +3695,11 @@ void TemplateTable::fast_invokevfinal(int byte_no) { void TemplateTable::invokeinterface(int byte_no) { transition(vtos, vtos); assert(byte_no == f1_byte, "use this argument"); - prepare_invoke(byte_no, rax, rbx, // get f1 Klass*, f2 itable index + prepare_invoke(byte_no, rax, rbx, // get f1 Klass*, f2 Method* rcx, rdx); // recv, flags - // rax: interface klass (from f1) - // rbx: itable index (from f2) + // rax: reference klass (from f1) + // rbx: method (from f2) // rcx: receiver // rdx: flags @@ -3721,10 +3721,28 @@ void TemplateTable::invokeinterface(int byte_no) { __ null_check(rcx, oopDesc::klass_offset_in_bytes()); __ load_klass(rdx, rcx); + Label no_such_interface, no_such_method; + + // Receiver subtype check against REFC. + // Superklass in rax. Subklass in rdx. Blows rcx, rdi. + __ lookup_interface_method(// inputs: rec. class, interface, itable index + rdx, rax, noreg, + // outputs: scan temp. reg, scan temp. reg + rbcp, rlocals, + no_such_interface, + /*return_method=*/false); + // profile this call + __ restore_bcp(); // rbcp was destroyed by receiver type check __ profile_virtual_call(rdx, rbcp, rlocals); - Label no_such_interface, no_such_method; + // Get declaring interface class from method, and itable index + __ movptr(rax, Address(rbx, Method::const_offset())); + __ movptr(rax, Address(rax, ConstMethod::constants_offset())); + __ movptr(rax, Address(rax, ConstantPool::pool_holder_offset_in_bytes())); + __ movl(rbx, Address(rbx, Method::itable_index_offset())); + __ subl(rbx, Method::itable_index_max); + __ negl(rbx); __ lookup_interface_method(// inputs: rec. class, interface, itable index rdx, rax, rbx, diff --git a/hotspot/src/cpu/x86/vm/vtableStubs_x86_32.cpp b/hotspot/src/cpu/x86/vm/vtableStubs_x86_32.cpp index 3a5c7d0f38..8de43afb37 100644 --- a/hotspot/src/cpu/x86/vm/vtableStubs_x86_32.cpp +++ b/hotspot/src/cpu/x86/vm/vtableStubs_x86_32.cpp @@ -27,6 +27,7 @@ #include "code/vtableStubs.hpp" #include "interp_masm_x86.hpp" #include "memory/resourceArea.hpp" +#include "oops/compiledICHolder.hpp" #include "oops/instanceKlass.hpp" #include "oops/klassVtable.hpp" #include "runtime/sharedRuntime.hpp" @@ -147,7 +148,7 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { MacroAssembler* masm = new MacroAssembler(&cb); // Entry arguments: - // rax,: Interface + // rax: CompiledICHolder // rcx: Receiver #ifndef PRODUCT @@ -155,25 +156,42 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { __ incrementl(ExternalAddress((address) SharedRuntime::nof_megamorphic_calls_addr())); } #endif /* PRODUCT */ - // get receiver (need to skip return address on top of stack) - - assert(VtableStub::receiver_location() == rcx->as_VMReg(), "receiver expected in rcx"); - - // get receiver klass (also an implicit null-check) - address npe_addr = __ pc(); - __ movptr(rsi, Address(rcx, oopDesc::klass_offset_in_bytes())); // Most registers are in use; we'll use rax, rbx, rsi, rdi // (If we need to make rsi, rdi callee-save, do a push/pop here.) - const Register method = rbx; - Label throw_icce; + const Register recv_klass_reg = rsi; + const Register holder_klass_reg = rax; // declaring interface klass (DECC) + const Register resolved_klass_reg = rbx; // resolved interface klass (REFC) + const Register temp_reg = rdi; - // Get Method* and entrypoint for compiler + const Register icholder_reg = rax; + __ movptr(resolved_klass_reg, Address(icholder_reg, CompiledICHolder::holder_klass_offset())); + __ movptr(holder_klass_reg, Address(icholder_reg, CompiledICHolder::holder_metadata_offset())); + + Label L_no_such_interface; + + // get receiver klass (also an implicit null-check) + address npe_addr = __ pc(); + assert(VtableStub::receiver_location() == rcx->as_VMReg(), "receiver expected in rcx"); + __ load_klass(recv_klass_reg, rcx); + + // Receiver subtype check against REFC. + // Destroys recv_klass_reg value. + __ lookup_interface_method(// inputs: rec. class, interface + recv_klass_reg, resolved_klass_reg, noreg, + // outputs: scan temp. reg1, scan temp. reg2 + recv_klass_reg, temp_reg, + L_no_such_interface, + /*return_method=*/false); + + // Get selected method from declaring class and itable index + const Register method = rbx; + __ load_klass(recv_klass_reg, rcx); // restore recv_klass_reg __ lookup_interface_method(// inputs: rec. class, interface, itable index - rsi, rax, itable_index, + recv_klass_reg, holder_klass_reg, itable_index, // outputs: method, scan temp. reg - method, rdi, - throw_icce); + method, temp_reg, + L_no_such_interface); // method (rbx): Method* // rcx: receiver @@ -193,9 +211,10 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { address ame_addr = __ pc(); __ jmp(Address(method, Method::from_compiled_offset())); - __ bind(throw_icce); + __ bind(L_no_such_interface); __ jump(RuntimeAddress(StubRoutines::throw_IncompatibleClassChangeError_entry())); - masm->flush(); + + __ flush(); if (PrintMiscellaneous && (WizardMode || Verbose)) { tty->print_cr("itable #%d at " PTR_FORMAT "[%d] left over: %d", @@ -220,7 +239,7 @@ int VtableStub::pd_code_size_limit(bool is_vtable_stub) { return (DebugVtables ? 210 : 16) + (CountCompiledCalls ? 6 : 0); } else { // Itable stub size - return (DebugVtables ? 256 : 66) + (CountCompiledCalls ? 6 : 0); + return (DebugVtables ? 256 : 110) + (CountCompiledCalls ? 6 : 0); } // In order to tune these parameters, run the JVM with VM options // +PrintMiscellaneous and +WizardMode to see information about diff --git a/hotspot/src/cpu/x86/vm/vtableStubs_x86_64.cpp b/hotspot/src/cpu/x86/vm/vtableStubs_x86_64.cpp index 6c0a2fcb6a..f17330d26e 100644 --- a/hotspot/src/cpu/x86/vm/vtableStubs_x86_64.cpp +++ b/hotspot/src/cpu/x86/vm/vtableStubs_x86_64.cpp @@ -27,6 +27,7 @@ #include "code/vtableStubs.hpp" #include "interp_masm_x86.hpp" #include "memory/resourceArea.hpp" +#include "oops/compiledICHolder.hpp" #include "oops/instanceKlass.hpp" #include "oops/klassVtable.hpp" #include "runtime/sharedRuntime.hpp" @@ -147,36 +148,50 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { #endif // Entry arguments: - // rax: Interface + // rax: CompiledICHolder // j_rarg0: Receiver - // Free registers (non-args) are rax (interface), rbx - - // get receiver (need to skip return address on top of stack) - - assert(VtableStub::receiver_location() == j_rarg0->as_VMReg(), "receiver expected in j_rarg0"); - // get receiver klass (also an implicit null-check) - address npe_addr = __ pc(); - // Most registers are in use; we'll use rax, rbx, r10, r11 // (various calling sequences use r[cd]x, r[sd]i, r[89]; stay away from them) - __ load_klass(r10, j_rarg0); + const Register recv_klass_reg = r10; + const Register holder_klass_reg = rax; // declaring interface klass (DECC) + const Register resolved_klass_reg = rbx; // resolved interface klass (REFC) + const Register temp_reg = r11; + + Label L_no_such_interface; + + const Register icholder_reg = rax; + __ movptr(resolved_klass_reg, Address(icholder_reg, CompiledICHolder::holder_klass_offset())); + __ movptr(holder_klass_reg, Address(icholder_reg, CompiledICHolder::holder_metadata_offset())); + + // get receiver klass (also an implicit null-check) + assert(VtableStub::receiver_location() == j_rarg0->as_VMReg(), "receiver expected in j_rarg0"); + address npe_addr = __ pc(); + __ load_klass(recv_klass_reg, j_rarg0); + + // Receiver subtype check against REFC. + // Destroys recv_klass_reg value. + __ lookup_interface_method(// inputs: rec. class, interface + recv_klass_reg, resolved_klass_reg, noreg, + // outputs: scan temp. reg1, scan temp. reg2 + recv_klass_reg, temp_reg, + L_no_such_interface, + /*return_method=*/false); + + // Get selected method from declaring class and itable index + const Register method = rbx; + __ load_klass(recv_klass_reg, j_rarg0); // restore recv_klass_reg + __ lookup_interface_method(// inputs: rec. class, interface, itable index + recv_klass_reg, holder_klass_reg, itable_index, + // outputs: method, scan temp. reg + method, temp_reg, + L_no_such_interface); // If we take a trap while this arg is on the stack we will not // be able to walk the stack properly. This is not an issue except // when there are mistakes in this assembly code that could generate // a spurious fault. Ask me how I know... - const Register method = rbx; - Label throw_icce; - - // Get Method* and entrypoint for compiler - __ lookup_interface_method(// inputs: rec. class, interface, itable index - r10, rax, itable_index, - // outputs: method, scan temp. reg - method, r11, - throw_icce); - // method (rbx): Method* // j_rarg0: receiver @@ -197,7 +212,7 @@ VtableStub* VtableStubs::create_itable_stub(int itable_index) { address ame_addr = __ pc(); __ jmp(Address(method, Method::from_compiled_offset())); - __ bind(throw_icce); + __ bind(L_no_such_interface); __ jump(RuntimeAddress(StubRoutines::throw_IncompatibleClassChangeError_entry())); __ flush(); @@ -224,8 +239,8 @@ int VtableStub::pd_code_size_limit(bool is_vtable_stub) { (UseCompressedClassPointers ? MacroAssembler::instr_size_for_decode_klass_not_null() : 0); } else { // Itable stub size - return (DebugVtables ? 512 : 74) + (CountCompiledCalls ? 13 : 0) + - (UseCompressedClassPointers ? MacroAssembler::instr_size_for_decode_klass_not_null() : 0); + return (DebugVtables ? 512 : 140) + (CountCompiledCalls ? 13 : 0) + + (UseCompressedClassPointers ? 2 * MacroAssembler::instr_size_for_decode_klass_not_null() : 0); } // In order to tune these parameters, run the JVM with VM options // +PrintMiscellaneous and +WizardMode to see information about diff --git a/hotspot/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/oops/CompiledICHolder.java b/hotspot/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/oops/CompiledICHolder.java index 249430ad28..73b325952d 100644 --- a/hotspot/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/oops/CompiledICHolder.java +++ b/hotspot/src/jdk.hotspot.agent/share/classes/sun/jvm/hotspot/oops/CompiledICHolder.java @@ -40,10 +40,10 @@ public class CompiledICHolder extends VMObject { } private static synchronized void initialize(TypeDataBase db) throws WrongTypeException { - Type type = db.lookupType("CompiledICHolder"); - holderMethod = new MetadataField(type.getAddressField("_holder_method"), 0); - holderKlass = new MetadataField(type.getAddressField("_holder_klass"), 0); - headerSize = type.getSize(); + Type type = db.lookupType("CompiledICHolder"); + holderMetadata = new MetadataField(type.getAddressField("_holder_metadata"), 0); + holderKlass = new MetadataField(type.getAddressField("_holder_klass"), 0); + headerSize = type.getSize(); } public CompiledICHolder(Address addr) { @@ -55,12 +55,12 @@ public class CompiledICHolder extends VMObject { private static long headerSize; // Fields - private static MetadataField holderMethod; + private static MetadataField holderMetadata; private static MetadataField holderKlass; // Accessors for declared fields - public Method getHolderMethod() { return (Method) holderMethod.getValue(this); } - public Klass getHolderKlass() { return (Klass) holderKlass.getValue(this); } + public Metadata getHolderMetadata() { return (Metadata) holderMetadata.getValue(this); } + public Klass getHolderKlass() { return (Klass) holderKlass.getValue(this); } public void printValueOn(PrintStream tty) { tty.print("CompiledICHolder"); diff --git a/hotspot/src/share/vm/aot/aotCompiledMethod.cpp b/hotspot/src/share/vm/aot/aotCompiledMethod.cpp index c501ce12e6..ff8540ca8c 100644 --- a/hotspot/src/share/vm/aot/aotCompiledMethod.cpp +++ b/hotspot/src/share/vm/aot/aotCompiledMethod.cpp @@ -273,7 +273,7 @@ void AOTCompiledMethod::metadata_do(void f(Metadata*)) { CompiledIC *ic = CompiledIC_at(&iter); if (ic->is_icholder_call()) { CompiledICHolder* cichk = ic->cached_icholder(); - f(cichk->holder_method()); + f(cichk->holder_metadata()); f(cichk->holder_klass()); } else { // Get Klass* or NULL (if value is -1) from GOT cell of virtual call PLT stub. diff --git a/hotspot/src/share/vm/code/compiledIC.cpp b/hotspot/src/share/vm/code/compiledIC.cpp index 97db8a54b6..0934e4803d 100644 --- a/hotspot/src/share/vm/code/compiledIC.cpp +++ b/hotspot/src/share/vm/code/compiledIC.cpp @@ -230,10 +230,13 @@ bool CompiledIC::set_to_megamorphic(CallInfo* call_info, Bytecodes::Code bytecod #ifdef ASSERT int index = call_info->resolved_method()->itable_index(); assert(index == itable_index, "CallInfo pre-computes this"); -#endif //ASSERT InstanceKlass* k = call_info->resolved_method()->method_holder(); assert(k->verify_itable_index(itable_index), "sanity check"); - InlineCacheBuffer::create_transition_stub(this, k, entry); +#endif //ASSERT + CompiledICHolder* holder = new CompiledICHolder(call_info->resolved_method()->method_holder(), + call_info->resolved_klass()()); + holder->claim(); + InlineCacheBuffer::create_transition_stub(this, holder, entry); } else { assert(call_info->call_kind() == CallInfo::vtable_call, "either itable or vtable"); // Can be different than selected_method->vtable_index(), due to package-private etc. @@ -517,7 +520,14 @@ void CompiledIC::compute_monomorphic_entry(const methodHandle& method, bool CompiledIC::is_icholder_entry(address entry) { CodeBlob* cb = CodeCache::find_blob_unsafe(entry); - return (cb != NULL && cb->is_adapter_blob()); + if (cb != NULL && cb->is_adapter_blob()) { + return true; + } + // itable stubs also use CompiledICHolder + if (VtableStubs::is_entry_point(entry) && VtableStubs::stub_containing(entry)->is_itable_stub()) { + return true; + } + return false; } bool CompiledIC::is_icholder_call_site(virtual_call_Relocation* call_site, const CompiledMethod* cm) { diff --git a/hotspot/src/share/vm/code/compiledIC.hpp b/hotspot/src/share/vm/code/compiledIC.hpp index 15af2b44b8..dd8a7130f0 100644 --- a/hotspot/src/share/vm/code/compiledIC.hpp +++ b/hotspot/src/share/vm/code/compiledIC.hpp @@ -45,11 +45,11 @@ // \ / \ / // [4] \ / [4] \->-/ // \->- Megamorphic -<-/ -// (Method*) +// (CompiledICHolder*) // -// The text in paranteses () refere to the value of the inline cache receiver (mov instruction) +// The text in parentheses () refers to the value of the inline cache receiver (mov instruction) // -// The numbers in square brackets refere to the kind of transition: +// The numbers in square brackets refer to the kind of transition: // [1]: Initial fixup. Receiver it found from debug information // [2]: Compilation of a method // [3]: Recompilation of a method (note: only entry is changed. The Klass* must stay the same) diff --git a/hotspot/src/share/vm/code/compiledMethod.cpp b/hotspot/src/share/vm/code/compiledMethod.cpp index 30120b2989..0447c2bdc3 100644 --- a/hotspot/src/share/vm/code/compiledMethod.cpp +++ b/hotspot/src/share/vm/code/compiledMethod.cpp @@ -417,8 +417,7 @@ void CompiledMethod::clean_ic_if_metadata_is_dead(CompiledIC *ic, BoolObjectClos // yet be marked below. (We check this further below). CompiledICHolder* cichk_oop = ic->cached_icholder(); - if (cichk_oop->holder_method()->method_holder()->is_loader_alive(is_alive) && - cichk_oop->holder_klass()->is_loader_alive(is_alive)) { + if (cichk_oop->is_loader_alive(is_alive)) { return; } } else { diff --git a/hotspot/src/share/vm/code/nmethod.cpp b/hotspot/src/share/vm/code/nmethod.cpp index f82872baf1..80b894df8f 100644 --- a/hotspot/src/share/vm/code/nmethod.cpp +++ b/hotspot/src/share/vm/code/nmethod.cpp @@ -1577,7 +1577,7 @@ void nmethod::metadata_do(void f(Metadata*)) { CompiledIC *ic = CompiledIC_at(&iter); if (ic->is_icholder_call()) { CompiledICHolder* cichk = ic->cached_icholder(); - f(cichk->holder_method()); + f(cichk->holder_metadata()); f(cichk->holder_klass()); } else { Metadata* ic_oop = ic->cached_metadata(); diff --git a/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp b/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp index c9a684cc70..06052f9ab8 100644 --- a/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp +++ b/hotspot/src/share/vm/interpreter/interpreterRuntime.cpp @@ -813,6 +813,7 @@ void InterpreterRuntime::resolve_invoke(JavaThread* thread, Bytecodes::Code byte case CallInfo::itable_call: cp_cache_entry->set_itable_call( bytecode, + info.resolved_klass(), info.resolved_method(), info.itable_index()); break; diff --git a/hotspot/src/share/vm/oops/compiledICHolder.cpp b/hotspot/src/share/vm/oops/compiledICHolder.cpp index 55397d06c1..19f44adab8 100644 --- a/hotspot/src/share/vm/oops/compiledICHolder.cpp +++ b/hotspot/src/share/vm/oops/compiledICHolder.cpp @@ -32,8 +32,8 @@ volatile int CompiledICHolder::_live_count; volatile int CompiledICHolder::_live_not_claimed_count; -CompiledICHolder::CompiledICHolder(Method* method, Klass* klass) - : _holder_method(method), _holder_klass(klass) { +CompiledICHolder::CompiledICHolder(Metadata* metadata, Klass* klass) + : _holder_metadata(metadata), _holder_klass(klass) { #ifdef ASSERT Atomic::inc(&_live_count); Atomic::inc(&_live_not_claimed_count); @@ -47,12 +47,28 @@ CompiledICHolder::~CompiledICHolder() { } #endif // ASSERT +bool CompiledICHolder::is_loader_alive(BoolObjectClosure* is_alive) { + if (_holder_metadata->is_method()) { + if (!((Method*)_holder_metadata)->method_holder()->is_loader_alive(is_alive)) { + return false; + } + } else if (_holder_metadata->is_klass()) { + if (!((Klass*)_holder_metadata)->is_loader_alive(is_alive)) { + return false; + } + } + if (!_holder_klass->is_loader_alive(is_alive)) { + return false; + } + return true; +} + // Printing void CompiledICHolder::print_on(outputStream* st) const { st->print("%s", internal_name()); - st->print(" - method: "); holder_method()->print_value_on(st); st->cr(); - st->print(" - klass: "); holder_klass()->print_value_on(st); st->cr(); + st->print(" - metadata: "); holder_metadata()->print_value_on(st); st->cr(); + st->print(" - klass: "); holder_klass()->print_value_on(st); st->cr(); } void CompiledICHolder::print_value_on(outputStream* st) const { @@ -63,7 +79,7 @@ void CompiledICHolder::print_value_on(outputStream* st) const { // Verification void CompiledICHolder::verify_on(outputStream* st) { - guarantee(holder_method()->is_method(), "should be method"); + guarantee(holder_metadata()->is_method() || holder_metadata()->is_klass(), "should be method or klass"); guarantee(holder_klass()->is_klass(), "should be klass"); } diff --git a/hotspot/src/share/vm/oops/compiledICHolder.hpp b/hotspot/src/share/vm/oops/compiledICHolder.hpp index c3e899fde8..af4a38a9f3 100644 --- a/hotspot/src/share/vm/oops/compiledICHolder.hpp +++ b/hotspot/src/share/vm/oops/compiledICHolder.hpp @@ -29,8 +29,9 @@ #include "utilities/macros.hpp" // A CompiledICHolder* is a helper object for the inline cache implementation. -// It holds an intermediate value (method+klass pair) used when converting from -// compiled to an interpreted call. +// It holds: +// (1) (method+klass pair) when converting from compiled to an interpreted call +// (2) (klass+klass pair) when calling itable stub from megamorphic compiled call // // These are always allocated in the C heap and are freed during a // safepoint by the ICBuffer logic. It's unsafe to free them earlier @@ -45,32 +46,33 @@ class CompiledICHolder : public CHeapObj { static volatile int _live_not_claimed_count; // allocated but not yet in use so not // reachable by iterating over nmethods - Method* _holder_method; + Metadata* _holder_metadata; Klass* _holder_klass; // to avoid name conflict with oopDesc::_klass CompiledICHolder* _next; public: // Constructor - CompiledICHolder(Method* method, Klass* klass); + CompiledICHolder(Metadata* metadata, Klass* klass); ~CompiledICHolder() NOT_DEBUG_RETURN; static int live_count() { return _live_count; } static int live_not_claimed_count() { return _live_not_claimed_count; } // accessors - Method* holder_method() const { return _holder_method; } Klass* holder_klass() const { return _holder_klass; } + Metadata* holder_metadata() const { return _holder_metadata; } - void set_holder_method(Method* m) { _holder_method = m; } - void set_holder_klass(Klass* k) { _holder_klass = k; } + void set_holder_metadata(Metadata* m) { _holder_metadata = m; } + void set_holder_klass(Klass* k) { _holder_klass = k; } - // interpreter support (offsets in bytes) - static int holder_method_offset() { return offset_of(CompiledICHolder, _holder_method); } + static int holder_metadata_offset() { return offset_of(CompiledICHolder, _holder_metadata); } static int holder_klass_offset() { return offset_of(CompiledICHolder, _holder_klass); } CompiledICHolder* next() { return _next; } void set_next(CompiledICHolder* n) { _next = n; } + bool is_loader_alive(BoolObjectClosure* is_alive); + // Verify void verify_on(outputStream* st); diff --git a/hotspot/src/share/vm/oops/cpCache.cpp b/hotspot/src/share/vm/oops/cpCache.cpp index b7522433bb..9ba540097e 100644 --- a/hotspot/src/share/vm/oops/cpCache.cpp +++ b/hotspot/src/share/vm/oops/cpCache.cpp @@ -255,14 +255,16 @@ void ConstantPoolCacheEntry::set_vtable_call(Bytecodes::Code invoke_code, method set_direct_or_vtable_call(invoke_code, method, index, false); } -void ConstantPoolCacheEntry::set_itable_call(Bytecodes::Code invoke_code, const methodHandle& method, int index) { +void ConstantPoolCacheEntry::set_itable_call(Bytecodes::Code invoke_code, + KlassHandle referenced_klass, + const methodHandle& method, int index) { assert(method->method_holder()->verify_itable_index(index), ""); assert(invoke_code == Bytecodes::_invokeinterface, ""); InstanceKlass* interf = method->method_holder(); assert(interf->is_interface(), "must be an interface"); assert(!method->is_final_method(), "interfaces do not have final methods; cannot link to one here"); - set_f1(interf); - set_f2(index); + set_f1(referenced_klass()); + set_f2((intx)method()); set_method_flags(as_TosState(method->result_type()), 0, // no option bits method()->size_of_parameters()); @@ -434,10 +436,23 @@ oop ConstantPoolCacheEntry::method_type_if_resolved(const constantPoolHandle& cp #if INCLUDE_JVMTI + +void log_adjust(const char* entry_type, Method* old_method, Method* new_method, bool* trace_name_printed) { + if (log_is_enabled(Info, redefine, class, update)) { + ResourceMark rm; + if (!(*trace_name_printed)) { + log_info(redefine, class, update)("adjust: name=%s", old_method->method_holder()->external_name()); + *trace_name_printed = true; + } + log_debug(redefine, class, update, constantpool) + ("cpc %s entry update: %s(%s)", entry_type, new_method->name()->as_C_string(), new_method->signature()->as_C_string()); + } +} + // RedefineClasses() API support: // If this ConstantPoolCacheEntry refers to old_method then update it // to refer to new_method. -bool ConstantPoolCacheEntry::adjust_method_entry(Method* old_method, +void ConstantPoolCacheEntry::adjust_method_entry(Method* old_method, Method* new_method, bool * trace_name_printed) { if (is_vfinal()) { @@ -446,63 +461,35 @@ bool ConstantPoolCacheEntry::adjust_method_entry(Method* old_method, // match old_method so need an update // NOTE: can't use set_f2_as_vfinal_method as it asserts on different values _f2 = (intptr_t)new_method; - if (log_is_enabled(Info, redefine, class, update)) { - ResourceMark rm; - if (!(*trace_name_printed)) { - log_info(redefine, class, update)("adjust: name=%s", old_method->method_holder()->external_name()); - *trace_name_printed = true; - } - log_debug(redefine, class, update, constantpool) - ("cpc vf-entry update: %s(%s)", new_method->name()->as_C_string(), new_method->signature()->as_C_string()); - } - return true; + log_adjust("vfinal", old_method, new_method, trace_name_printed); } - - // f1() is not used with virtual entries so bail out - return false; + return; } - if (_f1 == NULL) { - // NULL f1() means this is a virtual entry so bail out - // We are assuming that the vtable index does not need change. - return false; - } + assert (_f1 != NULL, "should not call with uninteresting entry"); - if (_f1 == old_method) { + if (!(_f1->is_method())) { + // _f1 is a Klass* for an interface, _f2 is the method + if (f2_as_interface_method() == old_method) { + _f2 = (intptr_t)new_method; + log_adjust("interface", old_method, new_method, trace_name_printed); + } + } else if (_f1 == old_method) { _f1 = new_method; - if (log_is_enabled(Info, redefine, class, update)) { - ResourceMark rm; - if (!(*trace_name_printed)) { - log_info(redefine, class, update)("adjust: name=%s", old_method->method_holder()->external_name()); - *trace_name_printed = true; - } - log_debug(redefine, class, update, constantpool) - ("cpc entry update: %s(%s)", new_method->name()->as_C_string(), new_method->signature()->as_C_string()); - } - return true; + log_adjust("special, static or dynamic", old_method, new_method, trace_name_printed); } - - return false; } // a constant pool cache entry should never contain old or obsolete methods bool ConstantPoolCacheEntry::check_no_old_or_obsolete_entries() { - if (is_vfinal()) { - // virtual and final so _f2 contains method ptr instead of vtable index - Metadata* f2 = (Metadata*)_f2; - // Return false if _f2 refers to an old or an obsolete method. - // _f2 == NULL || !_f2->is_method() are just as unexpected here. - return (f2 != NULL NOT_PRODUCT(&& f2->is_valid()) && f2->is_method() && - !((Method*)f2)->is_old() && !((Method*)f2)->is_obsolete()); - } else if (_f1 == NULL || - (NOT_PRODUCT(_f1->is_valid() &&) !_f1->is_method())) { - // _f1 == NULL || !_f1->is_method() are OK here + Method* m = get_interesting_method_entry(NULL); + // return false if m refers to a non-deleted old or obsolete method + if (m != NULL) { + assert(m->is_valid() && m->is_method(), "m is a valid method"); + return !m->is_old() && !m->is_obsolete(); // old is always set for old and obsolete + } else { return true; } - // return false if _f1 refers to a non-deleted old or obsolete method - return (NOT_PRODUCT(_f1->is_valid() &&) _f1->is_method() && - (f1_as_method()->is_deleted() || - (!f1_as_method()->is_old() && !f1_as_method()->is_obsolete()))); } Method* ConstantPoolCacheEntry::get_interesting_method_entry(Klass* k) { @@ -519,10 +506,11 @@ Method* ConstantPoolCacheEntry::get_interesting_method_entry(Klass* k) { return NULL; } else { if (!(_f1->is_method())) { - // _f1 can also contain a Klass* for an interface - return NULL; + // _f1 is a Klass* for an interface + m = f2_as_interface_method(); + } else { + m = f1_as_method(); } - m = f1_as_method(); } assert(m != NULL && m->is_method(), "sanity check"); if (m == NULL || !m->is_method() || (k != NULL && m->method_holder() != k)) { diff --git a/hotspot/src/share/vm/oops/cpCache.hpp b/hotspot/src/share/vm/oops/cpCache.hpp index 9db57ffa03..6b689314da 100644 --- a/hotspot/src/share/vm/oops/cpCache.hpp +++ b/hotspot/src/share/vm/oops/cpCache.hpp @@ -249,6 +249,7 @@ class ConstantPoolCacheEntry VALUE_OBJ_CLASS_SPEC { void set_itable_call( Bytecodes::Code invoke_code, // the bytecode used; must be invokeinterface + KlassHandle referenced_klass, // the referenced klass in the InterfaceMethodref const methodHandle& method, // the resolved interface method int itable_index // index into itable for the method ); @@ -345,6 +346,7 @@ class ConstantPoolCacheEntry VALUE_OBJ_CLASS_SPEC { bool is_f1_null() const { Metadata* f1 = f1_ord(); return f1 == NULL; } // classifies a CPC entry as unbound int f2_as_index() const { assert(!is_vfinal(), ""); return (int) _f2; } Method* f2_as_vfinal_method() const { assert(is_vfinal(), ""); return (Method*)_f2; } + Method* f2_as_interface_method() const { assert(bytecode_1() == Bytecodes::_invokeinterface, ""); return (Method*)_f2; } int field_index() const { assert(is_field_entry(), ""); return (_flags & field_index_mask); } int parameter_size() const { assert(is_method_entry(), ""); return (_flags & parameter_size_mask); } bool is_volatile() const { return (_flags & (1 << is_volatile_shift)) != 0; } @@ -377,7 +379,7 @@ class ConstantPoolCacheEntry VALUE_OBJ_CLASS_SPEC { // trace_name_printed is set to true if the current call has // printed the klass name so that other routines in the adjust_* // group don't print the klass name. - bool adjust_method_entry(Method* old_method, Method* new_method, + void adjust_method_entry(Method* old_method, Method* new_method, bool* trace_name_printed); bool check_no_old_or_obsolete_entries(); Method* get_interesting_method_entry(Klass* k); diff --git a/hotspot/src/share/vm/oops/klassVtable.cpp b/hotspot/src/share/vm/oops/klassVtable.cpp index 9715d2b087..0943d52b50 100644 --- a/hotspot/src/share/vm/oops/klassVtable.cpp +++ b/hotspot/src/share/vm/oops/klassVtable.cpp @@ -1173,7 +1173,6 @@ void klassItable::initialize_itable_for_interface(int method_table_offset, Klass Array* methods = InstanceKlass::cast(interf_h())->methods(); int nof_methods = methods->length(); HandleMark hm; - assert(nof_methods > 0, "at least one method must exist for interface to be in vtable"); Handle interface_loader (THREAD, InstanceKlass::cast(interf_h())->class_loader()); int ime_count = method_count_for_interface(interf_h()); @@ -1350,8 +1349,10 @@ void visit_all_interfaces(Array* transitive_intf, InterfaceVisiterClosur } } - // Only count interfaces with at least one method - if (method_count > 0) { + // Visit all interfaces which either have any methods or can participate in receiver type check. + // We do not bother to count methods in transitive interfaces, although that would allow us to skip + // this step in the rare case of a zero-method interface extending another zero-method interface. + if (method_count > 0 || InstanceKlass::cast(intf)->transitive_interfaces()->length() > 0) { blk->doit(intf, method_count); } } diff --git a/hotspot/src/share/vm/oops/method.hpp b/hotspot/src/share/vm/oops/method.hpp index 6675410db8..a1f8e66e72 100644 --- a/hotspot/src/share/vm/oops/method.hpp +++ b/hotspot/src/share/vm/oops/method.hpp @@ -700,6 +700,7 @@ class Method : public Metadata { static ByteSize from_interpreted_offset() { return byte_offset_of(Method, _from_interpreted_entry ); } static ByteSize interpreter_entry_offset() { return byte_offset_of(Method, _i2i_entry ); } static ByteSize signature_handler_offset() { return in_ByteSize(sizeof(Method) + wordSize); } + static ByteSize itable_index_offset() { return byte_offset_of(Method, _vtable_index ); } // for code generation static int method_data_offset_in_bytes() { return offset_of(Method, _method_data); } diff --git a/hotspot/src/share/vm/runtime/vmStructs.cpp b/hotspot/src/share/vm/runtime/vmStructs.cpp index a945f4f4a0..79956edf1d 100644 --- a/hotspot/src/share/vm/runtime/vmStructs.cpp +++ b/hotspot/src/share/vm/runtime/vmStructs.cpp @@ -230,7 +230,7 @@ typedef CompactHashtable SymbolCompactHashTable; nonstatic_field(ArrayKlass, _dimension, int) \ volatile_nonstatic_field(ArrayKlass, _higher_dimension, Klass*) \ volatile_nonstatic_field(ArrayKlass, _lower_dimension, Klass*) \ - nonstatic_field(CompiledICHolder, _holder_method, Method*) \ + nonstatic_field(CompiledICHolder, _holder_metadata, Metadata*) \ nonstatic_field(CompiledICHolder, _holder_klass, Klass*) \ nonstatic_field(ConstantPool, _tags, Array*) \ nonstatic_field(ConstantPool, _cache, ConstantPoolCache*) \ diff --git a/hotspot/test/native/code/test_vtableStub.cpp b/hotspot/test/native/code/test_vtableStub.cpp new file mode 100644 index 0000000000..9930f95127 --- /dev/null +++ b/hotspot/test/native/code/test_vtableStub.cpp @@ -0,0 +1,52 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + * + */ + +#include "precompiled.hpp" +#include "code/vtableStubs.hpp" +#include "runtime/interfaceSupport.hpp" +#include "unittest.hpp" + +TEST_VM(code, vtableStubs) { + // Should be in VM to use locks + ThreadInVMfromNative ThreadInVMfromNative(JavaThread::current()); + + VtableStubs::find_vtable_stub(0); // min vtable index + for (int i = 0; i < 15; i++) { + VtableStubs::find_vtable_stub((1 << i) - 1); + VtableStubs::find_vtable_stub((1 << i)); + } + VtableStubs::find_vtable_stub((1 << 15) - 1); // max vtable index +} + +TEST_VM(code, itableStubs) { + // Should be in VM to use locks + ThreadInVMfromNative ThreadInVMfromNative(JavaThread::current()); + + VtableStubs::find_itable_stub(0); // min itable index + for (int i = 0; i < 15; i++) { + VtableStubs::find_itable_stub((1 << i) - 1); + VtableStubs::find_itable_stub((1 << i)); + } + VtableStubs::find_itable_stub((1 << 15) - 1); // max itable index +} diff --git a/hotspot/test/runtime/RedefineTests/RedefineInterfaceCall.java b/hotspot/test/runtime/RedefineTests/RedefineInterfaceCall.java new file mode 100644 index 0000000000..ec3efe7431 --- /dev/null +++ b/hotspot/test/runtime/RedefineTests/RedefineInterfaceCall.java @@ -0,0 +1,83 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8174962 + * @summary Redefine class with interface method call + * @library /test/lib + * @modules java.base/jdk.internal.misc + * @modules java.compiler + * java.instrument + * jdk.jartool/sun.tools.jar + * @run main RedefineClassHelper + * @run main/othervm -javaagent:redefineagent.jar -Xlog:redefine+class+update*=trace RedefineInterfaceCall + */ + +import static jdk.test.lib.Asserts.assertEquals; + +interface I1 { default int m() { return 0; } } +interface I2 extends I1 {} + +public class RedefineInterfaceCall { + + public static class C implements I2 { + public int test(I2 i) { + return i.m(); // invokeinterface cpCacheEntry + } + } + + static String newI1 = + "interface I1 { default int m() { return 1; } }"; + + static String newC = + "public class RedefineInterfaceCall$C implements I2 { " + + " public int test(I2 i) { " + + " return i.m(); " + + " } " + + "} "; + + static int test(I2 i) { + return i.m(); // invokeinterface cpCacheEntry + } + + public static void main(String[] args) throws Exception { + C c = new C(); + + assertEquals(test(c), 0); + assertEquals(c.test(c), 0); + + RedefineClassHelper.redefineClass(C.class, newC); + + assertEquals(c.test(c), 0); + + RedefineClassHelper.redefineClass(I1.class, newI1); + + assertEquals(test(c), 1); + assertEquals(c.test(c), 1); + + RedefineClassHelper.redefineClass(C.class, newC); + + assertEquals(c.test(c), 1); + } +} diff --git a/hotspot/test/runtime/SharedArchiveFile/serviceability/transformRelatedClasses/TransformTestCommon.java b/hotspot/test/runtime/SharedArchiveFile/serviceability/transformRelatedClasses/TransformTestCommon.java index 00e25bce83..38e9b75148 100644 --- a/hotspot/test/runtime/SharedArchiveFile/serviceability/transformRelatedClasses/TransformTestCommon.java +++ b/hotspot/test/runtime/SharedArchiveFile/serviceability/transformRelatedClasses/TransformTestCommon.java @@ -62,8 +62,8 @@ public class TransformTestCommon { String parent, String child) throws Exception { - String parentSharedMatch = parent + " source: shared objects file"; - String childSharedMatch = child + " source: shared objects file"; + String parentSharedMatch = " " + parent + " source: shared objects file"; + String childSharedMatch = " " + child + " source: shared objects file"; if (entry.isParentExpectedShared) out.shouldContain(parentSharedMatch); From 71c0a0be477375d4b9327824c4bc5bb8e00620d5 Mon Sep 17 00:00:00 2001 From: Martin Doerr Date: Thu, 1 Jun 2017 12:20:37 +0200 Subject: [PATCH 090/269] 8181420: PPC: Image conversion improvements Reviewed-by: thartmann, simonis, mbaesken --- hotspot/src/cpu/ppc/vm/ppc.ad | 23 +++++++++++++++++++++++ hotspot/src/cpu/s390/vm/s390.ad | 18 ++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/hotspot/src/cpu/ppc/vm/ppc.ad b/hotspot/src/cpu/ppc/vm/ppc.ad index 6c3d9cf1fd..f9534b65bf 100644 --- a/hotspot/src/cpu/ppc/vm/ppc.ad +++ b/hotspot/src/cpu/ppc/vm/ppc.ad @@ -11048,6 +11048,29 @@ instruct cmpL_reg_imm16(flagsReg crx, iRegLsrc src1, immL16 src2) %{ ins_pipe(pipe_class_compare); %} +// Added CmpUL for LoopPredicate. +instruct cmpUL_reg_reg(flagsReg crx, iRegLsrc src1, iRegLsrc src2) %{ + match(Set crx (CmpUL src1 src2)); + format %{ "CMPLD $crx, $src1, $src2" %} + size(4); + ins_encode %{ + // TODO: PPC port $archOpcode(ppc64Opcode_cmpl); + __ cmpld($crx$$CondRegister, $src1$$Register, $src2$$Register); + %} + ins_pipe(pipe_class_compare); +%} + +instruct cmpUL_reg_imm16(flagsReg crx, iRegLsrc src1, uimmL16 src2) %{ + match(Set crx (CmpUL src1 src2)); + format %{ "CMPLDI $crx, $src1, $src2" %} + size(4); + ins_encode %{ + // TODO: PPC port $archOpcode(ppc64Opcode_cmpli); + __ cmpldi($crx$$CondRegister, $src1$$Register, $src2$$constant); + %} + ins_pipe(pipe_class_compare); +%} + instruct testL_reg_reg(flagsRegCR0 cr0, iRegLsrc src1, iRegLsrc src2, immL_0 zero) %{ match(Set cr0 (CmpL (AndL src1 src2) zero)); // r0 is killed diff --git a/hotspot/src/cpu/s390/vm/s390.ad b/hotspot/src/cpu/s390/vm/s390.ad index fd188525c4..7daf348c0a 100644 --- a/hotspot/src/cpu/s390/vm/s390.ad +++ b/hotspot/src/cpu/s390/vm/s390.ad @@ -8475,6 +8475,24 @@ instruct compL_reg_memI(iRegL dst, memory src, flagsReg cr)%{ %} // LONG unsigned +// Added CmpUL for LoopPredicate. +instruct compUL_reg_reg(flagsReg cr, iRegL op1, iRegL op2) %{ + match(Set cr (CmpUL op1 op2)); + size(4); + format %{ "CLGR $op1,$op2\t # long" %} + opcode(CLGR_ZOPC); + ins_encode(z_rreform(op1, op2)); + ins_pipe(pipe_class_dummy); +%} + +instruct compUL_reg_imm32(flagsReg cr, iRegL op1, uimmL32 con) %{ + match(Set cr (CmpUL op1 con)); + size(6); + format %{ "CLGFI $op1,$con" %} + opcode(CLGFI_ZOPC); + ins_encode(z_rilform_unsigned(op1, con)); + ins_pipe(pipe_class_dummy); +%} // PTR unsigned From 71610ff5a735ece57c252b08abca72a00b27d229 Mon Sep 17 00:00:00 2001 From: Rachel Protacio Date: Mon, 12 Jun 2017 13:58:09 -0400 Subject: [PATCH 091/269] 8181664: Improve JVM UTF String handling Reviewed-by: mschoene, coleenp, rhalade, acorn, gtriantafill --- hotspot/src/share/vm/prims/jni.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hotspot/src/share/vm/prims/jni.cpp b/hotspot/src/share/vm/prims/jni.cpp index acda443267..5f81a7ecb6 100644 --- a/hotspot/src/share/vm/prims/jni.cpp +++ b/hotspot/src/share/vm/prims/jni.cpp @@ -2839,7 +2839,7 @@ jni_Get##Result##ArrayRegion(JNIEnv *env, ElementType##Array array, jsize start, EntryProbe; \ DT_VOID_RETURN_MARK(Get##Result##ArrayRegion); \ typeArrayOop src = typeArrayOop(JNIHandles::resolve_non_null(array)); \ - if (start < 0 || len < 0 || ((unsigned int)start + (unsigned int)len > (unsigned int)src->length())) { \ + if (start < 0 || len < 0 || (start > src->length() - len)) { \ THROW(vmSymbols::java_lang_ArrayIndexOutOfBoundsException()); \ } else { \ if (len > 0) { \ @@ -2889,7 +2889,7 @@ jni_Set##Result##ArrayRegion(JNIEnv *env, ElementType##Array array, jsize start, EntryProbe; \ DT_VOID_RETURN_MARK(Set##Result##ArrayRegion); \ typeArrayOop dst = typeArrayOop(JNIHandles::resolve_non_null(array)); \ - if (start < 0 || len < 0 || ((unsigned int)start + (unsigned int)len > (unsigned int)dst->length())) { \ + if (start < 0 || len < 0 || (start > dst->length() - len)) { \ THROW(vmSymbols::java_lang_ArrayIndexOutOfBoundsException()); \ } else { \ if (len > 0) { \ @@ -3126,7 +3126,7 @@ JNI_ENTRY(void, jni_GetStringRegion(JNIEnv *env, jstring string, jsize start, js DT_VOID_RETURN_MARK(GetStringRegion); oop s = JNIHandles::resolve_non_null(string); int s_len = java_lang_String::length(s); - if (start < 0 || len < 0 || start + len > s_len) { + if (start < 0 || len < 0 || start > s_len - len) { THROW(vmSymbols::java_lang_StringIndexOutOfBoundsException()); } else { if (len > 0) { @@ -3152,7 +3152,7 @@ JNI_ENTRY(void, jni_GetStringUTFRegion(JNIEnv *env, jstring string, jsize start, DT_VOID_RETURN_MARK(GetStringUTFRegion); oop s = JNIHandles::resolve_non_null(string); int s_len = java_lang_String::length(s); - if (start < 0 || len < 0 || start + len > s_len) { + if (start < 0 || len < 0 || start > s_len - len) { THROW(vmSymbols::java_lang_StringIndexOutOfBoundsException()); } else { //%note jni_7 From 19f1500a1b9155f284bd09acf6f5c04a1b643d13 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:06:41 +0100 Subject: [PATCH 092/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- .jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/.jcheck/conf b/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/.jcheck/conf +++ b/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From 91beae627cba8980f44a592c77246ea06313ff26 Mon Sep 17 00:00:00 2001 From: Erik Joelsson Date: Mon, 10 Jul 2017 18:16:37 +0200 Subject: [PATCH 093/269] 8181788: Unable to build JDK10 on SPARC-M8 machines Reviewed-by: tbell --- common/conf/jib-profiles.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js index 54ccfcecd5..bad4544d17 100644 --- a/common/conf/jib-profiles.js +++ b/common/conf/jib-profiles.js @@ -387,7 +387,7 @@ var getJibProfilesCommon = function (input, data) { // on such hardware. if (input.build_cpu == "sparcv9") { var cpu_brand = $EXEC("bash -c \"kstat -m cpu_info | grep brand | head -n1 | awk '{ print \$2 }'\""); - if (cpu_brand.trim().match('SPARC-.7')) { + if (cpu_brand.trim().match('SPARC-.[78]')) { boot_jdk_revision = "8u20"; boot_jdk_subdirpart = "1.8.0_20"; } From b109ada8d02431afcb6664ec9d214bfef973eb27 Mon Sep 17 00:00:00 2001 From: Erik Joelsson Date: Mon, 10 Jul 2017 18:25:28 +0200 Subject: [PATCH 094/269] 8183934: Change version number in 9.0.3 to 9.0.3 Reviewed-by: tbell --- common/autoconf/version-numbers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/autoconf/version-numbers b/common/autoconf/version-numbers index 4cb5467118..268e66b71a 100644 --- a/common/autoconf/version-numbers +++ b/common/autoconf/version-numbers @@ -27,7 +27,7 @@ DEFAULT_VERSION_MAJOR=9 DEFAULT_VERSION_MINOR=0 -DEFAULT_VERSION_SECURITY=0 +DEFAULT_VERSION_SECURITY=3 DEFAULT_VERSION_PATCH=0 LAUNCHER_NAME=openjdk From 23975545e98fb836d6e78214899fe90d42b5d796 Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Wed, 23 Aug 2017 13:44:21 -0700 Subject: [PATCH 095/269] 8185928: Generate OpenJDK builds for Mac platform JDK 9.0.3 and beyond in Mach 5 Reviewed-by: erikj --- common/conf/jib-profiles.js | 46 ++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js index bad4544d17..e8f5d8f455 100644 --- a/common/conf/jib-profiles.js +++ b/common/conf/jib-profiles.js @@ -814,6 +814,49 @@ var getJibProfilesProfiles = function (input, common, data) { } }, + "macosx-x64-open": { + artifacts: { + jdk: { + local: "bundles/\\(jdk.*bin.tar.gz\\)", + remote: [ + "bundles/openjdk/GPL/osx-x64/jdk-" + data.version + + "_osx-x64_bin.tar.gz", + "bundles/openjdk/GPL/osx-x64/\\1" + ], + subdir: "jdk-" + data.version + }, + jre: { + local: "bundles/\\(jre.*bin.tar.gz\\)", + remote: "bundles/openjdk/GPL/osx-x64/\\1", + }, + test: { + local: "bundles/\\(jdk.*bin-tests.tar.gz\\)", + remote: [ + "bundles/openjdk/GPL/osx-x64/jdk-" + data.version + + "_osx-x64_bin-tests.tar.gz", + "bundles/openjdk/GPL/osx-x64/\\1" + ] + }, + jdk_symbols: { + local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)", + remote: [ + "bundles/openjdk/GPL/osx-x64/jdk-" + data.version + + "_osx-x64_bin-symbols.tar.gz", + "bundles/openjdk/GPL/osx-x64/\\1" + ], + subdir: "jdk-" + data.version + }, + jre_symbols: { + local: "bundles/\\(jre.*bin-symbols.tar.gz\\)", + remote: "bundles/openjdk/GPL/osx-x64/\\1", + }, + doc_api_spec: { + local: "bundles/\\(jdk.*doc-api-spec.tar.gz\\)", + remote: "bundles/openjdk/GPL/osx-x64/\\1", + }, + } + }, + "windows-x86-open": { artifacts: { jdk: { @@ -880,10 +923,11 @@ var getJibProfilesProfiles = function (input, common, data) { profiles["linux-x64-ri"] = clone(profiles["linux-x64-open"]); profiles["linux-x86-ri"] = clone(profiles["linux-x86-open"]); profiles["linux-x86-ri-debug"] = clone(profiles["linux-x86-open-debug"]); + profiles["macosx-x64-ri"] = clone(profiles["macosx-x64-open"]); profiles["windows-x86-ri"] = clone(profiles["windows-x86-open"]); // Generate artifacts for ri profiles - [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "windows-x86-ri" ] + [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "macosx-x64-ri", "windows-x86-ri" ] .forEach(function (name) { // Rewrite all remote dirs to "bundles/openjdk/BCL/..." for (artifactName in profiles[name].artifacts) { From 3d9596e9feeed4c5c6cc95d921720ffd0b0ccd05 Mon Sep 17 00:00:00 2001 From: Abhijit Saha Date: Sun, 1 Oct 2017 20:19:39 -0700 Subject: [PATCH 096/269] 8188194: Change version number in 9.0.4 to 9.0.4 Reviewed-by: erikj --- common/autoconf/version-numbers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/autoconf/version-numbers b/common/autoconf/version-numbers index 268e66b71a..84a962fa81 100644 --- a/common/autoconf/version-numbers +++ b/common/autoconf/version-numbers @@ -1,5 +1,5 @@ # -# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,7 @@ DEFAULT_VERSION_MAJOR=9 DEFAULT_VERSION_MINOR=0 -DEFAULT_VERSION_SECURITY=3 +DEFAULT_VERSION_SECURITY=4 DEFAULT_VERSION_PATCH=0 LAUNCHER_NAME=openjdk From 45a21e0427727241266632f3ec5d60d7d5242c39 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:06:41 +0100 Subject: [PATCH 097/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- .jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/.jcheck/conf b/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/.jcheck/conf +++ b/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From 802e712c5517996959ce48befec93c7f644be8e9 Mon Sep 17 00:00:00 2001 From: Mark Sheppard Date: Sun, 3 Sep 2017 16:08:13 +0100 Subject: [PATCH 098/269] 8160104: CORBA communication improvements Reviewed-by: rriggs, dfuchs --- .../impl/encoding/BufferManagerWriteGrow.java | 24 ++- .../se/impl/encoding/CDRInputStream_1_0.java | 9 +- .../se/impl/ior/IORTypeCheckRegistryImpl.java | 179 ++++++++++++++++++ .../com/sun/corba/se/impl/orb/ORBImpl.java | 56 +++++- .../sun/corba/se/impl/orb/ORBSingleton.java | 9 +- .../se/spi/ior/IORTypeCheckRegistry.java | 31 +++ .../classes/com/sun/corba/se/spi/orb/ORB.java | 21 +- 7 files changed, 320 insertions(+), 9 deletions(-) create mode 100644 corba/src/java.corba/share/classes/com/sun/corba/se/impl/ior/IORTypeCheckRegistryImpl.java create mode 100644 corba/src/java.corba/share/classes/com/sun/corba/se/spi/ior/IORTypeCheckRegistry.java diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/BufferManagerWriteGrow.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/BufferManagerWriteGrow.java index 1ede700817..33b94c57cd 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/BufferManagerWriteGrow.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/BufferManagerWriteGrow.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,11 +26,13 @@ package com.sun.corba.se.impl.encoding; import com.sun.corba.se.impl.orbutil.ORBConstants; +import com.sun.corba.se.impl.orbutil.ORBUtility; import com.sun.corba.se.impl.encoding.ByteBufferWithInfo; import com.sun.corba.se.impl.encoding.BufferManagerWrite; import com.sun.corba.se.pept.encoding.OutputObject; import com.sun.corba.se.pept.transport.Connection; import com.sun.corba.se.spi.orb.ORB; +import com.sun.corba.se.spi.orb.ORBData; public class BufferManagerWriteGrow extends BufferManagerWrite { @@ -48,7 +50,20 @@ public class BufferManagerWriteGrow extends BufferManagerWrite * buffer manager as set in the ORB. */ public int getBufferSize() { - return orb.getORBData().getGIOPBufferSize(); + ORBData orbData = null; + int bufferSize = ORBConstants.GIOP_DEFAULT_BUFFER_SIZE; + if (orb != null) { + orbData = orb.getORBData(); + if (orbData != null) { + bufferSize = orbData.getGIOPBufferSize(); + dprint("BufferManagerWriteGrow.getBufferSize: bufferSize == " + bufferSize); + } else { + dprint("BufferManagerWriteGrow.getBufferSize: orbData reference is NULL"); + } + } else { + dprint("BufferManagerWriteGrow.getBufferSize: orb reference is NULL"); + } + return bufferSize; } public void overflow (ByteBufferWithInfo bbwi) @@ -89,4 +104,9 @@ public class BufferManagerWriteGrow extends BufferManagerWrite */ public void close() {} + private void dprint(String msg) { + if (orb.transportDebugFlag) { + ORBUtility.dprint(this, msg); +} + } } diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/CDRInputStream_1_0.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/CDRInputStream_1_0.java index a00d66cb5b..81a81df2ac 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/CDRInputStream_1_0.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/encoding/CDRInputStream_1_0.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -725,12 +725,14 @@ public class CDRInputStream_1_0 extends CDRInputStreamBase // IDLEntity.class.isAssignableFrom( clz ). // 3. If clz is an interface, use it to create the appropriate // stub factory. + public org.omg.CORBA.Object read_Object(Class clz) { // In any case, we must first read the IOR. IOR ior = IORFactories.makeIOR(parent) ; - if (ior.isNil()) + if (ior.isNil()) { return null ; + } PresentationManager.StubFactoryFactory sff = ORB.getStubFactoryFactory() ; String codeBase = ior.getProfile().getCodebase() ; @@ -739,6 +741,7 @@ public class CDRInputStream_1_0 extends CDRInputStreamBase if (clz == null) { RepositoryId rid = RepositoryId.cache.getId( ior.getTypeId() ) ; String className = rid.getClassName() ; + orb.validateIORClass(className); boolean isIDLInterface = rid.isIDLType() ; if (className == null || className.equals( "" )) @@ -761,11 +764,9 @@ public class CDRInputStream_1_0 extends CDRInputStreamBase } else { // clz is an interface class boolean isIDL = IDLEntity.class.isAssignableFrom( clz ) ; - stubFactory = sff.createStubFactory( clz.getName(), isIDL, codeBase, clz, clz.getClassLoader() ) ; } - return internalIORToObject( ior, stubFactory, orb ) ; } diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/ior/IORTypeCheckRegistryImpl.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/ior/IORTypeCheckRegistryImpl.java new file mode 100644 index 0000000000..dd699eaa2b --- /dev/null +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/ior/IORTypeCheckRegistryImpl.java @@ -0,0 +1,179 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package com.sun.corba.se.impl.ior; + +import java.util.Set; + +import com.sun.corba.se.impl.orbutil.ORBUtility; +import com.sun.corba.se.spi.ior.IORTypeCheckRegistry; +import com.sun.corba.se.spi.orb.ORB; + +public class IORTypeCheckRegistryImpl implements IORTypeCheckRegistry { + + private final Set iorTypeNames; + private static final Set builtinIorTypeNames; + private ORB theOrb; + + static { + builtinIorTypeNames = initBuiltinIorTypeNames(); + } + + public IORTypeCheckRegistryImpl( String filterProperties, ORB orb) { + theOrb = orb; + iorTypeNames = parseIorClassNameList(filterProperties); + } + + /* + * + * A note on the validation flow: + * 1. against the filter class name list + * 2. against the builtin class name list + */ + + @Override + public boolean isValidIORType(String iorClassName) { + dprintTransport(".isValidIORType : iorClassName == " + iorClassName); + return validateIorTypeByName(iorClassName); + } + + + private boolean validateIorTypeByName(String iorClassName) { + dprintTransport(".validateIorTypeByName : iorClassName == " + iorClassName); + boolean isValidType; + + isValidType = checkIorTypeNames(iorClassName); + + if (!isValidType) { + isValidType = checkBuiltinClassNames(iorClassName); + } + + dprintTransport(".validateIorTypeByName : isValidType == " + isValidType); + return isValidType; + } + + + /* + * check if the class name corresponding to an IOR Type name + * is in the ior class name list as generated from the filter property. + * So if the IOR type is recorded in the registry then allow the creation of the + * stub factory and let it resolve and load the class. That is if current + * type check deliberation permits. + * IOR Type names are configured by the filter property + */ + + private boolean checkIorTypeNames( + String theIorClassName) { + return (iorTypeNames != null) && (iorTypeNames.contains(theIorClassName)); + } + + /* + * Check the IOR interface class name against the set of + * class names that correspond to the builtin JDK IDL stub classes. + */ + + private boolean checkBuiltinClassNames( + String theIorClassName) { + return builtinIorTypeNames.contains(theIorClassName); + } + + + private Set parseIorClassNameList(String filterProperty) { + Set _iorTypeNames = null; + if (filterProperty != null) { + String[] tempIorClassNames = filterProperty.split(";"); + _iorTypeNames = Set.of(tempIorClassNames); + if (theOrb.orbInitDebugFlag) { + dprintConfiguredIorTypeNames(); + } + } + return _iorTypeNames; + } + + + private static Set initBuiltinIorTypeNames() { + Set> builtInCorbaStubTypes = initBuiltInCorbaStubTypes(); + String [] tempBuiltinIorTypeNames = new String[builtInCorbaStubTypes.size()]; + int i = 0; + for (Class _stubClass: builtInCorbaStubTypes) { + tempBuiltinIorTypeNames[i++] = _stubClass.getName(); + } + return Set.of(tempBuiltinIorTypeNames); + } + + private static Set> initBuiltInCorbaStubTypes() { + Class tempBuiltinCorbaStubTypes[] = { + com.sun.corba.se.spi.activation.Activator.class, + com.sun.corba.se.spi.activation._ActivatorStub.class, + com.sun.corba.se.spi.activation._InitialNameServiceStub.class, + com.sun.corba.se.spi.activation._LocatorStub.class, + com.sun.corba.se.spi.activation._RepositoryStub.class, + com.sun.corba.se.spi.activation._ServerManagerStub.class, + com.sun.corba.se.spi.activation._ServerStub.class, + org.omg.CosNaming.BindingIterator.class, + org.omg.CosNaming._BindingIteratorStub.class, + org.omg.CosNaming.NamingContextExt.class, + org.omg.CosNaming._NamingContextExtStub.class, + org.omg.CosNaming.NamingContext.class, + org.omg.CosNaming._NamingContextStub.class, + org.omg.DynamicAny.DynAnyFactory.class, + org.omg.DynamicAny._DynAnyFactoryStub.class, + org.omg.DynamicAny.DynAny.class, + org.omg.DynamicAny._DynAnyStub.class, + org.omg.DynamicAny.DynArray.class, + org.omg.DynamicAny._DynArrayStub.class, + org.omg.DynamicAny.DynEnum.class, + org.omg.DynamicAny._DynEnumStub.class, + org.omg.DynamicAny.DynFixed.class, + org.omg.DynamicAny._DynFixedStub.class, + org.omg.DynamicAny.DynSequence.class, + org.omg.DynamicAny._DynSequenceStub.class, + org.omg.DynamicAny.DynStruct.class, + org.omg.DynamicAny._DynStructStub.class, + org.omg.DynamicAny.DynUnion.class, + org.omg.DynamicAny._DynUnionStub.class, + org.omg.DynamicAny._DynValueStub.class, + org.omg.DynamicAny.DynValue.class, + org.omg.PortableServer.ServantActivator.class, + org.omg.PortableServer._ServantActivatorStub.class, + org.omg.PortableServer.ServantLocator.class, + org.omg.PortableServer._ServantLocatorStub.class }; + return Set.>of(tempBuiltinCorbaStubTypes); + } + + private void dprintConfiguredIorTypeNames() { + if (iorTypeNames != null) { + for (String iorTypeName : iorTypeNames) { + ORBUtility.dprint(this, ".dprintConfiguredIorTypeNames: " + iorTypeName); + } + } + } + + private void dprintTransport(String msg) { + if (theOrb.transportDebugFlag) { + ORBUtility.dprint(this, msg); + } + } +} diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBImpl.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBImpl.java index 007e6b8dc2..ed8e46d30f 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBImpl.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -54,6 +54,7 @@ import java.net.InetAddress; import java.security.PrivilegedAction; import java.security.AccessController; +import java.security.Security; import javax.rmi.CORBA.Util; import javax.rmi.CORBA.ValueHandler; @@ -90,6 +91,7 @@ import com.sun.corba.se.pept.transport.ConnectionCache; import com.sun.corba.se.pept.transport.TransportManager; import com.sun.corba.se.spi.ior.IOR; +import com.sun.corba.se.spi.ior.IORTypeCheckRegistry; import com.sun.corba.se.spi.ior.IdentifiableFactoryFinder; import com.sun.corba.se.spi.ior.TaggedComponentFactoryFinder; import com.sun.corba.se.spi.ior.IORFactories; @@ -124,6 +126,7 @@ import com.sun.corba.se.spi.orb.StringPair; import com.sun.corba.se.spi.transport.CorbaContactInfoListFactory; import com.sun.corba.se.spi.transport.CorbaTransportManager; import com.sun.corba.se.spi.legacy.connection.LegacyServerSocketManager; +import com.sun.corba.se.spi.logging.CORBALogDomains; import com.sun.corba.se.spi.copyobject.CopierManager; import com.sun.corba.se.spi.presentation.rmi.PresentationDefaults; import com.sun.corba.se.spi.presentation.rmi.PresentationManager; @@ -145,6 +148,7 @@ import com.sun.corba.se.impl.encoding.EncapsOutputStream; import com.sun.corba.se.impl.encoding.CachedCodeBase; import com.sun.corba.se.impl.interceptors.PIHandlerImpl; import com.sun.corba.se.impl.interceptors.PINoOpHandlerImpl; +import com.sun.corba.se.impl.ior.IORTypeCheckRegistryImpl; import com.sun.corba.se.impl.ior.TaggedComponentFactoryFinderImpl; import com.sun.corba.se.impl.ior.TaggedProfileFactoryFinderImpl; import com.sun.corba.se.impl.ior.TaggedProfileTemplateFactoryFinderImpl; @@ -226,6 +230,8 @@ public class ORBImpl extends com.sun.corba.se.spi.orb.ORB private ServiceContextRegistry serviceContextRegistry ; + private IORTypeCheckRegistry iorTypeCheckRegistry; + // Needed here to implement connect/disconnect private TOAFactory toaFactory ; @@ -274,6 +280,8 @@ public class ORBImpl extends com.sun.corba.se.spi.orb.ORB // insNamingDelegate. private final Object resolverLock = new Object() ; + private static final String IORTYPECHECKREGISTRY_FILTER_PROPNAME = "com.sun.CORBA.ORBIorTypeCheckRegistryFilter"; + private TaggedComponentFactoryFinder taggedComponentFactoryFinder ; private IdentifiableFactoryFinder taggedProfileFactoryFinder ; @@ -411,6 +419,39 @@ public class ORBImpl extends com.sun.corba.se.spi.orb.ORB }; serviceContextRegistry = new ServiceContextRegistry( this ) ; + + } + + + private void initIORTypeCheckRegistry() { + String filterProps = AccessController + .doPrivileged(new PrivilegedAction() { + public String run() { + String props = System + .getProperty(IORTYPECHECKREGISTRY_FILTER_PROPNAME); + if (props == null) { + props = Security + .getProperty(IORTYPECHECKREGISTRY_FILTER_PROPNAME); + } + return props; + } + }); + if (filterProps != null) { + try { + iorTypeCheckRegistry = new IORTypeCheckRegistryImpl(filterProps, this); + } catch (Exception ex) { + throw wrapper.bootstrapException(ex); + } + + if (this.orbInitDebugFlag) { + dprint(".initIORTypeCheckRegistry, IORTypeCheckRegistryImpl created for properties == " + + filterProps); + } + } else { + if (this.orbInitDebugFlag) { + dprint(".initIORTypeCheckRegistry, IORTypeCheckRegistryImpl NOT created for properties == "); + } + } } protected void setDebugFlags( String[] args ) @@ -494,6 +535,8 @@ public class ORBImpl extends com.sun.corba.se.spi.orb.ORB getThreadPoolManager(); super.getByteBufferPool(); + + initIORTypeCheckRegistry(); } private synchronized POAFactory getPOAFactory() @@ -2089,6 +2132,17 @@ public class ORBImpl extends com.sun.corba.se.spi.orb.ORB } return copierManager ; } + + @Override + public void validateIORClass(String iorClassName) { + if (iorTypeCheckRegistry != null) { + if (!iorTypeCheckRegistry.isValidIORType(iorClassName)) { + throw ORBUtilSystemException.get( this, + CORBALogDomains.OA_IOR ).badStringifiedIor(); + } + } + } + } // Class ORBImpl //////////////////////////////////////////////////////////////////////// diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBSingleton.java b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBSingleton.java index 63bec8b116..3430a4406a 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBSingleton.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/impl/orb/ORBSingleton.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -768,6 +768,13 @@ public class ORBSingleton extends ORB public CopierManager getCopierManager() { return null ; } + + @Override + public void validateIORClass(String iorClassName) { + getFullORB().validateIORClass(iorClassName); + + } + } // End of file. diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/spi/ior/IORTypeCheckRegistry.java b/corba/src/java.corba/share/classes/com/sun/corba/se/spi/ior/IORTypeCheckRegistry.java new file mode 100644 index 0000000000..cf10bc6142 --- /dev/null +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/spi/ior/IORTypeCheckRegistry.java @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package com.sun.corba.se.spi.ior; + +public interface IORTypeCheckRegistry { + public boolean isValidIORType(String iorClassName); +} + diff --git a/corba/src/java.corba/share/classes/com/sun/corba/se/spi/orb/ORB.java b/corba/src/java.corba/share/classes/com/sun/corba/se/spi/orb/ORB.java index a527d4458c..2e73453f97 100644 --- a/corba/src/java.corba/share/classes/com/sun/corba/se/spi/orb/ORB.java +++ b/corba/src/java.corba/share/classes/com/sun/corba/se/spi/orb/ORB.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -121,6 +121,7 @@ public abstract class ORB extends com.sun.corba.se.org.omg.CORBA.ORB public boolean shutdownDebugFlag = false; public boolean giopDebugFlag = false; public boolean invocationTimingDebugFlag = false ; + public boolean orbInitDebugFlag = false ; // SystemException log wrappers. Protected so that they can be used in // subclasses. @@ -487,6 +488,24 @@ public abstract class ORB extends com.sun.corba.se.org.omg.CORBA.ORB public abstract ThreadPoolManager getThreadPoolManager(); public abstract CopierManager getCopierManager() ; + + /* + * This method is called to verify that a stringified IOR passed to + * an org.omg.CORBA.ORB::string_to_object method contains a valid and acceptable IOR type. + * If an ORB is configured with IOR type checking enabled, + * the ORB executes a IOR type registry lookup to + * validate that the class name extract from a type id in + * a stringified IOR is a known and accepted type. + * A CORBA {@code org.omg.CORBA.DATA_CONVERSION} exception will be thrown should the type check fail. + * + * @param iorClassName + * a string representing the class name corresponding to the type id of an IOR + * @throws org.omg.CORBA.DATA_CONVERSION + * exception with an indication that it is a "Bad stringified IOR", which is thrown + * when the type check fails. + */ + public abstract void validateIORClass(String iorClassName); + } // End of file. From f437589519e5adc5bcd839dfc27f43ca9ad803bf Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:07:57 +0100 Subject: [PATCH 099/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- corba/.jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/corba/.jcheck/conf b/corba/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/corba/.jcheck/conf +++ b/corba/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From e049d33d6f439d4ad84a54f8e1b6dceb6a1d4361 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:08:23 +0100 Subject: [PATCH 100/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- hotspot/.jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/hotspot/.jcheck/conf b/hotspot/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/hotspot/.jcheck/conf +++ b/hotspot/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From 044a24c5df8f1a514bb49c128398a3988609c94f Mon Sep 17 00:00:00 2001 From: Harold Seigel Date: Wed, 26 Jul 2017 11:45:53 -0400 Subject: [PATCH 101/269] 8180711: Better invokespecial checks Reviewed-by: acorn, ahgross, rhalade --- .../src/share/vm/interpreter/linkResolver.cpp | 24 +++++++++---------- .../src/share/vm/interpreter/linkResolver.hpp | 9 ++++--- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/hotspot/src/share/vm/interpreter/linkResolver.cpp b/hotspot/src/share/vm/interpreter/linkResolver.cpp index d7ae64effe..2d323cd7d3 100644 --- a/hotspot/src/share/vm/interpreter/linkResolver.cpp +++ b/hotspot/src/share/vm/interpreter/linkResolver.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1061,11 +1061,7 @@ void LinkResolver::resolve_special_call(CallInfo& result, const LinkInfo& link_info, TRAPS) { methodHandle resolved_method = linktime_resolve_special_method(link_info, CHECK); - runtime_resolve_special_method(result, resolved_method, - link_info.resolved_klass(), - link_info.current_klass(), - recv, - link_info.check_access(), CHECK); + runtime_resolve_special_method(result, link_info, resolved_method, recv, CHECK); } // throws linktime exceptions @@ -1148,11 +1144,11 @@ methodHandle LinkResolver::linktime_resolve_special_method(const LinkInfo& link_ // throws runtime exceptions void LinkResolver::runtime_resolve_special_method(CallInfo& result, + const LinkInfo& link_info, const methodHandle& resolved_method, - KlassHandle resolved_klass, - KlassHandle current_klass, - Handle recv, - bool check_access, TRAPS) { + Handle recv, TRAPS) { + + KlassHandle resolved_klass = link_info.resolved_klass(); // resolved method is selected method unless we have an old-style lookup // for a superclass method @@ -1160,12 +1156,13 @@ void LinkResolver::runtime_resolve_special_method(CallInfo& result, // no checks for shadowing methodHandle sel_method(THREAD, resolved_method()); - if (check_access && + if (link_info.check_access() && // check if the method is not resolved_method->name() != vmSymbols::object_initializer_name()) { - // check if this is an old-style super call and do a new lookup if so + // check if this is an old-style super call and do a new lookup if so // a) check if ACC_SUPER flag is set for the current class + KlassHandle current_klass = link_info.current_klass(); if ((current_klass->is_super() || !AllowNonVirtualCalls) && // b) check if the class of the resolved_klass is a superclass // (not supertype in order to exclude interface classes) of the current class. @@ -1185,6 +1182,9 @@ void LinkResolver::runtime_resolve_special_method(CallInfo& result, Method::name_and_sig_as_C_string(resolved_klass(), resolved_method->name(), resolved_method->signature())); + // check loader constraints if found a different method + } else if (sel_method() != resolved_method()) { + check_method_loader_constraints(link_info, sel_method, "method", CHECK); } } diff --git a/hotspot/src/share/vm/interpreter/linkResolver.hpp b/hotspot/src/share/vm/interpreter/linkResolver.hpp index 2f14496bb0..7192b8c133 100644 --- a/hotspot/src/share/vm/interpreter/linkResolver.hpp +++ b/hotspot/src/share/vm/interpreter/linkResolver.hpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -227,11 +227,10 @@ class LinkResolver: AllStatic { static methodHandle linktime_resolve_interface_method (const LinkInfo& link_info, TRAPS); static void runtime_resolve_special_method (CallInfo& result, + const LinkInfo& link_info, const methodHandle& resolved_method, - KlassHandle resolved_klass, - KlassHandle current_klass, - Handle recv, - bool check_access, TRAPS); + Handle recv, TRAPS); + static void runtime_resolve_virtual_method (CallInfo& result, const methodHandle& resolved_method, KlassHandle resolved_klass, From 6504efad2042cc779e4334cf7214adc5f0a676a4 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Fri, 30 Jun 2017 18:08:23 +0100 Subject: [PATCH 102/269] 8183297: Allow duplicate bugid for changeset in jdk9 update forest Reviewed-by: coffeys --- hotspot/.jcheck/conf | 1 + 1 file changed, 1 insertion(+) diff --git a/hotspot/.jcheck/conf b/hotspot/.jcheck/conf index 5c6f62dc12..9bd9e92741 100644 --- a/hotspot/.jcheck/conf +++ b/hotspot/.jcheck/conf @@ -1 +1,2 @@ project=jdk9 +bugids=dup From 6c292485abf53f80bed2e9b3e0b9af244f42b319 Mon Sep 17 00:00:00 2001 From: Vyom Tewari Date: Sun, 23 Jul 2017 10:33:13 +0530 Subject: [PATCH 103/269] 8182125: Improve reliability of DNS lookups Reviewed-by: chegar, rriggs, dfuchs --- .../java.base/share/classes/module-info.java | 3 +- .../jndi/dns/DNSDatagramSocketFactory.java | 246 ++++++++++++++++++ .../classes/com/sun/jndi/dns/DnsClient.java | 91 ++++--- .../com/sun/jndi/dns/ResourceRecord.java | 31 ++- 4 files changed, 325 insertions(+), 46 deletions(-) create mode 100644 jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DNSDatagramSocketFactory.java diff --git a/jdk/src/java.base/share/classes/module-info.java b/jdk/src/java.base/share/classes/module-info.java index 549fefc069..94c3355b74 100644 --- a/jdk/src/java.base/share/classes/module-info.java +++ b/jdk/src/java.base/share/classes/module-info.java @@ -214,7 +214,8 @@ module java.base { jdk.jdeps, jdk.jlink; exports sun.net to - jdk.incubator.httpclient; + jdk.incubator.httpclient, + jdk.naming.dns; exports sun.net.ext to jdk.net; exports sun.net.dns to diff --git a/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DNSDatagramSocketFactory.java b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DNSDatagramSocketFactory.java new file mode 100644 index 0000000000..04b983f692 --- /dev/null +++ b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DNSDatagramSocketFactory.java @@ -0,0 +1,246 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package com.sun.jndi.dns; + +import java.io.IOException; +import java.net.DatagramSocket; +import java.net.ProtocolFamily; +import java.net.SocketException; +import java.net.InetSocketAddress; +import java.nio.channels.DatagramChannel; +import java.util.Objects; +import java.util.Random; + +class DNSDatagramSocketFactory { + static final int DEVIATION = 3; + static final int THRESHOLD = 6; + static final int BIT_DEVIATION = 2; + static final int HISTORY = 32; + static final int MAX_RANDOM_TRIES = 5; + /** + * The dynamic allocation port range (aka ephemeral ports), as configured + * on the system. Use nested class for lazy evaluation. + */ + static final class EphemeralPortRange { + private EphemeralPortRange() {} + static final int LOWER = sun.net.PortConfig.getLower(); + static final int UPPER = sun.net.PortConfig.getUpper(); + static final int RANGE = UPPER - LOWER + 1; + } + + // Records a subset of max {@code capacity} previously used ports + static final class PortHistory { + final int capacity; + final int[] ports; + final Random random; + int index; + PortHistory(int capacity, Random random) { + this.random = random; + this.capacity = capacity; + this.ports = new int[capacity]; + } + // returns true if the history contains the specified port. + public boolean contains(int port) { + int p = 0; + for (int i=0; i thresholdCount; + if (thresholdCrossed) { + // Underlying stack does not support random UDP port out of the box. + // Use our own algorithm to allocate a random UDP port + s = openRandom(); + if (s != null) return s; + + // couldn't allocate a random port: reset all counters and fall + // through. + unsuitablePortCount = 0; suitablePortCount = 0; lastseen = 0; + } + + // Allocate an ephemeral port (port 0) + s = openDefault(); + lastport = s.getLocalPort(); + if (lastseen == 0) { + history.offer(lastport); + return s; + } + + thresholdCrossed = suitablePortCount > thresholdCount; + boolean farEnough = Integer.bitCount(lastseen ^ lastport) > BIT_DEVIATION + && Math.abs(lastport - lastseen) > deviation; + boolean recycled = history.contains(lastport); + boolean suitable = (thresholdCrossed || farEnough && !recycled); + if (suitable && !recycled) history.add(lastport); + + if (suitable) { + if (!thresholdCrossed) { + suitablePortCount++; + } else if (!farEnough || recycled) { + unsuitablePortCount = 1; + suitablePortCount = thresholdCount/2; + } + // Either the underlying stack supports random UDP port allocation, + // or the new port is sufficiently distant from last port to make + // it look like it is. Let's use it. + return s; + } + + // Undecided... the new port was too close. Let's allocate a random + // port using our own algorithm + assert !thresholdCrossed; + DatagramSocket ss = openRandom(); + if (ss == null) return s; + unsuitablePortCount++; + s.close(); + return ss; + } + + private DatagramSocket openDefault() throws SocketException { + if (family != null) { + try { + DatagramChannel c = DatagramChannel.open(family); + try { + DatagramSocket s = c.socket(); + s.bind(null); + return s; + } catch (Throwable x) { + c.close(); + throw x; + } + } catch (SocketException x) { + throw x; + } catch (IOException x) { + SocketException e = new SocketException(x.getMessage()); + e.initCause(x); + throw e; + } + } + return new DatagramSocket(); + } + + synchronized boolean isUsingNativePortRandomization() { + return unsuitablePortCount <= thresholdCount + && suitablePortCount > thresholdCount; + } + + synchronized boolean isUsingJavaPortRandomization() { + return unsuitablePortCount > thresholdCount ; + } + + synchronized boolean isUndecided() { + return !isUsingJavaPortRandomization() + && !isUsingNativePortRandomization(); + } + + private DatagramSocket openRandom() { + int maxtries = MAX_RANDOM_TRIES; + while (maxtries-- > 0) { + int port = EphemeralPortRange.LOWER + + random.nextInt(EphemeralPortRange.RANGE); + try { + if (family != null) { + DatagramChannel c = DatagramChannel.open(family); + try { + DatagramSocket s = c.socket(); + s.bind(new InetSocketAddress(port)); + return s; + } catch (Throwable x) { + c.close(); + throw x; + } + } + return new DatagramSocket(port); + } catch (IOException x) { + // try again until maxtries == 0; + } + } + return null; + } + +} diff --git a/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsClient.java b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsClient.java index 90ed8ef965..a4259fade2 100644 --- a/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsClient.java +++ b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsClient.java @@ -85,7 +85,9 @@ public class DnsClient { private int timeout; // initial timeout on UDP queries in ms private int retries; // number of UDP retries - private DatagramSocket udpSocket; + private final Object udpSocketLock = new Object(); + private static final DNSDatagramSocketFactory factory = + new DNSDatagramSocketFactory(random); // Requests sent private Map reqs; @@ -105,14 +107,6 @@ public class DnsClient { throws NamingException { this.timeout = timeout; this.retries = retries; - try { - udpSocket = new DatagramSocket(); - } catch (java.net.SocketException e) { - NamingException ne = new ConfigurationException(); - ne.setRootCause(e); - throw ne; - } - this.servers = new InetAddress[servers.length]; serverPorts = new int[servers.length]; @@ -142,6 +136,16 @@ public class DnsClient { resps = Collections.synchronizedMap(new HashMap()); } + DatagramSocket getDatagramSocket() throws NamingException { + try { + return factory.open(); + } catch (java.net.SocketException e) { + NamingException ne = new ConfigurationException(); + ne.setRootCause(e); + throw ne; + } + } + @SuppressWarnings("deprecation") protected void finalize() { close(); @@ -151,7 +155,6 @@ public class DnsClient { private Object queuesLock = new Object(); public void close() { - udpSocket.close(); synchronized (queuesLock) { reqs.clear(); resps.clear(); @@ -393,43 +396,45 @@ public class DnsClient { int minTimeout = 50; // msec after which there are no retries. - synchronized (udpSocket) { - DatagramPacket opkt = new DatagramPacket( - pkt.getData(), pkt.length(), server, port); - DatagramPacket ipkt = new DatagramPacket(new byte[8000], 8000); - // Packets may only be sent to or received from this server address - udpSocket.connect(server, port); - int pktTimeout = (timeout * (1 << retry)); - try { - udpSocket.send(opkt); + synchronized (udpSocketLock) { + try (DatagramSocket udpSocket = getDatagramSocket()) { + DatagramPacket opkt = new DatagramPacket( + pkt.getData(), pkt.length(), server, port); + DatagramPacket ipkt = new DatagramPacket(new byte[8000], 8000); + // Packets may only be sent to or received from this server address + udpSocket.connect(server, port); + int pktTimeout = (timeout * (1 << retry)); + try { + udpSocket.send(opkt); - // timeout remaining after successive 'receive()' - int timeoutLeft = pktTimeout; - int cnt = 0; - do { - if (debug) { - cnt++; - dprint("Trying RECEIVE(" + - cnt + ") retry(" + (retry + 1) + - ") for:" + xid + " sock-timeout:" + - timeoutLeft + " ms."); - } - udpSocket.setSoTimeout(timeoutLeft); - long start = System.currentTimeMillis(); - udpSocket.receive(ipkt); - long end = System.currentTimeMillis(); + // timeout remaining after successive 'receive()' + int timeoutLeft = pktTimeout; + int cnt = 0; + do { + if (debug) { + cnt++; + dprint("Trying RECEIVE(" + + cnt + ") retry(" + (retry + 1) + + ") for:" + xid + " sock-timeout:" + + timeoutLeft + " ms."); + } + udpSocket.setSoTimeout(timeoutLeft); + long start = System.currentTimeMillis(); + udpSocket.receive(ipkt); + long end = System.currentTimeMillis(); - byte[] data = ipkt.getData(); - if (isMatchResponse(data, xid)) { - return data; - } - timeoutLeft = pktTimeout - ((int) (end - start)); - } while (timeoutLeft > minTimeout); + byte[] data = ipkt.getData(); + if (isMatchResponse(data, xid)) { + return data; + } + timeoutLeft = pktTimeout - ((int) (end - start)); + } while (timeoutLeft > minTimeout); - } finally { - udpSocket.disconnect(); + } finally { + udpSocket.disconnect(); + } + return null; // no matching packet received within the timeout } - return null; // no matching packet received within the timeout } } diff --git a/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/ResourceRecord.java b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/ResourceRecord.java index d155696bfc..2d219073f3 100644 --- a/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/ResourceRecord.java +++ b/jdk/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/ResourceRecord.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -355,8 +355,19 @@ public class ResourceRecord { pos += typeAndLen; } else if ((typeAndLen & 0xC0) == 0xC0) { // name compression ++level; - endPos = pos + 2; + // cater for the case where the name pointed to is itself + // compressed: we don't want endPos to be reset by the second + // compression level. + int ppos = pos; + if (endPos == -1) endPos = pos + 2; pos = getUShort(pos) & 0x3FFF; + if (debug) { + dprint("decode: name compression at " + ppos + + " -> " + pos + " endPos=" + endPos); + assert endPos > 0; + assert pos < ppos; + assert pos >= Header.HEADER_SIZE; + } } else throw new IOException("Invalid label type: " + typeAndLen); } @@ -405,6 +416,11 @@ public class ResourceRecord { } } // Unknown RR type/class + if (debug) { + dprint("Unknown RR type for RR data: " + rrtype + " rdlen=" + rdlen + + ", pos=" + pos +", msglen=" + msg.length + ", remaining=" + + (msg.length-pos)); + } byte[] rd = new byte[rdlen]; System.arraycopy(msg, pos, rd, 0, rdlen); return rd; @@ -613,4 +629,15 @@ public class ResourceRecord { return sb.toString(); } + + //------------------------------------------------------------------------- + + private static final boolean debug = false; + + private static void dprint(String mess) { + if (debug) { + System.err.println("DNS: " + mess); + } + } + } From 02079b5f535f0a5f3e072d7042d84c10e167d40b Mon Sep 17 00:00:00 2001 From: Pavel Rappo Date: Wed, 26 Jul 2017 17:44:06 +0100 Subject: [PATCH 104/269] 8181612: More stable connection processing Reviewed-by: chegar, coffeys, ahgross, joehw, rhalade --- .../java.base/share/classes/sun/net/ftp/impl/FtpClient.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java b/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java index 7180884ec6..21994bde72 100644 --- a/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java +++ b/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java @@ -115,8 +115,8 @@ public class FtpClient extends sun.net.ftp.FtpClient { new PrivilegedAction() { public Object run() { - vals[0] = Integer.getInteger("sun.net.client.defaultReadTimeout", 0).intValue(); - vals[1] = Integer.getInteger("sun.net.client.defaultConnectTimeout", 0).intValue(); + vals[0] = Integer.getInteger("sun.net.client.defaultReadTimeout", 300_000).intValue(); + vals[1] = Integer.getInteger("sun.net.client.defaultConnectTimeout", 300_000).intValue(); encs[0] = System.getProperty("file.encoding", "ISO8859_1"); return null; } From 32deb980d2f86f4f79536d01d24e94076c3f19c1 Mon Sep 17 00:00:00 2001 From: Adam Petcher Date: Fri, 28 Jul 2017 18:20:43 +0000 Subject: [PATCH 105/269] 8182387: Improve PKCS usage Reviewed-by: valeriep --- .../classes/sun/security/util/DerValue.java | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/util/DerValue.java b/jdk/src/java.base/share/classes/sun/security/util/DerValue.java index 4f48cdce7b..a08ce522dd 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/DerValue.java +++ b/jdk/src/java.base/share/classes/sun/security/util/DerValue.java @@ -490,20 +490,27 @@ public class DerValue { * @return the octet string held in this DER value */ public byte[] getOctetString() throws IOException { - byte[] bytes; if (tag != tag_OctetString && !isConstructed(tag_OctetString)) { throw new IOException( "DerValue.getOctetString, not an Octet String: " + tag); } - bytes = new byte[length]; - // Note: do not tempt to call buffer.read(bytes) at all. There's a + // Note: do not attempt to call buffer.read(bytes) at all. There's a // known bug that it returns -1 instead of 0. if (length == 0) { - return bytes; + return new byte[0]; } - if (buffer.read(bytes) != length) + + // Only allocate the array if there are enough bytes available. + // This only works for ByteArrayInputStream. + // The assignment below ensures that buffer has the required type. + ByteArrayInputStream arrayInput = buffer; + if (arrayInput.available() < length) { throw new IOException("short read on DerValue buffer"); + } + byte[] bytes = new byte[length]; + arrayInput.read(bytes); + if (isConstructed()) { DerInputStream in = new DerInputStream(bytes, 0, bytes.length, buffer.allowBER); From 426331a51da958dd2eb3078fb017e2b9eeb41bf1 Mon Sep 17 00:00:00 2001 From: Stuart Marks Date: Wed, 2 Aug 2017 10:34:35 -0700 Subject: [PATCH 106/269] 8174109: Better queuing priorities Reviewed-by: chegar, dfuchs, rriggs, alanb, robm, rhalade, jeff, ahgross --- .../classes/java/io/ObjectInputStream.java | 32 ++++++++++++++ .../share/classes/java/util/ArrayDeque.java | 2 + .../share/classes/java/util/ArrayList.java | 4 +- .../share/classes/java/util/HashMap.java | 7 +++- .../share/classes/java/util/HashSet.java | 10 ++++- .../share/classes/java/util/Hashtable.java | 7 +++- .../classes/java/util/IdentityHashMap.java | 7 +++- .../java/util/ImmutableCollections.java | 2 + .../classes/java/util/PriorityQueue.java | 4 +- .../share/classes/java/util/Properties.java | 11 +++++ .../util/concurrent/CopyOnWriteArrayList.java | 2 + .../misc/JavaObjectInputStreamAccess.java | 15 +++---- .../misc/ObjectStreamClassValidator.java | 42 ------------------- .../jdk/internal/misc/SharedSecrets.java | 12 ++++++ .../serialFilter/SerialFilterTest.java | 10 ++++- 15 files changed, 107 insertions(+), 60 deletions(-) delete mode 100644 jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index 8310b65d9f..0df61e24c5 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -44,6 +44,7 @@ import java.util.concurrent.ConcurrentMap; import static java.io.ObjectStreamClass.processQueue; +import jdk.internal.misc.SharedSecrets; import jdk.internal.misc.Unsafe; import sun.reflect.misc.ReflectUtil; @@ -1280,6 +1281,33 @@ public class ObjectInputStream } } + /** + * Checks the given array type and length to ensure that creation of such + * an array is permitted by this ObjectInputStream. The arrayType argument + * must represent an actual array type. + * + * This private method is called via SharedSecrets. + * + * @param arrayType the array type + * @param arrayLength the array length + * @throws NullPointerException if arrayType is null + * @throws IllegalArgumentException if arrayType isn't actually an array type + * @throws NegativeArraySizeException if arrayLength is negative + * @throws InvalidClassException if the filter rejects creation + */ + private void checkArray(Class arrayType, int arrayLength) throws InvalidClassException { + Objects.requireNonNull(arrayType); + if (! arrayType.isArray()) { + throw new IllegalArgumentException("not an array type"); + } + + if (arrayLength < 0) { + throw new NegativeArraySizeException(); + } + + filterCheck(arrayType, arrayLength); + } + /** * Provide access to the persistent fields read from the input stream. */ @@ -3976,4 +4004,8 @@ public class ObjectInputStream throw new AssertionError(); } } + + static { + SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray); + } } diff --git a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java index 53cdeffa84..9556e90d3a 100644 --- a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java +++ b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java @@ -38,6 +38,7 @@ import java.io.Serializable; import java.util.function.Consumer; import java.util.function.Predicate; import java.util.function.UnaryOperator; +import jdk.internal.misc.SharedSecrets; /** * Resizable-array implementation of the {@link Deque} interface. Array @@ -1195,6 +1196,7 @@ public class ArrayDeque extends AbstractCollection // Read in size and allocate array int size = s.readInt(); + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size + 1); elements = new Object[size + 1]; this.tail = size; diff --git a/jdk/src/java.base/share/classes/java/util/ArrayList.java b/jdk/src/java.base/share/classes/java/util/ArrayList.java index f63ef493dc..25ca76d8a0 100644 --- a/jdk/src/java.base/share/classes/java/util/ArrayList.java +++ b/jdk/src/java.base/share/classes/java/util/ArrayList.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ package java.util; import java.util.function.Consumer; import java.util.function.Predicate; import java.util.function.UnaryOperator; +import jdk.internal.misc.SharedSecrets; /** * Resizable-array implementation of the {@code List} interface. Implements @@ -816,6 +817,7 @@ public class ArrayList extends AbstractList if (size > 0) { // like clone(), allocate array based upon size not capacity + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size); Object[] elements = new Object[size]; // Read in all elements in the proper order. diff --git a/jdk/src/java.base/share/classes/java/util/HashMap.java b/jdk/src/java.base/share/classes/java/util/HashMap.java index 4f0e8e6c7d..085a688aa8 100644 --- a/jdk/src/java.base/share/classes/java/util/HashMap.java +++ b/jdk/src/java.base/share/classes/java/util/HashMap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,6 +34,7 @@ import java.util.function.BiConsumer; import java.util.function.BiFunction; import java.util.function.Consumer; import java.util.function.Function; +import jdk.internal.misc.SharedSecrets; /** * Hash table based implementation of the {@code Map} interface. This @@ -1444,6 +1445,10 @@ public class HashMap extends AbstractMap float ft = (float)cap * lf; threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ? (int)ft : Integer.MAX_VALUE); + + // Check Map.Entry[].class since it's the nearest public type to + // what we're actually creating. + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, cap); @SuppressWarnings({"rawtypes","unchecked"}) Node[] tab = (Node[])new Node[cap]; table = tab; diff --git a/jdk/src/java.base/share/classes/java/util/HashSet.java b/jdk/src/java.base/share/classes/java/util/HashSet.java index 360de8119d..ec47b914b6 100644 --- a/jdk/src/java.base/share/classes/java/util/HashSet.java +++ b/jdk/src/java.base/share/classes/java/util/HashSet.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package java.util; import java.io.InvalidObjectException; +import jdk.internal.misc.SharedSecrets; /** * This class implements the {@code Set} interface, backed by a hash table @@ -322,6 +323,13 @@ public class HashSet capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f), HashMap.MAXIMUM_CAPACITY); + // Constructing the backing map will lazily create an array when the first element is + // added, so check it before construction. Call HashMap.tableSizeFor to compute the + // actual allocation size. Check Map.Entry[].class since it's the nearest public type to + // what is actually created. + SharedSecrets.getJavaObjectInputStreamAccess() + .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity)); + // Create backing HashMap map = (((HashSet)this) instanceof LinkedHashSet ? new LinkedHashMap<>(capacity, loadFactor) : diff --git a/jdk/src/java.base/share/classes/java/util/Hashtable.java b/jdk/src/java.base/share/classes/java/util/Hashtable.java index f97303be2b..77f0facc51 100644 --- a/jdk/src/java.base/share/classes/java/util/Hashtable.java +++ b/jdk/src/java.base/share/classes/java/util/Hashtable.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import java.io.*; import java.util.function.BiConsumer; import java.util.function.Function; import java.util.function.BiFunction; +import jdk.internal.misc.SharedSecrets; /** * This class implements a hash table, which maps keys to values. Any @@ -1291,6 +1292,10 @@ public class Hashtable if (length > elements && (length & 1) == 0) length--; length = Math.min(length, origlength); + + // Check Map.Entry[].class since it's the nearest public type to + // what we're actually creating. + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, length); table = new Entry[length]; threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1); count = 0; diff --git a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java index f749774e78..e48cb354c6 100644 --- a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java +++ b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import java.lang.reflect.Array; import java.util.function.BiConsumer; import java.util.function.BiFunction; import java.util.function.Consumer; +import jdk.internal.misc.SharedSecrets; /** * This class implements the {@code Map} interface with a hash table, using @@ -1304,7 +1305,9 @@ public class IdentityHashMap if (size < 0) throw new java.io.StreamCorruptedException ("Illegal mappings count: " + size); - init(capacity(size)); + int cap = capacity(size); + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, cap); + init(cap); // Read the keys and values, and put the mappings in the table for (int i=0; i extends AbstractQueue // Read in (and discard) array length s.readInt(); + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size); queue = new Object[size]; // Read in all elements. diff --git a/jdk/src/java.base/share/classes/java/util/Properties.java b/jdk/src/java.base/share/classes/java/util/Properties.java index 0b117686ce..8e03ec7627 100644 --- a/jdk/src/java.base/share/classes/java/util/Properties.java +++ b/jdk/src/java.base/share/classes/java/util/Properties.java @@ -42,6 +42,7 @@ import java.util.function.BiConsumer; import java.util.function.BiFunction; import java.util.function.Function; +import jdk.internal.misc.SharedSecrets; import jdk.internal.util.xml.PropertiesDefaultHandler; /** @@ -1442,6 +1443,16 @@ class Properties extends Hashtable { throw new StreamCorruptedException("Illegal # of Elements: " + elements); } + // Constructing the backing map will lazily create an array when the first element is + // added, so check it before construction. Note that CHM's constructor takes a size + // that is the number of elements to be stored -- not the table size -- so it must be + // inflated by the default load factor of 0.75, then inflated to the next power of two. + // (CHM uses the same power-of-two computation as HashMap, and HashMap.tableSizeFor is + // accessible here.) Check Map.Entry[].class since it's the nearest public type to + // what is actually created. + SharedSecrets.getJavaObjectInputStreamAccess() + .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor((int)(elements / 0.75))); + // create CHM of appropriate capacity map = new ConcurrentHashMap<>(elements); diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java index 592f9a51cd..ad66f47e27 100644 --- a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java +++ b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java @@ -51,6 +51,7 @@ import java.util.Spliterators; import java.util.function.Consumer; import java.util.function.Predicate; import java.util.function.UnaryOperator; +import jdk.internal.misc.SharedSecrets; /** * A thread-safe variant of {@link java.util.ArrayList} in which all mutative @@ -933,6 +934,7 @@ public class CopyOnWriteArrayList // Read in array length and allocate array int len = s.readInt(); + SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, len); Object[] elements = new Object[len]; // Read in all elements in the proper order. diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java index c344f8adc7..4c734670da 100644 --- a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java +++ b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,17 +25,14 @@ package jdk.internal.misc; +import java.io.InvalidClassException; import java.io.ObjectInputStream; /** - * The interface to specify methods for accessing {@code ObjectInputStream} - * @author sjiang + * Interface to specify methods for accessing {@code ObjectInputStream}. */ +@FunctionalInterface public interface JavaObjectInputStreamAccess { - /** - * Sets a descriptor validating. - * @param ois stream to have the descriptors validated - * @param validator validator used to validate a descriptor. - */ - public void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator); + void checkArray(ObjectInputStream ois, Class arrayType, int arrayLength) + throws InvalidClassException; } diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java b/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java deleted file mode 100644 index 2b543a3072..0000000000 --- a/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -package jdk.internal.misc; - -import java.io.ObjectStreamClass; - -/** - * A callback used by {@code ObjectInputStream} to do descriptor validation. - * - * @author sjiang - */ -public interface ObjectStreamClassValidator { - /** - * This method will be called by ObjectInputStream to - * check a descriptor just before creating an object described by this descriptor. - * The object will not be created if this method throws a {@code RuntimeException}. - * @param descriptor descriptor to be checked. - */ - public void validateDescriptor(ObjectStreamClass descriptor); -} diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java index 078e5018cc..cd54d422c2 100644 --- a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +++ b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java @@ -69,6 +69,7 @@ public class SharedSecrets { private static JavaAWTAccess javaAWTAccess; private static JavaAWTFontAccess javaAWTFontAccess; private static JavaBeansAccess javaBeansAccess; + private static JavaObjectInputStreamAccess javaObjectInputStreamAccess; private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; public static JavaUtilJarAccess javaUtilJarAccess() { @@ -303,6 +304,17 @@ public class SharedSecrets { javaUtilResourceBundleAccess = access; } + public static JavaObjectInputStreamAccess getJavaObjectInputStreamAccess() { + if (javaObjectInputStreamAccess == null) { + unsafe.ensureClassInitialized(ObjectInputStream.class); + } + return javaObjectInputStreamAccess; + } + + public static void setJavaObjectInputStreamAccess(JavaObjectInputStreamAccess access) { + javaObjectInputStreamAccess = access; + } + public static void setJavaIORandomAccessFileAccess(JavaIORandomAccessFileAccess jirafa) { javaIORandomAccessFileAccess = jirafa; } diff --git a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java index 5ce44eba56..362df99767 100644 --- a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java +++ b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java @@ -36,9 +36,11 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Proxy; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; import java.util.HashSet; import java.util.Hashtable; import java.util.List; +import java.util.Map; import java.util.concurrent.atomic.LongAdder; import javax.net.ssl.SSLEngineResult; @@ -165,6 +167,11 @@ public class SerialFilterTest implements Serializable { interfaces, (p, m, args) -> p); Runnable runnable = (Runnable & Serializable) SerialFilterTest::noop; + + List> classList = new ArrayList<>(); + classList.add(HashSet.class); + classList.addAll(Collections.nCopies(21, Map.Entry[].class)); + Object[][] objects = { { null, 0, -1, 0, 0, 0, Arrays.asList()}, // no callback, no values @@ -184,8 +191,7 @@ public class SerialFilterTest implements Serializable { objArray.getClass(), SerialFilterTest.class, java.lang.invoke.SerializedLambda.class)}, - { deepHashSet(10), 48, -1, 50, 11, 619, - Arrays.asList(HashSet.class)}, + { deepHashSet(10), 69, 4, 50, 11, 619, classList }, { proxy.getClass(), 3, -1, 2, 2, 112, Arrays.asList(Runnable.class, java.lang.reflect.Proxy.class, From a7bbfe4af90e62aa9aec53591c8fdb0c4a6cfa45 Mon Sep 17 00:00:00 2001 From: Naoto Sato Date: Tue, 8 Aug 2017 10:43:07 -0700 Subject: [PATCH 107/269] 8182601: Improve usage messages Reviewed-by: alanb, ahgross, ksrini, mchung --- jdk/src/java.base/share/classes/java/util/ResourceBundle.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/java.base/share/classes/java/util/ResourceBundle.java b/jdk/src/java.base/share/classes/java/util/ResourceBundle.java index 340b53353d..dfc8baf2ed 100644 --- a/jdk/src/java.base/share/classes/java/util/ResourceBundle.java +++ b/jdk/src/java.base/share/classes/java/util/ResourceBundle.java @@ -571,7 +571,7 @@ public abstract class ResourceBundle { */ private static ClassLoader getLoaderForControl(Module module) { ClassLoader loader = getLoader(module); - return loader == null ? ClassLoader.getSystemClassLoader() : loader; + return loader == null ? ClassLoader.getPlatformClassLoader() : loader; } /** From 3bf457e5cbbacba755583baa90967363d5148697 Mon Sep 17 00:00:00 2001 From: Sreeprakash Sreedharan Date: Mon, 14 Aug 2017 15:32:25 +0530 Subject: [PATCH 108/269] 8184937: LCMS error 13: Couldn't link the profiles Reviewed-by: prr --- jdk/src/java.desktop/share/native/liblcms/cmstypes.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c index 95fe4d1a5a..ebf81c83b3 100644 --- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c +++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c @@ -4464,12 +4464,6 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error; if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error; - if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) { - if (NewLUT != NULL) cmsPipelineFree(NewLUT); - *nItems = 0; - return NULL; - } - // Success *nItems = 1; return NewLUT; From 279526a4c532bf94861b82bcfcb6f27da5684014 Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Thu, 24 Aug 2017 19:18:51 +0000 Subject: [PATCH 109/269] 8186212: Improve GSS handling Reviewed-by: weijun, ahgross --- .../share/native/libj2gss/GSSLibStub.c | 36 ++++++++++++------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/jdk/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c b/jdk/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c index b5abb9c086..4e1f8445b9 100644 --- a/jdk/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c +++ b/jdk/src/java.security.jgss/share/native/libj2gss/GSSLibStub.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -830,7 +830,7 @@ Java_sun_security_jgss_wrapper_GSSLibStub_initContext(JNIEnv *env, { OM_uint32 minor, major; gss_cred_id_t credHdl ; - gss_ctx_id_t contextHdl; + gss_ctx_id_t contextHdl, contextHdlSave; gss_name_t targetName; gss_OID mech; OM_uint32 flags, aFlags; @@ -847,7 +847,7 @@ Java_sun_security_jgss_wrapper_GSSLibStub_initContext(JNIEnv *env, TRACE0("[GSSLibStub_initContext]"); credHdl = (gss_cred_id_t) jlong_to_ptr(pCred); - contextHdl = (gss_ctx_id_t) jlong_to_ptr( + contextHdl = contextHdlSave = (gss_ctx_id_t) jlong_to_ptr( (*env)->GetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext)); targetName = (gss_name_t) jlong_to_ptr(pName); mech = (gss_OID) jlong_to_ptr((*env)->GetLongField(env, jobj, FID_GSSLibStub_pMech)); @@ -882,10 +882,17 @@ Java_sun_security_jgss_wrapper_GSSLibStub_initContext(JNIEnv *env, TRACE2("[GSSLibStub_initContext] after: pContext=%ld, outToken len=%ld", (long)contextHdl, (long)outToken.length); + // update context handle with the latest value if changed + // this is to work with both MIT and Solaris. Former deletes half-built + // context if error occurs + if (contextHdl != contextHdlSave) { + (*env)->SetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext, + ptr_to_jlong(contextHdl)); + TRACE1("[GSSLibStub_initContext] set pContext=%ld", (long)contextHdl); + } + if (GSS_ERROR(major) == GSS_S_COMPLETE) { /* update member values if needed */ - (*env)->SetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext, - ptr_to_jlong(contextHdl)); (*env)->SetIntField(env, jcontextSpi, FID_NativeGSSContext_flags, aFlags); TRACE1("[GSSLibStub_initContext] set flags=0x%x", aFlags); @@ -939,7 +946,7 @@ Java_sun_security_jgss_wrapper_GSSLibStub_acceptContext(JNIEnv *env, { OM_uint32 minor, major; OM_uint32 minor2, major2; - gss_ctx_id_t contextHdl; + gss_ctx_id_t contextHdl, contextHdlSave; gss_cred_id_t credHdl; gss_buffer_desc inToken; gss_channel_bindings_t cb; @@ -959,7 +966,7 @@ Java_sun_security_jgss_wrapper_GSSLibStub_acceptContext(JNIEnv *env, TRACE0("[GSSLibStub_acceptContext]"); - contextHdl = (gss_ctx_id_t)jlong_to_ptr( + contextHdl = contextHdlSave = (gss_ctx_id_t)jlong_to_ptr( (*env)->GetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext)); credHdl = (gss_cred_id_t) jlong_to_ptr(pCred); initGSSBuffer(env, jinToken, &inToken); @@ -996,19 +1003,22 @@ Java_sun_security_jgss_wrapper_GSSLibStub_acceptContext(JNIEnv *env, TRACE3("[GSSLibStub_acceptContext] after: pCred=%ld, pContext=%ld, pDelegCred=%ld", (long)credHdl, (long)contextHdl, (long) delCred); + // update context handle with the latest value if changed + // this is to work with both MIT and Solaris. Former deletes half-built + // context if error occurs + if (contextHdl != contextHdlSave) { + (*env)->SetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext, + ptr_to_jlong(contextHdl)); + TRACE1("[GSSLibStub_acceptContext] set pContext=%ld", (long)contextHdl); + } + if (GSS_ERROR(major) == GSS_S_COMPLETE) { /* update member values if needed */ - (*env)->SetLongField(env, jcontextSpi, FID_NativeGSSContext_pContext, - ptr_to_jlong(contextHdl)); - TRACE1("[GSSLibStub_acceptContext] set pContext=%ld", - (long)contextHdl); - // WORKAROUND for a Heimdal bug if (delCred == GSS_C_NO_CREDENTIAL) { aFlags &= 0xfffffffe; } (*env)->SetIntField(env, jcontextSpi, FID_NativeGSSContext_flags, aFlags); - TRACE1("[GSSLibStub_acceptContext] set flags=0x%x", aFlags); if (setTarget) { From 0f7654bf0496e602db87b7d17c9fb2203ec3c75f Mon Sep 17 00:00:00 2001 From: Valerie Peng Date: Thu, 31 Aug 2017 21:44:19 +0000 Subject: [PATCH 110/269] 8178466: Better RSA parameters Reviewed-by: mullan, ahgross --- .../share/classes/sun/security/tools/keytool/Main.java | 3 +-- .../classes/sun/security/util/SecurityProviderConstants.java | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java index f9188dd787..19c419394e 100644 --- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java @@ -1788,8 +1788,7 @@ public final class Main { } else if ("RSA".equalsIgnoreCase(keyAlgName)) { keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE; } else if ("DSA".equalsIgnoreCase(keyAlgName)) { - // hardcode for now as DEF_DSA_KEY_SIZE is still 1024 - keysize = 2048; // SecurityProviderConstants.DEF_DSA_KEY_SIZE; + keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE; } } diff --git a/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java index 16499519b5..2631558c9e 100644 --- a/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java +++ b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java @@ -64,7 +64,7 @@ public final class SecurityProviderConstants { static { String keyLengthStr = GetPropertyAction.privilegedGetProperty (KEY_LENGTH_PROP); - int dsaKeySize = 1024; + int dsaKeySize = 2048; int rsaKeySize = 2048; int dhKeySize = 2048; int ecKeySize = 256; From 4cceb05ef13998100132b6dca005ef0d23de861c Mon Sep 17 00:00:00 2001 From: Mark Sheppard Date: Sun, 3 Sep 2017 16:09:24 +0100 Subject: [PATCH 111/269] 8160104: CORBA communication improvements Reviewed-by: rriggs, dfuchs --- .../share/conf/security/java.security | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security index 5ddf619881..18e8a7b612 100644 --- a/jdk/src/java.base/share/conf/security/java.security +++ b/jdk/src/java.base/share/conf/security/java.security @@ -975,3 +975,24 @@ jdk.xml.dsig.secureValidationPolicy=\ # java.rmi.dgc.VMID;\ # java.rmi.dgc.Lease;\ # maxdepth=5;maxarray=10000 + +# CORBA ORBIorTypeCheckRegistryFilter +# Type check enhancement for ORB::string_to_object processing +# +# An IOR type check filter, if configured, is used by an ORB during +# an ORB::string_to_object invocation to check the veracity of the type encoded +# in the ior string. +# +# The filter pattern consists of a semi-colon separated list of class names. +# The configured list contains the binary class names of the IDL interface types +# corresponding to the IDL stub class to be instantiated. +# As such, a filter specifies a list of IDL stub classes that will be +# allowed by an ORB when an ORB::string_to_object is invoked. +# It is used to specify a white list configuration of acceptable +# IDL stub types which may be contained in a stringified IOR +# parameter passed as input to an ORB::string_to_object method. +# +# Note: This property is currently used by the JDK Reference implementation. +# It is not guaranteed to be examined and used by other implementations. +# +#com.sun.CORBA.ORBIorTypeCheckRegistryFilter=binary_class_name;binary_class_name From 62a06f522c2586e35b853d277e5bbbe08790d748 Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Mon, 4 Sep 2017 19:33:44 +0100 Subject: [PATCH 112/269] 8178449: Improve LDAP logins Reviewed-by: mullan, asmotrak --- .../security/auth/module/LdapLoginModule.java | 63 +++++++++++++++++-- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java b/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java index 29fb8d4e09..636d96f40c 100644 --- a/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java +++ b/jdk/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java @@ -737,7 +737,8 @@ public class LdapLoginModule implements LoginModule { if (authFirst || authOnly) { - String id = replaceUsernameToken(identityMatcher, authcIdentity); + String id = + replaceUsernameToken(identityMatcher, authcIdentity, username); // Prepare to bind using user's username and password ldapEnvironment.put(Context.SECURITY_CREDENTIALS, password); @@ -864,8 +865,13 @@ public class LdapLoginModule implements LoginModule { } try { - NamingEnumeration results = ctx.search("", - replaceUsernameToken(filterMatcher, userFilter), constraints); + // Sanitize username and substitute into LDAP filter + String canonicalUserFilter = + replaceUsernameToken(filterMatcher, userFilter, + escapeUsernameChars()); + + NamingEnumeration results = + ctx.search("", canonicalUserFilter, constraints); // Extract the distinguished name of the user's entry // (Use the first entry if more than one is returned) @@ -912,13 +918,62 @@ public class LdapLoginModule implements LoginModule { } } + /** + * Modify the supplied username to encode characters that must be escaped + * according to RFC 4515: LDAP: String Representation of Search Filters. + * + * The following characters are encoded as a backslash "\" (ASCII 0x5c) + * followed by the two hexadecimal digits representing the value of the + * escaped character: + * '*' (ASCII 0x2a) + * '(' (ASCII 0x28) + * ')' (ASCII 0x29) + * '\' (ASCII 0x5c) + * '\0'(ASCII 0x00) + * + * @return the modified username with its characters escaped as needed + */ + private String escapeUsernameChars() { + int len = username.length(); + StringBuilder escapedUsername = new StringBuilder(len + 16); + + for (int i = 0; i < len; i++) { + char c = username.charAt(i); + switch (c) { + case '*': + escapedUsername.append("\\\\2A"); + break; + case '(': + escapedUsername.append("\\\\28"); + break; + case ')': + escapedUsername.append("\\\\29"); + break; + case '\\': + escapedUsername.append("\\\\5C"); + break; + case '\0': + escapedUsername.append("\\\\00"); + break; + default: + escapedUsername.append(c); + } + } + + return escapedUsername.toString(); + } + + /** * Replace the username token * + * @param matcher the replacement pattern * @param string the target string + * @param username the supplied username * @return the modified string */ - private String replaceUsernameToken(Matcher matcher, String string) { + private String replaceUsernameToken(Matcher matcher, String string, + String username) { return matcher != null ? matcher.replaceAll(username) : string; } From 03e3219a030e7d0e61cd842b772e4f8f69afe55c Mon Sep 17 00:00:00 2001 From: Vinnie Ryan Date: Tue, 5 Sep 2017 15:53:33 +0100 Subject: [PATCH 113/269] 8181670: Improve implementation of keystores Reviewed-by: mullan --- .../native/libosxsecurity/KeystoreImpl.m | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/jdk/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/jdk/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m index cdc39aa792..fceaff1193 100644 --- a/jdk/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m +++ b/jdk/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -433,6 +433,11 @@ JNIEXPORT jbyteArray JNICALL Java_apple_security_KeychainStore__1getEncodedKeyDa goto errOut; } passwordStrRef = CFStringCreateWithCharacters(kCFAllocatorDefault, passwordChars, passwordLen); + + // clear the password and release + memset(passwordChars, 0, passwordLen); + (*env)->ReleaseCharArrayElements(env, passwordObj, passwordChars, + JNI_ABORT); } } @@ -519,8 +524,19 @@ JNF_COCOA_ENTER(env); if (passwordObj) { passwordLen = (*env)->GetArrayLength(env, passwordObj); - passwordChars = (*env)->GetCharArrayElements(env, passwordObj, NULL); - passwordStrRef = CFStringCreateWithCharacters(kCFAllocatorDefault, passwordChars, passwordLen); + + if (passwordLen > 0) { + passwordChars = (*env)->GetCharArrayElements(env, passwordObj, NULL); + if (passwordChars == NULL) { + goto errOut; + } + passwordStrRef = CFStringCreateWithCharacters(kCFAllocatorDefault, passwordChars, passwordLen); + + // clear the password and release + memset(passwordChars, 0, passwordLen); + (*env)->ReleaseCharArrayElements(env, passwordObj, passwordChars, + JNI_ABORT); + } } paramBlock.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; From c6c25fd89eba31353163a9740d46a66b16536ace Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Thu, 14 Sep 2017 07:45:53 +0800 Subject: [PATCH 114/269] 8178458: Better use of certificates in LDAP Reviewed-by: vinnie, asmotrak --- .../sun/security/provider/certpath/ldap/LDAPCertStore.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java index 00b6a68121..ee36e1f874 100644 --- a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java +++ b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -136,6 +136,11 @@ public final class LDAPCertStore extends CertStoreSpi { + params.getClass().getName() + " passed"); } + SecurityManager security = System.getSecurityManager(); + if (security != null) { + security.checkConnect(serverName, port); + } + Key k = new Key(serverName, port); LDAPCertStoreImpl lci = certStoreCache.get(k); if (lci == null) { From affd60e7bd118f2036eaa52abc9d5cc447cc7c08 Mon Sep 17 00:00:00 2001 From: Jesper Wilhelmsson Date: Wed, 13 Sep 2017 10:00:33 +0200 Subject: [PATCH 115/269] 8187482: Backout JDK-8159377 Reviewed-by: hb --- .../classes/java/io/ObjectInputStream.java | 18 + .../jmx/remote/internal/rmi/RMIExporter.java | 6 +- .../remote/rmi/RMIConnectorServer.java | 59 +--- .../remote/rmi/RMIJRMPServerImpl.java | 159 +++++---- .../sun/rmi/server/MarshalInputStream.java | 36 ++ .../sun/rmi/server/UnicastServerRef.java | 90 ++++- .../jmxremote/ConnectorBootstrap.java | 34 +- .../share/conf/management.properties | 39 -- .../connection/DefaultAgentFilterTest.java | 333 ------------------ .../connection/NewRMIClientFilterTest.java | 147 -------- .../mandatory/connection/mgmt1.properties | 38 -- .../mandatory/connection/mgmt2.properties | 38 -- .../connectorServer/RMIExporterTest.java | 6 +- 13 files changed, 250 insertions(+), 753 deletions(-) delete mode 100644 jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java delete mode 100644 jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java delete mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties delete mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index 0df61e24c5..b07f5ab082 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -44,6 +44,7 @@ import java.util.concurrent.ConcurrentMap; import static java.io.ObjectStreamClass.processQueue; +import jdk.internal.misc.ObjectStreamClassValidator; import jdk.internal.misc.SharedSecrets; import jdk.internal.misc.Unsafe; import sun.reflect.misc.ReflectUtil; @@ -1766,6 +1767,9 @@ public class ObjectInputStream throw new StreamCorruptedException( String.format("invalid type code: %02X", tc)); } + if (descriptor != null) { + validateDescriptor(descriptor); + } return descriptor; } @@ -4005,7 +4009,21 @@ public class ObjectInputStream } } + private void validateDescriptor(ObjectStreamClass descriptor) { + ObjectStreamClassValidator validating = validator; + if (validating != null) { + validating.validateDescriptor(descriptor); + } + } + + // controlled access to ObjectStreamClassValidator + private volatile ObjectStreamClassValidator validator; + + private static void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator) { + ois.validator = validator; + } static { SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray); + SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::setValidator); } } diff --git a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java index 333c8f4a73..cd292850a2 100644 --- a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java +++ b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,7 +25,6 @@ package com.sun.jmx.remote.internal.rmi; -import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -52,8 +51,7 @@ public interface RMIExporter { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf, - ObjectInputFilter filter) + RMIServerSocketFactory ssf) throws RemoteException; public boolean unexportObject(Remote obj, boolean force) diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java index 0cda57065f..a71bef5b40 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java @@ -32,7 +32,6 @@ import com.sun.jmx.remote.util.EnvHelp; import java.io.ByteArrayOutputStream; import java.io.IOException; -import java.io.ObjectInputFilter; import java.io.ObjectOutputStream; import java.net.MalformedURLException; import java.rmi.server.RMIClientSocketFactory; @@ -102,59 +101,19 @@ public class RMIConnectorServer extends JMXConnectorServer { "jmx.remote.rmi.server.socket.factory"; /** - * Name of the attribute that specifies an - * {@link ObjectInputFilter} pattern string to filter classes acceptable - * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} + * Name of the attribute that specifies a list of class names acceptable + * as parameters to the {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} * remote method call. *

- * The filter pattern must be in same format as used in - * {@link java.io.ObjectInputFilter.Config#createFilter} + * This list of classes should correspond to the transitive closure of the + * credentials class (or classes) used by the installed {@linkplain JMXAuthenticator} + * associated with the {@linkplain RMIServer} implementation. *

- * This list of classes allowed by filter should correspond to the - * transitive closure of the credentials class (or classes) used by the - * installed {@linkplain JMXAuthenticator} associated with the - * {@linkplain RMIServer} implementation. - * If the attribute is not set then any class is deemed acceptable. - * @see ObjectInputFilter + * If the attribute is not set, or is null, then any class is + * deemed acceptable. */ - public static final String CREDENTIALS_FILTER_PATTERN = - "jmx.remote.rmi.server.credentials.filter.pattern"; - - /** - * This attribute defines a pattern from which to create a - * {@link java.io.ObjectInputFilter} that will be used when deserializing - * objects sent to the {@code JMXConnectorServer} by any client. - *

- * The filter will be called for any class found in the serialized - * stream sent to server by client, including all JMX defined classes - * (such as {@link javax.management.ObjectName}), all method parameters, - * and, if present in the stream, all classes transitively referred by - * the serial form of any deserialized object. - * The pattern must be in same format as used in - * {@link java.io.ObjectInputFilter.Config#createFilter}. - * It may define a white list of permitted classes, a black list of - * rejected classes, a maximum depth for the deserialized objects, - * etc. - *

- * To be functional, the filter should allow at least all the - * concrete types in the transitive closure of all objects that - * might get serialized when serializing all JMX classes referred - * as parameters in the {@link - * javax.management.remote.rmi.RMIConnection} interface, - * plus all classes that a {@link javax.management.remote.rmi.RMIConnector client} - * might need to transmit wrapped in {@linkplain java.rmi.MarshalledObject - * marshalled objects} in order to interoperate with the MBeans registered - * in the {@code MBeanServer}. That would potentially include all the - * concrete {@linkplain javax.management.openmbean JMX OpenTypes} and the - * classes they use in their serial form. - *

- * Care must be taken when defining such a filter, as defining - * a white list too restrictive or a too wide a black list may - * prevent legitimate clients from interoperating with the - * {@code JMXConnectorServer}. - */ - public static final String SERIAL_FILTER_PATTERN = - "jmx.remote.rmi.server.serial.filter.pattern"; + public static final String CREDENTIAL_TYPES = + "jmx.remote.rmi.server.credential.types"; /** *

Makes an RMIConnectorServer. diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java index e6787692ee..8bcbe1919a 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java @@ -26,7 +26,6 @@ package javax.management.remote.rmi; import java.io.IOException; -import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -40,13 +39,15 @@ import javax.security.auth.Subject; import com.sun.jmx.remote.internal.rmi.RMIExporter; import com.sun.jmx.remote.util.EnvHelp; +import java.io.ObjectStreamClass; +import java.lang.reflect.Method; +import java.util.ArrayList; import java.util.Arrays; -import java.util.Set; -import java.util.stream.Collectors; +import java.util.List; import sun.reflect.misc.ReflectUtil; +import sun.rmi.server.DeserializationChecker; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; -import sun.rmi.transport.LiveRef; /** *

An {@link RMIServer} object that is exported through JRMP and that @@ -59,6 +60,8 @@ import sun.rmi.transport.LiveRef; */ public class RMIJRMPServerImpl extends RMIServerImpl { + private final ExportedWrapper exportedWrapper; + /** *

Creates a new {@link RMIServer} object that will be exported * on the given port using the given socket factories.

@@ -97,48 +100,33 @@ public class RMIJRMPServerImpl extends RMIServerImpl { this.ssf = ssf; this.env = (env == null) ? Collections.emptyMap() : env; - // This attribute was represented by RMIConnectorServer.CREDENTIALS_TYPES. - // This attribute is superceded by - // RMIConnectorServer.CREDENTIALS_FILTER_PATTERN. - // Retaining this for backward compatibility. String[] credentialsTypes - = (String[]) this.env.get("jmx.remote.rmi.server.credential.types"); - - String credentialsFilter - = (String) this.env.get(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN); - - // It is impossible for both attributes to be specified - if(credentialsTypes != null && credentialsFilter != null) - throw new IllegalArgumentException("Cannot specify both \"" - + "jmx.remote.rmi.server.credential.types" + "\" and \"" - + RMIConnectorServer.CREDENTIALS_FILTER_PATTERN + "\""); - else if(credentialsFilter != null){ - cFilter = ObjectInputFilter.Config.createFilter(credentialsFilter); - allowedTypes = null; + = (String[]) this.env.get(RMIConnectorServer.CREDENTIAL_TYPES); + List types = null; + if (credentialsTypes != null) { + types = new ArrayList<>(); + for (String type : credentialsTypes) { + if (type == null) { + throw new IllegalArgumentException("A credential type is null."); + } + ReflectUtil.checkPackageAccess(type); + types.add(type); + } } - else if (credentialsTypes != null) { - allowedTypes = Arrays.stream(credentialsTypes).filter( - s -> s!= null).collect(Collectors.toSet()); - allowedTypes.stream().forEach(ReflectUtil::checkPackageAccess); - cFilter = this::newClientCheckInput; - } else { - allowedTypes = null; - cFilter = null; - } - - String userJmxFilter = - (String) this.env.get(RMIConnectorServer.SERIAL_FILTER_PATTERN); - if(userJmxFilter != null && !userJmxFilter.isEmpty()) - jmxRmiFilter = ObjectInputFilter.Config.createFilter(userJmxFilter); - else - jmxRmiFilter = null; + exportedWrapper = types != null ? + new ExportedWrapper(this, types) : + null; } protected void export() throws IOException { - export(this, cFilter); + if (exportedWrapper != null) { + export(exportedWrapper); + } else { + export(this); + } } - private void export(Remote obj, ObjectInputFilter typeFilter) throws RemoteException { + private void export(Remote obj) throws RemoteException { final RMIExporter exporter = (RMIExporter) env.get(RMIExporter.EXPORTER_ATTRIBUTE); final boolean daemon = EnvHelp.isServerDaemon(env); @@ -149,14 +137,16 @@ public class RMIJRMPServerImpl extends RMIServerImpl { " cannot be used to specify an exporter!"); } - if (exporter != null) { - exporter.exportObject(obj, port, csf, ssf, typeFilter); - } else { + if (daemon) { if (csf == null && ssf == null) { - new UnicastServerRef(new LiveRef(port), typeFilter).exportObject(obj, null, daemon); + new UnicastServerRef(port).exportObject(obj, null, true); } else { - new UnicastServerRef2(port, csf, ssf, typeFilter).exportObject(obj, null, daemon); + new UnicastServerRef2(port, csf, ssf).exportObject(obj, null, true); } + } else if (exporter != null) { + exporter.exportObject(obj, port, csf, ssf); + } else { + UnicastRemoteObject.exportObject(obj, port, csf, ssf); } } @@ -183,7 +173,11 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * RMIJRMPServerImpl has not been exported yet. */ public Remote toStub() throws IOException { - return RemoteObject.toStub(this); + if (exportedWrapper != null) { + return RemoteObject.toStub(exportedWrapper); + } else { + return RemoteObject.toStub(this); + } } /** @@ -213,7 +207,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl { RMIConnection client = new RMIConnectionImpl(this, connectionId, getDefaultClassLoader(), subject, env); - export(client, jmxRmiFilter); + export(client); return client; } @@ -230,39 +224,56 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * server failed. */ protected void closeServer() throws IOException { - unexport(this, true); - } - - /** - * Check that a type in the remote invocation of {@link RMIServerImpl#newClient} - * is one of the {@code allowedTypes}. - * - * @param clazz the class; may be null - * @param size the size for arrays, otherwise is 0 - * @param nObjectRefs the current number of object references - * @param depth the current depth - * @param streamBytes the current number of bytes consumed - * @return {@code ObjectInputFilter.Status.ALLOWED} if the class is allowed, - * otherwise {@code ObjectInputFilter.Status.REJECTED} - */ - ObjectInputFilter.Status newClientCheckInput(ObjectInputFilter.FilterInfo filterInfo) { - ObjectInputFilter.Status status = ObjectInputFilter.Status.UNDECIDED; - if (allowedTypes != null && filterInfo.serialClass() != null) { - // If enabled, check type - String type = filterInfo.serialClass().getName(); - if (allowedTypes.contains(type)) - status = ObjectInputFilter.Status.ALLOWED; - else - status = ObjectInputFilter.Status.REJECTED; + if (exportedWrapper != null) { + unexport(exportedWrapper, true); + } else { + unexport(this, true); } - return status; } private final int port; private final RMIClientSocketFactory csf; private final RMIServerSocketFactory ssf; private final Map env; - private final Set allowedTypes; - private final ObjectInputFilter jmxRmiFilter; - private final ObjectInputFilter cFilter; + + private static class ExportedWrapper implements RMIServer, DeserializationChecker { + private final RMIServer impl; + private final List allowedTypes; + + private ExportedWrapper(RMIServer impl, List credentialsTypes) { + this.impl = impl; + allowedTypes = credentialsTypes; + } + + @Override + public String getVersion() throws RemoteException { + return impl.getVersion(); + } + + @Override + public RMIConnection newClient(Object credentials) throws IOException { + return impl.newClient(credentials); + } + + @Override + public void check(Method method, ObjectStreamClass descriptor, + int paramIndex, int callID) { + String type = descriptor.getName(); + if (!allowedTypes.contains(type)) { + throw new ClassCastException("Unsupported type: " + type); + } + } + + @Override + public void checkProxyClass(Method method, String[] ifaces, + int paramIndex, int callID) { + if (ifaces != null && ifaces.length > 0) { + for (String iface : ifaces) { + if (!allowedTypes.contains(iface)) { + throw new ClassCastException("Unsupported type: " + iface); + } + } + } + } + } } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java index d04e9292fd..2944e5d0f1 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java @@ -35,6 +35,8 @@ import java.security.AccessControlException; import java.security.Permission; import java.rmi.server.RMIClassLoader; import java.security.PrivilegedAction; +import jdk.internal.misc.ObjectStreamClassValidator; +import jdk.internal.misc.SharedSecrets; /** * MarshalInputStream is an extension of ObjectInputStream. When resolving @@ -52,6 +54,11 @@ import java.security.PrivilegedAction; * @author Peter Jones */ public class MarshalInputStream extends ObjectInputStream { + interface StreamChecker extends ObjectStreamClassValidator { + void checkProxyInterfaceNames(String[] ifaces); + } + + private volatile StreamChecker streamChecker = null; /** * Value of "java.rmi.server.useCodebaseOnly" property, @@ -238,6 +245,11 @@ public class MarshalInputStream extends ObjectInputStream { protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { + StreamChecker checker = streamChecker; + if (checker != null) { + checker.checkProxyInterfaceNames(interfaces); + } + /* * Always read annotation written by MarshalOutputStream. */ @@ -318,4 +330,28 @@ public class MarshalInputStream extends ObjectInputStream { void useCodebaseOnly() { useCodebaseOnly = true; } + + synchronized void setStreamChecker(StreamChecker checker) { + streamChecker = checker; + SharedSecrets.getJavaObjectInputStreamAccess().setValidator(this, checker); + } + @Override + protected ObjectStreamClass readClassDescriptor() throws IOException, + ClassNotFoundException { + ObjectStreamClass descriptor = super.readClassDescriptor(); + + validateDesc(descriptor); + + return descriptor; + } + + private void validateDesc(ObjectStreamClass descriptor) { + StreamChecker checker; + synchronized (this) { + checker = streamChecker; + } + if (checker != null) { + checker.validateDescriptor(descriptor); + } + } } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java index 9dbaed70c5..f0a4e0f4e0 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java @@ -30,6 +30,7 @@ import java.io.ObjectInput; import java.io.ObjectInputFilter; import java.io.ObjectInputStream; import java.io.ObjectOutput; +import java.io.ObjectStreamClass; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.rmi.AccessException; @@ -329,16 +330,11 @@ public class UnicastServerRef extends UnicastRef logCall(obj, method); // unmarshal parameters - Class[] types = method.getParameterTypes(); - Object[] params = new Object[types.length]; + Object[] params = null; try { unmarshalCustomCallData(in); - // Unmarshal the parameters - for (int i = 0; i < types.length; i++) { - params[i] = unmarshalValue(types[i], in); - } - + params = unmarshalParameters(obj, method, marshalStream); } catch (AccessException aex) { // For compatibility, AccessException is not wrapped in UnmarshalException // disable saving any refs in the inputStream for GC @@ -604,4 +600,84 @@ public class UnicastServerRef extends UnicastRef } } + /** + * Unmarshal parameters for the given method of the given instance over + * the given marshalinputstream. Perform any necessary checks. + */ + private Object[] unmarshalParameters(Object obj, Method method, MarshalInputStream in) + throws IOException, ClassNotFoundException { + return (obj instanceof DeserializationChecker) ? + unmarshalParametersChecked((DeserializationChecker)obj, method, in) : + unmarshalParametersUnchecked(method, in); + } + + /** + * Unmarshal parameters for the given method of the given instance over + * the given marshalinputstream. Do not perform any additional checks. + */ + private Object[] unmarshalParametersUnchecked(Method method, ObjectInput in) + throws IOException, ClassNotFoundException { + Class[] types = method.getParameterTypes(); + Object[] params = new Object[types.length]; + for (int i = 0; i < types.length; i++) { + params[i] = unmarshalValue(types[i], in); + } + return params; + } + + /** + * Unmarshal parameters for the given method of the given instance over + * the given marshalinputstream. Do perform all additional checks. + */ + private Object[] unmarshalParametersChecked( + DeserializationChecker checker, + Method method, MarshalInputStream in) + throws IOException, ClassNotFoundException { + int callID = methodCallIDCount.getAndIncrement(); + MyChecker myChecker = new MyChecker(checker, method, callID); + in.setStreamChecker(myChecker); + try { + Class[] types = method.getParameterTypes(); + Object[] values = new Object[types.length]; + for (int i = 0; i < types.length; i++) { + myChecker.setIndex(i); + values[i] = unmarshalValue(types[i], in); + } + myChecker.end(callID); + return values; + } finally { + in.setStreamChecker(null); + } + } + + private static class MyChecker implements MarshalInputStream.StreamChecker { + private final DeserializationChecker descriptorCheck; + private final Method method; + private final int callID; + private int parameterIndex; + + MyChecker(DeserializationChecker descriptorCheck, Method method, int callID) { + this.descriptorCheck = descriptorCheck; + this.method = method; + this.callID = callID; + } + + @Override + public void validateDescriptor(ObjectStreamClass descriptor) { + descriptorCheck.check(method, descriptor, parameterIndex, callID); + } + + @Override + public void checkProxyInterfaceNames(String[] ifaces) { + descriptorCheck.checkProxyClass(method, ifaces, parameterIndex, callID); + } + + void setIndex(int parameterIndex) { + this.parameterIndex = parameterIndex; + } + + void end(int callId) { + descriptorCheck.end(callId); + } + } } diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java index dae6b95c8b..322b180eab 100644 --- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java +++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; -import java.io.ObjectInputFilter; +import java.io.Serializable; import java.lang.management.ManagementFactory; import java.net.InetAddress; import java.net.MalformedURLException; @@ -45,12 +45,14 @@ import java.rmi.RemoteException; import java.rmi.registry.Registry; import java.rmi.server.RMIClientSocketFactory; import java.rmi.server.RMIServerSocketFactory; +import java.rmi.server.RMISocketFactory; import java.rmi.server.RemoteObject; import java.rmi.server.UnicastRemoteObject; import java.security.KeyStore; import java.security.Principal; import java.util.HashMap; import java.util.HashSet; +import java.util.Iterator; import java.util.Map; import java.util.Properties; import java.util.Set; @@ -82,7 +84,6 @@ import jdk.internal.agent.FileSystem; import sun.rmi.server.UnicastRef; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; -import sun.rmi.transport.LiveRef; /** * This class initializes and starts the RMIConnectorServer for JSR 163 @@ -141,8 +142,6 @@ public final class ConnectorBootstrap { "com.sun.management.jmxremote.ssl.need.client.auth"; public static final String SSL_CONFIG_FILE_NAME = "com.sun.management.jmxremote.ssl.config.file"; - public static final String SERIAL_FILTER_PATTERN = - "com.sun.management.jmxremote.serial.filter.pattern"; } /** @@ -183,8 +182,7 @@ public final class ConnectorBootstrap { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf, - ObjectInputFilter filter) + RMIServerSocketFactory ssf) throws RemoteException { synchronized (this) { @@ -195,9 +193,9 @@ public final class ConnectorBootstrap { final UnicastServerRef ref; if (csf == null && ssf == null) { - ref = new UnicastServerRef(new LiveRef(port), filter); + ref = new UnicastServerRef(port); } else { - ref = new UnicastServerRef2(port, csf, ssf, filter); + ref = new UnicastServerRef2(port, csf, ssf); } return ref.exportObject(obj, null, true); } @@ -437,7 +435,6 @@ public final class ConnectorBootstrap { final String bindAddress = props.getProperty(PropertyNames.HOST); - final String jmxRmiFilter = props.getProperty(PropertyNames.SERIAL_FILTER_PATTERN); if (logger.isLoggable(Level.DEBUG)) { logger.log(Level.DEBUG, "startRemoteConnectorServer", @@ -474,7 +471,7 @@ public final class ConnectorBootstrap { sslConfigFileName, enabledCipherSuitesList, enabledProtocolsList, sslNeedClientAuth, useAuthentication, loginConfigName, - passwordFileName, accessFileName, bindAddress, jmxRmiFilter); + passwordFileName, accessFileName, bindAddress); cs = data.jmxConnectorServer; url = data.jmxRemoteURL; config("startRemoteConnectorServer", @@ -514,7 +511,9 @@ public final class ConnectorBootstrap { // This RMI server should not keep the VM alive Map env = new HashMap<>(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, new PermanentExporter()); - env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); + env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ + String[].class.getName(), String.class.getName() + }); // The local connector server need only be available via the // loopback connection. @@ -730,8 +729,7 @@ public final class ConnectorBootstrap { String loginConfigName, String passwordFileName, String accessFileName, - String bindAddress, - String jmxRmiFilter) + String bindAddress) throws IOException, MalformedURLException { /* Make sure we use non-guessable RMI object IDs. Otherwise @@ -746,11 +744,9 @@ public final class ConnectorBootstrap { PermanentExporter exporter = new PermanentExporter(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, exporter); - env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); - - if(jmxRmiFilter != null && !jmxRmiFilter.isEmpty()) { - env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, jmxRmiFilter); - } + env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ + String[].class.getName(), String.class.getName() + }); boolean useSocketFactory = bindAddress != null && !useSsl; diff --git a/jdk/src/jdk.management.agent/share/conf/management.properties b/jdk/src/jdk.management.agent/share/conf/management.properties index 3bf88daf63..02401d78be 100644 --- a/jdk/src/jdk.management.agent/share/conf/management.properties +++ b/jdk/src/jdk.management.agent/share/conf/management.properties @@ -329,42 +329,3 @@ # The format of the value for that property is any string accepted # by java.net.InetAddress.getByName(String). # - -# ################ Filter for ObjectInputStream ############################# -# com.sun.management.jmxremote.serial.filter.pattern= -# A filter, if configured, is used by java.io.ObjectInputStream during -# deserialization of parameters sent to the JMX default agent to validate the -# contents of the stream. -# A filter is configured as a sequence of patterns, each pattern is either -# matched against the name of a class in the stream or defines a limit. -# Patterns are separated by ";" (semicolon). -# Whitespace is significant and is considered part of the pattern. -# -# If a pattern includes a "=", it sets a limit. -# If a limit appears more than once the last value is used. -# Limits are checked before classes regardless of the order in the sequence of patterns. -# If any of the limits are exceeded, the filter status is REJECTED. -# -# maxdepth=value - the maximum depth of a graph -# maxrefs=value - the maximum number of internal references -# maxbytes=value - the maximum number of bytes in the input stream -# maxarray=value - the maximum array length allowed -# -# Other patterns, from left to right, match the class or package name as -# returned from Class.getName. -# If the class is an array type, the class or package to be matched is the element type. -# Arrays of any number of dimensions are treated the same as the element type. -# For example, a pattern of "!example.Foo", rejects creation of any instance or -# array of example.Foo. -# -# If the pattern starts with "!", the status is REJECTED if the remaining pattern -# is matched; otherwise the status is ALLOWED if the pattern matches. -# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; -# if the module name matches the module name of the class then -# the remaining pattern is matched with the class name. -# If there is no "/", the module name is not compared. -# If the pattern ends with ".**" it matches any class in the package and all subpackages. -# If the pattern ends with ".*" it matches any class in the package. -# If the pattern ends with "*", it matches any class with the pattern as a prefix. -# If the pattern is equal to the class name, it matches. -# Otherwise, the status is UNDECIDED. diff --git a/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java deleted file mode 100644 index 4216545214..0000000000 --- a/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java +++ /dev/null @@ -1,333 +0,0 @@ -/* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - - /* - * @test - * @bug 8159377 - * @library /lib/testlibrary - * @summary Tests ObjectFilter on default agent - * @author Harsha Wardhana B - * @modules java.management - * @build jdk.testlibrary.* DefaultAgentFilterTest - * @run main/othervm/timeout=600 -XX:+UsePerfData DefaultAgentFilterTest - */ -import java.io.EOFException; -import java.io.File; -import java.io.IOException; -import java.io.InvalidClassException; -import java.io.Serializable; -import java.lang.reflect.InvocationTargetException; -import java.net.BindException; -import java.rmi.UnmarshalException; -import java.rmi.registry.LocateRegistry; -import java.rmi.registry.Registry; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.concurrent.atomic.AtomicBoolean; -import javax.management.MBeanServerConnection; -import javax.management.ObjectName; -import javax.management.remote.JMXConnector; -import javax.management.remote.JMXConnectorFactory; -import javax.management.remote.JMXServiceURL; - -import jdk.testlibrary.ProcessTools; -import jdk.testlibrary.Utils; - -public class DefaultAgentFilterTest { - - public static class MyTestObject implements Serializable { - - String a; - int id; - } - - public interface TestMBean { - - public void op1(HashSet params); - - public void op2(String s, HashSet params); - - public void op3(MyTestObject obj, String s, HashMap param); - } - - public static class Test implements TestMBean { - - @Override - public void op1(HashSet params) { - System.out.println("Invoked op1"); - } - - @Override - public void op2(String s, HashSet params) { - System.out.println("Invoked op2"); - } - - @Override - public void op3(MyTestObject obj, String s, HashMap param) { - System.out.println("Invoked op3"); - } - } - - private static class TestAppRun implements AutoCloseable { - - private Process p; - private final ProcessBuilder pb; - private final String name; - private final AtomicBoolean started = new AtomicBoolean(false); - private volatile long pid = -1; - - public TestAppRun(ProcessBuilder pb, String name) { - this.pb = pb; - this.name = name; - } - - public synchronized void start() throws Exception { - if (started.compareAndSet(false, true)) { - try { - AtomicBoolean error = new AtomicBoolean(false); - AtomicBoolean bindError = new AtomicBoolean(false); - p = ProcessTools.startProcess( - TEST_APP_NAME + "{" + name + "}", - pb, - (line) -> { - if (line.toLowerCase().contains("exception") - || line.toLowerCase().contains("error")) { - error.set(true); - } - bindError.set(line.toLowerCase().contains("bindexception")); - return true; - }); - if (bindError.get()) { - throw new BindException("Process could not be started"); - } else if (error.get()) { - throw new RuntimeException(); - } - pid = p.pid(); - } catch (Exception ex) { - if (p != null) { - p.destroy(); - p.waitFor(); - } - throw ex; - } - } - } - - public long getPid() { - return pid; - } - - public synchronized void stop() - throws IOException, InterruptedException { - if (started.compareAndSet(true, false)) { - p.getOutputStream().write(0); - p.getOutputStream().flush(); - int ec = p.waitFor(); - if (ec != 0) { - StringBuilder msg = new StringBuilder(); - msg.append("Test application '").append(name); - msg.append("' failed with exit code: "); - msg.append(ec); - System.err.println(msg); - } - } - } - - @Override - public void close() throws Exception { - stop(); - } - } - - private static final String TEST_APP_NAME = "TestApp"; - - private static void testDefaultAgent(String propertyFile) throws Exception { - int port = Utils.getFreePort(); - String propFile = System.getProperty("test.src") + File.separator + propertyFile; - List pbArgs = new ArrayList<>(Arrays.asList( - "-cp", - System.getProperty("test.class.path"), - "-XX:+UsePerfData" - )); - String[] args = new String[]{ - "-Dcom.sun.management.jmxremote.port=" + port, - "-Dcom.sun.management.jmxremote.authenticate=false", - "-Dcom.sun.management.jmxremote.ssl=false", - "-Dcom.sun.management.config.file=" + propFile - }; - pbArgs.addAll(Arrays.asList(args)); - pbArgs.add(TEST_APP_NAME); - - ProcessBuilder pb = ProcessTools.createJavaProcessBuilder( - pbArgs.toArray(new String[pbArgs.size()]) - ); - - try (TestAppRun s = new TestAppRun(pb, DefaultAgentFilterTest.class.getSimpleName())) { - s.start(); - JMXServiceURL url = testConnect(port); - testMBeanOperations(url); - } - } - - private static JMXServiceURL testConnect(int port) throws Exception { - EOFException lastException = null; - JMXServiceURL url = null; - // factor adjusted timeout (5 seconds) for the RMI to become available - long timeout = System.currentTimeMillis() + Utils.adjustTimeout(5000); - do { - lastException = null; - try { - Registry registry = LocateRegistry.getRegistry(port); - String[] relist = registry.list(); - for (int i = 0; i < relist.length; ++i) { - System.out.println("Got registry: " + relist[i]); - } - String jmxUrlStr = String.format( - "service:jmx:rmi:///jndi/rmi://localhost:%d/jmxrmi", - port); - url = new JMXServiceURL(jmxUrlStr); - - try (JMXConnector c = JMXConnectorFactory.connect(url, null)) { - MBeanServerConnection conn = c.getMBeanServerConnection(); - ObjectName name = new ObjectName("jtreg:type=Test"); - conn.createMBean(Test.class.getName(), name); - } - } catch (Exception ex) { - if (ex instanceof EOFException) { - lastException = (EOFException) ex; - System.out.println("Error establishing RMI connection. Retrying in 500ms."); - Thread.sleep(500); - } else { - throw ex; - } - } - } while (lastException != null && System.currentTimeMillis() < timeout); - if (lastException != null) { - throw lastException; - } - return url; - } - - public static void main(String[] args) throws Exception { - System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: starting ..."); - - boolean retry = false; - do { - try { - // blacklist String - testDefaultAgent("mgmt1.properties"); - System.out.println("----\tTest FAILED !!"); - throw new RuntimeException("---" + DefaultAgentFilterTest.class.getName() + " - No exception reported"); - } catch (Exception ex) { - if (ex instanceof InvocationTargetException) { - if (ex.getCause() instanceof BindException - || ex.getCause() instanceof java.rmi.ConnectException) { - System.out.println("Failed to allocate ports. Retrying ..."); - retry = true; - } - } else if (ex instanceof InvalidClassException) { - System.out.println("----\tTest PASSED !!"); - } else if (ex instanceof UnmarshalException - && ((UnmarshalException) ex).getCause() instanceof InvalidClassException) { - System.out.println("----\tTest PASSED !!"); - } else { - System.out.println(ex); - System.out.println("----\tTest FAILED !!"); - throw ex; - } - } - } while (retry); - retry = false; - do { - try { - // blacklist non-existent class - testDefaultAgent("mgmt2.properties"); - System.out.println("----\tTest PASSED !!"); - } catch (Exception ex) { - if (ex instanceof InvocationTargetException) { - if (ex.getCause() instanceof BindException - || ex.getCause() instanceof java.rmi.ConnectException) { - System.out.println("Failed to allocate ports. Retrying ..."); - retry = true; - } - } else { - System.out.println(ex); - System.out.println("----\tTest FAILED !!"); - throw ex; - } - } - } while (retry); - - System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: finished ..."); - } - - private static void testMBeanOperations(JMXServiceURL serverUrl) throws Exception { - Map clientEnv = new HashMap<>(1); - ObjectName name = new ObjectName("jtreg:type=Test"); - try (JMXConnector client = JMXConnectorFactory.connect(serverUrl, clientEnv)) { - MBeanServerConnection conn = client.getMBeanServerConnection(); - - HashSet set = new HashSet<>(); - set.add("test1"); - set.add("test2"); - - String a = "A"; - - Object[] params1 = {set}; - String[] sig1 = {HashSet.class.getName()}; - conn.invoke(name, "op1", params1, sig1); - - Object[] params2 = {a, set}; - String[] sig2 = {String.class.getName(), HashSet.class.getName()}; - conn.invoke(name, "op2", params2, sig2); - - HashMap map = new HashMap<>(); - map.put("a", "A"); - map.put("b", "B"); - - Object[] params3 = {new MyTestObject(), a, map}; - String[] sig3 = {MyTestObject.class.getName(), String.class.getName(), - HashMap.class.getName()}; - conn.invoke(name, "op3", params3, sig3); - } - } -} - -class TestApp { - - private static void doSomething() throws IOException { - int r = System.in.read(); - System.out.println("read: " + r); - } - - public static void main(String args[]) throws Exception { - System.out.println("main enter"); - System.out.flush(); - doSomething(); - System.out.println("main exit"); - } -} diff --git a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java deleted file mode 100644 index 78ae27bb64..0000000000 --- a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java +++ /dev/null @@ -1,147 +0,0 @@ -/* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - - /* - * @test - * @bug 8159377 - * @summary Tests ObjectInputFilter on RMIServer.newClient - * @author Harsha Wardhana B - * @modules java.management - * @run clean NewRMIClientFilterTest - * @run build NewRMIClientFilterTest - * @run main NewRMIClientFilterTest - */ -import java.io.InvalidClassException; -import java.io.Serializable; -import java.lang.management.ManagementFactory; -import java.util.HashMap; -import java.util.Map; -import javax.management.remote.JMXConnector; -import javax.management.remote.JMXConnectorFactory; -import javax.management.remote.JMXConnectorServer; -import javax.management.remote.JMXConnectorServerFactory; -import javax.management.remote.JMXServiceURL; -import javax.management.remote.rmi.RMIConnectorServer; - -public class NewRMIClientFilterTest { - - public static void main(String[] args) throws Exception { - System.out.println("---NewRMIClientFilterTest-main: starting ..."); - String filter1 = java.lang.String.class.getName() + ";!*"; - String filter2 = java.lang.String.class.getName() + ";" + MyCredentials.class.getName() + ";!*"; - - JMXServiceURL url = new JMXServiceURL("rmi", null, 0); - JMXServiceURL serverUrl = null; - Map env = new HashMap<>(1); - JMXConnectorServer server = null; - - System.out.println("\n---NewRMIClientFilterTest-main: testing types = null"); - server = newServer(url, null); - serverUrl = server.getAddress(); - doTest(serverUrl, null); - doTest(serverUrl, new String[]{"toto", "titi"}); - doTest(serverUrl, new Object[]{new MyCredentials(), "toto"}); - server.stop(); - - System.out.println("\n---NewRMIClientFilterTest-main: testing types = String[]"); - env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, - filter1); - server = newServer(url, env); - serverUrl = server.getAddress(); - doTest(serverUrl, null); - doTest(serverUrl, new String[]{"toto", "titi"}); - try { - doTest(serverUrl, new MyCredentials()); - throw new Error("Bad client is not refused!"); - } catch (Exception e) { - isInvalidClassEx(e); - } finally { - server.stop(); - } - - System.out.println("\n---NewRMIClientFilterTest-main: testing user specific types = String, MyCredentials"); - env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, - filter2); - server = newServer(url, env); - serverUrl = server.getAddress(); - doTest(serverUrl, null); - doTest(serverUrl, new String[]{"toto", "titi"}); - doTest(serverUrl, new MyCredentials[]{new MyCredentials(), (MyCredentials) null}); - try { - doTest(serverUrl, new Object[]{"toto", new byte[3]}); - throw new Error("Bad client is not refused!"); - } catch (Exception e) { - isInvalidClassEx(e); - } finally { - server.stop(); - } - - System.out.println("---NewRMIClientFilterTest-main PASSED!!!"); - } - - private static void doTest(JMXServiceURL serverAddr, Object credentials) throws Exception { - System.out.println("---NewRMIClientFilterTest-test:\n\tserver address: " - + serverAddr + "\n\tcredentials: " + credentials); - - Map env = new HashMap<>(1); - env.put("jmx.remote.credentials", credentials); - JMXConnector client = null; - try { - client = JMXConnectorFactory.connect(serverAddr, env); - client.getMBeanServerConnection().getDefaultDomain(); - } finally { - try { - client.close(); - } catch (Exception e) { - } - } - System.out.println("---NewRMIClientFilterTest-test: PASSED!"); - } - - private static JMXConnectorServer newServer(JMXServiceURL url, Map env) - throws Exception { - JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer( - url, - env, - ManagementFactory.getPlatformMBeanServer()); - - server.start(); - return server; - } - - private static class MyCredentials implements Serializable { - } - - private static void isInvalidClassEx(Exception e) { - Throwable cause = e; - while (cause != null) { - if (cause instanceof InvalidClassException) { - System.out.println("---NewRMIClientFilterTest-InvalidClassException expected: " + cause); - return; - } - cause = cause.getCause(); - } - e.printStackTrace(); - throw new RuntimeException("Did not get expected InvalidClassException!"); - } -} diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties deleted file mode 100644 index 17f81fa2ec..0000000000 --- a/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties +++ /dev/null @@ -1,38 +0,0 @@ -# ################ Filter for ObjectInputStream ############################# -com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$MyTestObject -# A filter, if configured, is used by java.io.ObjectInputStream during -# deserialization of parameters sent to the JMX default agent to validate the -# contents of the stream. -# A filter is configured as a sequence of patterns, each pattern is either -# matched against the name of a class in the stream or defines a limit. -# Patterns are separated by ";" (semicolon). -# Whitespace is significant and is considered part of the pattern. -# -# If a pattern includes a "=", it sets a limit. -# If a limit appears more than once the last value is used. -# Limits are checked before classes regardless of the order in the sequence of patterns. -# If any of the limits are exceeded, the filter status is REJECTED. -# -# maxdepth=value - the maximum depth of a graph -# maxrefs=value - the maximum number of internal references -# maxbytes=value - the maximum number of bytes in the input stream -# maxarray=value - the maximum array length allowed -# -# Other patterns, from left to right, match the class or package name as -# returned from Class.getName. -# If the class is an array type, the class or package to be matched is the element type. -# Arrays of any number of dimensions are treated the same as the element type. -# For example, a pattern of "!example.Foo", rejects creation of any instance or -# array of example.Foo. -# -# If the pattern starts with "!", the status is REJECTED if the remaining pattern -# is matched; otherwise the status is ALLOWED if the pattern matches. -# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; -# if the module name matches the module name of the class then -# the remaining pattern is matched with the class name. -# If there is no "/", the module name is not compared. -# If the pattern ends with ".**" it matches any class in the package and all subpackages. -# If the pattern ends with ".*" it matches any class in the package. -# If the pattern ends with "*", it matches any class with the pattern as a prefix. -# If the pattern is equal to the class name, it matches. -# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties deleted file mode 100644 index d29d746d92..0000000000 --- a/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties +++ /dev/null @@ -1,38 +0,0 @@ -# ################ Filter for ObjectInputStream ############################# -com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$ThisTypeIsNotUsed -# A filter, if configured, is used by java.io.ObjectInputStream during -# deserialization of parameters sent to the JMX default agent to validate the -# contents of the stream. -# A filter is configured as a sequence of patterns, each pattern is either -# matched against the name of a class in the stream or defines a limit. -# Patterns are separated by ";" (semicolon). -# Whitespace is significant and is considered part of the pattern. -# -# If a pattern includes a "=", it sets a limit. -# If a limit appears more than once the last value is used. -# Limits are checked before classes regardless of the order in the sequence of patterns. -# If any of the limits are exceeded, the filter status is REJECTED. -# -# maxdepth=value - the maximum depth of a graph -# maxrefs=value - the maximum number of internal references -# maxbytes=value - the maximum number of bytes in the input stream -# maxarray=value - the maximum array length allowed -# -# Other patterns, from left to right, match the class or package name as -# returned from Class.getName. -# If the class is an array type, the class or package to be matched is the element type. -# Arrays of any number of dimensions are treated the same as the element type. -# For example, a pattern of "!example.Foo", rejects creation of any instance or -# array of example.Foo. -# -# If the pattern starts with "!", the status is REJECTED if the remaining pattern -# is matched; otherwise the status is ALLOWED if the pattern matches. -# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; -# if the module name matches the module name of the class then -# the remaining pattern is matched with the class name. -# If there is no "/", the module name is not compared. -# If the pattern ends with ".**" it matches any class in the package and all subpackages. -# If the pattern ends with ".*" it matches any class in the package. -# If the pattern ends with "*", it matches any class with the pattern as a prefix. -# If the pattern is equal to the class name, it matches. -# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java index 5d79b06fd3..3b010e38a1 100644 --- a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java +++ b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -47,7 +47,6 @@ import javax.management.remote.JMXConnectorServer; import javax.management.remote.JMXConnectorServerFactory; import javax.management.remote.JMXServiceURL; import com.sun.jmx.remote.internal.rmi.RMIExporter; -import java.io.ObjectInputFilter; public class RMIExporterTest { @@ -61,8 +60,7 @@ public class RMIExporterTest { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf, - ObjectInputFilter unused) + RMIServerSocketFactory ssf) throws RemoteException { System.out.println("CustomRMIExporter::exportObject():: " + "Remote = " + obj); From b834c7177467476b33a85fbcdd9c641d8e0d4aa6 Mon Sep 17 00:00:00 2001 From: Jesper Wilhelmsson Date: Thu, 14 Sep 2017 22:57:36 +0200 Subject: [PATCH 116/269] 8187556: Backout of a fix reintroduced a dependency that had since been removed Reviewed-by: duke --- .../classes/java/io/ObjectInputStream.java | 18 - .../jmx/remote/internal/rmi/RMIExporter.java | 6 +- .../remote/rmi/RMIConnectorServer.java | 59 +++- .../remote/rmi/RMIJRMPServerImpl.java | 163 ++++----- .../sun/rmi/server/MarshalInputStream.java | 36 -- .../sun/rmi/server/UnicastServerRef.java | 90 +---- .../jmxremote/ConnectorBootstrap.java | 34 +- .../share/conf/management.properties | 39 ++ .../connection/DefaultAgentFilterTest.java | 333 ++++++++++++++++++ .../connection/NewRMIClientFilterTest.java | 147 ++++++++ .../mandatory/connection/mgmt1.properties | 38 ++ .../mandatory/connection/mgmt2.properties | 38 ++ .../connectorServer/RMIExporterTest.java | 6 +- 13 files changed, 755 insertions(+), 252 deletions(-) create mode 100644 jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java create mode 100644 jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java create mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties create mode 100644 jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java index b07f5ab082..0df61e24c5 100644 --- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -44,7 +44,6 @@ import java.util.concurrent.ConcurrentMap; import static java.io.ObjectStreamClass.processQueue; -import jdk.internal.misc.ObjectStreamClassValidator; import jdk.internal.misc.SharedSecrets; import jdk.internal.misc.Unsafe; import sun.reflect.misc.ReflectUtil; @@ -1767,9 +1766,6 @@ public class ObjectInputStream throw new StreamCorruptedException( String.format("invalid type code: %02X", tc)); } - if (descriptor != null) { - validateDescriptor(descriptor); - } return descriptor; } @@ -4009,21 +4005,7 @@ public class ObjectInputStream } } - private void validateDescriptor(ObjectStreamClass descriptor) { - ObjectStreamClassValidator validating = validator; - if (validating != null) { - validating.validateDescriptor(descriptor); - } - } - - // controlled access to ObjectStreamClassValidator - private volatile ObjectStreamClassValidator validator; - - private static void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator) { - ois.validator = validator; - } static { SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray); - SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::setValidator); } } diff --git a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java index cd292850a2..333c8f4a73 100644 --- a/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java +++ b/jdk/src/java.management.rmi/share/classes/com/sun/jmx/remote/internal/rmi/RMIExporter.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,7 @@ package com.sun.jmx.remote.internal.rmi; +import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -51,7 +52,8 @@ public interface RMIExporter { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter filter) throws RemoteException; public boolean unexportObject(Remote obj, boolean force) diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java index a71bef5b40..0cda57065f 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java @@ -32,6 +32,7 @@ import com.sun.jmx.remote.util.EnvHelp; import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.ObjectInputFilter; import java.io.ObjectOutputStream; import java.net.MalformedURLException; import java.rmi.server.RMIClientSocketFactory; @@ -101,19 +102,59 @@ public class RMIConnectorServer extends JMXConnectorServer { "jmx.remote.rmi.server.socket.factory"; /** - * Name of the attribute that specifies a list of class names acceptable - * as parameters to the {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} + * Name of the attribute that specifies an + * {@link ObjectInputFilter} pattern string to filter classes acceptable + * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()} * remote method call. *

- * This list of classes should correspond to the transitive closure of the - * credentials class (or classes) used by the installed {@linkplain JMXAuthenticator} - * associated with the {@linkplain RMIServer} implementation. + * The filter pattern must be in same format as used in + * {@link java.io.ObjectInputFilter.Config#createFilter} *

- * If the attribute is not set, or is null, then any class is - * deemed acceptable. + * This list of classes allowed by filter should correspond to the + * transitive closure of the credentials class (or classes) used by the + * installed {@linkplain JMXAuthenticator} associated with the + * {@linkplain RMIServer} implementation. + * If the attribute is not set then any class is deemed acceptable. + * @see ObjectInputFilter */ - public static final String CREDENTIAL_TYPES = - "jmx.remote.rmi.server.credential.types"; + public static final String CREDENTIALS_FILTER_PATTERN = + "jmx.remote.rmi.server.credentials.filter.pattern"; + + /** + * This attribute defines a pattern from which to create a + * {@link java.io.ObjectInputFilter} that will be used when deserializing + * objects sent to the {@code JMXConnectorServer} by any client. + *

+ * The filter will be called for any class found in the serialized + * stream sent to server by client, including all JMX defined classes + * (such as {@link javax.management.ObjectName}), all method parameters, + * and, if present in the stream, all classes transitively referred by + * the serial form of any deserialized object. + * The pattern must be in same format as used in + * {@link java.io.ObjectInputFilter.Config#createFilter}. + * It may define a white list of permitted classes, a black list of + * rejected classes, a maximum depth for the deserialized objects, + * etc. + *

+ * To be functional, the filter should allow at least all the + * concrete types in the transitive closure of all objects that + * might get serialized when serializing all JMX classes referred + * as parameters in the {@link + * javax.management.remote.rmi.RMIConnection} interface, + * plus all classes that a {@link javax.management.remote.rmi.RMIConnector client} + * might need to transmit wrapped in {@linkplain java.rmi.MarshalledObject + * marshalled objects} in order to interoperate with the MBeans registered + * in the {@code MBeanServer}. That would potentially include all the + * concrete {@linkplain javax.management.openmbean JMX OpenTypes} and the + * classes they use in their serial form. + *

+ * Care must be taken when defining such a filter, as defining + * a white list too restrictive or a too wide a black list may + * prevent legitimate clients from interoperating with the + * {@code JMXConnectorServer}. + */ + public static final String SERIAL_FILTER_PATTERN = + "jmx.remote.rmi.server.serial.filter.pattern"; /** *

Makes an RMIConnectorServer. diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java index 8bcbe1919a..e6787692ee 100644 --- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java +++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java @@ -26,6 +26,7 @@ package javax.management.remote.rmi; import java.io.IOException; +import java.io.ObjectInputFilter; import java.rmi.NoSuchObjectException; import java.rmi.Remote; import java.rmi.RemoteException; @@ -39,15 +40,13 @@ import javax.security.auth.Subject; import com.sun.jmx.remote.internal.rmi.RMIExporter; import com.sun.jmx.remote.util.EnvHelp; -import java.io.ObjectStreamClass; -import java.lang.reflect.Method; -import java.util.ArrayList; import java.util.Arrays; -import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; import sun.reflect.misc.ReflectUtil; -import sun.rmi.server.DeserializationChecker; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; +import sun.rmi.transport.LiveRef; /** *

An {@link RMIServer} object that is exported through JRMP and that @@ -60,8 +59,6 @@ import sun.rmi.server.UnicastServerRef2; */ public class RMIJRMPServerImpl extends RMIServerImpl { - private final ExportedWrapper exportedWrapper; - /** *

Creates a new {@link RMIServer} object that will be exported * on the given port using the given socket factories.

@@ -100,33 +97,48 @@ public class RMIJRMPServerImpl extends RMIServerImpl { this.ssf = ssf; this.env = (env == null) ? Collections.emptyMap() : env; + // This attribute was represented by RMIConnectorServer.CREDENTIALS_TYPES. + // This attribute is superceded by + // RMIConnectorServer.CREDENTIALS_FILTER_PATTERN. + // Retaining this for backward compatibility. String[] credentialsTypes - = (String[]) this.env.get(RMIConnectorServer.CREDENTIAL_TYPES); - List types = null; - if (credentialsTypes != null) { - types = new ArrayList<>(); - for (String type : credentialsTypes) { - if (type == null) { - throw new IllegalArgumentException("A credential type is null."); - } - ReflectUtil.checkPackageAccess(type); - types.add(type); - } + = (String[]) this.env.get("jmx.remote.rmi.server.credential.types"); + + String credentialsFilter + = (String) this.env.get(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN); + + // It is impossible for both attributes to be specified + if(credentialsTypes != null && credentialsFilter != null) + throw new IllegalArgumentException("Cannot specify both \"" + + "jmx.remote.rmi.server.credential.types" + "\" and \"" + + RMIConnectorServer.CREDENTIALS_FILTER_PATTERN + "\""); + else if(credentialsFilter != null){ + cFilter = ObjectInputFilter.Config.createFilter(credentialsFilter); + allowedTypes = null; } - exportedWrapper = types != null ? - new ExportedWrapper(this, types) : - null; + else if (credentialsTypes != null) { + allowedTypes = Arrays.stream(credentialsTypes).filter( + s -> s!= null).collect(Collectors.toSet()); + allowedTypes.stream().forEach(ReflectUtil::checkPackageAccess); + cFilter = this::newClientCheckInput; + } else { + allowedTypes = null; + cFilter = null; + } + + String userJmxFilter = + (String) this.env.get(RMIConnectorServer.SERIAL_FILTER_PATTERN); + if(userJmxFilter != null && !userJmxFilter.isEmpty()) + jmxRmiFilter = ObjectInputFilter.Config.createFilter(userJmxFilter); + else + jmxRmiFilter = null; } protected void export() throws IOException { - if (exportedWrapper != null) { - export(exportedWrapper); - } else { - export(this); - } + export(this, cFilter); } - private void export(Remote obj) throws RemoteException { + private void export(Remote obj, ObjectInputFilter typeFilter) throws RemoteException { final RMIExporter exporter = (RMIExporter) env.get(RMIExporter.EXPORTER_ATTRIBUTE); final boolean daemon = EnvHelp.isServerDaemon(env); @@ -137,16 +149,14 @@ public class RMIJRMPServerImpl extends RMIServerImpl { " cannot be used to specify an exporter!"); } - if (daemon) { - if (csf == null && ssf == null) { - new UnicastServerRef(port).exportObject(obj, null, true); - } else { - new UnicastServerRef2(port, csf, ssf).exportObject(obj, null, true); - } - } else if (exporter != null) { - exporter.exportObject(obj, port, csf, ssf); + if (exporter != null) { + exporter.exportObject(obj, port, csf, ssf, typeFilter); } else { - UnicastRemoteObject.exportObject(obj, port, csf, ssf); + if (csf == null && ssf == null) { + new UnicastServerRef(new LiveRef(port), typeFilter).exportObject(obj, null, daemon); + } else { + new UnicastServerRef2(port, csf, ssf, typeFilter).exportObject(obj, null, daemon); + } } } @@ -173,11 +183,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * RMIJRMPServerImpl has not been exported yet. */ public Remote toStub() throws IOException { - if (exportedWrapper != null) { - return RemoteObject.toStub(exportedWrapper); - } else { - return RemoteObject.toStub(this); - } + return RemoteObject.toStub(this); } /** @@ -207,7 +213,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl { RMIConnection client = new RMIConnectionImpl(this, connectionId, getDefaultClassLoader(), subject, env); - export(client); + export(client, jmxRmiFilter); return client; } @@ -224,56 +230,39 @@ public class RMIJRMPServerImpl extends RMIServerImpl { * server failed. */ protected void closeServer() throws IOException { - if (exportedWrapper != null) { - unexport(exportedWrapper, true); - } else { - unexport(this, true); + unexport(this, true); + } + + /** + * Check that a type in the remote invocation of {@link RMIServerImpl#newClient} + * is one of the {@code allowedTypes}. + * + * @param clazz the class; may be null + * @param size the size for arrays, otherwise is 0 + * @param nObjectRefs the current number of object references + * @param depth the current depth + * @param streamBytes the current number of bytes consumed + * @return {@code ObjectInputFilter.Status.ALLOWED} if the class is allowed, + * otherwise {@code ObjectInputFilter.Status.REJECTED} + */ + ObjectInputFilter.Status newClientCheckInput(ObjectInputFilter.FilterInfo filterInfo) { + ObjectInputFilter.Status status = ObjectInputFilter.Status.UNDECIDED; + if (allowedTypes != null && filterInfo.serialClass() != null) { + // If enabled, check type + String type = filterInfo.serialClass().getName(); + if (allowedTypes.contains(type)) + status = ObjectInputFilter.Status.ALLOWED; + else + status = ObjectInputFilter.Status.REJECTED; } + return status; } private final int port; private final RMIClientSocketFactory csf; private final RMIServerSocketFactory ssf; private final Map env; - - private static class ExportedWrapper implements RMIServer, DeserializationChecker { - private final RMIServer impl; - private final List allowedTypes; - - private ExportedWrapper(RMIServer impl, List credentialsTypes) { - this.impl = impl; - allowedTypes = credentialsTypes; - } - - @Override - public String getVersion() throws RemoteException { - return impl.getVersion(); - } - - @Override - public RMIConnection newClient(Object credentials) throws IOException { - return impl.newClient(credentials); - } - - @Override - public void check(Method method, ObjectStreamClass descriptor, - int paramIndex, int callID) { - String type = descriptor.getName(); - if (!allowedTypes.contains(type)) { - throw new ClassCastException("Unsupported type: " + type); - } - } - - @Override - public void checkProxyClass(Method method, String[] ifaces, - int paramIndex, int callID) { - if (ifaces != null && ifaces.length > 0) { - for (String iface : ifaces) { - if (!allowedTypes.contains(iface)) { - throw new ClassCastException("Unsupported type: " + iface); - } - } - } - } - } + private final Set allowedTypes; + private final ObjectInputFilter jmxRmiFilter; + private final ObjectInputFilter cFilter; } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java index 2944e5d0f1..d04e9292fd 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java @@ -35,8 +35,6 @@ import java.security.AccessControlException; import java.security.Permission; import java.rmi.server.RMIClassLoader; import java.security.PrivilegedAction; -import jdk.internal.misc.ObjectStreamClassValidator; -import jdk.internal.misc.SharedSecrets; /** * MarshalInputStream is an extension of ObjectInputStream. When resolving @@ -54,11 +52,6 @@ import jdk.internal.misc.SharedSecrets; * @author Peter Jones */ public class MarshalInputStream extends ObjectInputStream { - interface StreamChecker extends ObjectStreamClassValidator { - void checkProxyInterfaceNames(String[] ifaces); - } - - private volatile StreamChecker streamChecker = null; /** * Value of "java.rmi.server.useCodebaseOnly" property, @@ -245,11 +238,6 @@ public class MarshalInputStream extends ObjectInputStream { protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { - StreamChecker checker = streamChecker; - if (checker != null) { - checker.checkProxyInterfaceNames(interfaces); - } - /* * Always read annotation written by MarshalOutputStream. */ @@ -330,28 +318,4 @@ public class MarshalInputStream extends ObjectInputStream { void useCodebaseOnly() { useCodebaseOnly = true; } - - synchronized void setStreamChecker(StreamChecker checker) { - streamChecker = checker; - SharedSecrets.getJavaObjectInputStreamAccess().setValidator(this, checker); - } - @Override - protected ObjectStreamClass readClassDescriptor() throws IOException, - ClassNotFoundException { - ObjectStreamClass descriptor = super.readClassDescriptor(); - - validateDesc(descriptor); - - return descriptor; - } - - private void validateDesc(ObjectStreamClass descriptor) { - StreamChecker checker; - synchronized (this) { - checker = streamChecker; - } - if (checker != null) { - checker.validateDescriptor(descriptor); - } - } } diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java index f0a4e0f4e0..9dbaed70c5 100644 --- a/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java +++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java @@ -30,7 +30,6 @@ import java.io.ObjectInput; import java.io.ObjectInputFilter; import java.io.ObjectInputStream; import java.io.ObjectOutput; -import java.io.ObjectStreamClass; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.rmi.AccessException; @@ -330,11 +329,16 @@ public class UnicastServerRef extends UnicastRef logCall(obj, method); // unmarshal parameters - Object[] params = null; + Class[] types = method.getParameterTypes(); + Object[] params = new Object[types.length]; try { unmarshalCustomCallData(in); - params = unmarshalParameters(obj, method, marshalStream); + // Unmarshal the parameters + for (int i = 0; i < types.length; i++) { + params[i] = unmarshalValue(types[i], in); + } + } catch (AccessException aex) { // For compatibility, AccessException is not wrapped in UnmarshalException // disable saving any refs in the inputStream for GC @@ -600,84 +604,4 @@ public class UnicastServerRef extends UnicastRef } } - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Perform any necessary checks. - */ - private Object[] unmarshalParameters(Object obj, Method method, MarshalInputStream in) - throws IOException, ClassNotFoundException { - return (obj instanceof DeserializationChecker) ? - unmarshalParametersChecked((DeserializationChecker)obj, method, in) : - unmarshalParametersUnchecked(method, in); - } - - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Do not perform any additional checks. - */ - private Object[] unmarshalParametersUnchecked(Method method, ObjectInput in) - throws IOException, ClassNotFoundException { - Class[] types = method.getParameterTypes(); - Object[] params = new Object[types.length]; - for (int i = 0; i < types.length; i++) { - params[i] = unmarshalValue(types[i], in); - } - return params; - } - - /** - * Unmarshal parameters for the given method of the given instance over - * the given marshalinputstream. Do perform all additional checks. - */ - private Object[] unmarshalParametersChecked( - DeserializationChecker checker, - Method method, MarshalInputStream in) - throws IOException, ClassNotFoundException { - int callID = methodCallIDCount.getAndIncrement(); - MyChecker myChecker = new MyChecker(checker, method, callID); - in.setStreamChecker(myChecker); - try { - Class[] types = method.getParameterTypes(); - Object[] values = new Object[types.length]; - for (int i = 0; i < types.length; i++) { - myChecker.setIndex(i); - values[i] = unmarshalValue(types[i], in); - } - myChecker.end(callID); - return values; - } finally { - in.setStreamChecker(null); - } - } - - private static class MyChecker implements MarshalInputStream.StreamChecker { - private final DeserializationChecker descriptorCheck; - private final Method method; - private final int callID; - private int parameterIndex; - - MyChecker(DeserializationChecker descriptorCheck, Method method, int callID) { - this.descriptorCheck = descriptorCheck; - this.method = method; - this.callID = callID; - } - - @Override - public void validateDescriptor(ObjectStreamClass descriptor) { - descriptorCheck.check(method, descriptor, parameterIndex, callID); - } - - @Override - public void checkProxyInterfaceNames(String[] ifaces) { - descriptorCheck.checkProxyClass(method, ifaces, parameterIndex, callID); - } - - void setIndex(int parameterIndex) { - this.parameterIndex = parameterIndex; - } - - void end(int callId) { - descriptorCheck.end(callId); - } - } } diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java index 322b180eab..dae6b95c8b 100644 --- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java +++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; -import java.io.Serializable; +import java.io.ObjectInputFilter; import java.lang.management.ManagementFactory; import java.net.InetAddress; import java.net.MalformedURLException; @@ -45,14 +45,12 @@ import java.rmi.RemoteException; import java.rmi.registry.Registry; import java.rmi.server.RMIClientSocketFactory; import java.rmi.server.RMIServerSocketFactory; -import java.rmi.server.RMISocketFactory; import java.rmi.server.RemoteObject; import java.rmi.server.UnicastRemoteObject; import java.security.KeyStore; import java.security.Principal; import java.util.HashMap; import java.util.HashSet; -import java.util.Iterator; import java.util.Map; import java.util.Properties; import java.util.Set; @@ -84,6 +82,7 @@ import jdk.internal.agent.FileSystem; import sun.rmi.server.UnicastRef; import sun.rmi.server.UnicastServerRef; import sun.rmi.server.UnicastServerRef2; +import sun.rmi.transport.LiveRef; /** * This class initializes and starts the RMIConnectorServer for JSR 163 @@ -142,6 +141,8 @@ public final class ConnectorBootstrap { "com.sun.management.jmxremote.ssl.need.client.auth"; public static final String SSL_CONFIG_FILE_NAME = "com.sun.management.jmxremote.ssl.config.file"; + public static final String SERIAL_FILTER_PATTERN = + "com.sun.management.jmxremote.serial.filter.pattern"; } /** @@ -182,7 +183,8 @@ public final class ConnectorBootstrap { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter filter) throws RemoteException { synchronized (this) { @@ -193,9 +195,9 @@ public final class ConnectorBootstrap { final UnicastServerRef ref; if (csf == null && ssf == null) { - ref = new UnicastServerRef(port); + ref = new UnicastServerRef(new LiveRef(port), filter); } else { - ref = new UnicastServerRef2(port, csf, ssf); + ref = new UnicastServerRef2(port, csf, ssf, filter); } return ref.exportObject(obj, null, true); } @@ -435,6 +437,7 @@ public final class ConnectorBootstrap { final String bindAddress = props.getProperty(PropertyNames.HOST); + final String jmxRmiFilter = props.getProperty(PropertyNames.SERIAL_FILTER_PATTERN); if (logger.isLoggable(Level.DEBUG)) { logger.log(Level.DEBUG, "startRemoteConnectorServer", @@ -471,7 +474,7 @@ public final class ConnectorBootstrap { sslConfigFileName, enabledCipherSuitesList, enabledProtocolsList, sslNeedClientAuth, useAuthentication, loginConfigName, - passwordFileName, accessFileName, bindAddress); + passwordFileName, accessFileName, bindAddress, jmxRmiFilter); cs = data.jmxConnectorServer; url = data.jmxRemoteURL; config("startRemoteConnectorServer", @@ -511,9 +514,7 @@ public final class ConnectorBootstrap { // This RMI server should not keep the VM alive Map env = new HashMap<>(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, new PermanentExporter()); - env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ - String[].class.getName(), String.class.getName() - }); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); // The local connector server need only be available via the // loopback connection. @@ -729,7 +730,8 @@ public final class ConnectorBootstrap { String loginConfigName, String passwordFileName, String accessFileName, - String bindAddress) + String bindAddress, + String jmxRmiFilter) throws IOException, MalformedURLException { /* Make sure we use non-guessable RMI object IDs. Otherwise @@ -744,9 +746,11 @@ public final class ConnectorBootstrap { PermanentExporter exporter = new PermanentExporter(); env.put(RMIExporter.EXPORTER_ATTRIBUTE, exporter); - env.put(RMIConnectorServer.CREDENTIAL_TYPES, new String[]{ - String[].class.getName(), String.class.getName() - }); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*"); + + if(jmxRmiFilter != null && !jmxRmiFilter.isEmpty()) { + env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, jmxRmiFilter); + } boolean useSocketFactory = bindAddress != null && !useSsl; diff --git a/jdk/src/jdk.management.agent/share/conf/management.properties b/jdk/src/jdk.management.agent/share/conf/management.properties index 02401d78be..3bf88daf63 100644 --- a/jdk/src/jdk.management.agent/share/conf/management.properties +++ b/jdk/src/jdk.management.agent/share/conf/management.properties @@ -329,3 +329,42 @@ # The format of the value for that property is any string accepted # by java.net.InetAddress.getByName(String). # + +# ################ Filter for ObjectInputStream ############################# +# com.sun.management.jmxremote.serial.filter.pattern= +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. diff --git a/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java new file mode 100644 index 0000000000..4216545214 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java @@ -0,0 +1,333 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + /* + * @test + * @bug 8159377 + * @library /lib/testlibrary + * @summary Tests ObjectFilter on default agent + * @author Harsha Wardhana B + * @modules java.management + * @build jdk.testlibrary.* DefaultAgentFilterTest + * @run main/othervm/timeout=600 -XX:+UsePerfData DefaultAgentFilterTest + */ +import java.io.EOFException; +import java.io.File; +import java.io.IOException; +import java.io.InvalidClassException; +import java.io.Serializable; +import java.lang.reflect.InvocationTargetException; +import java.net.BindException; +import java.rmi.UnmarshalException; +import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.concurrent.atomic.AtomicBoolean; +import javax.management.MBeanServerConnection; +import javax.management.ObjectName; +import javax.management.remote.JMXConnector; +import javax.management.remote.JMXConnectorFactory; +import javax.management.remote.JMXServiceURL; + +import jdk.testlibrary.ProcessTools; +import jdk.testlibrary.Utils; + +public class DefaultAgentFilterTest { + + public static class MyTestObject implements Serializable { + + String a; + int id; + } + + public interface TestMBean { + + public void op1(HashSet params); + + public void op2(String s, HashSet params); + + public void op3(MyTestObject obj, String s, HashMap param); + } + + public static class Test implements TestMBean { + + @Override + public void op1(HashSet params) { + System.out.println("Invoked op1"); + } + + @Override + public void op2(String s, HashSet params) { + System.out.println("Invoked op2"); + } + + @Override + public void op3(MyTestObject obj, String s, HashMap param) { + System.out.println("Invoked op3"); + } + } + + private static class TestAppRun implements AutoCloseable { + + private Process p; + private final ProcessBuilder pb; + private final String name; + private final AtomicBoolean started = new AtomicBoolean(false); + private volatile long pid = -1; + + public TestAppRun(ProcessBuilder pb, String name) { + this.pb = pb; + this.name = name; + } + + public synchronized void start() throws Exception { + if (started.compareAndSet(false, true)) { + try { + AtomicBoolean error = new AtomicBoolean(false); + AtomicBoolean bindError = new AtomicBoolean(false); + p = ProcessTools.startProcess( + TEST_APP_NAME + "{" + name + "}", + pb, + (line) -> { + if (line.toLowerCase().contains("exception") + || line.toLowerCase().contains("error")) { + error.set(true); + } + bindError.set(line.toLowerCase().contains("bindexception")); + return true; + }); + if (bindError.get()) { + throw new BindException("Process could not be started"); + } else if (error.get()) { + throw new RuntimeException(); + } + pid = p.pid(); + } catch (Exception ex) { + if (p != null) { + p.destroy(); + p.waitFor(); + } + throw ex; + } + } + } + + public long getPid() { + return pid; + } + + public synchronized void stop() + throws IOException, InterruptedException { + if (started.compareAndSet(true, false)) { + p.getOutputStream().write(0); + p.getOutputStream().flush(); + int ec = p.waitFor(); + if (ec != 0) { + StringBuilder msg = new StringBuilder(); + msg.append("Test application '").append(name); + msg.append("' failed with exit code: "); + msg.append(ec); + System.err.println(msg); + } + } + } + + @Override + public void close() throws Exception { + stop(); + } + } + + private static final String TEST_APP_NAME = "TestApp"; + + private static void testDefaultAgent(String propertyFile) throws Exception { + int port = Utils.getFreePort(); + String propFile = System.getProperty("test.src") + File.separator + propertyFile; + List pbArgs = new ArrayList<>(Arrays.asList( + "-cp", + System.getProperty("test.class.path"), + "-XX:+UsePerfData" + )); + String[] args = new String[]{ + "-Dcom.sun.management.jmxremote.port=" + port, + "-Dcom.sun.management.jmxremote.authenticate=false", + "-Dcom.sun.management.jmxremote.ssl=false", + "-Dcom.sun.management.config.file=" + propFile + }; + pbArgs.addAll(Arrays.asList(args)); + pbArgs.add(TEST_APP_NAME); + + ProcessBuilder pb = ProcessTools.createJavaProcessBuilder( + pbArgs.toArray(new String[pbArgs.size()]) + ); + + try (TestAppRun s = new TestAppRun(pb, DefaultAgentFilterTest.class.getSimpleName())) { + s.start(); + JMXServiceURL url = testConnect(port); + testMBeanOperations(url); + } + } + + private static JMXServiceURL testConnect(int port) throws Exception { + EOFException lastException = null; + JMXServiceURL url = null; + // factor adjusted timeout (5 seconds) for the RMI to become available + long timeout = System.currentTimeMillis() + Utils.adjustTimeout(5000); + do { + lastException = null; + try { + Registry registry = LocateRegistry.getRegistry(port); + String[] relist = registry.list(); + for (int i = 0; i < relist.length; ++i) { + System.out.println("Got registry: " + relist[i]); + } + String jmxUrlStr = String.format( + "service:jmx:rmi:///jndi/rmi://localhost:%d/jmxrmi", + port); + url = new JMXServiceURL(jmxUrlStr); + + try (JMXConnector c = JMXConnectorFactory.connect(url, null)) { + MBeanServerConnection conn = c.getMBeanServerConnection(); + ObjectName name = new ObjectName("jtreg:type=Test"); + conn.createMBean(Test.class.getName(), name); + } + } catch (Exception ex) { + if (ex instanceof EOFException) { + lastException = (EOFException) ex; + System.out.println("Error establishing RMI connection. Retrying in 500ms."); + Thread.sleep(500); + } else { + throw ex; + } + } + } while (lastException != null && System.currentTimeMillis() < timeout); + if (lastException != null) { + throw lastException; + } + return url; + } + + public static void main(String[] args) throws Exception { + System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: starting ..."); + + boolean retry = false; + do { + try { + // blacklist String + testDefaultAgent("mgmt1.properties"); + System.out.println("----\tTest FAILED !!"); + throw new RuntimeException("---" + DefaultAgentFilterTest.class.getName() + " - No exception reported"); + } catch (Exception ex) { + if (ex instanceof InvocationTargetException) { + if (ex.getCause() instanceof BindException + || ex.getCause() instanceof java.rmi.ConnectException) { + System.out.println("Failed to allocate ports. Retrying ..."); + retry = true; + } + } else if (ex instanceof InvalidClassException) { + System.out.println("----\tTest PASSED !!"); + } else if (ex instanceof UnmarshalException + && ((UnmarshalException) ex).getCause() instanceof InvalidClassException) { + System.out.println("----\tTest PASSED !!"); + } else { + System.out.println(ex); + System.out.println("----\tTest FAILED !!"); + throw ex; + } + } + } while (retry); + retry = false; + do { + try { + // blacklist non-existent class + testDefaultAgent("mgmt2.properties"); + System.out.println("----\tTest PASSED !!"); + } catch (Exception ex) { + if (ex instanceof InvocationTargetException) { + if (ex.getCause() instanceof BindException + || ex.getCause() instanceof java.rmi.ConnectException) { + System.out.println("Failed to allocate ports. Retrying ..."); + retry = true; + } + } else { + System.out.println(ex); + System.out.println("----\tTest FAILED !!"); + throw ex; + } + } + } while (retry); + + System.out.println("---" + DefaultAgentFilterTest.class.getName() + "-main: finished ..."); + } + + private static void testMBeanOperations(JMXServiceURL serverUrl) throws Exception { + Map clientEnv = new HashMap<>(1); + ObjectName name = new ObjectName("jtreg:type=Test"); + try (JMXConnector client = JMXConnectorFactory.connect(serverUrl, clientEnv)) { + MBeanServerConnection conn = client.getMBeanServerConnection(); + + HashSet set = new HashSet<>(); + set.add("test1"); + set.add("test2"); + + String a = "A"; + + Object[] params1 = {set}; + String[] sig1 = {HashSet.class.getName()}; + conn.invoke(name, "op1", params1, sig1); + + Object[] params2 = {a, set}; + String[] sig2 = {String.class.getName(), HashSet.class.getName()}; + conn.invoke(name, "op2", params2, sig2); + + HashMap map = new HashMap<>(); + map.put("a", "A"); + map.put("b", "B"); + + Object[] params3 = {new MyTestObject(), a, map}; + String[] sig3 = {MyTestObject.class.getName(), String.class.getName(), + HashMap.class.getName()}; + conn.invoke(name, "op3", params3, sig3); + } + } +} + +class TestApp { + + private static void doSomething() throws IOException { + int r = System.in.read(); + System.out.println("read: " + r); + } + + public static void main(String args[]) throws Exception { + System.out.println("main enter"); + System.out.flush(); + doSomething(); + System.out.println("main exit"); + } +} diff --git a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java new file mode 100644 index 0000000000..78ae27bb64 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java @@ -0,0 +1,147 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + /* + * @test + * @bug 8159377 + * @summary Tests ObjectInputFilter on RMIServer.newClient + * @author Harsha Wardhana B + * @modules java.management + * @run clean NewRMIClientFilterTest + * @run build NewRMIClientFilterTest + * @run main NewRMIClientFilterTest + */ +import java.io.InvalidClassException; +import java.io.Serializable; +import java.lang.management.ManagementFactory; +import java.util.HashMap; +import java.util.Map; +import javax.management.remote.JMXConnector; +import javax.management.remote.JMXConnectorFactory; +import javax.management.remote.JMXConnectorServer; +import javax.management.remote.JMXConnectorServerFactory; +import javax.management.remote.JMXServiceURL; +import javax.management.remote.rmi.RMIConnectorServer; + +public class NewRMIClientFilterTest { + + public static void main(String[] args) throws Exception { + System.out.println("---NewRMIClientFilterTest-main: starting ..."); + String filter1 = java.lang.String.class.getName() + ";!*"; + String filter2 = java.lang.String.class.getName() + ";" + MyCredentials.class.getName() + ";!*"; + + JMXServiceURL url = new JMXServiceURL("rmi", null, 0); + JMXServiceURL serverUrl = null; + Map env = new HashMap<>(1); + JMXConnectorServer server = null; + + System.out.println("\n---NewRMIClientFilterTest-main: testing types = null"); + server = newServer(url, null); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + doTest(serverUrl, new Object[]{new MyCredentials(), "toto"}); + server.stop(); + + System.out.println("\n---NewRMIClientFilterTest-main: testing types = String[]"); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, + filter1); + server = newServer(url, env); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + try { + doTest(serverUrl, new MyCredentials()); + throw new Error("Bad client is not refused!"); + } catch (Exception e) { + isInvalidClassEx(e); + } finally { + server.stop(); + } + + System.out.println("\n---NewRMIClientFilterTest-main: testing user specific types = String, MyCredentials"); + env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, + filter2); + server = newServer(url, env); + serverUrl = server.getAddress(); + doTest(serverUrl, null); + doTest(serverUrl, new String[]{"toto", "titi"}); + doTest(serverUrl, new MyCredentials[]{new MyCredentials(), (MyCredentials) null}); + try { + doTest(serverUrl, new Object[]{"toto", new byte[3]}); + throw new Error("Bad client is not refused!"); + } catch (Exception e) { + isInvalidClassEx(e); + } finally { + server.stop(); + } + + System.out.println("---NewRMIClientFilterTest-main PASSED!!!"); + } + + private static void doTest(JMXServiceURL serverAddr, Object credentials) throws Exception { + System.out.println("---NewRMIClientFilterTest-test:\n\tserver address: " + + serverAddr + "\n\tcredentials: " + credentials); + + Map env = new HashMap<>(1); + env.put("jmx.remote.credentials", credentials); + JMXConnector client = null; + try { + client = JMXConnectorFactory.connect(serverAddr, env); + client.getMBeanServerConnection().getDefaultDomain(); + } finally { + try { + client.close(); + } catch (Exception e) { + } + } + System.out.println("---NewRMIClientFilterTest-test: PASSED!"); + } + + private static JMXConnectorServer newServer(JMXServiceURL url, Map env) + throws Exception { + JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer( + url, + env, + ManagementFactory.getPlatformMBeanServer()); + + server.start(); + return server; + } + + private static class MyCredentials implements Serializable { + } + + private static void isInvalidClassEx(Exception e) { + Throwable cause = e; + while (cause != null) { + if (cause instanceof InvalidClassException) { + System.out.println("---NewRMIClientFilterTest-InvalidClassException expected: " + cause); + return; + } + cause = cause.getCause(); + } + e.printStackTrace(); + throw new RuntimeException("Did not get expected InvalidClassException!"); + } +} diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties new file mode 100644 index 0000000000..17f81fa2ec --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/mgmt1.properties @@ -0,0 +1,38 @@ +# ################ Filter for ObjectInputStream ############################# +com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$MyTestObject +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties b/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties new file mode 100644 index 0000000000..d29d746d92 --- /dev/null +++ b/jdk/test/javax/management/remote/mandatory/connection/mgmt2.properties @@ -0,0 +1,38 @@ +# ################ Filter for ObjectInputStream ############################# +com.sun.management.jmxremote.serial.filter.pattern=!DefaultAgentFilterTest$ThisTypeIsNotUsed +# A filter, if configured, is used by java.io.ObjectInputStream during +# deserialization of parameters sent to the JMX default agent to validate the +# contents of the stream. +# A filter is configured as a sequence of patterns, each pattern is either +# matched against the name of a class in the stream or defines a limit. +# Patterns are separated by ";" (semicolon). +# Whitespace is significant and is considered part of the pattern. +# +# If a pattern includes a "=", it sets a limit. +# If a limit appears more than once the last value is used. +# Limits are checked before classes regardless of the order in the sequence of patterns. +# If any of the limits are exceeded, the filter status is REJECTED. +# +# maxdepth=value - the maximum depth of a graph +# maxrefs=value - the maximum number of internal references +# maxbytes=value - the maximum number of bytes in the input stream +# maxarray=value - the maximum array length allowed +# +# Other patterns, from left to right, match the class or package name as +# returned from Class.getName. +# If the class is an array type, the class or package to be matched is the element type. +# Arrays of any number of dimensions are treated the same as the element type. +# For example, a pattern of "!example.Foo", rejects creation of any instance or +# array of example.Foo. +# +# If the pattern starts with "!", the status is REJECTED if the remaining pattern +# is matched; otherwise the status is ALLOWED if the pattern matches. +# If the pattern contains "/", the non-empty prefix up to the "/" is the module name; +# if the module name matches the module name of the class then +# the remaining pattern is matched with the class name. +# If there is no "/", the module name is not compared. +# If the pattern ends with ".**" it matches any class in the package and all subpackages. +# If the pattern ends with ".*" it matches any class in the package. +# If the pattern ends with "*", it matches any class with the pattern as a prefix. +# If the pattern is equal to the class name, it matches. +# Otherwise, the status is UNDECIDED. \ No newline at end of file diff --git a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java index 3b010e38a1..5d79b06fd3 100644 --- a/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java +++ b/jdk/test/javax/management/remote/mandatory/connectorServer/RMIExporterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -47,6 +47,7 @@ import javax.management.remote.JMXConnectorServer; import javax.management.remote.JMXConnectorServerFactory; import javax.management.remote.JMXServiceURL; import com.sun.jmx.remote.internal.rmi.RMIExporter; +import java.io.ObjectInputFilter; public class RMIExporterTest { @@ -60,7 +61,8 @@ public class RMIExporterTest { public Remote exportObject(Remote obj, int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf) + RMIServerSocketFactory ssf, + ObjectInputFilter unused) throws RemoteException { System.out.println("CustomRMIExporter::exportObject():: " + "Remote = " + obj); From 7f31d076f86338792c76ebbc382505357ce71dd7 Mon Sep 17 00:00:00 2001 From: Bradford Wetmore Date: Thu, 14 Sep 2017 15:36:00 -0700 Subject: [PATCH 117/269] 8169080: Improve documentation examples for crypto applications Reviewed-by: mullan --- .../classes/java/security/MessageDigest.java | 4 +-- .../classes/java/security/Signature.java | 9 +++--- .../classes/java/security/SignedObject.java | 13 ++++---- .../share/classes/javax/crypto/Cipher.java | 30 ++++++++++--------- .../share/classes/javax/crypto/CipherSpi.java | 26 ++++++++-------- .../share/classes/javax/crypto/Mac.java | 2 +- .../classes/javax/crypto/SealedObject.java | 4 +-- 7 files changed, 44 insertions(+), 44 deletions(-) diff --git a/jdk/src/java.base/share/classes/java/security/MessageDigest.java b/jdk/src/java.base/share/classes/java/security/MessageDigest.java index be163c179f..4f4987ceb4 100644 --- a/jdk/src/java.base/share/classes/java/security/MessageDigest.java +++ b/jdk/src/java.base/share/classes/java/security/MessageDigest.java @@ -57,7 +57,7 @@ import javax.crypto.SecretKey; * and catching the CloneNotSupportedException: * * 
{@code
- * MessageDigest md = MessageDigest.getInstance("SHA");
+ * MessageDigest md = MessageDigest.getInstance("SHA-256");
  *
  * try {
  *     md.update(toChapter1);
@@ -496,7 +496,7 @@ public abstract class MessageDigest extends MessageDigestSpi {
     /**
      * Returns a string that identifies the algorithm, independent of
      * implementation details. The name should be a standard
-     * Java Security name (such as "SHA", "MD5", and so on).
+     * Java Security name (such as "SHA-256").
      * See the MessageDigest section in the 
      * Java Security Standard Algorithm Names Specification
diff --git a/jdk/src/java.base/share/classes/java/security/Signature.java b/jdk/src/java.base/share/classes/java/security/Signature.java
index c7c25831a3..3f0a9d9677 100644
--- a/jdk/src/java.base/share/classes/java/security/Signature.java
+++ b/jdk/src/java.base/share/classes/java/security/Signature.java
@@ -51,11 +51,10 @@ import sun.security.jca.GetInstance.Instance;
  * authentication and integrity assurance of digital data.
  *
  * 
 The signature algorithm can be, among others, the NIST standard
- * DSA, using DSA and SHA-1. The DSA algorithm using the
- * SHA-1 message digest algorithm can be specified as {@code SHA1withDSA}.
- * In the case of RSA, there are multiple choices for the message digest
- * algorithm, so the signing algorithm could be specified as, for example,
- * {@code MD2withRSA}, {@code MD5withRSA}, or {@code SHA1withRSA}.
+ * DSA, using DSA and SHA-256. The DSA algorithm using the
+ * SHA-256 message digest algorithm can be specified as {@code SHA256withDSA}.
+ * In the case of RSA the signing algorithm could be specified as, for example,
+ * {@code SHA256withRSA}.
  * The algorithm name must be specified, as there is no default.
  *
  * 
 A Signature object can be used to generate and verify digital
diff --git a/jdk/src/java.base/share/classes/java/security/SignedObject.java b/jdk/src/java.base/share/classes/java/security/SignedObject.java
index 810c570657..7ef3eca558 100644
--- a/jdk/src/java.base/share/classes/java/security/SignedObject.java
+++ b/jdk/src/java.base/share/classes/java/security/SignedObject.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,13 +81,12 @@ import java.io.*;
  * verification in an attempt to bypass a security check.
  *
  * 
 The signature algorithm can be, among others, the NIST standard
- * DSA, using DSA and SHA-1.  The algorithm is specified using the
+ * DSA, using DSA and SHA-256.  The algorithm is specified using the
  * same convention as that for signatures. The DSA algorithm using the
- * SHA-1 message digest algorithm can be specified, for example, as
- * "SHA/DSA" or "SHA-1/DSA" (they are equivalent).  In the case of
- * RSA, there are multiple choices for the message digest algorithm,
- * so the signing algorithm could be specified as, for example,
- * "MD2/RSA", "MD5/RSA" or "SHA-1/RSA".  The algorithm name must be
+ * SHA-256 message digest algorithm can be specified, for example, as
+ * "SHA256withDSA".  In the case of
+ * RSA the signing algorithm could be specified as, for example,
+ * "SHA256withRSA".  The algorithm name must be
  * specified, as there is no default.
  *
  * 
 The name of the Cryptography Package Provider is designated
diff --git a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java
index 4982a87bbe..cd603f2231 100644
--- a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java
+++ b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java
@@ -59,7 +59,7 @@ import sun.security.jca.*;
  * 
A transformation is a string that describes the operation (or
  * set of operations) to be performed on the given input, to produce some
  * output. A transformation always includes the name of a cryptographic
- * algorithm (e.g., DES), and may be followed by a feedback mode and
+ * algorithm (e.g., AES), and may be followed by a feedback mode and
  * padding scheme.
  *
  * 
 A transformation is of the form:
@@ -75,17 +75,19 @@ import sun.security.jca.*;
  * For example, the following is a valid transformation:
  *
  * 
- *     Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
+ *     Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
  * 

  *
  * Using modes such as {@code CFB} and {@code OFB}, block
  * ciphers can encrypt data in units smaller than the cipher's actual
  * block size.  When requesting such a mode, you may optionally specify
  * the number of bits to be processed at a time by appending this number
- * to the mode name as shown in the "{@code DES/CFB8/NoPadding}" and
- * "{@code DES/OFB32/PKCS5Padding}" transformations. If no such
- * number is specified, a provider-specific default is used. (For
- * example, the SunJCE provider uses a default of 64 bits for DES.)
+ * to the mode name as shown in the "{@code AES/CFB8/NoPadding}" and
+ * "{@code AES/OFB32/PKCS5Padding}" transformations. If no such
+ * number is specified, a provider-specific default is used.
+ * (See the
+ * {@extLink security_guide_jdk_providers JDK Providers Documentation}
+ * for the JDK Providers default values.)
  * Thus, block ciphers can be turned into byte-oriented stream ciphers by
  * using an 8 bit mode such as CFB8 or OFB8.
  * 

@@ -308,7 +310,7 @@ public class Cipher {
         /*
          * array containing the components of a Cipher transformation:
          *
-         * index 0: algorithm component (e.g., DES)
+         * index 0: algorithm component (e.g., AES)
          * index 1: feedback component (e.g., CFB)
          * index 2: padding component (e.g., PKCS5Padding)
          */
@@ -354,8 +356,8 @@ public class Cipher {
         // transform string to lookup in the provider
         final String transform;
         // the mode/padding suffix in upper case. for example, if the algorithm
-        // to lookup is "DES/CBC/PKCS5Padding" suffix is "/CBC/PKCS5PADDING"
-        // if loopup is "DES", suffix is the empty string
+        // to lookup is "AES/CBC/PKCS5Padding" suffix is "/CBC/PKCS5PADDING"
+        // if lookup is "AES", suffix is the empty string
         // needed because aliases prevent straight transform.equals()
         final String suffix;
         // value to pass to setMode() or null if no such call required
@@ -440,11 +442,11 @@ public class Cipher {
         }
 
         if ((mode == null) && (pad == null)) {
-            // DES
+            // AES
             Transform tr = new Transform(alg, "", null, null);
             return Collections.singletonList(tr);
         } else { // if ((mode != null) && (pad != null)) {
-            // DES/CBC/PKCS5Padding
+            // AES/CBC/PKCS5Padding
             List list = new ArrayList<>(4);
             list.add(new Transform(alg, "/" + mode + "/" + pad, null, null));
             list.add(new Transform(alg, "/" + mode, null, pad));
@@ -488,7 +490,7 @@ public class Cipher {
      * {@link Security#getProviders() Security.getProviders()}.
      *
      * @param transformation the name of the transformation, e.g.,
-     * DES/CBC/PKCS5Padding.
+     * AES/CBC/PKCS5Padding.
      * See the Cipher section in the 
      * Java Security Standard Algorithm Names Specification
@@ -566,7 +568,7 @@ public class Cipher {
      * the {@link Security#getProviders() Security.getProviders()} method.
      *
      * @param transformation the name of the transformation,
-     * e.g., DES/CBC/PKCS5Padding.
+     * e.g., AES/CBC/PKCS5Padding.
      * See the Cipher section in the 
      * Java Security Standard Algorithm Names Specification
@@ -626,7 +628,7 @@ public class Cipher {
      * does not have to be registered in the provider list.
      *
      * @param transformation the name of the transformation,
-     * e.g., DES/CBC/PKCS5Padding.
+     * e.g., AES/CBC/PKCS5Padding.
      * See the Cipher section in the 
      * Java Security Standard Algorithm Names Specification
diff --git a/jdk/src/java.base/share/classes/javax/crypto/CipherSpi.java b/jdk/src/java.base/share/classes/javax/crypto/CipherSpi.java
index ce7258157d..72bfa803bd 100644
--- a/jdk/src/java.base/share/classes/javax/crypto/CipherSpi.java
+++ b/jdk/src/java.base/share/classes/javax/crypto/CipherSpi.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -59,7 +59,7 @@ import java.nio.ByteBuffer;
  * 
A transformation is a string that describes the operation (or
  * set of operations) to be performed on the given input, to produce some
  * output. A transformation always includes the name of a cryptographic
- * algorithm (e.g., DES), and may be followed by a feedback mode and
+ * algorithm (e.g., AES), and may be followed by a feedback mode and
  * padding scheme.
  *
  * 
 A transformation is of the form:
@@ -75,7 +75,7 @@ import java.nio.ByteBuffer;
  * For example, the following is a valid transformation:
  *
  * 
- *     Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
+ *     Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
  * 

  *
  * 
A provider may supply a separate class for each combination
@@ -125,32 +125,32 @@ import java.nio.ByteBuffer;
  * 
  *
  * 
For example, a provider may supply a subclass of CipherSpi
- * that implements DES/ECB/PKCS5Padding, one that implements
- * DES/CBC/PKCS5Padding, one that implements
- * DES/CFB/PKCS5Padding, and yet another one that implements
- * DES/OFB/PKCS5Padding. That provider would have the following
+ * that implements AES/ECB/PKCS5Padding, one that implements
+ * AES/CBC/PKCS5Padding, one that implements
+ * AES/CFB/PKCS5Padding, and yet another one that implements
+ * AES/OFB/PKCS5Padding. That provider would have the following
  * Cipher properties in its master class:
  *
  * 
    
  *
  * 
  • 
  * 
    - *     Cipher.DES/ECB/PKCS5Padding
+ *     Cipher.AES/ECB/PKCS5Padding
  * 
    
  *
  * 
  • 
  * 
    - *     Cipher.DES/CBC/PKCS5Padding
+ *     Cipher.AES/CBC/PKCS5Padding
  * 
    
  *
  * 
  • 
  * 
    - *     Cipher.DES/CFB/PKCS5Padding
+ *     Cipher.AES/CFB/PKCS5Padding
  * 
    
  *
  * 
  • 
  * 
    - *     Cipher.DES/OFB/PKCS5Padding
+ *     Cipher.AES/OFB/PKCS5Padding
  * 
    
  *
  * 

@@ -158,7 +158,7 @@ import java.nio.ByteBuffer;
  * 
Another provider may implement a class for each of the above modes
  * (i.e., one class for ECB, one for CBC, one for CFB,
  * and one for OFB), one class for PKCS5Padding,
- * and a generic DES class that subclasses from CipherSpi.
+ * and a generic AES class that subclasses from CipherSpi.
  * That provider would have the following
  * Cipher properties in its master class:
  *
@@ -166,7 +166,7 @@ import java.nio.ByteBuffer;
  *
  * 
  • 
  * 
    - *     Cipher.DES
+ *     Cipher.AES
  * 
    
  *
  * 
diff --git a/jdk/src/java.base/share/classes/javax/crypto/Mac.java b/jdk/src/java.base/share/classes/javax/crypto/Mac.java
index 245f12f693..ad7dae8891 100644
--- a/jdk/src/java.base/share/classes/javax/crypto/Mac.java
+++ b/jdk/src/java.base/share/classes/javax/crypto/Mac.java
@@ -50,7 +50,7 @@ import sun.security.jca.GetInstance.Instance;
  *
  * 
     A MAC mechanism that is based on cryptographic hash functions is
  * referred to as HMAC. HMAC can be used with any cryptographic hash function,
- * e.g., MD5 or SHA-1, in combination with a secret shared key. HMAC is
+ * e.g., SHA256 or SHA384, in combination with a secret shared key. HMAC is
  * specified in RFC 2104.
  *
  * 
     Every implementation of the Java platform is required to support
diff --git a/jdk/src/java.base/share/classes/javax/crypto/SealedObject.java b/jdk/src/java.base/share/classes/javax/crypto/SealedObject.java
index 743125bf0f..3d657423aa 100644
--- a/jdk/src/java.base/share/classes/javax/crypto/SealedObject.java
+++ b/jdk/src/java.base/share/classes/javax/crypto/SealedObject.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,7 +40,7 @@ import java.security.NoSuchProviderException;
  * 
     Given any Serializable object, one can create a SealedObject
  * that encapsulates the original object, in serialized
  * format (i.e., a "deep copy"), and seals (encrypts) its serialized contents,
- * using a cryptographic algorithm such as DES, to protect its
+ * using a cryptographic algorithm such as AES, to protect its
  * confidentiality.  The encrypted content can later be decrypted (with
  * the corresponding algorithm using the correct decryption key) and
  * de-serialized, yielding the original object.

From 33234b6287528ff0ab274333ac408ae95c024957 Mon Sep 17 00:00:00 2001
From: Bradford Wetmore 
Date: Thu, 14 Sep 2017 15:37:37 -0700
Subject: [PATCH 118/269] 8186093: A comment in the java.security configuration
 file incorrectly says that strong but "limited" is the default value

Reviewed-by: mullan
---
 .../share/conf/security/java.security         | 68 ++++++++-----------
 .../share/conf/security/policy/README.txt     | 62 +++++++++++------
 2 files changed, 68 insertions(+), 62 deletions(-)

diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security
index 18e8a7b612..f7b761821e 100644
--- a/jdk/src/java.base/share/conf/security/java.security
+++ b/jdk/src/java.base/share/conf/security/java.security
@@ -678,6 +678,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
     EC keySize < 224
 
+#
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
 #
@@ -742,6 +743,7 @@ jdk.tls.legacyAlgorithms= \
         RC4_128, RC4_40, DES_CBC, DES40_CBC, \
         3DES_EDE_CBC
 
+#
 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
 #
@@ -799,54 +801,38 @@ jdk.tls.legacyAlgorithms= \
 #       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
 #       FFFFFFFF FFFFFFFF, 2}
 
+#
 # Cryptographic Jurisdiction Policy defaults
 #
-# Due to the import control restrictions of some countries, the default
-# JCE policy files allow for strong but "limited" cryptographic key
-# lengths to be used.  If your country's cryptographic regulations allow,
-# the "unlimited" strength policy files can be used instead, which contain
-# no restrictions on cryptographic strengths.
+# Import and export control rules on cryptographic software vary from
+# country to country.  By default, Java provides two different sets of
+# cryptographic policy files[1]:
 #
-# If your country has restrictions that don't fit either "limited" or
-# "unlimited", an appropriate set of policy files should be created and
-# configured before using this distribution.  The jurisdiction policy file
-# configuration must reflect the cryptographic restrictions appropriate
-# for your country.
+#     unlimited:  These policy files contain no restrictions on cryptographic
+#                 strengths or algorithms
+#
+#     limited:    These policy files contain more restricted cryptographic
+#                 strengths
+#
+# The default setting is determined by the value of the “crypto.policy”
+# Security property below. If your country or usage requires the
+# traditional restrictive policy, the “limited” Java cryptographic
+# policy is still available and may be appropriate for your environment.
+#
+# If you have restrictions that do not fit either use case mentioned
+# above, Java provides the capability to customize these policy files.
+# The “crypto.policy” security property points to a subdirectory
+# within /conf/security/policy/ which can be customized.
+# Please see the /conf/security/policy/README.txt file or consult
+# the Java Security Guide/JCA documentation for more information.
 #
 # YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
 # TO DETERMINE THE EXACT REQUIREMENTS.
 #
-# The policy files are flat text files organized into subdirectories of
-# /conf/security/policy.  Each directory contains a complete
-# set of policy files.
-#
-# The "crypto.policy" Security property controls the directory selection,
-# and thus the effective cryptographic policy.
-#
-# The default set of directories is:
-#
-#     limited | unlimited
-#
-# however other directories can be created and configured.
-#
-# Within a directory, the effective policy is the combined minimum
-# permissions of the grant statements in the file(s) with the filename
-# pattern "default_*.policy".  At least one grant is required.  For
-# example:
-#
-#     limited   =  Export (all) + Import (limited)  =  Limited
-#     unlimited =  Export (all) + Import (all)      =  Unlimited
-#
-# The effective exemption policy is the combined minimum permissions
-# of the grant statements in the file(s) with the filename pattern
-# "exempt_*.policy".  Exemption grants are optional.
-#
-#     limited   =  grants exemption permissions, by which the
-#                  effective policy can be circumvented.
-#                  e.g.  KeyRecovery/Escrow/Weakening.
-#
-# Please see the JCA documentation for additional information on these
-# files and formats.
+# [1] Please note that the JCE for Java SE, including the JCE framework,
+# cryptographic policy files, and standard JCE providers provided with
+# the Java SE, have been reviewed and approved for export as mass market
+# encryption item by the US Bureau of Industry and Security.
 #
 # Note: This property is currently used by the JDK Reference implementation.
 # It is not guaranteed to be examined and used by other implementations.
diff --git a/jdk/src/java.base/share/conf/security/policy/README.txt b/jdk/src/java.base/share/conf/security/policy/README.txt
index 3e0e2294a8..e9138e79a4 100644
--- a/jdk/src/java.base/share/conf/security/policy/README.txt
+++ b/jdk/src/java.base/share/conf/security/policy/README.txt
@@ -5,30 +5,50 @@
                                README
 ------------------------------------------------------------------------
 
+Import and export control rules on cryptographic software vary from
+country to country.  The Java Cryptography Extension (JCE) architecture
+allows flexible cryptographic key strength to be configured via the
+jurisdiction policy files which are referenced by the “crypto.policy”
+security property in the /conf/security/java.security file.
 
-The JCE architecture allows flexible cryptographic strength to be
-configured via the jurisdiction policy files contained within these
-directories.
+By default, Java provides two different sets of cryptographic policy
+files:
 
-The default JCE policy files bundled in this Java Runtime Environment
-allow for "unlimited" cryptographic strengths.  For convenience,
-this build also contains the historic "limited" strength policy files
-which contain restrictions on cryptographic strengths, but they must be
-specifically activated by updating the "crypto.policy" Security property
-(e.g. /conf/security/java.security) to point to the appropriate
-directory.
+    unlimited:  These policy files contain no restrictions on cryptographic
+                strengths or algorithms
 
-Each subdirectory contains a complete policy configuration, and additional
-subdirectories can be added/removed to reflect local regulations.
+    limited:    These policy files contain more restricted cryptographic
+                strengths
 
-JCE for Java SE has been through the U.S. export review process.  The JCE
-framework, along with the various JCE providers that come standard with it
-(SunJCE, SunEC, SunPKCS11, SunMSCAPI, etc), is exportable from the
-United States.
+These files reside in /conf/security/policy in the “unlimited”
+or “limited” subdirectories respectively.
 
-You are advised to consult your export/import control counsel or attorney
-to determine the exact requirements of your location, and what policy
-settings should be used.
+Each subdirectory contains a complete policy configuration,
+and subdirectories can be added/edited/removed to reflect your
+import or export control product requirements.
 
-Please see The Java(TM) Cryptography Architecture (JCA) Reference
-Guide and the java.security file for more information.
+Within a subdirectory, the effective policy is the combined minimum
+permissions of the grant statements in the file(s) matching the filename
+pattern "default_*.policy".  At least one grant is required.  For example:
+
+    limited   =  Export (all) + Import (limited)  =  Limited
+    unlimited =  Export (all) + Import (all)      =  Unlimited
+
+The effective exemption policy is the combined minimum permissions
+of the grant statements in the file(s) matching the filename pattern
+"exempt_*.policy".  Exemption grants are optional.  For example:
+
+    limited   =  grants exemption permissions, by which the
+                 effective policy can be circumvented.
+                 e.g.  KeyRecovery/KeyEscrow/KeyWeakening.
+
+Please see the Java Cryptography Architecture (JCA) documentation for
+additional information on these files and formats.
+
+YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+TO DETERMINE THE EXACT REQUIREMENTS.
+
+Please note that the JCE for Java SE, including the JCE framework,
+cryptographic policy files, and standard JCE providers provided with
+the Java SE, have been reviewed and approved for export as mass market
+encryption item by the US Bureau of Industry and Security.

From 08087fd631fc5a5410df0e44a2599f70c2395a9f Mon Sep 17 00:00:00 2001
From: Phil Race 
Date: Fri, 22 Sep 2017 11:45:44 -0700
Subject: [PATCH 119/269] 8186867: Improve native glyph layouts

Reviewed-by: serb, rhalade, mschoene
---
 .../native/libfontmanager/layout/LookupTables.cpp    | 12 ++++++------
 .../native/libfontmanager/layout/LookupTables.h      | 10 +++++-----
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.cpp b/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.cpp
index d51d0d7728..22848a1b5b 100644
--- a/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.cpp
+++ b/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.cpp
@@ -52,9 +52,9 @@ U_NAMESPACE_BEGIN
 const LookupSegment *BinarySearchLookupTable::lookupSegment(const LETableReference &base, const LookupSegment *segments, LEGlyphID glyph, LEErrorCode &success) const
 {
 
-    le_int16  unity = SWAPW(unitSize);
-    le_int16  probe = SWAPW(searchRange);
-    le_int16  extra = SWAPW(rangeShift);
+    le_uint16  unity = SWAPW(unitSize);
+    le_uint16  probe = SWAPW(searchRange);
+    le_uint16  extra = SWAPW(rangeShift);
     TTGlyphID ttGlyph = (TTGlyphID) LE_GET_GLYPH(glyph);
     LEReferenceTo entry(base, success, segments);
     LEReferenceTo trial(entry, success, extra);
@@ -84,9 +84,9 @@ const LookupSegment *BinarySearchLookupTable::lookupSegment(const LETableReferen
 
 const LookupSingle *BinarySearchLookupTable::lookupSingle(const LETableReference &base, const LookupSingle *entries, LEGlyphID glyph, LEErrorCode &success) const
 {
-    le_int16  unity = SWAPW(unitSize);
-    le_int16  probe = SWAPW(searchRange);
-    le_int16  extra = SWAPW(rangeShift);
+    le_uint16  unity = SWAPW(unitSize);
+    le_uint16  probe = SWAPW(searchRange);
+    le_uint16  extra = SWAPW(rangeShift);
     TTGlyphID ttGlyph = (TTGlyphID) LE_GET_GLYPH(glyph);
     LEReferenceTo entry(base, success, entries);
     LEReferenceTo trial(entry, success, extra);
diff --git a/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.h b/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.h
index f15c7decac..8e1e50bee4 100644
--- a/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.h
+++ b/jdk/src/java.desktop/share/native/libfontmanager/layout/LookupTables.h
@@ -74,11 +74,11 @@ struct LookupSingle
 
 struct BinarySearchLookupTable : LookupTable
 {
-    le_int16 unitSize;
-    le_int16 nUnits;
-    le_int16 searchRange;
-    le_int16 entrySelector;
-    le_int16 rangeShift;
+    le_uint16 unitSize;
+    le_uint16 nUnits;
+    le_uint16 searchRange;
+    le_uint16 entrySelector;
+    le_uint16 rangeShift;
 
     const LookupSegment *lookupSegment(const LETableReference &base, const LookupSegment *segments, LEGlyphID glyph, LEErrorCode &success) const;
 

From 94f0f52b297b377ad9385108eba537411c3f898c Mon Sep 17 00:00:00 2001
From: Ujwal Vangapally 
Date: Mon, 25 Sep 2017 19:44:28 +0530
Subject: [PATCH 120/269] 8186998: Improve JMX supportive features

Improve JMX supportive features

Reviewed-by: mchung, dfuchs, rriggs, hb, skoivu, rhalade
---
 .../sun/rmi/registry/RegistryImpl.java        |  2 +-
 .../jmxremote/SingleEntryRegistry.java        |  4 +--
 .../nonLocalAccess/NonLocalJMXRemoteTest.java | 28 +++++++++++++++++--
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java
index af012faeb7..9fe3f0b06a 100644
--- a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java
@@ -177,7 +177,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
             }
         } else {
             LiveRef lref = new LiveRef(id, port, csf, ssf);
-            setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
+            setup(new UnicastServerRef2(lref, serialFilter));
         }
     }
 
diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
index c29df19c1a..098f2a51a7 100644
--- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
+++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@ import sun.rmi.registry.RegistryImpl;
 public class SingleEntryRegistry extends RegistryImpl {
     SingleEntryRegistry(int port, String name, Remote object)
             throws RemoteException {
-        super(port);
+        super(port, null, null, SingleEntryRegistry::singleRegistryFilter);
         this.name = name;
         this.object = object;
     }
diff --git a/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java b/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java
index d05aff18f5..959445d410 100644
--- a/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java
+++ b/jdk/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java
@@ -43,14 +43,37 @@ import java.util.Set;
  * This tests the SingleEntryRegistry implemented by JMX.
  * This test is a manual test and uses JMX running on a *different* host.
  * JMX can be enabled in any Java runtime; for example:
- * login or ssh to the different host and invoke rmiregistry with arguments below.
+ *
+ * Note: Use remote host with latest JDK update release for invoking rmiregistry.
+ *
+ * Note: Test should be ran twice once using arg1 and once using arg2.
+ *
+ * login or ssh to the remote host and invoke rmiregistry with arg1.
  * It will not show any output.
- * {@code $JDK_HOME/bin/rmiregistry \
+ * Execute the test, after test completes execution, stop the server.
+ *
+ * repeat above step using arg2 and execute the test.
+ *
+ *
+ * arg1: {@code $JDK_HOME/bin/rmiregistry \
  *         -J-Dcom.sun.management.jmxremote.port=8888 \
  *         -J-Dcom.sun.management.jmxremote.local.only=false \
  *         -J-Dcom.sun.management.jmxremote.ssl=false \
  *         -J-Dcom.sun.management.jmxremote.authenticate=false
  * }
+ *
+ *
+ * replace "jmx-registry-host" with the hostname or IP address of the remote host
+ * for property "-J-Dcom.sun.management.jmxremote.host" below.
+ *
+ * arg2: {@code $JDK_HOME/bin/rmiregistry \
+ *         -J-Dcom.sun.management.jmxremote.port=8888 \
+ *         -J-Dcom.sun.management.jmxremote.local.only=false \
+ *         -J-Dcom.sun.management.jmxremote.ssl=false \
+ *         -J-Dcom.sun.management.jmxremote.authenticate=false \
+ *         -J-Dcom.sun.management.jmxremote.host="jmx-registry-host"
+ * }
+ *
  * On the first host modify the @run command above to replace "jmx-registry-host"
  * with the hostname or IP address of the different host and run the test with jtreg.
  */
@@ -123,6 +146,7 @@ public class NonLocalJMXRemoteTest {
             if (asIndex < 0 ||
                     disallowIndex < 0 ||
                     nonLocalHostIndex < 0 ) {
+                System.out.println("Exception message is " + msg);
                 throw new RuntimeException("exception message is malformed", t);
             }
             System.out.printf("Found expected AccessException: %s%n%n", t);

From 2f9020bb40ff0b6cfa496e1a7e595e2025851f9d Mon Sep 17 00:00:00 2001
From: Rob McKenna 
Date: Fri, 30 Jun 2017 18:09:15 +0100
Subject: [PATCH 121/269] 8183297: Allow duplicate bugid for changeset in jdk9
 update forest

Reviewed-by: coffeys
---
 jdk/.jcheck/conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.jcheck/conf b/jdk/.jcheck/conf
index 5c6f62dc12..9bd9e92741 100644
--- a/jdk/.jcheck/conf
+++ b/jdk/.jcheck/conf
@@ -1 +1,2 @@
 project=jdk9
+bugids=dup

From b7382ee2edb2af3999f4914d3e455c12dc561adf Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 5 Jul 2017 17:20:00 -0700
Subject: [PATCH 122/269] Added tag jdk-9.0.3+00 for changeset edb8a7381fd4

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 98bbdae371..29e822bccc 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -417,3 +417,4 @@ b25838a28195f4b6dab34668411eedd2d366a16c jdk-9+169
 2c25fc24103251f9711a1c280c31e1e41016d90f jdk-9+172
 88d7fd969e7df0e07a53b201cfd29393ca33ede9 jdk-9+173
 5466f409346e0446ee9a6daeb7f5d75c8fc76823 jdk-9+174
+023f93e511bae768203c33bb8681f82ee75014da jdk-9.0.3+00

From 0e537769c9854261d9d0ee7c7ad834fa07dd62ee Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 5 Jul 2017 17:20:23 -0700
Subject: [PATCH 123/269] Added tag jdk-9.0.3+00 for changeset 0f92043fb825

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 9deff2db56..c0441a9ab1 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -577,3 +577,4 @@ d53171650a2cc6c6f699c966c533b914ca9c0602 jdk-9+171
 1ae9e84f68b359420d2d153ecfe5ee2903e33a2e jdk-9+172
 e64b1cb48d6e7703928a9d1da106fc27f8cb65fd jdk-9+173
 944791f8160185bffa13fbb821fc09b6198f1f25 jdk-9+174
+ca47dcfdd35129fe3ab2dab71b2601d7a0ff07c0 jdk-9.0.3+00

From 6c7ac46e01c1302afb7d0626183c5b795c29ce16 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 10 Jul 2017 18:16:37 +0200
Subject: [PATCH 124/269] 8181788: Unable to build JDK10 on SPARC-M8 machines

Reviewed-by: tbell
---
 common/conf/jib-profiles.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 54ccfcecd5..bad4544d17 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -387,7 +387,7 @@ var getJibProfilesCommon = function (input, data) {
     // on such hardware.
     if (input.build_cpu == "sparcv9") {
        var cpu_brand = $EXEC("bash -c \"kstat -m cpu_info | grep brand | head -n1 | awk '{ print \$2 }'\"");
-       if (cpu_brand.trim().match('SPARC-.7')) {
+       if (cpu_brand.trim().match('SPARC-.[78]')) {
            boot_jdk_revision = "8u20";
            boot_jdk_subdirpart = "1.8.0_20";
        }

From e94a99e975ca634786ed3b503350fdb16a0d5a87 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 10 Jul 2017 18:25:28 +0200
Subject: [PATCH 125/269] 8183934: Change version number in 9.0.3 to 9.0.3

Reviewed-by: tbell
---
 common/autoconf/version-numbers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/autoconf/version-numbers b/common/autoconf/version-numbers
index 4cb5467118..268e66b71a 100644
--- a/common/autoconf/version-numbers
+++ b/common/autoconf/version-numbers
@@ -27,7 +27,7 @@
 
 DEFAULT_VERSION_MAJOR=9
 DEFAULT_VERSION_MINOR=0
-DEFAULT_VERSION_SECURITY=0
+DEFAULT_VERSION_SECURITY=3
 DEFAULT_VERSION_PATCH=0
 
 LAUNCHER_NAME=openjdk

From 3eb11fa1b8ee75397820156f1edad14fcbe05459 Mon Sep 17 00:00:00 2001
From: Pavel Rappo 
Date: Wed, 26 Jul 2017 17:44:06 +0100
Subject: [PATCH 126/269] 8181612: More stable connection processing

Reviewed-by: chegar, coffeys, ahgross, joehw, rhalade
---
 .../java.base/share/classes/sun/net/ftp/impl/FtpClient.java   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java b/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java
index 7180884ec6..21994bde72 100644
--- a/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java
+++ b/jdk/src/java.base/share/classes/sun/net/ftp/impl/FtpClient.java
@@ -115,8 +115,8 @@ public class FtpClient extends sun.net.ftp.FtpClient {
                 new PrivilegedAction() {
 
                     public Object run() {
-                        vals[0] = Integer.getInteger("sun.net.client.defaultReadTimeout", 0).intValue();
-                        vals[1] = Integer.getInteger("sun.net.client.defaultConnectTimeout", 0).intValue();
+                        vals[0] = Integer.getInteger("sun.net.client.defaultReadTimeout", 300_000).intValue();
+                        vals[1] = Integer.getInteger("sun.net.client.defaultConnectTimeout", 300_000).intValue();
                         encs[0] = System.getProperty("file.encoding", "ISO8859_1");
                         return null;
                     }

From 6e451d4290048b75d88253f62932654d71ad1376 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Thu, 3 Aug 2017 11:41:10 -0700
Subject: [PATCH 127/269] Added tag jdk-9.0.3+4 for changeset dc5a038b2a6a

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index f4b275e88b..22b2a4ff34 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -427,3 +427,4 @@ e6c4f6ef717d104dba880e2dae538690c993b46f jdk-9+175
 383a0001f6a0981aa061bf62d7562240abec0b18 jdk-9.0.3+1
 77eba1b12ee981b9d7e6b10b33b233669a1cb23e jdk-9.0.3+2
 f13da3f2da08667ff74541440bb5d67b2dad1aa9 jdk-9.0.3+3
+d9b9658b2bd59ac9ca9d17209dcc487a9cf4bff2 jdk-9.0.3+4

From 93f29c36e656961af2ce1ff9f1fec0d854e1dde4 Mon Sep 17 00:00:00 2001
From: Phil Race 
Date: Thu, 3 Aug 2017 18:56:59 +0000
Subject: [PATCH 128/269] Added tag jdk-9+181 for changeset d27ed723cb13

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index df28072c0e..eca1738714 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -423,3 +423,4 @@ e6c4f6ef717d104dba880e2dae538690c993b46f jdk-9+175
 443025bee731eb2225371b92c1c74b519b7baf33 jdk-9+178
 06df1ce4b9b887d05ce6a13f4def3547e434dd1a jdk-9+179
 4feab1acec6a9c3620a19ff379a65ab8618d0e2a jdk-9+180
+bd66ea2fdde3d60a73b5272263a7b8b0ca926a33 jdk-9+181

From 8d4b5479eed322d943ddee8fd2611a838bacb136 Mon Sep 17 00:00:00 2001
From: Li Jiang 
Date: Thu, 3 Aug 2017 08:30:03 -0700
Subject: [PATCH 129/269] 8185785: 9.0.3 L10n resource file update

Reviewed-by: coffeys
---
 .../sun/launcher/resources/launcher_de.properties    | 10 ++++++----
 .../sun/launcher/resources/launcher_es.properties    | 12 +++++++-----
 .../sun/launcher/resources/launcher_fr.properties    |  9 ++++++---
 .../sun/launcher/resources/launcher_it.properties    | 10 ++++++----
 .../sun/launcher/resources/launcher_ja.properties    | 10 ++++++----
 .../sun/launcher/resources/launcher_ko.properties    | 10 ++++++----
 .../sun/launcher/resources/launcher_pt_BR.properties | 12 +++++++-----
 .../sun/launcher/resources/launcher_sv.properties    | 12 +++++++-----
 .../sun/launcher/resources/launcher_zh_CN.properties | 12 +++++++-----
 .../sun/launcher/resources/launcher_zh_TW.properties | 12 +++++++-----
 .../sun/security/tools/keytool/Resources_de.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_es.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_fr.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_it.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_ja.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_ko.java     |  6 +++++-
 .../sun/security/tools/keytool/Resources_pt_BR.java  |  4 ++++
 .../sun/security/tools/keytool/Resources_sv.java     |  4 ++++
 .../sun/security/tools/keytool/Resources_zh_CN.java  |  4 ++++
 .../sun/security/tools/keytool/Resources_zh_TW.java  |  8 ++++++--
 .../classes/sun/awt/resources/awt_ko.properties      |  2 +-
 21 files changed, 109 insertions(+), 48 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_de.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_de.properties
index c311de2bcf..1d9aad17ec 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_de.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_de.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  zur Auswahl der "{1}" VM\n
 java.launcher.opt.hotspot    =\    {0}\t  ist ein Synonym f\u00FCr die "{1}" VM  [verworfen]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n                  und ZIP-Archiven, in denen nach Klassendateien gesucht wird.\n    -p \n    --module-path ...\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, von denen jedes Verzeichnis\n                  ein Verzeichnis mit Modulen ist.\n    --upgrade-module-path ...\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, von denen jedes Verzeichnis\n                  ein Verzeichnis mit Modulen ist, die upgradef\u00E4hige\n                  Module im Laufzeitimage ersetzen\n    --add-modules [,...]\n                  Root-Module, die zus\u00E4tzlich zum anf\u00E4nglichen Modul aufgel\u00F6st werden sollen.\n                   kann auch wie folgt lauten: ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  Listet beobachtbare Module auf und beendet den Vorgang\n    --d \n    --describe-module \n                  Beschreibt ein Modul und beendet den Vorgang\n    --dry-run     Erstellt eine VM und l\u00E4dt die Hauptklasse, f\u00FChrt aber nicht die Hauptmethode aus.\n                  Die Option "--dry-run" kann n\u00FCtzlich sein, um die\n                  Befehlszeilenoptionen, wie die Modulsystemkonfiguration, zu validieren.\n    --validate-modules\n                  Validiert alle Module und beendet den Vorgang\n                  Die Option "--validate-modules" kann n\u00FCtzlich sein, um\n                  Konflikte und andere Fehler mit Modulen auf dem Modulpfad zu ermitteln.\n    -D=\n                  Legt eine Systemeigenschaft fest\n    -verbose:[class|module|gc|jni]\n                  Ausgabe im Verbose-Modus aktivieren\n    -version      Gibt die Produktversion an den Fehlerstream aus und beendet den Vorgang\n    --version      Gibt die Produktversion an den Outputstream aus und beendet den Vorgang\n    -showversion  Gibt die Produktversion an den Fehlerstream aus und setzt den Vorgang fort\n    --show-version\n                  Gibt die Produktversion an den Outputstream aus und setzt den Vorgang fort\n    --show-module-resolution\n                  Zeigt die Modulaufl\u00F6sungsausgabe beim Start an\n    -? -h -help\n                  Gibt diese Hilfemeldung an den Fehlerstream aus\n    --help        Gibt diese Hilfemeldung an den Outputstream aus\n    -X            Gibt Hilfe zu zus\u00E4tzlichen Optionen an den Fehlerstream aus\n    --help-extra  Gibt Hilfe zu zus\u00E4tzlichen Optionen an den Outputstream aus\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  Aktiviert Assertions mit angegebener Granularit\u00E4t\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  Deaktiviert Assertions mit angegebener Granularit\u00E4t\n    -esa | -enablesystemassertions\n                  Aktiviert System-Assertions\n    -dsa | -disablesystemassertions\n                  Deaktiviert System-Assertions\n    -agentlib:[=]\n                  L\u00E4dt die native Agent Library . Beispiel: -agentlib:jdwp\n                  siehe auch -agentlib:jdwp=help\n    -agentpath:[=]\n                  L\u00E4dt die native Agent Library mit dem vollst\u00E4ndigen Pfadnamen\n    -javaagent:[=]\n                  L\u00E4dt den Java-Programmiersprachen-Agent, siehe java.lang.instrument\n    -splash:\n                  Zeigt den Startbildschirm mit einem angegebenen Bild an\n                  Skalierte HiDPI-Bilder werden automatisch \
+java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Eine durch {0} getrennte Liste mit Verzeichnissen, JAR-Archiven\n                  und ZIP-Archiven, in denen nach Klassendateien gesucht wird.\n    -p \n    --module-path ...\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, von denen jedes Verzeichnis\n                  ein Verzeichnis mit Modulen ist.\n    --upgrade-module-path ...\n                  Eine durch {0} getrennte Liste mit Verzeichnissen, von denen jedes Verzeichnis\n                  ein Verzeichnis mit Modulen ist, die upgradef\u00E4hige\n                  Module im Laufzeitimage ersetzen\n    --add-modules [,...]\n                  Root-Module, die zus\u00E4tzlich zum anf\u00E4nglichen Modul aufgel\u00F6st werden sollen.\n                   kann auch wie folgt lauten: ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  Listet beobachtbare Module auf und beendet den Vorgang\n    -d \n    --describe-module \n                  Beschreibt ein Modul und beendet den Vorgang\n    --dry-run     Erstellt eine VM und l\u00E4dt die Hauptklasse, f\u00FChrt aber nicht die Hauptmethode aus.\n                  Die Option "--dry-run" kann n\u00FCtzlich sein, um die\n                  Befehlszeilenoptionen, wie die Modulsystemkonfiguration, zu validieren.\n    --validate-modules\n                  Validiert alle Module und beendet den Vorgang\n                  Die Option "--validate-modules" kann n\u00FCtzlich sein, um\n                  Konflikte und andere Fehler mit Modulen auf dem Modulpfad zu ermitteln.\n    -D=\n                  Legt eine Systemeigenschaft fest\n    -verbose:[class|module|gc|jni]\n                  Ausgabe im Verbose-Modus aktivieren\n    -version      Gibt die Produktversion an den Fehlerstream aus und beendet den Vorgang\n    --version      Gibt die Produktversion an den Outputstream aus und beendet den Vorgang\n    -showversion  Gibt die Produktversion an den Fehlerstream aus und setzt den Vorgang fort\n    --show-version\n                  Gibt die Produktversion an den Outputstream aus und setzt den Vorgang fort\n    --show-module-resolution\n                  Zeigt die Modulaufl\u00F6sungsausgabe beim Start an\n    -? -h -help\n                  Gibt diese Hilfemeldung an den Fehlerstream aus\n    --help        Gibt diese Hilfemeldung an den Outputstream aus\n    -X            Gibt Hilfe zu zus\u00E4tzlichen Optionen an den Fehlerstream aus\n    --help-extra  Gibt Hilfe zu zus\u00E4tzlichen Optionen an den Outputstream aus\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  Aktiviert Assertions mit angegebener Granularit\u00E4t\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  Deaktiviert Assertions mit angegebener Granularit\u00E4t\n    -esa | -enablesystemassertions\n                  Aktiviert System-Assertions\n    -dsa | -disablesystemassertions\n                  Deaktiviert System-Assertions\n    -agentlib:[=]\n                  L\u00E4dt die native Agent Library . Beispiel: -agentlib:jdwp\n                  siehe auch -agentlib:jdwp=help\n    -agentpath:[=]\n                  L\u00E4dt die native Agent Library mit dem vollst\u00E4ndigen Pfadnamen\n    -javaagent:[=]\n                  L\u00E4dt den Java-Programmiersprachen-Agent, siehe java.lang.instrument\n    -splash:\n                  Zeigt den Startbildschirm mit einem angegebenen Bild an\n                  Skalierte HiDPI-Bilder werden automatisch \
 unterst\u00FCtzt und verwendet,\n                  falls verf\u00FCgbar. Der nicht skalierte Bilddateiname (Beispiel: image.ext)\n                  muss immer als Argument an die Option "-splash" \u00FCbergeben werden.\n                  Das am besten geeignete angegebene skalierte Bild wird\n                  automatisch ausgew\u00E4hlt.\n                  Weitere Informationen finden Sie in der Dokumentation zur SplashScreen-API\n    @argument files\n                  Eine oder mehrere Argumentdateien mit Optionen\n    -disable-@files\n                  Verhindert die weitere Erweiterung von Argumentdateien\nUm ein Argument f\u00FCr eine lange Option anzugeben, k\u00F6nnen Sie --= oder\n--  verwenden.\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           Deaktiviert Hintergrundkompilierung\n    -Xbootclasspath/a: \n                      an Ende von Bootstrap Classpath anh\u00E4ngen\n    -Xcheck:jni       F\u00FChrt zus\u00E4tzliche Pr\u00FCfungen f\u00FCr JNI-Funktionen aus\n    -Xcomp            Erzwingt Kompilierung von Methoden beim ersten Aufruf\n    -Xdebug           Wird zur Abw\u00E4rtskompatiblit\u00E4t bereitgestellt\n    -Xdiag            Zeigt zus\u00E4tzliche Diagnosemeldungen an\n    -Xfuture          Aktiviert strengste Pr\u00FCfungen, wird als m\u00F6glicher zuk\u00FCnftiger Standardwert erwartet\n    -Xint             Nur Ausf\u00FChrung im interpretierten Modus\n    -Xinternalversion\n                      Zeigt detailliertere JVM-Versionsinformationen an als die\n                      Option "-version"\n    -Xloggc:    Protokolliert GC-Status in einer Datei mit Zeitstempeln\n    -Xmixed           Ausf\u00FChrung im gemischten Modus (Standard)\n    -Xmn        Legt die anf\u00E4ngliche und die maximale Gr\u00F6\u00DFe (in Byte) des Heaps\n                      f\u00FCr die junge Generation (Nursery) fest\n    -Xms        Legt die anf\u00E4ngliche Java-Heap-Gr\u00F6\u00DFe fest\n    -Xmx        Legt die maximale Java-Heap-Gr\u00F6\u00DFe fest\n    -Xnoclassgc       Deaktiviert die Klassen-Garbage Collection\n    -Xprof            Gibt CPU-Profilierungsdaten aus (veraltet)\n    -Xrs              Reduziert die Verwendung von BS-Signalen durch Java/VM (siehe Dokumentation)\n    -Xshare:auto      Verwendet, wenn m\u00F6glich, freigegebene Klassendaten (Standard)\n    -Xshare:off       Versucht nicht, freigegebene Klassendaten zu verwenden\n    -Xshare:on        Erfordert die Verwendung von freigegebenen Klassendaten, verl\u00E4uft sonst nicht erfolgreich.\n    -XshowSettings    Zeigt alle Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:all\n                      Zeigt alle Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:locale\n                      Zeigt alle gebietsschemabezogenen Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:properties\n                      Zeigt alle Eigenschaftseinstellungen an und f\u00E4hrt fort\n    -XshowSettings:vm Zeigt alle VM-bezogenen Einstellungen an und f\u00E4hrt fort\n    -Xss        Legt Stack-Gr\u00F6\u00DFe des Java-Threads fest\n    -Xverify          Legt den Modus der Bytecodeverifizierung fest\n    --add-reads =(,)*\n                      Aktualisiert , damit  ungeachtet der\n                      Moduldeklaration gelesen wird. \n                       kann ALL-UNNAMED sein, um alle unbenannten\n                      Module zu lesen.\n    --add-exports /=(,)*\n                      Aktualisiert , um  ungeachtet der Moduldeklaration\n                        in  zu exportieren.\n                       kann ALL-UNNAMED sein, um in alle \n                      unbenannten Module zu exportieren.\n    --add-opens /=(,)*\n                      Aktualisiert , um  ungeachtet der Moduldeklaration\n                      in  zu \u00F6ffnen.\n    --limit-modules [,...]\n                      Grenzt die Gesamtmenge der beobachtbaren Module ein\n   --patch-module =({0})*\n                      \u00DCberschreibt oder erweitert ein Modul in JAR-Dateien\n                      oder -Verzeichnissen mit \
-Klassen und Ressourcen.\n    --disable-@files  Deaktiviert die weitere Erweiterung von Argumentdateien\n\nDiese zus\u00E4tzlichen Optionen k\u00F6nnen ohne Vorank\u00FCndigung ge\u00E4ndert werden.
+java.launcher.X.usage=\n    -Xbatch           Deaktiviert Hintergrundkompilierung\n    -Xbootclasspath/a: \n                      an Ende von Bootstrap Classpath anh\u00E4ngen\n    -Xcheck:jni       F\u00FChrt zus\u00E4tzliche Pr\u00FCfungen f\u00FCr JNI-Funktionen aus\n    -Xcomp            Erzwingt Kompilierung von Methoden beim ersten Aufruf\n    -Xdebug           Wird zur Abw\u00E4rtskompatibilit\u00E4t bereitgestellt\n    -Xdiag            Zeigt zus\u00E4tzliche Diagnosemeldungen an\n    -Xfuture          Aktiviert strengste Pr\u00FCfungen, wird als m\u00F6glicher zuk\u00FCnftiger Standardwert erwartet\n    -Xint             Nur Ausf\u00FChrung im interpretierten Modus\n    -Xinternalversion\n                      Zeigt detailliertere JVM-Versionsinformationen an als die\n                      Option "-version"\n    -Xloggc:    Protokolliert GC-Status in einer Datei mit Zeitstempeln\n    -Xmixed           Ausf\u00FChrung im gemischten Modus (Standard)\n    -Xmn        Legt die anf\u00E4ngliche und die maximale Gr\u00F6\u00DFe (in Byte) des Heaps\n                      f\u00FCr die junge Generation (Nursery) fest\n    -Xms        Legt die anf\u00E4ngliche Java-Heap-Gr\u00F6\u00DFe fest\n    -Xmx        Legt die maximale Java-Heap-Gr\u00F6\u00DFe fest\n    -Xnoclassgc       Deaktiviert die Klassen-Garbage Collection\n    -Xprof            Gibt CPU-Profilierungsdaten aus (veraltet)\n    -Xrs              Reduziert die Verwendung von BS-Signalen durch Java/VM (siehe Dokumentation)\n    -Xshare:auto      Verwendet, wenn m\u00F6glich, freigegebene Klassendaten (Standard)\n    -Xshare:off       Versucht nicht, freigegebene Klassendaten zu verwenden\n    -Xshare:on        Erfordert die Verwendung von freigegebenen Klassendaten, verl\u00E4uft sonst nicht erfolgreich.\n    -XshowSettings    Zeigt alle Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:all\n                      Zeigt alle Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:locale\n                      Zeigt alle gebietsschemabezogenen Einstellungen an und f\u00E4hrt fort\n    -XshowSettings:properties\n                      Zeigt alle Eigenschaftseinstellungen an und f\u00E4hrt fort\n    -XshowSettings:vm Zeigt alle VM-bezogenen Einstellungen an und f\u00E4hrt fort\n    -Xss        Legt Stackgr\u00F6\u00DFe des Java-Threads fest\n    -Xverify          Legt den Modus der Bytecodeverifizierung fest\n    --add-reads =(,)*\n                      Aktualisiert , damit  ungeachtet der\n                      Moduldeklaration gelesen wird. \n                       kann ALL-UNNAMED sein, um alle unbenannten\n                      Module zu lesen.\n    --add-exports /=(,)*\n                      Aktualisiert , um  ungeachtet der Moduldeklaration\n                        in  zu exportieren.\n                       kann ALL-UNNAMED sein, um in alle \n                      unbenannten Module zu exportieren.\n    --add-opens /=(,)*\n                      Aktualisiert , um  ungeachtet der Moduldeklaration\n                      in  zu \u00F6ffnen.\n    --illegal-access=\n                      L\u00E4sst Zugriff f\u00FCr Mitglieder mit den Typen in den benannten Modulen\n                      nach Code in unbenannten Modulen zu oder lehnt ihn ab.\n                       ist entweder "ablehnen", "zulassen", "warnen" oder "debuggen".\n                      Diese Option wird in einem zuk\u00FCnftigen Release entfernt.\n    --limit-modules [,...]\n                      Grenzt die Gesamtmenge der beobachtbaren Module ein\n   --patch-module =({0})*\n                      \u00DCberschreibt oder \
+erweitert ein Modul in JAR-Dateien\n                      oder -Verzeichnissen mit Klassen und Ressourcen.\n    --disable-@files  Deaktiviert die weitere Erweiterung von Argumentdateien\n\nDiese zus\u00E4tzlichen Optionen k\u00F6nnen ohne Vorank\u00FCndigung ge\u00E4ndert werden.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nDie folgenden Optionen sind f\u00FCr Mac OS X spezifisch:\n    -XstartOnFirstThread\n                      main()-Methode f\u00FCr den ersten (AppKit) Thread ausf\u00FChren\n    -Xdock:name=\n                      Den im Dock angezeigten Standardanwendungsnamen \u00FCberschreiben\n    -Xdock:icon=\n                      Das im Dock angezeigte Standardsymbol \u00FCberschreiben\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=Fehler: Hauptmethode muss einen Wert vom Typ void in Kl
 java.launcher.cls.error4=Fehler: Hauptmethode in Klasse {0} nicht gefunden. Definieren Sie die Hauptmethode als:\n   public static void main(String[] args):\noder eine JavaFX-Anwendung muss {1} erweitern
 java.launcher.cls.error5=Fehler: Zum Ausf\u00FChren dieser Anwendung ben\u00F6tigte JavaFX-Runtime-Komponenten fehlen
 java.launcher.cls.error6=Fehler: Beim Laden der Klasse {0} ist ein LinkageError aufgetreten\n\t{1}
+java.launcher.cls.error7=Fehler: Hauptklasse {0} kann nicht initialisiert werden\nUrsache: {1}: {2}
 java.launcher.jar.error1=Fehler: Beim Versuch, Datei {0} zu \u00F6ffnen, ist ein unerwarteter Fehler aufgetreten
 java.launcher.jar.error2=Manifest in {0} nicht gefunden
 java.launcher.jar.error3=kein Hauptmanifestattribut, in {0}
@@ -55,5 +56,6 @@ java.launcher.init.error=Initialisierungsfehler
 java.launcher.javafx.error1=Fehler: Die JavaFX-Methode launchApplication hat die falsche Signatur, sie\nmuss als statisch deklariert werden und einen Wert vom Typ VOID zur\u00FCckgeben
 java.launcher.module.error1=Modul {0} weist kein MainClass-Attribut auf. Verwenden Sie -m /
 java.launcher.module.error2=Fehler: Hauptklasse {0} konnte in Modul {1} nicht gefunden oder geladen werden
-java.launcher.module.error3=Fehler: Hauptklasse {0} kann nicht aus Modul {1} geladen werden\n\t{2}
+java.launcher.module.error3=Fehler: Hauptklasse {0} kann nicht in Modul {1} geladen werden\n\t{2}
 java.launcher.module.error4={0} nicht gefunden
+java.launcher.module.error5=Fehler: Hauptklasse {0} kann nicht in Modul {1} initialisiert werden\nUrsache: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
index 3fecb4c841..cd92b93eb5 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  para seleccionar la VM "{1}"\n
 java.launcher.opt.hotspot    =\    {0}\t  es un sin\u00F3nimo de la VM "{1}" [anticuada]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Una lista separada por el car\u00E1cter {0}, archivos JAR\n                  y archivos ZIP para buscar archivos de clases.\n    -p \n    --module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos.\n    --upgrade-module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos que sustituye a\n                  los m\u00F3dulos actualizables en la imagen de tiempo de ejecuci\u00F3n\n    --add-modules [,...]\n                  m\u00F3dulos de ra\u00EDz que resolver, adem\u00E1s del m\u00F3dulo inicial.\n                   tambi\u00E9n puede ser ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  mostrar m\u00F3dulos observables y salir\n    --d \n    --describe-module \n                  describir un m\u00F3dulo y salir\n    --dry-run     crear VM y cargar la clase principal pero sin ejecutar el m\u00E9todo principal.\n                  La opci\u00F3n --dry-run puede ser \u00FAtil para validar\n                  las opciones de l\u00EDnea de comandos, como la configuraci\u00F3n del sistema de m\u00F3dulos.\n    --validate-modules\n                  validar todos los m\u00F3dulos y salir\n                  La opci\u00F3n --validate-modules puede ser \u00FAtil para encontrar\n                  conflictos y otros errores con m\u00F3dulos en la ruta de m\u00F3dulos.\n    -D=\n                  definir una propiedad de sistema\n    -verbose:[class|module|gc|jni]\n                  activar la salida en modo verbose\n    -version      imprimir versi\u00F3n de producto en el flujo de errores y salir\n    --version     imprimir versi\u00F3n de producto en el flujo de salida y salir\n    -showversion  imprimir versi\u00F3n de producto en el flujo de errores y continuar\n    --show-version\n                  -showversion  imprimir versi\u00F3n de producto en el flujo de salida y continuar\n    --show-module-resolution\n                  mostrar la salida de resoluci\u00F3n de m\u00F3dulo durante el inicio\n    -? -h -help\n                  imprimir este mensaje de ayuda en el flujo de errores\n    --help        imprimir este mensaje de ayuda en el flujo de salida\n    -X            imprimir ayuda de opciones adicionales en el flujo de errores\n    --help-extra  imprimir ayuda de opciones adicionales en el flujo de salida\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  activar afirmaciones con una granularidad especificada\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  desactivar afirmaciones con una granularidad especificada\n    -esa | -enablesystemassertions\n                  activar afirmaciones del sistema\n    -dsa | -disablesystemassertions\n                  desactivar afirmaciones del sistema\n    -agentlib:[=]\n                  cargar biblioteca de agente nativo , por ejemplo, -agentlib:jdwp\n                  ver tambi\u00E9n -agentlib:jdwp=help\n    -agentpath:[=]\n                  cargar biblioteca de agente nativo por nombre completo de ruta\n    -javaagent:[=]\n                  cargar agente de lenguaje de programaci\u00F3n Java, ver java.lang.instrument\n    -splash:\n         \
-         mostrar pantalla de presentaci\u00F3n con imagen especificada\n                  Las im\u00E1genes a escala HiDPI est\u00E1n soportadas y se usan autom\u00E1ticamente\n                  si est\u00E1n disponibles. El nombre de archivo de la imagen sin escala, por ejemplo, image.ext,\n                  siempre debe transmitirse como el argumento para la opci\u00F3n -splash.\n                  La imagen a escala m\u00E1s adecuada que se haya proporcionado se escoger\u00E1\n                  autom\u00E1ticamente.\n                  Consulte la documentaci\u00F3n de la API de la pantalla de presentaci\u00F3n para obtener m\u00E1s informaci\u00F3n.\n    @argument files\n                  uno o m\u00E1s archivos de argumentos que contienen opciones\n    -disable-@files\n                  evitar una mayor expansi\u00F3n del archivo de argumentos\nPara especificar un argumento para una opci\u00F3n larga, puede usar --= o\n-- .\n
+java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Una lista separada por el car\u00E1cter {0}, archivos JAR\n                  y archivos ZIP para buscar archivos de clases.\n    -p \n    --module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos.\n    --upgrade-module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos que sustituye a\n                  los m\u00F3dulos actualizables en la imagen de tiempo de ejecuci\u00F3n\n    --add-modules [,...]\n                  m\u00F3dulos de ra\u00EDz que resolver, adem\u00E1s del m\u00F3dulo inicial.\n                   tambi\u00E9n puede ser ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  mostrar m\u00F3dulos observables y salir\n    -d \n    --describe-module \n                  describir un m\u00F3dulo y salir\n    --dry-run     crear VM y cargar la clase principal pero sin ejecutar el m\u00E9todo principal.\n                  La opci\u00F3n --dry-run puede ser \u00FAtil para validar\n                  las opciones de l\u00EDnea de comandos, como la configuraci\u00F3n del sistema de m\u00F3dulos.\n    --validate-modules\n                  validar todos los m\u00F3dulos y salir\n                  La opci\u00F3n --validate-modules puede ser \u00FAtil para encontrar\n                  conflictos y otros errores con m\u00F3dulos en la ruta de m\u00F3dulos.\n    -D=\n                  definir una propiedad de sistema\n    -verbose:[class|module|gc|jni]\n                  activar la salida en modo verbose\n    -version      imprimir versi\u00F3n de producto en el flujo de errores y salir\n    --version     imprimir versi\u00F3n de producto en el flujo de salida y salir\n    -showversion  imprimir versi\u00F3n de producto en el flujo de errores y continuar\n    --show-version\n                  -showversion  imprimir versi\u00F3n de producto en el flujo de salida y continuar\n    --show-module-resolution\n                  mostrar la salida de resoluci\u00F3n de m\u00F3dulo durante el inicio\n    -? -h -help\n                  imprimir este mensaje de ayuda en el flujo de errores\n    --help        imprimir este mensaje de ayuda en el flujo de salida\n    -X            imprimir ayuda de opciones adicionales en el flujo de errores\n    --help-extra  imprimir ayuda de opciones adicionales en el flujo de salida\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  activar afirmaciones con una granularidad especificada\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  desactivar afirmaciones con una granularidad especificada\n    -esa | -enablesystemassertions\n                  activar afirmaciones del sistema\n    -dsa | -disablesystemassertions\n                  desactivar afirmaciones del sistema\n    -agentlib:[=]\n                  cargar biblioteca de agente nativo , por ejemplo, -agentlib:jdwp\n                  ver tambi\u00E9n -agentlib:jdwp=help\n    -agentpath:[=]\n                  cargar biblioteca de agente nativo por nombre completo de ruta\n    -javaagent:[=]\n                  cargar agente de lenguaje de programaci\u00F3n Java, ver java.lang.instrument\n    -splash:\n       \
+           mostrar pantalla de presentaci\u00F3n con imagen especificada\n                  Las im\u00E1genes a escala HiDPI est\u00E1n soportadas y se usan autom\u00E1ticamente\n                  si est\u00E1n disponibles. El nombre de archivo de la imagen sin escala, por ejemplo, image.ext,\n                  siempre debe transmitirse como el argumento para la opci\u00F3n -splash.\n                  La imagen a escala m\u00E1s adecuada que se haya proporcionado se escoger\u00E1\n                  autom\u00E1ticamente.\n                  Consulte la documentaci\u00F3n de la API de la pantalla de presentaci\u00F3n para obtener m\u00E1s informaci\u00F3n.\n    @argument files\n                  uno o m\u00E1s archivos de argumentos que contienen opciones\n    -disable-@files\n                  evitar una mayor expansi\u00F3n del archivo de argumentos\nPara especificar un argumento para una opci\u00F3n larga, puede usar --= o\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\    -Xbatch           desactivar compilaci\u00F3n de fondo\n    -Xbootclasspath/a:\n                      agregar al final de la ruta de la clase de inicializaci\u00F3n de datos\n    -Xcheck:jni       realizar comprobaciones adicionales para las funciones de JNI\n    -Xcomp            fuerza la compilaci\u00F3n de m\u00E9todos en la primera llamada\n    -Xdebug           se proporciona para ofrecer compatibilidad con versiones anteriores\n    -Xdiag            mostrar mensajes de diagn\u00F3stico adicionales\n    -Xfuture          activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n    -Xint             solo ejecuci\u00F3n de modo interpretado\n    -Xinternalversion\n                      muestra una informaci\u00F3n de la versi\u00F3n de JVM m\u00E1s detallada que la\n                      opci\u00F3n -version\n    -Xloggc:    registrar el estado de GC en un archivo con registros de hora\n    -Xmixed           ejecuci\u00F3n de modo mixto (por defecto)\n    -Xmn        define el tama\u00F1o inicial y m\u00E1ximo (en bytes) de la pila\n                      para la generaci\u00F3n m\u00E1s joven (espacio infantil)\n    -Xms        define el tama\u00F1o inicial de la pila de Java\n    -Xmx        define el tama\u00F1o m\u00E1ximo de la pila de Java\n    -Xnoclassgc       desactivar la recolecci\u00F3n de basura de clases\n    -Xprof            datos de creaci\u00F3n de perfiles de CPU de salida (anticuados)\n    -Xrs              reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n    -Xshare:auto      usar datos de clase compartidos si es posible (valor por defecto)\n    -Xshare:off       no intentar usar datos de clase compartidos\n    -Xshare:on        es obligatorio el uso de datos de clase compartidos, de lo contrario se producir\u00E1 un fallo.\n    -XshowSettings    mostrar toda la configuraci\u00F3n y continuar\n    -XshowSettings:all\n                      mostrar todos los valores y continuar\n    -XshowSettings:locale\n                      mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n    -XshowSettings:properties\n                      mostrar todos los valores de propiedad y continuar\n    -XshowSettings:vm mostrar todos los valores relacionados con vm y continuar\n    -Xss        definir tama\u00F1o de la pila del thread de Java\n    -Xverify          define el modo del verificador de c\u00F3digo de bytes\n    --add-reads =(,)*\n                      actualiza  para leer , independientement\n                      de la declaraci\u00F3n del m\u00F3dulo. \n                       puede ser ALL-UNNAMED para leer todos los\n                      m\u00F3dulos sin nombre.\n    --add-exports /=(,)*\n                      actualiza  para exportar  en ,\n                      independientemente de la declaraci\u00F3n del m\u00F3dulo.\n                       puede ser ALL-UNNAMED para exportar a todos los\n                      m\u00F3dulos sin nombre.\n    --add-opens /=(,)*\n                      actualiza  para abrir  en\n                      , independientemente de la declaraci\u00F3n del m\u00F3dulo.\n    --limit-modules [,...]\n                      limitar el universo de m\u00F3dulos observables\n    --patch-module =({0})*\n                      anular o aumentar un m\u00F3dulo con clases y recursos\n                      en directorios o archivos JAR.\n    --disable-@files  desactivar una mayor expansi\u00F3n del archivo de argumentos\n\nEstas opciones adicionales est\u00E1n sujetas a cambios sin previo aviso.\n
+java.launcher.X.usage=\n    -Xbatch           desactivar compilaci\u00F3n en segundo plano\n    -Xbootclasspath/a:\n                      agregar al final de la ruta de la clase de inicializaci\u00F3n de datos\n    -Xcheck:jni       realizar comprobaciones adicionales para las funciones de JNI\n    -Xcomp            fuerza la compilaci\u00F3n de m\u00E9todos en la primera llamada\n    -Xdebug           se proporciona para ofrecer compatibilidad con versiones anteriores\n    -Xdiag            mostrar mensajes de diagn\u00F3stico adicionales\n    -Xfuture          activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n    -Xint             solo ejecuci\u00F3n de modo interpretado\n    -Xinternalversion\n                      muestra una informaci\u00F3n de la versi\u00F3n de JVM m\u00E1s detallada que la\n                      opci\u00F3n-versi\u00F3n\n    -Xloggc:    registrar el estado de GC en un archivo con registros de hora\n    -Xmixed           modo de ejecuci\u00F3n mixto (valor por defecto)\n    -Xmn        define el tama\u00F1o inicial y m\u00E1ximo (en bytes) de la pila\n                      para la generaci\u00F3n m\u00E1s joven (incubadora)\n    -Xms        define el tama\u00F1o inicial de la pila de Java\n    -Xmx        define el tama\u00F1o m\u00E1ximo de la pila de Java\n    -Xnoclassgc       desactivar la recolecci\u00F3n de basura de clases\n    -Xprof            datos de creaci\u00F3n de perfiles de CPU de salida (anticuados)\n    -Xrs              reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n    -Xshare:auto      usar datos de clase compartidos si es posible (valor por defecto)\n    -Xshare:off       no intentar usar datos de clase compartidos\n    -Xshare:on        es obligatorio el uso de datos de clase compartidos, de lo contrario se producir\u00E1 un fallo.\n    -XshowSettings    mostrar toda la configuraci\u00F3n y continuar\n    -XshowSettings:all\n                      mostrar todos los valores y continuar\n    -XshowSettings:locale\n                      mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n    -XshowSettings:properties\n                      mostrar todos los valores de propiedad y continuar\n    -XshowSettings:vm mostrar todos los valores relacionados con vm y continuar\n    -Xss        definir tama\u00F1o de la pila del thread de Java\n    -Xverify          define el modo del verificador de c\u00F3digo de bytes\n    --add-reads =(,)*\n                      updates  para leer , independientemente\n                      de la declaraci\u00F3n del m\u00F3dulo. \n                       puede ser ALL-UNNAMED para leer todos los m\u00F3dulos\n                      sin nombre.\n    --add-exports /=(,)*\n                      actualiza  para exportar  en ,\n                      independientemente de la declaraci\u00F3n del m\u00F3dulo.\n                       puede ser ALL-UNNAMED para exportar a todos los\n                      m\u00F3dulos sin nombre.\n    --add-opens /=(,)*\n                      actualiza  para abrir  en\n                      , independientemente de la declaraci\u00F3n del m\u00F3dulo.\n    --illegal-access=\n                      permitir o denegar el acceso a miembros de tipos en m\u00F3dulos con nombre\n                      por c\u00F3digo en m\u00F3dulos sin nombre.\n                       es "denegar", "permitir", "advertir" o "depurar"\n                      Esta opci\u00F3n se eliminar\u00E1 en la \
+pr\u00F3xima versi\u00F3n.\n    --limit-modules [,...]\n                      limitar el universo de m\u00F3dulos observables\n    --patch-module =({0})*\n                      anular o aumentar un m\u00F3dulo con clases y recursos\n                      en directorios o archivos JAR.\n    --disable-@files  desactivar una mayor expansi\u00F3n del archivo de argumentos\n\nEstas opciones adicionales est\u00E1n sujetas a cambios sin previo aviso.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nLas siguientes opciones son espec\u00EDficas para Mac OS X:\n    -XstartOnFirstThread\n                      ejecutar el m\u00E9todo main() del primer thread (AppKit)\n    -Xdock:name=\n                      sustituir al nombre por defecto de la aplicaci\u00F3n que se muestra en el Dock\n    -Xdock:icon=\n                      sustituir al icono por defecto que se muestra en el Dock\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=Error: el m\u00E9todo principal debe devolver un valor
 java.launcher.cls.error4=Error: no se ha encontrado el m\u00E9todo principal en la clase {0}, defina el m\u00E9todo principal del siguiente modo:\\n   public static void main(String[] args)\\nde lo contrario, se deber\u00E1 ampliar una clase de aplicaci\u00F3n JavaFX {1}
 java.launcher.cls.error5=Error: faltan los componentes de JavaFX runtime y son necesarios para ejecutar esta aplicaci\u00F3n
 java.launcher.cls.error6=Error: Se ha producido un error de enlace al cargar la clase principal {0}\n\t{1}
+java.launcher.cls.error7=Error: no se ha podido inicializar la clase principal {0}\nCausado por: {1}: {2}
 java.launcher.jar.error1=Error: se ha producido un error inesperado al intentar abrir el archivo {0}
 java.launcher.jar.error2=no se ha encontrado el manifiesto en {0}
 java.launcher.jar.error3=no hay ning\u00FAn atributo de manifiesto principal en {0}
@@ -55,5 +56,6 @@ java.launcher.init.error=error de inicializaci\u00F3n
 java.launcher.javafx.error1=Error: el m\u00E9todo launchApplication de JavaFX tiene una firma que no es correcta.\\nSe debe declarar est\u00E1tico y devolver un valor de tipo nulo
 java.launcher.module.error1=el m\u00F3dulo {0} no tiene ning\u00FAn atributo MainClass, utilice -m /
 java.launcher.module.error2=Error: no se ha encontrado o cargado la clase principal {0} en el m\u00F3dulo {1}
-java.launcher.module.error3=Error: No se ha podido cargar la clase principal {0} del m\u00F3dulo {1}\n\t{2}
+java.launcher.module.error3=Error: no se ha podido cargar la clase principal {0} del m\u00F3dulo {1}\n\t{2}
 java.launcher.module.error4=No se ha encontrado {0}
+java.launcher.module.error5=Error: no se ha podido inicializar la clase principal {0} del m\u00F3dulo {1}\nCausado por: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_fr.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_fr.properties
index 472d13b4ba..e003962170 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_fr.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_fr.properties
@@ -31,11 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  pour s\u00E9lectionner la machine virt
 java.launcher.opt.hotspot    =\    {0}\t  est un synonyme pour la machine virtuelle "{1}"  [en phase d''abandon]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Liste distincte {0} de r\u00E9pertoires, d''archives JAR\n                  et d'archives ZIP pour rechercher des fichiers de classe.\n    -p \n    --module-path ...\n                  Liste distincte {0} de r\u00E9pertoires, chaque r\u00E9pertoire\n                  est un r\u00E9pertoire de modules.\n    --upgrade-module-path ...\n                  Liste distincte {0} de r\u00E9pertoires, chaque r\u00E9pertoire\n                  est un r\u00E9pertoire de module qui remplace les modules\n                  pouvant \u00EAtre mis \u00E0 niveau dans l'image d'ex\u00E9cution\n    --add-modules [,...]\n                  modules racine \u00E0 r\u00E9soudre en plus du module initial.\n                   peut \u00E9galement \u00EAtre ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  r\u00E9pertorier les modules observables et quitter\n    --d \n    --describe-module \n                  d\u00E9crire un module et quitter\n    --dry-run     cr\u00E9er une machine virtuelle et charger la classe principale mais ne pas ex\u00E9cuter la m\u00E9thode principale.\n                  L'option--dry-run peut \u00EAtre utile pour la validation des\n                  options de ligne de commande telles que la configuration syst\u00E8me de module.\n    --validate-modules\n                  valider tous les modules et quitter\n                  L'option --validate-modules peut \u00EAtre utile pour la recherche de\n                  conflits et d'autres erreurs avec des modules dans le chemin de module.\n    -D=\n                  d\u00E9finir une propri\u00E9t\u00E9 syst\u00E8me\n    -verbose:[class|module|gc|jni]\n                  activer la sortie en mode verbose\n    -version      afficher la version de produit dans le flux d'erreur et quitter\n    --version     afficher la version de produit dans le flux de sortie et quitter\n    -showversion  afficher la version de produit dans le flux d'erreur et continuer\n    --show-version\n                  afficher la version de produit dans le flux de sortie et continuer\n    --show-module-resolution\n                  afficher la sortie de r\u00E9solution de module lors du d\u00E9marrage\n    -? -h -help\n                  afficher ce message d'aide dans le flux d'erreur\n    --help        afficher ce message d'erreur dans le flux de sortie\n    -X            afficher l'aide sur des options suppl\u00E9mentaires dans le flux d'erreur\n    --help-extra  afficher l'aide sur des options suppl\u00E9mentaires dans le flux de sortie\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  activer des assertions avec la granularit\u00E9 sp\u00E9cifi\u00E9e\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  d\u00E9sactiver des assertions avec la granularit\u00E9 sp\u00E9cifi\u00E9e\n    -esa | -enablesystemassertions\n                  activer des assertions syst\u00E8me\n    -dsa | -disablesystemassertions\n                  d\u00E9sactiver des assertions syst\u00E8me\n    -agentlib:[=]\n                  charger la biblioth\u00E8que d'agent natif , par ex. -agentlib:jdwp\n                  voir \u00E9galement -agentlib:jdwp=help\n    -agentpath:[=]\n                  charger la biblioth\u00E8que d'agent natif par nom de chemin complet\n    -javaagent:[=]\n                  charger l'agent de langage de programmation, voir \
+java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Liste distincte {0} de r\u00E9pertoires, d''archives JAR\n                  et d'archives ZIP pour rechercher des fichiers de classe.\n    -p \n    --module-path ...\n                  Liste distincte {0} de r\u00E9pertoires, chaque r\u00E9pertoire\n                  est un r\u00E9pertoire de modules.\n    --upgrade-module-path ...\n                  Liste distincte {0} de r\u00E9pertoires, chaque r\u00E9pertoire\n                  est un r\u00E9pertoire de module qui remplace les modules\n                  pouvant \u00EAtre mis \u00E0 niveau dans l'image d'ex\u00E9cution\n    --add-modules [,...]\n                  modules racine \u00E0 r\u00E9soudre en plus du module initial.\n                   peut \u00E9galement \u00EAtre ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  r\u00E9pertorier les modules observables et quitter\n    -d \n    --describe-module \n                  d\u00E9crire un module et quitter\n    --dry-run     cr\u00E9er une machine virtuelle et charger la classe principale mais ne pas ex\u00E9cuter la m\u00E9thode principale.\n                  L'option--dry-run peut \u00EAtre utile pour la validation des\n                  options de ligne de commande telles que la configuration syst\u00E8me de module.\n    --validate-modules\n                  valider tous les modules et quitter\n                  L'option --validate-modules peut \u00EAtre utile pour la recherche de\n                  conflits et d'autres erreurs avec des modules dans le chemin de module.\n    -D=\n                  d\u00E9finir une propri\u00E9t\u00E9 syst\u00E8me\n    -verbose:[class|module|gc|jni]\n                  activer la sortie en mode verbose\n    -version      afficher la version de produit dans le flux d'erreur et quitter\n    --version     afficher la version de produit dans le flux de sortie et quitter\n    -showversion  afficher la version de produit dans le flux d'erreur et continuer\n    --show-version\n                  afficher la version de produit dans le flux de sortie et continuer\n    --show-module-resolution\n                  afficher la sortie de r\u00E9solution de module lors du d\u00E9marrage\n    -? -h -help\n                  afficher ce message d'aide dans le flux d'erreur\n    --help        afficher ce message d'erreur dans le flux de sortie\n    -X            afficher l'aide sur des options suppl\u00E9mentaires dans le flux d'erreur\n    --help-extra  afficher l'aide sur des options suppl\u00E9mentaires dans le flux de sortie\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  activer des assertions avec la granularit\u00E9 sp\u00E9cifi\u00E9e\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  d\u00E9sactiver des assertions avec la granularit\u00E9 sp\u00E9cifi\u00E9e\n    -esa | -enablesystemassertions\n                  activer des assertions syst\u00E8me\n    -dsa | -disablesystemassertions\n                  d\u00E9sactiver des assertions syst\u00E8me\n    -agentlib:[=]\n                  charger la biblioth\u00E8que d'agent natif , par ex. -agentlib:jdwp\n                  voir \u00E9galement -agentlib:jdwp=help\n    -agentpath:[=]\n                  charger la biblioth\u00E8que d'agent natif par nom de chemin complet\n    -javaagent:[=]\n                  charger l'agent de langage de programmation, voir \
 java.lang.instrument\n    -splash:\n                  afficher l'\u00E9cran d'accueil avec l'image indiqu\u00E9e\n                  Les images redimensionn\u00E9es HiDPI sont automatiquement prises en charge et utilis\u00E9es\n                  si elles sont disponibles. Le nom de fichier d'une image non redimensionn\u00E9e, par ex. image.ext,\n                  doit toujours \u00EAtre transmis comme argument \u00E0 l'option -splash.\n                  L'image redimensionn\u00E9e fournie la plus appropri\u00E9e sera automatiquement\n                  s\u00E9lectionn\u00E9e.\n                  Pour plus d'informations, reportez-vous \u00E0 la documentation relative \u00E0 l'API SplashScreen\n    fichiers @argument\n                  fichiers d'arguments contenant des options\n    -disable-@files\n                  emp\u00EAcher le d\u00E9veloppement suppl\u00E9mentaire de fichiers d'arguments\nAfin d'indiquer un argument pour une option longue, vous pouvez utiliser --= ou\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           d\u00E9sactivation de la compilation en arri\u00E8re-plan\n    -Xbootclasspath/a:\n                      ajout \u00E0 la fin du chemin de classe bootstrap\n    -Xcheck:jni       ex\u00E9cution de contr\u00F4les suppl\u00E9mentaires pour les fonctions JNI\n    -Xcomp            force la compilation de m\u00E9thodes au premier appel\n    -Xdebug           fourni pour la compatibilit\u00E9 amont\n    -Xdiag            affichage de messages de diagnostic suppl\u00E9mentaires\n    -Xfuture          activation des contr\u00F4les les plus stricts en vue d''anticiper la future valeur par d\u00E9faut\n    -Xint             ex\u00E9cution en mode interpr\u00E9t\u00E9 uniquement\n    -Xinternalversion\n                      affiche des informations de version JVM plus d\u00E9taill\u00E9es que\n                      l''option -version\n    -Xloggc:    journalisation du statut de l''op\u00E9ration de ramasse-miette dans un fichier avec horodatage\n    -Xmixed           ex\u00E9cution en mode mixte (valeur par d\u00E9faut)\n    -Xmn        d\u00E9finit les tailles initiale et maximale (en octets) de la portion de m\u00E9moire\n                      pour la jeune g\u00E9n\u00E9ration (nursery)\n    -Xms        d\u00E9finition de la taille initiale des portions de m\u00E9moire Java\n    -Xmx        d\u00E9finition de la taille maximale des portions de m\u00E9moire Java\n    -Xnoclassgc       d\u00E9sactivation de l''op\u00E9ration de ramasse-miette de la classe\n    -Xprof            sortie des donn\u00E9es de profilage d''UC (en phase d''abandon)\n    -Xrs              r\u00E9duction de l''utilisation des signaux OS par Java/la machine virtuelle (voir documentation)\n    -Xshare:auto      utilisation des donn\u00E9es de classe partag\u00E9es si possible (valeur par d\u00E9faut)\n    -Xshare:off       aucune tentative d''utilisation des donn\u00E9es de classe partag\u00E9es\n    -Xshare:on         utilisation des donn\u00E9es de classe partag\u00E9es obligatoire ou \u00E9chec de l''op\u00E9ration.\n    -XshowSettings    affichage de tous les param\u00E8tres et poursuite de l''op\u00E9ration\n    -XshowSettings:all\n                      affichage de tous les param\u00E8tres et poursuite de l''op\u00E9ration\n    -XshowSettings:locale\n                      affichage de tous les param\u00E8tres d''environnement local et poursuite de l''op\u00E9ration\n    -XshowSettings:properties\n                      affichage de tous les param\u00E8tres de propri\u00E9t\u00E9 et poursuite de l''op\u00E9ration\n    -XshowSettings:vm affichage de tous les param\u00E8tres de machine virtuelle et poursuite de l''op\u00E9ration\n    -Xss        d\u00E9finition de la taille de pile de threads Java\n    -Xverify          d\u00E9finit le mode du v\u00E9rificateur de code ex\u00E9cutable\n    --add-reads =(,)*\n                      met \u00E0 jour  pour lire , sans tenir compte\n                      de la d\u00E9claration de module. \n                       peut \u00EAtre ALL-UNNAMED pour lire tous les modules\n                      sans nom.\n    --add-exports /=(,)*\n                      met \u00E0 jour  pour exporter  vers ,\n                      sans tenir compte de la d\u00E9claration de module.\n                       peut \u00EAtre ALL-UNNAMED pour exporter tous les\n                      modules sans nom.\n    --add-opens /=(,)*\n                      met \u00E0 jour  pour ouvrir  dans\n                      , sans tenir compte de la d\u00E9claration de module.\n    --limit-modules [,...]\n                      limiter l''univers de modules observables\n    --patch-module =({0})*\n                      Remplacement ou augmentation d''un module avec des classes et des ressources\n                      dans des fichiers ou des r\u00E9pertoires JAR.\n    --disable-@files  d\u00E9sactivation d''autres d\u00E9veloppements de fichier d''argument\n\nCes options suppl\u00E9mentaires peuvent \u00EAtre modifi\u00E9es sans pr\u00E9avis.\n
+java.launcher.X.usage=\n    -Xbatch           d\u00E9sactivation de la compilation en arri\u00E8re-plan\n    -Xbootclasspath/a:\n                      ajout \u00E0 la fin du chemin de classe bootstrap\n    -Xcheck:jni        ex\u00E9cution de contr\u00F4les suppl\u00E9mentaires pour les fonctions JNI\n    -Xcomp            force la compilation de m\u00E9thodes au premier appel\n    -Xdebug           fourni pour la compatibilit\u00E9 amont\n    -Xdiag            affichage de messages de diagnostic suppl\u00E9mentaires\n    -Xfuture           activation des contr\u00F4les les plus stricts en vue d''anticiper la future valeur par d\u00E9faut\n    -Xint             ex\u00E9cution en mode interpr\u00E9t\u00E9 uniquement\n    -Xinternalversion\n                      affiche des informations de version JVM plus d\u00E9taill\u00E9es que\n                      l''option -version\n    -Xloggc:    journalisation du statut de l''op\u00E9ration de ramasse-miette dans un fichier avec horodatage\n    -Xmixed           ex\u00E9cution en mode mixte (valeur par d\u00E9faut)\n    -Xmn        d\u00E9finit les tailles initiale et maximale (en octets) de la portion de m\u00E9moire\n                      pour la jeune g\u00E9n\u00E9ration (nursery)\n    -Xms        d\u00E9finition de la taille initiale des portions de m\u00E9moire Java\n    -Xmx        d\u00E9finition de la taille maximale des portions de m\u00E9moire Java\n    -Xnoclassgc       d\u00E9sactivation de l''op\u00E9ration de ramasse-miette de la classe\n    -Xprof            sortie des donn\u00E9es de profilage d''UC (en phase d''abandon)\n    -Xrs              r\u00E9duction de l''utilisation des signaux OS par Java/la machine virtuelle (voir documentation)\n    -Xshare:auto      utilisation des donn\u00E9es de classe partag\u00E9es si possible (valeur par d\u00E9faut)\n    -Xshare:off       aucune tentative d''utilisation des donn\u00E9es de classe partag\u00E9es\n    -Xshare:on        utilisation des donn\u00E9es de classe partag\u00E9es obligatoire ou \u00E9chec de l''op\u00E9ration\n    -XshowSettings    affichage de tous les param\u00E8tres et poursuite de l''op\u00E9ration\n    -XshowSettings:all\n                      affichage de tous les param\u00E8tres et poursuite de l''op\u00E9ration\n    -XshowSettings:locale\n                      affichage de tous les param\u00E8tres d''environnement local et poursuite de l''op\u00E9ration\n    -XshowSettings:properties\n                       affichage de tous les param\u00E8tres de propri\u00E9t\u00E9 et poursuite de l''op\u00E9ration\n    -XshowSettings:vm affichage de tous les param\u00E8tres de machine virtuelle et poursuite de l''op\u00E9ration\n    -Xss        d\u00E9finition de la taille de pile de threads Java\n    -Xverify          d\u00E9finit le mode du v\u00E9rificateur de code ex\u00E9cutable\n    --add-reads =(,)*\n                      met \u00E0 jour  pour lire , sans tenir compte\n                      de la d\u00E9claration de module. \n                       peut \u00EAtre ALL-UNNAMED pour lire tous les modules\n                      sans nom.\n    --add-exports /=(,)*\n                      met \u00E0 jour  pour exporter  vers ,\n                      sans tenir compte de la d\u00E9claration de module.\n                       peut \u00EAtre ALL-UNNAMED pour effectuer un export vers tous\n                      les modules sans nom.\n    --add-opens /=(,)*\n                      met \u00E0 jour  pour ouvrir  vers\n                      , sans tenir compte de la d\u00E9claration de module\n    --illegal-access=\n                      autorise ou refuse l''acc\u00E8s \u00E0 \
+des membres de types dans des modules nomm\u00E9s\n                      par code dans des modules sans nom.\n                       est l''une des valeurs suivantes : "deny", "permit", "warn" ou "debug"\n                      Cette option sera enlev\u00E9e dans une version ult\u00E9rieure.\n    --limit-modules [,...]\n                      limite l''univers des modules observables\n    --patch-module =({0})*\n                      remplace ou augmente un module avec des classes et des ressources\n                      dans des fichiers ou r\u00E9pertoires JAR.\n    --disable-@files  d\u00E9sactive d''autres d\u00E9veloppements de fichier d''argument\n\nCes options suppl\u00E9mentaires peuvent \u00EAtre modifi\u00E9es sans pr\u00E9avis.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nLes options suivantes sont propres \u00E0 Mac OS X :\n    -XstartOnFirstThread\n                      ex\u00E9cute la m\u00E9thode main() sur le premier thread (AppKit)\n    -Xdock:name=\n                      remplace le nom d'application par d\u00E9faut affich\u00E9 dans l'ancrage\n    -Xdock:icon=\n                      remplace l'ic\u00F4ne par d\u00E9faut affich\u00E9e dans l'ancrage\n\n
@@ -46,6 +47,7 @@ java.launcher.cls.error3=Erreur : la m\u00E9thode principale doit renvoyer une v
 java.launcher.cls.error4=Erreur : la m\u00E9thode principale est introuvable dans la classe {0}, d\u00E9finissez la m\u00E9thode principale comme suit :\n   public static void main(String[] args)\nou une classe d''applications JavaFX doit \u00E9tendre {1}
 java.launcher.cls.error5=Erreur : des composants d'ex\u00E9cution JavaFX obligatoires pour ex\u00E9cuter cette application sont manquants.
 java.launcher.cls.error6=Erreur : LinkageError lors du chargement de la classe principale {0}\n\t{1}
+java.launcher.cls.error7=Erreur : impossible d''initialiser la classe principale {0}\nCaus\u00E9 par : {1}: {2}
 java.launcher.jar.error1=Erreur : une erreur inattendue est survenue lors de la tentative d''ouverture du fichier {0}
 java.launcher.jar.error2=fichier manifeste introuvable dans {0}
 java.launcher.jar.error3=aucun attribut manifest principal dans {0}
@@ -54,5 +56,6 @@ java.launcher.init.error=erreur d'initialisation
 java.launcher.javafx.error1=Erreur : la signature de la m\u00E9thode launchApplication JavaFX est incorrecte, la\nm\u00E9thode doit \u00EAtre d\u00E9clar\u00E9e statique et renvoyer une valeur de type void
 java.launcher.module.error1=le module {0} n''a pas d''attribut MainClass, utilisez -m /
 java.launcher.module.error2=Erreur : impossible de trouver ou charger la classe principale {0} dans le module {1}
-java.launcher.module.error3=Erreur : impossible de charger la classe principale {0} \u00E0 partir du module {1}\n\t{2}
+java.launcher.module.error3=Erreur : impossible de charger la classe principale {0} dans le module {1}\n\t{2}
 java.launcher.module.error4={0} introuvable
+java.launcher.module.error5=Erreur : impossible d''initialiser la classe principale {0} dans le module {1}\nCaus\u00E9 par : {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_it.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_it.properties
index 9c590b3c53..7dfff408af 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_it.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_it.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  per selezionare la VM "{1}"\n
 java.launcher.opt.hotspot    =\    {0}\t  \u00E8 un sinonimo per la VM "{1}" [non valido]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    -class-path \n                  Una lista separata da {0} di directory, archivi JAR\n                  e archivi ZIP in cui cercare i file di classe.\n    -p \n    --module-path ...\n                  Una lista separata da {0} di directory. Ogni directory\n                  \u00E8 una directory di moduli.\n    --upgrade-module-path ...\n                  Una lista separata da {0} di directory. Ogni directory\n                  \u00E8 una directory di moduli che sostituiscono i moduli\n                  aggiornabili nell'immagine in fase di esecuzione\n    --add-modules [,...]\n                  I moduli radice da risolvere in aggiunta al modulo iniziale.\n                   pu\u00F2 essere anche ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  Elenca i moduli osservabili ed esce\n    --d \n    --describe-module \n                  Descrive un modulo ed esce\n    --dry-run      Crea la VM e carica la classe principale ma non esegue il metodo principale.\n                  L'opzione --dry-run pu\u00F2 essere utile per la convalida delle\n                  opzioni della riga di comando, ad esempio quelle utilizzate per la configurazione del sistema di moduli.\n    --validate-modules\n                  Convalida tutti i moduli ed esce\n                  L'opzione --validate-modules pu\u00F2 essere utile per rilevare\n                  conflitti e altri errori con i moduli nel percorso dei moduli.\n    -D=\n                  Imposta una propriet\u00E0 di sistema\n    -verbose:[class|module|gc|jni]\n                  abilitare output descrittivo\n    -version      Visualizza la versione del prodotto nel flusso di errori ed esce\n    -version      Visualizza la versione del prodotto nel flusso di output ed esce\n    -showversion      Visualizza la versione del prodotto nel flusso di errori e continua\n    --show-version\n                  Visualizza la versione del prodotto nel flusso di output e continua\n    --show-module-resolution\n                  Mostra l'output della risoluzione del modulo durante l'avvio\n    -? -h -help\n                  Visualizza questo messaggio della Guida nel flusso di errori\n    --help        Visualizza questo messaggio della Guida nel flusso di output\n    -X            Visualizza la Guida relativa alle opzioni non standard nel flusso di errori\n    --help-extra  Visualizza la Guida relativa alle opzioni non standard nel flusso di output\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  Abilita le asserzioni con la granularit\u00E0 specificata\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  Disabilita le asserzioni con la granularit\u00E0 specificata\n    -esa | -enablesystemassertions\n                  Abilita le asserzioni di sistema\n    -dsa | -disablesystemassertions\n                  Disabilita le asserzioni di sistema\n    -agentlib:[=]\n                  Carica la libreria agenti nativa , ad esempio -agentlib:jdwp\n                  Vedere anche -agentlib:jdwp=help\n    -agentpath:[=]\n                  Carica la libreria agenti nativa con il percorso completo\n    -javaagent:[=]\n                  Carica l'agente del linguaggio di programmazione Java, vedere java.lang.instrument\n    -splash:\n                  Mostra la schermata iniziale con l'immagine specificata\n                  Le immagini ridimensionate HiDPI sono supportate e utilizzate \
+java.launcher.opt.footer = \    -cp \n    -classpath \n    -class-path \n                  Una lista separata da {0} di directory, archivi JAR\n                  e archivi ZIP in cui cercare i file di classe.\n    -p \n    --module-path ...\n                  Una lista separata da {0} di directory. Ogni directory\n                  \u00E8 una directory di moduli.\n    --upgrade-module-path ...\n                  Una lista separata da {0} di directory. Ogni directory\n                  \u00E8 una directory di moduli che sostituiscono i moduli\n                  aggiornabili nell'immagine in fase di esecuzione\n    --add-modules [,...]\n                  I moduli radice da risolvere in aggiunta al modulo iniziale.\n                   pu\u00F2 essere anche ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  Elenca i moduli osservabili ed esce\n    -d \n    --describe-module \n                  Descrive un modulo ed esce\n    --dry-run      Crea la VM e carica la classe principale ma non esegue il metodo principale.\n                  L'opzione --dry-run pu\u00F2 essere utile per la convalida delle\n                  opzioni della riga di comando, ad esempio quelle utilizzate per la configurazione del sistema di moduli.\n    --validate-modules\n                  Convalida tutti i moduli ed esce\n                  L'opzione --validate-modules pu\u00F2 essere utile per rilevare\n                  conflitti e altri errori con i moduli nel percorso dei moduli.\n    -D=\n                  Imposta una propriet\u00E0 di sistema\n    -verbose:[class|module|gc|jni]\n                  abilitare output descrittivo\n    -version      Visualizza la versione del prodotto nel flusso di errori ed esce\n    -version      Visualizza la versione del prodotto nel flusso di output ed esce\n    -showversion      Visualizza la versione del prodotto nel flusso di errori e continua\n    --show-version\n                  Visualizza la versione del prodotto nel flusso di output e continua\n    --show-module-resolution\n                  Mostra l'output della risoluzione del modulo durante l'avvio\n    -? -h -help\n                  Visualizza questo messaggio della Guida nel flusso di errori\n    --help        Visualizza questo messaggio della Guida nel flusso di output\n    -X            Visualizza la Guida relativa alle opzioni non standard nel flusso di errori\n    --help-extra  Visualizza la Guida relativa alle opzioni non standard nel flusso di output\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  Abilita le asserzioni con la granularit\u00E0 specificata\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  Disabilita le asserzioni con la granularit\u00E0 specificata\n    -esa | -enablesystemassertions\n                  Abilita le asserzioni di sistema\n    -dsa | -disablesystemassertions\n                  Disabilita le asserzioni di sistema\n    -agentlib:[=]\n                  Carica la libreria agenti nativa , ad esempio -agentlib:jdwp\n                  Vedere anche -agentlib:jdwp=help\n    -agentpath:[=]\n                  Carica la libreria agenti nativa con il percorso completo\n    -javaagent:[=]\n                  Carica l'agente del linguaggio di programmazione Java, vedere java.lang.instrument\n    -splash:\n                  Mostra la schermata iniziale con l'immagine specificata\n                  Le immagini ridimensionate HiDPI sono supportate e utilizzate \
 automaticamente\n                  se disponibili. I nomi file delle immagini non ridimensionate, ad esempio image.ext,\n                  devono essere sempre passati come argomenti all'opzione -splash.\n                  Verr\u00E0 scelta automaticamente l'immagine ridimensionata pi\u00F9 appropriata\n                  fornita.\n                  Per ulteriori informazioni, vedere la documentazione relativa all'API SplashScreen\n    @file argomenti\n                  Uno o pi\u00F9 file argomenti contenenti opzioni\n    -disable-@files\n                  Impedisce l'ulteriore espansione di file argomenti\nPer specificare un argomento per un'opzione lunga, \u00E8 possibile usare --= oppure\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           Disabilita la compilazione in background.\n    -Xbootclasspath/a:\n                      Aggiunge alla fine del classpath di bootstrap.\n   -Xcheck:jni       Esegue controlli aggiuntivi per le funzioni JNI.\n    -Xcomp            Forza la compilazione dei metodi al primo richiamo.\n    -Xdebug           Fornito per la compatibilit\u00E0 con le versioni precedenti.\n    -Xdiag            Mostra ulteriori messaggi diagnostici.\n    -Xfuture          Abilita i controlli pi\u00F9 limitativi anticipando le impostazioni predefinite future.\n    -Xint             Esecuzione solo in modalit\u00E0 convertita.\n    -Xinternalversion\n                      Visualizza informazioni pi\u00F9 dettagliate sulla versione JVM rispetto\n                      all''opzione -version.\n    -Xloggc:    Registra lo stato GC in un file con indicatori orari.\n    -Xmixed           Esecuzione in modalit\u00E0 mista (impostazione predefinita).\n    -Xmn        Imposta le dimensioni iniziale e massima (in byte) dell''heap\n                      per la young generation (nursery).\n    -Xms        Imposta la dimensione heap Java iniziale.\n    -Xmx        Imposta la dimensione heap Java massima.\n    -Xnoclassgc       Disabilta la garbage collection della classe.\n    -Xprof            Visualizza i dati di profilo della CPU (non pi\u00F9 valida).\n    -Xrs              Riduce l''uso di segnali del sistema operativo da Java/VM (vedere la documentazione).\n    -Xshare:auto      Utilizza i dati di classe condivisi se possibile (impostazione predefinita).\n     -Xshare:off       Non tenta di utilizzare i dati di classe condivisi.\n    -Xshare:on        Richiede l''uso dei dati di classe condivisi, altrimenti l''esecuzione non riesce.\n    -XshowSettings    Mostra tutte le impostazioni e continua.\n    -XshowSettings:all\n                      Mostra tutte le impostazioni e continua.\n    -XshowSettings:locale\n                      Mostra tutte le impostazioni correlate alle impostazioni nazionali e continua.\n    -XshowSettings:properties\n                      Mostra tutte le impostazioni delle propriet\u00E0 e continua.\n    -XshowSettings:vm Mostra tutte le impostazioni correlate alla VM e continua.\n    -Xss        Imposta la dimensione dello stack di thread Java.\n     -Xverify          Imposta la modalit\u00E0 del verificatore bytecode.\n    --add-reads:=(,)*\n                      Aggiorna  per leggere , indipendentemente\n                      dalla dichiarazione del modulo.\n                       pu\u00F2 essere ALL-UNNAMED per leggere tutti i\n                      moduli senza nome.\n   -add-exports:/=(,)*\n                      Aggiorna  per esportare  in ,\n                      indipendentemente dalla dichiarazione del modulo.\n                       pu\u00F2 essere ALL-UNNAMED per esportare tutti i\n                      moduli senza nome.\n    --add-opens /=(,)*\n                      Aggiorna  per aprire  in\n                      , indipendentemente dalla dichiarazione del modulo.\n    --limit-modules [,...]\n                      Limita l''universo di moduli osservabili\n    -patch-module =({0})*\n                      Sostituisce o migliora un modulo con \
-classi e risorse\n                      in file JAR o directory.\n    --disable-@files  Disabilita l''ulteriore espansione di file argomenti.\n\nQueste opzioni non standard sono soggette a modifiche senza preavviso.\n
+java.launcher.X.usage=\n    -Xbatch           Disabilita la compilazione in background.\n    -Xbootclasspath/a:\n                      Aggiunge alla fine del classpath di bootstrap.\n    -Xcheck:jni       Esegue controlli aggiuntivi per le funzioni JNI.\n    -Xcomp            Forza la compilazione dei metodi al primo richiamo.\n    -Xdebug           Fornita per la compatibilit\u00E0 con le versioni precedenti.\n    -Xdiag            Mostra ulteriori messaggi diagnostici.\n    -Xfuture          Abilita i controlli pi\u00F9 limitativi anticipando le impostazioni predefinite future.\n    -Xint             Esecuzione solo in modalit\u00E0 convertita.\n    -Xinternalversion\n                      Visualizza informazioni pi\u00F9 dettagliate sulla versione JVM rispetto\n                      all''opzione -version.\n    -Xloggc:    Registra lo stato GC in un file con indicatori orari.\n    -Xmixed           Esecuzione in modalit\u00E0 mista (impostazione predefinita).\n    -Xmn        Imposta le dimensioni iniziale e massima (in byte) dell''heap\n                      per la young generation (nursery).\n    -Xms        Imposta la dimensione heap Java iniziale.\n    -Xmx        Imposta la dimensione heap Java massima.\n    -Xnoclassgc       Disabilita la garbage collection della classe.\n    -Xprof            Visualizza i dati di profiling della CPU (non pi\u00F9 valida).\n    -Xrs              Riduce l''uso di segnali del sistema operativo da Java/VM (vedere la documentazione).\n    -Xshare:auto      Utilizza i dati di classe condivisi se possibile (impostazione predefinita).\n    -Xshare:off       Non tenta di utilizzare i dati di classe condivisi.\n    -Xshare:on        Richiede l''uso dei dati di classe condivisi, altrimenti l''esecuzione non riesce.\n    -XshowSettings    Mostra tutte le impostazioni e continua.\n    -XshowSettings:all\n                      Mostra tutte le impostazioni e continua.\n    -XshowSettings:locale\n                      Mostra tutte le impostazioni correlate alle impostazioni nazionali e continua.\n    -XshowSettings:properties\n                      Mostra tutte le impostazioni delle propriet\u00E0 e continua.\n    -XshowSettings:vm Mostra tutte le impostazioni correlate alla VM e continua.\n    -Xss        Imposta la dimensione dello stack di thread Java.\n    -Xverify          Imposta la modalit\u00E0 del verificatore bytecode.\n    --add-reads =(,)*\n                      Aggiorna  per leggere , indipendentemente\n                      dalla dichiarazione del modulo.\n                       pu\u00F2 essere ALL-UNNAMED per leggere tutti i\n                      moduli senza nome.\n    --add-exports /=(,)*\n                      Aggiorna  per esportare  in ,\n                      indipendentemente dalla dichiarazione del modulo.\n                       pu\u00F2 essere ALL-UNNAMED per esportare tutti i\n                      moduli senza nome.\n    --add-opens /=(,)*\n                      Aggiorna  per aprire  in\n                      , indipendentemente dalla dichiarazione del modulo.\n    --illegal-access=\n                      Consente o nega l''accesso ai membri dei tipi nei moduli denominati\n                      mediante codice nei moduli senza nome.\n                       pu\u00F2 essere "deny", "permit", "warn" o "debug".\n                      Questa opzione verr\u00E0 rimossa in una release futura.\n    --limit-modules [,...]\n                      Limita l''universe dei moduli osservabili.\n    --patch-module =({0})*\n                      Sostituisce o migliora un modulo con classi e \
+risorse\n                      in file JAR o directory.\n    --disable-@files  Disabilita l''ulteriore espansione di file argomenti.\n\nQueste opzioni extra sono soggette a modifiche senza preavviso.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nLe opzioni riportate di seguito sono specifiche del sistema operativo Mac OS X:\n    -XstartOnFirstThread\n                      Esegue il metodo main() sul primo thread (AppKit).\n    -Xdock:name=\n                      Sostituisce il nome applicazione predefinito visualizzato nel dock\n    -Xdock:icon=\n                      Sostituisce l'icona predefinita visualizzata nel dock\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=Errore: il metodo principale deve restituire un valore
 java.launcher.cls.error4=Errore: il metodo principale non \u00E8 stato trovato nella classe {0}. Definire il metodo principale come:\n   public static void main(String[] args)\naltrimenti una classe applicazione JavaFX deve estendere {1}
 java.launcher.cls.error5=Errore: non sono presenti i componenti runtime di JavaFX necessari per eseguire questa applicazione
 java.launcher.cls.error6=Errore: LinkageError durante il caricamento della classe principale {0}\n\t{1}
+java.launcher.cls.error7=Errore: impossibile inizializzare la classe principale {0}\nCausato da: {1}: {2}
 java.launcher.jar.error1=Errore: si \u00E8 verificato un errore imprevisto durante il tentativo di aprire il file {0}
 java.launcher.jar.error2=manifest non trovato in {0}
 java.launcher.jar.error3=nessun attributo manifest principale in {0}
@@ -55,5 +56,6 @@ java.launcher.init.error=errore di inizializzazione
 java.launcher.javafx.error1=Errore: il metodo JavaFX launchApplication dispone di una firma errata, \nla firma deve essere dichiarata static e restituire un valore di tipo void
 java.launcher.module.error1=il modulo {0} non dispone di un attributo MainClass. Utilizzare -m /
 java.launcher.module.error2=Errore: impossibile trovare o caricare la classe principale {0} nel modulo {1}
-java.launcher.module.error3=Errore: impossibile caricare la classe principale {0} dal modulo {1}\n\t{2}
+java.launcher.module.error3=Errore: impossibile caricare la classe principale {0} nel modulo {1}\n\t{2}
 java.launcher.module.error4={0} non trovato
+java.launcher.module.error5=Errore: impossibile inizializzare la classe principale {0} nel modulo {1}\nCausato da: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ja.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ja.properties
index b8ef45ac9c..6271624094 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ja.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ja.properties
@@ -31,13 +31,13 @@ java.launcher.opt.vmselect   =\    {0}\t  "{1}" VM\u3092\u9078\u629E\u3059\u308B
 java.launcher.opt.hotspot    =\    {0}\t  \u306F"{1}" VM\u306E\u30B7\u30CE\u30CB\u30E0\u3067\u3059  [\u975E\u63A8\u5968]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n    -classpath <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n    --class-path <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n                  {0}\u533A\u5207\u308A\u30EA\u30B9\u30C8(\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3001JAR\u30A2\u30FC\u30AB\u30A4\u30D6\u3001\n                  ZIP\u30A2\u30FC\u30AB\u30A4\u30D6)\u3067\u3001\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u306E\u691C\u7D22\u7528\u3002\n    -p \n    --module-path ...\n                  \u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E{0}\u533A\u5207\u308A\u30EA\u30B9\u30C8\u3001\u5404\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\n                  \u306F\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3067\u3059\u3002\n    --upgrade-module-path ...\n                  \u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E{0}\u533A\u5207\u308A\u30EA\u30B9\u30C8\u3001\u5404\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\n                  \u306F\u3001\u30E9\u30F3\u30BF\u30A4\u30E0\u30FB\u30A4\u30E1\u30FC\u30B8\u5185\u306E\u30A2\u30C3\u30D7\u30B0\u30EC\u30FC\u30C9\u53EF\u80FD\u306A\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u7F6E\u63DB\u3059\u308B\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3067\u3059\n    --add-modules [,...]\n                  \u521D\u671F\u30E2\u30B8\u30E5\u30FC\u30EB\u306B\u52A0\u3048\u3066\u89E3\u6C7A\u3059\u308B\u30EB\u30FC\u30C8\u30FB\u30E2\u30B8\u30E5\u30FC\u30EB\u3002\n                  \u306B\u306F\u6B21\u3082\u6307\u5B9A\u3067\u304D\u307E\u3059: ALL-DEFAULT\u3001ALL-SYSTEM\u3001\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u53C2\u7167\u53EF\u80FD\u306A\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u30EA\u30B9\u30C8\u3057\u7D42\u4E86\u3057\u307E\u3059\n    --d \n    --describe-module \n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u8AAC\u660E\u3057\u7D42\u4E86\u3057\u307E\u3059\n    --dry-run     VM\u3092\u4F5C\u6210\u3057\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9\u3092\u30ED\u30FC\u30C9\u3057\u307E\u3059\u304C\u3001\u30E1\u30A4\u30F3\u30FB\u30E1\u30BD\u30C3\u30C9\u306F\u5B9F\u884C\u3057\u307E\u305B\u3093\u3002\n                  --dry-run\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u3001\u6B21\u306E\u691C\u8A3C\u306B\u5F79\u7ACB\u3064\u5834\u5408\u304C\u3042\u308A\u307E\u3059:\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u30FB\u30B7\u30B9\u30C6\u30E0\u69CB\u6210\u306A\u3069\u306E\u30B3\u30DE\u30F3\u30C9\u884C\u30AA\u30D7\u30B7\u30E7\u30F3\u3002\n    --validate-modules\n                  \u3059\u3079\u3066\u306E\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u691C\u8A3C\u3057\u7D42\u4E86\u3057\u307E\u3059\n                  --validate-modules\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u3001\u6B21\u306E\u691C\u7D22\u306B\u5F79\u7ACB\u3064\u5834\u5408\u304C\u3042\u308A\u307E\u3059:\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u30FB\u30D1\u30B9\u4E0A\u306E\u30E2\u30B8\u30E5\u30FC\u30EB\u3067\u306E\u7AF6\u5408\u304A\u3088\u3073\u305D\u306E\u4ED6\u306E\u30A8\u30E9\u30FC\u3002\n    -D=\n                  \u30B7\u30B9\u30C6\u30E0\u30FB\u30D7\u30ED\u30D1\u30C6\u30A3\u3092\u8A2D\u5B9A\u3057\u307E\u3059\n    -verbose:[class|module|gc|jni]\n                  \u8A73\u7D30\u51FA\u529B\u3092\u6709\u52B9\u306B\u3057\u307E\u3059\n    -version      \u88FD\u54C1\u30D0\u30FC\u30B8\u30E7\u30F3\u3092\u30A8\u30E9\u30FC\u30FB\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u3066\u7D42\u4E86\u3057\u307E\u3059\n    --version     \
+java.launcher.opt.footer = \    -cp <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n    -classpath <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n    --class-path <\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB\u306E\u30AF\u30E9\u30B9\u691C\u7D22\u30D1\u30B9>\n                  {0}\u533A\u5207\u308A\u30EA\u30B9\u30C8(\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3001JAR\u30A2\u30FC\u30AB\u30A4\u30D6\u3001\n                  ZIP\u30A2\u30FC\u30AB\u30A4\u30D6)\u3067\u3001\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u306E\u691C\u7D22\u7528\u3002\n    -p \n    --module-path ...\n                  \u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E{0}\u533A\u5207\u308A\u30EA\u30B9\u30C8\u3001\u5404\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\n                  \u306F\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3067\u3059\u3002\n    --upgrade-module-path ...\n                  \u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E{0}\u533A\u5207\u308A\u30EA\u30B9\u30C8\u3001\u5404\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\n                  \u306F\u3001\u30E9\u30F3\u30BF\u30A4\u30E0\u30FB\u30A4\u30E1\u30FC\u30B8\u5185\u306E\u30A2\u30C3\u30D7\u30B0\u30EC\u30FC\u30C9\u53EF\u80FD\u306A\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u7F6E\u63DB\u3059\u308B\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u3067\u3059\n    --add-modules [,...]\n                  \u521D\u671F\u30E2\u30B8\u30E5\u30FC\u30EB\u306B\u52A0\u3048\u3066\u89E3\u6C7A\u3059\u308B\u30EB\u30FC\u30C8\u30FB\u30E2\u30B8\u30E5\u30FC\u30EB\u3002\n                  \u306B\u306F\u6B21\u3082\u6307\u5B9A\u3067\u304D\u307E\u3059: ALL-DEFAULT\u3001ALL-SYSTEM\u3001\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u53C2\u7167\u53EF\u80FD\u306A\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u30EA\u30B9\u30C8\u3057\u7D42\u4E86\u3057\u307E\u3059\n    -d \n    --describe-module \n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u8AAC\u660E\u3057\u7D42\u4E86\u3057\u307E\u3059\n    --dry-run     VM\u3092\u4F5C\u6210\u3057\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9\u3092\u30ED\u30FC\u30C9\u3057\u307E\u3059\u304C\u3001\u30E1\u30A4\u30F3\u30FB\u30E1\u30BD\u30C3\u30C9\u306F\u5B9F\u884C\u3057\u307E\u305B\u3093\u3002\n                  --dry-run\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u3001\u6B21\u306E\u691C\u8A3C\u306B\u5F79\u7ACB\u3064\u5834\u5408\u304C\u3042\u308A\u307E\u3059:\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u30FB\u30B7\u30B9\u30C6\u30E0\u69CB\u6210\u306A\u3069\u306E\u30B3\u30DE\u30F3\u30C9\u884C\u30AA\u30D7\u30B7\u30E7\u30F3\u3002\n    --validate-modules\n                  \u3059\u3079\u3066\u306E\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u691C\u8A3C\u3057\u7D42\u4E86\u3057\u307E\u3059\n                  --validate-modules\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u3001\u6B21\u306E\u691C\u7D22\u306B\u5F79\u7ACB\u3064\u5834\u5408\u304C\u3042\u308A\u307E\u3059:\n                  \u30E2\u30B8\u30E5\u30FC\u30EB\u30FB\u30D1\u30B9\u4E0A\u306E\u30E2\u30B8\u30E5\u30FC\u30EB\u3067\u306E\u7AF6\u5408\u304A\u3088\u3073\u305D\u306E\u4ED6\u306E\u30A8\u30E9\u30FC\u3002\n    -D=\n                  \u30B7\u30B9\u30C6\u30E0\u30FB\u30D7\u30ED\u30D1\u30C6\u30A3\u3092\u8A2D\u5B9A\u3057\u307E\u3059\n    -verbose:[class|module|gc|jni]\n                  \u8A73\u7D30\u51FA\u529B\u3092\u6709\u52B9\u306B\u3057\u307E\u3059\n    -version      \u88FD\u54C1\u30D0\u30FC\u30B8\u30E7\u30F3\u3092\u30A8\u30E9\u30FC\u30FB\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u3066\u7D42\u4E86\u3057\u307E\u3059\n    --version     \
 \u88FD\u54C1\u30D0\u30FC\u30B8\u30E7\u30F3\u3092\u51FA\u529B\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u3066\u7D42\u4E86\u3057\u307E\u3059\n    -showversion  \u88FD\u54C1\u30D0\u30FC\u30B8\u30E7\u30F3\u3092\u30A8\u30E9\u30FC\u30FB\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u3066\u7D9A\u884C\u3057\u307E\u3059\n    --show-version\n                  \u88FD\u54C1\u30D0\u30FC\u30B8\u30E7\u30F3\u3092\u51FA\u529B\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u3066\u7D9A\u884C\u3057\u307E\u3059\n    --show-module-resolution\n                  \u8D77\u52D5\u6642\u306B\u30E2\u30B8\u30E5\u30FC\u30EB\u89E3\u6C7A\u51FA\u529B\u3092\u8868\u793A\u3057\u307E\u3059\n    -? -h -help\n                  \u3053\u306E\u30D8\u30EB\u30D7\u30FB\u30E1\u30C3\u30BB\u30FC\u30B8\u3092\u30A8\u30E9\u30FC\u30FB\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u307E\u3059\n    --help        \u3053\u306E\u30D8\u30EB\u30D7\u30FB\u30E1\u30C3\u30BB\u30FC\u30B8\u3092\u51FA\u529B\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u307E\u3059\n    -X            \u8FFD\u52A0\u30AA\u30D7\u30B7\u30E7\u30F3\u306E\u30D8\u30EB\u30D7\u3092\u30A8\u30E9\u30FC\u30FB\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u307E\u3059\n    --help-extra  \u8FFD\u52A0\u30AA\u30D7\u30B7\u30E7\u30F3\u306E\u30D8\u30EB\u30D7\u3092\u51FA\u529B\u30B9\u30C8\u30EA\u30FC\u30E0\u306B\u51FA\u529B\u3057\u307E\u3059\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  \u6307\u5B9A\u3057\u305F\u7C92\u5EA6\u3067\u30A2\u30B5\u30FC\u30B7\u30E7\u30F3\u3092\u6709\u52B9\u306B\u3057\u307E\u3059\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  \u6307\u5B9A\u3057\u305F\u7C92\u5EA6\u3067\u30A2\u30B5\u30FC\u30B7\u30E7\u30F3\u3092\u7121\u52B9\u306B\u3057\u307E\u3059\n    -esa | -enablesystemassertions\n                  \u30B7\u30B9\u30C6\u30E0\u30FB\u30A2\u30B5\u30FC\u30B7\u30E7\u30F3\u3092\u6709\u52B9\u306B\u3057\u307E\u3059\n    -dsa | -disablesystemassertions\n                  \u30B7\u30B9\u30C6\u30E0\u30FB\u30A2\u30B5\u30FC\u30B7\u30E7\u30F3\u3092\u7121\u52B9\u306B\u3057\u307E\u3059\n    -agentlib:[=]\n                  \u30CD\u30A4\u30C6\u30A3\u30D6\u30FB\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u30FB\u30E9\u30A4\u30D6\u30E9\u30EA\u3092\u30ED\u30FC\u30C9\u3057\u307E\u3059\u3002\u4F8B: -agentlib:jdwp\n                  -agentlib:jdwp=help\u3082\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044\n    -agentpath:[=]\n                  \u30D5\u30EB\u30D1\u30B9\u540D\u3092\u4F7F\u7528\u3057\u3066\u3001\u30CD\u30A4\u30C6\u30A3\u30D6\u30FB\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u30FB\u30E9\u30A4\u30D6\u30E9\u30EA\u3092\u30ED\u30FC\u30C9\u3057\u307E\u3059\n    -javaagent:[=]\n                  Java\u30D7\u30ED\u30B0\u30E9\u30DF\u30F3\u30B0\u8A00\u8A9E\u30A8\u30FC\u30B8\u30A7\u30F3\u30C8\u3092\u30ED\u30FC\u30C9\u3057\u307E\u3059\u3002java.lang.instrument\u3092\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044\n    -splash:\n                  \u6307\u5B9A\u3055\u308C\u305F\u30A4\u30E1\u30FC\u30B8\u3092\u542B\u3080\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5\u753B\u9762\u3092\u8868\u793A\u3057\u307E\u3059\n                  HiDPI\u30B9\u30B1\u30FC\u30EB\u306E\u30A4\u30E1\u30FC\u30B8\u304C\u81EA\u52D5\u7684\u306B\u30B5\u30DD\u30FC\u30C8\u3055\u308C\u3066\u4F7F\u7528\u3055\u308C\u307E\u3059\n                  (\u53EF\u80FD\u306A\u5834\u5408)\u3002\u30B9\u30B1\u30FC\u30EA\u30F3\u30B0\u3055\u308C\u306A\u3044\u30A4\u30E1\u30FC\u30B8\u306E\u30D5\u30A1\u30A4\u30EB\u540D(image.ext\u306A\u3069)\u3092\n                  \u5F15\u6570\u3068\u3057\u3066-splash\u30AA\u30D7\u30B7\u30E7\u30F3\u306B\u5FC5\u305A\u6E21\u3059\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\n                  \
 \u6307\u5B9A\u3055\u308C\u305F\u6700\u3082\u9069\u5207\u306A\u30B9\u30B1\u30FC\u30EA\u30F3\u30B0\u6E08\u30A4\u30E1\u30FC\u30B8\u304C\u9078\u629E\u3055\u308C\u307E\u3059\n                  (\u81EA\u52D5\u7684)\u3002\n                  \u8A73\u7D30\u306F\u3001SplashScreen API\u306E\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u3092\u53C2\u7167\u3057\u3066\u304F\u3060\u3055\u3044\n    @argument\u30D5\u30A1\u30A4\u30EB\n                  \u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u542B\u30801\u3064\u4EE5\u4E0A\u306E\u5F15\u6570\u30D5\u30A1\u30A4\u30EB\n    -disable-@files\n                  \u3055\u3089\u306A\u308B\u5F15\u6570\u30D5\u30A1\u30A4\u30EB\u62E1\u5F35\u3092\u7121\u52B9\u306B\u3057\u307E\u3059\n\u9577\u3044\u30AA\u30D7\u30B7\u30E7\u30F3\u306E\u5F15\u6570\u3092\u6307\u5B9A\u3059\u308B\u5834\u5408\u3001--=\u307E\u305F\u306F\n-- \u3092\u4F7F\u7528\u3067\u304D\u307E\u3059\u3002\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           \u30D0\u30C3\u30AF\u30B0\u30E9\u30A6\u30F3\u30C9\u306E\u30B3\u30F3\u30D1\u30A4\u30EB\u3092\u7121\u52B9\u306B\u3059\u308B\n    -Xbootclasspath/a:<{0}\u3067\u533A\u5207\u3089\u308C\u305F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB>\n                      \u30D6\u30FC\u30C8\u30B9\u30C8\u30E9\u30C3\u30D7\u30FB\u30AF\u30E9\u30B9\u30FB\u30D1\u30B9\u306E\u6700\u5F8C\u306B\u8FFD\u52A0\u3059\u308B\n    -Xcheck:jni       JNI\u95A2\u6570\u306B\u5BFE\u3059\u308B\u8FFD\u52A0\u306E\u30C1\u30A7\u30C3\u30AF\u3092\u5B9F\u884C\u3059\u308B\n    -Xcomp            \u521D\u56DE\u547C\u51FA\u3057\u6642\u306B\u30E1\u30BD\u30C3\u30C9\u306E\u30B3\u30F3\u30D1\u30A4\u30EB\u3092\u5F37\u5236\u3059\u308B\n    -Xdebug           \u4E0B\u4F4D\u4E92\u63DB\u6027\u306E\u305F\u3081\u306B\u63D0\u4F9B\n    -Xdiag            \u8FFD\u52A0\u306E\u8A3A\u65AD\u30E1\u30C3\u30BB\u30FC\u30B8\u3092\u8868\u793A\u3059\u308B\n    -Xfuture          \u5C06\u6765\u306E\u30C7\u30D5\u30A9\u30EB\u30C8\u3092\u898B\u8D8A\u3057\u3066\u3001\u6700\u3082\u53B3\u5BC6\u306A\u30C1\u30A7\u30C3\u30AF\u3092\u6709\u52B9\u306B\u3059\u308B\n    -Xint             \u30A4\u30F3\u30BF\u30D7\u30EA\u30BF\u30FB\u30E2\u30FC\u30C9\u306E\u5B9F\u884C\u306E\u307F\n    -Xinternalversion\n                      -version\u30AA\u30D7\u30B7\u30E7\u30F3\u3088\u308A\u8A73\u7D30\u306AJVM\u30D0\u30FC\u30B8\u30E7\u30F3\u60C5\u5831\u3092\n                       \u8868\u793A\u3059\u308B\n    -Xloggc:    \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u4ED8\u3044\u305F\u30D5\u30A1\u30A4\u30EB\u306BGC\u30B9\u30C6\u30FC\u30BF\u30B9\u306E\u30ED\u30B0\u3092\u8A18\u9332\u3059\u308B\n    -Xmixed           \u6DF7\u5408\u30E2\u30FC\u30C9\u306E\u5B9F\u884C(\u30C7\u30D5\u30A9\u30EB\u30C8)\n    -Xmn        \u82E5\u3044\u4E16\u4EE3(\u30CA\u30FC\u30B5\u30EA)\u306E\u30D2\u30FC\u30D7\u306E\u521D\u671F\u304A\u3088\u3073\u6700\u5927\u30B5\u30A4\u30BA(\u30D0\u30A4\u30C8\u5358\u4F4D)\n                      \u3092\u8A2D\u5B9A\u3059\u308B\n    -Xms        Java\u306E\u521D\u671F\u30D2\u30FC\u30D7\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xmx        Java\u306E\u6700\u5927\u30D2\u30FC\u30D7\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xnoclassgc       \u30AF\u30E9\u30B9\u306E\u30AC\u30D9\u30FC\u30B8\u30FB\u30B3\u30EC\u30AF\u30B7\u30E7\u30F3\u3092\u7121\u52B9\u306B\u3059\u308B\n    -Xprof            CPU\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u30FB\u30C7\u30FC\u30BF\u3092\u51FA\u529B\u3059\u308B\n    -Xrs              Java/VM\u306B\u3088\u308BOS\u30B7\u30B0\u30CA\u30EB\u306E\u4F7F\u7528\u3092\u524A\u6E1B\u3059\u308B(\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u3092\u53C2\u7167)\n    -Xshare:auto      \u53EF\u80FD\u3067\u3042\u308C\u3070\u5171\u6709\u30AF\u30E9\u30B9\u306E\u30C7\u30FC\u30BF\u3092\u4F7F\u7528\u3059\u308B(\u30C7\u30D5\u30A9\u30EB\u30C8)\n    -Xshare:off       \u5171\u6709\u30AF\u30E9\u30B9\u306E\u30C7\u30FC\u30BF\u3092\u4F7F\u7528\u3057\u3088\u3046\u3068\u3057\u306A\u3044\n    -Xshare:on        \u5171\u6709\u30AF\u30E9\u30B9\u30FB\u30C7\u30FC\u30BF\u306E\u4F7F\u7528\u3092\u5FC5\u9808\u306B\u3057\u3001\u3067\u304D\u306A\u3051\u308C\u3070\u5931\u6557\u3059\u308B\u3002\n    -XshowSettings    \u3059\u3079\u3066\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:all\n                      \u3059\u3079\u3066\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:locale\n                      \u3059\u3079\u3066\u306E\u30ED\u30B1\u30FC\u30EB\u95A2\u9023\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:properties\n                      \u3059\u3079\u3066\u306E\u30D7\u30ED\u30D1\u30C6\u30A3\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:vm \u3059\u3079\u3066\u306EVM\u95A2\u9023\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    \
--Xss        Java\u306E\u30B9\u30EC\u30C3\u30C9\u30FB\u30B9\u30BF\u30C3\u30AF\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xverify          \u30D0\u30A4\u30C8\u30B3\u30FC\u30C9\u691C\u8A3C\u6A5F\u80FD\u306E\u30E2\u30FC\u30C9\u3092\u8A2D\u5B9A\u3059\u308B\n    --add-reads =(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\n                      \u3092\u8AAD\u307F\u53D6\u308A\u307E\u3059\u3002 \n                      \u3092ALL-UNNAMED\u306B\u8A2D\u5B9A\u3059\u308B\u3068\u3001\u3059\u3079\u3066\u306E\u540D\u524D\u306E\u306A\u3044\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\n                      \u8AAD\u307F\u53D6\u308C\u307E\u3059\u3002\n    --add-exports /=(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\u3092\u306B\n                      \u30A8\u30AF\u30B9\u30DD\u30FC\u30C8\u3057\u307E\u3059\u3002\n                      \u3092ALL-UNNAMED\u306B\u8A2D\u5B9A\u3059\u308B\u3068\u3001\u3059\u3079\u3066\u306E\u540D\u524D\u306E\u306A\u3044\u30E2\u30B8\u30E5\u30FC\u30EB\u306B\n                      \u30A8\u30AF\u30B9\u30DD\u30FC\u30C8\u3067\u304D\u307E\u3059\u3002\n    --add-opens /=(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\n                      \u3092\u306B\u958B\u304D\u307E\u3059\u3002\n    --limit-modules [,...]\n                      \u53C2\u7167\u53EF\u80FD\u306A\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u9818\u57DF\u3092\u5236\u9650\u3057\u307E\u3059\n    --patch-module =({0})*\n                      JAR\u30D5\u30A1\u30A4\u30EB\u307E\u305F\u306F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u30AF\u30E9\u30B9\u304A\u3088\u3073\u30EA\u30BD\u30FC\u30B9\u3067\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u30AA\u30FC\u30D0\u30FC\u30E9\u30A4\u30C9\u307E\u305F\u306F\u62E1\u5F35\u3057\u307E\u3059\n    --disable-@files  \u3055\u3089\u306A\u308B\u30D5\u30A1\u30A4\u30EB\u62E1\u5F35\u3092\u7121\u52B9\u306B\u3057\u307E\u3059\n\n\u3053\u308C\u3089\u306E\u8FFD\u52A0\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u4E88\u544A\u306A\u304F\u5909\u66F4\u3055\u308C\u308B\u5834\u5408\u304C\u3042\u308A\u307E\u3059\u3002\n
+java.launcher.X.usage=\n    -Xbatch           \u30D0\u30C3\u30AF\u30B0\u30E9\u30A6\u30F3\u30C9\u306E\u30B3\u30F3\u30D1\u30A4\u30EB\u3092\u7121\u52B9\u306B\u3059\u308B\n    -Xbootclasspath/a:<{0}\u3067\u533A\u5207\u3089\u308C\u305F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u304A\u3088\u3073zip/jar\u30D5\u30A1\u30A4\u30EB>\n                      \u30D6\u30FC\u30C8\u30B9\u30C8\u30E9\u30C3\u30D7\u30FB\u30AF\u30E9\u30B9\u30FB\u30D1\u30B9\u306E\u6700\u5F8C\u306B\u8FFD\u52A0\u3059\u308B\n    -Xcheck:jni       JNI\u95A2\u6570\u306B\u5BFE\u3059\u308B\u8FFD\u52A0\u306E\u30C1\u30A7\u30C3\u30AF\u3092\u5B9F\u884C\u3059\u308B\n    -Xcomp            \u521D\u56DE\u547C\u51FA\u3057\u6642\u306B\u30E1\u30BD\u30C3\u30C9\u306E\u30B3\u30F3\u30D1\u30A4\u30EB\u3092\u5F37\u5236\u3059\u308B\n    -Xdebug           \u4E0B\u4F4D\u4E92\u63DB\u6027\u306E\u305F\u3081\u306B\u63D0\u4F9B\n    -Xdiag            \u8FFD\u52A0\u306E\u8A3A\u65AD\u30E1\u30C3\u30BB\u30FC\u30B8\u3092\u8868\u793A\u3059\u308B\n    -Xfuture          \u5C06\u6765\u306E\u30C7\u30D5\u30A9\u30EB\u30C8\u3092\u898B\u8D8A\u3057\u3066\u3001\u6700\u3082\u53B3\u5BC6\u306A\u30C1\u30A7\u30C3\u30AF\u3092\u6709\u52B9\u306B\u3059\u308B\n    -Xint             \u30A4\u30F3\u30BF\u30D7\u30EA\u30BF\u30FB\u30E2\u30FC\u30C9\u306E\u5B9F\u884C\u306E\u307F\n    -Xinternalversion\n                      -version\u30AA\u30D7\u30B7\u30E7\u30F3\u3088\u308A\u8A73\u7D30\u306AJVM\u30D0\u30FC\u30B8\u30E7\u30F3\u60C5\u5831\u3092\n                      \u8868\u793A\u3059\u308B\n    -Xloggc:    \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u4ED8\u3044\u305F\u30D5\u30A1\u30A4\u30EB\u306BGC\u30B9\u30C6\u30FC\u30BF\u30B9\u306E\u30ED\u30B0\u3092\u8A18\u9332\u3059\u308B\n    -Xmixed           \u6DF7\u5408\u30E2\u30FC\u30C9\u306E\u5B9F\u884C(\u30C7\u30D5\u30A9\u30EB\u30C8)\n    -Xmn        \u82E5\u3044\u4E16\u4EE3(\u30CA\u30FC\u30B5\u30EA)\u306E\u30D2\u30FC\u30D7\u306E\u521D\u671F\u304A\u3088\u3073\u6700\u5927\u30B5\u30A4\u30BA(\u30D0\u30A4\u30C8\u5358\u4F4D)\n                      \u3092\u8A2D\u5B9A\u3059\u308B\n    -Xms        Java\u306E\u521D\u671F\u30D2\u30FC\u30D7\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xmx        Java\u306E\u6700\u5927\u30D2\u30FC\u30D7\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xnoclassgc       \u30AF\u30E9\u30B9\u306E\u30AC\u30D9\u30FC\u30B8\u30FB\u30B3\u30EC\u30AF\u30B7\u30E7\u30F3\u3092\u7121\u52B9\u306B\u3059\u308B\n    -Xprof            CPU\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u30FB\u30C7\u30FC\u30BF\u3092\u51FA\u529B\u3059\u308B(\u975E\u63A8\u5968)\n    -Xrs              Java/VM\u306B\u3088\u308BOS\u30B7\u30B0\u30CA\u30EB\u306E\u4F7F\u7528\u3092\u524A\u6E1B\u3059\u308B(\u30C9\u30AD\u30E5\u30E1\u30F3\u30C8\u3092\u53C2\u7167)\n    -Xshare:auto      \u53EF\u80FD\u3067\u3042\u308C\u3070\u5171\u6709\u30AF\u30E9\u30B9\u306E\u30C7\u30FC\u30BF\u3092\u4F7F\u7528\u3059\u308B(\u30C7\u30D5\u30A9\u30EB\u30C8)\n    -Xshare:off       \u5171\u6709\u30AF\u30E9\u30B9\u306E\u30C7\u30FC\u30BF\u3092\u4F7F\u7528\u3057\u3088\u3046\u3068\u3057\u306A\u3044\n    -Xshare:on        \u5171\u6709\u30AF\u30E9\u30B9\u30FB\u30C7\u30FC\u30BF\u306E\u4F7F\u7528\u3092\u5FC5\u9808\u306B\u3057\u3001\u3067\u304D\u306A\u3051\u308C\u3070\u5931\u6557\u3059\u308B\u3002\n    -XshowSettings    \u3059\u3079\u3066\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:all\n                      \u3059\u3079\u3066\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:locale\n                      \u3059\u3079\u3066\u306E\u30ED\u30B1\u30FC\u30EB\u95A2\u9023\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:properties\n                      \u3059\u3079\u3066\u306E\u30D7\u30ED\u30D1\u30C6\u30A3\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -XshowSettings:vm \
+\u3059\u3079\u3066\u306EVM\u95A2\u9023\u306E\u8A2D\u5B9A\u3092\u8868\u793A\u3057\u3066\u7D9A\u884C\u3059\u308B\n    -Xss        Java\u306E\u30B9\u30EC\u30C3\u30C9\u30FB\u30B9\u30BF\u30C3\u30AF\u30FB\u30B5\u30A4\u30BA\u3092\u8A2D\u5B9A\u3059\u308B\n    -Xverify          \u30D0\u30A4\u30C8\u30B3\u30FC\u30C9\u691C\u8A3C\u6A5F\u80FD\u306E\u30E2\u30FC\u30C9\u3092\u8A2D\u5B9A\u3059\u308B\n    --add-reads =(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\n                      \u3092\u8AAD\u307F\u53D6\u308A\u307E\u3059\u3002 \n                      \u3092ALL-UNNAMED\u306B\u8A2D\u5B9A\u3059\u308B\u3068\u3001\u3059\u3079\u3066\u306E\u540D\u524D\u306E\u306A\u3044\u30E2\u30B8\u30E5\u30FC\u30EB\u3092\n                      \u8AAD\u307F\u53D6\u308C\u307E\u3059\u3002\n    --add-exports /=(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\u3092\u306B\n                      \u30A8\u30AF\u30B9\u30DD\u30FC\u30C8\u3057\u307E\u3059\u3002\n                      \u3092ALL-UNNAMED\u306B\u8A2D\u5B9A\u3059\u308B\u3068\u3001\u3059\u3079\u3066\u306E\u540D\u524D\u306E\u306A\u3044\u30E2\u30B8\u30E5\u30FC\u30EB\u306B\n                      \u30A8\u30AF\u30B9\u30DD\u30FC\u30C8\u3067\u304D\u307E\u3059\u3002\n    --add-opens /=(,)*\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u5BA3\u8A00\u306B\u95A2\u4FC2\u306A\u304F\u3001\u3092\u66F4\u65B0\u3057\u3066\n                      \u3092\u306B\u958B\u304D\u307E\u3059\u3002\n    --illegal-access=\n                      \u540D\u524D\u306E\u306A\u3044\u30E2\u30B8\u30E5\u30FC\u30EB\u5185\u306E\u30B3\u30FC\u30C9\u306B\u3088\u308B\u3001\u540D\u524D\u306E\u3042\u308B\u30E2\u30B8\u30E5\u30FC\u30EB\u5185\u306E\n                      \u30BF\u30A4\u30D7\u306E\u30E1\u30F3\u30D0\u30FC\u3078\u306E\u30A2\u30AF\u30BB\u30B9\u3092\u8A31\u53EF\u307E\u305F\u306F\u62D2\u5426\u3057\u307E\u3059\u3002\n                      \u306F"deny"\u3001"permit"\u3001"warn"\u3001"debug"\u306E\u3044\u305A\u308C\u304B\u3067\u3059\n                      \u3053\u306E\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u5C06\u6765\u306E\u30EA\u30EA\u30FC\u30B9\u3067\u524A\u9664\u3055\u308C\u307E\u3059\u3002\n    --limit-modules [,...]\n                      \u53C2\u7167\u53EF\u80FD\u306A\u30E2\u30B8\u30E5\u30FC\u30EB\u306E\u9818\u57DF\u3092\u5236\u9650\u3057\u307E\u3059\n    --patch-module =({0})*\n                      JAR\u30D5\u30A1\u30A4\u30EB\u307E\u305F\u306F\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u30AF\u30E9\u30B9\u304A\u3088\u3073\u30EA\u30BD\u30FC\u30B9\u3067\n                      \u30E2\u30B8\u30E5\u30FC\u30EB\u3092\u30AA\u30FC\u30D0\u30FC\u30E9\u30A4\u30C9\u307E\u305F\u306F\u62E1\u5F35\u3057\u307E\u3059\u3002\n    --disable-@files  \u3055\u3089\u306A\u308B\u30D5\u30A1\u30A4\u30EB\u62E1\u5F35\u3092\u7121\u52B9\u306B\u3057\u307E\u3059\n\n\u3053\u308C\u3089\u306E\u8FFD\u52A0\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u4E88\u544A\u306A\u304F\u5909\u66F4\u3055\u308C\u308B\u5834\u5408\u304C\u3042\u308A\u307E\u3059\u3002\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\n\u6B21\u306E\u30AA\u30D7\u30B7\u30E7\u30F3\u306FMac OS X\u56FA\u6709\u3067\u3059:\n    -XstartOnFirstThread\n                      main()\u30E1\u30BD\u30C3\u30C9\u3092\u6700\u521D(AppKit)\u306E\u30B9\u30EC\u30C3\u30C9\u3067\u5B9F\u884C\u3059\u308B\n    -Xdock:name=\n                      Dock\u306B\u8868\u793A\u3055\u308C\u308B\u30C7\u30D5\u30A9\u30EB\u30C8\u30FB\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u540D\u3092\u30AA\u30FC\u30D0\u30FC\u30E9\u30A4\u30C9\u3059\u308B\n    -Xdock:icon=\n                      Dock\u306B\u8868\u793A\u3055\u308C\u308B\u30C7\u30D5\u30A9\u30EB\u30C8\u30FB\u30A2\u30A4\u30B3\u30F3\u3092\u30AA\u30FC\u30D0\u30FC\u30E9\u30A4\u30C9\u3059\u308B\n\n
@@ -48,6 +48,7 @@ java.launcher.cls.error3=\u30A8\u30E9\u30FC: \u30E1\u30A4\u30F3\u30FB\u30E1\u30B
 java.launcher.cls.error4=\u30A8\u30E9\u30FC: \u30E1\u30A4\u30F3\u30FB\u30E1\u30BD\u30C3\u30C9\u304C\u30AF\u30E9\u30B9{0}\u3067\u898B\u3064\u304B\u308A\u307E\u305B\u3093\u3002\u6B21\u306E\u3088\u3046\u306B\u30E1\u30A4\u30F3\u30FB\u30E1\u30BD\u30C3\u30C9\u3092\u5B9A\u7FA9\u3057\u3066\u304F\u3060\u3055\u3044\u3002\n   public static void main(String[] args)\n\u307E\u305F\u306FJavaFX\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u30FB\u30AF\u30E9\u30B9\u306F{1}\u3092\u62E1\u5F35\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059
 java.launcher.cls.error5=\u30A8\u30E9\u30FC: JavaFX\u30E9\u30F3\u30BF\u30A4\u30E0\u30FB\u30B3\u30F3\u30DD\u30FC\u30CD\u30F3\u30C8\u304C\u4E0D\u8DB3\u3057\u3066\u304A\u308A\u3001\u3053\u306E\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306E\u5B9F\u884C\u306B\u5FC5\u8981\u3067\u3059
 java.launcher.cls.error6=\u30A8\u30E9\u30FC: \u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u306E\u30ED\u30FC\u30C9\u4E2D\u306BLinkageError\u304C\u767A\u751F\u3057\u307E\u3057\u305F\n\t{1}
+java.launcher.cls.error7=\u30A8\u30E9\u30FC: \u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u3092\u521D\u671F\u5316\u3067\u304D\u307E\u305B\u3093\n\u539F\u56E0: {1}: {2}
 java.launcher.jar.error1=\u30A8\u30E9\u30FC: \u30D5\u30A1\u30A4\u30EB{0}\u3092\u958B\u3053\u3046\u3068\u3057\u3066\u3044\u308B\u3068\u304D\u306B\u3001\u4E88\u671F\u3057\u306A\u3044\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F
 java.launcher.jar.error2={0}\u306B\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093
 java.launcher.jar.error3={0}\u306B\u30E1\u30A4\u30F3\u30FB\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u5C5E\u6027\u304C\u3042\u308A\u307E\u305B\u3093
@@ -56,5 +57,6 @@ java.launcher.init.error=\u521D\u671F\u5316\u30A8\u30E9\u30FC
 java.launcher.javafx.error1=\u30A8\u30E9\u30FC: JavaFX launchApplication\u30E1\u30BD\u30C3\u30C9\u306B\u8AA4\u3063\u305F\u30B7\u30B0\u30CD\u30C1\u30E3\u304C\u3042\u308A\u3001\nstatic\u3092\u5BA3\u8A00\u3057\u3066void\u578B\u306E\u5024\u3092\u8FD4\u3059\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059
 java.launcher.module.error1=\u30E2\u30B8\u30E5\u30FC\u30EB{0}\u306BMainClass\u5C5E\u6027\u304C\u3042\u308A\u307E\u305B\u3093\u3002-m /\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044
 java.launcher.module.error2=\u30A8\u30E9\u30FC: \u30E2\u30B8\u30E5\u30FC\u30EB{1}\u306B\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u304C\u898B\u3064\u304B\u3089\u306A\u304B\u3063\u305F\u304B\u30ED\u30FC\u30C9\u3067\u304D\u307E\u305B\u3093\u3067\u3057\u305F
-java.launcher.module.error3=\u30A8\u30E9\u30FC: \u30E2\u30B8\u30E5\u30FC\u30EB{1}\u304B\u3089\u306E\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u306E\u30ED\u30FC\u30C9\u306B\u5931\u6557\u3057\u307E\u3057\u305F\n\t{2}
+java.launcher.module.error3=\u30A8\u30E9\u30FC: \u30E2\u30B8\u30E5\u30FC\u30EB{1}\u306E\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u3092\u30ED\u30FC\u30C9\u3067\u304D\u307E\u305B\u3093\n\t{2}
 java.launcher.module.error4={0}\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093
+java.launcher.module.error5=\u30A8\u30E9\u30FC: \u30E2\u30B8\u30E5\u30FC\u30EB{1}\u306E\u30E1\u30A4\u30F3\u30FB\u30AF\u30E9\u30B9{0}\u3092\u521D\u671F\u5316\u3067\u304D\u307E\u305B\u3093\n\u539F\u56E0: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
index 5ee8ae9c2b..a128a8126e 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  "{1}" VM\uC744 \uC120\uD0DD\uD569\uB2C
 java.launcher.opt.hotspot    =\    {0}\t  "{1}" VM\uC758 \uB3D9\uC758\uC5B4\uC785\uB2C8\uB2E4[\uC0AC\uC6A9\uB418\uC9C0 \uC54A\uC74C].\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n    -classpath <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n    --class-path <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n                  \uD074\uB798\uC2A4 \uD30C\uC77C\uC744 \uAC80\uC0C9\uD558\uAE30 \uC704\uD55C \uB514\uB809\uD1A0\uB9AC, JAR \uC544\uCE74\uC774\uBE0C \uBC0F ZIP \uC544\uCE74\uC774\uBE0C\uC758 {0}(\uC73C)\uB85C\n                  \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4.\n    -p <\uBAA8\uB4C8 \uACBD\uB85C>\n    --module-path <\uBAA8\uB4C8 \uACBD\uB85C>...\n                  \uB514\uB809\uD1A0\uB9AC\uC758 {0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4. \uAC01 \uB514\uB809\uD1A0\uB9AC\uB294\n                  \uBAA8\uB4C8\uC758 \uB514\uB809\uD1A0\uB9AC\uC785\uB2C8\uB2E4.\n    --upgrade-module-path <\uBAA8\uB4C8 \uACBD\uB85C>...\n                  \uB514\uB809\uD1A0\uB9AC\uC758 {0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4. \uAC01 \uB514\uB809\uD1A0\uB9AC\uB294\n                  \uB7F0\uD0C0\uC784 \uC774\uBBF8\uC9C0\uC5D0\uC11C \uC5C5\uADF8\uB808\uC774\uB4DC \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC744 \uB300\uCCB4\uD558\uB294\n                  \uBAA8\uB4C8\uC758 \uB514\uB809\uD1A0\uB9AC\uC785\uB2C8\uB2E4.\n    --add-modules <\uBAA8\uB4C8 \uC774\uB984>[,<\uBAA8\uB4C8 \uC774\uB984>...]\n                  \uCD08\uAE30 \uBAA8\uB4C8 \uC774\uC678\uC758 \uD574\uACB0\uD560 \uB8E8\uD2B8 \uBAA8\uB4C8\uC785\uB2C8\uB2E4.\n                  <\uBAA8\uB4C8 \uC774\uB984>\uC740 ALL-DEFAULT, ALL-SYSTEM\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \uAD00\uCC30 \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC744 \uB098\uC5F4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    --d <\uBAA8\uB4C8 \uC774\uB984>\n    --describe-module <\uBAA8\uB4C8 \uC774\uB984>\n                  \uBAA8\uB4C8\uC744 \uC124\uBA85\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    --dry-run     VM\uC744 \uC0DD\uC131\uD558\uACE0 \uAE30\uBCF8 \uD074\uB798\uC2A4\uB97C \uB85C\uB4DC\uD558\uC9C0\uB9CC \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC2E4\uD589\uD558\uC9C0\uB294 \uC54A\uC2B5\uB2C8\uB2E4.\n                  --dry-run \uC635\uC158\uC740 \uBAA8\uB4C8 \uC2DC\uC2A4\uD15C \uAD6C\uC131\uACFC \uAC19\uC740\n                  \uBA85\uB839\uC904 \uC635\uC158 \uAC80\uC99D\uC5D0 \uC720\uC6A9\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --validate-modules\n                  \uBAA8\uB4E0 \uBAA8\uB4C8\uC744 \uAC80\uC99D\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n                  --validate-modules \uC635\uC158\uC740 \uBAA8\uB4C8 \uACBD\uB85C\uC5D0\uC11C \uBAA8\uB4C8\uC5D0 \uB300\uD55C\n                  \uCDA9\uB3CC \uBC0F \uAE30\uD0C0 \uC624\uB958\uB97C \uCC3E\uB294 \uB370 \uC720\uC6A9\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    -D<\uC774\uB984>=<\uAC12>\n                  \uC2DC\uC2A4\uD15C \uC18D\uC131\uC744 \uC124\uC815\uD569\uB2C8\uB2E4.\n    -verbose:[class|module|gc|jni]\n                  \uC0C1\uC138 \uC815\uBCF4 \uCD9C\uB825\uC744 \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\n    -version      \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    --version     \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    -showversion  \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    --show-version\n                  \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    --show-module-resolution\n                  \uC2DC\uC791 \uC911 \uBAA8\uB4C8 \uBD84\uC11D \uCD9C\uB825\uC744 \
+java.launcher.opt.footer = \    -cp <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n    -classpath <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n    --class-path <\uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C\uC758 \uD074\uB798\uC2A4 \uAC80\uC0C9 \uACBD\uB85C>\n                  \uD074\uB798\uC2A4 \uD30C\uC77C\uC744 \uAC80\uC0C9\uD558\uAE30 \uC704\uD55C \uB514\uB809\uD1A0\uB9AC, JAR \uC544\uCE74\uC774\uBE0C \uBC0F ZIP \uC544\uCE74\uC774\uBE0C\uC758 {0}(\uC73C)\uB85C\n                  \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4.\n    -p <\uBAA8\uB4C8 \uACBD\uB85C>\n    --module-path <\uBAA8\uB4C8 \uACBD\uB85C>...\n                  \uB514\uB809\uD1A0\uB9AC\uC758 {0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4. \uAC01 \uB514\uB809\uD1A0\uB9AC\uB294\n                  \uBAA8\uB4C8\uC758 \uB514\uB809\uD1A0\uB9AC\uC785\uB2C8\uB2E4.\n    --upgrade-module-path <\uBAA8\uB4C8 \uACBD\uB85C>...\n                  \uB514\uB809\uD1A0\uB9AC\uC758 {0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uBAA9\uB85D\uC785\uB2C8\uB2E4. \uAC01 \uB514\uB809\uD1A0\uB9AC\uB294\n                  \uB7F0\uD0C0\uC784 \uC774\uBBF8\uC9C0\uC5D0\uC11C \uC5C5\uADF8\uB808\uC774\uB4DC \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC744 \uB300\uCCB4\uD558\uB294\n                  \uBAA8\uB4C8\uC758 \uB514\uB809\uD1A0\uB9AC\uC785\uB2C8\uB2E4.\n    --add-modules <\uBAA8\uB4C8 \uC774\uB984>[,<\uBAA8\uB4C8 \uC774\uB984>...]\n                  \uCD08\uAE30 \uBAA8\uB4C8 \uC774\uC678\uC758 \uD574\uACB0\uD560 \uB8E8\uD2B8 \uBAA8\uB4C8\uC785\uB2C8\uB2E4.\n                  <\uBAA8\uB4C8 \uC774\uB984>\uC740 ALL-DEFAULT, ALL-SYSTEM\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \uAD00\uCC30 \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC744 \uB098\uC5F4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    -d <\uBAA8\uB4C8 \uC774\uB984>\n    --describe-module <\uBAA8\uB4C8 \uC774\uB984>\n                  \uBAA8\uB4C8\uC744 \uC124\uBA85\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    --dry-run     VM\uC744 \uC0DD\uC131\uD558\uACE0 \uAE30\uBCF8 \uD074\uB798\uC2A4\uB97C \uB85C\uB4DC\uD558\uC9C0\uB9CC \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC2E4\uD589\uD558\uC9C0\uB294 \uC54A\uC2B5\uB2C8\uB2E4.\n                  --dry-run \uC635\uC158\uC740 \uBAA8\uB4C8 \uC2DC\uC2A4\uD15C \uAD6C\uC131\uACFC \uAC19\uC740\n                  \uBA85\uB839\uC904 \uC635\uC158 \uAC80\uC99D\uC5D0 \uC720\uC6A9\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --validate-modules\n                  \uBAA8\uB4E0 \uBAA8\uB4C8\uC744 \uAC80\uC99D\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n                  --validate-modules \uC635\uC158\uC740 \uBAA8\uB4C8 \uACBD\uB85C\uC5D0\uC11C \uBAA8\uB4C8\uC5D0 \uB300\uD55C\n                  \uCDA9\uB3CC \uBC0F \uAE30\uD0C0 \uC624\uB958\uB97C \uCC3E\uB294 \uB370 \uC720\uC6A9\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    -D<\uC774\uB984>=<\uAC12>\n                  \uC2DC\uC2A4\uD15C \uC18D\uC131\uC744 \uC124\uC815\uD569\uB2C8\uB2E4.\n    -verbose:[class|module|gc|jni]\n                  \uC0C1\uC138 \uC815\uBCF4 \uCD9C\uB825\uC744 \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\n    -version      \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    --version     \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uC885\uB8CC\uD569\uB2C8\uB2E4.\n    -showversion  \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    --show-version\n                  \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uC81C\uD488 \uBC84\uC804\uC744 \uC778\uC1C4\uD558\uACE0 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    --show-module-resolution\n                  \uC2DC\uC791 \uC911 \uBAA8\uB4C8 \uBD84\uC11D \uCD9C\uB825\uC744 \
 \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n    -? -h -help\n                  \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uC774 \uB3C4\uC6C0\uB9D0 \uBA54\uC2DC\uC9C0\uB97C \uC778\uC1C4\uD569\uB2C8\uB2E4.\n    --help        \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uC774 \uB3C4\uC6C0\uB9D0 \uBA54\uC2DC\uC9C0\uB97C \uC778\uC1C4\uD569\uB2C8\uB2E4.\n    -X            \uC624\uB958 \uC2A4\uD2B8\uB9BC\uC5D0 \uCD94\uAC00 \uC635\uC158\uC5D0 \uB300\uD55C \uB3C4\uC6C0\uB9D0\uC744 \uC778\uC1C4\uD569\uB2C8\uB2E4.\n    --help-extra  \uCD9C\uB825 \uC2A4\uD2B8\uB9BC\uC5D0 \uCD94\uAC00 \uC635\uC158\uC5D0 \uB300\uD55C \uB3C4\uC6C0\uB9D0\uC744 \uC778\uC1C4\uD569\uB2C8\uB2E4.\n    -ea[:<\uD328\uD0A4\uC9C0 \uC774\uB984>...|:<\uD074\uB798\uC2A4 \uC774\uB984>]\n    -enableassertions[:<\uD328\uD0A4\uC9C0 \uC774\uB984>...|:<\uD074\uB798\uC2A4 \uC774\uB984>]\n                  \uC138\uBD84\uC131\uC774 \uC9C0\uC815\uB41C \uAC80\uC99D\uC744 \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -da[:<\uD328\uD0A4\uC9C0 \uC774\uB984>...|:<\uD074\uB798\uC2A4 \uC774\uB984>]\n    -disableassertions[:<\uD328\uD0A4\uC9C0 \uC774\uB984>...|:<\uD074\uB798\uC2A4 \uC774\uB984>]\n                  \uC138\uBD84\uC131\uC774 \uC9C0\uC815\uB41C \uAC80\uC99D\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -esa | -enablesystemassertions\n                  \uC2DC\uC2A4\uD15C \uAC80\uC99D\uC744 \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -dsa | -disablesystemassertions\n                  \uC2DC\uC2A4\uD15C \uAC80\uC99D\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -agentlib:<\uB77C\uC774\uBE0C\uB7EC\uB9AC \uC774\uB984>[=<\uC635\uC158>]\n                  \uACE0\uC720 \uC5D0\uC774\uC804\uD2B8 \uB77C\uC774\uBE0C\uB7EC\uB9AC <\uB77C\uC774\uBE0C\uB7EC\uB9AC \uC774\uB984>\uC744 \uB85C\uB4DC\uD569\uB2C8\uB2E4(\uC608: -agentlib:jdwp).\n                  -agentlib:jdwp=help\uB3C4 \uCC38\uC870\uD558\uC2ED\uC2DC\uC624.\n    -agentpath:<\uACBD\uB85C \uC774\uB984>[=<\uC635\uC158>]\n                  \uC804\uCCB4 \uACBD\uB85C \uC774\uB984\uC744 \uC0AC\uC6A9\uD558\uC5EC \uACE0\uC720 \uC5D0\uC774\uC804\uD2B8 \uB77C\uC774\uBE0C\uB7EC\uB9AC\uB97C \uB85C\uB4DC\uD569\uB2C8\uB2E4.\n    -javaagent:[=<\uC635\uC158>]\n                  Java \uD504\uB85C\uADF8\uB798\uBC0D \uC5B8\uC5B4 \uC5D0\uC774\uC804\uD2B8\uB97C \uB85C\uB4DC\uD569\uB2C8\uB2E4. java.lang.instrument\uB97C \uCC38\uC870\uD558\uC2ED\uC2DC\uC624.\n    -splash:<\uC774\uBBF8\uC9C0 \uACBD\uB85C>\n                  \uC774\uBBF8\uC9C0\uAC00 \uC9C0\uC815\uB41C \uC2A4\uD50C\uB798\uC2DC \uD654\uBA74\uC744 \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n                  HiDPI\uB85C \uC870\uC815\uB41C \uC774\uBBF8\uC9C0\uAC00 \uC790\uB3D9\uC73C\uB85C \uC9C0\uC6D0\uB418\uACE0 \uC0AC\uC6A9 \uAC00\uB2A5\uD55C \uACBD\uC6B0\n                  \uC0AC\uC6A9\uB429\uB2C8\uB2E4. \uBBF8\uC870\uC815 \uC774\uBBF8\uC9C0 \uD30C\uC77C \uC774\uB984(\uC608: image.ext)\uC740\n                  \uD56D\uC0C1 -splash \uC635\uC158\uC5D0 \uC778\uC218\uB85C \uC804\uB2EC\uB418\uC5B4\uC57C \uD569\uB2C8\uB2E4.\n                  \uAC00\uC7A5 \uC801\uC808\uD788 \uC870\uC815\uB41C \uC774\uBBF8\uC9C0\uAC00 \uC790\uB3D9\uC73C\uB85C\n                  \uCC44\uD0DD\uB429\uB2C8\uB2E4.\n                  \uC790\uC138\uD55C \uB0B4\uC6A9\uC740 SplashScreen API \uC124\uBA85\uC11C\uB97C \uCC38\uC870\uD558\uC2ED\uC2DC\uC624.\n    @\uC778\uC218 \uD30C\uC77C\n                  -disable-@files \uC635\uC158\uC774 \uD3EC\uD568\uB418\uC5B4 \uC788\uB294 \uD558\uB098 \uC774\uC0C1\uC758\n    \uC778\uC218 \uD30C\uC77C\n                  \uCD94\uAC00 \uC778\uC218 \uD30C\uC77C \uD655\uC7A5\uC744 \uBC29\uC9C0\uD569\uB2C8\uB2E4.\nlong \uC635\uC158\uC5D0 \uB300\uD55C \uC778\uC218\uB97C \uC9C0\uC815\uD558\uB824\uBA74 --<\uC774\uB984>=<\uAC12> \uB610\uB294\n--<\uC774\uB984> <\uAC12>\uC744 \uC0AC\uC6A9\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           \uBC31\uADF8\uB77C\uC6B4\uB4DC \uCEF4\uD30C\uC77C\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xbootclasspath/a:<{0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C>\n                      \uBD80\uD2B8\uC2A4\uD2B8\uB7A9 \uD074\uB798\uC2A4 \uACBD\uB85C \uB05D\uC5D0 \uCD94\uAC00\uD569\uB2C8\uB2E4.\n    -Xcheck:jni       JNI \uD568\uC218\uC5D0 \uB300\uD55C \uCD94\uAC00 \uAC80\uC0AC\uB97C \uC218\uD589\uD569\uB2C8\uB2E4.\n    -Xcomp            \uCCAB\uBC88\uC9F8 \uD638\uCD9C\uC5D0\uC11C \uBA54\uC18C\uB4DC \uCEF4\uD30C\uC77C\uC744 \uAC15\uC81C\uD569\uB2C8\uB2E4.\n    -Xdebug           \uC5ED \uD638\uD658\uC131\uC744 \uC704\uD574 \uC81C\uACF5\uB418\uC5C8\uC2B5\uB2C8\uB2E4.\n    -Xdiag            \uCD94\uAC00 \uC9C4\uB2E8 \uBA54\uC2DC\uC9C0\uB97C \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n    -Xfuture          \uBBF8\uB798 \uAE30\uBCF8\uAC12\uC744 \uC608\uCE21\uD558\uC5EC \uAC00\uC7A5 \uC5C4\uACA9\uD55C \uAC80\uC0AC\uB97C \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xint             \uD574\uC11D\uB41C \uBAA8\uB4DC\uB9CC \uC2E4\uD589\uD569\uB2C8\uB2E4.\n    -Xinternalversion\n                      -version \uC635\uC158\uBCF4\uB2E4 \uC0C1\uC138\uD55C JVM \uBC84\uC804 \uC815\uBCF4\uB97C \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n    -Xloggc:<\uD30C\uC77C>    \uC2DC\uAC04 \uAE30\uB85D\uACFC \uD568\uAED8 \uD30C\uC77C\uC5D0 GC \uC0C1\uD0DC\uB97C \uAE30\uB85D\uD569\uB2C8\uB2E4.\n    -Xmixed           \uD63C\uD569 \uBAA8\uB4DC\uB97C \uC2E4\uD589\uD569\uB2C8\uB2E4(\uAE30\uBCF8\uAC12).\n    -Xmn<\uD06C\uAE30>        \uC80A\uC740 \uC138\uB300(Nursery)\uB97C \uC704\uD574 \uD799\uC758 \uCD08\uAE30 \uBC0F \uCD5C\uB300\n                      \uD06C\uAE30(\uBC14\uC774\uD2B8)\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xms<\uD06C\uAE30>        \uCD08\uAE30 Java \uD799 \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xmx<\uD06C\uAE30>        \uCD5C\uB300 Java \uD799 \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xnoclassgc       \uD074\uB798\uC2A4\uC758 \uBD88\uD544\uC694\uD55C \uC815\uBCF4 \uBAA8\uC74C\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xprof            CPU \uD504\uB85C\uD30C\uC77C \uC791\uC131 \uB370\uC774\uD130\uB97C \uCD9C\uB825\uD569\uB2C8\uB2E4(\uC0AC\uC6A9\uB418\uC9C0 \uC54A\uC74C).\n    -Xrs              Java/VM\uC5D0 \uC758\uD55C OS \uC2E0\uD638 \uC0AC\uC6A9\uC744 \uC904\uC785\uB2C8\uB2E4(\uC124\uBA85\uC11C \uCC38\uC870).\n    -Xshare:auto      \uAC00\uB2A5\uD55C \uACBD\uC6B0 \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130\uB97C \uC0AC\uC6A9\uD569\uB2C8\uB2E4(\uAE30\uBCF8\uAC12).\n    -Xshare:off       \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130 \uC0AC\uC6A9\uC744 \uC2DC\uB3C4\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -Xshare:on        \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130\uB97C \uC0AC\uC6A9\uD574\uC57C \uD569\uB2C8\uB2E4. \uADF8\uB807\uC9C0 \uC54A\uC744 \uACBD\uC6B0 \uC2E4\uD328\uD569\uB2C8\uB2E4.\n    -XshowSettings    \uBAA8\uB4E0 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:all\n                      \uBAA8\uB4E0 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:locale\n                      \uBAA8\uB4E0 \uB85C\uCF00\uC77C \uAD00\uB828 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:properties\n                      \uBAA8\uB4E0 \uC18D\uC131 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:vm \uBAA8\uB4E0 VM \uAD00\uB828 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -Xss<\uD06C\uAE30>        Java \uC2A4\uB808\uB4DC \uC2A4\uD0DD \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xverify          \uBC14\uC774\uD2B8\uCF54\uB4DC \uAC80\uC99D\uC790\uC758 \uBAA8\uB4DC\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n  \
-  --add-reads <\uBAA8\uB4C8>=<\uB300\uC0C1-\uBAA8\uB4C8>(,<\uB300\uC0C1-\uBAA8\uB4C8>)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 <\uB300\uC0C1-\uBAA8\uB4C8>\uC744 \uC77D\uB3C4\uB85D\n                      <\uBAA8\uB4C8>\uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n                      <\uB300\uC0C1-\uBAA8\uB4C8>\uC740 \uC774\uB984\uC774 \uC9C0\uC815\uB418\uC9C0 \uC54A\uC740 \uBAA8\uB4E0 \uBAA8\uB4C8\uC744 \uC77D\uC744 \uC218 \uC788\uB294\n                      ALL-UNNAMED\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --add-exports <\uBAA8\uB4C8>/<\uD328\uD0A4\uC9C0>=<\uB300\uC0C1-\uBAA8\uB4C8>(,<\uB300\uC0C1-\uBAA8\uB4C8>)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 <\uD328\uD0A4\uC9C0>\uB97C <\uB300\uC0C1-\uBAA8\uB4C8>\uB85C \uC775\uC2A4\uD3EC\uD2B8\uD558\uB3C4\uB85D\n                      <\uBAA8\uB4C8>\uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n                      <\uB300\uC0C1-\uBAA8\uB4C8>\uC740 \uC774\uB984\uC774 \uC9C0\uC815\uB418\uC9C0 \uC54A\uC740 \uBAA8\uB4E0 \uBAA8\uB4C8\uB85C \uC775\uC2A4\uD3EC\uD2B8\uD560 \uC218 \uC788\uB294\n                      ALL-UNNAMED\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --add-opens <\uBAA8\uB4C8>/<\uD328\uD0A4\uC9C0>=<\uB300\uC0C1-\uBAA8\uB4C8>(,<\uB300\uC0C1-\uBAA8\uB4C8>)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 <\uD328\uD0A4\uC9C0>\uB97C <\uB300\uC0C1-\uBAA8\uB4C8>\uB85C \uC5F4\uB3C4\uB85D\n                      <\uBAA8\uB4C8>\uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n    --limit-modules <\uBAA8\uB4C8 \uC774\uB984>[,<\uBAA8\uB4C8 \uC774\uB984>...]\n                      \uAD00\uCC30 \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC758 \uACF5\uC6A9\uC744 \uC81C\uD55C\uD569\uB2C8\uB2E4.\n    --patch-module <\uBAA8\uB4C8>=<\uD30C\uC77C>({0}<\uD30C\uC77C>)*\n                      JAR \uD30C\uC77C \uB610\uB294 \uB514\uB809\uD1A0\uB9AC\uC758 \uD074\uB798\uC2A4\uC640 \uB9AC\uC18C\uC2A4\uB85C\n                      \uBAA8\uB4C8\uC744 \uBB34\uD6A8\uD654\uD558\uAC70\uB098 \uC778\uC218\uD654\uD569\uB2C8\uB2E4.\n    --disable-@files  \uCD94\uAC00 \uC778\uC218 \uD30C\uC77C \uD655\uC7A5\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n\n\uC774\uB7EC\uD55C \uCD94\uAC00 \uC635\uC158\uC740 \uD1B5\uC9C0 \uC5C6\uC774 \uBCC0\uACBD\uB420 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n
+java.launcher.X.usage=\n    -Xbatch           \uBC31\uADF8\uB77C\uC6B4\uB4DC \uCEF4\uD30C\uC77C\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xbootclasspath/a:<{0}(\uC73C)\uB85C \uAD6C\uBD84\uB41C \uB514\uB809\uD1A0\uB9AC \uBC0F zip/jar \uD30C\uC77C>\n                      \uBD80\uD2B8\uC2A4\uD2B8\uB7A9 \uD074\uB798\uC2A4 \uACBD\uB85C \uB05D\uC5D0 \uCD94\uAC00\uD569\uB2C8\uB2E4.\n    -Xcheck:jni       JNI \uD568\uC218\uC5D0 \uB300\uD55C \uCD94\uAC00 \uAC80\uC0AC\uB97C \uC218\uD589\uD569\uB2C8\uB2E4.\n    -Xcomp            \uCCAB\uBC88\uC9F8 \uD638\uCD9C\uC5D0\uC11C \uBA54\uC18C\uB4DC \uCEF4\uD30C\uC77C\uC744 \uAC15\uC81C\uD569\uB2C8\uB2E4.\n    -Xdebug           \uC5ED\uD638\uD658\uC131\uC744 \uC704\uD574 \uC81C\uACF5\uB418\uC5C8\uC2B5\uB2C8\uB2E4.\n    -Xdiag            \uCD94\uAC00 \uC9C4\uB2E8 \uBA54\uC2DC\uC9C0\uB97C \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n    -Xfuture          \uBBF8\uB798 \uAE30\uBCF8\uAC12\uC744 \uC608\uCE21\uD558\uC5EC \uAC00\uC7A5 \uC5C4\uACA9\uD55C \uAC80\uC0AC\uB97C \uC0AC\uC6A9\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xint             \uD574\uC11D\uB41C \uBAA8\uB4DC\uB9CC \uC2E4\uD589\uD569\uB2C8\uB2E4.\n    -Xinternalversion\n                      -version \uC635\uC158\uBCF4\uB2E4 \uC0C1\uC138\uD55C JVM \uBC84\uC804 \uC815\uBCF4\uB97C\n                      \uD45C\uC2DC\uD569\uB2C8\uB2E4.\n    -Xloggc:    \uC2DC\uAC04 \uAE30\uB85D\uACFC \uD568\uAED8 \uD30C\uC77C\uC5D0 GC \uC0C1\uD0DC\uB97C \uAE30\uB85D\uD569\uB2C8\uB2E4.\n    -Xmixed           \uD63C\uD569 \uBAA8\uB4DC\uB97C \uC2E4\uD589\uD569\uB2C8\uB2E4(\uAE30\uBCF8\uAC12).\n    -Xmn        \uC2E0\uC138\uB300(Nursery)\uB97C \uC704\uD574 \uD799\uC758 \uCD08\uAE30 \uBC0F \uCD5C\uB300\n                      \uD06C\uAE30(\uBC14\uC774\uD2B8)\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xms        \uCD08\uAE30 Java \uD799 \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xmx        \uCD5C\uB300 Java \uD799 \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xnoclassgc       \uD074\uB798\uC2A4\uC758 \uBD88\uD544\uC694\uD55C \uC815\uBCF4 \uBAA8\uC74C\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xprof            CPU \uD504\uB85C\uD30C\uC77C \uC791\uC131 \uB370\uC774\uD130\uB97C \uCD9C\uB825\uD569\uB2C8\uB2E4(\uC0AC\uC6A9\uB418\uC9C0 \uC54A\uC74C).\n    -Xrs              Java/VM\uC5D0 \uC758\uD55C OS \uC2E0\uD638 \uC0AC\uC6A9\uC744 \uC904\uC785\uB2C8\uB2E4(\uC124\uBA85\uC11C \uCC38\uC870).\n    -Xshare:auto      \uAC00\uB2A5\uD55C \uACBD\uC6B0 \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130\uB97C \uC0AC\uC6A9\uD569\uB2C8\uB2E4(\uAE30\uBCF8\uAC12).\n    -Xshare:off       \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130 \uC0AC\uC6A9\uC744 \uC2DC\uB3C4\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.\n    -Xshare:on        \uACF5\uC720 \uD074\uB798\uC2A4 \uB370\uC774\uD130\uB97C \uC0AC\uC6A9\uD574\uC57C \uD569\uB2C8\uB2E4. \uADF8\uB807\uC9C0 \uC54A\uC744 \uACBD\uC6B0 \uC2E4\uD328\uD569\uB2C8\uB2E4.\n    -XshowSettings    \uBAA8\uB4E0 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:all\n                      \uBAA8\uB4E0 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:locale\n                      \uBAA8\uB4E0 \uB85C\uCF00\uC77C \uAD00\uB828 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:properties\n                      \uBAA8\uB4E0 \uC18D\uC131 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -XshowSettings:vm \uBAA8\uB4E0 VM \uAD00\uB828 \uC124\uC815\uC744 \uD45C\uC2DC\uD55C \uD6C4 \uACC4\uC18D\uD569\uB2C8\uB2E4.\n    -Xss        Java \uC2A4\uB808\uB4DC \uC2A4\uD0DD \uD06C\uAE30\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    -Xverify          \uBC14\uC774\uD2B8\uCF54\uB4DC \uAC80\uC99D\uC790\uC758 \uBAA8\uB4DC\uB97C \uC124\uC815\uD569\uB2C8\uB2E4.\n    --add-reads \
+=(,)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 \uC744 \uC77D\uB3C4\uB85D\n                      \uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4. \n                      \uC740 \uC774\uB984\uC774 \uC9C0\uC815\uB418\uC9C0 \uC54A\uC740 \uBAA8\uB4E0 \uBAA8\uB4C8\uC744 \uC77D\uC744 \uC218 \uC788\uB294\n                      ALL-UNNAMED\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --add-exports /=(,)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 \uB97C \uB85C \uC775\uC2A4\uD3EC\uD2B8\uD558\uB3C4\uB85D\n                      \uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n                      \uC740 \uC774\uB984\uC774 \uC9C0\uC815\uB418\uC9C0 \uC54A\uC740 \uBAA8\uB4E0 \uBAA8\uB4C8\uB85C \uC775\uC2A4\uD3EC\uD2B8\uD560 \uC218 \uC788\uB294\n                      ALL-UNNAMED\uC77C \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n    --add-opens /=(,)*\n                      \uBAA8\uB4C8 \uC120\uC5B8\uC5D0 \uAD00\uACC4\uC5C6\uC774 \uB97C \uB85C \uC5F4\uB3C4\uB85D\n                      \uC744 \uC5C5\uB370\uC774\uD2B8\uD569\uB2C8\uB2E4.\n    --illegal-access=\n                      \uC774\uB984\uC774 \uC9C0\uC815\uB418\uC9C0 \uC54A\uC740 \uBAA8\uB4C8\uC758 \uCF54\uB4DC\uB97C \uC0AC\uC6A9\uD558\uC5EC \uC774\uB984\uC774 \uC9C0\uC815\uB41C \uBAA8\uB4C8\uC758 \uC720\uD615 \uBA64\uBC84\uC5D0 \uB300\uD55C\n                      \uC561\uC138\uC2A4 \uAD8C\uD55C\uC744 \uD5C8\uC6A9 \uB610\uB294 \uAC70\uBD80\uD569\uB2C8\uB2E4.\n                      \uB294 "deny", "permit", "warn" \uB610\uB294 "debug" \uC911 \uD558\uB098\uC785\uB2C8\uB2E4.\n                      \uC774 \uC635\uC158\uC740 \uC774\uD6C4 \uB9B4\uB9AC\uC2A4\uC5D0\uC11C \uC81C\uAC70\uB429\uB2C8\uB2E4.\n    --limit-modules [,...]\n                      \uAD00\uCC30 \uAC00\uB2A5\uD55C \uBAA8\uB4C8\uC758 \uACF5\uC6A9\uC744 \uC81C\uD55C\uD569\uB2C8\uB2E4.\n    --patch-module =({0})*\n                      JAR \uD30C\uC77C \uB610\uB294 \uB514\uB809\uD1A0\uB9AC\uC758 \uD074\uB798\uC2A4\uC640 \uB9AC\uC18C\uC2A4\uB85C \uBAA8\uB4C8\uC744\n                      \uBB34\uD6A8\uD654\uD558\uAC70\uB098 \uC778\uC218\uD654\uD569\uB2C8\uB2E4.\n    --disable-@files  \uCD94\uAC00 \uC778\uC218 \uD30C\uC77C \uD655\uC7A5\uC744 \uC0AC\uC6A9 \uC548\uD568\uC73C\uB85C \uC124\uC815\uD569\uB2C8\uB2E4.\n\n\uC774\uB7EC\uD55C \uCD94\uAC00 \uC635\uC158\uC740 \uD1B5\uC9C0 \uC5C6\uC774 \uBCC0\uACBD\uB420 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\n\uB2E4\uC74C\uC740 Mac OS X\uC5D0 \uD2B9\uC815\uB41C \uC635\uC158\uC785\uB2C8\uB2E4.\n    -XstartOnFirstThread\n                      \uCCAB\uBC88\uC9F8 (AppKit) \uC2A4\uB808\uB4DC\uC5D0 main() \uBA54\uC18C\uB4DC\uB97C \uC2E4\uD589\uD569\uB2C8\uB2E4.\n    -Xdock:name=\n                      \uACE0\uC815\uC73C\uB85C \uD45C\uC2DC\uB41C \uAE30\uBCF8 \uC560\uD50C\uB9AC\uCF00\uC774\uC158 \uC774\uB984\uC744 \uBB34\uD6A8\uD654\uD569\uB2C8\uB2E4.\n    -Xdock:icon=\n                      \uACE0\uC815\uC73C\uB85C \uD45C\uC2DC\uB41C \uAE30\uBCF8 \uC544\uC774\uCF58\uC744 \uBB34\uD6A8\uD654\uD569\uB2C8\uB2E4.\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=\uC624\uB958: \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB294 {0}
 java.launcher.cls.error4=\uC624\uB958: {0} \uD074\uB798\uC2A4\uC5D0\uC11C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. \uB2E4\uC74C \uD615\uC2DD\uC73C\uB85C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC815\uC758\uD558\uC2ED\uC2DC\uC624.\r\n   public static void main(String[] args)\r\n\uB610\uB294 JavaFX \uC560\uD50C\uB9AC\uCF00\uC774\uC158 \uD074\uB798\uC2A4\uB294 {1}\uC744(\uB97C) \uD655\uC7A5\uD574\uC57C \uD569\uB2C8\uB2E4.
 java.launcher.cls.error5=\uC624\uB958: \uC774 \uC560\uD50C\uB9AC\uCF00\uC774\uC158\uC744 \uC2E4\uD589\uD558\uB294 \uB370 \uD544\uC694\uD55C JavaFX \uB7F0\uD0C0\uC784 \uAD6C\uC131 \uC694\uC18C\uAC00 \uB204\uB77D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
 java.launcher.cls.error6=\uC624\uB958: \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uB85C\uB4DC\uD558\uB294 \uC911 LinkageError\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.\n\t{1}
+java.launcher.cls.error7=\uC624\uB958: \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uCD08\uAE30\uD654\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.\n\uC6D0\uC778: {1}: {2}
 java.launcher.jar.error1=\uC624\uB958: {0} \uD30C\uC77C\uC744 \uC5F4\uB824\uACE0 \uC2DC\uB3C4\uD558\uB294 \uC911 \uC608\uC0C1\uCE58 \uC54A\uC740 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.
 java.launcher.jar.error2={0}\uC5D0\uC11C Manifest\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
 java.launcher.jar.error3={0}\uC5D0 \uAE30\uBCF8 Manifest \uC18D\uC131\uC774 \uC5C6\uC2B5\uB2C8\uB2E4.
@@ -55,5 +56,6 @@ java.launcher.init.error=\uCD08\uAE30\uD654 \uC624\uB958
 java.launcher.javafx.error1=\uC624\uB958: JavaFX launchApplication \uBA54\uC18C\uB4DC\uC5D0 \uC798\uBABB\uB41C \uC11C\uBA85\uC774 \uC788\uC2B5\uB2C8\uB2E4.\\n\uB530\uB77C\uC11C static\uC73C\uB85C \uC120\uC5B8\uD558\uACE0 void \uC720\uD615\uC758 \uAC12\uC744 \uBC18\uD658\uD574\uC57C \uD569\uB2C8\uB2E4.
 java.launcher.module.error1={0} \uBAA8\uB4C8\uC5D0 MainClass \uC18D\uC131\uC774 \uC5C6\uC2B5\uB2C8\uB2E4. -m /\uB97C \uC0AC\uC6A9\uD558\uC2ED\uC2DC\uC624.
 java.launcher.module.error2=\uC624\uB958: {1} \uBAA8\uB4C8\uC758 \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uCC3E\uAC70\uB098 \uB85C\uB4DC\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
-java.launcher.module.error3=\uC624\uB958: {1} \uBAA8\uB4C8\uC5D0\uC11C \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uB85C\uB4DC\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.\n\t{2}
+java.launcher.module.error3=\uC624\uB958: {1} \uBAA8\uB4C8\uC758 \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uB85C\uB4DC\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.\n\t{2}
 java.launcher.module.error4={0}\uC744(\uB97C) \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
+java.launcher.module.error5=\uC624\uB958: {1} \uBAA8\uB4C8\uC758 \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uCD08\uAE30\uD654\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.\n\uC6D0\uC778: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_pt_BR.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_pt_BR.properties
index cfe8507e56..d82c37173b 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_pt_BR.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_pt_BR.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  para selecionar a VM "{1}"\n
 java.launcher.opt.hotspot    =\    {0}\t  \u00E9 um sin\u00F4nimo da VM "{1}" [obsoleto]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Uma lista separada por {0} de diret\u00F3rios, arquivos compactados JAR\n                  e arquivos compactados ZIP para procurar arquivos de classe.\n    -p \n    --module-path ...\n                  Uma lista separada por {0} de diret\u00F3rios, cada um\n                  sendo um diret\u00F3rio de m\u00F3dulos.\n    --upgrade-module-path ...\n                  Uma lista separada por {0} de diret\u00F3rios, cada um\n                  sendo um diret\u00F3rio de m\u00F3dulos que substituem m\u00F3dulos\n                  pass\u00EDveis de upgrade na imagem de runtime\n    --add-modules [,...]\n                  m\u00F3dulos-raiz a serem resolvidos al\u00E9m do m\u00F3dulo inicial.\n                   tamb\u00E9m pode ser ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  lista os m\u00F3dulos observ\u00E1veis e sai\n    --d \n    --describe-module \n                  descreve um m\u00F3dulo e sai\n    --dry-run     cria VM e carrega classe principal, mas n\u00E3o executa o m\u00E9todo principal.\n                  A op\u00E7\u00E3o --dry-run pode ser \u00FAtil para validar as\n                  op\u00E7\u00F5es de linha de comando como a configura\u00E7\u00E3o do sistema do m\u00F3dulo.\n    --validate-modules\n                  valida todos os m\u00F3dulos e sai\n                  A op\u00E7\u00E3o --validate-modules pode ser \u00FAtil para localizar\n                  conflitos e outros erros com m\u00F3dulos no caminho do m\u00F3dulo.\n    -D=\n                  define uma propriedade de sistema\n    -verbose:[class|module|gc|jni]\n                  ativar sa\u00EDda verbosa\n    -version      imprime a vers\u00E3o do produto no fluxo de erros e sai\n    -version      imprime a vers\u00E3o do produto no fluxo de sa\u00EDda e sai\n    -showversion  imprime a vers\u00E3o do produto no fluxo de erros e continua\n    --show-version\n                  imprime a vers\u00E3o do produto no fluxo de sa\u00EDda e continua\n    --show-module-resolution\n                  mostra a sa\u00EDda da resolu\u00E7\u00E3o do m\u00F3dulo durante a inicializa\u00E7\u00E3o\n    -? -h -help\n                  imprime esta mensagem de ajuda no fluxo de erros\n    --help        imprime esta mensagem de ajuda no fluxo de sa\u00EDda\n    -X            imprime ajuda sobre op\u00E7\u00F5es extras no fluxo de erros\n    --help-extra  imprime ajuda sobre op\u00E7\u00F5es extras no fluxo de sa\u00EDda\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  ativa asser\u00E7\u00F5es com granularidade especificada\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  desativa asser\u00E7\u00F5es com granularidade especificada\n    -esa | -enablesystemassertions\n                  ativa asser\u00E7\u00F5es de sistema\n    -dsa | -disablesystemassertions\n                  desativa asser\u00E7\u00F5es de sistema\n    -agentlib:[=]\n                  carrega biblioteca de agente nativo , por exemplo, -agentlib:jdwp\n                  consulte tamb\u00E9m -agentlib:jdwp=help\n    -agentpath:[=]\n                  carrega biblioteca de agente nativo por nome do caminho completo\n    -javaagent:[=]\n                  carrega agente de linguagem de programa\u00E7\u00E3o Java, consulte java.lang.instrument\n    -splash:\n                  \
-mostra a tela inicial com a imagem especificada\n                  Imagens HiDPI dimensionadas s\u00E3o suportadas automaticamente e utilizadas,\n                  se dispon\u00EDveis. O nome do arquivo de imagem n\u00E3o dimensionada, por exemplo, image.ext,\n                  deve ser informado sempre como argumento para a op\u00E7\u00E3o -splash.\n                  A imagem dimensionada mais apropriada fornecida ser\u00E1 selecionada\n                  automaticamente.\n                  Consulte a documenta\u00E7\u00E3o da API de Tela Inicial para obter mais informa\u00E7\u00F5es\n    @arquivos de argumento\n                  Um ou mais arquivos de argumentos que cont\u00EAm op\u00E7\u00F5es\n    -disable-@files\n                  impede expans\u00E3o adicional de arquivo de argumentos\nnPara especificar um argumento para uma op\u00E7\u00E3o longa, voc\u00EA pode usar --= ou\n-- .\n
+java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Uma lista separada por {0} de diret\u00F3rios, arquivos compactados JAR\n                  e arquivos compactados ZIP para procurar arquivos de classe.\n    -p \n    --module-path ...\n                  Uma lista separada por {0} de diret\u00F3rios, cada um\n                  sendo um diret\u00F3rio de m\u00F3dulos.\n    --upgrade-module-path ...\n                  Uma lista separada por {0} de diret\u00F3rios, cada um\n                  sendo um diret\u00F3rio de m\u00F3dulos que substituem m\u00F3dulos\n                  pass\u00EDveis de upgrade na imagem de runtime\n    --add-modules [,...]\n                  m\u00F3dulos-raiz a serem resolvidos al\u00E9m do m\u00F3dulo inicial.\n                   tamb\u00E9m pode ser ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  lista os m\u00F3dulos observ\u00E1veis e sai\n    -d \n    --describe-module \n                  descreve um m\u00F3dulo e sai\n    --dry-run     cria VM e carrega classe principal, mas n\u00E3o executa o m\u00E9todo principal.\n                  A op\u00E7\u00E3o --dry-run pode ser \u00FAtil para validar as\n                  op\u00E7\u00F5es de linha de comando como a configura\u00E7\u00E3o do sistema do m\u00F3dulo.\n    --validate-modules\n                  valida todos os m\u00F3dulos e sai\n                  A op\u00E7\u00E3o --validate-modules pode ser \u00FAtil para localizar\n                  conflitos e outros erros com m\u00F3dulos no caminho do m\u00F3dulo.\n    -D=\n                  define uma propriedade de sistema\n    -verbose:[class|module|gc|jni]\n                  ativar sa\u00EDda verbosa\n    -version      imprime a vers\u00E3o do produto no fluxo de erros e sai\n    -version      imprime a vers\u00E3o do produto no fluxo de sa\u00EDda e sai\n    -showversion  imprime a vers\u00E3o do produto no fluxo de erros e continua\n    --show-version\n                  imprime a vers\u00E3o do produto no fluxo de sa\u00EDda e continua\n    --show-module-resolution\n                  mostra a sa\u00EDda da resolu\u00E7\u00E3o do m\u00F3dulo durante a inicializa\u00E7\u00E3o\n    -? -h -help\n                  imprime esta mensagem de ajuda no fluxo de erros\n    --help        imprime esta mensagem de ajuda no fluxo de sa\u00EDda\n    -X            imprime ajuda sobre op\u00E7\u00F5es extras no fluxo de erros\n    --help-extra  imprime ajuda sobre op\u00E7\u00F5es extras no fluxo de sa\u00EDda\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  ativa asser\u00E7\u00F5es com granularidade especificada\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  desativa asser\u00E7\u00F5es com granularidade especificada\n    -esa | -enablesystemassertions\n                  ativa asser\u00E7\u00F5es de sistema\n    -dsa | -disablesystemassertions\n                  desativa asser\u00E7\u00F5es de sistema\n    -agentlib:[=]\n                  carrega biblioteca de agente nativo , por exemplo, -agentlib:jdwp\n                  consulte tamb\u00E9m -agentlib:jdwp=help\n    -agentpath:[=]\n                  carrega biblioteca de agente nativo por nome do caminho completo\n    -javaagent:[=]\n                  carrega agente de linguagem de programa\u00E7\u00E3o Java, consulte java.lang.instrument\n    -splash:\n                  mostra \
+a tela inicial com a imagem especificada\n                  Imagens HiDPI dimensionadas s\u00E3o suportadas automaticamente e utilizadas,\n                  se dispon\u00EDveis. O nome do arquivo de imagem n\u00E3o dimensionada, por exemplo, image.ext,\n                  deve ser informado sempre como argumento para a op\u00E7\u00E3o -splash.\n                  A imagem dimensionada mais apropriada fornecida ser\u00E1 selecionada\n                  automaticamente.\n                  Consulte a documenta\u00E7\u00E3o da API de Tela Inicial para obter mais informa\u00E7\u00F5es\n    @arquivos de argumento\n                  Um ou mais arquivos de argumentos que cont\u00EAm op\u00E7\u00F5es\n    -disable-@files\n                  impede expans\u00E3o adicional de arquivo de argumentos\nnPara especificar um argumento para uma op\u00E7\u00E3o longa, voc\u00EA pode usar --= ou\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           desativa compila\u00E7\u00E3o em segundo plano\n    -Xbootclasspath/a:\n                      anexa ao final do caminho de classe de bootstrap\n    -Xcheck:jni       executa verifica\u00E7\u00F5es adicionais de fun\u00E7\u00F5es JNI\n    -Xcomp            for\u00E7a a compila\u00E7\u00E3o de m\u00E9todos na primeira chamada\n    -Xdebug           fornecido para compatibilidade reversa\n    -Xdiag            mostra mensagens adicionais de diagn\u00F3stico\n        -Xfuture          ativa verifica\u00E7\u00F5es de n\u00EDvel m\u00E1ximo, antecipando padr\u00E3o futuro\n    -Xint             somente execu\u00E7\u00E3o de modo interpretado\n    -Xinternalversion\n                      exibe informa\u00E7\u00F5es mais detalhadas da vers\u00E3o da JVM do que a\n                      op\u00E7\u00E3o -version\n    -Xloggc:    registra status de GC em um arquivo com timestamps\n    -Xmixed           execu\u00E7\u00E3o em modo misto (padr\u00E3o)\n    -Xmn        define o tamanho inicial e m\u00E1ximo (em bytes) do heap\n                      para a gera\u00E7\u00E3o jovem (infantil)\n    -Xms        define tamanho inicial do heap Java\n    -Xmx        define tamanho m\u00E1ximo do heap Java\n    -Xnoclassgc       desativa coleta de lixo de classe\n    -Xprof            gera dados de perfil de cpu (obsoleto)\n    -Xrs              reduz uso de sinais do SO por Java/VM (ver documenta\u00E7\u00E3o)\n    -Xshare:auto      usa dados de classe compartilhados se poss\u00EDvel (padr\u00E3o)\n    -Xshare:off       n\u00E3o tenta usar dados de classe compartilhados\n    -Xshare:on        exige o uso de dados de classe compartilhados; caso contr\u00E1rio, falhar\u00E1.\n    -XshowSettings    mostra todas as defini\u00E7\u00F5es e continua\n    -XshowSettings:all\n                      mostra todas as defini\u00E7\u00F5es e continua\n    -XshowSettings:locale\n                      mostra todas as defini\u00E7\u00F5es relacionadas \u00E0 configura\u00E7\u00E3o regional e continua\n    -XshowSettings:properties\n                      mostra todas as defini\u00E7\u00F5es de propriedade e continua\n    -XshowSettings:vm mostra todas as defini\u00E7\u00F5es relacionadas a vm e continua\n    -Xss        define o tamanho da pilha de thread java\n    -Xverify          define o modo do verificador de c\u00F3digo de byte\n    --add-reads =(,)*\n                      atualiza  para ler , independentemente\n                      da declara\u00E7\u00E3o de m\u00F3dulo. \n                       pode ser ALL-UNNAMED para ler todos os m\u00F3dulos\n                      sem nome.\n    --add-exports /=(,)*\n                      atualiza  para exportar  para ,\n                      independentemente da declara\u00E7\u00E3o de m\u00F3dulo.\n                       pode ser ALL-UNNAMED para exportar todos os\n                      m\u00F3dulos sem nome.\n    --add-opens /=(,)*\n                      atualiza  para abrir  para\n                      , independentemente da declara\u00E7\u00E3o de m\u00F3dulo.\n    --limit-modules [,...]\n                      limita o universo de m\u00F3dulos observ\u00E1veis\n--patch-module =({0})*\n                      substitui ou amplia um m\u00F3dulo com classes e recursos\n                      em arquivos ou \
-diret\u00F3rios JAR.\n\nEssas op\u00E7\u00F5es extras est\u00E3o sujeitas a altera\u00E7\u00E3o sem aviso.\n
+java.launcher.X.usage=\n    -Xbatch           desativa compila\u00E7\u00E3o em segundo plano\n    -Xbootclasspath/a:\n                      anexa ao final do caminho de classe de bootstrap\n    -Xcheck:jni       executa verifica\u00E7\u00F5es adicionais de fun\u00E7\u00F5es JNI\n    -Xcomp            for\u00E7a a compila\u00E7\u00E3o de m\u00E9todos na primeira chamada\n    -Xdebug           fornecido para compatibilidade reversa\n    -Xdiag            mostra mensagens adicionais de diagn\u00F3stico\n        -Xfuture          ativa verifica\u00E7\u00F5es de n\u00EDvel m\u00E1ximo, antecipando padr\u00E3o futuro\n    -Xint             somente execu\u00E7\u00E3o de modo interpretado\n    -Xinternalversion\n                      exibe informa\u00E7\u00F5es mais detalhadas da vers\u00E3o da JVM do que a\n                      op\u00E7\u00E3o -version\n    -Xloggc:    registra status de GC em um arquivo com timestamps\n    -Xmixed           execu\u00E7\u00E3o em modo misto (padr\u00E3o)\n    -Xmn        define o tamanho inicial e m\u00E1ximo (em bytes) do heap\n                      para a gera\u00E7\u00E3o jovem (infantil)\n    -Xms        define tamanho inicial do heap Java\n    -Xmx        define tamanho m\u00E1ximo do heap Java\n    -Xnoclassgc       desativa coleta de lixo de classe\n    -Xprof            gera dados de perfil de cpu (obsoleto)\n    -Xrs              reduz uso de sinais do SO por Java/VM (ver documenta\u00E7\u00E3o)\n    -Xshare:auto      usa dados de classe compartilhados se poss\u00EDvel (padr\u00E3o)\n    -Xshare:off       n\u00E3o tenta usar dados de classe compartilhados\n    -Xshare:on        exige o uso de dados de classe compartilhados; caso contr\u00E1rio, falhar\u00E1.\n    -XshowSettings    mostra todas as defini\u00E7\u00F5es e continua\n    -XshowSettings:all\n                      mostra todas as defini\u00E7\u00F5es e continua\n    -XshowSettings:locale\n                      mostra todas as defini\u00E7\u00F5es relacionadas \u00E0 configura\u00E7\u00E3o regional e continua\n    -XshowSettings:properties\n                      mostra todas as defini\u00E7\u00F5es de propriedade e continua\n    -XshowSettings:vm mostra todas as defini\u00E7\u00F5es relacionadas a vm e continua\n    -Xss        define o tamanho da pilha de thread java\n    -Xverify          define o modo do verificador de c\u00F3digo de byte\n    --add-reads =(,)*\n                      atualiza  para ler , independentemente\n                      da declara\u00E7\u00E3o de m\u00F3dulo. \n                       pode ser ALL-UNNAMED para ler todos os m\u00F3dulos\n                      sem nome.\n    --add-exports /=(,)*\n                      atualiza  para exportar  para ,\n                      independentemente da declara\u00E7\u00E3o de m\u00F3dulo.\n                       pode ser ALL-UNNAMED para exportar para todos os\n                      m\u00F3dulos sem nome.\n    --add-opens /=(,)*\n                      atualiza  para abrir  para\n                      , independentemente da declara\u00E7\u00E3o de m\u00F3dulo.\n    --illegal-access=\n                      permite ou nega acesso aos membros dos tipos nos m\u00F3dulos com nome\n                     por c\u00F3digo nos m\u00F3dulos sem nomes.\n                       \u00E9 um entre "deny", "permit", "warn" ou "debug"\n                       Esta op\u00E7\u00E3o ser\u00E1 removida em uma futura release.\n    --limit-modules [,...]\n                      limita o universo de m\u00F3dulos observ\u00E1veis\n--patch-module =({0})*\n                      substitui ou amplia um m\u00F3dulo \
+com classes e recursos\n                      em arquivos ou diret\u00F3rios JAR.\n   --disable-@files  desativa uma maior expans\u00E3o do arquivo de argumento\n\nEssas op\u00E7\u00F5es extras est\u00E3o sujeitas a altera\u00E7\u00E3o sem aviso.\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nAs op\u00E7\u00F5es a seguir s\u00E3o espec\u00EDficas para o Mac OS X:\n    -XstartOnFirstThread\n                      executa o m\u00E9todo main() no primeiro thread (AppKit)\n    -Xdock:name=\n                      substitui o nome do aplicativo padr\u00E3o exibido no encaixe\n    -Xdock:icon=\n                      substitui o \u00EDcone exibido no encaixe\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=Erro: o m\u00E9todo main deve retornar um valor do tipo
 java.launcher.cls.error4=Erro: o m\u00E9todo main n\u00E3o foi encontrado na classe {0}; defina o m\u00E9todo main como:\n   public static void main(String[] args)\nou uma classe de aplicativo JavaFX deve expandir {1}
 java.launcher.cls.error5=Erro: os componentes de runtime do JavaFX n\u00E3o foram encontrados. Eles s\u00E3o obrigat\u00F3rios para executar este aplicativo
 java.launcher.cls.error6=Erro: ocorreu LinkageError ao carregar a classe principal {0}\n\t{1}
+java.launcher.cls.error7=Erro: N\u00E3o \u00E9 poss\u00EDvel inicializar a classe principal {0}\nCausado por: {1}: {2}
 java.launcher.jar.error1=Erro: ocorreu um erro inesperado ao tentar abrir o arquivo {0}
 java.launcher.jar.error2=manifesto n\u00E3o encontrado em {0}
 java.launcher.jar.error3=nenhum atributo de manifesto principal em {0}
@@ -55,5 +56,6 @@ java.launcher.init.error=erro de inicializa\u00E7\u00E3o
 java.launcher.javafx.error1=Erro: O m\u00E9todo launchApplication do JavaFX tem a assinatura errada. Ele\\ndeve ser declarado como est\u00E1tico e retornar um valor do tipo void
 java.launcher.module.error1=o m\u00F3dulo {0} n\u00E3o tem um atributo MainClass, use -m /
 java.launcher.module.error2=Erro: N\u00E3o foi poss\u00EDvel localizar nem carregar a classe principal {0} no m\u00F3dulo {1}
-java.launcher.module.error3=Erro: N\u00E3o \u00E9 poss\u00EDvel carregar a classe principal {0} do m\u00F3dulo {1}\n\t{2}
+java.launcher.module.error3=Erro: N\u00E3o \u00E9 poss\u00EDvel carregar a classe principal {0} no m\u00F3dulo {1}\n\t{2}
 java.launcher.module.error4={0} n\u00E3o encontrado.
+java.launcher.module.error5=Erro: N\u00E3o \u00E9 poss\u00EDvel inicializar a classe principal {0} no m\u00F3dulo {1}\nCausado por: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_sv.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_sv.properties
index 885602e9a2..04e67e5371 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_sv.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_sv.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  f\u00F6r att v\u00E4lja "{1}" VM\n
 java.launcher.opt.hotspot    =\    {0}\t  \u00E4r en synonym f\u00F6r "{1}" VM  [inaktuell]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, JAR-arkiv\n                  och ZIP-arkiv att s\u00F6ka efter klassfiler i.\n    -p \n    --module-path ...\n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, d\u00E4r varje katalog\n                  \u00E4r en katalog \u00F6ver moduler.\n    --upgrade-module-path ...\n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, d\u00E4r varje katalog\n                  \u00E4r en katalog \u00F6ver moduler som ers\u00E4tter uppgraderingsbara\n                  moduler i exekveringsavbilden\n    --add-modules [,...]\n                  rotmoduler att l\u00F6sa f\u00F6rutom den ursprungliga modulen.\n                   kan \u00E4ven vara ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  visa observerbara moduler och avsluta\n    --d \n    --describe-module \n                  beskriv en modul och avsluta\n    --dry-run     skapa VM och ladda huvudklassen men k\u00F6r inte huvudmetoden.\n                  Alternativet --dry-run kan vara anv\u00E4ndbart f\u00F6r att validera\n                  kommandoradsalternativ, som modulsystemkonfigurationen.\n    --validate-modules\n                  validera alla moduler och avsluta\n                  Alternativet --validate-modules kan vara anv\u00E4ndbart f\u00F6r att hitta\n                  konflikter och andra fel i modulerna p\u00E5 moduls\u00F6kv\u00E4gen.\n    -D=\n                  ange en systemegenskap\n    -verbose:[class|module|gc|jni]\n                  aktivera utf\u00F6rliga utdata\n    -version      skriv ut produktversion till felstr\u00F6mmen och avsluta\n    --version     skriv ut produktversion till utdatastr\u00F6mmen och avsluta\n    -showversion  skriv ut produktversion till felstr\u00F6mmen och forts\u00E4tt\n    --show-version\n                  skriv ut produktversion till utdatastr\u00F6mmen och forts\u00E4tt\n    --show-module-resolution\n                  visa modull\u00F6sningsutdata vid start\n    -? -h -help\n                  skriv ut det h\u00E4r hj\u00E4lpmeddelandet till felstr\u00F6mmen\n    --help        skriv ut det h\u00E4r hj\u00E4lpmeddelandet till utdatastr\u00F6mmen\n    -X            skriv ut hj\u00E4lp f\u00F6r extraalternativ till felstr\u00F6mmen\n    --help-extra  skriv ut hj\u00E4lp f\u00F6r extraalternativ till utdatastr\u00F6mmen\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  aktivera verifieringar med den angivna detaljgraden\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  avaktivera verifieringar med den angivna detaljgraden\n    -esa | -enablesystemassertions\n                  aktivera systemverifieringar\n    -dsa | -disablesystemassertions\n                  avaktivera systemverifieringar\n    -agentlib:[=]\n                  ladda det ursprungliga agentbiblioteket , t.ex. -agentlib:jdwp\n                  se \u00E4ven -agentlib:jdwp=help\n    -agentpath:[=]\n                  ladda det ursprungliga agentbiblioteket med fullst\u00E4ndigt s\u00F6kv\u00E4gsnamn\n    -javaagent:[=]\n                  ladda Java-programmeringsspr\u00E5ksagenten, se java.lang.instrument\n    -splash:\n                  visa v\u00E4lkomstsk\u00E4rmen med den angivna bilden\n                  HiDPI-skal\u00E4ndrade bilder st\u00F6ds automatiskt och anv\u00E4nds om de \u00E4r\n       \
-           tillg\u00E4ngliga. Filnamnet p\u00E5 den oskal\u00E4ndrade bilden, t.ex. image.ext,\n                  ska alltid \u00F6verf\u00F6ras som argument till alternativet -splash.\n                  Den l\u00E4mpligaste skal\u00E4ndrade bilden v\u00E4ljs\n                  automatiskt.\n                  Mer information finns i dokumentationen f\u00F6r API:t SplashScreen\n    @argument filer\n                  en eller flera argumentfiler som inneh\u00E5ller alternativ\n    -disable-@files\n                  f\u00F6rhindra ytterligare ut\u00F6kning av argumentfiler\nOm du vill ange ett argument f\u00F6r ett l\u00E5ngt alternativ kan du anv\u00E4nda --= eller\n-- .\n
+java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, JAR-arkiv\n                  och ZIP-arkiv att s\u00F6ka efter klassfiler i.\n    -p \n    --module-path ...\n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, d\u00E4r varje katalog\n                  \u00E4r en katalog \u00F6ver moduler.\n    --upgrade-module-path ...\n                  En {0}-avgr\u00E4nsad lista \u00F6ver kataloger, d\u00E4r varje katalog\n                  \u00E4r en katalog \u00F6ver moduler som ers\u00E4tter uppgraderingsbara\n                  moduler i exekveringsavbilden\n    --add-modules [,...]\n                  rotmoduler att l\u00F6sa f\u00F6rutom den ursprungliga modulen.\n                   kan \u00E4ven vara ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  visa observerbara moduler och avsluta\n    -d \n    --describe-module \n                  beskriv en modul och avsluta\n    --dry-run     skapa VM och ladda huvudklassen men k\u00F6r inte huvudmetoden.\n                  Alternativet --dry-run kan vara anv\u00E4ndbart f\u00F6r att validera\n                  kommandoradsalternativ, som modulsystemkonfigurationen.\n    --validate-modules\n                  validera alla moduler och avsluta\n                  Alternativet --validate-modules kan vara anv\u00E4ndbart f\u00F6r att hitta\n                  konflikter och andra fel i modulerna p\u00E5 moduls\u00F6kv\u00E4gen.\n    -D=\n                  ange en systemegenskap\n    -verbose:[class|module|gc|jni]\n                  aktivera utf\u00F6rliga utdata\n    -version      skriv ut produktversion till felstr\u00F6mmen och avsluta\n    --version     skriv ut produktversion till utdatastr\u00F6mmen och avsluta\n    -showversion  skriv ut produktversion till felstr\u00F6mmen och forts\u00E4tt\n    --show-version\n                  skriv ut produktversion till utdatastr\u00F6mmen och forts\u00E4tt\n    --show-module-resolution\n                  visa modull\u00F6sningsutdata vid start\n    -? -h -help\n                  skriv ut det h\u00E4r hj\u00E4lpmeddelandet till felstr\u00F6mmen\n    --help        skriv ut det h\u00E4r hj\u00E4lpmeddelandet till utdatastr\u00F6mmen\n    -X            skriv ut hj\u00E4lp f\u00F6r extraalternativ till felstr\u00F6mmen\n    --help-extra  skriv ut hj\u00E4lp f\u00F6r extraalternativ till utdatastr\u00F6mmen\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  aktivera verifieringar med den angivna detaljgraden\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  avaktivera verifieringar med den angivna detaljgraden\n    -esa | -enablesystemassertions\n                  aktivera systemverifieringar\n    -dsa | -disablesystemassertions\n                  avaktivera systemverifieringar\n    -agentlib:[=]\n                  ladda det ursprungliga agentbiblioteket , t.ex. -agentlib:jdwp\n                  se \u00E4ven -agentlib:jdwp=help\n    -agentpath:[=]\n                  ladda det ursprungliga agentbiblioteket med fullst\u00E4ndigt s\u00F6kv\u00E4gsnamn\n    -javaagent:[=]\n                  ladda Java-programmeringsspr\u00E5ksagenten, se java.lang.instrument\n    -splash:\n                  visa v\u00E4lkomstsk\u00E4rmen med den angivna bilden\n                  HiDPI-skal\u00E4ndrade bilder st\u00F6ds automatiskt och anv\u00E4nds om de \u00E4r\n        \
+          tillg\u00E4ngliga. Filnamnet p\u00E5 den oskal\u00E4ndrade bilden, t.ex. image.ext,\n                  ska alltid \u00F6verf\u00F6ras som argument till alternativet -splash.\n                  Den l\u00E4mpligaste skal\u00E4ndrade bilden v\u00E4ljs\n                  automatiskt.\n                  Mer information finns i dokumentationen f\u00F6r API:t SplashScreen\n    @argument filer\n                  en eller flera argumentfiler som inneh\u00E5ller alternativ\n    -disable-@files\n                  f\u00F6rhindra ytterligare ut\u00F6kning av argumentfiler\nOm du vill ange ett argument f\u00F6r ett l\u00E5ngt alternativ kan du anv\u00E4nda --= eller\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           avaktivera bakgrundskompilering\n    -Xbootclasspath/a:\n                      l\u00E4gg till sist i klass\u00F6kv\u00E4gen f\u00F6r programladdning\n    -Xcheck:jni       utf\u00F6r fler kontroller f\u00F6r JNI-funktioner\n    -Xcomp            tvingar kompilering av metoder vid det f\u00F6rsta anropet\n    -Xdebug           tillhandah\u00E5lls f\u00F6r bak\u00E5tkompatibilitet\n    -Xdiag            visa fler diagnostiska meddelanden\n    -Xfuture          aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n    -Xint             endast exekvering i tolkat l\u00E4ge\n    -Xinternalversion\n                      visar mer detaljerad information om JVM-version \u00E4n\n                      alternativet -version\n    -Xloggc:    logga GC-status till en fil med tidsst\u00E4mplar\n    -Xmixed           exekvering i blandat l\u00E4ge (standard)\n    -Xmn     anger ursprunglig och maximal storlek (i byte) f\u00F6r h\u00F6gen f\u00F6r\n                      generationen med nyare objekt (h\u00F6gen f\u00F6r tilldelning av nya objekt)\n    -Xms     ange ursprunglig storlek f\u00F6r Java-heap-utrymmet\n    -Xmx     ange st\u00F6rsta storlek f\u00F6r Java-heap-utrymmet\n    -Xnoclassgc       avaktivera klasskr\u00E4pinsamling\n    -Xprof            utdata f\u00F6r processorprofilering (inaktuellt)\n    -Xrs              minska operativsystemssignalanv\u00E4ndning f\u00F6r Java/VM (se dokumentationen)\n    -Xshare:auto      anv\u00E4nd delade klassdata om m\u00F6jligt (standard)\n    -Xshare:off       f\u00F6rs\u00F6k inte anv\u00E4nda delade klassdata\n    -Xshare:on        kr\u00E4v anv\u00E4ndning av delade klassdata, utf\u00F6r inte i annat fall.\n    -XshowSettings    visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:all\n                      visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:locale\n                      visa alla spr\u00E5kkonventionsrelaterade inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:properties\n                      visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n    -Xss     ange storlek f\u00F6r java-tr\u00E5dsstacken\n    -Xverify          anger l\u00E4ge f\u00F6r bytekodverifieraren\n    --add-reads =(,)*\n                      uppdaterar  f\u00F6r att l\u00E4sa , oavsett\n                      moduldeklarationen. \n                       kan vara ALL-UNNAMED f\u00F6r att l\u00E4sa alla\n                      ej namngivna moduler.\n    --add-exports /=(,)*\n                      uppdaterar  f\u00F6r att exportera  till ,\n                      oavsett moduldeklarationen.\n                       kan vara ALL-UNNAMED f\u00F6r att exportera till alla\n                      ej namngivna moduler.\n    --add-opens /=(,)*\n                      uppdaterar  f\u00F6r att \u00F6ppna  till\n                      , oavsett moduldeklarationen.\n    --limit-modules [,...]\n                      begr\u00E4nsar universumet med observerbara moduler\n    --patch-module =({0})*\n                      \u00E5sidos\u00E4tt eller ut\u00F6ka en modul med klasser och resurser\n                      i JAR-filer eller kataloger.\n    --disable-@files  avaktivera ytterligare \
-argumentfilsut\u00F6kning\n\nDe h\u00E4r extraalternativen kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.\n
+java.launcher.X.usage=\n    -Xbatch           avaktivera bakgrundskompilering\n    -Xbootclasspath/a:\n                      l\u00E4gg till sist i klass\u00F6kv\u00E4gen f\u00F6r programladdning\n    -Xcheck:jni       utf\u00F6r fler kontroller f\u00F6r JNI-funktioner\n    -Xcomp            tvingar kompilering av metoder vid det f\u00F6rsta anropet\n    -Xdebug           tillhandah\u00E5lls f\u00F6r bak\u00E5tkompatibilitet\n    -Xdiag            visa fler diagnostiska meddelanden\n    -Xfuture          aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n    -Xint             endast exekvering i tolkat l\u00E4ge\n    -Xinternalversion\n                      visar mer detaljerad information om JVM-version \u00E4n\n                      alternativet -version\n    -Xloggc:    logga GC-status till en fil med tidsst\u00E4mplar\n    -Xmixed           exekvering i blandat l\u00E4ge (standard)\n    -Xmn     anger ursprunglig och maximal storlek (i byte) f\u00F6r h\u00F6gen f\u00F6r\n                      generationen med nyare objekt (h\u00F6gen f\u00F6r tilldelning av nya objekt)\n    -Xms     ange ursprunglig storlek f\u00F6r Java-heap-utrymmet\n    -Xmx     ange st\u00F6rsta storlek f\u00F6r Java-heap-utrymmet\n    -Xnoclassgc       avaktivera klasskr\u00E4pinsamling\n    -Xprof            utdata f\u00F6r processorprofilering (inaktuellt)\n    -Xrs              minska operativsystemssignalanv\u00E4ndning f\u00F6r Java/VM (se dokumentationen)\n    -Xshare:auto      anv\u00E4nd delade klassdata om m\u00F6jligt (standard)\n    -Xshare:off       f\u00F6rs\u00F6k inte anv\u00E4nda delade klassdata\n    -Xshare:on        kr\u00E4v anv\u00E4ndning av delade klassdata, utf\u00F6r inte i annat fall.\n    -XshowSettings    visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:all\n                      visa alla inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:locale\n                      visa alla spr\u00E5kkonventionsrelaterade inst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:properties\n                      visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n    -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n    -Xss     ange storlek f\u00F6r java-tr\u00E5dsstacken\n    -Xverify          anger l\u00E4ge f\u00F6r bytekodverifieraren\n    --add-reads =(,)*\n                      uppdaterar  f\u00F6r att l\u00E4sa , oavsett\n                      moduldeklarationen. \n                       kan vara ALL-UNNAMED f\u00F6r att l\u00E4sa alla\n                      ej namngivna moduler.\n    --add-exports /=(,)*\n                      uppdaterar  f\u00F6r att exportera  till ,\n                      oavsett moduldeklarationen.\n                       kan vara ALL-UNNAMED f\u00F6r att exportera till alla\n                      ej namngivna moduler.\n    --add-opens /=(,)*\n                      uppdaterar  f\u00F6r att \u00F6ppna  till\n                      , oavsett moduldeklarationen.\n    --illegal-access=\n                      till\u00E5t eller neka \u00E5tkomst till medlemmar av typer i namngivna\n                      moduler av kod i ej namngivna moduler.\n                       \u00E4r "deny", "permit", "warn" eller "debug"\n                      Det h\u00E4r alternativet tas bort i en kommande utg\u00E5va.\n    --limit-modules [,...]\n                      begr\u00E4nsar universumet med observerbara moduler\n    --patch-module =({0})*\n                      \u00E5sidos\u00E4tt eller ut\u00F6ka en modul med klasser och resurser\n                      i \
+JAR-filer eller kataloger.\n    --disable-@files  avaktivera ytterligare argumentfilsut\u00F6kning\n\nDe h\u00E4r extraalternativen kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\nF\u00F6ljande alternativ \u00E4r Mac OS X-specifika:\n    -XstartOnFirstThread\n                      k\u00F6r main()-metoden p\u00E5 den f\u00F6rsta (AppKit)-tr\u00E5den\n    -Xdock:name=\n                      \u00E5sidos\u00E4tt det standardapplikationsnamn som visas i dockan\n    -Xdock:icon=\n                      \u00E5sidos\u00E4tt den standardikon som visas i dockan\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=Fel: Huvudmetoden m\u00E5ste returnera ett v\u00E4rde a
 java.launcher.cls.error4=Fel: Huvudmetoden finns inte i klassen {0}, definiera huvudmetoden som:\n   public static void main(String[] args)\neller s\u00E5 m\u00E5ste en JavaFX-applikationsklass ut\u00F6ka {1}
 java.launcher.cls.error5=Fel: JavaFX-exekveringskomponenter saknas, och de kr\u00E4vs f\u00F6r att kunna k\u00F6ra den h\u00E4r applikationen
 java.launcher.cls.error6=Fel: LinkageError intr\u00E4ffade vid laddning av huvudklassen {0}\n\t{1}
+java.launcher.cls.error7=Fel: Kan inte initiera huvudklassen {0}\nOrsakades av: {1}: {2}
 java.launcher.jar.error1=Fel: Ett ov\u00E4ntat fel intr\u00E4ffade n\u00E4r filen {0} skulle \u00F6ppnas
 java.launcher.jar.error2=manifest finns inte i {0}
 java.launcher.jar.error3=inget huvudmanifestattribut i {0}
@@ -55,5 +56,6 @@ java.launcher.init.error=initieringsfel
 java.launcher.javafx.error1=Fel: JavaFX launchApplication-metoden har fel signatur, den \nm\u00E5ste ha deklarerats som statisk och returnera ett v\u00E4rde av typen void
 java.launcher.module.error1=modulen {0} har inget MainClass-attribut, anv\u00E4nd -m /
 java.launcher.module.error2=Fel: kunde inte hitta eller ladda huvudklassen {0} i modulen {1}
-java.launcher.module.error3=Fel: kan inte ladda huvudklassen {0} fr\u00E5n modulen {1}\n\t{2}
+java.launcher.module.error3=Fel: Kan inte ladda huvudklassen {0} i modulen {1}\n\t{2}
 java.launcher.module.error4={0} hittades inte
+java.launcher.module.error5=Fel: Kan inte initiera huvudklassen {0} i modulen {1}\nOrsakades av: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_CN.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_CN.properties
index 574a3d2629..68935fb5c4 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_CN.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_CN.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  \u9009\u62E9 "{1}" VM\n
 java.launcher.opt.hotspot    =\    {0}\t  \u662F "{1}" VM \u7684\u540C\u4E49\u8BCD [\u5DF2\u8FC7\u65F6]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n    -classpath <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n    --class-path <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n                  \u4F7F\u7528 {0} \u5206\u9694\u7684, \u7528\u4E8E\u641C\u7D22\u7C7B\u6587\u4EF6\u7684\u76EE\u5F55, JAR \u6863\u6848\n                  \u548C ZIP \u6863\u6848\u5217\u8868\u3002\n    -p <\u6A21\u5757\u8DEF\u5F84>\n    --module-path <\u6A21\u5757\u8DEF\u5F84>...\n                  \u7528 {0} \u5206\u9694\u7684\u76EE\u5F55\u5217\u8868, \u6BCF\u4E2A\u76EE\u5F55\n                  \u90FD\u662F\u4E00\u4E2A\u5305\u542B\u6A21\u5757\u7684\u76EE\u5F55\u3002\n    --upgrade-module-path <\u6A21\u5757\u8DEF\u5F84>...\n                  \u7528 {0} \u5206\u9694\u7684\u76EE\u5F55\u5217\u8868, \u6BCF\u4E2A\u76EE\u5F55\n                  \u90FD\u662F\u4E00\u4E2A\u5305\u542B\u6A21\u5757\u7684\u76EE\u5F55, \u8FD9\u4E9B\u6A21\u5757\n                  \u7528\u4E8E\u66FF\u6362\u8FD0\u884C\u65F6\u6620\u50CF\u4E2D\u7684\u53EF\u5347\u7EA7\u6A21\u5757\n    --add-modules <\u6A21\u5757\u540D\u79F0>[,<\u6A21\u5757\u540D\u79F0>...]\n                  \u9664\u4E86\u521D\u59CB\u6A21\u5757\u4E4B\u5916\u8981\u89E3\u6790\u7684\u6839\u6A21\u5757\u3002\n                  <\u6A21\u5757\u540D\u79F0> \u8FD8\u53EF\u4EE5\u4E3A ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u5217\u51FA\u53EF\u89C2\u5BDF\u6A21\u5757\u5E76\u9000\u51FA\n    --d <\u6A21\u5757\u540D\u79F0>\n    --describe-module <\u6A21\u5757\u540D\u79F0>\n                  \u63CF\u8FF0\u6A21\u5757\u5E76\u9000\u51FA\n    --dry-run     \u521B\u5EFA VM \u5E76\u52A0\u8F7D\u4E3B\u7C7B, \u4F46\u4E0D\u6267\u884C main \u65B9\u6CD5\u3002\n                  \u6B64 --dry-run \u9009\u9879\u5BF9\u4E8E\u9A8C\u8BC1\u8BF8\u5982\n                  \u6A21\u5757\u7CFB\u7EDF\u914D\u7F6E\u8FD9\u6837\u7684\u547D\u4EE4\u884C\u9009\u9879\u53EF\u80FD\u975E\u5E38\u6709\u7528\u3002\n    --validate-modules\n                  \u9A8C\u8BC1\u6240\u6709\u6A21\u5757\u5E76\u9000\u51FA\n                  --validate-modules \u9009\u9879\u5BF9\u4E8E\u67E5\u627E\n                  \u6A21\u5757\u8DEF\u5F84\u4E2D\u6A21\u5757\u7684\u51B2\u7A81\u53CA\u5176\u4ED6\u9519\u8BEF\u53EF\u80FD\u975E\u5E38\u6709\u7528\u3002\n    -D<\u540D\u79F0>=<\u503C>\n                  \u8BBE\u7F6E\u7CFB\u7EDF\u5C5E\u6027\n    -verbose:[class|module|gc|jni]\n                  \u542F\u7528\u8BE6\u7EC6\u8F93\u51FA\n    -version      \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\u5E76\u9000\u51FA\n    --version     \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\u5E76\u9000\u51FA\n    -showversion  \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\u5E76\u7EE7\u7EED\n    --show-version\n                  \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\u5E76\u7EE7\u7EED\n    --show-module-resolution\n                  \u5728\u542F\u52A8\u8FC7\u7A0B\u4E2D\u663E\u793A\u6A21\u5757\u89E3\u6790\u8F93\u51FA\n    -? -h -help\n                  \u5C06\u6B64\u5E2E\u52A9\u6D88\u606F\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\n    --help        \u5C06\u6B64\u5E2E\u52A9\u6D88\u606F\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\n    -X            \u5C06\u989D\u5916\u9009\u9879\u7684\u5E2E\u52A9\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\n    --help-extra  \u5C06\u989D\u5916\u9009\u9879\u7684\u5E2E\u52A9\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\n    -ea[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n    -enableassertions[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n                  \u6309\u6307\u5B9A\u7684\u7C92\u5EA6\u542F\u7528\u65AD\u8A00\n    -da[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n    -disableassertions[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n                  \
-\u6309\u6307\u5B9A\u7684\u7C92\u5EA6\u7981\u7528\u65AD\u8A00\n    -esa | -enablesystemassertions\n                  \u542F\u7528\u7CFB\u7EDF\u65AD\u8A00\n    -dsa | -disablesystemassertions\n                  \u7981\u7528\u7CFB\u7EDF\u65AD\u8A00\n    -agentlib:<\u5E93\u540D>[=<\u9009\u9879>]\n                  \u52A0\u8F7D\u672C\u673A\u4EE3\u7406\u5E93 <\u5E93\u540D>, \u4F8B\u5982 -agentlib:jdwp\n                  \u53E6\u8BF7\u53C2\u9605 -agentlib:jdwp=help\n    -agentpath:<\u8DEF\u5F84\u540D>[=<\u9009\u9879>]\n                  \u6309\u5B8C\u6574\u8DEF\u5F84\u540D\u52A0\u8F7D\u672C\u673A\u4EE3\u7406\u5E93\n    -javaagent:[=<\u9009\u9879>]\n                  \u52A0\u8F7D Java \u7F16\u7A0B\u8BED\u8A00\u4EE3\u7406, \u8BF7\u53C2\u9605 java.lang.instrument\n    -splash:<\u56FE\u50CF\u8DEF\u5F84>\n                  \u4F7F\u7528\u6307\u5B9A\u7684\u56FE\u50CF\u663E\u793A\u542F\u52A8\u5C4F\u5E55\n                  \u81EA\u52A8\u652F\u6301\u548C\u4F7F\u7528 HiDPI \u7F29\u653E\u56FE\u50CF\n                  (\u5982\u679C\u53EF\u7528)\u3002\u5E94\u59CB\u7EC8\u5C06\u672A\u7F29\u653E\u7684\u56FE\u50CF\u6587\u4EF6\u540D (\u4F8B\u5982, image.ext)\n                  \u4F5C\u4E3A\u53C2\u6570\u4F20\u9012\u7ED9 -splash \u9009\u9879\u3002\n                  \u5C06\u81EA\u52A8\u9009\u53D6\u63D0\u4F9B\u7684\u6700\u5408\u9002\u7684\u7F29\u653E\n                  \u56FE\u50CF\u3002\n                  \u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u53C2\u9605 SplashScreen API \u6587\u6863\n    @argument \u6587\u4EF6\n                  \u4E00\u4E2A\u6216\u591A\u4E2A\u5305\u542B\u9009\u9879\u7684\u53C2\u6570\u6587\u4EF6\n    -disable-@files\n                  \u963B\u6B62\u8FDB\u4E00\u6B65\u6269\u5C55\u53C2\u6570\u6587\u4EF6\n\u8981\u4E3A\u957F\u9009\u9879\u6307\u5B9A\u53C2\u6570, \u53EF\u4EE5\u4F7F\u7528 --<\u540D\u79F0>=<\u503C> \u6216\n--<\u540D\u79F0> <\u503C>\u3002\n
+java.launcher.opt.footer = \    -cp <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n    -classpath <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n    --class-path <\u76EE\u5F55\u548C zip/jar \u6587\u4EF6\u7684\u7C7B\u641C\u7D22\u8DEF\u5F84>\n                  \u4F7F\u7528 {0} \u5206\u9694\u7684, \u7528\u4E8E\u641C\u7D22\u7C7B\u6587\u4EF6\u7684\u76EE\u5F55, JAR \u6863\u6848\n                  \u548C ZIP \u6863\u6848\u5217\u8868\u3002\n    -p <\u6A21\u5757\u8DEF\u5F84>\n    --module-path <\u6A21\u5757\u8DEF\u5F84>...\n                  \u7528 {0} \u5206\u9694\u7684\u76EE\u5F55\u5217\u8868, \u6BCF\u4E2A\u76EE\u5F55\n                  \u90FD\u662F\u4E00\u4E2A\u5305\u542B\u6A21\u5757\u7684\u76EE\u5F55\u3002\n    --upgrade-module-path <\u6A21\u5757\u8DEF\u5F84>...\n                  \u7528 {0} \u5206\u9694\u7684\u76EE\u5F55\u5217\u8868, \u6BCF\u4E2A\u76EE\u5F55\n                  \u90FD\u662F\u4E00\u4E2A\u5305\u542B\u6A21\u5757\u7684\u76EE\u5F55, \u8FD9\u4E9B\u6A21\u5757\n                  \u7528\u4E8E\u66FF\u6362\u8FD0\u884C\u65F6\u6620\u50CF\u4E2D\u7684\u53EF\u5347\u7EA7\u6A21\u5757\n    --add-modules <\u6A21\u5757\u540D\u79F0>[,<\u6A21\u5757\u540D\u79F0>...]\n                  \u9664\u4E86\u521D\u59CB\u6A21\u5757\u4E4B\u5916\u8981\u89E3\u6790\u7684\u6839\u6A21\u5757\u3002\n                  <\u6A21\u5757\u540D\u79F0> \u8FD8\u53EF\u4EE5\u4E3A ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u5217\u51FA\u53EF\u89C2\u5BDF\u6A21\u5757\u5E76\u9000\u51FA\n    -d \n    --describe-module <\u6A21\u5757\u540D\u79F0>\n                  \u63CF\u8FF0\u6A21\u5757\u5E76\u9000\u51FA\n    --dry-run     \u521B\u5EFA VM \u5E76\u52A0\u8F7D\u4E3B\u7C7B, \u4F46\u4E0D\u6267\u884C main \u65B9\u6CD5\u3002\n                  \u6B64 --dry-run \u9009\u9879\u5BF9\u4E8E\u9A8C\u8BC1\u8BF8\u5982\n                  \u6A21\u5757\u7CFB\u7EDF\u914D\u7F6E\u8FD9\u6837\u7684\u547D\u4EE4\u884C\u9009\u9879\u53EF\u80FD\u975E\u5E38\u6709\u7528\u3002\n    --validate-modules\n                  \u9A8C\u8BC1\u6240\u6709\u6A21\u5757\u5E76\u9000\u51FA\n                  --validate-modules \u9009\u9879\u5BF9\u4E8E\u67E5\u627E\n                  \u6A21\u5757\u8DEF\u5F84\u4E2D\u6A21\u5757\u7684\u51B2\u7A81\u53CA\u5176\u4ED6\u9519\u8BEF\u53EF\u80FD\u975E\u5E38\u6709\u7528\u3002\n    -D<\u540D\u79F0>=<\u503C>\n                  \u8BBE\u7F6E\u7CFB\u7EDF\u5C5E\u6027\n    -verbose:[class|module|gc|jni]\n                  \u542F\u7528\u8BE6\u7EC6\u8F93\u51FA\n    -version      \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\u5E76\u9000\u51FA\n    --version     \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\u5E76\u9000\u51FA\n    -showversion  \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\u5E76\u7EE7\u7EED\n    --show-version\n                  \u5C06\u4EA7\u54C1\u7248\u672C\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\u5E76\u7EE7\u7EED\n    --show-module-resolution\n                  \u5728\u542F\u52A8\u8FC7\u7A0B\u4E2D\u663E\u793A\u6A21\u5757\u89E3\u6790\u8F93\u51FA\n    -? -h -help\n                  \u5C06\u6B64\u5E2E\u52A9\u6D88\u606F\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\n    --help        \u5C06\u6B64\u5E2E\u52A9\u6D88\u606F\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\n    -X            \u5C06\u989D\u5916\u9009\u9879\u7684\u5E2E\u52A9\u8F93\u51FA\u5230\u9519\u8BEF\u6D41\n    --help-extra  \u5C06\u989D\u5916\u9009\u9879\u7684\u5E2E\u52A9\u8F93\u51FA\u5230\u8F93\u51FA\u6D41\n    -ea[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n    -enableassertions[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n                  \u6309\u6307\u5B9A\u7684\u7C92\u5EA6\u542F\u7528\u65AD\u8A00\n    -da[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n    -disableassertions[:<\u7A0B\u5E8F\u5305\u540D\u79F0>...|:<\u7C7B\u540D>]\n                  \u6309\u6307\u5B9A\u7684\u7C92\u5EA6\u7981\u7528\u65AD\u8A00\n    -esa \
+| -enablesystemassertions\n                  \u542F\u7528\u7CFB\u7EDF\u65AD\u8A00\n    -dsa | -disablesystemassertions\n                  \u7981\u7528\u7CFB\u7EDF\u65AD\u8A00\n    -agentlib:<\u5E93\u540D>[=<\u9009\u9879>]\n                  \u52A0\u8F7D\u672C\u673A\u4EE3\u7406\u5E93 <\u5E93\u540D>, \u4F8B\u5982 -agentlib:jdwp\n                  \u53E6\u8BF7\u53C2\u9605 -agentlib:jdwp=help\n    -agentpath:<\u8DEF\u5F84\u540D>[=<\u9009\u9879>]\n                  \u6309\u5B8C\u6574\u8DEF\u5F84\u540D\u52A0\u8F7D\u672C\u673A\u4EE3\u7406\u5E93\n    -javaagent:[=<\u9009\u9879>]\n                  \u52A0\u8F7D Java \u7F16\u7A0B\u8BED\u8A00\u4EE3\u7406, \u8BF7\u53C2\u9605 java.lang.instrument\n    -splash:<\u56FE\u50CF\u8DEF\u5F84>\n                  \u4F7F\u7528\u6307\u5B9A\u7684\u56FE\u50CF\u663E\u793A\u542F\u52A8\u5C4F\u5E55\n                  \u81EA\u52A8\u652F\u6301\u548C\u4F7F\u7528 HiDPI \u7F29\u653E\u56FE\u50CF\n                  (\u5982\u679C\u53EF\u7528)\u3002\u5E94\u59CB\u7EC8\u5C06\u672A\u7F29\u653E\u7684\u56FE\u50CF\u6587\u4EF6\u540D (\u4F8B\u5982, image.ext)\n                  \u4F5C\u4E3A\u53C2\u6570\u4F20\u9012\u7ED9 -splash \u9009\u9879\u3002\n                  \u5C06\u81EA\u52A8\u9009\u53D6\u63D0\u4F9B\u7684\u6700\u5408\u9002\u7684\u7F29\u653E\n                  \u56FE\u50CF\u3002\n                  \u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u53C2\u9605 SplashScreen API \u6587\u6863\n    @argument \u6587\u4EF6\n                  \u4E00\u4E2A\u6216\u591A\u4E2A\u5305\u542B\u9009\u9879\u7684\u53C2\u6570\u6587\u4EF6\n    -disable-@files\n                  \u963B\u6B62\u8FDB\u4E00\u6B65\u6269\u5C55\u53C2\u6570\u6587\u4EF6\n\u8981\u4E3A\u957F\u9009\u9879\u6307\u5B9A\u53C2\u6570, \u53EF\u4EE5\u4F7F\u7528 --<\u540D\u79F0>=<\u503C> \u6216\n--<\u540D\u79F0> <\u503C>\u3002\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           \u7981\u7528\u540E\u53F0\u7F16\u8BD1\n    -Xbootclasspath/a:<\u7528 {0} \u5206\u9694\u7684\u76EE\u5F55\u548C zip/jar \u6587\u4EF6>\n                      \u9644\u52A0\u5728\u5F15\u5BFC\u7C7B\u8DEF\u5F84\u672B\u5C3E\n    -Xcheck:jni       \u5BF9 JNI \u51FD\u6570\u6267\u884C\u5176\u4ED6\u68C0\u67E5\n    -Xcomp            \u5728\u9996\u6B21\u8C03\u7528\u65F6\u5F3A\u5236\u4F7F\u7528\u7684\u7F16\u8BD1\u65B9\u6CD5\n    -Xdebug           \u4E3A\u5B9E\u73B0\u5411\u540E\u517C\u5BB9\u800C\u63D0\u4F9B\n    -Xdiag            \u663E\u793A\u9644\u52A0\u8BCA\u65AD\u6D88\u606F\n    -Xfuture          \u542F\u7528\u6700\u4E25\u683C\u7684\u68C0\u67E5, \u9884\u671F\u5C06\u6765\u7684\u9ED8\u8BA4\u503C\n    -Xint             \u4EC5\u89E3\u91CA\u6A21\u5F0F\u6267\u884C\n    -Xinternalversion\n                      \u663E\u793A\u6BD4 -version \u9009\u9879\u66F4\u8BE6\u7EC6\u7684 JVM\n                      \u7248\u672C\u4FE1\u606F\n    -Xloggc:<\u6587\u4EF6>    \u5C06 GC \u72B6\u6001\u8BB0\u5F55\u5728\u6587\u4EF6\u4E2D (\u5E26\u65F6\u95F4\u6233)\n    -Xmixed           \u6DF7\u5408\u6A21\u5F0F\u6267\u884C (\u9ED8\u8BA4\u503C)\n    -Xmn<\u5927\u5C0F>        \u4E3A\u5E74\u8F7B\u4EE3 (\u65B0\u751F\u4EE3) \u8BBE\u7F6E\u521D\u59CB\u548C\u6700\u5927\u5806\u5927\u5C0F\n                      (\u4EE5\u5B57\u8282\u4E3A\u5355\u4F4D)\n    -Xms<\u5927\u5C0F>        \u8BBE\u7F6E\u521D\u59CB Java \u5806\u5927\u5C0F\n    -Xmx<\u5927\u5C0F>        \u8BBE\u7F6E\u6700\u5927 Java \u5806\u5927\u5C0F\n    -Xnoclassgc       \u7981\u7528\u7C7B\u5783\u573E\u6536\u96C6\n    -Xprof            \u8F93\u51FA cpu \u5206\u6790\u6570\u636E (\u5DF2\u8FC7\u65F6)\n    -Xrs              \u51CF\u5C11 Java/VM \u5BF9\u64CD\u4F5C\u7CFB\u7EDF\u4FE1\u53F7\u7684\u4F7F\u7528 (\u8BF7\u53C2\u9605\u6587\u6863)\n    -Xshare:auto      \u5728\u53EF\u80FD\u7684\u60C5\u51B5\u4E0B\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E (\u9ED8\u8BA4\u503C)\n    -Xshare:off       \u4E0D\u5C1D\u8BD5\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E\n    -Xshare:on        \u8981\u6C42\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E, \u5426\u5219\u5C06\u5931\u8D25\u3002\n    -XshowSettings    \u663E\u793A\u6240\u6709\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:all\n                      \u663E\u793A\u6240\u6709\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:locale\n                      \u663E\u793A\u6240\u6709\u4E0E\u533A\u57DF\u8BBE\u7F6E\u76F8\u5173\u7684\u8BBE\u7F6E\u5E76\u7EE7\u7EEDe\n    -XshowSettings:properties\n                      \u663E\u793A\u6240\u6709\u5C5E\u6027\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:vm \u663E\u793A\u6240\u6709\u4E0E vm \u76F8\u5173\u7684\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -Xss<\u5927\u5C0F>        \u8BBE\u7F6E Java \u7EBF\u7A0B\u5806\u6808\u5927\u5C0F\n    -Xverify          \u8BBE\u7F6E\u5B57\u8282\u7801\u9A8C\u8BC1\u5668\u7684\u6A21\u5F0F\n    --add-reads <\u6A21\u5757>=<\u76EE\u6807\u6A21\u5757>(,<\u76EE\u6807\u6A21\u5757>)*\n                      \u66F4\u65B0 <\u6A21\u5757> \u4EE5\u8BFB\u53D6 <\u76EE\u6807\u6A21\u5757>,\n                      \u800C\u65E0\u8BBA\u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n                      <\u76EE\u6807\u6A21\u5757> \u53EF\u4EE5\u662F ALL-UNNAMED \u4EE5\u8BFB\u53D6\u6240\u6709\u672A\u547D\u540D\n                      \u6A21\u5757\u3002\n    --add-exports <\u6A21\u5757>/<\u7A0B\u5E8F\u5305>=<\u76EE\u6807\u6A21\u5757>(,<\u76EE\u6807\u6A21\u5757>)*\n                      \u66F4\u65B0 <\u6A21\u5757> \u4EE5\u5C06 <\u7A0B\u5E8F\u5305> \u5BFC\u51FA\u5230 <\u76EE\u6807\u6A21\u5757>,\n                      \u800C\u65E0\u8BBA\u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n                      <\u76EE\u6807\u6A21\u5757> \u53EF\u4EE5\u662F ALL-UNNAMED \u4EE5\u5BFC\u51FA\u5230\u6240\u6709\n                      \u672A\u547D\u540D\u6A21\u5757\u3002\n    --add-opens <\u6A21\u5757>/<\u7A0B\u5E8F\u5305>=<\u76EE\u6807\u6A21\u5757>(,<\u76EE\u6807\u6A21\u5757>)*\n                      \u66F4\u65B0 <\u6A21\u5757> \
-\u4EE5\u5728 <\u76EE\u6807\u6A21\u5757> \u4E2D\n                      \u6253\u5F00 <\u7A0B\u5E8F\u5305>, \u800C\u65E0\u8BBA\u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n    --limit-modules <\u6A21\u5757\u540D\u79F0>[,<\u6A21\u5757\u540D\u79F0>...]\n                      \u9650\u5236\u53EF\u89C2\u5BDF\u6A21\u5757\u7684\u9886\u57DF\n    --patch-module <\u6A21\u5757>=<\u6587\u4EF6>({0}<\u6587\u4EF6>)*\n                      \u4F7F\u7528 JAR \u6587\u4EF6\u6216\u76EE\u5F55\u4E2D\u7684\u7C7B\u548C\u8D44\u6E90\n                      \u8986\u76D6\u6216\u589E\u5F3A\u6A21\u5757\u3002\n    --disable-@files  \u7981\u6B62\u8FDB\u4E00\u6B65\u6269\u5C55\u53C2\u6570\u6587\u4EF6\n\n\u8FD9\u4E9B\u989D\u5916\u9009\u9879\u5982\u6709\u66F4\u6539, \u6055\u4E0D\u53E6\u884C\u901A\u77E5\u3002\n
+java.launcher.X.usage=\n    -Xbatch           \u7981\u7528\u540E\u53F0\u7F16\u8BD1\n    -Xbootclasspath/a:\n                      \u9644\u52A0\u5728\u5F15\u5BFC\u7C7B\u8DEF\u5F84\u672B\u5C3E\n    -Xcheck:jni       \u5BF9 JNI \u51FD\u6570\u6267\u884C\u5176\u4ED6\u68C0\u67E5\n    -Xcomp            \u5728\u9996\u6B21\u8C03\u7528\u65F6\u5F3A\u5236\u7F16\u8BD1\u65B9\u6CD5\n    -Xdebug           \u4E3A\u5B9E\u73B0\u5411\u540E\u517C\u5BB9\u800C\u63D0\u4F9B\n    -Xdiag            \u663E\u793A\u9644\u52A0\u8BCA\u65AD\u6D88\u606F\n    -Xfuture          \u542F\u7528\u6700\u4E25\u683C\u7684\u68C0\u67E5, \u9884\u671F\u5C06\u6765\u7684\u9ED8\u8BA4\u503C\n    -Xint             \u4EC5\u89E3\u91CA\u6A21\u5F0F\u6267\u884C\n    -Xinternalversion\n                      \u663E\u793A\u6BD4 -version \u9009\u9879\u66F4\u8BE6\u7EC6\u7684 JVM\n                      \u7248\u672C\u4FE1\u606F\n    -Xloggc:    \u5C06 GC \u72B6\u6001\u8BB0\u5F55\u5728\u6587\u4EF6\u4E2D (\u5E26\u65F6\u95F4\u6233)\n    -Xmixed           \u6DF7\u5408\u6A21\u5F0F\u6267\u884C (\u9ED8\u8BA4\u503C)\n    -Xmn        \u4E3A\u5E74\u8F7B\u4EE3 (\u65B0\u751F\u4EE3) \u8BBE\u7F6E\u521D\u59CB\u548C\u6700\u5927\u5806\u5927\u5C0F\n                      (\u4EE5\u5B57\u8282\u4E3A\u5355\u4F4D)\n    -Xms        \u8BBE\u7F6E\u521D\u59CB Java \u5806\u5927\u5C0F\n    -Xmx        \u8BBE\u7F6E\u6700\u5927 Java \u5806\u5927\u5C0F\n    -Xnoclassgc       \u7981\u7528\u7C7B\u5783\u573E\u6536\u96C6\n    -Xprof            \u8F93\u51FA cpu \u5206\u6790\u6570\u636E (\u5DF2\u8FC7\u65F6)\n    -Xrs              \u51CF\u5C11 Java/VM \u5BF9\u64CD\u4F5C\u7CFB\u7EDF\u4FE1\u53F7\u7684\u4F7F\u7528 (\u8BF7\u53C2\u9605\u6587\u6863)\n    -Xshare:auto      \u5728\u53EF\u80FD\u7684\u60C5\u51B5\u4E0B\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E (\u9ED8\u8BA4\u503C)\n    -Xshare:off       \u4E0D\u5C1D\u8BD5\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E\n    -Xshare:on        \u8981\u6C42\u4F7F\u7528\u5171\u4EAB\u7C7B\u6570\u636E, \u5426\u5219\u5C06\u5931\u8D25\u3002\n    -XshowSettings    \u663E\u793A\u6240\u6709\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:all\n                      \u663E\u793A\u6240\u6709\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:locale\n                      \u663E\u793A\u6240\u6709\u4E0E\u533A\u57DF\u8BBE\u7F6E\u76F8\u5173\u7684\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:properties\n                      \u663E\u793A\u6240\u6709\u5C5E\u6027\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -XshowSettings:vm \u663E\u793A\u6240\u6709\u4E0E vm \u76F8\u5173\u7684\u8BBE\u7F6E\u5E76\u7EE7\u7EED\n    -Xss        \u8BBE\u7F6E Java \u7EBF\u7A0B\u5806\u6808\u5927\u5C0F\n    -Xverify          \u8BBE\u7F6E\u5B57\u8282\u7801\u9A8C\u8BC1\u5668\u7684\u6A21\u5F0F\n    --add-reads =(,)*\n                      \u66F4\u65B0  \u4EE5\u8BFB\u53D6 , \u800C\u65E0\u8BBA\n                      \u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n                       \u53EF\u4EE5\u662F ALL-UNNAMED \u4EE5\u8BFB\u53D6\u6240\u6709\u672A\u547D\u540D\n                      \u6A21\u5757\u3002\n    --add-exports /=(,)*\n                      \u66F4\u65B0  \u4EE5\u5C06  \u5230\u5904\u5230 ,\n                      \u800C\u65E0\u8BBA\u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n                       \u53EF\u4EE5\u662F ALL-UNNAMED \u4EE5\u5BFC\u51FA\u5230\u6240\u6709\n                      \u672A\u547D\u540D\u6A21\u5757\u3002\n    --add-opens /=(,)*\n                      \u66F4\u65B0  \u4EE5\u5728  \u4E2D\u6253\u5F00\n                      , \u800C\u65E0\u8BBA\u6A21\u5757\u58F0\u660E\u5982\u4F55\u3002\n    --illegal-access=\n                      \
+\u5141\u8BB8\u6216\u62D2\u7EDD\u901A\u8FC7\u672A\u547D\u540D\u6A21\u5757\u4E2D\u7684\u4EE3\u7801\u5BF9\u547D\u540D\u6A21\u5757\u4E2D\u7684\n                      \u7C7B\u578B\u6210\u5458\u8FDB\u884C\u8BBF\u95EE\u3002\n                       \u4E3A "deny", "permit", "warn" \u6216 "debug" \u4E4B\u4E00\n                      \u6B64\u9009\u9879\u5C06\u5728\u672A\u6765\u53D1\u884C\u7248\u4E2D\u5220\u9664\u3002\n    --limit-modules [,...]\n                      \u9650\u5236\u53EF\u89C2\u5BDF\u6A21\u5757\u7684\u9886\u57DF\n    --patch-module =({0})*\n                      \u4F7F\u7528 JAR \u6587\u4EF6\u6216\u76EE\u5F55\u4E2D\u7684\u7C7B\u548C\u8D44\u6E90\n                      \u8986\u76D6\u6216\u589E\u5F3A\u6A21\u5757\u3002\n    --disable-@files \u7981\u6B62\u8FDB\u4E00\u6B65\u6269\u5C55\u53C2\u6570\u6587\u4EF6\n\n\u8FD9\u4E9B\u989D\u5916\u9009\u9879\u5982\u6709\u66F4\u6539, \u6055\u4E0D\u53E6\u884C\u901A\u77E5\u3002\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\n\u4EE5\u4E0B\u9009\u9879\u4E3A Mac OS X \u7279\u5B9A\u7684\u9009\u9879:\n    -XstartOnFirstThread\n                      \u5728\u7B2C\u4E00\u4E2A (AppKit) \u7EBF\u7A0B\u4E0A\u8FD0\u884C main() \u65B9\u6CD5\n    -Xdock:name=<\u5E94\u7528\u7A0B\u5E8F\u540D\u79F0>\n                      \u8986\u76D6\u505C\u9760\u680F\u4E2D\u663E\u793A\u7684\u9ED8\u8BA4\u5E94\u7528\u7A0B\u5E8F\u540D\u79F0\n    -Xdock:icon=<\u56FE\u6807\u6587\u4EF6\u7684\u8DEF\u5F84>\n                      \u8986\u76D6\u505C\u9760\u680F\u4E2D\u663E\u793A\u7684\u9ED8\u8BA4\u56FE\u6807\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=\u9519\u8BEF: main \u65B9\u6CD5\u5FC5\u987B\u8FD4\u56DE
 java.launcher.cls.error4=\u9519\u8BEF: \u5728\u7C7B {0} \u4E2D\u627E\u4E0D\u5230 main \u65B9\u6CD5, \u8BF7\u5C06 main \u65B9\u6CD5\u5B9A\u4E49\u4E3A:\n   public static void main(String[] args)\n\u5426\u5219 JavaFX \u5E94\u7528\u7A0B\u5E8F\u7C7B\u5FC5\u987B\u6269\u5C55{1}
 java.launcher.cls.error5=\u9519\u8BEF: \u7F3A\u5C11 JavaFX \u8FD0\u884C\u65F6\u7EC4\u4EF6, \u9700\u8981\u4F7F\u7528\u8BE5\u7EC4\u4EF6\u6765\u8FD0\u884C\u6B64\u5E94\u7528\u7A0B\u5E8F
 java.launcher.cls.error6=\u9519\u8BEF: \u52A0\u8F7D\u4E3B\u7C7B {0} \u65F6\u51FA\u73B0 LinkageError\n\t{1}
+java.launcher.cls.error7=\u9519\u8BEF: \u65E0\u6CD5\u521D\u59CB\u5316\u4E3B\u7C7B {0}\n\u539F\u56E0: {1}: {2}
 java.launcher.jar.error1=\u9519\u8BEF: \u5C1D\u8BD5\u6253\u5F00\u6587\u4EF6{0}\u65F6\u51FA\u73B0\u610F\u5916\u9519\u8BEF
 java.launcher.jar.error2=\u5728{0}\u4E2D\u627E\u4E0D\u5230\u6E05\u5355
 java.launcher.jar.error3={0}\u4E2D\u6CA1\u6709\u4E3B\u6E05\u5355\u5C5E\u6027
@@ -55,5 +56,6 @@ java.launcher.init.error=\u521D\u59CB\u5316\u9519\u8BEF
 java.launcher.javafx.error1=\u9519\u8BEF: JavaFX launchApplication \u65B9\u6CD5\u5177\u6709\u9519\u8BEF\u7684\u7B7E\u540D, \u5FC5\u987B\n\u5C06\u65B9\u6CD5\u58F0\u660E\u4E3A\u9759\u6001\u65B9\u6CD5\u5E76\u8FD4\u56DE\u7A7A\u7C7B\u578B\u7684\u503C
 java.launcher.module.error1=\u6A21\u5757 {0} \u4E0D\u5177\u6709 MainClass \u5C5E\u6027, \u8BF7\u4F7F\u7528 -m /
 java.launcher.module.error2=\u9519\u8BEF: \u5728\u6A21\u5757 {1} \u4E2D\u627E\u4E0D\u5230\u6216\u65E0\u6CD5\u52A0\u8F7D\u4E3B\u7C7B {0}
-java.launcher.module.error3=\u9519\u8BEF: \u65E0\u6CD5\u4ECE\u6A21\u5757 {1} \u52A0\u8F7D\u4E3B\u7C7B {0}\n\t{2}
+java.launcher.module.error3=\u9519\u8BEF: \u65E0\u6CD5\u5C06\u4E3B\u7C7B {0} \u52A0\u8F7D\u5230\u6A21\u5757 {1} \u4E2D\n\t{2}
 java.launcher.module.error4=\u627E\u4E0D\u5230{0}
+java.launcher.module.error5=\u9519\u8BEF: \u65E0\u6CD5\u521D\u59CB\u5316\u6A21\u5757 {1} \u4E2D\u7684\u4E3B\u7C7B {0}\n\u539F\u56E0: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_TW.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_TW.properties
index 5b9cafa63f..16de9973cd 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_TW.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_zh_TW.properties
@@ -31,12 +31,12 @@ java.launcher.opt.vmselect   =\    {0}\t  \u9078\u53D6 "{1}" VM\n
 java.launcher.opt.hotspot    =\    {0}\t  \u662F "{1}" VM \u7684\u540C\u7FA9\u5B57  [\u5DF2\u4E0D\u518D\u4F7F\u7528]\n
 
 # Translators please note do not translate the options themselves
-java.launcher.opt.footer = \    -cp <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n    -classpath <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n    --class-path <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u3001JAR \u5B58\u6A94\n                  \u4EE5\u53CA ZIP \u5B58\u6A94\u6E05\u55AE (\u5C07\u65BC\u5176\u4E2D\u641C\u5C0B\u985E\u5225\u6A94\u6848)\u3002\n    -p <\u6A21\u7D44\u8DEF\u5F91>\n    --module-path <\u6A21\u7D44\u8DEF\u5F91>...\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u6E05\u55AE\uFF0C\u6BCF\u500B\u76EE\u9304\n                  \u90FD\u662F\u4E00\u500B\u6A21\u7D44\u76EE\u9304\u3002\n    --upgrade-module-path <\u6A21\u7D44\u8DEF\u5F91>...\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u6E05\u55AE\uFF0C\u6BCF\u500B\u76EE\u9304\n                  \u90FD\u662F\u4E00\u500B\u6A21\u7D44\u76EE\u9304\uFF0C\u7576\u4E2D\u7684\u6A21\u7D44\u53EF\u53D6\u4EE3\u53EF\u5347\u7D1A\n                  \u6A21\u7D44 (\u5728\u7A0B\u5F0F\u5BE6\u969B\u57F7\u884C\u5F71\u50CF\u4E2D)\n    --add-modules [,...]\n                  \u9664\u4E86\u8D77\u59CB\u6A21\u7D44\u4E4B\u5916\uFF0C\u8981\u89E3\u6790\u7684\u6839\u6A21\u7D44\u3002\n                   \u4E5F\u53EF\u4EE5\u662F ALL-DEFAULT\u3001ALL-SYSTEM\u3001\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u5217\u51FA\u53EF\u76E3\u6E2C\u7684\u6A21\u7D44\u4E26\u7D50\u675F\n    --d <\u6A21\u7D44\u540D\u7A31>\n    --describe-module <\u6A21\u7D44\u540D\u7A31>\n                  \u63CF\u8FF0\u6A21\u7D44\u4E26\u7D50\u675F\n    --dry-run     \u5EFA\u7ACB VM \u4E26\u8F09\u5165\u4E3B\u8981\u985E\u5225\uFF0C\u4F46\u4E0D\u57F7\u884C\u4E3B\u8981\u65B9\u6CD5\u3002\n                  --dry-run \u9078\u9805\u9069\u5408\u7528\u5728\u9A57\u8B49\n                  \u50CF\u6A21\u7D44\u7CFB\u7D71\u7D44\u614B\u7684\u547D\u4EE4\u884C\u9078\u9805\u3002\n    --validate-modules\n                  \u9A57\u8B49\u6240\u6709\u6A21\u7D44\u4E26\u7D50\u675F\n                  --validate-modules \u9078\u9805\u9069\u5408\u7528\u5728\u5C0B\u627E\n                  \u6A21\u7D44\u8DEF\u5F91\u4E0A\u4E4B\u6A21\u7D44\u7684\u885D\u7A81\u548C\u5176\u4ED6\u932F\u8AA4\u3002\n    -D=\n                  \u8A2D\u5B9A\u7CFB\u7D71\u7279\u6027\n    -verbose:[class|module|gc|jni]\n                  \u555F\u7528\u8A73\u7D30\u8CC7\u8A0A\u8F38\u51FA\n    -version      \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7D50\u675F\n    --version      \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7D50\u675F\n    -showversion  \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    --show-version\n                  \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    --show-module-resolution\n                  \u5728\u555F\u52D5\u6642\u986F\u793A\u6A21\u7D44\u89E3\u6790\u8F38\u51FA\n    -? -h -help\n                  \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u6B64\u8AAA\u660E\u8A0A\u606F\n    --help        \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u6B64\u8AAA\u660E\u8A0A\u606F\n    -X            \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u984D\u5916\u9078\u9805\u7684\u8AAA\u660E\n    --help-extra  \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u984D\u5916\u9078\u9805\u7684\u8AAA\u660E\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  \u555F\u7528\u6307\u5B9A\u4E4B\u8A73\u7D30\u7A0B\u5EA6\u7684\u5BA3\u544A\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  \u505C\u7528\u6307\u5B9A\u4E4B\u8A73\u7D30\u7A0B\u5EA6\u7684\u5BA3\u544A\n    -esa | -enablesystemassertions\n               \
-   \u555F\u7528\u7CFB\u7D71\u5BA3\u544A\n    -dsa | -disablesystemassertions\n                  \u505C\u7528\u7CFB\u7D71\u5BA3\u544A\n    -agentlib:[=]\n                  \u8F09\u5165\u539F\u751F\u4EE3\u7406\u7A0B\u5F0F\u7A0B\u5F0F\u5EAB \uFF0C\u4F8B\u5982 -agentlib:jdwp\n                  \u53E6\u8ACB\u53C3\u95B1 -agentlib:jdwp=help\n    -agentpath:[=]\n                  \u4F9D\u5B8C\u6574\u8DEF\u5F91\u540D\u7A31\u8F09\u5165\u539F\u751F\u4EE3\u7406\u7A0B\u5F0F\u7A0B\u5F0F\u5EAB\n    -javaagent:[=]\n                  \u8F09\u5165 Java \u7A0B\u5F0F\u8A9E\u8A00\u4EE3\u7406\u7A0B\u5F0F\uFF0C\u8ACB\u53C3\u95B1 java.lang.instrument\n    -splash:\n                  \u986F\u793A\u542B\u6307\u5B9A\u5F71\u50CF\u7684\u8EDF\u9AD4\u8CC7\u8A0A\u756B\u9762\n                  \u7CFB\u7D71\u6703\u81EA\u52D5\u652F\u63F4\u4E26\u4F7F\u7528 HiDPI \u7E2E\u653E\u7684\u5F71\u50CF\n                  (\u82E5\u6709\u7684\u8A71)\u3002\u672A\u7E2E\u653E\u5F71\u50CF\u6A94\u6848\u540D\u7A31 (\u4F8B\u5982 image.ext)\n                  \u61C9\u4E00\u5F8B\u4EE5\u5F15\u6578\u7684\u5F62\u5F0F\u50B3\u9001\u7D66 -splash \u9078\u9805\u3002\n                  \u7CFB\u7D71\u5C07\u6703\u81EA\u52D5\u9078\u64C7\u4F7F\u7528\u6700\u9069\u5408\u7684\u7E2E\u653E\u5F71\u50CF\n                  \u3002\n                  \u8ACB\u53C3\u95B1 SplashScreen API \u6587\u4EF6\u77AD\u89E3\u8A73\u7D30\u8CC7\u8A0A\u3002\n    @argument files\n                  \u4E00\u6216\u591A\u500B\u5305\u542B\u9078\u9805\u7684\u5F15\u6578\u6A94\u6848\n    -disable-@files\n                  \u505C\u7528\u9032\u4E00\u6B65\u7684\u5F15\u6578\u6A94\u6848\u64F4\u5145\n\u82E5\u8981\u6307\u5B9A\u9577\u9078\u9805\u7684\u5F15\u6578\uFF0C\u53EF\u4EE5\u4F7F\u7528 --= \u6216\n-- \u3002\n
+java.launcher.opt.footer = \    -cp <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n    -classpath <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n    --class-path <\u76EE\u9304\u548C zip/jar \u6A94\u6848\u7684\u985E\u5225\u641C\u5C0B\u8DEF\u5F91>\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u3001JAR \u5B58\u6A94\n                  \u4EE5\u53CA ZIP \u5B58\u6A94\u6E05\u55AE (\u5C07\u65BC\u5176\u4E2D\u641C\u5C0B\u985E\u5225\u6A94\u6848)\u3002\n    -p <\u6A21\u7D44\u8DEF\u5F91>\n    --module-path <\u6A21\u7D44\u8DEF\u5F91>...\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u6E05\u55AE\uFF0C\u6BCF\u500B\u76EE\u9304\n                  \u90FD\u662F\u4E00\u500B\u6A21\u7D44\u76EE\u9304\u3002\n    --upgrade-module-path <\u6A21\u7D44\u8DEF\u5F91>...\n                  \u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u6E05\u55AE\uFF0C\u6BCF\u500B\u76EE\u9304\n                  \u90FD\u662F\u4E00\u500B\u6A21\u7D44\u76EE\u9304\uFF0C\u7576\u4E2D\u7684\u6A21\u7D44\u53EF\u53D6\u4EE3\u53EF\u5347\u7D1A\n                  \u6A21\u7D44 (\u5728\u7A0B\u5F0F\u5BE6\u969B\u57F7\u884C\u5F71\u50CF\u4E2D)\n    --add-modules [,...]\n                  \u9664\u4E86\u8D77\u59CB\u6A21\u7D44\u4E4B\u5916\uFF0C\u8981\u89E3\u6790\u7684\u6839\u6A21\u7D44\u3002\n                   \u4E5F\u53EF\u4EE5\u662F ALL-DEFAULT\u3001ALL-SYSTEM\u3001\n                  ALL-MODULE-PATH.\n    --list-modules\n                  \u5217\u51FA\u53EF\u76E3\u6E2C\u7684\u6A21\u7D44\u4E26\u7D50\u675F\n    -d <\u6A21\u7D44\u540D\u7A31>\n    --describe-module <\u6A21\u7D44\u540D\u7A31>\n                  \u63CF\u8FF0\u6A21\u7D44\u4E26\u7D50\u675F\n    --dry-run     \u5EFA\u7ACB VM \u4E26\u8F09\u5165\u4E3B\u8981\u985E\u5225\uFF0C\u4F46\u4E0D\u57F7\u884C\u4E3B\u8981\u65B9\u6CD5\u3002\n                  --dry-run \u9078\u9805\u9069\u5408\u7528\u5728\u9A57\u8B49\n                  \u50CF\u6A21\u7D44\u7CFB\u7D71\u7D44\u614B\u7684\u547D\u4EE4\u884C\u9078\u9805\u3002\n    --validate-modules\n                  \u9A57\u8B49\u6240\u6709\u6A21\u7D44\u4E26\u7D50\u675F\n                  --validate-modules \u9078\u9805\u9069\u5408\u7528\u5728\u5C0B\u627E\n                  \u6A21\u7D44\u8DEF\u5F91\u4E0A\u4E4B\u6A21\u7D44\u7684\u885D\u7A81\u548C\u5176\u4ED6\u932F\u8AA4\u3002\n    -D=\n                  \u8A2D\u5B9A\u7CFB\u7D71\u7279\u6027\n    -verbose:[class|module|gc|jni]\n                  \u555F\u7528\u8A73\u7D30\u8CC7\u8A0A\u8F38\u51FA\n    -version      \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7D50\u675F\n    --version      \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7D50\u675F\n    -showversion  \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    --show-version\n                  \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u7522\u54C1\u7248\u672C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    --show-module-resolution\n                  \u5728\u555F\u52D5\u6642\u986F\u793A\u6A21\u7D44\u89E3\u6790\u8F38\u51FA\n    -? -h -help\n                  \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u6B64\u8AAA\u660E\u8A0A\u606F\n    --help        \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u6B64\u8AAA\u660E\u8A0A\u606F\n    -X            \u5728\u932F\u8AA4\u4E32\u6D41\u5370\u51FA\u984D\u5916\u9078\u9805\u7684\u8AAA\u660E\n    --help-extra  \u5728\u8F38\u51FA\u4E32\u6D41\u5370\u51FA\u984D\u5916\u9078\u9805\u7684\u8AAA\u660E\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  \u555F\u7528\u6307\u5B9A\u4E4B\u8A73\u7D30\u7A0B\u5EA6\u7684\u5BA3\u544A\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  \u505C\u7528\u6307\u5B9A\u4E4B\u8A73\u7D30\u7A0B\u5EA6\u7684\u5BA3\u544A\n    -esa | -enablesystemassertions\n                \
+  \u555F\u7528\u7CFB\u7D71\u5BA3\u544A\n    -dsa | -disablesystemassertions\n                  \u505C\u7528\u7CFB\u7D71\u5BA3\u544A\n    -agentlib:[=]\n                  \u8F09\u5165\u539F\u751F\u4EE3\u7406\u7A0B\u5F0F\u7A0B\u5F0F\u5EAB \uFF0C\u4F8B\u5982 -agentlib:jdwp\n                  \u53E6\u8ACB\u53C3\u95B1 -agentlib:jdwp=help\n    -agentpath:[=]\n                  \u4F9D\u5B8C\u6574\u8DEF\u5F91\u540D\u7A31\u8F09\u5165\u539F\u751F\u4EE3\u7406\u7A0B\u5F0F\u7A0B\u5F0F\u5EAB\n    -javaagent:[=]\n                  \u8F09\u5165 Java \u7A0B\u5F0F\u8A9E\u8A00\u4EE3\u7406\u7A0B\u5F0F\uFF0C\u8ACB\u53C3\u95B1 java.lang.instrument\n    -splash:\n                  \u986F\u793A\u542B\u6307\u5B9A\u5F71\u50CF\u7684\u8EDF\u9AD4\u8CC7\u8A0A\u756B\u9762\n                  \u7CFB\u7D71\u6703\u81EA\u52D5\u652F\u63F4\u4E26\u4F7F\u7528 HiDPI \u7E2E\u653E\u7684\u5F71\u50CF\n                  (\u82E5\u6709\u7684\u8A71)\u3002\u672A\u7E2E\u653E\u5F71\u50CF\u6A94\u6848\u540D\u7A31 (\u4F8B\u5982 image.ext)\n                  \u61C9\u4E00\u5F8B\u4EE5\u5F15\u6578\u7684\u5F62\u5F0F\u50B3\u9001\u7D66 -splash \u9078\u9805\u3002\n                  \u7CFB\u7D71\u5C07\u6703\u81EA\u52D5\u9078\u64C7\u4F7F\u7528\u6700\u9069\u5408\u7684\u7E2E\u653E\u5F71\u50CF\n                  \u3002\n                  \u8ACB\u53C3\u95B1 SplashScreen API \u6587\u4EF6\u77AD\u89E3\u8A73\u7D30\u8CC7\u8A0A\u3002\n    @argument files\n                  \u4E00\u6216\u591A\u500B\u5305\u542B\u9078\u9805\u7684\u5F15\u6578\u6A94\u6848\n    -disable-@files\n                  \u505C\u7528\u9032\u4E00\u6B65\u7684\u5F15\u6578\u6A94\u6848\u64F4\u5145\n\u82E5\u8981\u6307\u5B9A\u9577\u9078\u9805\u7684\u5F15\u6578\uFF0C\u53EF\u4EE5\u4F7F\u7528 --= \u6216\n-- \u3002\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           \u505C\u7528\u80CC\u666F\u7DE8\u8B6F\n    -Xbootclasspath/a:<\u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u548C zip/jar \u6A94\u6848>\n                      \u9644\u52A0\u81F3\u555F\u52D5\u5B89\u88DD\u985E\u5225\u8DEF\u5F91\u7684\u7D50\u5C3E\n    -Xcheck:jni       \u57F7\u884C\u984D\u5916\u7684 JNI \u51FD\u6578\u6AA2\u67E5\n    -Xcomp            \u5F37\u5236\u7DE8\u8B6F\u7B2C\u4E00\u500B\u547C\u53EB\u7684\u65B9\u6CD5\n    -Xdebug           \u91DD\u5C0D\u56DE\u6EAF\u76F8\u5BB9\u6027\u63D0\u4F9B\n    -Xdiag            \u986F\u793A\u984D\u5916\u7684\u8A3A\u65B7\u8A0A\u606F\n    -Xfuture          \u555F\u7528\u6700\u56B4\u683C\u7684\u6AA2\u67E5\uFF0C\u9810\u5148\u4F5C\u70BA\u5C07\u4F86\u7684\u9810\u8A2D\n    -Xint             \u50C5\u9650\u89E3\u8B6F\u6A21\u5F0F\u57F7\u884C\n    -Xinternalversion\n                      \u986F\u793A\u6BD4 -version \u9078\u9805\u66F4\u70BA\u8A73\u7D30\u7684\n                      JVM \u7248\u672C\u8CC7\u8A0A\n    -Xloggc:    \u5C07 GC \u72C0\u614B\u8A18\u9304\u81F3\u6A94\u6848\u4E14\u9023\u540C\u6642\u6233\n    -Xmixed           \u6DF7\u5408\u6A21\u5F0F\u57F7\u884C (\u9810\u8A2D)\n    -Xmn        \u8A2D\u5B9A\u65B0\u751F\u4EE3 (\u990A\u6210\u5340) \u4E4B\u5806\u96C6\u7684\u8D77\u59CB\u5927\u5C0F\u548C\n                      \u5927\u5C0F\u4E0A\u9650 (\u4F4D\u5143\u7D44)\n    -Xms        \u8A2D\u5B9A\u8D77\u59CB Java \u5806\u96C6\u5927\u5C0F\n    -Xmx        \u8A2D\u5B9A Java \u5806\u96C6\u5927\u5C0F\u4E0A\u9650\n    -Xnoclassgc       \u505C\u7528\u985E\u5225\u8CC7\u6E90\u56DE\u6536\n    -Xprof            \u8F38\u51FA cpu \u5206\u6790\u8CC7\u6599 (\u5DF2\u4E0D\u518D\u4F7F\u7528)\n    -Xrs              \u6E1B\u5C11 Java/VM \u4F7F\u7528\u7684\u4F5C\u696D\u7CFB\u7D71\u4FE1\u865F (\u8ACB\u53C3\u95B1\u6587\u4EF6)\n    -Xshare:auto      \u5728\u53EF\u80FD\u7684\u60C5\u6CC1\u4E0B\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599 (\u9810\u8A2D)\n    -Xshare:off       \u4E0D\u5617\u8A66\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599\n    -Xshare:on        \u9700\u8981\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599\uFF0C\u5426\u5247\u6703\u5931\u6557\u3002\n    -XshowSettings    \u986F\u793A\u6240\u6709\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:all\n                      \u986F\u793A\u6240\u6709\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:locale\n                      \u986F\u793A\u6240\u6709\u5730\u5340\u8A2D\u5B9A\u76F8\u95DC\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:properties\n                      \u986F\u793A\u6240\u6709\u5C6C\u6027\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:vm \u986F\u793A\u6240\u6709 VM \u76F8\u95DC\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -Xss        \u8A2D\u5B9A Java \u57F7\u884C\u7DD2\u5806\u758A\u5927\u5C0F\n    -Xverify          \u8A2D\u5B9A Bytecode \u9A57\u8B49\u7A0B\u5F0F\u7684\u6A21\u5F0F\n    --add-reads =(,)*\n                      \u66F4\u65B0  \u4EE5\u8B80\u53D6 \uFF0C\u4E0D\u8AD6\n                      \u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n                      \u53EF\u5C07  \u8A2D\u70BA ALL-UNNAMED \u4EE5\u8B80\u53D6\u6240\u6709\u672A\u547D\u540D\u7684\n                      \u6A21\u7D44\u3002\n    --add-exports /=(,)*\n                      \u66F4\u65B0  \u4EE5\u4FBF\u5C07  \u532F\u51FA\u81F3 \uFF0C\n                      \u4E0D\u8AD6\u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n                      \u53EF\u5C07  \u8A2D\u70BA ALL-UNNAMED \u4EE5\u532F\u51FA\u81F3\u6240\u6709\n                      \u672A\u547D\u540D\u7684\u6A21\u7D44\u3002\n    --add-opens /=(,)*\n                      \u66F4\u65B0  \
-\u4EE5\u4FBF\u5C07  \u958B\u555F\u81F3\n                      \uFF0C\u4E0D\u8AD6\u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n    --limit-modules [,...]\n                      \u9650\u5236\u53EF\u76E3\u6E2C\u6A21\u7D44\u7684\u7BC4\u570D\n    --patch-module =({0})*\n                      \u8986\u5BEB\u6216\u52A0\u5F37\u542B\u6709 JAR \u6A94\u6848\u6216\u76EE\u9304\u4E2D\n                      \u985E\u5225\u548C\u8CC7\u6E90\u7684\u6A21\u7D44\u3002\n    --disable-@files  \u505C\u7528\u9032\u4E00\u6B65\u7684\u5F15\u6578\u6A94\u6848\u64F4\u5145\n\n\u4E0A\u8FF0\u7684\u984D\u5916\u9078\u9805\u82E5\u6709\u8B8A\u66F4\u4E0D\u53E6\u884C\u901A\u77E5\u3002\n
+java.launcher.X.usage=\n    -Xbatch           \u505C\u7528\u80CC\u666F\u7DE8\u8B6F\n    -Xbootclasspath/a:<\u4EE5 {0} \u5340\u9694\u7684\u76EE\u9304\u548C zip/jar \u6A94\u6848>\n                      \u9644\u52A0\u81F3\u555F\u52D5\u5B89\u88DD\u985E\u5225\u8DEF\u5F91\u7684\u7D50\u5C3E\n    -Xcheck:jni       \u57F7\u884C\u984D\u5916\u7684 JNI \u51FD\u6578\u6AA2\u67E5\n    -Xcomp            \u5F37\u5236\u7DE8\u8B6F\u7B2C\u4E00\u500B\u547C\u53EB\u7684\u65B9\u6CD5\n    -Xdebug           \u91DD\u5C0D\u56DE\u6EAF\u76F8\u5BB9\u6027\u63D0\u4F9B\n    -Xdiag            \u986F\u793A\u984D\u5916\u7684\u8A3A\u65B7\u8A0A\u606F\n    -Xfuture          \u555F\u7528\u6700\u56B4\u683C\u7684\u6AA2\u67E5\uFF0C\u9810\u5148\u4F5C\u70BA\u5C07\u4F86\u7684\u9810\u8A2D\n    -Xint             \u50C5\u9650\u89E3\u8B6F\u6A21\u5F0F\u57F7\u884C\n    -Xinternalversion\n                      \u986F\u793A\u6BD4 -version \u9078\u9805\u66F4\u70BA\u8A73\u7D30\u7684\n                      JVM \u7248\u672C\u8CC7\u8A0A\n    -Xloggc:    \u9023\u540C\u6642\u6233\u5C07 GC \u72C0\u614B\u8A18\u9304\u81F3\u6A94\u6848\n    -Xmixed           \u6DF7\u5408\u6A21\u5F0F\u57F7\u884C (\u9810\u8A2D)\n    -Xmn        \u8A2D\u5B9A\u65B0\u751F\u4EE3 (\u990A\u6210\u5340) \u4E4B\u5806\u96C6\u7684\u8D77\u59CB\u5927\u5C0F\u548C\n                      \u5927\u5C0F\u4E0A\u9650 (\u4F4D\u5143\u7D44)\n    -Xms        \u8A2D\u5B9A\u8D77\u59CB Java \u5806\u96C6\u5927\u5C0F\n    -Xmx        \u8A2D\u5B9A Java \u5806\u96C6\u5927\u5C0F\u4E0A\u9650\n    -Xnoclassgc       \u505C\u7528\u985E\u5225\u8CC7\u6E90\u56DE\u6536\n    -Xprof            \u8F38\u51FA cpu \u5206\u6790\u8CC7\u6599 (\u5DF2\u4E0D\u518D\u4F7F\u7528)\n    -Xrs              \u6E1B\u5C11 Java/VM \u4F7F\u7528\u7684\u4F5C\u696D\u7CFB\u7D71\u4FE1\u865F (\u8ACB\u53C3\u95B1\u6587\u4EF6)\n    -Xshare:auto      \u5728\u53EF\u80FD\u7684\u60C5\u6CC1\u4E0B\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599 (\u9810\u8A2D)\n    -Xshare:off       \u4E0D\u5617\u8A66\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599\n    -Xshare:on        \u9700\u8981\u4F7F\u7528\u5171\u7528\u985E\u5225\u8CC7\u6599\uFF0C\u5426\u5247\u6703\u5931\u6557\u3002\n    -XshowSettings    \u986F\u793A\u6240\u6709\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:all\n                      \u986F\u793A\u6240\u6709\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:locale\n                      \u986F\u793A\u6240\u6709\u5730\u5340\u8A2D\u5B9A\u76F8\u95DC\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:properties\n                      \u986F\u793A\u6240\u6709\u5C6C\u6027\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -XshowSettings:vm \u986F\u793A\u6240\u6709 VM \u76F8\u95DC\u8A2D\u5B9A\u503C\u4E26\u7E7C\u7E8C\u9032\u884C\u4F5C\u696D\n    -Xss        \u8A2D\u5B9A Java \u57F7\u884C\u7DD2\u5806\u758A\u5927\u5C0F\n    -Xverify          \u8A2D\u5B9A Bytecode \u9A57\u8B49\u7A0B\u5F0F\u7684\u6A21\u5F0F\n    --add-reads =(,)*\n                      \u66F4\u65B0  \u4EE5\u8B80\u53D6 \uFF0C\u4E0D\u8AD6\n                      \u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n                      \u53EF\u5C07  \u8A2D\u70BA ALL-UNNAMED \u4EE5\u8B80\u53D6\u6240\u6709\u672A\u547D\u540D\u7684\n                      \u6A21\u7D44\u3002\n    --add-exports /=(,)*\n                      \u66F4\u65B0  \u4EE5\u4FBF\u5C07  \u532F\u51FA\u81F3 \uFF0C\n                      \u4E0D\u8AD6\u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n                      \u53EF\u5C07  \u8A2D\u70BA ALL-UNNAMED \u4EE5\u532F\u51FA\u81F3\u6240\u6709\n                      \u672A\u547D\u540D\u7684\u6A21\u7D44\u3002\n    --add-opens /=(,)*\n                      \u66F4\u65B0  \
+\u4EE5\u4FBF\u5C07  \u958B\u555F\u81F3\n                      \uFF0C\u4E0D\u8AD6\u6A21\u7D44\u5BA3\u544A\u70BA\u4F55\u3002\n    --illegal-access=\n                      \u5141\u8A31\u6216\u62D2\u7D55\u672A\u547D\u540D\u6A21\u7D44\u4E2D\u7684\u7A0B\u5F0F\u78BC\u5C0D\u5DF2\u547D\u540D\u6A21\u7D44\u4E2D\u7684\n                      \u985E\u578B\u6210\u54E1\u9032\u884C\u5B58\u53D6\u3002\n                       \u70BA "deny"\u3001"permit"\u3001"warn" \u6216 "debug" \u5176\u4E2D\u4E4B\u4E00\n                      \u6B64\u9078\u9805\u5C07\u5728\u672A\u4F86\u7248\u672C\u4E2D\u79FB\u9664\u3002\n    --limit-modules [,...]\n                      \u9650\u5236\u53EF\u76E3\u6E2C\u6A21\u7D44\u7684\u7BC4\u570D\n    --patch-module =({0})*\n                      \u8986\u5BEB\u6216\u52A0\u5F37\u542B\u6709 JAR \u6A94\u6848\u6216\u76EE\u9304\u4E2D\n                      \u985E\u5225\u548C\u8CC7\u6E90\u7684\u6A21\u7D44\u3002\n    --disable-@files  \u505C\u7528\u9032\u4E00\u6B65\u7684\u5F15\u6578\u6A94\u6848\u64F4\u5145\n\n\u4E0A\u8FF0\u7684\u984D\u5916\u9078\u9805\u82E5\u6709\u8B8A\u66F4\u4E0D\u53E6\u884C\u901A\u77E5\u3002\n
 
 # Translators please note do not translate the options themselves
 java.launcher.X.macosx.usage=\n\u4E0B\u5217\u662F Mac OS X \u7279\u5B9A\u9078\u9805:\n    -XstartOnFirstThread\n                      \u5728\u7B2C\u4E00\u500B (AppKit) \u57F7\u884C\u7DD2\u57F7\u884C main() \u65B9\u6CD5\n    -Xdock:name=\n                      \u8986\u5BEB\u7D50\u5408\u8AAA\u660E\u756B\u9762\u4E2D\u986F\u793A\u7684\u9810\u8A2D\u61C9\u7528\u7A0B\u5F0F\u540D\u7A31\n    -Xdock:icon=\n                      \u8986\u5BEB\u7D50\u5408\u8AAA\u660E\u756B\u9762\u4E2D\u986F\u793A\u7684\u9810\u8A2D\u5716\u793A\n\n
@@ -47,6 +47,7 @@ java.launcher.cls.error3=\u932F\u8AA4: \u4E3B\u8981\u65B9\u6CD5\u5FC5\u9808\u50B
 java.launcher.cls.error4=\u932F\u8AA4: \u5728\u985E\u5225 {0} \u4E2D\u627E\u4E0D\u5230\u4E3B\u8981\u65B9\u6CD5\uFF0C\u8ACB\u5B9A\u7FA9\u4E3B\u8981\u65B9\u6CD5\u70BA:\n   public static void main(String[] args)\n\u6216\u8005 JavaFX \u61C9\u7528\u7A0B\u5F0F\u985E\u5225\u5FC5\u9808\u64F4\u5145 {1}
 java.launcher.cls.error5=\u932F\u8AA4: \u907A\u6F0F\u57F7\u884C\u6B64\u61C9\u7528\u7A0B\u5F0F\u6240\u9700\u7684 JavaFX \u7A0B\u5F0F\u5BE6\u969B\u57F7\u884C\u5143\u4EF6
 java.launcher.cls.error6=\u932F\u8AA4: \u8F09\u5165\u4E3B\u8981\u985E\u5225 {0} \u6642\u767C\u751F LinkageError\n\t{1}
+java.launcher.cls.error7=\u932F\u8AA4: \u7121\u6CD5\u8D77\u59CB\u4E3B\u8981\u985E\u5225 {0}\n\u539F\u56E0: {1}: {2}
 java.launcher.jar.error1=\u932F\u8AA4: \u5617\u8A66\u958B\u555F\u6A94\u6848 {0} \u6642\u767C\u751F\u672A\u9810\u671F\u7684\u932F\u8AA4
 java.launcher.jar.error2=\u5728 {0} \u4E2D\u627E\u4E0D\u5230\u8CC7\u8A0A\u6E05\u55AE
 java.launcher.jar.error3={0} \u4E2D\u6C92\u6709\u4E3B\u8981\u8CC7\u8A0A\u6E05\u55AE\u5C6C\u6027
@@ -55,5 +56,6 @@ java.launcher.init.error=\u521D\u59CB\u5316\u932F\u8AA4
 java.launcher.javafx.error1=\u932F\u8AA4: JavaFX launchApplication \u65B9\u6CD5\u7684\u7C3D\u7AE0\u932F\u8AA4\uFF0C\u5B83\n\u5FC5\u9808\u5BA3\u544A\u70BA\u975C\u614B\u4E26\u50B3\u56DE void \u985E\u578B\u7684\u503C
 java.launcher.module.error1=\u6A21\u7D44 {0} \u4E0D\u542B MainClass \u5C6C\u6027\uFF0C\u8ACB\u4F7F\u7528 -m /
 java.launcher.module.error2=\u932F\u8AA4: \u627E\u4E0D\u5230\u6216\u7121\u6CD5\u8F09\u5165\u6A21\u7D44 {1} \u4E2D\u7684\u4E3B\u8981\u985E\u5225 {0}
-java.launcher.module.error3=\u932F\u8AA4: \u7121\u6CD5\u5F9E\u6A21\u7D44 {1} \u8F09\u5165\u4E3B\u8981\u985E\u5225 {0}\n\t{2}
+java.launcher.module.error3=\u932F\u8AA4: \u7121\u6CD5\u8F09\u5165\u6A21\u7D44 {1} \u4E2D\u7684\u4E3B\u8981\u985E\u5225 {0}\n\t{2}
 java.launcher.module.error4=\u627E\u4E0D\u5230 {0}
+java.launcher.module.error5=\u932F\u8AA4: \u7121\u6CD5\u8D77\u59CB\u6A21\u7D44 {1} \u4E2D\u7684\u4E3B\u8981\u985E\u5225 {0}\n\u539F\u56E0: {1}: {2}
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
index e3af1fdcf4..9f1c612f2b 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
@@ -460,6 +460,10 @@ public class Resources_de extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Von %s in %s mit %s verifiziert"},
         {"whose.sigalg.risk", "%s verwendet den Signaturalgorithmus %s. Dies gilt als Sicherheitsrisiko."},
         {"whose.key.risk", "%s verwendet %s. Dies gilt als Sicherheitsrisiko."},
+        {"jks.storetype.warning", "Der %1$s-Keystore verwendet ein propriet\u00E4res Format. Es wird empfohlen, auf PKCS12 zu migrieren, das ein Industriestandardformat mit \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" ist."},
+        {"migrate.keystore.warning", "\"%1$s\" zu %4$s migriert. Der %2$s-Keystore wurde als \"%3$s\" gesichert."},
+        {"backup.keystore.warning", "Der urspr\u00FCngliche Keystore \"%1$s\" wird als \"%3$s\" gesichert..."},
+        {"importing.keystore.status", "Keystore %1$s wird in %2$s importiert..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
index 31a0fe38b2..9689db8219 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
@@ -460,6 +460,10 @@ public class Resources_es extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Verificado por %s en %s con %s"},
         {"whose.sigalg.risk", "%s usa el algoritmo de firma %s, lo que se considera un riesgo de seguridad."},
         {"whose.key.risk", "%s usa %s, lo que se considera un riesgo de seguridad."},
+        {"jks.storetype.warning", "El almac\u00E9n de claves %1$s utiliza un formato propietario. Se recomienda migrar a PKCS12, que es un formato est\u00E1ndar del sector que utiliza \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "Se ha migrado \"%1$s\" a %4$s. Se ha realizado la copia de seguridad del almac\u00E9n de claves %2$s como \"%3$s\"."},
+        {"backup.keystore.warning", "La copia de seguridad del almac\u00E9n de claves \"%1$s\" se ha realizado como \"%3$s\"..."},
+        {"importing.keystore.status", "Importando el almac\u00E9n de claves de %1$s a %2$s..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
index 892001d28f..448eb451ed 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
@@ -460,6 +460,10 @@ public class Resources_fr extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "V\u00E9rifi\u00E9 par %s dans %s avec un \u00E9l\u00E9ment %s"},
         {"whose.sigalg.risk", "%s utilise l'algorithme de signature %s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
         {"whose.key.risk", "%s utilise un \u00E9l\u00E9ment %s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
+        {"jks.storetype.warning", "Le fichier de cl\u00E9s %1$s utilise un format propri\u00E9taire. Il est recommand\u00E9 de migrer vers PKCS12, qui est un format standard de l'industrie en utilisant \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "El\u00E9ment \"%1$s\" migr\u00E9 vers %4$s. Le fichier de cl\u00E9s %2$s est sauvegard\u00E9 en tant que \"%3$s\"."},
+        {"backup.keystore.warning", "Le fichier de cl\u00E9s d'origine \"%1$s\" est sauvegard\u00E9 en tant que \"%3$s\"..."},
+        {"importing.keystore.status", "Import du fichier de cl\u00E9s %1$s vers %2$s..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
index 4f7013f71d..31dd6904d5 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
@@ -460,6 +460,10 @@ public class Resources_it extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Verificato da %s in %s con un %s"},
         {"whose.sigalg.risk", "%s utilizza l'algoritmo firma %s che \u00E8 considerato un rischio per la sicurezza."},
         {"whose.key.risk", "%s utilizza un %s che \u00E8 considerato un rischio per la sicurezza."},
+        {"jks.storetype.warning", "Il keystore %1$s utilizza un formato proprietario. Si consiglia di eseguire la migrazione a PKCS12, un formato standard di settore, utilizzando il comando \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "Migrazione di \"%1$s\" in %4$s eseguita. Backup del keystore %2$s eseguito con il nome \"%3$s\"."},
+        {"backup.keystore.warning", "Backup del keystore originale \"%1$s\" eseguito con il nome \"%3$s\"..."},
+        {"importing.keystore.status", "Importazione del keystore %1$s in %2$s in corso..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
index 5d47830cf9..feb3f200d3 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
@@ -460,6 +460,10 @@ public class Resources_ja extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "%s(%s\u5185)\u306B\u3088\u308A%s\u3067\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F"},
         {"whose.sigalg.risk", "%s\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%s\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002"},
         {"whose.key.risk", "%s\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%s\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002"},
+        {"jks.storetype.warning", "%1$s\u30AD\u30FC\u30B9\u30C8\u30A2\u306F\u72EC\u81EA\u306E\u5F62\u5F0F\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002\"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"\u3092\u4F7F\u7528\u3059\u308B\u696D\u754C\u6A19\u6E96\u306E\u5F62\u5F0F\u3067\u3042\u308BPKCS12\u306B\u79FB\u884C\u3059\u308B\u3053\u3068\u3092\u304A\u85A6\u3081\u3057\u307E\u3059\u3002"},
+        {"migrate.keystore.warning", "\"%1$s\"\u304C%4$s\u306B\u79FB\u884C\u3055\u308C\u307E\u3057\u305F\u3002%2$s\u30AD\u30FC\u30B9\u30C8\u30A2\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059\u3002"},
+        {"backup.keystore.warning", "\u5143\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\"%1$s\"\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059..."},
+        {"importing.keystore.status", "\u30AD\u30FC\u30B9\u30C8\u30A2%1$s\u3092%2$s\u306B\u30A4\u30F3\u30DD\u30FC\u30C8\u3057\u3066\u3044\u307E\u3059..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
index b25180899c..f1c90261e0 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
@@ -382,7 +382,7 @@ public class Resources_ko extends java.util.ListResourceBundle {
         {".WARNING.WARNING.WARNING.",
             "*****************  WARNING WARNING WARNING  *****************"},
         {"Signer.d.", "\uC11C\uBA85\uC790 #%d:"},
-        {"Timestamp.", "\uC2DC\uAC04 \uAE30\uB85D:"},
+        {"Timestamp.", "\uC2DC\uAC04\uAE30\uB85D:"},
         {"Signature.", "\uC11C\uBA85:"},
         {"CRLs.", "CRL:"},
         {"Certificate.owner.", "\uC778\uC99D\uC11C \uC18C\uC720\uC790: "},
@@ -460,6 +460,10 @@ public class Resources_ko extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "%s\uC774(\uAC00) %s\uC5D0\uC11C %s\uC744(\uB97C) \uC0AC\uC6A9\uD558\uC5EC \uD655\uC778"},
         {"whose.sigalg.risk", "%s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %s \uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998\uC744 \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
         {"whose.key.risk", "%s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %s\uC744(\uB97C) \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
+        {"jks.storetype.warning", "%1$s \uD0A4 \uC800\uC7A5\uC18C\uB294 \uACE0\uC720 \uD615\uC2DD\uC744 \uC0AC\uC6A9\uD569\uB2C8\uB2E4. \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"\uB97C \uC0AC\uC6A9\uD558\uB294 \uC0B0\uC5C5 \uD45C\uC900 \uD615\uC2DD\uC778 PKCS12\uB85C \uC774\uC804\uD558\uB294 \uAC83\uC774 \uC88B\uC2B5\uB2C8\uB2E4."},
+        {"migrate.keystore.warning", "\"%1$s\"\uC744(\uB97C) %4$s(\uC73C)\uB85C \uC774\uC804\uD588\uC2B5\uB2C8\uB2E4. %2$s \uD0A4 \uC800\uC7A5\uC18C\uAC00 \"%3$s\"(\uC73C)\uB85C \uBC31\uC5C5\uB418\uC5C8\uC2B5\uB2C8\uB2E4."},
+        {"backup.keystore.warning", "\uC6D0\uBCF8 \uD0A4 \uC800\uC7A5\uC18C \"%1$s\"\uC774(\uAC00) \"%3$s\"(\uC73C)\uB85C \uBC31\uC5C5\uB418\uC5C8\uC2B5\uB2C8\uB2E4."},
+        {"importing.keystore.status", "\uD0A4 \uC800\uC7A5\uC18C %1$s\uC744(\uB97C) %2$s(\uC73C)\uB85C \uC784\uD3EC\uD2B8\uD558\uB294 \uC911..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
index fa00132217..288f93ba42 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
@@ -460,6 +460,10 @@ public class Resources_pt_BR extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Verificado por %s em %s com um %s"},
         {"whose.sigalg.risk", "%s usa o algoritmo de assinatura %s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
         {"whose.key.risk", "%s usa um %s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
+        {"jks.storetype.warning", "O armazenamento de chaves %1$s usa um formato propriet\u00E1rio. \u00C9 recomendada a migra\u00E7\u00E3o para PKCS12, que \u00E9 um formato de padr\u00E3o industrial que usa \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "\"%1$s\" foi migrado para %4$s. O backup do armazenamento de chaves %2$s \u00E9 feito como \"%3$s\"."},
+        {"backup.keystore.warning", "O backup do armazenamento de chaves original \"%1$s\" \u00E9 feito como \"%3$s\"..."},
+        {"importing.keystore.status", "Importando armazenamento de chaves %1$s to %2$s..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
index bf53bf8b8e..3bd7b2eda6 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
@@ -460,6 +460,10 @@ public class Resources_sv extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Verifierades av %s i %s med en %s"},
         {"whose.sigalg.risk", "%s anv\u00E4nder signaturalgoritmen %s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
         {"whose.key.risk", "%s anv\u00E4nder en %s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
+        {"jks.storetype.warning", "Nyckellagret %1$s anv\u00E4nder ett propriet\u00E4rt format. Du b\u00F6r migrera till PKCS12, som \u00E4r ett branschstandardformat, med \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "Migrerade \"%1$s\" till %4$s. Nyckellagret %2$s s\u00E4kerhetskopierades som \"%3$s\"."},
+        {"backup.keystore.warning", "Det ursprungliga nyckellagret, \"%1$s\", s\u00E4kerhetskopieras som \"%3$s\"..."},
+        {"importing.keystore.status", "Importerar nyckellagret %1$s till %2$s..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
index dbaf741de9..9b0e065d08 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
@@ -460,6 +460,10 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "\u7531 %2$s \u4E2D\u7684 %1$s \u4EE5 %3$s \u9A8C\u8BC1"},
         {"whose.sigalg.risk", "%s \u4F7F\u7528\u7684 %s \u7B7E\u540D\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
         {"whose.key.risk", "%s \u4F7F\u7528\u7684 %s \u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
+        {"jks.storetype.warning", "%1$s \u5BC6\u94A5\u5E93\u4F7F\u7528\u4E13\u7528\u683C\u5F0F\u3002\u5EFA\u8BAE\u4F7F\u7528 \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" \u8FC1\u79FB\u5230\u884C\u4E1A\u6807\u51C6\u683C\u5F0F PKCS12\u3002"},
+        {"migrate.keystore.warning", "\u5DF2\u5C06 \"%1$s\" \u8FC1\u79FB\u5230 %4$s\u3002\u5C06 %2$s \u5BC6\u94A5\u5E93\u4F5C\u4E3A \"%3$s\" \u8FDB\u884C\u4E86\u5907\u4EFD\u3002"},
+        {"backup.keystore.warning", "\u5DF2\u5C06\u539F\u59CB\u5BC6\u94A5\u5E93 \"%1$s\" \u5907\u4EFD\u4E3A \"%3$s\"..."},
+        {"importing.keystore.status", "\u6B63\u5728\u5C06\u5BC6\u94A5\u5E93 %1$s \u5BFC\u5165\u5230 %2$s..."},
     };
 
 
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
index c73206ec33..a0638cacc5 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
@@ -391,9 +391,9 @@ public class Resources_zh_TW extends java.util.ListResourceBundle {
                 "\u6C92\u6709\u4F86\u81EA SSL \u4F3A\u670D\u5668\u7684\u6191\u8B49"},
 
         {".The.integrity.of.the.information.stored.in.your.keystore.",
-            "* \u5C1A\u672A\u9A57\u8B49\u5132\u5B58\u65BC\u91D1\u9470\u5132\u5B58\u5EAB\u4E2D\u8CC7\u8A0A  *\n* \u7684\u5B8C\u6574\u6027\uFF01\u82E5\u8981\u9A57\u8B49\u5176\u5B8C\u6574\u6027\uFF0C    *\n* \u60A8\u5FC5\u9808\u63D0\u4F9B\u60A8\u7684\u91D1\u9470\u5132\u5B58\u5EAB\u5BC6\u78BC\u3002  *"},
+            "* \u5C1A\u672A\u9A57\u8B49\u5132\u5B58\u65BC\u91D1\u9470\u5132\u5B58\u5EAB\u4E2D\u8CC7\u8A0A  *\n* \u7684\u5B8C\u6574\u6027\uFF01\u82E5\u8981\u9A57\u8B49\u5176\u5B8C\u6574\u6027\uFF0C\u60A8  *\n* \u5FC5\u9808\u63D0\u4F9B\u60A8\u7684\u91D1\u9470\u5132\u5B58\u5EAB\u5BC6\u78BC\u3002    *"},
         {".The.integrity.of.the.information.stored.in.the.srckeystore.",
-            "* \u5C1A\u672A\u9A57\u8B49\u5132\u5B58\u65BC srckeystore \u4E2D\u8CC7\u8A0A *\n* \u7684\u5B8C\u6574\u6027\uFF01\u82E5\u8981\u9A57\u8B49\u5176\u5B8C\u6574\u6027\uFF0C\u60A8    *\n* \u5FC5\u9808\u63D0\u4F9B srckeystore \u5BC6\u78BC\u3002       *"},
+            "* \u5C1A\u672A\u9A57\u8B49\u5132\u5B58\u65BC srckeystore \u4E2D\u8CC7\u8A0A *\n* \u7684\u5B8C\u6574\u6027\uFF01\u82E5\u8981\u9A57\u8B49\u5176\u5B8C\u6574\u6027\uFF0C\u60A8\u5FC5  *\n* \u9808\u63D0\u4F9B srckeystore \u5BC6\u78BC\u3002         *"},
 
         {"Certificate.reply.does.not.contain.public.key.for.alias.",
                 "\u6191\u8B49\u56DE\u8986\u4E26\u672A\u5305\u542B <{0}> \u7684\u516C\u958B\u91D1\u9470"},
@@ -460,6 +460,10 @@ public class Resources_zh_TW extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "\u7531 %2$s \u4E2D\u7684 %1$s \u4EE5 %3$s \u9A57\u8B49"},
         {"whose.sigalg.risk", "%s \u4F7F\u7528\u7684 %s \u7C3D\u7AE0\u6F14\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
         {"whose.key.risk", "%s \u4F7F\u7528\u7684 %s \u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
+        {"jks.storetype.warning", "%1$s \u91D1\u9470\u5132\u5B58\u5EAB\u4F7F\u7528\u5C08\u6709\u683C\u5F0F\u3002\u5EFA\u8B70\u60A8\u4F7F\u7528 \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" \u79FB\u8F49\u6210\u70BA\u4F7F\u7528 PKCS12 (\u696D\u754C\u6A19\u6E96\u683C\u5F0F)\u3002"},
+        {"migrate.keystore.warning", "\u5DF2\u5C07 \"%1$s\" \u79FB\u8F49\u6210\u70BA %4$s\u3002%2$s \u91D1\u9470\u5132\u5B58\u5EAB\u5DF2\u5099\u4EFD\u70BA \"%3$s\"\u3002"},
+        {"backup.keystore.warning", "\u539F\u59CB\u7684\u91D1\u9470\u5132\u5B58\u5EAB \"%1$s\" \u5DF2\u5099\u4EFD\u70BA \"%3$s\"..."},
+        {"importing.keystore.status", "\u6B63\u5728\u5C07\u91D1\u9470\u5132\u5B58\u5EAB %1$s \u532F\u5165 %2$s..."},
     };
 
 
diff --git a/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_ko.properties b/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_ko.properties
index d1448cefe0..932b9b8d85 100644
--- a/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_ko.properties
+++ b/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_ko.properties
@@ -14,7 +14,7 @@ AWT.altGraph=Alt Graph
 AWT.enter=Enter
 AWT.backSpace=Backspace
 AWT.tab=Tab
-AWT.cancel=Cancel
+AWT.cancel=\uCDE8\uC18C
 AWT.clear=Clear
 AWT.pause=Pause
 AWT.capsLock=Caps Lock

From 1bdefdb43e004974a087e0770a0da464150d3bfa Mon Sep 17 00:00:00 2001
From: Weijun Wang 
Date: Wed, 12 Jul 2017 10:55:40 +0800
Subject: [PATCH 130/269] 8182879: Add warnings to keytool when using JKS and
 JCEKS

Reviewed-by: vinnie, ahgross, mullan
---
 .../sun/security/tools/keytool/Main.java      | 187 ++++++++++++++----
 .../sun/security/tools/keytool/Resources.java |   6 +-
 .../sun/security/tools/keytool/WeakAlg.java   | 181 +++++++++++++++--
 3 files changed, 319 insertions(+), 55 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
index 53ea970620..3fc3769cff 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -26,6 +26,8 @@
 package sun.security.tools.keytool;
 
 import java.io.*;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.CodeSigner;
 import java.security.CryptoPrimitive;
 import java.security.KeyStore;
@@ -168,7 +170,12 @@ public final class Main {
     private List ids = new ArrayList<>();   // used in GENCRL
     private List v3ext = new ArrayList<>();
 
-    // Warnings on weak algorithms
+    // In-place importkeystore is special.
+    // A backup is needed, and no need to prompt for deststorepass.
+    private boolean inplaceImport = false;
+    private String inplaceBackupName = null;
+
+    // Warnings on weak algorithms etc
     private List weakWarnings = new ArrayList<>();
 
     private static final DisabledAlgorithmConstraints DISABLED_CHECK =
@@ -812,37 +819,52 @@ public final class Main {
                 ("New.password.must.be.at.least.6.characters"));
         }
 
+        // Set this before inplaceImport check so we can compare name.
+        if (ksfname == null) {
+            ksfname = System.getProperty("user.home") + File.separator
+                    + ".keystore";
+        }
+
+        KeyStore srcKeyStore = null;
+        if (command == IMPORTKEYSTORE) {
+            inplaceImport = inplaceImportCheck();
+            if (inplaceImport) {
+                // We load srckeystore first so we have srcstorePass that
+                // can be assigned to storePass
+                srcKeyStore = loadSourceKeyStore();
+                if (storePass == null) {
+                    storePass = srcstorePass;
+                }
+            }
+        }
+
         // Check if keystore exists.
         // If no keystore has been specified at the command line, try to use
         // the default, which is located in $HOME/.keystore.
         // If the command is "genkey", "identitydb", "import", or "printcert",
         // it is OK not to have a keystore.
-        if (isKeyStoreRelated(command)) {
-            if (ksfname == null) {
-                ksfname = System.getProperty("user.home") + File.separator
-                    + ".keystore";
-            }
 
-            if (!nullStream) {
-                try {
-                    ksfile = new File(ksfname);
-                    // Check if keystore file is empty
-                    if (ksfile.exists() && ksfile.length() == 0) {
-                        throw new Exception(rb.getString
-                        ("Keystore.file.exists.but.is.empty.") + ksfname);
-                    }
-                    ksStream = new FileInputStream(ksfile);
-                } catch (FileNotFoundException e) {
-                    if (command != GENKEYPAIR &&
+        // DO NOT open the existing keystore if this is an in-place import.
+        // The keystore should be created as brand new.
+        if (isKeyStoreRelated(command) && !nullStream && !inplaceImport) {
+            try {
+                ksfile = new File(ksfname);
+                // Check if keystore file is empty
+                if (ksfile.exists() && ksfile.length() == 0) {
+                    throw new Exception(rb.getString
+                            ("Keystore.file.exists.but.is.empty.") + ksfname);
+                }
+                ksStream = new FileInputStream(ksfile);
+            } catch (FileNotFoundException e) {
+                if (command != GENKEYPAIR &&
                         command != GENSECKEY &&
                         command != IDENTITYDB &&
                         command != IMPORTCERT &&
                         command != IMPORTPASS &&
                         command != IMPORTKEYSTORE &&
                         command != PRINTCRL) {
-                        throw new Exception(rb.getString
-                                ("Keystore.file.does.not.exist.") + ksfname);
-                    }
+                    throw new Exception(rb.getString
+                            ("Keystore.file.does.not.exist.") + ksfname);
                 }
             }
         }
@@ -866,7 +888,7 @@ public final class Main {
         // Create new keystore
         // Probe for keystore type when filename is available
         if (ksfile != null && ksStream != null && providerName == null &&
-            hasStoretypeOption == false) {
+                hasStoretypeOption == false && !inplaceImport) {
             keyStore = KeyStore.getInstance(ksfile, storePass);
         } else {
             if (providerName == null) {
@@ -896,7 +918,11 @@ public final class Main {
              * Null stream keystores are loaded later.
              */
             if (!nullStream) {
-                keyStore.load(ksStream, storePass);
+                if (inplaceImport) {
+                    keyStore.load(null, storePass);
+                } else {
+                    keyStore.load(ksStream, storePass);
+                }
                 if (ksStream != null) {
                     ksStream.close();
                 }
@@ -1133,7 +1159,11 @@ public final class Main {
                 }
             }
         } else if (command == IMPORTKEYSTORE) {
-            doImportKeyStore();
+            // When not in-place import, srcKeyStore is not loaded yet.
+            if (srcKeyStore == null) {
+                srcKeyStore = loadSourceKeyStore();
+            }
+            doImportKeyStore(srcKeyStore);
             kssave = true;
         } else if (command == KEYCLONE) {
             keyPassNew = newPass;
@@ -1264,6 +1294,51 @@ public final class Main {
                 }
             }
         }
+
+        if (isKeyStoreRelated(command)
+                && !token && !nullStream && ksfname != null) {
+
+            // JKS storetype warning on the final result keystore
+            File f = new File(ksfname);
+            char[] pass = (storePassNew!=null) ? storePassNew : storePass;
+            if (f.exists()) {
+                // Probe for real type. A JKS can be loaded as PKCS12 because
+                // DualFormat support, vice versa.
+                keyStore = KeyStore.getInstance(f, pass);
+                String realType = keyStore.getType();
+                if (realType.equalsIgnoreCase("JKS")
+                        || realType.equalsIgnoreCase("JCEKS")) {
+                    boolean allCerts = true;
+                    for (String a : Collections.list(keyStore.aliases())) {
+                        if (!keyStore.entryInstanceOf(
+                                a, TrustedCertificateEntry.class)) {
+                            allCerts = false;
+                            break;
+                        }
+                    }
+                    // Don't warn for "cacerts" style keystore.
+                    if (!allCerts) {
+                        weakWarnings.add(String.format(
+                                rb.getString("jks.storetype.warning"),
+                                realType, ksfname));
+                    }
+                }
+                if (inplaceImport) {
+                    String realSourceStoreType = KeyStore.getInstance(
+                            new File(inplaceBackupName), srcstorePass).getType();
+                    String format =
+                            realType.equalsIgnoreCase(realSourceStoreType) ?
+                            rb.getString("backup.keystore.warning") :
+                            rb.getString("migrate.keystore.warning");
+                    weakWarnings.add(
+                            String.format(format,
+                                    srcksfname,
+                                    realSourceStoreType,
+                                    inplaceBackupName,
+                                    realType));
+                }
+            }
+        }
     }
 
     /**
@@ -1955,12 +2030,40 @@ public final class Main {
         }
     }
 
+    boolean inplaceImportCheck() throws Exception {
+        if (P11KEYSTORE.equalsIgnoreCase(srcstoretype) ||
+                KeyStoreUtil.isWindowsKeyStore(srcstoretype)) {
+            return false;
+        }
+
+        if (srcksfname != null) {
+            File srcksfile = new File(srcksfname);
+            if (srcksfile.exists() && srcksfile.length() == 0) {
+                throw new Exception(rb.getString
+                        ("Source.keystore.file.exists.but.is.empty.") +
+                        srcksfname);
+            }
+            if (srcksfile.getCanonicalFile()
+                    .equals(new File(ksfname).getCanonicalFile())) {
+                return true;
+            } else {
+                // Informational, especially if destkeystore is not
+                // provided, which default to ~/.keystore.
+                System.err.println(String.format(rb.getString(
+                        "importing.keystore.status"), srcksfname, ksfname));
+                return false;
+            }
+        } else {
+            throw new Exception(rb.getString
+                    ("Please.specify.srckeystore"));
+        }
+    }
+
     /**
      * Load the srckeystore from a stream, used in -importkeystore
      * @return the src KeyStore
      */
     KeyStore loadSourceKeyStore() throws Exception {
-        boolean isPkcs11 = false;
 
         InputStream is = null;
         File srcksfile = null;
@@ -1973,20 +2076,9 @@ public final class Main {
                 System.err.println();
                 tinyHelp();
             }
-            isPkcs11 = true;
         } else {
-            if (srcksfname != null) {
-                srcksfile = new File(srcksfname);
-                    if (srcksfile.exists() && srcksfile.length() == 0) {
-                        throw new Exception(rb.getString
-                                ("Source.keystore.file.exists.but.is.empty.") +
-                                srcksfname);
-                }
-                is = new FileInputStream(srcksfile);
-            } else {
-                throw new Exception(rb.getString
-                        ("Please.specify.srckeystore"));
-            }
+            srcksfile = new File(srcksfname);
+            is = new FileInputStream(srcksfile);
         }
 
         KeyStore store;
@@ -2053,17 +2145,32 @@ public final class Main {
      * keep alias unchanged if no name conflict, otherwise, prompt.
      * keep keypass unchanged for keys
      */
-    private void doImportKeyStore() throws Exception {
+    private void doImportKeyStore(KeyStore srcKS) throws Exception {
 
         if (alias != null) {
-            doImportKeyStoreSingle(loadSourceKeyStore(), alias);
+            doImportKeyStoreSingle(srcKS, alias);
         } else {
             if (dest != null || srckeyPass != null) {
                 throw new Exception(rb.getString(
                         "if.alias.not.specified.destalias.and.srckeypass.must.not.be.specified"));
             }
-            doImportKeyStoreAll(loadSourceKeyStore());
+            doImportKeyStoreAll(srcKS);
         }
+
+        if (inplaceImport) {
+            // Backup to file.old or file.old2...
+            // The keystore is not rewritten yet now.
+            for (int n = 1; /* forever */; n++) {
+                inplaceBackupName = srcksfname + ".old" + (n == 1 ? "" : n);
+                File bkFile = new File(inplaceBackupName);
+                if (!bkFile.exists()) {
+                    Files.copy(Paths.get(srcksfname), bkFile.toPath());
+                    break;
+                }
+            }
+
+        }
+
         /*
          * Information display rule of -importkeystore
          * 1. inside single, shows failure
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
index 522449c366..6503ee3b82 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -468,6 +468,10 @@ public class Resources extends java.util.ListResourceBundle {
         {"verified.by.s.in.s.weak", "Verified by %s in %s with a %s"},
         {"whose.sigalg.risk", "%s uses the %s signature algorithm which is considered a security risk."},
         {"whose.key.risk", "%s uses a %s which is considered a security risk."},
+        {"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
+        {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
+        {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
+        {"importing.keystore.status", "Importing keystore %1$s to %2$s..."},
     };
 
 
diff --git a/jdk/test/sun/security/tools/keytool/WeakAlg.java b/jdk/test/sun/security/tools/keytool/WeakAlg.java
index bb7ae77737..1f725096b8 100644
--- a/jdk/test/sun/security/tools/keytool/WeakAlg.java
+++ b/jdk/test/sun/security/tools/keytool/WeakAlg.java
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8171319 8177569
+ * @bug 8171319 8177569 8182879
  * @summary keytool should print out warnings when reading or generating
   *         cert/cert req using weak algorithms
  * @library /test/lib
@@ -33,6 +33,7 @@
  * @run main/othervm/timeout=600 -Duser.language=en -Duser.country=US WeakAlg
  */
 
+import jdk.test.lib.Asserts;
 import jdk.test.lib.SecurityTools;
 import jdk.test.lib.process.OutputAnalyzer;
 import sun.security.tools.KeyStoreUtil;
@@ -40,6 +41,7 @@ import sun.security.util.DisabledAlgorithmConstraints;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
@@ -134,25 +136,164 @@ public class WeakAlg {
         kt("-delete -alias b");
         kt("-printcrl -file b.crl")
                 .shouldContain("WARNING: not verified");
+
+        jksTypeCheck();
+
+        checkInplaceImportKeyStore();
+    }
+
+    static void jksTypeCheck() throws Exception {
+
+        // No warning for cacerts, all certs
+        kt0("-cacerts -list -storepass changeit")
+                .shouldNotContain("Warning:");
+
+        rm("ks");
+        rm("ks2");
+
+        kt("-genkeypair -alias a -dname CN=A")
+                .shouldNotContain("Warning:");
+        kt("-list")
+                .shouldNotContain("Warning:");
+        kt("-list -storetype jks") // no warning if PKCS12 used as JKS
+                .shouldNotContain("Warning:");
+        kt("-exportcert -alias a -file a.crt")
+                .shouldNotContain("Warning:");
+
+        // warn if migrating to JKS
+        importkeystore("ks", "ks2", "-deststoretype jks")
+                .shouldContain("JKS keystore uses a proprietary format");
+
+        rm("ks");
+        rm("ks2");
+        rm("ks3");
+
+        // no warning if all certs
+        kt("-importcert -alias b -file a.crt -storetype jks -noprompt")
+                .shouldNotContain("Warning:");
+        kt("-genkeypair -alias a -dname CN=A")
+                .shouldContain("JKS keystore uses a proprietary format");
+        kt("-list")
+                .shouldContain("JKS keystore uses a proprietary format");
+        kt("-list -storetype pkcs12") // warn if JKS used as PKCS12
+                .shouldContain("JKS keystore uses a proprietary format");
+        kt("-exportcert -alias a -file a.crt")
+                .shouldContain("JKS keystore uses a proprietary format");
+        kt("-printcert -file a.crt") // no warning if keystore not touched
+                .shouldNotContain("Warning:");
+        kt("-certreq -alias a -file a.req")
+                .shouldContain("JKS keystore uses a proprietary format");
+        kt("-printcertreq -file a.req") // no warning if keystore not touched
+                .shouldNotContain("Warning:");
+
+        // No warning if migrating from JKS
+        importkeystore("ks", "ks2", "")
+                .shouldNotContain("Warning:");
+
+        importkeystore("ks", "ks3", "-deststoretype pkcs12")
+                .shouldNotContain("Warning:");
+
+        rm("ks");
+
+        kt("-genkeypair -alias a -dname CN=A -storetype jceks")
+                .shouldContain("JCEKS keystore uses a proprietary format");
+        kt("-list")
+                .shouldContain("JCEKS keystore uses a proprietary format");
+        kt("-importcert -alias b -file a.crt -noprompt")
+                .shouldContain("JCEKS keystore uses a proprietary format");
+        kt("-exportcert -alias a -file a.crt")
+                .shouldContain("JCEKS keystore uses a proprietary format");
+        kt("-printcert -file a.crt")
+                .shouldNotContain("Warning:");
+        kt("-certreq -alias a -file a.req")
+                .shouldContain("JCEKS keystore uses a proprietary format");
+        kt("-printcertreq -file a.req")
+                .shouldNotContain("Warning:");
+        kt("-genseckey -alias c -keyalg AES -keysize 128")
+                .shouldContain("JCEKS keystore uses a proprietary format");
     }
 
     static void checkImportKeyStore() throws Exception {
 
-        saveStore();
+        rm("ks2");
+        rm("ks3");
 
-        rm("ks");
-        kt("-importkeystore -srckeystore ks2 -srcstorepass changeit")
+        importkeystore("ks", "ks2", "")
                 .shouldContain("3 entries successfully imported")
                 .shouldContain("Warning")
                 .shouldMatch(".*512-bit RSA key.*risk")
                 .shouldMatch(".*MD5withRSA.*risk");
 
-        rm("ks");
-        kt("-importkeystore -srckeystore ks2 -srcstorepass changeit -srcalias a")
+        importkeystore("ks", "ks3", "-srcalias a")
                 .shouldContain("Warning")
                 .shouldMatch(".*MD5withRSA.*risk");
+    }
 
-        reStore();
+    static void checkInplaceImportKeyStore() throws Exception {
+
+        rm("ks");
+        genkeypair("a", "");
+
+        // Same type backup
+        importkeystore("ks", "ks", "")
+                .shouldContain("Warning:")
+                .shouldMatch("original.*ks.old");
+
+        importkeystore("ks", "ks", "")
+                .shouldContain("Warning:")
+                .shouldMatch("original.*ks.old2");
+
+        importkeystore("ks", "ks", "-srcstoretype jks") // it knows real type
+                .shouldContain("Warning:")
+                .shouldMatch("original.*ks.old3");
+
+        String cPath = new File("ks").getCanonicalPath();
+
+        importkeystore("ks", cPath, "")
+                .shouldContain("Warning:")
+                .shouldMatch("original.*ks.old4");
+
+        // Migration
+        importkeystore("ks", "ks", "-deststoretype jks")
+                .shouldContain("Warning:")
+                .shouldContain("JKS keystore uses a proprietary format")
+                .shouldMatch("Migrated.*JKS.*PKCS12.*ks.old5");
+
+        Asserts.assertEQ(
+                KeyStore.getInstance(
+                        new File("ks"), "changeit".toCharArray()).getType(),
+                "JKS");
+
+        importkeystore("ks", "ks", "-srcstoretype PKCS12")
+                .shouldContain("Warning:")
+                .shouldNotContain("proprietary format")
+                .shouldMatch("Migrated.*PKCS12.*JKS.*ks.old6");
+
+        Asserts.assertEQ(
+                KeyStore.getInstance(
+                        new File("ks"), "changeit".toCharArray()).getType(),
+                "PKCS12");
+
+        Asserts.assertEQ(
+                KeyStore.getInstance(
+                        new File("ks.old6"), "changeit".toCharArray()).getType(),
+                "JKS");
+
+        // One password prompt is enough for migration
+        kt0("-importkeystore -srckeystore ks -destkeystore ks", "changeit")
+                .shouldMatch("original.*ks.old7");
+
+        // But three if importing to a different keystore
+        rm("ks2");
+        kt0("-importkeystore -srckeystore ks -destkeystore ks2",
+                    "changeit")
+                .shouldContain("Keystore password is too short");
+
+        kt0("-importkeystore -srckeystore ks -destkeystore ks2",
+                "changeit", "changeit", "changeit")
+                .shouldContain("Importing keystore ks to ks2...")
+                .shouldNotContain("original")
+                .shouldNotContain("Migrated");
     }
 
     static void checkImport() throws Exception {
@@ -518,17 +659,22 @@ public class WeakAlg {
         }
     }
 
-    // Fast keytool execution by directly calling its main() method
     static OutputAnalyzer kt(String cmd, String... input) {
+        return kt0("-keystore ks -storepass changeit " +
+                "-keypass changeit " + cmd, input);
+    }
+
+    // Fast keytool execution by directly calling its main() method
+    static OutputAnalyzer kt0(String cmd, String... input) {
         PrintStream out = System.out;
         PrintStream err = System.err;
         InputStream ins = System.in;
         ByteArrayOutputStream bout = new ByteArrayOutputStream();
         ByteArrayOutputStream berr = new ByteArrayOutputStream();
         boolean succeed = true;
+        String sout;
+        String serr;
         try {
-            cmd = "-keystore ks -storepass changeit " +
-                    "-keypass changeit " + cmd;
             System.out.println("---------------------------------------------");
             System.out.println("$ keytool " + cmd);
             System.out.println();
@@ -552,19 +698,26 @@ public class WeakAlg {
             System.setOut(out);
             System.setErr(err);
             System.setIn(ins);
+            sout = new String(bout.toByteArray());
+            serr = new String(berr.toByteArray());
+            System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr);
         }
-        String sout = new String(bout.toByteArray());
-        String serr = new String(berr.toByteArray());
-        System.out.println("STDOUT:\n" + sout + "\nSTDERR:\n" + serr);
         if (!succeed) {
             throw new RuntimeException();
         }
         return new OutputAnalyzer(sout, serr);
     }
 
+    static OutputAnalyzer importkeystore(String src, String dest,
+                                         String options) {
+        return kt0("-importkeystore "
+                + "-srckeystore " + src + " -destkeystore " + dest
+                + " -srcstorepass changeit -deststorepass changeit " + options);
+    }
+
     static OutputAnalyzer genkeypair(String alias, String options) {
         return kt("-genkeypair -alias " + alias + " -dname CN=" + alias
-                + " -keyalg RSA -storetype JKS " + options);
+                + " -keyalg RSA -storetype PKCS12 " + options);
     }
 
     static OutputAnalyzer certreq(String alias, String options) {

From 97b5d5c6a8663e19b9ce1aa1875013e423811c01 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 8 Aug 2017 10:12:13 -0700
Subject: [PATCH 131/269] Added tag jdk-9.0.3+5 for changeset 45357d60aefc

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 93456c1733..c81f597ca5 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -429,3 +429,4 @@ bd66ea2fdde3d60a73b5272263a7b8b0ca926a33 jdk-9+181
 77eba1b12ee981b9d7e6b10b33b233669a1cb23e jdk-9.0.3+2
 f13da3f2da08667ff74541440bb5d67b2dad1aa9 jdk-9.0.3+3
 d9b9658b2bd59ac9ca9d17209dcc487a9cf4bff2 jdk-9.0.3+4
+e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5

From 7105f2302d05f75e45728795c950bd61978e7de9 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 15 Aug 2017 14:59:49 -0700
Subject: [PATCH 132/269] Added tag jdk-9.0.3+6 for changeset 5d7ddc90baf6

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index c81f597ca5..f11bcb9563 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -430,3 +430,4 @@ bd66ea2fdde3d60a73b5272263a7b8b0ca926a33 jdk-9+181
 f13da3f2da08667ff74541440bb5d67b2dad1aa9 jdk-9.0.3+3
 d9b9658b2bd59ac9ca9d17209dcc487a9cf4bff2 jdk-9.0.3+4
 e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5
+7b182ade7b8f974be5e459b018e67d1f4440e5f8 jdk-9.0.3+6

From 0b06e5da0579f83bc110bf0d0ccf91d875be0164 Mon Sep 17 00:00:00 2001
From: Sreeprakash Sreedharan 
Date: Mon, 14 Aug 2017 15:32:25 +0530
Subject: [PATCH 133/269] 8184937: LCMS error 13: Couldn't link the profiles

Reviewed-by: prr
---
 jdk/src/java.desktop/share/native/liblcms/cmstypes.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c
index 95fe4d1a5a..ebf81c83b3 100644
--- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c
+++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c
@@ -4464,12 +4464,6 @@ void *Type_MPE_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
     if (!_cmsReadUInt32Number(io, &ElementCount)) goto Error;
     if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) goto Error;
 
-    if (!ReadPositionTable(self, io, ElementCount, BaseOffset, NewLUT, ReadMPEElem)) {
-        if (NewLUT != NULL) cmsPipelineFree(NewLUT);
-        *nItems = 0;
-        return NULL;
-    }
-
     // Success
     *nItems = 1;
     return NewLUT;

From 0afaffed91eb2413821874ecfeed5def624691ae Mon Sep 17 00:00:00 2001
From: Stuart Marks 
Date: Mon, 21 Aug 2017 14:50:01 -0700
Subject: [PATCH 134/269] 8174109: Better queuing priorities

Reviewed-by: chegar, dfuchs, rriggs, alanb, robm, rhalade, jeff, ahgross
---
 .../classes/java/io/ObjectInputStream.java    | 32 ++++++++++++++
 .../share/classes/java/util/ArrayDeque.java   |  2 +
 .../share/classes/java/util/ArrayList.java    |  4 +-
 .../share/classes/java/util/HashMap.java      |  7 +++-
 .../share/classes/java/util/HashSet.java      | 10 ++++-
 .../share/classes/java/util/Hashtable.java    |  7 +++-
 .../classes/java/util/IdentityHashMap.java    |  7 +++-
 .../java/util/ImmutableCollections.java       |  2 +
 .../classes/java/util/PriorityQueue.java      |  4 +-
 .../share/classes/java/util/Properties.java   | 11 +++++
 .../util/concurrent/CopyOnWriteArrayList.java |  2 +
 .../misc/JavaObjectInputStreamAccess.java     | 15 +++----
 .../misc/ObjectStreamClassValidator.java      | 42 -------------------
 .../jdk/internal/misc/SharedSecrets.java      | 11 +++++
 .../serialFilter/SerialFilterTest.java        | 10 ++++-
 15 files changed, 106 insertions(+), 60 deletions(-)
 delete mode 100644 jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java

diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
index 11e33b4e5d..f80b5902b7 100644
--- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
@@ -44,6 +44,7 @@ import java.util.concurrent.ConcurrentMap;
 
 import static java.io.ObjectStreamClass.processQueue;
 
+import jdk.internal.misc.SharedSecrets;
 import jdk.internal.misc.ObjectStreamClassValidator;
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.misc.Unsafe;
@@ -1282,6 +1283,33 @@ public class ObjectInputStream
         }
     }
 
+    /**
+     * Checks the given array type and length to ensure that creation of such
+     * an array is permitted by this ObjectInputStream. The arrayType argument
+     * must represent an actual array type.
+     *
+     * This private method is called via SharedSecrets.
+     *
+     * @param arrayType the array type
+     * @param arrayLength the array length
+     * @throws NullPointerException if arrayType is null
+     * @throws IllegalArgumentException if arrayType isn't actually an array type
+     * @throws NegativeArraySizeException if arrayLength is negative
+     * @throws InvalidClassException if the filter rejects creation
+     */
+    private void checkArray(Class arrayType, int arrayLength) throws InvalidClassException {
+        Objects.requireNonNull(arrayType);
+        if (! arrayType.isArray()) {
+            throw new IllegalArgumentException("not an array type");
+        }
+
+        if (arrayLength < 0) {
+            throw new NegativeArraySizeException();
+        }
+
+        filterCheck(arrayType, arrayLength);
+    }
+
     /**
      * Provide access to the persistent fields read from the input stream.
      */
@@ -3982,6 +4010,10 @@ public class ObjectInputStream
         }
     }
 
+    static {
+        SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray);
+    }
+
     private void validateDescriptor(ObjectStreamClass descriptor) {
         ObjectStreamClassValidator validating = validator;
         if (validating != null) {
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
index 53cdeffa84..9556e90d3a 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
@@ -38,6 +38,7 @@ import java.io.Serializable;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@link Deque} interface.  Array
@@ -1195,6 +1196,7 @@ public class ArrayDeque extends AbstractCollection
 
         // Read in size and allocate array
         int size = s.readInt();
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size + 1);
         elements = new Object[size + 1];
         this.tail = size;
 
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayList.java b/jdk/src/java.base/share/classes/java/util/ArrayList.java
index f63ef493dc..25ca76d8a0 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayList.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@ package java.util;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@code List} interface.  Implements
@@ -816,6 +817,7 @@ public class ArrayList extends AbstractList
 
         if (size > 0) {
             // like clone(), allocate array based upon size not capacity
+            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
             Object[] elements = new Object[size];
 
             // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/java/util/HashMap.java b/jdk/src/java.base/share/classes/java/util/HashMap.java
index 4f0e8e6c7d..085a688aa8 100644
--- a/jdk/src/java.base/share/classes/java/util/HashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/HashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
 import java.util.function.Function;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Hash table based implementation of the {@code Map} interface.  This
@@ -1444,6 +1445,10 @@ public class HashMap extends AbstractMap
             float ft = (float)cap * lf;
             threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                          (int)ft : Integer.MAX_VALUE);
+
+            // Check Map.Entry[].class since it's the nearest public type to
+            // what we're actually creating.
+            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, cap);
             @SuppressWarnings({"rawtypes","unchecked"})
                 Node[] tab = (Node[])new Node[cap];
             table = tab;
diff --git a/jdk/src/java.base/share/classes/java/util/HashSet.java b/jdk/src/java.base/share/classes/java/util/HashSet.java
index 360de8119d..ec47b914b6 100644
--- a/jdk/src/java.base/share/classes/java/util/HashSet.java
+++ b/jdk/src/java.base/share/classes/java/util/HashSet.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package java.util;
 
 import java.io.InvalidObjectException;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Set} interface, backed by a hash table
@@ -322,6 +323,13 @@ public class HashSet
         capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                 HashMap.MAXIMUM_CAPACITY);
 
+        // Constructing the backing map will lazily create an array when the first element is
+        // added, so check it before construction. Call HashMap.tableSizeFor to compute the
+        // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
+        // what is actually created.
+        SharedSecrets.getJavaObjectInputStreamAccess()
+                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));
+
         // Create backing HashMap
         map = (((HashSet)this) instanceof LinkedHashSet ?
                new LinkedHashMap<>(capacity, loadFactor) :
diff --git a/jdk/src/java.base/share/classes/java/util/Hashtable.java b/jdk/src/java.base/share/classes/java/util/Hashtable.java
index f97303be2b..77f0facc51 100644
--- a/jdk/src/java.base/share/classes/java/util/Hashtable.java
+++ b/jdk/src/java.base/share/classes/java/util/Hashtable.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.io.*;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import java.util.function.BiFunction;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements a hash table, which maps keys to values. Any
@@ -1291,6 +1292,10 @@ public class Hashtable
         if (length > elements && (length & 1) == 0)
             length--;
         length = Math.min(length, origlength);
+
+        // Check Map.Entry[].class since it's the nearest public type to
+        // what we're actually creating.
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, length);
         table = new Entry[length];
         threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1);
         count = 0;
diff --git a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
index f749774e78..e48cb354c6 100644
--- a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.lang.reflect.Array;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Map} interface with a hash table, using
@@ -1304,7 +1305,9 @@ public class IdentityHashMap
         if (size < 0)
             throw new java.io.StreamCorruptedException
                 ("Illegal mappings count: " + size);
-        init(capacity(size));
+        int cap = capacity(size);
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, cap);
+        init(cap);
 
         // Read the keys and values, and put the mappings in the table
         for (int i=0; i extends AbstractQueue
         // Read in (and discard) array length
         s.readInt();
 
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
         queue = new Object[size];
 
         // Read in all elements.
diff --git a/jdk/src/java.base/share/classes/java/util/Properties.java b/jdk/src/java.base/share/classes/java/util/Properties.java
index 0b117686ce..8e03ec7627 100644
--- a/jdk/src/java.base/share/classes/java/util/Properties.java
+++ b/jdk/src/java.base/share/classes/java/util/Properties.java
@@ -42,6 +42,7 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 
+import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.xml.PropertiesDefaultHandler;
 
 /**
@@ -1442,6 +1443,16 @@ class Properties extends Hashtable {
             throw new StreamCorruptedException("Illegal # of Elements: " + elements);
         }
 
+        // Constructing the backing map will lazily create an array when the first element is
+        // added, so check it before construction. Note that CHM's constructor takes a size
+        // that is the number of elements to be stored -- not the table size -- so it must be
+        // inflated by the default load factor of 0.75, then inflated to the next power of two.
+        // (CHM uses the same power-of-two computation as HashMap, and HashMap.tableSizeFor is
+        // accessible here.) Check Map.Entry[].class since it's the nearest public type to
+        // what is actually created.
+        SharedSecrets.getJavaObjectInputStreamAccess()
+                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor((int)(elements / 0.75)));
+
         // create CHM of appropriate capacity
         map = new ConcurrentHashMap<>(elements);
 
diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
index 592f9a51cd..ad66f47e27 100644
--- a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
@@ -51,6 +51,7 @@ import java.util.Spliterators;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * A thread-safe variant of {@link java.util.ArrayList} in which all mutative
@@ -933,6 +934,7 @@ public class CopyOnWriteArrayList
 
         // Read in array length and allocate array
         int len = s.readInt();
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, len);
         Object[] elements = new Object[len];
 
         // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
index c344f8adc7..4c734670da 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,17 +25,14 @@
 
 package jdk.internal.misc;
 
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 
 /**
- * The interface to specify methods for accessing {@code ObjectInputStream}
- * @author sjiang
+ * Interface to specify methods for accessing {@code ObjectInputStream}.
  */
+@FunctionalInterface
 public interface JavaObjectInputStreamAccess {
-    /**
-     * Sets a descriptor validating.
-     * @param ois stream to have the descriptors validated
-     * @param validator validator used to validate a descriptor.
-     */
-    public void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator);
+    void checkArray(ObjectInputStream ois, Class arrayType, int arrayLength)
+        throws InvalidClassException;
 }
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java b/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java
deleted file mode 100644
index 2b543a3072..0000000000
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-package jdk.internal.misc;
-
-import java.io.ObjectStreamClass;
-
-/**
- * A callback used by {@code ObjectInputStream} to do descriptor validation.
- *
- * @author sjiang
- */
-public interface ObjectStreamClassValidator {
-    /**
-     * This method will be called by ObjectInputStream to
-     * check a descriptor just before creating an object described by this descriptor.
-     * The object will not be created if this method throws a {@code RuntimeException}.
-     * @param descriptor descriptor to be checked.
-     */
-    public void validateDescriptor(ObjectStreamClass descriptor);
-}
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index cd54d422c2..df48c0873c 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -315,6 +315,17 @@ public class SharedSecrets {
         javaObjectInputStreamAccess = access;
     }
 
+    public static JavaObjectInputStreamAccess getJavaObjectInputStreamAccess() {
+        if (javaObjectInputStreamAccess == null) {
+            unsafe.ensureClassInitialized(ObjectInputStream.class);
+        }
+        return javaObjectInputStreamAccess;
+    }
+
+    public static void setJavaObjectInputStreamAccess(JavaObjectInputStreamAccess access) {
+        javaObjectInputStreamAccess = access;
+    }
+
     public static void setJavaIORandomAccessFileAccess(JavaIORandomAccessFileAccess jirafa) {
         javaIORandomAccessFileAccess = jirafa;
     }
diff --git a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
index 5ce44eba56..362df99767 100644
--- a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
+++ b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
@@ -36,9 +36,11 @@ import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Proxy;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.atomic.LongAdder;
 
 import javax.net.ssl.SSLEngineResult;
@@ -165,6 +167,11 @@ public class SerialFilterTest implements Serializable {
                 interfaces, (p, m, args) -> p);
 
         Runnable runnable = (Runnable & Serializable) SerialFilterTest::noop;
+
+        List> classList = new ArrayList<>();
+        classList.add(HashSet.class);
+        classList.addAll(Collections.nCopies(21, Map.Entry[].class));
+
         Object[][] objects = {
                 { null, 0, -1, 0, 0, 0,
                         Arrays.asList()},        // no callback, no values
@@ -184,8 +191,7 @@ public class SerialFilterTest implements Serializable {
                                 objArray.getClass(),
                                 SerialFilterTest.class,
                                 java.lang.invoke.SerializedLambda.class)},
-                { deepHashSet(10), 48, -1, 50, 11, 619,
-                        Arrays.asList(HashSet.class)},
+                { deepHashSet(10), 69, 4, 50, 11, 619, classList },
                 { proxy.getClass(), 3, -1, 2, 2, 112,
                         Arrays.asList(Runnable.class,
                                 java.lang.reflect.Proxy.class,

From 22d92ff2cf20fb8f78bc3849b8071a953132d3a1 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 23 Aug 2017 09:45:30 -0700
Subject: [PATCH 135/269] 8186674: Remove JDK-8174109 from CPU Aug 21 week
 builds

Backed out changeset 00dc5b33dc56

Reviewed-by: robm
---
 .../classes/java/io/ObjectInputStream.java    | 32 --------------
 .../share/classes/java/util/ArrayDeque.java   |  2 -
 .../share/classes/java/util/ArrayList.java    |  4 +-
 .../share/classes/java/util/HashMap.java      |  7 +---
 .../share/classes/java/util/HashSet.java      | 10 +----
 .../share/classes/java/util/Hashtable.java    |  7 +---
 .../classes/java/util/IdentityHashMap.java    |  7 +---
 .../java/util/ImmutableCollections.java       |  2 -
 .../classes/java/util/PriorityQueue.java      |  4 +-
 .../share/classes/java/util/Properties.java   | 11 -----
 .../util/concurrent/CopyOnWriteArrayList.java |  2 -
 .../misc/JavaObjectInputStreamAccess.java     | 15 ++++---
 .../misc/ObjectStreamClassValidator.java      | 42 +++++++++++++++++++
 .../jdk/internal/misc/SharedSecrets.java      | 11 -----
 .../serialFilter/SerialFilterTest.java        | 10 +----
 15 files changed, 60 insertions(+), 106 deletions(-)
 create mode 100644 jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java

diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
index f80b5902b7..11e33b4e5d 100644
--- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
@@ -44,7 +44,6 @@ import java.util.concurrent.ConcurrentMap;
 
 import static java.io.ObjectStreamClass.processQueue;
 
-import jdk.internal.misc.SharedSecrets;
 import jdk.internal.misc.ObjectStreamClassValidator;
 import jdk.internal.misc.SharedSecrets;
 import jdk.internal.misc.Unsafe;
@@ -1283,33 +1282,6 @@ public class ObjectInputStream
         }
     }
 
-    /**
-     * Checks the given array type and length to ensure that creation of such
-     * an array is permitted by this ObjectInputStream. The arrayType argument
-     * must represent an actual array type.
-     *
-     * This private method is called via SharedSecrets.
-     *
-     * @param arrayType the array type
-     * @param arrayLength the array length
-     * @throws NullPointerException if arrayType is null
-     * @throws IllegalArgumentException if arrayType isn't actually an array type
-     * @throws NegativeArraySizeException if arrayLength is negative
-     * @throws InvalidClassException if the filter rejects creation
-     */
-    private void checkArray(Class arrayType, int arrayLength) throws InvalidClassException {
-        Objects.requireNonNull(arrayType);
-        if (! arrayType.isArray()) {
-            throw new IllegalArgumentException("not an array type");
-        }
-
-        if (arrayLength < 0) {
-            throw new NegativeArraySizeException();
-        }
-
-        filterCheck(arrayType, arrayLength);
-    }
-
     /**
      * Provide access to the persistent fields read from the input stream.
      */
@@ -4010,10 +3982,6 @@ public class ObjectInputStream
         }
     }
 
-    static {
-        SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray);
-    }
-
     private void validateDescriptor(ObjectStreamClass descriptor) {
         ObjectStreamClassValidator validating = validator;
         if (validating != null) {
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
index 9556e90d3a..53cdeffa84 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
@@ -38,7 +38,6 @@ import java.io.Serializable;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@link Deque} interface.  Array
@@ -1196,7 +1195,6 @@ public class ArrayDeque extends AbstractCollection
 
         // Read in size and allocate array
         int size = s.readInt();
-        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size + 1);
         elements = new Object[size + 1];
         this.tail = size;
 
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayList.java b/jdk/src/java.base/share/classes/java/util/ArrayList.java
index 25ca76d8a0..f63ef493dc 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayList.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,6 @@ package java.util;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@code List} interface.  Implements
@@ -817,7 +816,6 @@ public class ArrayList extends AbstractList
 
         if (size > 0) {
             // like clone(), allocate array based upon size not capacity
-            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
             Object[] elements = new Object[size];
 
             // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/java/util/HashMap.java b/jdk/src/java.base/share/classes/java/util/HashMap.java
index 085a688aa8..4f0e8e6c7d 100644
--- a/jdk/src/java.base/share/classes/java/util/HashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/HashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,6 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
 import java.util.function.Function;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * Hash table based implementation of the {@code Map} interface.  This
@@ -1445,10 +1444,6 @@ public class HashMap extends AbstractMap
             float ft = (float)cap * lf;
             threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                          (int)ft : Integer.MAX_VALUE);
-
-            // Check Map.Entry[].class since it's the nearest public type to
-            // what we're actually creating.
-            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, cap);
             @SuppressWarnings({"rawtypes","unchecked"})
                 Node[] tab = (Node[])new Node[cap];
             table = tab;
diff --git a/jdk/src/java.base/share/classes/java/util/HashSet.java b/jdk/src/java.base/share/classes/java/util/HashSet.java
index ec47b914b6..360de8119d 100644
--- a/jdk/src/java.base/share/classes/java/util/HashSet.java
+++ b/jdk/src/java.base/share/classes/java/util/HashSet.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,6 @@
 package java.util;
 
 import java.io.InvalidObjectException;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Set} interface, backed by a hash table
@@ -323,13 +322,6 @@ public class HashSet
         capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                 HashMap.MAXIMUM_CAPACITY);
 
-        // Constructing the backing map will lazily create an array when the first element is
-        // added, so check it before construction. Call HashMap.tableSizeFor to compute the
-        // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
-        // what is actually created.
-        SharedSecrets.getJavaObjectInputStreamAccess()
-                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));
-
         // Create backing HashMap
         map = (((HashSet)this) instanceof LinkedHashSet ?
                new LinkedHashMap<>(capacity, loadFactor) :
diff --git a/jdk/src/java.base/share/classes/java/util/Hashtable.java b/jdk/src/java.base/share/classes/java/util/Hashtable.java
index 77f0facc51..f97303be2b 100644
--- a/jdk/src/java.base/share/classes/java/util/Hashtable.java
+++ b/jdk/src/java.base/share/classes/java/util/Hashtable.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,7 +29,6 @@ import java.io.*;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import java.util.function.BiFunction;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements a hash table, which maps keys to values. Any
@@ -1292,10 +1291,6 @@ public class Hashtable
         if (length > elements && (length & 1) == 0)
             length--;
         length = Math.min(length, origlength);
-
-        // Check Map.Entry[].class since it's the nearest public type to
-        // what we're actually creating.
-        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, length);
         table = new Entry[length];
         threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1);
         count = 0;
diff --git a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
index e48cb354c6..f749774e78 100644
--- a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,7 +29,6 @@ import java.lang.reflect.Array;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Map} interface with a hash table, using
@@ -1305,9 +1304,7 @@ public class IdentityHashMap
         if (size < 0)
             throw new java.io.StreamCorruptedException
                 ("Illegal mappings count: " + size);
-        int cap = capacity(size);
-        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, cap);
-        init(cap);
+        init(capacity(size));
 
         // Read the keys and values, and put the mappings in the table
         for (int i=0; i extends AbstractQueue
         // Read in (and discard) array length
         s.readInt();
 
-        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
         queue = new Object[size];
 
         // Read in all elements.
diff --git a/jdk/src/java.base/share/classes/java/util/Properties.java b/jdk/src/java.base/share/classes/java/util/Properties.java
index 8e03ec7627..0b117686ce 100644
--- a/jdk/src/java.base/share/classes/java/util/Properties.java
+++ b/jdk/src/java.base/share/classes/java/util/Properties.java
@@ -42,7 +42,6 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 
-import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.xml.PropertiesDefaultHandler;
 
 /**
@@ -1443,16 +1442,6 @@ class Properties extends Hashtable {
             throw new StreamCorruptedException("Illegal # of Elements: " + elements);
         }
 
-        // Constructing the backing map will lazily create an array when the first element is
-        // added, so check it before construction. Note that CHM's constructor takes a size
-        // that is the number of elements to be stored -- not the table size -- so it must be
-        // inflated by the default load factor of 0.75, then inflated to the next power of two.
-        // (CHM uses the same power-of-two computation as HashMap, and HashMap.tableSizeFor is
-        // accessible here.) Check Map.Entry[].class since it's the nearest public type to
-        // what is actually created.
-        SharedSecrets.getJavaObjectInputStreamAccess()
-                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor((int)(elements / 0.75)));
-
         // create CHM of appropriate capacity
         map = new ConcurrentHashMap<>(elements);
 
diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
index ad66f47e27..592f9a51cd 100644
--- a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
@@ -51,7 +51,6 @@ import java.util.Spliterators;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
-import jdk.internal.misc.SharedSecrets;
 
 /**
  * A thread-safe variant of {@link java.util.ArrayList} in which all mutative
@@ -934,7 +933,6 @@ public class CopyOnWriteArrayList
 
         // Read in array length and allocate array
         int len = s.readInt();
-        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, len);
         Object[] elements = new Object[len];
 
         // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
index 4c734670da..c344f8adc7 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,14 +25,17 @@
 
 package jdk.internal.misc;
 
-import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 
 /**
- * Interface to specify methods for accessing {@code ObjectInputStream}.
+ * The interface to specify methods for accessing {@code ObjectInputStream}
+ * @author sjiang
  */
-@FunctionalInterface
 public interface JavaObjectInputStreamAccess {
-    void checkArray(ObjectInputStream ois, Class arrayType, int arrayLength)
-        throws InvalidClassException;
+    /**
+     * Sets a descriptor validating.
+     * @param ois stream to have the descriptors validated
+     * @param validator validator used to validate a descriptor.
+     */
+    public void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator);
 }
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java b/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java
new file mode 100644
index 0000000000..2b543a3072
--- /dev/null
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/ObjectStreamClassValidator.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package jdk.internal.misc;
+
+import java.io.ObjectStreamClass;
+
+/**
+ * A callback used by {@code ObjectInputStream} to do descriptor validation.
+ *
+ * @author sjiang
+ */
+public interface ObjectStreamClassValidator {
+    /**
+     * This method will be called by ObjectInputStream to
+     * check a descriptor just before creating an object described by this descriptor.
+     * The object will not be created if this method throws a {@code RuntimeException}.
+     * @param descriptor descriptor to be checked.
+     */
+    public void validateDescriptor(ObjectStreamClass descriptor);
+}
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index df48c0873c..cd54d422c2 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -315,17 +315,6 @@ public class SharedSecrets {
         javaObjectInputStreamAccess = access;
     }
 
-    public static JavaObjectInputStreamAccess getJavaObjectInputStreamAccess() {
-        if (javaObjectInputStreamAccess == null) {
-            unsafe.ensureClassInitialized(ObjectInputStream.class);
-        }
-        return javaObjectInputStreamAccess;
-    }
-
-    public static void setJavaObjectInputStreamAccess(JavaObjectInputStreamAccess access) {
-        javaObjectInputStreamAccess = access;
-    }
-
     public static void setJavaIORandomAccessFileAccess(JavaIORandomAccessFileAccess jirafa) {
         javaIORandomAccessFileAccess = jirafa;
     }
diff --git a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
index 362df99767..5ce44eba56 100644
--- a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
+++ b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
@@ -36,11 +36,9 @@ import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Proxy;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
-import java.util.Map;
 import java.util.concurrent.atomic.LongAdder;
 
 import javax.net.ssl.SSLEngineResult;
@@ -167,11 +165,6 @@ public class SerialFilterTest implements Serializable {
                 interfaces, (p, m, args) -> p);
 
         Runnable runnable = (Runnable & Serializable) SerialFilterTest::noop;
-
-        List> classList = new ArrayList<>();
-        classList.add(HashSet.class);
-        classList.addAll(Collections.nCopies(21, Map.Entry[].class));
-
         Object[][] objects = {
                 { null, 0, -1, 0, 0, 0,
                         Arrays.asList()},        // no callback, no values
@@ -191,7 +184,8 @@ public class SerialFilterTest implements Serializable {
                                 objArray.getClass(),
                                 SerialFilterTest.class,
                                 java.lang.invoke.SerializedLambda.class)},
-                { deepHashSet(10), 69, 4, 50, 11, 619, classList },
+                { deepHashSet(10), 48, -1, 50, 11, 619,
+                        Arrays.asList(HashSet.class)},
                 { proxy.getClass(), 3, -1, 2, 2, 112,
                         Arrays.asList(Runnable.class,
                                 java.lang.reflect.Proxy.class,

From 133b1b1414c20222ca687ee34b741c0bc22c5237 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 23 Aug 2017 14:04:16 -0700
Subject: [PATCH 136/269] Added tag jdk-9.0.3+7 for changeset 434fdbd69f52

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index f11bcb9563..7329c683c0 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -431,3 +431,4 @@ f13da3f2da08667ff74541440bb5d67b2dad1aa9 jdk-9.0.3+3
 d9b9658b2bd59ac9ca9d17209dcc487a9cf4bff2 jdk-9.0.3+4
 e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5
 7b182ade7b8f974be5e459b018e67d1f4440e5f8 jdk-9.0.3+6
+a1b2b4e871fe277827b29ca7356a723599303843 jdk-9.0.3+7

From ebb83a387b0f0366f74e137339401ec12426dff0 Mon Sep 17 00:00:00 2001
From: Rob McKenna 
Date: Thu, 24 Aug 2017 21:14:56 +0100
Subject: [PATCH 137/269] 8174109: Better queuing priorities

Reviewed-by: smarks
---
 .../classes/java/io/ObjectInputStream.java    | 33 ++++++++++++++-
 .../share/classes/java/util/ArrayDeque.java   |  2 +
 .../share/classes/java/util/ArrayList.java    |  4 +-
 .../share/classes/java/util/HashMap.java      |  7 +++-
 .../share/classes/java/util/HashSet.java      | 10 ++++-
 .../share/classes/java/util/Hashtable.java    |  7 +++-
 .../classes/java/util/IdentityHashMap.java    |  7 +++-
 .../java/util/ImmutableCollections.java       |  2 +
 .../classes/java/util/PriorityQueue.java      |  4 +-
 .../share/classes/java/util/Properties.java   | 11 +++++
 .../util/concurrent/CopyOnWriteArrayList.java |  2 +
 .../jdk/internal/misc/JavaOISAccess.java      | 41 +++++++++++++++++++
 .../misc/JavaObjectInputStreamAccess.java     | 15 +++----
 .../jdk/internal/misc/SharedSecrets.java      | 12 ++++++
 .../sun/rmi/server/MarshalInputStream.java    |  2 +-
 .../serialFilter/SerialFilterTest.java        | 10 ++++-
 16 files changed, 149 insertions(+), 20 deletions(-)
 create mode 100644 jdk/src/java.base/share/classes/jdk/internal/misc/JavaOISAccess.java

diff --git a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
index 11e33b4e5d..5911e6d8dd 100644
--- a/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/ObjectInputStream.java
@@ -1282,6 +1282,33 @@ public class ObjectInputStream
         }
     }
 
+    /**
+     * Checks the given array type and length to ensure that creation of such
+     * an array is permitted by this ObjectInputStream. The arrayType argument
+     * must represent an actual array type.
+     *
+     * This private method is called via SharedSecrets.
+     *
+     * @param arrayType the array type
+     * @param arrayLength the array length
+     * @throws NullPointerException if arrayType is null
+     * @throws IllegalArgumentException if arrayType isn't actually an array type
+     * @throws NegativeArraySizeException if arrayLength is negative
+     * @throws InvalidClassException if the filter rejects creation
+     */
+    private void checkArray(Class arrayType, int arrayLength) throws InvalidClassException {
+        Objects.requireNonNull(arrayType);
+        if (! arrayType.isArray()) {
+            throw new IllegalArgumentException("not an array type");
+        }
+
+        if (arrayLength < 0) {
+            throw new NegativeArraySizeException();
+        }
+
+        filterCheck(arrayType, arrayLength);
+    }
+
     /**
      * Provide access to the persistent fields read from the input stream.
      */
@@ -3982,6 +4009,10 @@ public class ObjectInputStream
         }
     }
 
+    static {
+        SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::checkArray);
+    }
+
     private void validateDescriptor(ObjectStreamClass descriptor) {
         ObjectStreamClassValidator validating = validator;
         if (validating != null) {
@@ -3996,6 +4027,6 @@ public class ObjectInputStream
         ois.validator = validator;
     }
     static {
-        SharedSecrets.setJavaObjectInputStreamAccess(ObjectInputStream::setValidator);
+        SharedSecrets.setJavaOISAccess(ObjectInputStream::setValidator);
     }
 }
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
index 53cdeffa84..9556e90d3a 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayDeque.java
@@ -38,6 +38,7 @@ import java.io.Serializable;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@link Deque} interface.  Array
@@ -1195,6 +1196,7 @@ public class ArrayDeque extends AbstractCollection
 
         // Read in size and allocate array
         int size = s.readInt();
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size + 1);
         elements = new Object[size + 1];
         this.tail = size;
 
diff --git a/jdk/src/java.base/share/classes/java/util/ArrayList.java b/jdk/src/java.base/share/classes/java/util/ArrayList.java
index f63ef493dc..25ca76d8a0 100644
--- a/jdk/src/java.base/share/classes/java/util/ArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/ArrayList.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@ package java.util;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Resizable-array implementation of the {@code List} interface.  Implements
@@ -816,6 +817,7 @@ public class ArrayList extends AbstractList
 
         if (size > 0) {
             // like clone(), allocate array based upon size not capacity
+            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
             Object[] elements = new Object[size];
 
             // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/java/util/HashMap.java b/jdk/src/java.base/share/classes/java/util/HashMap.java
index 4f0e8e6c7d..085a688aa8 100644
--- a/jdk/src/java.base/share/classes/java/util/HashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/HashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
 import java.util.function.Function;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * Hash table based implementation of the {@code Map} interface.  This
@@ -1444,6 +1445,10 @@ public class HashMap extends AbstractMap
             float ft = (float)cap * lf;
             threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                          (int)ft : Integer.MAX_VALUE);
+
+            // Check Map.Entry[].class since it's the nearest public type to
+            // what we're actually creating.
+            SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, cap);
             @SuppressWarnings({"rawtypes","unchecked"})
                 Node[] tab = (Node[])new Node[cap];
             table = tab;
diff --git a/jdk/src/java.base/share/classes/java/util/HashSet.java b/jdk/src/java.base/share/classes/java/util/HashSet.java
index 360de8119d..ec47b914b6 100644
--- a/jdk/src/java.base/share/classes/java/util/HashSet.java
+++ b/jdk/src/java.base/share/classes/java/util/HashSet.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package java.util;
 
 import java.io.InvalidObjectException;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Set} interface, backed by a hash table
@@ -322,6 +323,13 @@ public class HashSet
         capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                 HashMap.MAXIMUM_CAPACITY);
 
+        // Constructing the backing map will lazily create an array when the first element is
+        // added, so check it before construction. Call HashMap.tableSizeFor to compute the
+        // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
+        // what is actually created.
+        SharedSecrets.getJavaObjectInputStreamAccess()
+                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));
+
         // Create backing HashMap
         map = (((HashSet)this) instanceof LinkedHashSet ?
                new LinkedHashMap<>(capacity, loadFactor) :
diff --git a/jdk/src/java.base/share/classes/java/util/Hashtable.java b/jdk/src/java.base/share/classes/java/util/Hashtable.java
index f97303be2b..77f0facc51 100644
--- a/jdk/src/java.base/share/classes/java/util/Hashtable.java
+++ b/jdk/src/java.base/share/classes/java/util/Hashtable.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.io.*;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import java.util.function.BiFunction;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements a hash table, which maps keys to values. Any
@@ -1291,6 +1292,10 @@ public class Hashtable
         if (length > elements && (length & 1) == 0)
             length--;
         length = Math.min(length, origlength);
+
+        // Check Map.Entry[].class since it's the nearest public type to
+        // what we're actually creating.
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Map.Entry[].class, length);
         table = new Entry[length];
         threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1);
         count = 0;
diff --git a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
index f749774e78..e48cb354c6 100644
--- a/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
+++ b/jdk/src/java.base/share/classes/java/util/IdentityHashMap.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.lang.reflect.Array;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * This class implements the {@code Map} interface with a hash table, using
@@ -1304,7 +1305,9 @@ public class IdentityHashMap
         if (size < 0)
             throw new java.io.StreamCorruptedException
                 ("Illegal mappings count: " + size);
-        init(capacity(size));
+        int cap = capacity(size);
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, cap);
+        init(cap);
 
         // Read the keys and values, and put the mappings in the table
         for (int i=0; i extends AbstractQueue
         // Read in (and discard) array length
         s.readInt();
 
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);
         queue = new Object[size];
 
         // Read in all elements.
diff --git a/jdk/src/java.base/share/classes/java/util/Properties.java b/jdk/src/java.base/share/classes/java/util/Properties.java
index 0b117686ce..8e03ec7627 100644
--- a/jdk/src/java.base/share/classes/java/util/Properties.java
+++ b/jdk/src/java.base/share/classes/java/util/Properties.java
@@ -42,6 +42,7 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 
+import jdk.internal.misc.SharedSecrets;
 import jdk.internal.util.xml.PropertiesDefaultHandler;
 
 /**
@@ -1442,6 +1443,16 @@ class Properties extends Hashtable {
             throw new StreamCorruptedException("Illegal # of Elements: " + elements);
         }
 
+        // Constructing the backing map will lazily create an array when the first element is
+        // added, so check it before construction. Note that CHM's constructor takes a size
+        // that is the number of elements to be stored -- not the table size -- so it must be
+        // inflated by the default load factor of 0.75, then inflated to the next power of two.
+        // (CHM uses the same power-of-two computation as HashMap, and HashMap.tableSizeFor is
+        // accessible here.) Check Map.Entry[].class since it's the nearest public type to
+        // what is actually created.
+        SharedSecrets.getJavaObjectInputStreamAccess()
+                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor((int)(elements / 0.75)));
+
         // create CHM of appropriate capacity
         map = new ConcurrentHashMap<>(elements);
 
diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
index 592f9a51cd..ad66f47e27 100644
--- a/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
@@ -51,6 +51,7 @@ import java.util.Spliterators;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import jdk.internal.misc.SharedSecrets;
 
 /**
  * A thread-safe variant of {@link java.util.ArrayList} in which all mutative
@@ -933,6 +934,7 @@ public class CopyOnWriteArrayList
 
         // Read in array length and allocate array
         int len = s.readInt();
+        SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, len);
         Object[] elements = new Object[len];
 
         // Read in all elements in the proper order.
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaOISAccess.java b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaOISAccess.java
new file mode 100644
index 0000000000..8e3ea407c3
--- /dev/null
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaOISAccess.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.misc;
+
+import java.io.ObjectInputStream;
+
+/**
+ * The interface to specify methods for accessing {@code ObjectInputStream}
+ * @author sjiang
+ */
+public interface JavaOISAccess {
+    /**
+     * Sets a descriptor validating.
+     * @param ois stream to have the descriptors validated
+     * @param validator validator used to validate a descriptor.
+     */
+    public void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator);
+}
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
index c344f8adc7..4c734670da 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/JavaObjectInputStreamAccess.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,17 +25,14 @@
 
 package jdk.internal.misc;
 
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 
 /**
- * The interface to specify methods for accessing {@code ObjectInputStream}
- * @author sjiang
+ * Interface to specify methods for accessing {@code ObjectInputStream}.
  */
+@FunctionalInterface
 public interface JavaObjectInputStreamAccess {
-    /**
-     * Sets a descriptor validating.
-     * @param ois stream to have the descriptors validated
-     * @param validator validator used to validate a descriptor.
-     */
-    public void setValidator(ObjectInputStream ois, ObjectStreamClassValidator validator);
+    void checkArray(ObjectInputStream ois, Class arrayType, int arrayLength)
+        throws InvalidClassException;
 }
diff --git a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
index cd54d422c2..466bed7275 100644
--- a/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+++ b/jdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
@@ -70,6 +70,7 @@ public class SharedSecrets {
     private static JavaAWTFontAccess javaAWTFontAccess;
     private static JavaBeansAccess javaBeansAccess;
     private static JavaObjectInputStreamAccess javaObjectInputStreamAccess;
+    private static JavaOISAccess javaOISAccess;
     private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
 
     public static JavaUtilJarAccess javaUtilJarAccess() {
@@ -304,6 +305,17 @@ public class SharedSecrets {
         javaUtilResourceBundleAccess = access;
     }
 
+    public static JavaOISAccess getJavaOISAccess() {
+        if (javaObjectInputStreamAccess == null) {
+            unsafe.ensureClassInitialized(ObjectInputStream.class);
+        }
+        return javaOISAccess;
+    }
+
+    public static void setJavaOISAccess(JavaOISAccess access) {
+        javaOISAccess = access;
+    }
+
     public static JavaObjectInputStreamAccess getJavaObjectInputStreamAccess() {
         if (javaObjectInputStreamAccess == null) {
             unsafe.ensureClassInitialized(ObjectInputStream.class);
diff --git a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java
index 2944e5d0f1..5ae0076e3d 100644
--- a/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/server/MarshalInputStream.java
@@ -333,7 +333,7 @@ public class MarshalInputStream extends ObjectInputStream {
 
     synchronized void setStreamChecker(StreamChecker checker) {
         streamChecker = checker;
-        SharedSecrets.getJavaObjectInputStreamAccess().setValidator(this, checker);
+        SharedSecrets.getJavaOISAccess().setValidator(this, checker);
     }
     @Override
     protected ObjectStreamClass readClassDescriptor() throws IOException,
diff --git a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
index 5ce44eba56..362df99767 100644
--- a/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
+++ b/jdk/test/java/io/Serializable/serialFilter/SerialFilterTest.java
@@ -36,9 +36,11 @@ import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Proxy;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.atomic.LongAdder;
 
 import javax.net.ssl.SSLEngineResult;
@@ -165,6 +167,11 @@ public class SerialFilterTest implements Serializable {
                 interfaces, (p, m, args) -> p);
 
         Runnable runnable = (Runnable & Serializable) SerialFilterTest::noop;
+
+        List> classList = new ArrayList<>();
+        classList.add(HashSet.class);
+        classList.addAll(Collections.nCopies(21, Map.Entry[].class));
+
         Object[][] objects = {
                 { null, 0, -1, 0, 0, 0,
                         Arrays.asList()},        // no callback, no values
@@ -184,8 +191,7 @@ public class SerialFilterTest implements Serializable {
                                 objArray.getClass(),
                                 SerialFilterTest.class,
                                 java.lang.invoke.SerializedLambda.class)},
-                { deepHashSet(10), 48, -1, 50, 11, 619,
-                        Arrays.asList(HashSet.class)},
+                { deepHashSet(10), 69, 4, 50, 11, 619, classList },
                 { proxy.getClass(), 3, -1, 2, 2, 112,
                         Arrays.asList(Runnable.class,
                                 java.lang.reflect.Proxy.class,

From 375c0be03885e7a7eb0ed083337391924b9a4ec4 Mon Sep 17 00:00:00 2001
From: Valerie Peng 
Date: Thu, 13 Jul 2017 20:41:59 +0000
Subject: [PATCH 138/269] 8181048: Refactor existing providers to refer to the
 same constants for default values for key length

Reviewed-by: mullan, ahgross
---
 .../crypto/provider/DHKeyPairGenerator.java   |   8 +-
 .../crypto/provider/DHParameterGenerator.java |   7 +-
 .../provider/DSAKeyPairGenerator.java         | 139 ++++++++++--------
 .../provider/DSAParameterGenerator.java       |  46 +++---
 .../sun/security/provider/SunEntries.java     |  12 +-
 .../sun/security/rsa/RSAKeyPairGenerator.java |   5 +-
 .../sun/security/tools/keytool/Main.java      |  10 +-
 .../util/SecurityProviderConstants.java       | 131 +++++++++++++++++
 .../security/pkcs11/P11KeyPairGenerator.java  |  16 +-
 .../sun/security/ec/ECKeyPairGenerator.java   |   6 +-
 .../security/mscapi/RSAKeyPairGenerator.java  |   8 +-
 jdk/test/java/security/Signature/Offsets.java |  11 +-
 .../java/security/SignedObject/Chain.java     |  23 ++-
 .../DSA/TestAlgParameterGenerator.java        |   5 +-
 .../provider/DSA/TestKeyPairGenerator.java    |   7 +-
 .../DSA/TestLegacyDSAKeyPairGenerator.java    |  84 +++++++++++
 16 files changed, 380 insertions(+), 138 deletions(-)
 create mode 100644 jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
 create mode 100644 jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java

diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
index 2322741110..3399cc5a3a 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@ import javax.crypto.spec.DHParameterSpec;
 import javax.crypto.spec.DHGenParameterSpec;
 
 import sun.security.provider.ParameterCache;
+import static sun.security.util.SecurityProviderConstants.DEF_DH_KEY_SIZE;
 
 /**
  * This class represents the key pair generator for Diffie-Hellman key pairs.
@@ -42,8 +43,7 @@ import sun.security.provider.ParameterCache;
  * 
      
  * 
    • By providing the size in bits of the prime modulus -
  * This will be used to create a prime modulus and base generator, which will
- * then be used to create the Diffie-Hellman key pair. The default size of the
- * prime modulus is 2048 bits.
+ * then be used to create the Diffie-Hellman key pair.
  * 
    • By providing a prime modulus and base generator
  * 
    
  *
@@ -68,7 +68,7 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
 
     public DHKeyPairGenerator() {
         super();
-        initialize(2048, null);
+        initialize(DEF_DH_KEY_SIZE, null);
     }
 
     private static void checkKeySize(int keysize)
diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
index f8001b5ab2..293dfd895a 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,8 @@ import java.security.spec.*;
 import javax.crypto.spec.DHParameterSpec;
 import javax.crypto.spec.DHGenParameterSpec;
 
+import static sun.security.util.SecurityProviderConstants.DEF_DH_KEY_SIZE;
+
 /*
  * This class generates parameters for the Diffie-Hellman algorithm.
  * The parameters are a prime, a base, and optionally the length in bits of
@@ -38,7 +40,6 @@ import javax.crypto.spec.DHGenParameterSpec;
  *
  * 
    The Diffie-Hellman parameter generation accepts the size in bits of the
  * prime modulus and the size in bits of the random exponent as input.
- * The size of the prime modulus defaults to 2048 bits.
  *
  * @author Jan Luehe
  *
@@ -50,7 +51,7 @@ import javax.crypto.spec.DHGenParameterSpec;
 public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
 
     // The size in bits of the prime modulus
-    private int primeSize = 2048;
+    private int primeSize = DEF_DH_KEY_SIZE;
 
     // The size in bits of the random exponent (private value)
     private int exponentSize = 0;
diff --git a/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java b/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java
index f162b595f4..50d9bcc2bc 100644
--- a/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java
+++ b/jdk/src/java.base/share/classes/sun/security/provider/DSAKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,8 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.DSAParameterSpec;
 
 import sun.security.jca.JCAUtil;
+import static sun.security.util.SecurityProviderConstants.DEF_DSA_KEY_SIZE;
+import static sun.security.util.SecurityProviderConstants.getDefDSASubprimeSize;
 
 /**
  * This class generates DSA key parameters and public/private key
@@ -45,15 +47,14 @@ import sun.security.jca.JCAUtil;
  * @author Andreas Sterbenz
  *
  */
-public class DSAKeyPairGenerator extends KeyPairGenerator
-        implements java.security.interfaces.DSAKeyPairGenerator {
+class DSAKeyPairGenerator extends KeyPairGenerator {
 
     /* Length for prime P and subPrime Q in bits */
     private int plen;
     private int qlen;
 
     /* whether to force new parameters to be generated for each KeyPair */
-    private boolean forceNewParameters;
+    boolean forceNewParameters;
 
     /* preset algorithm parameters. */
     private DSAParameterSpec params;
@@ -61,9 +62,9 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
     /* The source of random bits to use */
     private SecureRandom random;
 
-    public DSAKeyPairGenerator() {
+    DSAKeyPairGenerator(int defaultKeySize) {
         super("DSA");
-        initialize(1024, null);
+        initialize(defaultKeySize, null);
     }
 
     private static void checkStrength(int sizeP, int sizeQ) {
@@ -84,61 +85,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
     }
 
     public void initialize(int modlen, SecureRandom random) {
-        // generate new parameters when no precomputed ones available.
-        initialize(modlen, true, random);
-        this.forceNewParameters = false;
-    }
-
-    /**
-     * Initializes the DSA key pair generator. If genParams
-     * is false, a set of pre-computed parameters is used.
-     */
-    @Override
-    public void initialize(int modlen, boolean genParams, SecureRandom random)
-            throws InvalidParameterException {
-
-        int subPrimeLen = -1;
-        if (modlen <= 1024) {
-            subPrimeLen = 160;
-        } else if (modlen == 2048) {
-            subPrimeLen = 224;
-        } else if (modlen == 3072) {
-            subPrimeLen = 256;
-        }
-        checkStrength(modlen, subPrimeLen);
-        if (genParams) {
-            params = null;
-        } else {
-            params = ParameterCache.getCachedDSAParameterSpec(modlen,
-                subPrimeLen);
-            if (params == null) {
-                throw new InvalidParameterException
-                    ("No precomputed parameters for requested modulus size "
-                     + "available");
-            }
-
-        }
-        this.plen = modlen;
-        this.qlen = subPrimeLen;
-        this.random = random;
-        this.forceNewParameters = genParams;
-    }
-
-    /**
-     * Initializes the DSA object using a DSA parameter object.
-     *
-     * @param params a fully initialized DSA parameter object.
-     */
-    @Override
-    public void initialize(DSAParams params, SecureRandom random)
-            throws InvalidParameterException {
-
-        if (params == null) {
-            throw new InvalidParameterException("Params must not be null");
-        }
-        DSAParameterSpec spec = new DSAParameterSpec
-                                (params.getP(), params.getQ(), params.getG());
-        initialize0(spec, random);
+        init(modlen, random, false);
     }
 
     /**
@@ -157,10 +104,21 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
             throw new InvalidAlgorithmParameterException
                 ("Inappropriate parameter");
         }
-        initialize0((DSAParameterSpec)params, random);
+        init((DSAParameterSpec)params, random, false);
     }
 
-    private void initialize0(DSAParameterSpec params, SecureRandom random) {
+    void init(int modlen, SecureRandom random, boolean forceNew) {
+        int subPrimeLen = getDefDSASubprimeSize(modlen);
+        checkStrength(modlen, subPrimeLen);
+        this.plen = modlen;
+        this.qlen = subPrimeLen;
+        this.params = null;
+        this.random = random;
+        this.forceNewParameters = forceNew;
+    }
+
+    void init(DSAParameterSpec params, SecureRandom random,
+        boolean forceNew) {
         int sizeP = params.getP().bitLength();
         int sizeQ = params.getQ().bitLength();
         checkStrength(sizeP, sizeQ);
@@ -168,7 +126,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
         this.qlen = sizeQ;
         this.params = params;
         this.random = random;
-        this.forceNewParameters = false;
+        this.forceNewParameters = forceNew;
     }
 
     /**
@@ -197,7 +155,7 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
         return generateKeyPair(spec.getP(), spec.getQ(), spec.getG(), random);
     }
 
-    public KeyPair generateKeyPair(BigInteger p, BigInteger q, BigInteger g,
+    private KeyPair generateKeyPair(BigInteger p, BigInteger q, BigInteger g,
                                    SecureRandom random) {
 
         BigInteger x = generateX(random, q);
@@ -252,4 +210,55 @@ public class DSAKeyPairGenerator extends KeyPairGenerator
         return y;
     }
 
+    public static final class Current extends DSAKeyPairGenerator {
+        public Current() {
+            super(DEF_DSA_KEY_SIZE);
+        }
+    }
+
+    public static final class Legacy extends DSAKeyPairGenerator
+        implements java.security.interfaces.DSAKeyPairGenerator {
+
+        public Legacy() {
+            super(1024);
+        }
+
+        /**
+         * Initializes the DSA key pair generator. If genParams
+         * is false, a set of pre-computed parameters is used.
+         */
+        @Override
+        public void initialize(int modlen, boolean genParams,
+            SecureRandom random) throws InvalidParameterException {
+            if (genParams) {
+                super.init(modlen, random, true);
+            } else {
+                DSAParameterSpec cachedParams =
+                    ParameterCache.getCachedDSAParameterSpec(modlen,
+                        getDefDSASubprimeSize(modlen));
+                if (cachedParams == null) {
+                    throw new InvalidParameterException
+                        ("No precomputed parameters for requested modulus" +
+                         " size available");
+                }
+                super.init(cachedParams, random, false);
+            }
+        }
+
+        /**
+         * Initializes the DSA object using a DSA parameter object.
+         *
+         * @param params a fully initialized DSA parameter object.
+         */
+        @Override
+        public void initialize(DSAParams params, SecureRandom random)
+            throws InvalidParameterException {
+            if (params == null) {
+                throw new InvalidParameterException("Params must not be null");
+             }
+             DSAParameterSpec spec = new DSAParameterSpec
+                 (params.getP(), params.getQ(), params.getG());
+             super.init(spec, random, false);
+        }
+    }
 }
diff --git a/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java b/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java
index 220b5989f5..8c8ca9b42d 100644
--- a/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java
+++ b/jdk/src/java.base/share/classes/sun/security/provider/DSAParameterGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,15 +34,18 @@ import java.security.NoSuchProviderException;
 import java.security.InvalidParameterException;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
+import java.security.ProviderException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.DSAParameterSpec;
 import java.security.spec.DSAGenParameterSpec;
 
+import static sun.security.util.SecurityProviderConstants.DEF_DSA_KEY_SIZE;
+import static sun.security.util.SecurityProviderConstants.getDefDSASubprimeSize;
+
+
 /**
- * This class generates parameters for the DSA algorithm. It uses a default
- * prime modulus size of 1024 bits, which can be overwritten during
- * initialization.
+ * This class generates parameters for the DSA algorithm.
  *
  * @author Jan Luehe
  *
@@ -56,10 +59,6 @@ import java.security.spec.DSAGenParameterSpec;
 
 public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
 
-    // the default parameters
-    private static final DSAGenParameterSpec DEFAULTS =
-        new DSAGenParameterSpec(1024, 160, 160);
-
     // the length of prime P, subPrime Q, and seed in bits
     private int valueL = -1;
     private int valueN = -1;
@@ -80,18 +79,14 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
      */
     @Override
     protected void engineInit(int strength, SecureRandom random) {
-        if ((strength >= 512) && (strength <= 1024) && (strength % 64 == 0)) {
-            this.valueN = 160;
-        } else if (strength == 2048) {
-            this.valueN = 224;
-        } else if (strength == 3072) {
-            this.valueN = 256;
-        } else {
+        if ((strength != 2048) && (strength != 3072) &&
+            ((strength < 512) || (strength > 1024) || (strength % 64 != 0))) {
             throw new InvalidParameterException(
-                "Unexpected strength (size of prime): " + strength + ". " +
-                "Prime size should be 512 - 1024, or 2048, 3072");
+                "Unexpected strength (size of prime): " + strength +
+                ". Prime size should be 512-1024, 2048, or 3072");
         }
         this.valueL = strength;
+        this.valueN = getDefDSASubprimeSize(strength);
         this.seedLen = valueN;
         this.random = random;
     }
@@ -110,7 +105,6 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
     @Override
     protected void engineInit(AlgorithmParameterSpec genParamSpec,
             SecureRandom random) throws InvalidAlgorithmParameterException {
-
         if (!(genParamSpec instanceof DSAGenParameterSpec)) {
             throw new InvalidAlgorithmParameterException("Invalid parameter");
         }
@@ -136,11 +130,7 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
                 this.random = new SecureRandom();
             }
             if (valueL == -1) {
-                try {
-                    engineInit(DEFAULTS, this.random);
-                } catch (InvalidAlgorithmParameterException iape) {
-                    // should never happen
-                }
+                engineInit(DEF_DSA_KEY_SIZE, this.random);
             }
             BigInteger[] pAndQ = generatePandQ(this.random, valueL,
                                                valueN, seedLen);
@@ -206,13 +196,17 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
         int b = (valueL - 1) % outLen;
         byte[] seedBytes = new byte[seedLen/8];
         BigInteger twoSl = BigInteger.TWO.pow(seedLen);
-        int primeCertainty = 80; // for 1024-bit prime P
-        if (valueL == 2048) {
+        int primeCertainty = -1;
+        if (valueL <= 1024) {
+            primeCertainty = 80;
+        } else if (valueL == 2048) {
             primeCertainty = 112;
         } else if (valueL == 3072) {
             primeCertainty = 128;
         }
-
+        if (primeCertainty < 0) {
+            throw new ProviderException("Invalid valueL: " + valueL);
+        }
         BigInteger resultP, resultQ, seed = null;
         int counter;
         while (true) {
diff --git a/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java b/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 31164695ec..f440f1556c 100644
--- a/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ b/jdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.io.*;
 import java.net.*;
 import java.util.Map;
 import java.security.*;
+import sun.security.action.GetPropertyAction;
 
 /**
  * Defines the entries of the SUN provider.
@@ -74,6 +75,10 @@ import java.security.*;
 
 final class SunEntries {
 
+    private static final boolean useLegacyDSA =
+        Boolean.parseBoolean(GetPropertyAction.privilegedGetProperty
+            ("jdk.security.legacyDSAKeyPairGenerator"));
+
     private SunEntries() {
         // empty
     }
@@ -174,8 +179,9 @@ final class SunEntries {
         /*
          *  Key Pair Generator engines
          */
-        map.put("KeyPairGenerator.DSA",
-            "sun.security.provider.DSAKeyPairGenerator");
+        String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+        dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+        map.put("KeyPairGenerator.DSA", dsaKPGImplClass);
         map.put("Alg.Alias.KeyPairGenerator.OID.1.2.840.10040.4.1", "DSA");
         map.put("Alg.Alias.KeyPairGenerator.1.2.840.10040.4.1", "DSA");
         map.put("Alg.Alias.KeyPairGenerator.1.3.14.3.2.12", "DSA");
diff --git a/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java b/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java
index 0901e4c7af..6ad77b5236 100644
--- a/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java
+++ b/jdk/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@ import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.RSAKeyGenParameterSpec;
 
 import sun.security.jca.JCAUtil;
+import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE;
 
 /**
  * RSA keypair generation. Standard algorithm, minimum key length 512 bit.
@@ -55,7 +56,7 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
 
     public RSAKeyPairGenerator() {
         // initialize to default in case the app does not call initialize()
-        initialize(2048, null);
+        initialize(DEF_RSA_KEY_SIZE, null);
     }
 
     // initialize the generator. See JCA doc
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
index 3fc3769cff..f9188dd787 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -74,6 +74,7 @@ import sun.security.pkcs10.PKCS10Attribute;
 import sun.security.provider.X509Factory;
 import sun.security.provider.certpath.ssl.SSLServerCertStore;
 import sun.security.util.Password;
+import sun.security.util.SecurityProviderConstants;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
@@ -1783,9 +1784,12 @@ public final class Main {
     {
         if (keysize == -1) {
             if ("EC".equalsIgnoreCase(keyAlgName)) {
-                keysize = 256;
-            } else {
-                keysize = 2048;     // RSA and DSA
+                keysize = SecurityProviderConstants.DEF_EC_KEY_SIZE;
+            } else if ("RSA".equalsIgnoreCase(keyAlgName)) {
+                keysize = SecurityProviderConstants.DEF_RSA_KEY_SIZE;
+            } else if ("DSA".equalsIgnoreCase(keyAlgName)) {
+                // hardcode for now as DEF_DSA_KEY_SIZE is still 1024
+                keysize = 2048; // SecurityProviderConstants.DEF_DSA_KEY_SIZE;
             }
         }
 
diff --git a/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
new file mode 100644
index 0000000000..16499519b5
--- /dev/null
+++ b/jdk/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.util.regex.PatternSyntaxException;
+import java.security.InvalidParameterException;
+import sun.security.action.GetPropertyAction;
+
+/**
+ * Various constants such as version number, default key length, used by
+ * the JDK security/crypto providers.
+ */
+public final class SecurityProviderConstants {
+    private static final Debug debug =
+        Debug.getInstance("jca", "ProviderConfig");
+
+    // Cannot create one of these
+    private SecurityProviderConstants () {
+    }
+
+    public static final int getDefDSASubprimeSize(int primeSize) {
+        if (primeSize <= 1024) {
+            return 160;
+        } else if (primeSize == 2048) {
+            return 224;
+        } else if (primeSize == 3072) {
+            return 256;
+        } else {
+            throw new InvalidParameterException("Invalid DSA Prime Size: " +
+                primeSize);
+        }
+    }
+
+    public static final int DEF_DSA_KEY_SIZE;
+    public static final int DEF_RSA_KEY_SIZE;
+    public static final int DEF_DH_KEY_SIZE;
+    public static final int DEF_EC_KEY_SIZE;
+
+    private static final String KEY_LENGTH_PROP =
+        "jdk.security.defaultKeySize";
+    static {
+        String keyLengthStr = GetPropertyAction.privilegedGetProperty
+            (KEY_LENGTH_PROP);
+        int dsaKeySize = 1024;
+        int rsaKeySize = 2048;
+        int dhKeySize = 2048;
+        int ecKeySize = 256;
+
+        if (keyLengthStr != null) {
+            try {
+                String[] pairs = keyLengthStr.split(",");
+                for (String p : pairs) {
+                    String[] algoAndValue = p.split(":");
+                    if (algoAndValue.length != 2) {
+                        // invalid pair, skip to next pair
+                        if (debug != null) {
+                            debug.println("Ignoring invalid pair in " +
+                                KEY_LENGTH_PROP + " property: " + p);
+                        }
+                        continue;
+                    }
+                    String algoName = algoAndValue[0].trim().toUpperCase();
+                    int value = -1;
+                    try {
+                        value = Integer.parseInt(algoAndValue[1].trim());
+                    } catch (NumberFormatException nfe) {
+                        // invalid value, skip to next pair
+                        if (debug != null) {
+                            debug.println("Ignoring invalid value in " +
+                                KEY_LENGTH_PROP + " property: " + p);
+                        }
+                        continue;
+                    }
+                    if (algoName.equals("DSA")) {
+                        dsaKeySize = value;
+                    } else if (algoName.equals("RSA")) {
+                        rsaKeySize = value;
+                    } else if (algoName.equals("DH")) {
+                        dhKeySize = value;
+                    } else if (algoName.equals("EC")) {
+                        ecKeySize = value;
+                    } else {
+                        if (debug != null) {
+                            debug.println("Ignoring unsupported algo in " +
+                                KEY_LENGTH_PROP + " property: " + p);
+                        }
+                        continue;
+                    }
+                    if (debug != null) {
+                        debug.println("Overriding default " + algoName +
+                            " keysize with value from " +
+                            KEY_LENGTH_PROP + " property: " + value);
+                    }
+                }
+            } catch (PatternSyntaxException pse) {
+                // if property syntax is not followed correctly
+                if (debug != null) {
+                    debug.println("Unexpected exception while parsing " +
+                        KEY_LENGTH_PROP + " property: " + pse);
+                }
+            }
+        }
+        DEF_DSA_KEY_SIZE = dsaKeySize;
+        DEF_RSA_KEY_SIZE = rsaKeySize;
+        DEF_DH_KEY_SIZE = dhKeySize;
+        DEF_EC_KEY_SIZE = ecKeySize;
+    }
+}
diff --git a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
index 3aa2e69103..e3f867248b 100644
--- a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
+++ b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,11 +33,13 @@ import java.security.spec.*;
 import javax.crypto.spec.DHParameterSpec;
 
 import sun.security.provider.ParameterCache;
+import static sun.security.util.SecurityProviderConstants.*;
 
 import static sun.security.pkcs11.TemplateManager.*;
 import sun.security.pkcs11.wrapper.*;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
 
+
 import sun.security.rsa.RSAKeyFactory;
 
 /**
@@ -98,7 +100,7 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi {
         // override lower limit to disallow unsecure keys being generated
         // override upper limit to deter DOS attack
         if (algorithm.equals("EC")) {
-            keySize = 256;
+            keySize = DEF_EC_KEY_SIZE;
             if ((minKeyLen == -1) || (minKeyLen < 112)) {
                 minKeyLen = 112;
             }
@@ -107,13 +109,11 @@ final class P11KeyPairGenerator extends KeyPairGeneratorSpi {
             }
         } else {
             if (algorithm.equals("DSA")) {
-                // keep default keysize at 1024 since larger keysizes may be
-                // incompatible with SHA1withDSA and SHA-2 Signature algs
-                // may not be supported by native pkcs11 implementations
-                keySize = 1024;
+                keySize = DEF_DSA_KEY_SIZE;
+            } else if (algorithm.equals("RSA")) {
+                keySize = DEF_RSA_KEY_SIZE;
             } else {
-                // RSA and DH
-                keySize = 2048;
+                keySize = DEF_DH_KEY_SIZE;
             }
             if ((minKeyLen == -1) || (minKeyLen < 512)) {
                 minKeyLen = 512;
diff --git a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java
index 2df53fb60e..c96806ab8c 100644
--- a/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java
+++ b/jdk/src/jdk.crypto.ec/share/classes/sun/security/ec/ECKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@ import sun.security.ec.ECPublicKeyImpl;
 import sun.security.jca.JCAUtil;
 import sun.security.util.ECParameters;
 import sun.security.util.ECUtil;
+import static sun.security.util.SecurityProviderConstants.DEF_EC_KEY_SIZE;
 
 /**
  * EC keypair generator.
@@ -48,7 +49,6 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi {
 
     private static final int KEY_SIZE_MIN = 112; // min bits (see ecc_impl.h)
     private static final int KEY_SIZE_MAX = 571; // max bits (see ecc_impl.h)
-    private static final int KEY_SIZE_DEFAULT = 256;
 
     // used to seed the keypair generator
     private SecureRandom random;
@@ -64,7 +64,7 @@ public final class ECKeyPairGenerator extends KeyPairGeneratorSpi {
      */
     public ECKeyPairGenerator() {
         // initialize to default in case the app does not call initialize()
-        initialize(KEY_SIZE_DEFAULT, null);
+        initialize(DEF_EC_KEY_SIZE, null);
     }
 
     // initialize the generator. See JCA doc
diff --git a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java
index f28e5cb513..d4f509058f 100644
--- a/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java
+++ b/jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,7 @@ import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.RSAKeyGenParameterSpec;
 
 import sun.security.rsa.RSAKeyFactory;
+import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE;
 
 /**
  * RSA keypair generator.
@@ -45,14 +46,13 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
     // Supported by Microsoft Base, Strong and Enhanced Cryptographic Providers
     static final int KEY_SIZE_MIN = 512; // disallow MSCAPI min. of 384
     static final int KEY_SIZE_MAX = 16384;
-    private static final int KEY_SIZE_DEFAULT = 2048;
 
     // size of the key to generate, KEY_SIZE_MIN <= keySize <= KEY_SIZE_MAX
     private int keySize;
 
     public RSAKeyPairGenerator() {
         // initialize to default in case the app does not call initialize()
-        initialize(KEY_SIZE_DEFAULT, null);
+        initialize(DEF_RSA_KEY_SIZE, null);
     }
 
     // initialize the generator. See JCA doc
@@ -76,7 +76,7 @@ public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
 
         int tmpSize;
         if (params == null) {
-            tmpSize = KEY_SIZE_DEFAULT;
+            tmpSize = DEF_RSA_KEY_SIZE;
         } else if (params instanceof RSAKeyGenParameterSpec) {
 
             if (((RSAKeyGenParameterSpec) params).getPublicExponent() != null) {
diff --git a/jdk/test/java/security/Signature/Offsets.java b/jdk/test/java/security/Signature/Offsets.java
index 9e71690ea4..1db510dd6c 100644
--- a/jdk/test/java/security/Signature/Offsets.java
+++ b/jdk/test/java/security/Signature/Offsets.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,7 @@ import jdk.testlibrary.RandomFactory;
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8181048
  * @key randomness
  * @summary This test validates signature verification
  *          Signature.verify(byte[], int, int). The test uses RandomFactory to
@@ -105,18 +105,25 @@ public class Offsets {
         Signature signature = Signature.getInstance(algorithm, provider);
 
         String keyAlgo;
+        int keySize = 2048;
         if (algorithm.contains("RSA")) {
             keyAlgo = "RSA";
         } else if (algorithm.contains("ECDSA")) {
             keyAlgo = "EC";
+            keySize = 256;
         } else if (algorithm.contains("DSA")) {
             keyAlgo = "DSA";
+            if (algorithm.startsWith("SHAwith") ||
+                    algorithm.startsWith("SHA1with")) {
+                keySize = 1024;
+            }
         } else {
             throw new RuntimeException("Test doesn't support this signature "
                     + "algorithm: " + algorithm);
         }
 
         KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyAlgo, provider);
+        kpg.initialize(keySize);
         KeyPair kp = kpg.generateKeyPair();
         PublicKey pubkey = kp.getPublic();
         PrivateKey privkey = kp.getPrivate();
diff --git a/jdk/test/java/security/SignedObject/Chain.java b/jdk/test/java/security/SignedObject/Chain.java
index 65e1ebbd7f..3c9bad3dd1 100644
--- a/jdk/test/java/security/SignedObject/Chain.java
+++ b/jdk/test/java/security/SignedObject/Chain.java
@@ -32,7 +32,7 @@ import java.util.Arrays;
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8181048
  * @summary Verify a chain of signed objects
  */
 public class Chain {
@@ -97,22 +97,28 @@ public class Chain {
         final Provider provider;
         final KeyAlg keyAlg;
         final SigAlg sigAlg;
+        final int keySize;
 
-        Test(SigAlg sigAlg, KeyAlg keyAlg, Provider privider) {
-            this.provider = privider;
+        Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider) {
+            this(sigAlg, keyAlg, provider, -1);
+        }
+
+        Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider, int keySize) {
+            this.provider = provider;
             this.keyAlg = keyAlg;
             this.sigAlg = sigAlg;
+            this.keySize = keySize;
         }
     }
 
     private static final Test[] tests = {
-        new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Default),
+        new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Default, 1024),
         new Test(SigAlg.MD2withRSA, KeyAlg.RSA, Provider.Default),
         new Test(SigAlg.MD5withRSA, KeyAlg.RSA, Provider.Default),
         new Test(SigAlg.SHA1withRSA, KeyAlg.RSA, Provider.Default),
-        new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Sun),
-        new Test(SigAlg.SHA224withDSA, KeyAlg.DSA, Provider.Sun),
-        new Test(SigAlg.SHA256withDSA, KeyAlg.DSA, Provider.Sun),
+        new Test(SigAlg.SHA1withDSA, KeyAlg.DSA, Provider.Sun, 1024),
+        new Test(SigAlg.SHA224withDSA, KeyAlg.DSA, Provider.Sun, 2048),
+        new Test(SigAlg.SHA256withDSA, KeyAlg.DSA, Provider.Sun, 2048),
     };
 
     private static final String str = "to-be-signed";
@@ -148,6 +154,9 @@ public class Chain {
                 kpg = KeyPairGenerator.getInstance(test.keyAlg.name);
             }
             for (int j=0; j < N; j++) {
+                if (test.keySize != -1) {
+                    kpg.initialize(test.keySize);
+                }
                 KeyPair kp = kpg.genKeyPair();
                 KeyPair anotherKp = kpg.genKeyPair();
                 privKeys[j] = kp.getPrivate();
diff --git a/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java b/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java
index 10af679486..cf39a5bab5 100644
--- a/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java
+++ b/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
  /*
  * @test
- * @bug 7044060 8055351
+ * @bug 7044060 8055351 8181048
  * @summary verify that DSA parameter generation works
  * @run main/timeout=600 TestAlgParameterGenerator
  */
@@ -81,7 +81,6 @@ public class TestAlgParameterGenerator {
         AlgorithmParameters param = apg.generateParameters();
         stop = System.currentTimeMillis();
         System.out.println("Time: " + (stop - start) + " ms.");
-        checkParamStrength(param, 1024);
 
         // make sure the old model works
         int[] strengths = {512, 768, 1024};
diff --git a/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java b/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java
index bfd47b23ad..105c50015d 100644
--- a/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java
+++ b/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 4800108 8072452
+ * @bug 4800108 8072452 8181048
  * @summary verify that precomputed DSA parameters are always used (512, 768,
  *          1024, 2048, 3072 bit)
  * @run main/othervm/timeout=15 TestKeyPairGenerator
@@ -59,15 +59,12 @@ public class TestKeyPairGenerator {
         // on JDKs that do not have the fix
         kpg = KeyPairGenerator.getInstance("DSA", "SUN");
         kp = kpg.generateKeyPair();
-        checkKeyLength(kp, 1024);
 
         kpg = KeyPairGenerator.getInstance("DSA", "SUN");
         kp = kpg.generateKeyPair();
-        checkKeyLength(kp, 1024);
 
         // some other basic tests
         kp = kpg.generateKeyPair();
-        checkKeyLength(kp, 1024);
 
         kpg.initialize(1024);
         kp = kpg.generateKeyPair();
diff --git a/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java b/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java
new file mode 100644
index 0000000000..5b4f902aff
--- /dev/null
+++ b/jdk/test/sun/security/provider/DSA/TestLegacyDSAKeyPairGenerator.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8181048
+ * @summary verify that when the returned DSA KeyPairGenerator is
+ * an instance of java.security.interfaces.DSAKeyPairGenerator,
+ * the behavior is compliant with the javadoc spec.
+ * @run main/othervm -Djdk.security.legacyDSAKeyPairGenerator=tRUe TestLegacyDSAKeyPairGenerator
+ */
+
+import java.security.*;
+import java.security.interfaces.*;
+
+public class TestLegacyDSAKeyPairGenerator {
+
+    private static void checkKeyLength(KeyPair kp, int len) throws Exception {
+        DSAPublicKey key = (DSAPublicKey)kp.getPublic();
+        int n = key.getParams().getP().bitLength();
+        System.out.println("Key length: " + n);
+        if (len != n) {
+            throw new Exception("Wrong key length");
+        }
+    }
+
+    public static void main(String[] args) throws Exception {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "SUN");
+        // check the returned object implements the legacy interface
+        if (!(kpg instanceof DSAKeyPairGenerator)) {
+            throw new Exception("Should be an instance of DSAKeyPairGenerator");
+        }
+        System.out.println("Returned an instance of DSAKeyPairGenerator");
+        // check the default key size is 1024 when initiaize(..) is not called
+        KeyPair kp1 = kpg.generateKeyPair();
+        checkKeyLength(kp1, 1024);
+        KeyPair kp2 = kpg.generateKeyPair();
+        checkKeyLength(kp2, 1024);
+        System.out.println("Used 1024 default key size");
+
+        // check kp1 and kp2 uses the same DSA parameters p, q, g
+        DSAParams param1 = ((DSAPublicKey)kp1.getPublic()).getParams();
+        DSAParams param2 = ((DSAPublicKey)kp2.getPublic()).getParams();
+        if ((param1.getP().compareTo(param2.getP()) != 0) ||
+            (param1.getQ().compareTo(param2.getQ()) != 0) ||
+            (param1.getG().compareTo(param2.getG()) != 0)) {
+            throw new RuntimeException("Key params mismatch");
+        }
+        System.out.println("Used same default params");
+
+        // check that the documented exception is thrown if no cached parameters
+        int sizeNotInCache = (1024 - 64);
+        try {
+            ((DSAKeyPairGenerator)kpg).initialize(sizeNotInCache, false, null);
+            throw new RuntimeException("Expected IPE not thrown");
+        } catch (InvalidParameterException ipe) {
+            System.out.println("Throwed expected IPE");
+        }
+        ((DSAKeyPairGenerator)kpg).initialize(sizeNotInCache, true, null);
+        KeyPair kp = kpg.generateKeyPair();
+        checkKeyLength(kp, sizeNotInCache);
+        System.out.println("Generated requested key size");
+    }
+}

From 31f940c40e750dd13fd7b0b20f2f228978e2f120 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 18 Jul 2017 11:29:04 -0700
Subject: [PATCH 139/269] Added tag jdk-9.0.3+1 for changeset 5fed84dc4015

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index ff96d642ab..5133cf6565 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -421,3 +421,4 @@ b25838a28195f4b6dab34668411eedd2d366a16c jdk-9+169
 8f7227c6012b0051ea4e0bcee040c627bf699b88 jdk-9+175
 84777531d994ef70163d35078ec9c4127f2eadb5 jdk-9+176
 a4371edb589c60db01142e45c317adb9ccbcb083 jdk-9+177
+d73368c690d4f1ab188cf306f4b27218e28596b6 jdk-9.0.3+1

From 2f0c61adb54c5cea9c78ac3eedbf48b95d0d1fff Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 18 Jul 2017 11:29:14 -0700
Subject: [PATCH 140/269] Added tag jdk-9.0.3+1 for changeset 8a7a23ea057d

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index b5dd62b87b..4d33f52878 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -421,3 +421,4 @@ c62e5964cfcf144d8f72e9ba69757897785349a9 jdk-9+171
 dc78a3dd6b3a4f11cdae8a3e3d160e6a78bc7838 jdk-9+175
 40fb9f229471ef357d493813d34b15afcce9f32b jdk-9+176
 c72e9d3823f04cb3ef3166646dfea9e4c2769133 jdk-9+177
+53ba069e7f46ad62c8db049be90a2974dfc638e0 jdk-9.0.3+1

From 52002d7b8b4788d9f0b26030565b1eb9a1b423c3 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 19 Jul 2017 14:35:55 -0700
Subject: [PATCH 141/269] Added tag jdk-9.0.3+2 for changeset d5ea0b7d394f

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 5133cf6565..98383eb91c 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -422,3 +422,4 @@ b25838a28195f4b6dab34668411eedd2d366a16c jdk-9+169
 84777531d994ef70163d35078ec9c4127f2eadb5 jdk-9+176
 a4371edb589c60db01142e45c317adb9ccbcb083 jdk-9+177
 d73368c690d4f1ab188cf306f4b27218e28596b6 jdk-9.0.3+1
+ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2

From da602c76f9b51c882d15761b7a4c440cdb313dc2 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 19 Jul 2017 14:36:05 -0700
Subject: [PATCH 142/269] Added tag jdk-9.0.3+2 for changeset bdbb7b7b7c30

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 4d33f52878..887176f7c5 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -422,3 +422,4 @@ dc78a3dd6b3a4f11cdae8a3e3d160e6a78bc7838 jdk-9+175
 40fb9f229471ef357d493813d34b15afcce9f32b jdk-9+176
 c72e9d3823f04cb3ef3166646dfea9e4c2769133 jdk-9+177
 53ba069e7f46ad62c8db049be90a2974dfc638e0 jdk-9.0.3+1
+862693aa58490d65f1050d8d6b49d1abb40433b8 jdk-9.0.3+2

From c100fe78ffecc6d57c97d82f9e7b90e5499956bb Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 25 Jul 2017 22:23:24 -0700
Subject: [PATCH 143/269] Added tag jdk-9.0.3+3 for changeset 8f3ee827b926

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 98383eb91c..fe5166c727 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -423,3 +423,4 @@ b25838a28195f4b6dab34668411eedd2d366a16c jdk-9+169
 a4371edb589c60db01142e45c317adb9ccbcb083 jdk-9+177
 d73368c690d4f1ab188cf306f4b27218e28596b6 jdk-9.0.3+1
 ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
+086e9950ebfa8a0239018ade61f59b7c539bacc9 jdk-9.0.3+3

From 79b6479f5a1ac47c4deaf6c662e9be68d70315b3 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 25 Jul 2017 22:23:41 -0700
Subject: [PATCH 144/269] Added tag jdk-9.0.3+3 for changeset dec687523ce6

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 887176f7c5..560e2ebe3f 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -423,3 +423,4 @@ dc78a3dd6b3a4f11cdae8a3e3d160e6a78bc7838 jdk-9+175
 c72e9d3823f04cb3ef3166646dfea9e4c2769133 jdk-9+177
 53ba069e7f46ad62c8db049be90a2974dfc638e0 jdk-9.0.3+1
 862693aa58490d65f1050d8d6b49d1abb40433b8 jdk-9.0.3+2
+34504835797ff6c671720590636b65395d392e9e jdk-9.0.3+3

From f32a298e8ff14a1c2a7d0a3414e2db15cf64373e Mon Sep 17 00:00:00 2001
From: Phil Race 
Date: Thu, 3 Aug 2017 18:56:57 +0000
Subject: [PATCH 145/269] Added tag jdk-9+181 for changeset d677cdee547b

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 3e06b395fe..408222359c 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -583,3 +583,4 @@ e64b1cb48d6e7703928a9d1da106fc27f8cb65fd jdk-9+173
 9d032191f82fca5ba0aac98682f69c4ff0f1283d jdk-9+178
 d2661aa42bff322badbe6c1337fc638d2e0f5730 jdk-9+179
 d7baadc223e790c08bc69bf7e553bce65b4e7e40 jdk-9+180
+4a443796f6f57842d6a0434ac27ca3d1033ccc20 jdk-9+181

From f5491c069f44b7b4238033f43bfb58ad0ff89e99 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:22:23 -0700
Subject: [PATCH 146/269] Added tag jdk-9.0.3+1 for changeset 54dba938ad31

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index f88b074111..2e75534a40 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -581,3 +581,4 @@ ca47dcfdd35129fe3ab2dab71b2601d7a0ff07c0 jdk-9.0.3+00
 8f04d457168b9f1f4a1b2c37f49e0513ca9d33a7 jdk-9+175
 2ab74e5dbdc2b6a962c865500cafd23cf387dc60 jdk-9+176
 1ca8f038fceb88c640badf9bd18905205bc63b43 jdk-9+177
+8297b62a7b62bafe42c7d567a5752f7a82bafab8 jdk-9.0.3+1

From 193544e19f6a195d245c4b54b25774d93b9f1255 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:22:45 -0700
Subject: [PATCH 147/269] Added tag jdk-9.0.3+2 for changeset d1de7f1a35de

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 2e75534a40..cf1c633305 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -582,3 +582,4 @@ ca47dcfdd35129fe3ab2dab71b2601d7a0ff07c0 jdk-9.0.3+00
 2ab74e5dbdc2b6a962c865500cafd23cf387dc60 jdk-9+176
 1ca8f038fceb88c640badf9bd18905205bc63b43 jdk-9+177
 8297b62a7b62bafe42c7d567a5752f7a82bafab8 jdk-9.0.3+1
+d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2

From 26698105e5b075505eec7d3223cb0d4331508212 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:23:01 -0700
Subject: [PATCH 148/269] Added tag jdk-9.0.3+3 for changeset ff9ae7d32100

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index cf1c633305..0c43cddfdb 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -583,3 +583,4 @@ ca47dcfdd35129fe3ab2dab71b2601d7a0ff07c0 jdk-9.0.3+00
 1ca8f038fceb88c640badf9bd18905205bc63b43 jdk-9+177
 8297b62a7b62bafe42c7d567a5752f7a82bafab8 jdk-9.0.3+1
 d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
+68f9ff7c5eedfd41f9c10959e41024efbd3aa79c jdk-9.0.3+3

From 0e0229a9b1016b732b4ac5c1666f156e667c29a6 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:27:51 -0700
Subject: [PATCH 149/269] Added tag jdk-9.0.3+4 for changeset 95070aeed40e

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index b9d434b54e..f672a7be38 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -588,3 +588,4 @@ d7baadc223e790c08bc69bf7e553bce65b4e7e40 jdk-9+180
 8297b62a7b62bafe42c7d567a5752f7a82bafab8 jdk-9.0.3+1
 d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
 68f9ff7c5eedfd41f9c10959e41024efbd3aa79c jdk-9.0.3+3
+82584ea6464de2e0a59e9fc00173e18a85dc45d8 jdk-9.0.3+4

From 490b565abfa515db526adff1e444aef1f9fdb5e9 Mon Sep 17 00:00:00 2001
From: Harold Seigel 
Date: Wed, 26 Jul 2017 11:45:53 -0400
Subject: [PATCH 150/269] 8180711: Better invokespecial checks

Reviewed-by: acorn, ahgross, rhalade
---
 .../src/share/vm/interpreter/linkResolver.cpp | 24 +++++++++----------
 .../src/share/vm/interpreter/linkResolver.hpp |  9 ++++---
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/hotspot/src/share/vm/interpreter/linkResolver.cpp b/hotspot/src/share/vm/interpreter/linkResolver.cpp
index d7ae64effe..2d323cd7d3 100644
--- a/hotspot/src/share/vm/interpreter/linkResolver.cpp
+++ b/hotspot/src/share/vm/interpreter/linkResolver.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1061,11 +1061,7 @@ void LinkResolver::resolve_special_call(CallInfo& result,
                                         const LinkInfo& link_info,
                                         TRAPS) {
   methodHandle resolved_method = linktime_resolve_special_method(link_info, CHECK);
-  runtime_resolve_special_method(result, resolved_method,
-                                 link_info.resolved_klass(),
-                                 link_info.current_klass(),
-                                 recv,
-                                 link_info.check_access(), CHECK);
+  runtime_resolve_special_method(result, link_info, resolved_method, recv, CHECK);
 }
 
 // throws linktime exceptions
@@ -1148,11 +1144,11 @@ methodHandle LinkResolver::linktime_resolve_special_method(const LinkInfo& link_
 
 // throws runtime exceptions
 void LinkResolver::runtime_resolve_special_method(CallInfo& result,
+                                                  const LinkInfo& link_info,
                                                   const methodHandle& resolved_method,
-                                                  KlassHandle resolved_klass,
-                                                  KlassHandle current_klass,
-                                                  Handle recv,
-                                                  bool check_access, TRAPS) {
+                                                  Handle recv, TRAPS) {
+
+  KlassHandle resolved_klass = link_info.resolved_klass();
 
   // resolved method is selected method unless we have an old-style lookup
   // for a superclass method
@@ -1160,12 +1156,13 @@ void LinkResolver::runtime_resolve_special_method(CallInfo& result,
   // no checks for shadowing
   methodHandle sel_method(THREAD, resolved_method());
 
-  if (check_access &&
+  if (link_info.check_access() &&
       // check if the method is not 
       resolved_method->name() != vmSymbols::object_initializer_name()) {
 
-  // check if this is an old-style super call and do a new lookup if so
+     // check if this is an old-style super call and do a new lookup if so
         // a) check if ACC_SUPER flag is set for the current class
+    KlassHandle current_klass = link_info.current_klass();
     if ((current_klass->is_super() || !AllowNonVirtualCalls) &&
         // b) check if the class of the resolved_klass is a superclass
         // (not supertype in order to exclude interface classes) of the current class.
@@ -1185,6 +1182,9 @@ void LinkResolver::runtime_resolve_special_method(CallInfo& result,
                   Method::name_and_sig_as_C_string(resolved_klass(),
                                             resolved_method->name(),
                                             resolved_method->signature()));
+      // check loader constraints if found a different method
+      } else if (sel_method() != resolved_method()) {
+        check_method_loader_constraints(link_info, sel_method, "method", CHECK);
       }
     }
 
diff --git a/hotspot/src/share/vm/interpreter/linkResolver.hpp b/hotspot/src/share/vm/interpreter/linkResolver.hpp
index 2f14496bb0..7192b8c133 100644
--- a/hotspot/src/share/vm/interpreter/linkResolver.hpp
+++ b/hotspot/src/share/vm/interpreter/linkResolver.hpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -227,11 +227,10 @@ class LinkResolver: AllStatic {
   static methodHandle linktime_resolve_interface_method (const LinkInfo& link_info, TRAPS);
 
   static void runtime_resolve_special_method    (CallInfo& result,
+                                                 const LinkInfo& link_info,
                                                  const methodHandle& resolved_method,
-                                                 KlassHandle resolved_klass,
-                                                 KlassHandle current_klass,
-                                                 Handle recv,
-                                                 bool check_access, TRAPS);
+                                                 Handle recv, TRAPS);
+
   static void runtime_resolve_virtual_method    (CallInfo& result,
                                                  const methodHandle& resolved_method,
                                                  KlassHandle resolved_klass,

From be37b08f7e96d0b9af0a4d58cdb73f6c347fd498 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 2 Aug 2017 12:31:03 -0700
Subject: [PATCH 151/269] 8185725: Update milestone to fcs for 9.0.3+4

Reviewed-by: ctornqvi
---
 common/conf/jib-profiles.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index bad4544d17..cef2b553e7 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -1200,7 +1200,7 @@ var versionArgs = function(input, common) {
     if (input.build_type == "promoted") {
         args = concat(args,
                       // This needs to be changed when we start building release candidates
-                      "--with-version-pre=ea",
+                      "--with-version-pre=fcs",
                       "--without-version-opt");
     } else {
         args = concat(args, "--with-version-opt=" + common.build_id);

From 32fab364826272411829e8fd2656bedf7a6aeb62 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Thu, 3 Aug 2017 11:39:25 -0700
Subject: [PATCH 152/269] Added tag jdk-9.0.3+4 for changeset 41bc968df10d

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 78824be4a3..de42348e25 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -427,3 +427,4 @@ d2982a786f53814367698e63efe6349c9128e1db jdk-9+180
 d73368c690d4f1ab188cf306f4b27218e28596b6 jdk-9.0.3+1
 ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
 086e9950ebfa8a0239018ade61f59b7c539bacc9 jdk-9.0.3+3
+2c95bee2722f2396b709b384473c07291a7d1e4b jdk-9.0.3+4

From d6ec60dc3848045b2c695c5aa74d3eaadd093f86 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Thu, 3 Aug 2017 11:39:41 -0700
Subject: [PATCH 153/269] Added tag jdk-9.0.3+4 for changeset 9c51d3980ab2

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 6b9912909e..6981a17ade 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -427,3 +427,4 @@ c72e9d3823f04cb3ef3166646dfea9e4c2769133 jdk-9+177
 53ba069e7f46ad62c8db049be90a2974dfc638e0 jdk-9.0.3+1
 862693aa58490d65f1050d8d6b49d1abb40433b8 jdk-9.0.3+2
 34504835797ff6c671720590636b65395d392e9e jdk-9.0.3+3
+9d0501a9354d061b7e17a306dc0acc4676024c25 jdk-9.0.3+4

From 5255225debf63a61ad4f353cf02bd92eb00f9515 Mon Sep 17 00:00:00 2001
From: Phil Race 
Date: Thu, 3 Aug 2017 18:56:56 +0000
Subject: [PATCH 154/269] Added tag jdk-9+181 for changeset 1d17536e8d8b

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 07b5d34491..59ffd206b6 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -423,3 +423,4 @@ a4371edb589c60db01142e45c317adb9ccbcb083 jdk-9+177
 ec4159ebe7050fcc5dcee8a2d150cf948ecc97db jdk-9+178
 252475ccfd84cc249f8d6faf4b7806b5e2c384ce jdk-9+179
 d2982a786f53814367698e63efe6349c9128e1db jdk-9+180
+b656dea9398ef601f7fc08d1a5157a560e0ccbe0 jdk-9+181

From 8c6dedd086cd94170a05da9f33933813c940d2d5 Mon Sep 17 00:00:00 2001
From: Phil Race 
Date: Thu, 3 Aug 2017 18:56:56 +0000
Subject: [PATCH 155/269] Added tag jdk-9+181 for changeset 5cd8072203ac

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 688de6cbf1..c7fb6d371d 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -423,3 +423,4 @@ c72e9d3823f04cb3ef3166646dfea9e4c2769133 jdk-9+177
 9c1e9712648921ae389d623042d22561fad82d75 jdk-9+178
 24390da83c5ee9e23ceafbcaff4460a01e37bb3a jdk-9+179
 6ce6cb8ff41c71c49f23b15e0f0468aca5d52b17 jdk-9+180
+ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181

From c8bb0832cfc69395152d2ba334eb362ec06474d4 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 8 Aug 2017 10:10:38 -0700
Subject: [PATCH 156/269] Added tag jdk-9.0.3+5 for changeset c951805d6ae6

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 6bb07193f7..348e26fce3 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -429,3 +429,4 @@ d73368c690d4f1ab188cf306f4b27218e28596b6 jdk-9.0.3+1
 ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
 086e9950ebfa8a0239018ade61f59b7c539bacc9 jdk-9.0.3+3
 2c95bee2722f2396b709b384473c07291a7d1e4b jdk-9.0.3+4
+d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5

From 1b833488ceb3dae37fcf2287814706e70dc69c43 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 8 Aug 2017 10:10:52 -0700
Subject: [PATCH 157/269] Added tag jdk-9.0.3+5 for changeset ffe6fb8e065c

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 6025d87c12..20db76b4c5 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -429,3 +429,4 @@ ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181
 862693aa58490d65f1050d8d6b49d1abb40433b8 jdk-9.0.3+2
 34504835797ff6c671720590636b65395d392e9e jdk-9.0.3+3
 9d0501a9354d061b7e17a306dc0acc4676024c25 jdk-9.0.3+4
+23f00502db730453c28633bc62071030ae1f28c5 jdk-9.0.3+5

From d4171f028b8a520145e34e79d555dcd7e507a6c4 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 15 Aug 2017 14:58:18 -0700
Subject: [PATCH 158/269] Added tag jdk-9.0.3+6 for changeset a1db0be0495f

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 348e26fce3..13616106ba 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -430,3 +430,4 @@ ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
 086e9950ebfa8a0239018ade61f59b7c539bacc9 jdk-9.0.3+3
 2c95bee2722f2396b709b384473c07291a7d1e4b jdk-9.0.3+4
 d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
+489c57f8e1c0f6fa34de86f8ed8f98a809cba4a9 jdk-9.0.3+6

From 2a8c4b15d48c34595df7efa299e21cff8f304a95 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 15 Aug 2017 14:58:31 -0700
Subject: [PATCH 159/269] Added tag jdk-9.0.3+6 for changeset 9ae4eada72fe

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 20db76b4c5..3bacc15568 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -430,3 +430,4 @@ ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181
 34504835797ff6c671720590636b65395d392e9e jdk-9.0.3+3
 9d0501a9354d061b7e17a306dc0acc4676024c25 jdk-9.0.3+4
 23f00502db730453c28633bc62071030ae1f28c5 jdk-9.0.3+5
+db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6

From 7292b0d05cf99a9207b0c39b98fc4fc4b7c594e2 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 22 Aug 2017 11:11:50 -0700
Subject: [PATCH 160/269] 8185964: 9.0.3 fcs 4 bundle names looks incorrect

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index cef2b553e7..2232b5140a 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -1200,7 +1200,7 @@ var versionArgs = function(input, common) {
     if (input.build_type == "promoted") {
         args = concat(args,
                       // This needs to be changed when we start building release candidates
-                      "--with-version-pre=fcs",
+                      "--with-version-pre=",
                       "--without-version-opt");
     } else {
         args = concat(args, "--with-version-opt=" + common.build_id);

From 1b1c5c9b413492bf1e359cf3406f6e4bee044d98 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 23 Aug 2017 13:44:21 -0700
Subject: [PATCH 161/269] 8185928: Generate OpenJDK builds for Mac platform JDK
 9.0.3 and beyond in Mach 5

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 46 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 2232b5140a..5d5f53bc50 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -814,6 +814,49 @@ var getJibProfilesProfiles = function (input, common, data) {
             }
         },
 
+        "macosx-x64-open": {
+            artifacts: {
+                jdk: {
+                    local: "bundles/\\(jdk.*bin.tar.gz\\)",
+                    remote: [
+                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                            + "_osx-x64_bin.tar.gz",
+                        "bundles/openjdk/GPL/osx-x64/\\1"
+                    ],
+                    subdir: "jdk-" + data.version
+                },
+                jre: {
+                    local: "bundles/\\(jre.*bin.tar.gz\\)",
+                    remote: "bundles/openjdk/GPL/osx-x64/\\1",
+                },
+                test: {
+                    local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
+                    remote: [
+                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                            + "_osx-x64_bin-tests.tar.gz",
+                        "bundles/openjdk/GPL/osx-x64/\\1"
+                    ]
+                },
+                jdk_symbols: {
+                    local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
+                    remote: [
+                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                            + "_osx-x64_bin-symbols.tar.gz",
+                        "bundles/openjdk/GPL/osx-x64/\\1"
+                    ],
+                    subdir: "jdk-" + data.version
+                },
+                jre_symbols: {
+                    local: "bundles/\\(jre.*bin-symbols.tar.gz\\)",
+                    remote: "bundles/openjdk/GPL/osx-x64/\\1",
+                },
+                doc_api_spec: {
+                    local: "bundles/\\(jdk.*doc-api-spec.tar.gz\\)",
+                    remote: "bundles/openjdk/GPL/osx-x64/\\1",
+                },
+            }
+        },
+
         "windows-x86-open": {
             artifacts: {
                 jdk: {
@@ -880,10 +923,11 @@ var getJibProfilesProfiles = function (input, common, data) {
     profiles["linux-x64-ri"] = clone(profiles["linux-x64-open"]);
     profiles["linux-x86-ri"] = clone(profiles["linux-x86-open"]);
     profiles["linux-x86-ri-debug"] = clone(profiles["linux-x86-open-debug"]);
+    profiles["macosx-x64-ri"] = clone(profiles["macosx-x64-open"]);
     profiles["windows-x86-ri"] = clone(profiles["windows-x86-open"]);
 
     // Generate artifacts for ri profiles
-    [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "windows-x86-ri" ]
+    [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "macosx-x64-ri", "windows-x86-ri" ]
         .forEach(function (name) {
             // Rewrite all remote dirs to "bundles/openjdk/BCL/..."
             for (artifactName in profiles[name].artifacts) {

From 9018cdef4a063931d019f55d1bb48562ebab23b4 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 23 Aug 2017 14:02:56 -0700
Subject: [PATCH 162/269] Added tag jdk-9.0.3+7 for changeset a19281428ab7

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 3bacc15568..7fdc6a72ec 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -431,3 +431,4 @@ ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181
 9d0501a9354d061b7e17a306dc0acc4676024c25 jdk-9.0.3+4
 23f00502db730453c28633bc62071030ae1f28c5 jdk-9.0.3+5
 db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6
+6189293024ef2e419b54392b37ad14e8b8670ab9 jdk-9.0.3+7

From 0b07a4f541df89593e0139ecf5e2db73fb612280 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 23 Aug 2017 14:08:07 -0700
Subject: [PATCH 163/269] Added tag jdk-9.0.3+7 for changeset f94029f43907

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 13616106ba..88f2b64c53 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -431,3 +431,4 @@ ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
 2c95bee2722f2396b709b384473c07291a7d1e4b jdk-9.0.3+4
 d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
 489c57f8e1c0f6fa34de86f8ed8f98a809cba4a9 jdk-9.0.3+6
+9d5aca497123931d52625b3539a8549d98728622 jdk-9.0.3+7

From d1e310c1eb87c27fdc003f43e2a5ed8f103e3035 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 29 Aug 2017 10:35:53 -0700
Subject: [PATCH 164/269] Added tag jdk-9.0.3+8 for changeset 30b925f57e23

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 88f2b64c53..6201113b4d 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -432,3 +432,4 @@ ede48839f34b0b74210e2e081872a3c12d5339ab jdk-9.0.3+2
 d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
 489c57f8e1c0f6fa34de86f8ed8f98a809cba4a9 jdk-9.0.3+6
 9d5aca497123931d52625b3539a8549d98728622 jdk-9.0.3+7
+eaa4ea516c7f1e31c8e0faaec3ef981eb2919ae3 jdk-9.0.3+8

From 154d59ca9c68142d87a233d703f39bf183115f87 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 29 Aug 2017 10:36:04 -0700
Subject: [PATCH 165/269] Added tag jdk-9.0.3+8 for changeset 3723243789e5

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 7fdc6a72ec..10ff54abc6 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -432,3 +432,4 @@ ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181
 23f00502db730453c28633bc62071030ae1f28c5 jdk-9.0.3+5
 db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6
 6189293024ef2e419b54392b37ad14e8b8670ab9 jdk-9.0.3+7
+b69fd398311af4f5d2b67b27c0bfa5622f971ec1 jdk-9.0.3+8

From c6900223e1105556a61cdf6ca90bda1d4639b37b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 29 Aug 2017 10:37:16 -0700
Subject: [PATCH 166/269] Added tag jdk-9.0.3+8 for changeset ad4c89185b9f

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 7329c683c0..066014275c 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -432,3 +432,4 @@ d9b9658b2bd59ac9ca9d17209dcc487a9cf4bff2 jdk-9.0.3+4
 e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5
 7b182ade7b8f974be5e459b018e67d1f4440e5f8 jdk-9.0.3+6
 a1b2b4e871fe277827b29ca7356a723599303843 jdk-9.0.3+7
+a33a03d42ff990b1041bf0f86dc90c1964e2d214 jdk-9.0.3+8

From e2a33c672a5aaf0d3d646dec741ededef3400ce2 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Sep 2017 18:50:26 -0700
Subject: [PATCH 167/269] Added tag jdk-9.0.3+9 for changeset 4752bbed1565

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 6201113b4d..fcaa87f013 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -433,3 +433,4 @@ d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
 489c57f8e1c0f6fa34de86f8ed8f98a809cba4a9 jdk-9.0.3+6
 9d5aca497123931d52625b3539a8549d98728622 jdk-9.0.3+7
 eaa4ea516c7f1e31c8e0faaec3ef981eb2919ae3 jdk-9.0.3+8
+a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9

From 7b44a83574bab1169be325dd9646482a58051a71 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Sep 2017 18:50:38 -0700
Subject: [PATCH 168/269] Added tag jdk-9.0.3+9 for changeset 08491d46ec29

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 10ff54abc6..36de8c5cab 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -433,3 +433,4 @@ ba71941ad9dba53b8fffb30602ef673eee88696c jdk-9+181
 db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6
 6189293024ef2e419b54392b37ad14e8b8670ab9 jdk-9.0.3+7
 b69fd398311af4f5d2b67b27c0bfa5622f971ec1 jdk-9.0.3+8
+e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9

From dae5560e9e6170d7d0082d3f3e063f6eafbae16b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Sep 2017 18:52:02 -0700
Subject: [PATCH 169/269] Added tag jdk-9.0.3+9 for changeset ede5dbde3a47

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 066014275c..aa75b47a2b 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -433,3 +433,4 @@ e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5
 7b182ade7b8f974be5e459b018e67d1f4440e5f8 jdk-9.0.3+6
 a1b2b4e871fe277827b29ca7356a723599303843 jdk-9.0.3+7
 a33a03d42ff990b1041bf0f86dc90c1964e2d214 jdk-9.0.3+8
+a120deff1775a5107cac1ccdf40fb41df0612f7e jdk-9.0.3+9

From bd56503ad69bfef7bfb156f13603a37cf038c04d Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 18 Sep 2017 12:27:50 -0700
Subject: [PATCH 170/269] Added tag jdk-9.0.1+10 for changeset 76f9ff4aadd8

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index fcaa87f013..f9e40cf7f8 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -434,3 +434,4 @@ d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
 9d5aca497123931d52625b3539a8549d98728622 jdk-9.0.3+7
 eaa4ea516c7f1e31c8e0faaec3ef981eb2919ae3 jdk-9.0.3+8
 a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
+9acb1002f33e257e932a188632969e45cc32e66c jdk-9.0.1+10

From 1deeaa495e9ba79a22d2394fc4bbe367278ab458 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 18 Sep 2017 12:28:08 -0700
Subject: [PATCH 171/269] Added tag jdk-9.0.1+10 for changeset e9491f2ca8d9

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 36de8c5cab..8f318edd6e 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -434,3 +434,4 @@ db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6
 6189293024ef2e419b54392b37ad14e8b8670ab9 jdk-9.0.3+7
 b69fd398311af4f5d2b67b27c0bfa5622f971ec1 jdk-9.0.3+8
 e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9
+97fad1859593b8f8b445d170f412870bf0aceff4 jdk-9.0.1+10

From 6d079f0d754733c298b2242954c2dc1aecdb6b24 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 18 Sep 2017 12:29:33 -0700
Subject: [PATCH 172/269] Added tag jdk-9.0.1+10 for changeset a369361cb0ce

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index aa75b47a2b..9b020108c0 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -434,3 +434,4 @@ e884b64ff38e744760402a3315816a6d74e01719 jdk-9.0.3+5
 a1b2b4e871fe277827b29ca7356a723599303843 jdk-9.0.3+7
 a33a03d42ff990b1041bf0f86dc90c1964e2d214 jdk-9.0.3+8
 a120deff1775a5107cac1ccdf40fb41df0612f7e jdk-9.0.3+9
+aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10

From 1c6fb06205fd548955e641ece34332c660154eba Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 19 Sep 2017 19:49:08 -0700
Subject: [PATCH 173/269] 8187701: Remove and retag jdk-9.0.1+10 to include fix
 JDK-8187664

Reviewed-by: erikj
---
 .hgtags-top-repo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index f9e40cf7f8..423e13b926 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -435,3 +435,5 @@ d24281b60e0bb6d441ec3a9440e7daa322bbc822 jdk-9.0.3+5
 eaa4ea516c7f1e31c8e0faaec3ef981eb2919ae3 jdk-9.0.3+8
 a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 9acb1002f33e257e932a188632969e45cc32e66c jdk-9.0.1+10
+9acb1002f33e257e932a188632969e45cc32e66c jdk-9.0.1+10
+0000000000000000000000000000000000000000 jdk-9.0.1+10

From 0c957445e3b03e681d0b914f4f0d46e7c82a41bb Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 19 Sep 2017 19:51:28 -0700
Subject: [PATCH 174/269] 8187664: The built-out bundle names of JDK 9.0.1
 forest are still 9.0.3

Reviewed-by: erikj
---
 common/autoconf/version-numbers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/autoconf/version-numbers b/common/autoconf/version-numbers
index 268e66b71a..81a5937ec2 100644
--- a/common/autoconf/version-numbers
+++ b/common/autoconf/version-numbers
@@ -27,7 +27,7 @@
 
 DEFAULT_VERSION_MAJOR=9
 DEFAULT_VERSION_MINOR=0
-DEFAULT_VERSION_SECURITY=3
+DEFAULT_VERSION_SECURITY=1
 DEFAULT_VERSION_PATCH=0
 
 LAUNCHER_NAME=openjdk

From 2bdd8b4511b56ece825d3b8d07e85cb012654c61 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 19 Sep 2017 19:51:54 -0700
Subject: [PATCH 175/269] Added tag jdk-9.0.1+10 for changeset 2971fa72b5db

---
 .hgtags-top-repo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 423e13b926..4b8ef168c0 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -437,3 +437,5 @@ a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 9acb1002f33e257e932a188632969e45cc32e66c jdk-9.0.1+10
 9acb1002f33e257e932a188632969e45cc32e66c jdk-9.0.1+10
 0000000000000000000000000000000000000000 jdk-9.0.1+10
+0000000000000000000000000000000000000000 jdk-9.0.1+10
+5a9191c980ca3ada63b234e2b9ec6dc23bd37595 jdk-9.0.1+10

From f284e124ddcce7ffedd7dd5d98166a5f64aa9861 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:30:25 -0700
Subject: [PATCH 176/269] Added tag jdk-9.0.3+5 for changeset 139d89c6b048

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index f672a7be38..1af1ce72a4 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -589,3 +589,4 @@ d7baadc223e790c08bc69bf7e553bce65b4e7e40 jdk-9+180
 d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
 68f9ff7c5eedfd41f9c10959e41024efbd3aa79c jdk-9.0.3+3
 82584ea6464de2e0a59e9fc00173e18a85dc45d8 jdk-9.0.3+4
+c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5

From 5c38bf340845db201e566cf447cd349abca8a4d1 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:30:45 -0700
Subject: [PATCH 177/269] Added tag jdk-9.0.3+6 for changeset 6de81878f6ee

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 1af1ce72a4..76905a31f4 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -590,3 +590,4 @@ d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
 68f9ff7c5eedfd41f9c10959e41024efbd3aa79c jdk-9.0.3+3
 82584ea6464de2e0a59e9fc00173e18a85dc45d8 jdk-9.0.3+4
 c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5
+4c0248d117fabf46c5931cdd09e543c3d89b68a5 jdk-9.0.3+6

From 9c211d847867386e916c2b4850d932e6f4718540 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:31:00 -0700
Subject: [PATCH 178/269] Added tag jdk-9.0.3+7 for changeset dca097dcc381

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 76905a31f4..6e7fa88356 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -591,3 +591,4 @@ d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
 82584ea6464de2e0a59e9fc00173e18a85dc45d8 jdk-9.0.3+4
 c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5
 4c0248d117fabf46c5931cdd09e543c3d89b68a5 jdk-9.0.3+6
+fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7

From 3fad6e6ee86a214f67ebbd4b2661917a20216529 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:31:16 -0700
Subject: [PATCH 179/269] Added tag jdk-9.0.3+8 for changeset 84013199bb19

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 6e7fa88356..87adeadce4 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -592,3 +592,4 @@ d2efdbb193a02613867c8949f783d2905f7a28fc jdk-9.0.3+2
 c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5
 4c0248d117fabf46c5931cdd09e543c3d89b68a5 jdk-9.0.3+6
 fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7
+1f5a9c0ddb4b8da443f70fc5d135b320f6e0b78a jdk-9.0.3+8

From d74d386f67ffd0ade1d0d3b210e81b780c56a1d8 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:31:53 -0700
Subject: [PATCH 180/269] Added tag jdk-9.0.3+9 for changeset ce237c180a82

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 87adeadce4..bda7a4a29a 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -593,3 +593,4 @@ c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5
 4c0248d117fabf46c5931cdd09e543c3d89b68a5 jdk-9.0.3+6
 fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7
 1f5a9c0ddb4b8da443f70fc5d135b320f6e0b78a jdk-9.0.3+8
+a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9

From 63e6f9430abb33c38036ab823e1796cc28882b89 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 11:32:14 -0700
Subject: [PATCH 181/269] Added tag jdk-9.0.1+10 for changeset 637a012a7118

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index bda7a4a29a..4c4f73cacc 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -594,3 +594,4 @@ c45e75533bae7b5db5c626bf9233b4226934d582 jdk-9.0.3+5
 fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7
 1f5a9c0ddb4b8da443f70fc5d135b320f6e0b78a jdk-9.0.3+8
 a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
+172baf6c99c5e9fdd72a6f3729f6ec8cd6b48183 jdk-9.0.1+10

From f8a8d797ce9c23bd68f1a5e0075286aa9a501f8b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 17:35:57 -0700
Subject: [PATCH 182/269] Added tag jdk-9.0.1+11 for changeset 514e78c13269

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 4b8ef168c0..2f89443b6a 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -439,3 +439,4 @@ a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 0000000000000000000000000000000000000000 jdk-9.0.1+10
 0000000000000000000000000000000000000000 jdk-9.0.1+10
 5a9191c980ca3ada63b234e2b9ec6dc23bd37595 jdk-9.0.1+10
+e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11

From e0c51005f79b7594eeefffb9c391a2d792a3aaa2 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 17:36:09 -0700
Subject: [PATCH 183/269] Added tag jdk-9.0.1+11 for changeset 4b4cb103d884

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 8f318edd6e..a9570f6aac 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -435,3 +435,4 @@ db0ea99e2418dd88160c1c480c4c1525a5c0c993 jdk-9.0.3+6
 b69fd398311af4f5d2b67b27c0bfa5622f971ec1 jdk-9.0.3+8
 e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9
 97fad1859593b8f8b445d170f412870bf0aceff4 jdk-9.0.1+10
+f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11

From 0e04a0bb6827bb7a457097a61f6d0728531359db Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 17:36:28 -0700
Subject: [PATCH 184/269] Added tag jdk-9.0.1+11 for changeset 4dc1dad20246

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 4c4f73cacc..edac44bf31 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -595,3 +595,4 @@ fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7
 1f5a9c0ddb4b8da443f70fc5d135b320f6e0b78a jdk-9.0.3+8
 a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 172baf6c99c5e9fdd72a6f3729f6ec8cd6b48183 jdk-9.0.1+10
+3546eb2ee2693043eb107d980ce5b72fe7f8f47a jdk-9.0.1+11

From beed412fdcb31d7bb0a2c50088f99394c25177d0 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 27 Sep 2017 17:37:27 -0700
Subject: [PATCH 185/269] Added tag jdk-9.0.1+11 for changeset 5ff4549be5ec

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 9b020108c0..60a1f6e774 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -435,3 +435,4 @@ a1b2b4e871fe277827b29ca7356a723599303843 jdk-9.0.3+7
 a33a03d42ff990b1041bf0f86dc90c1964e2d214 jdk-9.0.3+8
 a120deff1775a5107cac1ccdf40fb41df0612f7e jdk-9.0.3+9
 aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10
+2bd4dd6cc82060b6d705de5f47077633ae7b7c82 jdk-9.0.1+11

From 4dc32f4e7b3529e14c001b40a4bc0f02ae242af6 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 10:03:27 -0700
Subject: [PATCH 186/269] Added tag jdk-9.0.4+00 for changeset bf1f0fb1f687

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 60a1f6e774..4bd7e97a20 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -436,3 +436,4 @@ a33a03d42ff990b1041bf0f86dc90c1964e2d214 jdk-9.0.3+8
 a120deff1775a5107cac1ccdf40fb41df0612f7e jdk-9.0.3+9
 aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10
 2bd4dd6cc82060b6d705de5f47077633ae7b7c82 jdk-9.0.1+11
+fa3b1c07db0508e2bb1a6ab5e8b3a2be97544243 jdk-9.0.4+00

From 10a924dd219c683cc9291edf8f946243dfa67bb3 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 15:36:11 -0700
Subject: [PATCH 187/269] Added tag jdk-9.0.1+00 for changeset 59a43cd7f391

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 140c6960e0..e9d03680ab 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -417,3 +417,4 @@ ef9954f6896bb0b95ac62bf769f68b59a7a56ccd jdk-9+170
 0ff9ad7d067cd4fa14450cf208bf019175a0aaba jdk-9+172
 a5506b425f1bf91530d8417b57360e5d89328c0c jdk-9+173
 42f18c931bd4fae5c206ccf6d8e591e4c4e69d31 jdk-9+174
+c31ac0b8a60e8f872d38ad251a25ad043adc0191 jdk-9.0.1+00

From 4a30d9e467748fa74d76ba5ae62aa517333527a4 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 3 Oct 2017 23:08:00 -0700
Subject: [PATCH 188/269] Added tag jdk-9.0.4+1 for changeset ecffc6b10ca3

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 82ecd8da34..2d983e2c07 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -438,3 +438,4 @@ a120deff1775a5107cac1ccdf40fb41df0612f7e jdk-9.0.3+9
 aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10
 2bd4dd6cc82060b6d705de5f47077633ae7b7c82 jdk-9.0.1+11
 fa3b1c07db0508e2bb1a6ab5e8b3a2be97544243 jdk-9.0.4+00
+c66ff2442ffa563c48bd641d1f4273e00833014c jdk-9.0.4+1

From d28d02fcc91972dc5eb4abbdf7573b8dc7372dc6 Mon Sep 17 00:00:00 2001
From: Sergey Bylokhov 
Date: Mon, 2 Oct 2017 11:04:01 -0700
Subject: [PATCH 189/269] 8185325: Improve GTK initialization

Reviewed-by: azvegint, rhalade, mschoene
---
 .../native/libawt_xawt/awt/gtk2_interface.c   | 57 +++++++++----------
 .../native/libawt_xawt/awt/gtk3_interface.c   | 55 +++++++++---------
 2 files changed, 52 insertions(+), 60 deletions(-)

diff --git a/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk2_interface.c b/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk2_interface.c
index 66fba97d19..800af14d67 100644
--- a/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk2_interface.c
+++ b/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk2_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -761,46 +761,41 @@ GtkApi* gtk2_load(JNIEnv *env, const char* lib_name)
     }
 
     /*
-     * Strip the AT-SPI GTK_MODULEs if present
+     * Strip the AT-SPI GTK_MODULES if present
      */
     gtk_modules_env = getenv ("GTK_MODULES");
+    if ((gtk_modules_env && strstr(gtk_modules_env, "atk-bridge")) ||
+        (gtk_modules_env && strstr(gtk_modules_env, "gail"))) {
+        /* careful, strtok modifies its args */
+        gchar *tmp_env = strdup(gtk_modules_env);
+        if (tmp_env) {
+            /* the new env will be smaller than the old one */
+            gchar *s, *new_env = SAFE_SIZE_STRUCT_ALLOC(malloc,
+                    sizeof(ENV_PREFIX), 1, strlen (gtk_modules_env));
 
-    if (gtk_modules_env && strstr (gtk_modules_env, "atk-bridge") ||
-        gtk_modules_env && strstr (gtk_modules_env, "gail"))
-    {
-        /* the new env will be smaller than the old one */
-        gchar *s, *new_env = SAFE_SIZE_STRUCT_ALLOC(malloc,
-                sizeof(ENV_PREFIX), 1, strlen (gtk_modules_env));
+            if (new_env) {
+                strcpy(new_env, ENV_PREFIX);
 
-        if (new_env != NULL )
-        {
-            /* careful, strtok modifies its args */
-            gchar *tmp_env = strdup (gtk_modules_env);
-            strcpy(new_env, ENV_PREFIX);
-
-            /* strip out 'atk-bridge' and 'gail' */
-            size_t PREFIX_LENGTH = strlen(ENV_PREFIX);
-            while (s = strtok(tmp_env, ":"))
-            {
-                if ((!strstr (s, "atk-bridge")) && (!strstr (s, "gail")))
-                {
-                    if (strlen (new_env) > PREFIX_LENGTH) {
-                        new_env = strcat (new_env, ":");
+                /* strip out 'atk-bridge' and 'gail' */
+                size_t PREFIX_LENGTH = strlen(ENV_PREFIX);
+                gchar *tmp_ptr = NULL;
+                for (s = strtok_r(tmp_env, ":", &tmp_ptr); s;
+                     s = strtok_r(NULL, ":", &tmp_ptr)) {
+                    if ((!strstr(s, "atk-bridge")) && (!strstr(s, "gail"))) {
+                        if (strlen(new_env) > PREFIX_LENGTH) {
+                            new_env = strcat(new_env, ":");
+                        }
+                        new_env = strcat(new_env, s);
                     }
-                    new_env = strcat(new_env, s);
                 }
-                if (tmp_env)
-                {
-                    free (tmp_env);
-                    tmp_env = NULL; /* next call to strtok arg1==NULL */
+                if (putenv(new_env) != 0) {
+                    /* no free() on success, putenv() doesn't copy string */
+                    free(new_env);
                 }
             }
-            putenv (new_env);
-            free (new_env);
-            free (tmp_env);
+            free(tmp_env);
         }
     }
-
     /*
      * GTK should be initialized with gtk_init_check() before use.
      *
diff --git a/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk3_interface.c b/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk3_interface.c
index c3c0021a9c..af4cf9ebaf 100644
--- a/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk3_interface.c
+++ b/jdk/src/java.desktop/unix/native/libawt_xawt/awt/gtk3_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -580,42 +580,39 @@ GtkApi* gtk3_load(JNIEnv *env, const char* lib_name)
     }
 
     /*
-     * Strip the AT-SPI GTK_MODULEs if present
+     * Strip the AT-SPI GTK_MODULES if present
      */
     gtk_modules_env = getenv ("GTK_MODULES");
-    if (gtk_modules_env && strstr (gtk_modules_env, "atk-bridge") ||
-        gtk_modules_env && strstr (gtk_modules_env, "gail"))
-    {
-        /* the new env will be smaller than the old one */
-        gchar *s, *new_env = SAFE_SIZE_STRUCT_ALLOC(malloc,
-                sizeof(ENV_PREFIX), 1, strlen (gtk_modules_env));
+    if ((gtk_modules_env && strstr(gtk_modules_env, "atk-bridge")) ||
+        (gtk_modules_env && strstr(gtk_modules_env, "gail"))) {
+        /* careful, strtok modifies its args */
+        gchar *tmp_env = strdup(gtk_modules_env);
+        if (tmp_env) {
+            /* the new env will be smaller than the old one */
+            gchar *s, *new_env = SAFE_SIZE_STRUCT_ALLOC(malloc,
+                    sizeof(ENV_PREFIX), 1, strlen (gtk_modules_env));
 
-        if (new_env != NULL )
-        {
-            /* careful, strtok modifies its args */
-            gchar *tmp_env = strdup (gtk_modules_env);
-            strcpy(new_env, ENV_PREFIX);
+            if (new_env) {
+                strcpy(new_env, ENV_PREFIX);
 
-            /* strip out 'atk-bridge' and 'gail' */
-            size_t PREFIX_LENGTH = strlen(ENV_PREFIX);
-            while (s = strtok(tmp_env, ":"))
-            {
-                if ((!strstr (s, "atk-bridge")) && (!strstr (s, "gail")))
-                {
-                    if (strlen (new_env) > PREFIX_LENGTH) {
-                        new_env = strcat (new_env, ":");
+                /* strip out 'atk-bridge' and 'gail' */
+                size_t PREFIX_LENGTH = strlen(ENV_PREFIX);
+                gchar *tmp_ptr = NULL;
+                for (s = strtok_r(tmp_env, ":", &tmp_ptr); s;
+                     s = strtok_r(NULL, ":", &tmp_ptr)) {
+                    if ((!strstr(s, "atk-bridge")) && (!strstr(s, "gail"))) {
+                        if (strlen(new_env) > PREFIX_LENGTH) {
+                            new_env = strcat(new_env, ":");
+                        }
+                        new_env = strcat(new_env, s);
                     }
-                    new_env = strcat(new_env, s);
                 }
-                if (tmp_env)
-                {
-                    free (tmp_env);
-                    tmp_env = NULL; /* next call to strtok arg1==NULL */
+                if (putenv(new_env) != 0) {
+                    /* no free() on success, putenv() doesn't copy string */
+                    free(new_env);
                 }
             }
-            putenv (new_env);
-            free (new_env);
-            free (tmp_env);
+            free(tmp_env);
         }
     }
     /*

From 958370eea1376cc42beac2b1e65b0f60a092574f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 10 Oct 2017 12:53:03 -0700
Subject: [PATCH 190/269] Added tag jdk-9.0.4+2 for changeset 00f8a140f51a

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 2d983e2c07..c83e551a6f 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -439,3 +439,4 @@ aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10
 2bd4dd6cc82060b6d705de5f47077633ae7b7c82 jdk-9.0.1+11
 fa3b1c07db0508e2bb1a6ab5e8b3a2be97544243 jdk-9.0.4+00
 c66ff2442ffa563c48bd641d1f4273e00833014c jdk-9.0.4+1
+c03f6dda488064a24e53e372e5ad00b1d7505f6b jdk-9.0.4+2

From 432d72b1c7c736df8f056f831a63d98ca24b38db Mon Sep 17 00:00:00 2001
From: Rob McKenna 
Date: Thu, 28 Sep 2017 15:30:52 +0100
Subject: [PATCH 191/269] 8187558: Undo JDK-8159377 spec change

Reviewed-by: dfuchs, rriggs, shshahma, jwilhelm, asapre
---
 .../remote/rmi/RMIConnectorServer.java        | 59 +++----------------
 .../remote/rmi/RMIJRMPServerImpl.java         | 18 +++---
 .../com/sun/jmx/remote/util/EnvHelp.java      | 55 +++++++++++++++++
 .../jmxremote/ConnectorBootstrap.java         | 12 +++-
 .../connection/NewRMIClientFilterTest.java    | 15 +++--
 5 files changed, 91 insertions(+), 68 deletions(-)

diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java
index 0cda57065f..a71bef5b40 100644
--- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java
+++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectorServer.java
@@ -32,7 +32,6 @@ import com.sun.jmx.remote.util.EnvHelp;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.ObjectInputFilter;
 import java.io.ObjectOutputStream;
 import java.net.MalformedURLException;
 import java.rmi.server.RMIClientSocketFactory;
@@ -102,59 +101,19 @@ public class RMIConnectorServer extends JMXConnectorServer {
         "jmx.remote.rmi.server.socket.factory";
 
     /**
-    * Name of the attribute that specifies an
-    * {@link ObjectInputFilter} pattern string to filter classes acceptable
-    * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()}
+    * Name of the attribute that specifies a list of class names acceptable
+    * as parameters to the {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()}
     * remote method call.
     * 
    
-    * The filter pattern must be in same format as used in
-    * {@link java.io.ObjectInputFilter.Config#createFilter}
+    * This list of classes should correspond to the transitive closure of the
+    * credentials class (or classes) used by the installed {@linkplain JMXAuthenticator}
+    * associated with the {@linkplain RMIServer} implementation.
     * 
    
-    * This list of classes allowed by filter should correspond to the
-    * transitive closure of the credentials class (or classes) used by the
-    * installed {@linkplain JMXAuthenticator} associated with the
-    * {@linkplain RMIServer} implementation.
-    * If the attribute is not set then any class is deemed acceptable.
-    * @see ObjectInputFilter
+    * If the attribute is not set, or is null, then any class is
+    * deemed acceptable.
     */
-    public static final String CREDENTIALS_FILTER_PATTERN =
-        "jmx.remote.rmi.server.credentials.filter.pattern";
-
-    /**
-     * This attribute defines a pattern from which to create a
-     * {@link java.io.ObjectInputFilter} that will be used when deserializing
-     * objects sent to the {@code JMXConnectorServer} by any client.
-     * 
    
-     * The filter will be called for any class found in the serialized
-     * stream sent to server by client, including all JMX defined classes
-     * (such as {@link javax.management.ObjectName}), all method parameters,
-     * and, if present in the stream, all classes transitively referred by
-     * the serial form of any deserialized object.
-     * The pattern must be in same format as used in
-     * {@link java.io.ObjectInputFilter.Config#createFilter}.
-     * It may define a white list of permitted classes, a black list of
-     * rejected classes, a maximum depth for the deserialized objects,
-     * etc.
-     * 
    
-     * To be functional, the filter should allow at least all the
-     * concrete types in the transitive closure of all objects that
-     * might get serialized when serializing all JMX classes referred
-     * as parameters in the {@link
-     * javax.management.remote.rmi.RMIConnection} interface,
-     * plus all classes that a {@link javax.management.remote.rmi.RMIConnector client}
-     * might need to transmit wrapped in {@linkplain java.rmi.MarshalledObject
-     * marshalled objects} in order to interoperate with the MBeans registered
-     * in the {@code MBeanServer}. That would potentially include all the
-     * concrete {@linkplain javax.management.openmbean  JMX OpenTypes} and the
-     * classes they use in their serial form.
-     * 
    
-     * Care must be taken when defining such a filter, as defining
-     * a white list too restrictive or a too wide a black list may
-     * prevent legitimate clients from interoperating with the
-     * {@code JMXConnectorServer}.
-     */
-    public static final String SERIAL_FILTER_PATTERN =
-       "jmx.remote.rmi.server.serial.filter.pattern";
+    public static final String CREDENTIAL_TYPES =
+            "jmx.remote.rmi.server.credential.types";
 
     /**
      * 
    Makes an RMIConnectorServer.
diff --git a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java
index e6787692ee..c4af7756af 100644
--- a/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java
+++ b/jdk/src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIJRMPServerImpl.java
@@ -97,22 +97,18 @@ public class RMIJRMPServerImpl extends RMIServerImpl {
         this.ssf = ssf;
         this.env = (env == null) ? Collections.emptyMap() : env;
 
-        // This attribute was represented by RMIConnectorServer.CREDENTIALS_TYPES.
-        // This attribute is superceded by
-        // RMIConnectorServer.CREDENTIALS_FILTER_PATTERN.
-        // Retaining this for backward compatibility.
         String[] credentialsTypes
-                = (String[]) this.env.get("jmx.remote.rmi.server.credential.types");
+                = (String[]) this.env.get(RMIConnectorServer.CREDENTIAL_TYPES);
 
         String credentialsFilter
-                = (String) this.env.get(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN);
+                = (String) this.env.get(EnvHelp.CREDENTIALS_FILTER_PATTERN);
 
         // It is impossible for both attributes to be specified
-        if(credentialsTypes != null && credentialsFilter != null)
+        if(credentialsTypes != null && credentialsFilter != null) {
             throw new IllegalArgumentException("Cannot specify both \""
-                    + "jmx.remote.rmi.server.credential.types" + "\" and \""
-           + RMIConnectorServer.CREDENTIALS_FILTER_PATTERN + "\"");
-        else if(credentialsFilter != null){
+                    + RMIConnectorServer.CREDENTIAL_TYPES + "\" and \""
+                    + EnvHelp.CREDENTIALS_FILTER_PATTERN + "\"");
+        } else if(credentialsFilter != null){
             cFilter = ObjectInputFilter.Config.createFilter(credentialsFilter);
             allowedTypes = null;
         }
@@ -127,7 +123,7 @@ public class RMIJRMPServerImpl extends RMIServerImpl {
         }
 
         String userJmxFilter =
-                (String) this.env.get(RMIConnectorServer.SERIAL_FILTER_PATTERN);
+                (String) this.env.get(EnvHelp.SERIAL_FILTER_PATTERN);
         if(userJmxFilter != null && !userJmxFilter.isEmpty())
             jmxRmiFilter = ObjectInputFilter.Config.createFilter(userJmxFilter);
         else
diff --git a/jdk/src/java.management/share/classes/com/sun/jmx/remote/util/EnvHelp.java b/jdk/src/java.management/share/classes/com/sun/jmx/remote/util/EnvHelp.java
index 47ab569579..c8ead8e396 100644
--- a/jdk/src/java.management/share/classes/com/sun/jmx/remote/util/EnvHelp.java
+++ b/jdk/src/java.management/share/classes/com/sun/jmx/remote/util/EnvHelp.java
@@ -53,6 +53,61 @@ import javax.management.remote.JMXConnectorServer;
 
 public class EnvHelp {
 
+   /**
+    * Name of the attribute that specifies an
+    * {@link ObjectInputFilter} pattern string to filter classes acceptable
+    * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()}
+    * remote method call.
+    * 
    
+    * The filter pattern must be in same format as used in
+    * {@link java.io.ObjectInputFilter.Config.createFilter}
+    * 
    
+    * This list of classes allowed by filter should correspond to the
+    * transitive closure of the credentials class (or classes) used by the
+    * installed {@linkplain JMXAuthenticator} associated with the
+    * {@linkplain RMIServer} implementation.
+    * If the attribute is not set then any class is deemed acceptable.
+    * @see ObjectInputFilter
+    */
+    public static final String CREDENTIALS_FILTER_PATTERN =
+        "jmx.remote.rmi.server.credentials.filter.pattern";
+
+    /**
+     * This attribute defines a pattern from which to create a
+     * {@link java.io.ObjectInputFilter} that will be used when deserializing
+     * objects sent to the {@code JMXConnectorServer} by any client.
+     * 
    
+     * The filter will be called for any class found in the serialized
+     * stream sent to server by client, including all JMX defined classes
+     * (such as {@link javax.management.ObjectName}), all method parameters,
+     * and, if present in the stream, all classes transitively referred by
+     * the serial form of any deserialized object.
+     * The pattern must be in same format as used in
+     * {@link java.io.ObjectInputFilter.Config.createFilter}.
+     * It may define a white list of permitted classes, a black list of
+     * rejected classes, a maximum depth for the deserialized objects,
+     * etc.
+     * 
    
+     * To be functional, the filter should allow at least all the
+     * concrete types in the transitive closure of all objects that
+     * might get serialized when serializing all JMX classes referred
+     * as parameters in the {@link
+     * javax.management.remote.rmi.RMIConnection} interface,
+     * plus all classes that a {@link javax.management.remote.rmi.RMIConnectorClient}
+     * might need to transmit wrapped in {@linkplain java.rmi.MarshalledObject
+     * marshalled objects} in order to interoperate with the MBeans registered
+     * in the {@code MBeanServer}. That would potentially include all the
+     * concrete {@linkplain javax.management.openmbean  JMX OpenTypes} and the
+     * classes they use in their serial form.
+     * 
    
+     * Care must be taken when defining such a filter, as defining
+     * a white list too restrictive or a too wide a black list may
+     * prevent legitimate clients from interoperating with the
+     * {@code JMXConnectorServer}.
+     */
+    public static final String SERIAL_FILTER_PATTERN =
+       "jmx.remote.rmi.server.serial.filter.pattern";
+
     /**
      * Name of the attribute that specifies a default class loader
      * object.
diff --git a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java
index dae6b95c8b..d161593401 100644
--- a/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java
+++ b/jdk/src/jdk.management.agent/share/classes/sun/management/jmxremote/ConnectorBootstrap.java
@@ -514,7 +514,8 @@ public final class ConnectorBootstrap {
         // This RMI server should not keep the VM alive
         Map env = new HashMap<>();
         env.put(RMIExporter.EXPORTER_ATTRIBUTE, new PermanentExporter());
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*");
+        env.put("jmx.remote.rmi.server.credentials.filter.pattern",
+                String.class.getName() + ";!*");
 
         // The local connector server need only be available via the
         // loopback connection.
@@ -540,6 +541,10 @@ public final class ConnectorBootstrap {
             if (props ==  null) {
                 props = new Properties();
             }
+            String jmxRmiFilter = props.getProperty(PropertyNames.SERIAL_FILTER_PATTERN);
+            if (jmxRmiFilter != null && !jmxRmiFilter.isEmpty()) {
+                env.put("jmx.remote.rmi.server.serial.filter.pattern", jmxRmiFilter);
+            }
             String useLocalOnlyStr = props.getProperty(
                     PropertyNames.USE_LOCAL_ONLY, DefaultValues.USE_LOCAL_ONLY);
             boolean useLocalOnly = Boolean.valueOf(useLocalOnlyStr).booleanValue();
@@ -746,10 +751,11 @@ public final class ConnectorBootstrap {
         PermanentExporter exporter = new PermanentExporter();
 
         env.put(RMIExporter.EXPORTER_ATTRIBUTE, exporter);
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, String.class.getName() + ";!*");
+        env.put("jmx.remote.rmi.server.credentials.filter.pattern",
+                String.class.getName() + ";!*");
 
         if(jmxRmiFilter != null && !jmxRmiFilter.isEmpty()) {
-            env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, jmxRmiFilter);
+            env.put("jmx.remote.rmi.server.serial.filter.pattern", jmxRmiFilter);
         }
 
         boolean useSocketFactory = bindAddress != null && !useSsl;
diff --git a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java
index 78ae27bb64..51ff463624 100644
--- a/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java
+++ b/jdk/test/javax/management/remote/mandatory/connection/NewRMIClientFilterTest.java
@@ -45,6 +45,15 @@ import javax.management.remote.rmi.RMIConnectorServer;
 
 public class NewRMIClientFilterTest {
 
+   /**
+    * Name of the attribute that specifies an
+    * {@link ObjectInputFilter} pattern string to filter classes acceptable
+    * for {@link RMIServer#newClient(java.lang.Object) RMIServer.newClient()}
+    * remote method call.
+    */
+    static final String CREDENTIALS_FILTER_PATTERN =
+        "jmx.remote.rmi.server.credentials.filter.pattern";
+
     public static void main(String[] args) throws Exception {
         System.out.println("---NewRMIClientFilterTest-main: starting ...");
         String filter1 = java.lang.String.class.getName() + ";!*";
@@ -64,8 +73,7 @@ public class NewRMIClientFilterTest {
         server.stop();
 
         System.out.println("\n---NewRMIClientFilterTest-main: testing types = String[]");
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN,
-                filter1);
+        env.put(CREDENTIALS_FILTER_PATTERN, filter1);
         server = newServer(url, env);
         serverUrl = server.getAddress();
         doTest(serverUrl, null);
@@ -80,8 +88,7 @@ public class NewRMIClientFilterTest {
         }
 
         System.out.println("\n---NewRMIClientFilterTest-main: testing user specific types = String, MyCredentials");
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN,
-                filter2);
+        env.put(CREDENTIALS_FILTER_PATTERN, filter2);
         server = newServer(url, env);
         serverUrl = server.getAddress();
         doTest(serverUrl, null);

From f8e84a4d3bd3a9dcffb9cda105c24b8cf49e564a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 10:02:07 -0700
Subject: [PATCH 192/269] Added tag jdk-9.0.4+00 for changeset 93155af2a6b6

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 2f89443b6a..6a51f6e583 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -440,3 +440,4 @@ a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 0000000000000000000000000000000000000000 jdk-9.0.1+10
 5a9191c980ca3ada63b234e2b9ec6dc23bd37595 jdk-9.0.1+10
 e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
+3a64fdb24a8c26e2d7d32864dad4425a9496b90d jdk-9.0.4+00

From d94210f31a1f1f69597bedbba233f9caa46527eb Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 10:02:17 -0700
Subject: [PATCH 193/269] Added tag jdk-9.0.4+00 for changeset da9866cbb099

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index a9570f6aac..1a7fe0d284 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -436,3 +436,4 @@ b69fd398311af4f5d2b67b27c0bfa5622f971ec1 jdk-9.0.3+8
 e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9
 97fad1859593b8f8b445d170f412870bf0aceff4 jdk-9.0.1+10
 f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
+0876f7e30c48b7cc0b3c15fcd3860522b1f4ae38 jdk-9.0.4+00

From 0d938837c163a1b89be60ebf4788b0168f1dad8f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 10:02:33 -0700
Subject: [PATCH 194/269] Added tag jdk-9.0.4+00 for changeset 0971abddf7e2

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index edac44bf31..9542ed333b 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -596,3 +596,4 @@ fca264c9fa3ce57b3f4d662242d38b44fb442c87 jdk-9.0.3+7
 a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 172baf6c99c5e9fdd72a6f3729f6ec8cd6b48183 jdk-9.0.1+10
 3546eb2ee2693043eb107d980ce5b72fe7f8f47a jdk-9.0.1+11
+5be37d3ef648d06850aa164d8b22ac7539559e80 jdk-9.0.4+00

From 8113f746141e1f2f37af1d0d6c47918d98afa88f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 15:35:08 -0700
Subject: [PATCH 195/269] Added tag jdk-9.0.1+00 for changeset edb8a7381fd4

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 98bbdae371..0f7abe974a 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -417,3 +417,4 @@ b25838a28195f4b6dab34668411eedd2d366a16c jdk-9+169
 2c25fc24103251f9711a1c280c31e1e41016d90f jdk-9+172
 88d7fd969e7df0e07a53b201cfd29393ca33ede9 jdk-9+173
 5466f409346e0446ee9a6daeb7f5d75c8fc76823 jdk-9+174
+023f93e511bae768203c33bb8681f82ee75014da jdk-9.0.1+00

From 1d0a78214d1254ec1fa3ee4bf7634948a056d071 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 15:35:16 -0700
Subject: [PATCH 196/269] Added tag jdk-9.0.1+00 for changeset 0f0a67ad90e1

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 0cb7bc2e8c..0445f3031c 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -417,3 +417,4 @@ c62e5964cfcf144d8f72e9ba69757897785349a9 jdk-9+171
 95ed14547ca9246baed34f90ef3ca13217538a8c jdk-9+172
 534ba4f8cfcf12accc5b9adb943103f2ff79fe16 jdk-9+173
 3615768c12904e29bb2ec1b506cd4633cd8a9ced jdk-9+174
+6a33ed67219134933d276bd7575a84511a48c384 jdk-9.0.1+00

From aa996cf96764ccdcb79129e1efbb8c0212640c20 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 2 Oct 2017 15:35:30 -0700
Subject: [PATCH 197/269] Added tag jdk-9.0.1+00 for changeset 0f92043fb825

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 9deff2db56..adc34563d0 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -577,3 +577,4 @@ d53171650a2cc6c6f699c966c533b914ca9c0602 jdk-9+171
 1ae9e84f68b359420d2d153ecfe5ee2903e33a2e jdk-9+172
 e64b1cb48d6e7703928a9d1da106fc27f8cb65fd jdk-9+173
 944791f8160185bffa13fbb821fc09b6198f1f25 jdk-9+174
+ca47dcfdd35129fe3ab2dab71b2601d7a0ff07c0 jdk-9.0.1+00

From 90c3ac0b3e09896ad4a82870c39e122d317b172b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 3 Oct 2017 22:03:35 -0700
Subject: [PATCH 198/269] 8188741: Update milestone to ea for 9.0.4+1

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 5d5f53bc50..e8f5d8f455 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -1244,7 +1244,7 @@ var versionArgs = function(input, common) {
     if (input.build_type == "promoted") {
         args = concat(args,
                       // This needs to be changed when we start building release candidates
-                      "--with-version-pre=",
+                      "--with-version-pre=ea",
                       "--without-version-opt");
     } else {
         args = concat(args, "--with-version-opt=" + common.build_id);

From bc3b99c2bd1e2b25bbbf866a492ff92334f16362 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 3 Oct 2017 23:06:46 -0700
Subject: [PATCH 199/269] Added tag jdk-9.0.4+1 for changeset df90aaec547b

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 8758dd5ad0..2da0b7ca28 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -442,3 +442,4 @@ a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 5a9191c980ca3ada63b234e2b9ec6dc23bd37595 jdk-9.0.1+10
 e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 3a64fdb24a8c26e2d7d32864dad4425a9496b90d jdk-9.0.4+00
+726bf8524f7d3780518ada8648488ad4a7bfe6a2 jdk-9.0.4+1

From e98b22556e1d110f979f5ac476eca5a777d1047f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 3 Oct 2017 23:06:56 -0700
Subject: [PATCH 200/269] Added tag jdk-9.0.4+1 for changeset ba04c9dfa32f

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index ca3312e1c6..e7f0c63e62 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -438,3 +438,4 @@ e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9
 97fad1859593b8f8b445d170f412870bf0aceff4 jdk-9.0.1+10
 f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
 0876f7e30c48b7cc0b3c15fcd3860522b1f4ae38 jdk-9.0.4+00
+03683a1b2e25231ea6305c91cae4cf83d01738f0 jdk-9.0.4+1

From 8cf2d304aa035ca21e3485b390b39c64fc9b3bf0 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 3 Oct 2017 23:07:10 -0700
Subject: [PATCH 201/269] Added tag jdk-9.0.4+1 for changeset e48b6b6ebc62

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 0404a62fd5..3e6b48705e 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -598,3 +598,4 @@ a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 172baf6c99c5e9fdd72a6f3729f6ec8cd6b48183 jdk-9.0.1+10
 3546eb2ee2693043eb107d980ce5b72fe7f8f47a jdk-9.0.1+11
 5be37d3ef648d06850aa164d8b22ac7539559e80 jdk-9.0.4+00
+46290b7298be50f9a70d27465d50d1675732f0af jdk-9.0.4+1

From 61c87851ccfa1638df80831de536f7784e0c161e Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 10 Oct 2017 12:51:37 -0700
Subject: [PATCH 202/269] Added tag jdk-9.0.4+2 for changeset 0fd67569947a

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 2da0b7ca28..8b3697ffa6 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -443,3 +443,4 @@ a31dfd85bee9c16aac1e65dfbe81d1c5fe443c2c jdk-9.0.3+9
 e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 3a64fdb24a8c26e2d7d32864dad4425a9496b90d jdk-9.0.4+00
 726bf8524f7d3780518ada8648488ad4a7bfe6a2 jdk-9.0.4+1
+8055b6778ac8fc6bb165082230951cc8f146f8fd jdk-9.0.4+2

From b7d7c3acae3ebf2917787030e0b57cf676a893b8 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 10 Oct 2017 12:51:48 -0700
Subject: [PATCH 203/269] Added tag jdk-9.0.4+2 for changeset 011db3d970fd

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index e7f0c63e62..e7e1afcdf5 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -439,3 +439,4 @@ e81a65e5771c0e9e524ff310c098e042cf381e8f jdk-9.0.3+9
 f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
 0876f7e30c48b7cc0b3c15fcd3860522b1f4ae38 jdk-9.0.4+00
 03683a1b2e25231ea6305c91cae4cf83d01738f0 jdk-9.0.4+1
+bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2

From 4b2b2ea10f58cd69a69f778b9db23825d30eecf5 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 10 Oct 2017 12:52:04 -0700
Subject: [PATCH 204/269] Added tag jdk-9.0.4+2 for changeset 6b2d84d07e3a

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 3e6b48705e..603b6d7656 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -599,3 +599,4 @@ a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 3546eb2ee2693043eb107d980ce5b72fe7f8f47a jdk-9.0.1+11
 5be37d3ef648d06850aa164d8b22ac7539559e80 jdk-9.0.4+00
 46290b7298be50f9a70d27465d50d1675732f0af jdk-9.0.4+1
+dab4c60adabfb8ea35cfcd96a7218994a84d652f jdk-9.0.4+2

From 76ef440af8ba0c54425138abe78ae146f625615c Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 18 Oct 2017 10:21:46 -0700
Subject: [PATCH 205/269] Added tag jdk-9.0.4+3 for changeset 3bca079255d7

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index c83e551a6f..b0493de369 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -440,3 +440,4 @@ aa6f847fc0f4a57efc42055921994d022d5cbff0 jdk-9.0.1+10
 fa3b1c07db0508e2bb1a6ab5e8b3a2be97544243 jdk-9.0.4+00
 c66ff2442ffa563c48bd641d1f4273e00833014c jdk-9.0.4+1
 c03f6dda488064a24e53e372e5ad00b1d7505f6b jdk-9.0.4+2
+b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3

From e54678451641b9bd2f5467c88f494c35072e74b8 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 1 Nov 2017 12:07:10 -0700
Subject: [PATCH 206/269] Added tag jdk-9.0.4+4 for changeset e326c69fff34

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index b0493de369..0919005959 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -441,3 +441,4 @@ fa3b1c07db0508e2bb1a6ab5e8b3a2be97544243 jdk-9.0.4+00
 c66ff2442ffa563c48bd641d1f4273e00833014c jdk-9.0.4+1
 c03f6dda488064a24e53e372e5ad00b1d7505f6b jdk-9.0.4+2
 b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
+0d40ce5e2249fb4643614855694dd1909112bb97 jdk-9.0.4+4

From 9e2e50e325de5d743e4ec335c5b2f447515a079a Mon Sep 17 00:00:00 2001
From: Li Jiang 
Date: Sun, 5 Nov 2017 23:04:42 -0800
Subject: [PATCH 207/269] 8190543: 9.0.4 L10n resource file update

Reviewed-by: coffeys
---
 .../classes/sun/launcher/resources/launcher_es.properties   | 6 +++---
 .../classes/sun/applet/resources/MsgAppletViewer_es.java    | 4 ++--
 .../com/sun/rowset/RowSetResourceBundle_sv.properties       | 4 ++--
 .../share/classes/sun/tools/jar/resources/jar_es.properties | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
index cd92b93eb5..d205b058b4 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_es.properties
@@ -26,16 +26,16 @@
 # Translators please note do not translate the options themselves
 java.launcher.opt.header  =   Sintaxis: {0} [opciones]  [argumentos...]\n           (para ejecutar una clase)\n   o  {0} [opciones] -jar  [argumentos...]\n           (para ejecutar un archivo jar)\n   o  {0} [opciones] -m [/] [argumentos...]\n       {0} [opciones] --module [/] [argumentos...]\n           (para ejecutar la clase principal en un m\u00F3dulo)\n\n Argumentos que siguen la clase principal, -jar , -m o --module\n / se transfieren como argumentos a una clase principal.\n\n donde las opciones incluyen:\n\n
 
-java.launcher.opt.datamodel  =\    -d{0}\t  Anticuada, se eliminar\u00E1 en una versi\u00F3n futura\n
+java.launcher.opt.datamodel  =\    -d{0}\t  En desuso, se eliminar\u00E1 en una versi\u00F3n futura\n
 java.launcher.opt.vmselect   =\    {0}\t  para seleccionar la VM "{1}"\n
-java.launcher.opt.hotspot    =\    {0}\t  es un sin\u00F3nimo de la VM "{1}" [anticuada]\n
+java.launcher.opt.hotspot    =\    {0}\t  es un sin\u00F3nimo de la VM "{1}" [en desuso]\n
 
 # Translators please note do not translate the options themselves
 java.launcher.opt.footer = \    -cp \n    -classpath \n    --class-path \n                  Una lista separada por el car\u00E1cter {0}, archivos JAR\n                  y archivos ZIP para buscar archivos de clases.\n    -p \n    --module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos.\n    --upgrade-module-path ...\n                  Una lista de directorios separada por el car\u00E1cter {0}, cada directorio\n                  es un directorio de m\u00F3dulos que sustituye a\n                  los m\u00F3dulos actualizables en la imagen de tiempo de ejecuci\u00F3n\n    --add-modules [,...]\n                  m\u00F3dulos de ra\u00EDz que resolver, adem\u00E1s del m\u00F3dulo inicial.\n                   tambi\u00E9n puede ser ALL-DEFAULT, ALL-SYSTEM,\n                  ALL-MODULE-PATH.\n    --list-modules\n                  mostrar m\u00F3dulos observables y salir\n    -d \n    --describe-module \n                  describir un m\u00F3dulo y salir\n    --dry-run     crear VM y cargar la clase principal pero sin ejecutar el m\u00E9todo principal.\n                  La opci\u00F3n --dry-run puede ser \u00FAtil para validar\n                  las opciones de l\u00EDnea de comandos, como la configuraci\u00F3n del sistema de m\u00F3dulos.\n    --validate-modules\n                  validar todos los m\u00F3dulos y salir\n                  La opci\u00F3n --validate-modules puede ser \u00FAtil para encontrar\n                  conflictos y otros errores con m\u00F3dulos en la ruta de m\u00F3dulos.\n    -D=\n                  definir una propiedad de sistema\n    -verbose:[class|module|gc|jni]\n                  activar la salida en modo verbose\n    -version      imprimir versi\u00F3n de producto en el flujo de errores y salir\n    --version     imprimir versi\u00F3n de producto en el flujo de salida y salir\n    -showversion  imprimir versi\u00F3n de producto en el flujo de errores y continuar\n    --show-version\n                  -showversion  imprimir versi\u00F3n de producto en el flujo de salida y continuar\n    --show-module-resolution\n                  mostrar la salida de resoluci\u00F3n de m\u00F3dulo durante el inicio\n    -? -h -help\n                  imprimir este mensaje de ayuda en el flujo de errores\n    --help        imprimir este mensaje de ayuda en el flujo de salida\n    -X            imprimir ayuda de opciones adicionales en el flujo de errores\n    --help-extra  imprimir ayuda de opciones adicionales en el flujo de salida\n    -ea[:...|:]\n    -enableassertions[:...|:]\n                  activar afirmaciones con una granularidad especificada\n    -da[:...|:]\n    -disableassertions[:...|:]\n                  desactivar afirmaciones con una granularidad especificada\n    -esa | -enablesystemassertions\n                  activar afirmaciones del sistema\n    -dsa | -disablesystemassertions\n                  desactivar afirmaciones del sistema\n    -agentlib:[=]\n                  cargar biblioteca de agente nativo , por ejemplo, -agentlib:jdwp\n                  ver tambi\u00E9n -agentlib:jdwp=help\n    -agentpath:[=]\n                  cargar biblioteca de agente nativo por nombre completo de ruta\n    -javaagent:[=]\n                  cargar agente de lenguaje de programaci\u00F3n Java, ver java.lang.instrument\n    -splash:\n       \
            mostrar pantalla de presentaci\u00F3n con imagen especificada\n                  Las im\u00E1genes a escala HiDPI est\u00E1n soportadas y se usan autom\u00E1ticamente\n                  si est\u00E1n disponibles. El nombre de archivo de la imagen sin escala, por ejemplo, image.ext,\n                  siempre debe transmitirse como el argumento para la opci\u00F3n -splash.\n                  La imagen a escala m\u00E1s adecuada que se haya proporcionado se escoger\u00E1\n                  autom\u00E1ticamente.\n                  Consulte la documentaci\u00F3n de la API de la pantalla de presentaci\u00F3n para obtener m\u00E1s informaci\u00F3n.\n    @argument files\n                  uno o m\u00E1s archivos de argumentos que contienen opciones\n    -disable-@files\n                  evitar una mayor expansi\u00F3n del archivo de argumentos\nPara especificar un argumento para una opci\u00F3n larga, puede usar --= o\n-- .\n
 
 # Translators please note do not translate the options themselves
-java.launcher.X.usage=\n    -Xbatch           desactivar compilaci\u00F3n en segundo plano\n    -Xbootclasspath/a:\n                      agregar al final de la ruta de la clase de inicializaci\u00F3n de datos\n    -Xcheck:jni       realizar comprobaciones adicionales para las funciones de JNI\n    -Xcomp            fuerza la compilaci\u00F3n de m\u00E9todos en la primera llamada\n    -Xdebug           se proporciona para ofrecer compatibilidad con versiones anteriores\n    -Xdiag            mostrar mensajes de diagn\u00F3stico adicionales\n    -Xfuture          activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n    -Xint             solo ejecuci\u00F3n de modo interpretado\n    -Xinternalversion\n                      muestra una informaci\u00F3n de la versi\u00F3n de JVM m\u00E1s detallada que la\n                      opci\u00F3n-versi\u00F3n\n    -Xloggc:    registrar el estado de GC en un archivo con registros de hora\n    -Xmixed           modo de ejecuci\u00F3n mixto (valor por defecto)\n    -Xmn        define el tama\u00F1o inicial y m\u00E1ximo (en bytes) de la pila\n                      para la generaci\u00F3n m\u00E1s joven (incubadora)\n    -Xms        define el tama\u00F1o inicial de la pila de Java\n    -Xmx        define el tama\u00F1o m\u00E1ximo de la pila de Java\n    -Xnoclassgc       desactivar la recolecci\u00F3n de basura de clases\n    -Xprof            datos de creaci\u00F3n de perfiles de CPU de salida (anticuados)\n    -Xrs              reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n    -Xshare:auto      usar datos de clase compartidos si es posible (valor por defecto)\n    -Xshare:off       no intentar usar datos de clase compartidos\n    -Xshare:on        es obligatorio el uso de datos de clase compartidos, de lo contrario se producir\u00E1 un fallo.\n    -XshowSettings    mostrar toda la configuraci\u00F3n y continuar\n    -XshowSettings:all\n                      mostrar todos los valores y continuar\n    -XshowSettings:locale\n                      mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n    -XshowSettings:properties\n                      mostrar todos los valores de propiedad y continuar\n    -XshowSettings:vm mostrar todos los valores relacionados con vm y continuar\n    -Xss        definir tama\u00F1o de la pila del thread de Java\n    -Xverify          define el modo del verificador de c\u00F3digo de bytes\n    --add-reads =(,)*\n                      updates  para leer , independientemente\n                      de la declaraci\u00F3n del m\u00F3dulo. \n                       puede ser ALL-UNNAMED para leer todos los m\u00F3dulos\n                      sin nombre.\n    --add-exports /=(,)*\n                      actualiza  para exportar  en ,\n                      independientemente de la declaraci\u00F3n del m\u00F3dulo.\n                       puede ser ALL-UNNAMED para exportar a todos los\n                      m\u00F3dulos sin nombre.\n    --add-opens /=(,)*\n                      actualiza  para abrir  en\n                      , independientemente de la declaraci\u00F3n del m\u00F3dulo.\n    --illegal-access=\n                      permitir o denegar el acceso a miembros de tipos en m\u00F3dulos con nombre\n                      por c\u00F3digo en m\u00F3dulos sin nombre.\n                       es "denegar", "permitir", "advertir" o "depurar"\n                      Esta opci\u00F3n se eliminar\u00E1 en la \
+java.launcher.X.usage=\n    -Xbatch           desactivar compilaci\u00F3n en segundo plano\n    -Xbootclasspath/a:\n                      agregar al final de la ruta de la clase de inicializaci\u00F3n de datos\n    -Xcheck:jni       realizar comprobaciones adicionales para las funciones de JNI\n    -Xcomp            fuerza la compilaci\u00F3n de m\u00E9todos en la primera llamada\n    -Xdebug           se proporciona para ofrecer compatibilidad con versiones anteriores\n    -Xdiag            mostrar mensajes de diagn\u00F3stico adicionales\n    -Xfuture          activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n    -Xint             solo ejecuci\u00F3n de modo interpretado\n    -Xinternalversion\n                      muestra una informaci\u00F3n de la versi\u00F3n de JVM m\u00E1s detallada que la\n                      opci\u00F3n-versi\u00F3n\n    -Xloggc:    registrar el estado de GC en un archivo con registros de hora\n    -Xmixed           modo de ejecuci\u00F3n mixto (valor por defecto)\n    -Xmn        define el tama\u00F1o inicial y m\u00E1ximo (en bytes) de la pila\n                      para la generaci\u00F3n m\u00E1s joven (incubadora)\n    -Xms        define el tama\u00F1o inicial de la pila de Java\n    -Xmx        define el tama\u00F1o m\u00E1ximo de la pila de Java\n    -Xnoclassgc       desactivar la recolecci\u00F3n de basura de clases\n    -Xprof            datos de creaci\u00F3n de perfiles de CPU de salida (en desuso)\n    -Xrs              reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n    -Xshare:auto      usar datos de clase compartidos si es posible (valor por defecto)\n    -Xshare:off       no intentar usar datos de clase compartidos\n    -Xshare:on        es obligatorio el uso de datos de clase compartidos, de lo contrario se producir\u00E1 un fallo.\n    -XshowSettings    mostrar toda la configuraci\u00F3n y continuar\n    -XshowSettings:all\n                      mostrar todos los valores y continuar\n    -XshowSettings:locale\n                      mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n    -XshowSettings:properties\n                      mostrar todos los valores de propiedad y continuar\n    -XshowSettings:vm mostrar todos los valores relacionados con vm y continuar\n    -Xss        definir tama\u00F1o de la pila del thread de Java\n    -Xverify          define el modo del verificador de c\u00F3digo de bytes\n    --add-reads =(,)*\n                      updates  para leer , independientemente\n                      de la declaraci\u00F3n del m\u00F3dulo. \n                       puede ser ALL-UNNAMED para leer todos los m\u00F3dulos\n                      sin nombre.\n    --add-exports /=(,)*\n                      actualiza  para exportar  en ,\n                      independientemente de la declaraci\u00F3n del m\u00F3dulo.\n                       puede ser ALL-UNNAMED para exportar a todos los\n                      m\u00F3dulos sin nombre.\n    --add-opens /=(,)*\n                      actualiza  para abrir  en\n                      , independientemente de la declaraci\u00F3n del m\u00F3dulo.\n    --illegal-access=\n                      permitir o denegar el acceso a miembros de tipos en m\u00F3dulos con nombre\n                      por c\u00F3digo en m\u00F3dulos sin nombre.\n                       es "denegar", "permitir", "advertir" o "depurar"\n                      Esta opci\u00F3n se eliminar\u00E1 en la \
 pr\u00F3xima versi\u00F3n.\n    --limit-modules [,...]\n                      limitar el universo de m\u00F3dulos observables\n    --patch-module =({0})*\n                      anular o aumentar un m\u00F3dulo con clases y recursos\n                      en directorios o archivos JAR.\n    --disable-@files  desactivar una mayor expansi\u00F3n del archivo de argumentos\n\nEstas opciones adicionales est\u00E1n sujetas a cambios sin previo aviso.\n
 
 # Translators please note do not translate the options themselves
diff --git a/jdk/src/java.desktop/share/classes/sun/applet/resources/MsgAppletViewer_es.java b/jdk/src/java.desktop/share/classes/sun/applet/resources/MsgAppletViewer_es.java
index 330a98986e..5825af8602 100644
--- a/jdk/src/java.desktop/share/classes/sun/applet/resources/MsgAppletViewer_es.java
+++ b/jdk/src/java.desktop/share/classes/sun/applet/resources/MsgAppletViewer_es.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@ public class MsgAppletViewer_es extends ListResourceBundle {
             {"appletviewer.parse.warning.embed.requiresheight", "Advertencia: la etiqueta  requiere el atributo height."},
             {"appletviewer.parse.warning.embed.requireswidth", "Advertencia: la etiqueta  requiere el atributo width."},
             {"appletviewer.parse.warning.appnotLongersupported", "Advertencia: la etiqueta  ya no est\u00E1 soportada, utilice  en su lugar:"},
-            {"appletviewer.deprecated", "Advertencia: la API de applet y AppletViewer est\u00E1n anticuados."},
+            {"appletviewer.deprecated", "Advertencia: la API de applet y AppletViewer est\u00E1n en desuso."},
             {"appletviewer.usage", "Sintaxis: appletviewer  url(s)\n\ndonde  incluye:\n  -encoding     Especificar la codificaci\u00F3n de caracteres utilizada por los archivos HTML\n  -J        Transferir argumento al int\u00E9rprete de Java\n\nLa opci\u00F3n -J es no est\u00E1ndar y est\u00E1 sujeta a cambios sin previo aviso."},
             {"appletviewer.main.err.unsupportedopt", "Opci\u00F3n no soportada: {0}"},
             {"appletviewer.main.err.unrecognizedarg", "Argumento no reconocido: {0}"},
diff --git a/jdk/src/java.sql.rowset/share/classes/com/sun/rowset/RowSetResourceBundle_sv.properties b/jdk/src/java.sql.rowset/share/classes/com/sun/rowset/RowSetResourceBundle_sv.properties
index 0cf8d5dfed..96bed5c6e2 100644
--- a/jdk/src/java.sql.rowset/share/classes/com/sun/rowset/RowSetResourceBundle_sv.properties
+++ b/jdk/src/java.sql.rowset/share/classes/com/sun/rowset/RowSetResourceBundle_sv.properties
@@ -159,8 +159,8 @@ xmlrch.errinsdel = Ett fel intr\u00E4ffade vid konstruktion av insdel-rad: {0}
 xmlrch.errupdate = Ett fel intr\u00E4ffade vid konstruktion av uppdateringsrad: {0}
 xmlrch.errupdrow = Ett fel intr\u00E4ffade vid uppdatering av rad: {0}
 xmlrch.chars = tecken:
-xmlrch.badvalue = Felaktigt v\u00E4rde; egenskapen kan inte ha ett tomt v\u00E4rde
-xmlrch.badvalue1 = Felaktigt v\u00E4rde; metadatan kan inte ha ett tomt v\u00E4rde
+xmlrch.badvalue = Felaktigt v\u00E4rde; egenskapen f\u00E5r inte ha v\u00E4rdet null
+xmlrch.badvalue1 = Felaktigt v\u00E4rde; metadata f\u00E5r inte ha v\u00E4rdet null
 xmlrch.warning =  ** Varning! {0}, rad: {1}, URI: {2}
 
 #RIOptimisticProvider Exceptions
diff --git a/jdk/src/jdk.jartool/share/classes/sun/tools/jar/resources/jar_es.properties b/jdk/src/jdk.jartool/share/classes/sun/tools/jar/resources/jar_es.properties
index 2cc206e83e..79854be6d8 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/tools/jar/resources/jar_es.properties
+++ b/jdk/src/jdk.jartool/share/classes/sun/tools/jar/resources/jar_es.properties
@@ -34,7 +34,7 @@ error.bad.cflag=El indicador 'c' necesita la especificaci\u00F3n de archivos de
 error.bad.uflag=El indicador 'u' necesita la especificaci\u00F3n de archivos de manifiesto, de entrada o indicador 'e'.
 error.bad.eflag=El indicador 'e' y el manifiesto con el atributo 'Main-Class' no pueden especificarse \na la vez.
 error.bad.dflag=La opci\u00F3n '-d, --describe-module'  no requiere especificar archivos de entrada
-error.bad.reason=Motivo err\u00F3neo: {0}, debe ser anticuado, anticuado para eliminaci\u00F3n o incubando
+error.bad.reason=Motivo err\u00F3neo: {0}, debe ser en desuso, en desuso para eliminaci\u00F3n o incubando
 error.nosuch.fileordir={0} : no existe tal archivo o directorio
 error.write.file=Error al escribir un archivo jar existente
 error.create.dir={0} : no se ha podido crear el directorio
@@ -115,7 +115,7 @@ main.help.opt.create.update.module-version=\      --module-version=VERSION    Ve
 main.help.opt.create.update.hash-modules=\      --hash-modules=PATTERN Calcular y registrar los hash de m\u00F3dulos\n                             que coinciden con el patr\u00F3n proporcionado y que dependen\n                             directa o indirectamente de la creaci\u00F3n de un archivo jar modular\n                             o de la actualizaci\u00F3n de un archivo jar no modular
 main.help.opt.create.update.module-path=\  -p, --module-path          Ubicaci\u00F3n de la dependencia de m\u00F3dulo para generar\n                             el hash
 main.help.opt.create.update.do-not-resolve-by-default=\      --do-not-resolve-by-default  Excluir del conjunto de m\u00F3dulos ra\u00EDz por defecto
-main.help.opt.create.update.warn-if-resolved=\      --warn-if-resolved     Indicaci\u00F3n para que una herramienta emita una advertencia si el m\u00F3dulo\n                             se ha resuelto. Anticuado, anticuado para eliminaci\u00F3n\n                             o incubando
+main.help.opt.create.update.warn-if-resolved=\      --warn-if-resolved     Indicaci\u00F3n para que una herramienta emita una advertencia si el m\u00F3dulo\n                             se ha resuelto. En desuso, en desuso para eliminaci\u00F3n\n                             o incubando
 main.help.opt.create.update.index=\ Modificadores de operaci\u00F3n v\u00E1lidos solo en el modo de creaci\u00F3n, actualizaci\u00F3n y generaci\u00F3n de \u00EDndice:\n
 main.help.opt.create.update.index.no-compress=\  -0, --no-compress          Solo almacenar; no usar compresi\u00F3n ZIP
 main.help.opt.other=\ Otras opciones:\n

From 2bbbb7f83de38a95365c9732aa9ccd39ee90417e Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 7 Nov 2017 18:42:06 -0800
Subject: [PATCH 208/269] Added tag jdk-9.0.4+5 for changeset c74c48875a48

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index 0919005959..f7a1549713 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -442,3 +442,4 @@ c66ff2442ffa563c48bd641d1f4273e00833014c jdk-9.0.4+1
 c03f6dda488064a24e53e372e5ad00b1d7505f6b jdk-9.0.4+2
 b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 0d40ce5e2249fb4643614855694dd1909112bb97 jdk-9.0.4+4
+7ba3aa648bf9635a75bc124539acc08d06dea600 jdk-9.0.4+5

From 578631c53055e448bcf9261a23c8c1e85e5178b9 Mon Sep 17 00:00:00 2001
From: Ivan Gerasimov 
Date: Fri, 13 Oct 2017 21:56:11 -0700
Subject: [PATCH 209/269] 8185292: Stricter key generation

Reviewed-by: mullan
---
 .../sun/crypto/provider/DHKeyAgreement.java   | 23 ++++++++++++++++++-
 .../share/lib/security/default.policy         |  1 +
 .../sun/security/pkcs11/P11KeyAgreement.java  | 22 +++++++++++++++++-
 .../provider/KeyAgreement/DHGenSecretKey.java |  3 ++-
 .../KeyAgreement/DHKeyAgreement2.java         |  3 ++-
 .../KeyAgreement/SameDHKeyStressTest.java     |  4 ++--
 .../security/pkcs11/KeyAgreement/TestDH.java  |  4 ++--
 7 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java
index 6a2f298fe6..201d47ca7f 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,11 +28,13 @@ package com.sun.crypto.provider;
 import java.util.*;
 import java.lang.*;
 import java.math.BigInteger;
+import java.security.AccessController;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.Key;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.PrivilegedAction;
 import java.security.ProviderException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.InvalidKeySpecException;
@@ -60,6 +62,17 @@ extends KeyAgreementSpi {
     private BigInteger x = BigInteger.ZERO; // the private value
     private BigInteger y = BigInteger.ZERO;
 
+    private static class AllowKDF {
+
+        private static final boolean VALUE = getValue();
+
+        private static boolean getValue() {
+            return AccessController.doPrivileged(
+                (PrivilegedAction)
+                () -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
+        }
+    }
+
     /**
      * Empty constructor
      */
@@ -367,6 +380,14 @@ extends KeyAgreementSpi {
         if (algorithm == null) {
             throw new NoSuchAlgorithmException("null algorithm");
         }
+
+        if (!algorithm.equalsIgnoreCase("TlsPremasterSecret") &&
+            !AllowKDF.VALUE) {
+
+            throw new NoSuchAlgorithmException("Unsupported secret key "
+                                               + "algorithm: " + algorithm);
+        }
+
         byte[] secret = engineGenerateSecret();
         if (algorithm.equalsIgnoreCase("DES")) {
             // DES
diff --git a/jdk/src/java.base/share/lib/security/default.policy b/jdk/src/java.base/share/lib/security/default.policy
index 94c2f153a9..51c40228e5 100644
--- a/jdk/src/java.base/share/lib/security/default.policy
+++ b/jdk/src/java.base/share/lib/security/default.policy
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
     permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
     permission java.util.PropertyPermission "os.name", "read";
     permission java.util.PropertyPermission "os.arch", "read";
+    permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
     permission java.security.SecurityPermission "putProviderProperty.*";
     permission java.security.SecurityPermission "clearProviderProperties.*";
     permission java.security.SecurityPermission "removeProviderProperty.*";
diff --git a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java
index 3e35ff23ce..2ae655ae60 100644
--- a/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java
+++ b/jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -69,6 +69,17 @@ final class P11KeyAgreement extends KeyAgreementSpi {
     // KeyAgreement from SunJCE as fallback for > 2 party agreement
     private KeyAgreement multiPartyAgreement;
 
+    private static class AllowKDF {
+
+        private static final boolean VALUE = getValue();
+
+        private static boolean getValue() {
+            return AccessController.doPrivileged(
+                (PrivilegedAction)
+                () -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
+        }
+    }
+
     P11KeyAgreement(Token token, String algorithm, long mechanism) {
         super();
         this.token = token;
@@ -260,6 +271,7 @@ final class P11KeyAgreement extends KeyAgreementSpi {
         if (algorithm == null) {
             throw new NoSuchAlgorithmException("Algorithm must not be null");
         }
+
         if (algorithm.equals("TlsPremasterSecret")) {
             // For now, only perform native derivation for TlsPremasterSecret
             // as that is required for FIPS compliance.
@@ -268,6 +280,14 @@ final class P11KeyAgreement extends KeyAgreementSpi {
             // (bug not yet filed).
             return nativeGenerateSecret(algorithm);
         }
+
+        if (!algorithm.equalsIgnoreCase("TlsPremasterSecret") &&
+            !AllowKDF.VALUE) {
+
+            throw new NoSuchAlgorithmException("Unsupported secret key "
+                                               + "algorithm: " + algorithm);
+        }
+
         byte[] secret = engineGenerateSecret();
         // Maintain compatibility for SunJCE:
         // verify secret length is sensible for algorithm / truncate
diff --git a/jdk/test/com/sun/crypto/provider/KeyAgreement/DHGenSecretKey.java b/jdk/test/com/sun/crypto/provider/KeyAgreement/DHGenSecretKey.java
index 48248e6703..d77dc6b0da 100644
--- a/jdk/test/com/sun/crypto/provider/KeyAgreement/DHGenSecretKey.java
+++ b/jdk/test/com/sun/crypto/provider/KeyAgreement/DHGenSecretKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
  * @summary Verify that DHKeyAgreement can generate secret key
  * objects for AES algorithm
  * @author Valerie Peng
+ * @run main/othervm -Djdk.crypto.KeyAgreement.legacyKDF=true DHGenSecretKey
  */
 import java.security.*;
 import java.security.interfaces.*;
diff --git a/jdk/test/com/sun/crypto/provider/KeyAgreement/DHKeyAgreement2.java b/jdk/test/com/sun/crypto/provider/KeyAgreement/DHKeyAgreement2.java
index 9c506f761c..be1e4c9803 100644
--- a/jdk/test/com/sun/crypto/provider/KeyAgreement/DHKeyAgreement2.java
+++ b/jdk/test/com/sun/crypto/provider/KeyAgreement/DHKeyAgreement2.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
  * @bug 7146728
  * @summary DHKeyAgreement2
  * @author Jan Luehe
+ * @run main/othervm -Djdk.crypto.KeyAgreement.legacyKDF=true DHKeyAgreement2
  */
 
 import java.io.*;
diff --git a/jdk/test/com/sun/crypto/provider/KeyAgreement/SameDHKeyStressTest.java b/jdk/test/com/sun/crypto/provider/KeyAgreement/SameDHKeyStressTest.java
index f0067da543..910104b98c 100644
--- a/jdk/test/com/sun/crypto/provider/KeyAgreement/SameDHKeyStressTest.java
+++ b/jdk/test/com/sun/crypto/provider/KeyAgreement/SameDHKeyStressTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,7 +26,7 @@
  * @bug 8048819
  * @summary This test stressful verifies the assertion of "The secret keys generated
  * by all involved parties should be the same." for javax.crypto.KeyAgreement
- * @run main SameDHKeyStressTest
+ * @run main/othervm -Djdk.crypto.KeyAgreement.legacyKDF=true SameDHKeyStressTest
  */
 import java.security.AlgorithmParameterGenerator;
 import java.security.InvalidAlgorithmParameterException;
diff --git a/jdk/test/sun/security/pkcs11/KeyAgreement/TestDH.java b/jdk/test/sun/security/pkcs11/KeyAgreement/TestDH.java
index 9dba311bf3..9681860d60 100644
--- a/jdk/test/sun/security/pkcs11/KeyAgreement/TestDH.java
+++ b/jdk/test/sun/security/pkcs11/KeyAgreement/TestDH.java
@@ -28,8 +28,8 @@
  * @author Andreas Sterbenz
  * @library ..
  * @modules jdk.crypto.cryptoki
- * @run main/othervm TestDH
- * @run main/othervm TestDH sm
+ * @run main/othervm -Djdk.crypto.KeyAgreement.legacyKDF=true TestDH
+ * @run main/othervm -Djdk.crypto.KeyAgreement.legacyKDF=true TestDH sm
  */
 
 import java.security.KeyPair;

From ba451ac6361af9d21a94050657d8a642c422e354 Mon Sep 17 00:00:00 2001
From: Sergey Bylokhov 
Date: Tue, 7 Nov 2017 16:02:08 -0800
Subject: [PATCH 210/269] 8190289: More refactoring for client deserialization
 cases

Reviewed-by: prr, azvegint, rhalade, skoivu
---
 .../share/classes/java/awt/geom/Path2D.java   | 14 +++++++-----
 .../classes/javax/swing/text/html/CSS.java    | 22 ++++++++++++-------
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/jdk/src/java.desktop/share/classes/java/awt/geom/Path2D.java b/jdk/src/java.desktop/share/classes/java/awt/geom/Path2D.java
index 0c946b5c0a..903e35117b 100644
--- a/jdk/src/java.desktop/share/classes/java/awt/geom/Path2D.java
+++ b/jdk/src/java.desktop/share/classes/java/awt/geom/Path2D.java
@@ -25,13 +25,14 @@
 
 package java.awt.geom;
 
-import java.awt.Shape;
 import java.awt.Rectangle;
-import sun.awt.geom.Curve;
+import java.awt.Shape;
 import java.io.Serializable;
 import java.io.StreamCorruptedException;
 import java.util.Arrays;
 
+import sun.awt.geom.Curve;
+
 /**
  * The {@code Path2D} class provides a simple, yet flexible
  * shape which represents an arbitrary geometric path.
@@ -2594,9 +2595,12 @@ public abstract class Path2D implements Shape, Cloneable {
             throw new java.io.InvalidObjectException(iae.getMessage());
         }
 
-        pointTypes = new byte[(nT < 0) ? INIT_SIZE : nT];
-        if (nC < 0) {
-            nC = INIT_SIZE * 2;
+        // Accept the size from the stream only if it is less than INIT_SIZE
+        // otherwise the size will be based on the real data in the stream
+        pointTypes = new byte[(nT < 0 || nT > INIT_SIZE) ? INIT_SIZE : nT];
+        final int initX2 = INIT_SIZE * 2;
+        if (nC < 0 || nC > initX2) {
+            nC = initX2;
         }
         if (storedbl) {
             ((Path2D.Double) this).doubleCoords = new double[nC];
diff --git a/jdk/src/java.desktop/share/classes/javax/swing/text/html/CSS.java b/jdk/src/java.desktop/share/classes/javax/swing/text/html/CSS.java
index 1acce37568..9123086132 100644
--- a/jdk/src/java.desktop/share/classes/javax/swing/text/html/CSS.java
+++ b/jdk/src/java.desktop/share/classes/javax/swing/text/html/CSS.java
@@ -26,21 +26,27 @@ package javax.swing.text.html;
 
 import java.awt.Color;
 import java.awt.Font;
-import java.awt.GraphicsEnvironment;
-import java.awt.Toolkit;
 import java.awt.HeadlessException;
 import java.awt.Image;
-import java.io.*;
-import java.lang.reflect.Method;
-import java.net.URL;
+import java.awt.Toolkit;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
 import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
-import java.util.Locale;
+
 import javax.swing.ImageIcon;
 import javax.swing.SizeRequirements;
-import javax.swing.text.*;
+import javax.swing.text.AttributeSet;
+import javax.swing.text.Element;
+import javax.swing.text.MutableAttributeSet;
+import javax.swing.text.SimpleAttributeSet;
+import javax.swing.text.StyleConstants;
+import javax.swing.text.StyleContext;
+import javax.swing.text.View;
 
 /**
  * Defines a set of
@@ -3568,7 +3574,7 @@ public class CSS implements Serializable {
 
         // Reconstruct the hashtable.
         int numValues = s.readInt();
-        valueConvertor = new Hashtable<>(Math.max(1, numValues));
+        valueConvertor = new Hashtable<>();
         while (numValues-- > 0) {
             Object key = s.readObject();
             Object value = s.readObject();

From 0c21ed193cb753e528856e9ec4395e919bd2069f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 14 Nov 2017 13:03:01 -0800
Subject: [PATCH 211/269] Added tag jdk-9.0.4+6 for changeset b934e67a6687

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index f7a1549713..f14e11536b 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -443,3 +443,4 @@ c03f6dda488064a24e53e372e5ad00b1d7505f6b jdk-9.0.4+2
 b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 0d40ce5e2249fb4643614855694dd1909112bb97 jdk-9.0.4+4
 7ba3aa648bf9635a75bc124539acc08d06dea600 jdk-9.0.4+5
+46524cd9b1e84d2b60b15d5ef26c7ca6260c41a4 jdk-9.0.4+6

From 748d96b294173297f2638fefd6da01afc089f706 Mon Sep 17 00:00:00 2001
From: Weijun Wang 
Date: Wed, 18 Oct 2017 11:02:47 +0800
Subject: [PATCH 212/269] 8186600: Improve property negotiations

Reviewed-by: valeriep, ahgross, mullan
---
 .../http/spnego/NegotiateCallbackHandler.java | 38 ++++++++++++-------
 .../classes/sun/security/jgss/GSSUtil.java    | 27 +++++--------
 .../sun/security/jgss/LoginConfigImpl.java    | 19 +++++++++-
 3 files changed, 51 insertions(+), 33 deletions(-)

diff --git a/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java b/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
index 43003bfb81..202af32656 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import sun.net.www.protocol.http.HttpCallerInfo;
+import sun.security.jgss.LoginConfigImpl;
 
 /**
  * @since 1.6
@@ -61,19 +62,28 @@ public class NegotiateCallbackHandler implements CallbackHandler {
     private void getAnswer() {
         if (!answered) {
             answered = true;
-            PasswordAuthentication passAuth =
-                    Authenticator.requestPasswordAuthentication(
-                    hci.authenticator,
-                    hci.host, hci.addr, hci.port, hci.protocol,
-                    hci.prompt, hci.scheme, hci.url, hci.authType);
-            /**
-             * To be compatible with existing callback handler implementations,
-             * when the underlying Authenticator is canceled, username and
-             * password are assigned null. No exception is thrown.
-             */
-            if (passAuth != null) {
-                username = passAuth.getUserName();
-                password = passAuth.getPassword();
+            Authenticator auth;
+            if (hci.authenticator != null) {
+                auth = hci.authenticator;
+            } else {
+                auth = LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ?
+                        Authenticator.getDefault() : null;
+            }
+
+            if (auth != null) {
+                PasswordAuthentication passAuth =
+                        auth.requestPasswordAuthenticationInstance(
+                                hci.host, hci.addr, hci.port, hci.protocol,
+                                hci.prompt, hci.scheme, hci.url, hci.authType);
+                /**
+                 * To be compatible with existing callback handler implementations,
+                 * when the underlying Authenticator is canceled, username and
+                 * password are assigned null. No exception is thrown.
+                 */
+                if (passAuth != null) {
+                    username = passAuth.getUserName();
+                    password = passAuth.getPassword();
+                }
             }
         }
     }
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
index abcacf024a..646a8c633c 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -270,24 +270,17 @@ public class GSSUtil {
      */
     public static boolean useSubjectCredsOnly(GSSCaller caller) {
 
-        // HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it
-        // uses the java.net.Authenticator style, therefore always return
-        // false here.
+        String propValue = GetPropertyAction.privilegedGetProperty(
+                "javax.security.auth.useSubjectCredsOnly");
+
+        // Invalid values should be ignored and the default assumed.
         if (caller instanceof HttpCaller) {
-            return false;
+            // Default for HTTP/SPNEGO is false.
+            return "true".equalsIgnoreCase(propValue);
+        } else {
+            // Default for JGSS is true.
+            return !("false".equalsIgnoreCase(propValue));
         }
-        /*
-         * Don't use GetBooleanAction because the default value in the JRE
-         * (when this is unset) has to treated as true.
-         */
-        String propValue = AccessController.doPrivileged(
-                new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
-                "true"));
-        /*
-         * This property has to be explicitly set to "false". Invalid
-         * values should be ignored and the default "true" assumed.
-         */
-        return (!propValue.equalsIgnoreCase("false"));
     }
 
     /**
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
index 26181f7b72..eab531d8db 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.util.HashMap;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import org.ietf.jgss.Oid;
+import sun.security.action.GetPropertyAction;
 
 /**
  * A Configuration implementation especially designed for JGSS.
@@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration {
     private static final sun.security.util.Debug debug =
         sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
 
+    public static final boolean HTTP_USE_GLOBAL_CREDS;
+
+    static {
+        String prop = GetPropertyAction
+                .privilegedGetProperty("http.use.global.creds");
+        //HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
+        HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
+    }
+
+
     /**
      * A new instance of LoginConfigImpl must be created for each login request
      * since it's only used by a single (caller, mech) pair
@@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration {
                 options.put("principal", "*");
                 options.put("isInitiator", "false");
             } else {
-                options.put("useTicketCache", "true");
+                if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
+                    options.put("useTicketCache", "false");
+                } else {
+                    options.put("useTicketCache", "true");
+                }
                 options.put("doNotPrompt", "false");
             }
             return new AppConfigurationEntry[] {

From fea32a26576abf8abc2985ea9679b60fb2fcb5a7 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 18 Oct 2017 10:20:38 -0700
Subject: [PATCH 213/269] Added tag jdk-9.0.4+3 for changeset 9e37d1204cf0

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 8b3697ffa6..3013b4a3bf 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -444,3 +444,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 3a64fdb24a8c26e2d7d32864dad4425a9496b90d jdk-9.0.4+00
 726bf8524f7d3780518ada8648488ad4a7bfe6a2 jdk-9.0.4+1
 8055b6778ac8fc6bb165082230951cc8f146f8fd jdk-9.0.4+2
+572ea0db1d87a1d2fcc01f73ffbcfb78bd5688f4 jdk-9.0.4+3

From ad07b4155d26536b80d4f28e2c853e492935a26a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 18 Oct 2017 10:20:47 -0700
Subject: [PATCH 214/269] Added tag jdk-9.0.4+3 for changeset 2c0392b8b8bb

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index e7e1afcdf5..9611557a7d 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -440,3 +440,4 @@ f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
 0876f7e30c48b7cc0b3c15fcd3860522b1f4ae38 jdk-9.0.4+00
 03683a1b2e25231ea6305c91cae4cf83d01738f0 jdk-9.0.4+1
 bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
+7e5bd44ac820cfb3ccceaf1c2e72d3701a625946 jdk-9.0.4+3

From e376a4efa147ae3e81c7f608d6096af74491dc39 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 18 Oct 2017 10:21:01 -0700
Subject: [PATCH 215/269] Added tag jdk-9.0.4+3 for changeset dc195a2229ad

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 603b6d7656..df8689dfe3 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -600,3 +600,4 @@ a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 5be37d3ef648d06850aa164d8b22ac7539559e80 jdk-9.0.4+00
 46290b7298be50f9a70d27465d50d1675732f0af jdk-9.0.4+1
 dab4c60adabfb8ea35cfcd96a7218994a84d652f jdk-9.0.4+2
+deed95e4b4cba997b3cc13b62e33615fd11bc902 jdk-9.0.4+3

From 716cdd7084e2f49814eaa66d7f5c65a97e9f6532 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 1 Nov 2017 12:06:20 -0700
Subject: [PATCH 216/269] Added tag jdk-9.0.4+4 for changeset dadc0ddee768

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index df8689dfe3..5d54dc2dc5 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -601,3 +601,4 @@ a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 46290b7298be50f9a70d27465d50d1675732f0af jdk-9.0.4+1
 dab4c60adabfb8ea35cfcd96a7218994a84d652f jdk-9.0.4+2
 deed95e4b4cba997b3cc13b62e33615fd11bc902 jdk-9.0.4+3
+ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4

From 3af3dcb3f6c38ac0630cd285bf61c1a081053588 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 7 Nov 2017 18:41:26 -0800
Subject: [PATCH 217/269] Added tag jdk-9.0.4+5 for changeset 8974573f013f

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 5d54dc2dc5..67a66a248f 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -602,3 +602,4 @@ a10c11fed5bdc5202523baee3cf391cc0e0cfcaa jdk-9.0.3+9
 dab4c60adabfb8ea35cfcd96a7218994a84d652f jdk-9.0.4+2
 deed95e4b4cba997b3cc13b62e33615fd11bc902 jdk-9.0.4+3
 ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4
+11116cc619ac1b0d00cdcd47e8a7eb2339207bbf jdk-9.0.4+5

From cbde827f05e31d807b7dfcb0885836a1bbc526cd Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 14 Nov 2017 13:02:05 -0800
Subject: [PATCH 218/269] Added tag jdk-9.0.4+6 for changeset 0c3151cb549f

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 67a66a248f..fc92a3a254 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -603,3 +603,4 @@ dab4c60adabfb8ea35cfcd96a7218994a84d652f jdk-9.0.4+2
 deed95e4b4cba997b3cc13b62e33615fd11bc902 jdk-9.0.4+3
 ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4
 11116cc619ac1b0d00cdcd47e8a7eb2339207bbf jdk-9.0.4+5
+f3ba0e190ffcc82f1ed0dd8275a51096123514b6 jdk-9.0.4+6

From ee68c6f5988a190524890887b5c5b03d1736814a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 21 Nov 2017 20:59:46 -0800
Subject: [PATCH 219/269] Added tag jdk-9.0.4+7 for changeset b4130360f425

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index fc92a3a254..fe0da5a280 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -604,3 +604,4 @@ deed95e4b4cba997b3cc13b62e33615fd11bc902 jdk-9.0.4+3
 ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4
 11116cc619ac1b0d00cdcd47e8a7eb2339207bbf jdk-9.0.4+5
 f3ba0e190ffcc82f1ed0dd8275a51096123514b6 jdk-9.0.4+6
+e020892c9b441ff0855479ad4de63a9eb4b59bf7 jdk-9.0.4+7

From 5c97fc2606893af557a3746f2afe93e913be2b44 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 13:10:20 -0800
Subject: [PATCH 220/269] Added tag jdk-9.0.4+8 for changeset 96cf60cb81bf

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index fe0da5a280..7ac047ef8c 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -605,3 +605,4 @@ ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4
 11116cc619ac1b0d00cdcd47e8a7eb2339207bbf jdk-9.0.4+5
 f3ba0e190ffcc82f1ed0dd8275a51096123514b6 jdk-9.0.4+6
 e020892c9b441ff0855479ad4de63a9eb4b59bf7 jdk-9.0.4+7
+d74a282dcd6d05cc3752c8e29a526eb9216fa08c jdk-9.0.4+8

From f833b2088cdbc793ece68ac03724ccfcf538ac04 Mon Sep 17 00:00:00 2001
From: Martin Doerr 
Date: Mon, 30 Oct 2017 17:14:39 +0100
Subject: [PATCH 221/269] 8190285: s390: Some java boolean checks are not
 correct

Reviewed-by: lucy, coleenp
---
 .../src/cpu/s390/vm/c1_LIRGenerator_s390.cpp  | 13 +++++---
 hotspot/src/cpu/s390/vm/interp_masm_s390.cpp  | 32 +++++++++++++++++++
 hotspot/src/cpu/s390/vm/interp_masm_s390.hpp  |  2 ++
 .../vm/templateInterpreterGenerator_s390.cpp  |  6 ++++
 .../src/cpu/s390/vm/templateTable_s390.cpp    | 21 +++++++++++-
 5 files changed, 68 insertions(+), 6 deletions(-)

diff --git a/hotspot/src/cpu/s390/vm/c1_LIRGenerator_s390.cpp b/hotspot/src/cpu/s390/vm/c1_LIRGenerator_s390.cpp
index 0ec97da623..ca6abb0598 100644
--- a/hotspot/src/cpu/s390/vm/c1_LIRGenerator_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/c1_LIRGenerator_s390.cpp
@@ -291,7 +291,7 @@ void LIRGenerator::do_StoreIndexed(StoreIndexed* x) {
     length.set_instruction(x->length());
     length.load_item();
   }
-  if (needs_store_check) {
+  if (needs_store_check || x->check_boolean()) {
     value.load_item();
   } else {
     value.load_for_store(x->elt_type());
@@ -341,11 +341,14 @@ void LIRGenerator::do_StoreIndexed(StoreIndexed* x) {
     // Needs GC write barriers.
     pre_barrier(LIR_OprFact::address(array_addr), LIR_OprFact::illegalOpr /* pre_val */,
                 true /* do_load */, false /* patch */, NULL);
-    __ move(value.result(), array_addr, null_check_info);
-    // Seems to be a precise.
+  }
+
+  LIR_Opr result = maybe_mask_boolean(x, array.result(), value.result(), null_check_info);
+  __ move(result, array_addr, null_check_info);
+
+  if (obj_store) {
+    // Precise card mark
     post_barrier(LIR_OprFact::address(array_addr), value.result());
-  } else {
-    __ move(value.result(), array_addr, null_check_info);
   }
 }
 
diff --git a/hotspot/src/cpu/s390/vm/interp_masm_s390.cpp b/hotspot/src/cpu/s390/vm/interp_masm_s390.cpp
index 8cec2da25a..60d35285ea 100644
--- a/hotspot/src/cpu/s390/vm/interp_masm_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/interp_masm_s390.cpp
@@ -842,6 +842,38 @@ void InterpreterMacroAssembler::unlock_if_synchronized_method(TosState state,
   verify_oop(Z_tos, state);
 }
 
+void InterpreterMacroAssembler::narrow(Register result, Register ret_type) {
+  get_method(ret_type);
+  z_lg(ret_type, Address(ret_type, in_bytes(Method::const_offset())));
+  z_lb(ret_type, Address(ret_type, in_bytes(ConstMethod::result_type_offset())));
+
+  Label notBool, notByte, notChar, done;
+
+  // common case first
+  compareU32_and_branch(ret_type, T_INT, bcondEqual, done);
+
+  compareU32_and_branch(ret_type, T_BOOLEAN, bcondNotEqual, notBool);
+  z_nilf(result, 0x1);
+  z_bru(done);
+
+  bind(notBool);
+  compareU32_and_branch(ret_type, T_BYTE, bcondNotEqual, notByte);
+  z_lbr(result, result);
+  z_bru(done);
+
+  bind(notByte);
+  compareU32_and_branch(ret_type, T_CHAR, bcondNotEqual, notChar);
+  z_nilf(result, 0xffff);
+  z_bru(done);
+
+  bind(notChar);
+  // compareU32_and_branch(ret_type, T_SHORT, bcondNotEqual, notShort);
+  z_lhr(result, result);
+
+  // Nothing to do for T_INT
+  bind(done);
+}
+
 // remove activation
 //
 // Unlock the receiver if this is a synchronized method.
diff --git a/hotspot/src/cpu/s390/vm/interp_masm_s390.hpp b/hotspot/src/cpu/s390/vm/interp_masm_s390.hpp
index 5f29a60648..34aa11a957 100644
--- a/hotspot/src/cpu/s390/vm/interp_masm_s390.hpp
+++ b/hotspot/src/cpu/s390/vm/interp_masm_s390.hpp
@@ -86,6 +86,8 @@ class InterpreterMacroAssembler: public MacroAssembler {
   void dispatch_next_noverify_oop(TosState state, int step = 0);
   void dispatch_via(TosState state, address* table);
 
+  void narrow(Register result, Register ret_type);
+
   // Jump to an invoked target.
   void prepare_to_jump_from_interpreted(Register method);
   void jump_from_interpreted(Register method, Register temp);
diff --git a/hotspot/src/cpu/s390/vm/templateInterpreterGenerator_s390.cpp b/hotspot/src/cpu/s390/vm/templateInterpreterGenerator_s390.cpp
index 20a9a3e957..1333dd8a45 100644
--- a/hotspot/src/cpu/s390/vm/templateInterpreterGenerator_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/templateInterpreterGenerator_s390.cpp
@@ -2314,6 +2314,12 @@ address TemplateInterpreterGenerator::generate_earlyret_entry_for (TosState stat
   __ store_const(Address(RjvmtiState, JvmtiThreadState::earlyret_state_offset()),
                  JvmtiThreadState::earlyret_inactive, 4, 4, Z_R0_scratch);
 
+  if (state == itos) {
+    // Narrow result if state is itos but result type is smaller.
+    // Need to narrow in the return bytecode rather than in generate_return_entry
+    // since compiled code callers expect the result to already be narrowed.
+    __ narrow(Z_tos, Z_tmp_1); /* fall through */
+  }
   __ remove_activation(state,
                        Z_tmp_1, // retaddr
                        false,   // throw_monitor_exception
diff --git a/hotspot/src/cpu/s390/vm/templateTable_s390.cpp b/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
index 83d707dbd6..1e471d7b02 100644
--- a/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
@@ -1174,8 +1174,20 @@ void TemplateTable::bastore() {
   __ pop_i(Z_ARG3);
   __ pop_ptr(Z_tmp_2);
   // Z_tos   : value
-  // Z_ARG3 : index
+  // Z_ARG3  : index
   // Z_tmp_2 : array
+
+  // Need to check whether array is boolean or byte
+  // since both types share the bastore bytecode.
+  __ load_klass(Z_tmp_1, Z_tmp_2);
+  __ z_llgf(Z_tmp_1, Address(Z_tmp_1, Klass::layout_helper_offset()));
+  __ z_tmll(Z_tmp_1, Klass::layout_helper_boolean_diffbit());
+  Label L_skip;
+  __ z_bfalse(L_skip);
+  // if it is a T_BOOLEAN array, mask the stored value to 0/1
+  __ z_nilf(Z_tos, 0x1);
+  __ bind(L_skip);
+
   // No index shift necessary - pass 0.
   index_check(Z_tmp_2, Z_ARG3, 0); // Prefer index in Z_ARG3.
   __ z_stc(Z_tos,
@@ -2321,6 +2333,13 @@ void TemplateTable::_return(TosState state) {
     __ bind(skip_register_finalizer);
   }
 
+  if (state == itos) {
+    // Narrow result if state is itos but result type is smaller.
+    // Need to narrow in the return bytecode rather than in generate_return_entry
+    // since compiled code callers expect the result to already be narrowed.
+    __ narrow(Z_tos, Z_tmp_1); /* fall through */
+  }
+
   __ remove_activation(state, Z_R14);
   __ z_br(Z_R14);
 }

From 47da2db90951b7c6171a0a050b03dea4a0f7f089 Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan 
Date: Tue, 31 Oct 2017 01:00:12 +0000
Subject: [PATCH 222/269] 8163237: Restrict the use of EXPORT cipher suites

Reviewed-by: mullan, igerasim, rhalade, jnimeh
---
 jdk/src/java.base/share/conf/security/java.security       | 4 +---
 jdk/test/sun/security/ssl/ClientHandshaker/RSAExport.java | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security
index f7b761821e..a572781d50 100644
--- a/jdk/src/java.base/share/conf/security/java.security
+++ b/jdk/src/java.base/share/conf/security/java.security
@@ -676,7 +676,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224
+    EC keySize < 224, DES40_CBC, RC4_40
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
@@ -737,8 +737,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
 #
 jdk.tls.legacyAlgorithms= \
         K_NULL, C_NULL, M_NULL, \
-        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
-        DH_RSA_EXPORT, RSA_EXPORT, \
         DH_anon, ECDH_anon, \
         RC4_128, RC4_40, DES_CBC, DES40_CBC, \
         3DES_EDE_CBC
diff --git a/jdk/test/sun/security/ssl/ClientHandshaker/RSAExport.java b/jdk/test/sun/security/ssl/ClientHandshaker/RSAExport.java
index 48d01f8ccb..54ebadd9f5 100644
--- a/jdk/test/sun/security/ssl/ClientHandshaker/RSAExport.java
+++ b/jdk/test/sun/security/ssl/ClientHandshaker/RSAExport.java
@@ -419,6 +419,7 @@ public class RSAExport {
         // reset the security property to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
+        Security.setProperty("jdk.tls.disabledAlgorithms", "MD2");
 
         if (debug)
             System.setProperty("javax.net.debug", "all");

From 05f6dc253b4aa3269856327801728f8c30cb1771 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 1 Nov 2017 12:05:56 -0700
Subject: [PATCH 223/269] Added tag jdk-9.0.4+4 for changeset 0f643e01d60b

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 3013b4a3bf..5aa2f33f18 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -445,3 +445,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 726bf8524f7d3780518ada8648488ad4a7bfe6a2 jdk-9.0.4+1
 8055b6778ac8fc6bb165082230951cc8f146f8fd jdk-9.0.4+2
 572ea0db1d87a1d2fcc01f73ffbcfb78bd5688f4 jdk-9.0.4+3
+0053ace2e9e484fb52d00ec961e24805d0aae04a jdk-9.0.4+4

From 0213573060432cf4aff74419abc1c1822e4f894a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 1 Nov 2017 12:06:06 -0700
Subject: [PATCH 224/269] Added tag jdk-9.0.4+4 for changeset 262756f78d90

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 9611557a7d..6dd435d0e7 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -441,3 +441,4 @@ f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
 03683a1b2e25231ea6305c91cae4cf83d01738f0 jdk-9.0.4+1
 bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
 7e5bd44ac820cfb3ccceaf1c2e72d3701a625946 jdk-9.0.4+3
+37249aa145988b06ec51b490e0d3d343f8faf660 jdk-9.0.4+4

From a313b7f708a37ca55b898a302efbfce76973a9fa Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Thu, 2 Nov 2017 10:57:58 -0700
Subject: [PATCH 225/269] 8190550: Update milestone to fcs for 9.0.4+5

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index e8f5d8f455..4ad67f40a2 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -1244,7 +1244,7 @@ var versionArgs = function(input, common) {
     if (input.build_type == "promoted") {
         args = concat(args,
                       // This needs to be changed when we start building release candidates
-                      "--with-version-pre=ea",
+                      "--with-version-pre=fcs",
                       "--without-version-opt");
     } else {
         args = concat(args, "--with-version-opt=" + common.build_id);

From 9aa121703a5b94029e7088a277234d1e660d37f0 Mon Sep 17 00:00:00 2001
From: Weijun Wang 
Date: Sat, 4 Nov 2017 09:18:51 +0800
Subject: [PATCH 226/269] 8186606: Improve LDAP lookup robustness

Reviewed-by: mullan, skoivu, ahgross
---
 .../certpath/ldap/LDAPCertStoreImpl.java      | 69 +++++++++++++++----
 1 file changed, 57 insertions(+), 12 deletions(-)

diff --git a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
index 8813ff6e33..5465f4898f 100644
--- a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
+++ b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
@@ -26,9 +26,11 @@
 package sun.security.provider.certpath.ldap;
 
 import java.io.ByteArrayInputStream;
-import java.io.IOException;
+import java.net.URI;
 import java.util.*;
+import javax.naming.CompositeName;
 import javax.naming.Context;
+import javax.naming.InvalidNameException;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.NameNotFoundException;
@@ -44,6 +46,7 @@ import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
 import javax.security.auth.x500.X500Principal;
 
+import com.sun.jndi.ldap.LdapReferralException;
 import sun.security.util.HexDumpEncoder;
 import sun.security.provider.certpath.X509CertificatePair;
 import sun.security.util.Cache;
@@ -181,13 +184,9 @@ final class LDAPCertStoreImpl {
         try {
             ctx = new InitialLdapContext(env, null);
             /*
-             * By default, follow referrals unless application has
-             * overridden property in an application resource file.
+             * Always deal with referrals here.
              */
-            Hashtable currentEnv = ctx.getEnvironment();
-            if (currentEnv.get(Context.REFERRAL) == null) {
-                ctx.addToEnvironment(Context.REFERRAL, "follow-scheme");
-            }
+            ctx.addToEnvironment(Context.REFERRAL, "throw");
         } catch (NamingException e) {
             if (debug != null) {
                 debug.println("LDAPCertStore.engineInit about to throw "
@@ -223,11 +222,25 @@ final class LDAPCertStoreImpl {
         private Map valueMap;
         private final List requestedAttributes;
 
-        LDAPRequest(String name) {
-            this.name = name;
+        LDAPRequest(String name) throws CertStoreException {
+            this.name = checkName(name);
             requestedAttributes = new ArrayList<>(5);
         }
 
+        private String checkName(String name) throws CertStoreException {
+            if (name == null) {
+                throw new CertStoreException("Name absent");
+            }
+            try {
+                if (new CompositeName(name).size() != 1) {
+                    throw new CertStoreException("Invalid name: " + name);
+                }
+            } catch (InvalidNameException ine) {
+                throw new CertStoreException("Invalid name: " + name, ine);
+            }
+            return name;
+        }
+
         String getName() {
             return name;
         }
@@ -242,7 +255,6 @@ final class LDAPCertStoreImpl {
         /**
          * Gets one or more binary values from an attribute.
          *
-         * @param name          the location holding the attribute
          * @param attrId                the attribute identifier
          * @return                      an array of binary values (byte arrays)
          * @throws NamingException      if a naming exception occurs
@@ -300,6 +312,39 @@ final class LDAPCertStoreImpl {
 
             try {
                 attrs = ctx.getAttributes(name, attrIds);
+            } catch (LdapReferralException lre) {
+                // LdapCtx has a hopCount field to avoid infinite loop
+                while (true) {
+                    try {
+                        String newName = (String) lre.getReferralInfo();
+                        URI newUri = new URI(newName);
+                        if (!newUri.getScheme().equalsIgnoreCase("ldap")) {
+                            throw new IllegalArgumentException("Not LDAP");
+                        }
+                        String newDn = newUri.getPath();
+                        if (newDn != null && newDn.charAt(0) == '/') {
+                            newDn = newDn.substring(1);
+                        }
+                        checkName(newDn);
+                    } catch (Exception e) {
+                        throw new NamingException("Cannot follow referral to "
+                                + lre.getReferralInfo());
+                    }
+                    LdapContext refCtx =
+                            (LdapContext)lre.getReferralContext();
+
+                    // repeat the original operation at the new context
+                    try {
+                        attrs = refCtx.getAttributes(name, attrIds);
+                        break;
+                    } catch (LdapReferralException re) {
+                        lre = re;
+                        continue;
+                    } finally {
+                        // Make sure we close referral context
+                        refCtx.close();
+                    }
+                }
             } catch (CommunicationException ce) {
                 communicationError = true;
                 throw ce;
@@ -513,7 +558,7 @@ final class LDAPCertStoreImpl {
      * X509CertSelector), a CertStoreException is
      * thrown.
      *
-     * @param selector a X509CertSelector used to select which
+     * @param xsel a X509CertSelector used to select which
      *  Certificates should be returned.
      * @return a Collection of X509Certificates that
      *         match the specified selector
@@ -684,7 +729,7 @@ final class LDAPCertStoreImpl {
      * (or the selector is not an X509CRLSelector), a
      * CertStoreException is thrown.
      *
-     * @param selector A X509CRLSelector used to select which
+     * @param xsel A X509CRLSelector used to select which
      *  CRLs should be returned. Specify null
      *  to return all CRLs.
      * @return A Collection of X509CRLs that

From 5dca52f60352611951567083626794be9bfff6c7 Mon Sep 17 00:00:00 2001
From: Weijun Wang 
Date: Mon, 6 Nov 2017 22:06:01 +0800
Subject: [PATCH 227/269] 8190789:
 sun/security/provider/certpath/LDAPCertStore/TestURICertStoreParameters.java
 fails after JDK-8186606

Reviewed-by: mullan
---
 .../sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
index 5465f4898f..5b7e821269 100644
--- a/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
+++ b/jdk/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreImpl.java
@@ -232,7 +232,7 @@ final class LDAPCertStoreImpl {
                 throw new CertStoreException("Name absent");
             }
             try {
-                if (new CompositeName(name).size() != 1) {
+                if (new CompositeName(name).size() > 1) {
                     throw new CertStoreException("Invalid name: " + name);
                 }
             } catch (InvalidNameException ine) {

From 70b82384ca46f0b34f228c21b67c4983945f3e8b Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 6 Nov 2017 19:52:20 +0100
Subject: [PATCH 228/269] 8190718: Change OpenJDK RI builds of Windows to x64

Reviewed-by: tbell, asaha
---
 common/conf/jib-profiles.js | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 4ad67f40a2..969a534947 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -857,41 +857,41 @@ var getJibProfilesProfiles = function (input, common, data) {
             }
         },
 
-        "windows-x86-open": {
+        "windows-x64-open": {
             artifacts: {
                 jdk: {
                     local: "bundles/\\(jdk.*bin.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x86/jdk-" + data.version
-                            + "_windows-x86_bin.tar.gz",
-                        "bundles/openjdk/GPL/windows-x86/\\1"
+                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                            + "_windows-x64_bin.tar.gz",
+                        "bundles/openjdk/GPL/windows-x64/\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
                 jre: {
                     local: "bundles/\\(jre.*bin.tar.gz\\)",
-                    remote: "bundles/openjdk/GPL/windows-x86/\\1"
+                    remote: "bundles/openjdk/GPL/windows-x64/\\1"
                 },
                 test: {
                     local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x86/jdk-" + data.version
-                            + "_windows-x86_bin-tests.tar.gz",
-                        "bundles/openjdk/GPL/windows-x86/\\1"
+                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                            + "_windows-x64_bin-tests.tar.gz",
+                        "bundles/openjdk/GPL/windows-x64/\\1"
                     ]
                 },
                 jdk_symbols: {
                     local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x86/jdk-" + data.version
-                            + "_windows-x86_bin-symbols.tar.gz",
-                        "bundles/openjdk/GPL/windows-x86/\\1"
+                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                            + "_windows-x64_bin-symbols.tar.gz",
+                        "bundles/openjdk/GPL/windows-x64/\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
                 jre_symbols: {
                     local: "bundles/\\(jre.*bin-symbols.tar.gz\\)",
-                    remote: "bundles/openjdk/GPL/windows-x86/\\1",
+                    remote: "bundles/openjdk/GPL/windows-x64/\\1",
                 }
             }
         },
@@ -924,10 +924,10 @@ var getJibProfilesProfiles = function (input, common, data) {
     profiles["linux-x86-ri"] = clone(profiles["linux-x86-open"]);
     profiles["linux-x86-ri-debug"] = clone(profiles["linux-x86-open-debug"]);
     profiles["macosx-x64-ri"] = clone(profiles["macosx-x64-open"]);
-    profiles["windows-x86-ri"] = clone(profiles["windows-x86-open"]);
+    profiles["windows-x64-ri"] = clone(profiles["windows-x64-open"]);
 
     // Generate artifacts for ri profiles
-    [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "macosx-x64-ri", "windows-x86-ri" ]
+    [ "linux-x64-ri", "linux-x86-ri", "linux-x86-ri-debug", "macosx-x64-ri", "windows-x64-ri" ]
         .forEach(function (name) {
             // Rewrite all remote dirs to "bundles/openjdk/BCL/..."
             for (artifactName in profiles[name].artifacts) {
@@ -939,10 +939,10 @@ var getJibProfilesProfiles = function (input, common, data) {
 
     // The windows ri profile needs to add the freetype license file
     profilesRiFreetype = {
-        "windows-x86-ri": {
+        "windows-x64-ri": {
             configure_args: "--with-freetype-license="
                 + input.get("freetype", "install_path")
-                + "/freetype-2.7.1-v120-x86/freetype.md"
+                + "/freetype-2.7.1-v120-x64/freetype.md"
         }
     };
     profiles = concatObjects(profiles, profilesRiFreetype);

From e533f3858cd0379a62bad1d1c78344320f27a056 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 7 Nov 2017 18:41:05 -0800
Subject: [PATCH 229/269] Added tag jdk-9.0.4+5 for changeset fe660d418505

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 5aa2f33f18..cced07f3b2 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -446,3 +446,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 8055b6778ac8fc6bb165082230951cc8f146f8fd jdk-9.0.4+2
 572ea0db1d87a1d2fcc01f73ffbcfb78bd5688f4 jdk-9.0.4+3
 0053ace2e9e484fb52d00ec961e24805d0aae04a jdk-9.0.4+4
+73d63ccf56f46f258f367ed72633f0f5cc229680 jdk-9.0.4+5

From 534bd64b23c66d4bb2b043efeb8eaf9ea8456f80 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 7 Nov 2017 18:41:13 -0800
Subject: [PATCH 230/269] Added tag jdk-9.0.4+5 for changeset a010f3342a41

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 6dd435d0e7..b99f18cd0b 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -442,3 +442,4 @@ f67e7e2c01929cfe7a1a3cb2f4b279c1d4fee120 jdk-9.0.1+11
 bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
 7e5bd44ac820cfb3ccceaf1c2e72d3701a625946 jdk-9.0.4+3
 37249aa145988b06ec51b490e0d3d343f8faf660 jdk-9.0.4+4
+ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5

From ca10e9d7695903c5624f024ed44891f34c83ddfb Mon Sep 17 00:00:00 2001
From: Ramanand Patil 
Date: Thu, 9 Nov 2017 14:49:17 +0530
Subject: [PATCH 231/269] 8190258: (tz) Support tzdata2017c 8190259: test
 tck.java.time.zone.TCKZoneRules is broken by tzdata2017c

Reviewed-by: naoto, martin
---
 jdk/make/data/tzdata/VERSION                  |   2 +-
 jdk/make/data/tzdata/africa                   |  99 ++++++----
 jdk/make/data/tzdata/antarctica               |   8 +-
 jdk/make/data/tzdata/asia                     | 144 ++++++++++-----
 jdk/make/data/tzdata/australasia              |  67 ++++---
 jdk/make/data/tzdata/backward                 |   4 +-
 jdk/make/data/tzdata/europe                   |  88 ++++-----
 jdk/make/data/tzdata/leapseconds              |  17 +-
 jdk/make/data/tzdata/northamerica             | 169 +++++++++++-------
 jdk/make/data/tzdata/southamerica             |  32 ++--
 jdk/make/data/tzdata/zone.tab                 |   4 +-
 .../classes/java/time/format/ZoneName.java    |   7 +-
 .../sun/util/resources/TimeZoneNames.java     |   7 +-
 .../util/resources/ext/TimeZoneNames_de.java  |   7 +-
 .../util/resources/ext/TimeZoneNames_es.java  |   7 +-
 .../util/resources/ext/TimeZoneNames_fr.java  |   7 +-
 .../util/resources/ext/TimeZoneNames_it.java  |   7 +-
 .../util/resources/ext/TimeZoneNames_ja.java  |   7 +-
 .../util/resources/ext/TimeZoneNames_ko.java  |   7 +-
 .../resources/ext/TimeZoneNames_pt_BR.java    |   7 +-
 .../util/resources/ext/TimeZoneNames_sv.java  |   7 +-
 .../resources/ext/TimeZoneNames_zh_CN.java    |   7 +-
 .../resources/ext/TimeZoneNames_zh_TW.java    |   7 +-
 .../time/tck/java/time/zone/TCKZoneRules.java |  16 +-
 .../time/test/java/time/format/ZoneName.java  |   5 +-
 jdk/test/sun/util/calendar/zi/tzdata/VERSION  |   2 +-
 jdk/test/sun/util/calendar/zi/tzdata/africa   |  99 ++++++----
 .../sun/util/calendar/zi/tzdata/antarctica    |   8 +-
 jdk/test/sun/util/calendar/zi/tzdata/asia     | 144 ++++++++++-----
 .../sun/util/calendar/zi/tzdata/australasia   |  67 ++++---
 jdk/test/sun/util/calendar/zi/tzdata/backward |   4 +-
 jdk/test/sun/util/calendar/zi/tzdata/europe   |  88 ++++-----
 .../sun/util/calendar/zi/tzdata/leapseconds   |  17 +-
 .../sun/util/calendar/zi/tzdata/northamerica  | 169 +++++++++++-------
 .../sun/util/calendar/zi/tzdata/southamerica  |  32 ++--
 jdk/test/sun/util/calendar/zi/tzdata/zone.tab |   4 +-
 36 files changed, 838 insertions(+), 535 deletions(-)

diff --git a/jdk/make/data/tzdata/VERSION b/jdk/make/data/tzdata/VERSION
index eb5b4595f3..6642908310 100644
--- a/jdk/make/data/tzdata/VERSION
+++ b/jdk/make/data/tzdata/VERSION
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2017b
+tzdata2017c
diff --git a/jdk/make/data/tzdata/africa b/jdk/make/data/tzdata/africa
index d3de96d143..10d4dfaabb 100644
--- a/jdk/make/data/tzdata/africa
+++ b/jdk/make/data/tzdata/africa
@@ -49,7 +49,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # A reliable and entertaining source about time zones is
 # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997).
@@ -241,7 +241,7 @@ Rule	Egypt	2006	only	-	Sep	21	24:00	0	-
 # saving time in Egypt will end in the night of 2007-09-06 to 2007-09-07.
 # From Jesper Nørgaard Welen (2007-08-15): [The following agree:]
 # http://www.nentjes.info/Bill/bill5.htm
-# http://www.timeanddate.com/worldclock/city.html?n=53
+# https://www.timeanddate.com/worldclock/city.html?n=53
 # From Steffen Thorsen (2007-09-04): The official information...:
 # http://www.sis.gov.eg/En/EgyptOnline/Miscellaneous/000002/0207000000000000001580.htm
 Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
@@ -279,8 +279,8 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # timeanddate[2] and another site I've found[3] also support that.
 #
 # [1] https://bugzilla.redhat.com/show_bug.cgi?id=492263
-# [2] http://www.timeanddate.com/worldclock/clockchange.html?n=53
-# [3] http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
+# [2] https://www.timeanddate.com/worldclock/clockchange.html?n=53
+# [3] https://wwp.greenwichmeantime.com/time-zone/africa/egypt/
 
 # From Arthur David Olson (2009-04-20):
 # In 2009 (and for the next several years), Ramadan ends before the fourth
@@ -290,10 +290,10 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # From Steffen Thorsen (2009-08-11):
 # We have been able to confirm the August change with the Egyptian Cabinet
 # Information and Decision Support Center:
-# http://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
+# https://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
 #
 # The Middle East News Agency
-# http://www.mena.org.eg/index.aspx
+# https://www.mena.org.eg/index.aspx
 # also reports "Egypt starts winter time on August 21"
 # today in article numbered "71, 11/08/2009 12:25 GMT."
 # Only the title above is available without a subscription to their service,
@@ -343,7 +343,7 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # Thursday of April....  Clocks will still be turned back for Ramadan, but
 # dates not yet announced....
 # http://almogaz.com/news/weird-news/2015/04/05/1947105 ...
-# http://www.timeanddate.com/news/time/egypt-starts-dst-2015.html
+# https://www.timeanddate.com/news/time/egypt-starts-dst-2015.html
 
 # From Ahmed Nazmy (2015-04-20):
 # Egypt's ministers cabinet just announced ... that it will cancel DST at
@@ -470,11 +470,11 @@ Zone	Africa/Monrovia	-0:43:08 -	LMT	1882
 
 # From Even Scharning (2012-11-10):
 # Libya set their time one hour back at 02:00 on Saturday November 10.
-# http://www.libyaherald.com/2012/11/04/clocks-to-go-back-an-hour-on-saturday/
+# https://www.libyaherald.com/2012/11/04/clocks-to-go-back-an-hour-on-saturday/
 # Here is an official source [in Arabic]: http://ls.ly/fb6Yc
 #
 # Steffen Thorsen forwarded a translation (2012-11-10) in
-# http://mm.icann.org/pipermail/tz/2012-November/018451.html
+# https://mm.icann.org/pipermail/tz/2012-November/018451.html
 #
 # From Tim Parenti (2012-11-11):
 # Treat the 2012-11-10 change as a zone change from UTC+2 to UTC+1.
@@ -485,7 +485,7 @@ Zone	Africa/Monrovia	-0:43:08 -	LMT	1882
 # From Even Scharning (2013-10-25):
 # The scheduled end of DST in Libya on Friday, October 25, 2013 was
 # cancelled yesterday....
-# http://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
+# https://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
 #
 # From Paul Eggert (2013-10-25):
 # For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
@@ -538,7 +538,7 @@ Zone	Africa/Tripoli	0:52:44 -	LMT	1920
 # basis....
 # It seems that Mauritius observed daylight saving time from 1982-10-10 to
 # 1983-03-20 as well, but that was not successful....
-# http://www.timeanddate.com/news/time/mauritius-daylight-saving-time.html
+# https://www.timeanddate.com/news/time/mauritius-daylight-saving-time.html
 
 # From Alex Krivenyshev (2008-06-25):
 # http://economicdevelopment.gov.mu/portal/site/Mainhomepage/menuitem.a42b24128104d9845dabddd154508a0c/?content_id=0a7cee8b5d69a110VgnVCM1000000a04a8c0RCRD
@@ -606,7 +606,7 @@ Zone	Africa/Tripoli	0:52:44 -	LMT	1920
 # http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints-
 #
 # Our wrap-up:
-# http://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
+# https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
 
 # From Arthur David Olson (2009-07-11):
 # The "mauritius-dst-will-not-repeat" wrapup includes this:
@@ -638,7 +638,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # be one hour ahead of GMT between 1 June and 27 September, according to
 # Communication Minister and Government Spokesman, Khalid Naciri...."
 #
-# http://www.worldtimezone.net/dst_news/dst_news_morocco01.html
+# http://www.worldtimezone.com/dst_news/dst_news_morocco01.html
 # http://en.afrik.com/news11892.html
 
 # From Alex Krivenyshev (2008-05-09):
@@ -651,7 +651,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 
 # From Patrice Scattolin (2008-05-09):
 # According to this article:
-# http://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
+# https://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
 # (and republished here: )
 # the changes occur at midnight:
 #
@@ -673,7 +673,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # posted in English).
 #
 # The following Google query will generate many relevant hits:
-# http://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
+# https://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
 
 # From Steffen Thorsen (2008-08-27):
 # Morocco will change the clocks back on the midnight between August 31
@@ -684,7 +684,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # http://www.menara.ma/fr/Actualites/Maroc/Societe/ci.retour_a_l_heure_gmt_a_partir_du_dimanche_31_aout_a_minuit_officiel_.default
 #
 # We have some further details posted here:
-# http://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
+# https://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
 
 # From Steffen Thorsen (2009-03-17):
 # Morocco will observe DST from 2009-06-01 00:00 to 2009-08-21 00:00 according
@@ -694,7 +694,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # (French)
 #
 # Our summary:
-# http://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
+# https://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to official document from Royaume du Maroc Premier Ministre,
@@ -717,7 +717,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # http://www.lavieeco.com/actualites/4099-le-maroc-passera-a-l-heure-d-ete-gmt1-le-2-mai.html
 # (French)
 # Our page:
-# http://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
+# https://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
 
 # From Dan Abitol (2011-03-30):
 # ...Rules for Africa/Casablanca are the following (24h format)
@@ -734,7 +734,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # They said that the decision was already taken.
 #
 # More articles in the press
-# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
+# https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
 # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923
 # http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim
 
@@ -826,7 +826,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # 1433 (18 April 2012) and the decision of the Head of Government of
 # 16 N. 3-29-15 Chaaban 1435 (4 June 2015).
 # Source (french):
-# http://lnt.ma/le-maroc-reculera-dune-heure-le-dimanche-14-juin/
+# https://lnt.ma/le-maroc-reculera-dune-heure-le-dimanche-14-juin/
 #
 # From Milamber (2015-06-09):
 # http://www.mmsp.gov.ma/fr/actualites.aspx?id=863
@@ -835,7 +835,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # [The gov.ma announcement] would (probably) make the switch on 2015-07-19 go
 # from 03:00 to 04:00 rather than from 02:00 to 03:00, as in the patch....
 # I think the patch is correct and the quoted text is wrong; the text in
-#  agrees
+#  agrees
 # with the patch.
 
 # From Paul Eggert (2015-06-08):
@@ -960,9 +960,17 @@ Link Africa/Maputo Africa/Kigali	# Rwanda
 Link Africa/Maputo Africa/Lubumbashi	# E Dem. Rep. of Congo
 Link Africa/Maputo Africa/Lusaka	# Zambia
 
+
 # Namibia
-# The 1994-04-03 transition is from Shanks & Pottenger.
-# Shanks & Pottenger report no DST after 1998-04; go with IATA.
+
+# From Arthur David Olson (2017-08-09):
+# The text of the "Namibia Time Act, 1994" is available online at
+# www.lac.org.na/laws/1994/811.pdf
+# and includes this nugget:
+# Notwithstanding the provisions of subsection (2) of section 1, the
+# first winter period after the commencement of this Act shall
+# commence at OOhOO on Monday 21 March 1994 and shall end at 02h00 on
+# Sunday 4 September 1994.
 
 # From Petronella Sibeene (2007-03-30):
 # http://allafrica.com/stories/200703300178.html
@@ -978,19 +986,30 @@ Link Africa/Maputo Africa/Lusaka	# Zambia
 # observes Botswana time, we have no details about historical practice.
 # In the meantime people there can use Africa/Gaborone.
 # See: Immanuel S. The Namibian. 2017-02-23.
-# http://www.namibian.com.na/51480/read/Time-change-divides-lawmakers
+# https://www.namibian.com.na/51480/read/Time-change-divides-lawmakers
+
+# From Steffen Thorsen (2017-08-09):
+# Namibia is going to change their time zone to what is now their DST:
+# https://www.newera.com.na/2017/02/23/namibias-winter-time-might-be-repealed/
+# This video is from the government decision:
+# https://www.nbc.na/news/na-passes-namibia-time-bill-repealing-1994-namibia-time-act.8665
+# We have made the assumption so far that they will change their time zone at
+# the same time they would normally start DST, the first Sunday in September:
+# https://www.timeanddate.com/news/time/namibia-new-time-zone.html
 
 # RULE	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Namibia	1994	max	-	Sep	Sun>=1	2:00	1:00	S
-Rule	Namibia	1995	max	-	Apr	Sun>=1	2:00	0	-
+Rule	Namibia	1994	only	-	Mar	21	0:00	0	-
+Rule	Namibia	1994	2016	-	Sep	Sun>=1	2:00	1:00	S
+Rule	Namibia	1995	2017	-	Apr	Sun>=1	2:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Windhoek	1:08:24 -	LMT	1892 Feb 8
 			1:30	-	+0130	1903 Mar
 			2:00	-	SAST	1942 Sep 20  2:00
 			2:00	1:00	SAST	1943 Mar 21  2:00
 			2:00	-	SAST	1990 Mar 21 # independence
-			2:00	-	CAT	1994 Apr  3
-			1:00	Namibia	WA%sT
+			2:00	-	CAT	1994 Mar 21  0:00
+			1:00	Namibia	WA%sT	2017 Sep  3  2:00
+			2:00	-	CAT
 
 # Niger
 # See Africa/Lagos.
@@ -1077,14 +1096,24 @@ Link Africa/Johannesburg Africa/Mbabane    # Swaziland
 # no information
 
 # Sudan
-#
+
 # From 
 # Sudan News Agency (2000-01-13),
 # also reported by Michaël De Beukelaer-Dossche via Steffen Thorsen:
 # Clocks will be moved ahead for 60 minutes all over the Sudan as of noon
 # Saturday....  This was announced Thursday by Caretaker State Minister for
 # Manpower Abdul-Rahman Nur-Eddin.
+
+# From Ahmed Atyya, National Telecommunications Corp. (NTC), Sudan (2017-10-17):
+# ... the Republic of Sudan is going to change the time zone from (GMT+3:00)
+# to (GMT+ 2:00) starting from Wednesday 1 November 2017.
 #
+# From Paul Eggert (2017-10-18):
+# A scanned copy (in Arabic) of Cabinet Resolution No. 352 for the
+# year 2017 can be found as an attachment in email today from Yahia
+# Abdalla of NTC, archived at:
+# https://mm.icann.org/pipermail/tz/2017-October/025333.html
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Sudan	1970	only	-	May	 1	0:00	1:00	S
 Rule	Sudan	1970	1985	-	Oct	15	0:00	0	-
@@ -1093,10 +1122,14 @@ Rule	Sudan	1972	1985	-	Apr	lastSun	0:00	1:00	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Khartoum	2:10:08 -	LMT	1931
 			2:00	Sudan	CA%sT	2000 Jan 15 12:00
-			3:00	-	EAT
+			3:00	-	EAT	2017 Nov  1
+			2:00	-	CAT
 
 # South Sudan
-Link Africa/Khartoum Africa/Juba
+# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
+Zone	Africa/Juba	2:06:28 -	LMT	1931
+			2:00	Sudan	CA%sT	2000 Jan 15 12:00
+			3:00	-	EAT
 
 # Swaziland
 # See Africa/Johannesburg.
@@ -1134,11 +1167,11 @@ Link Africa/Khartoum Africa/Juba
 # According to several news sources, Tunisia will not observe DST this year.
 # (Arabic)
 # http://www.elbashayer.com/?page=viewn&nid=42546
-# http://www.babnet.net/kiwidetail-15295.asp
+# https://www.babnet.net/kiwidetail-15295.asp
 #
 # We have also confirmed this with the US embassy in Tunisia.
 # We have a wrap-up about this on the following page:
-# http://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
+# https://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to Tunis Afrique Presse News Agency
diff --git a/jdk/make/data/tzdata/antarctica b/jdk/make/data/tzdata/antarctica
index c88c0b4107..c78ef7ed50 100644
--- a/jdk/make/data/tzdata/antarctica
+++ b/jdk/make/data/tzdata/antarctica
@@ -49,7 +49,7 @@
 # Heard Island, McDonald Islands (uninhabited)
 #	previously sealers and scientific personnel wintered
 #	Margaret Turner reports
-#	http://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
+#	https://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
 #	(1999-09-30) that they're UT +05, with no DST;
 #	presumably this is when they have visitors.
 #
@@ -70,7 +70,7 @@
 # http://www.aad.gov.au/default.asp?casid=37079
 #
 # We have more background information here:
-# http://www.timeanddate.com/news/time/antarctica-new-times.html
+# https://www.timeanddate.com/news/time/antarctica-new-times.html
 
 # From Steffen Thorsen (2010-03-10):
 # We got these changes from the Australian Antarctic Division: ...
@@ -85,7 +85,7 @@
 # - Mawson station stays on UTC+5.
 #
 # Background:
-# http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
+# https://www.timeanddate.com/news/time/antartica-time-changes-2010.html
 
 # From Steffen Thorsen (2016-10-28):
 # Australian Antarctica Division informed us that Casey changed time
@@ -168,7 +168,7 @@ Zone Indian/Kerguelen	0	-	-00	1950 # Port-aux-Français
 #
 # year-round base in the main continent
 # Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
-#  (2005-12-05)
+#  (2005-12-05)
 #
 # Another base at Port-Martin, 50km east, began operation in 1947.
 # It was destroyed by fire on 1952-01-14.
diff --git a/jdk/make/data/tzdata/asia b/jdk/make/data/tzdata/asia
index 306a2aa8bc..71f5d0cfc8 100644
--- a/jdk/make/data/tzdata/asia
+++ b/jdk/make/data/tzdata/asia
@@ -49,7 +49,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # For Russian data circa 1919, a source is:
 # Byalokoz EL. New Counting of Time in Russia since July 1, 1919.
@@ -98,8 +98,8 @@ Rule E-EurAsia	1996	max	-	Oct	lastSun	 0:00	0	-
 Rule RussiaAsia	1981	1984	-	Apr	1	 0:00	1:00	S
 Rule RussiaAsia	1981	1983	-	Oct	1	 0:00	0	-
 Rule RussiaAsia	1984	1995	-	Sep	lastSun	 2:00s	0	-
-Rule RussiaAsia	1985	2011	-	Mar	lastSun	 2:00s	1:00	S
-Rule RussiaAsia	1996	2011	-	Oct	lastSun	 2:00s	0	-
+Rule RussiaAsia	1985	2010	-	Mar	lastSun	 2:00s	1:00	S
+Rule RussiaAsia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 
 # Afghanistan
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -132,13 +132,17 @@ Zone	Asia/Kabul	4:36:48 -	LMT	1890
 # or
 # (brief)
 # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html
+# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
+Rule Armenia	2011	only	-	Mar	lastSun	 2:00s	1:00	S
+Rule Armenia	2011	only	-	Oct	lastSun	 2:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
 			3:00	-	+03	1957 Mar
 			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
 			3:00 RussiaAsia	+03/+04	1995 Sep 24  2:00s
 			4:00	-	+04	1997
-			4:00 RussiaAsia	+04/+05
+			4:00 RussiaAsia	+04/+05	2011
+			4:00	Armenia	+04/+05
 
 # Azerbaijan
 
@@ -150,7 +154,7 @@ Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
 # From Steffen Thorsen (2016-03-17):
 # ... the Azerbaijani Cabinet of Ministers has cancelled switching to
 # daylight saving time....
-# http://www.azernews.az/azerbaijan/94137.html
+# https://www.azernews.az/azerbaijan/94137.html
 # http://vestnikkavkaza.net/news/Azerbaijani-Cabinet-of-Ministers-cancels-daylight-saving-time.html
 # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html
 
@@ -191,11 +195,11 @@ Zone	Asia/Baku	3:19:24 -	LMT	1924 May  2
 # the 19th and 20th, and they have not set the end date yet.
 #
 # Some sources:
-# http://in.reuters.com/article/southAsiaNews/idINIndia-40017620090601
+# https://in.reuters.com/article/southAsiaNews/idINIndia-40017620090601
 # http://bdnews24.com/details.php?id=85889&cid=2
 #
 # Our wrap-up:
-# http://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.html
+# https://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.html
 
 # From A. N. M. Kamrus Saadat (2009-06-15):
 # Finally we've got the official mail regarding DST start time where DST start
@@ -281,9 +285,15 @@ Zone	Asia/Brunei	7:39:40 -	LMT	1926 Mar # Bandar Seri Begawan
 
 # Milne says 6:24:40 was the meridian of the time ball observatory at Rangoon.
 
+# From Paul Eggert (2017-04-20):
+# Page 27 of Reed & Low (cited for Asia/Kolkata) says "Rangoon local time is
+# used upon the railways and telegraphs of Burma, and is 6h. 24m. 47s. ahead
+# of Greenwich."  This refers to the period before Burma's transition to +0630,
+# a transition for which Shanks is the only source.
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Yangon	6:24:40 -	LMT	1880        # or Rangoon
-			6:24:40	-	RMT	1920        # Rangoon Mean Time?
+Zone	Asia/Yangon	6:24:47 -	LMT	1880        # or Rangoon
+			6:24:47	-	RMT	1920        # Rangoon local time
 			6:30	-	+0630	1942 May
 			9:00	-	+09	1945 May  3
 			6:30	-	+0630
@@ -340,7 +350,7 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 #
 # From Jesper Nørgaard Welen (2006-07-14):
 # I have investigated the timezones around 1970 on the
-# http://www.astro.com/atlas site [with provinces and county
+# https://www.astro.com/atlas site [with provinces and county
 # boundaries summarized below]....  A few other exceptions were two
 # counties on the Sichuan side of the Xizang-Sichuan border,
 # counties Dege and Baiyu which lies on the Sichuan side and are
@@ -492,7 +502,7 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 
 # From David Cochrane (2014-03-26):
 # Just a confirmation that Ürümqi time was implemented in Ürümqi on 1 Feb 1986:
-# http://content.time.com/time/magazine/article/0,9171,960684,00.html
+# https://content.time.com/time/magazine/article/0,9171,960684,00.html
 
 # From Luther Ma (2014-04-22):
 # I have interviewed numerous people of various nationalities and from
@@ -649,7 +659,7 @@ Zone	Asia/Hong_Kong	7:36:42 -	LMT	1904 Oct 30
 # (both in Okinawa) adopt the Western Standard Time which is based on
 # 120E. The adoption began from Jan 1, 1896. The original text can be
 # found on Wikisource:
-# http://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
+# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
 # ... This could be the first adoption of time zone in Taiwan, because
 # during the Qing Dynasty, it seems that there was no time zone
 # declared officially.
@@ -662,7 +672,7 @@ Zone	Asia/Hong_Kong	7:36:42 -	LMT	1904 Oct 30
 # territory, including later occupations, adopt Japan Central Time
 # (UTC+9). The adoption began on Oct 1, 1937. The original text can
 # be found on Wikisource:
-# http://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
+# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 #
 # That is, the time zone of Taipei switched to UTC+9 on Oct 1, 1937.
 
@@ -798,6 +808,12 @@ Zone	Asia/Macau	7:34:20 -	LMT	1912 Jan  1
 # Looks like the time zone split in Cyprus went through last night.
 # http://cyprus-mail.com/2016/10/30/cyprus-new-division-two-time-zones-now-reality/
 
+# From Paul Eggert (2017-10-18):
+# Northern Cyprus will reinstate winter time on October 29, thus
+# staying in sync with the rest of Cyprus.  See: Anastasiou A.
+# Cyprus to remain united in time.  Cyprus Mail 2017-10-17.
+# https://cyprus-mail.com/2017/10/17/cyprus-remain-united-time/
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Cyprus	1975	only	-	Apr	13	0:00	1:00	S
 Rule	Cyprus	1975	only	-	Oct	12	0:00	0	-
@@ -815,7 +831,8 @@ Zone	Asia/Nicosia	2:13:28 -	LMT	1921 Nov 14
 Zone	Asia/Famagusta	2:15:48	-	LMT	1921 Nov 14
 			2:00	Cyprus	EE%sT	1998 Sep
 			2:00	EUAsia	EE%sT	2016 Sep  8
-			3:00	-	+03
+			3:00	-	+03	2017 Oct 29 1:00u
+			2:00	EUAsia	EE%sT
 
 # Classically, Cyprus belongs to Asia; e.g. see Herodotus, Histories, I.72.
 # However, for various reasons many users expect to find it under Europe.
@@ -875,7 +892,7 @@ Zone	Asia/Tbilisi	2:59:11 -	LMT	1880
 
 # From João Carrascalão, brother of the former governor of East Timor, in
 # East Timor may be late for its millennium
-#  (1999-12-26/31):
+#  (1999-12-26/31):
 # Portugal tried to change the time forward in 1974 because the sun
 # rises too early but the suggestion raised a lot of problems with the
 # Timorese and I still don't think it would work today because it
@@ -903,21 +920,62 @@ Zone	Asia/Dili	8:22:20 -	LMT	1912 Jan  1
 # India
 
 # From Ian P. Beacock, in "A brief history of (modern) time", The Atlantic
-# http://www.theatlantic.com/technology/archive/2015/12/the-creation-of-modern-time/421419/
+# https://www.theatlantic.com/technology/archive/2015/12/the-creation-of-modern-time/421419/
 # (2015-12-22):
 # In January 1906, several thousand cotton-mill workers rioted on the
 # outskirts of Bombay....  They were protesting the proposed abolition of
 # local time in favor of Indian Standard Time....  Journalists called this
 # dispute the "Battle of the Clocks."  It lasted nearly half a century.
 
+# From Paul Eggert (2017-04-20):
+# Good luck trying to nail down old timekeeping records in India.
+# "... in the nineteenth century ... Madras Observatory took its magnetic
+# measurements on Göttingen time, its meteorological measurements on Madras
+# (local) time, dropped its time ball on Greenwich (ocean navigator's) time,
+# and distributed civil (local time)." -- Bartky IR. Selling the true time:
+# 19th-century timekeeping in america. Stanford U Press (2000), 247 note 19.
+# "A more potent cause of resistance to the general adoption of the present
+# standard time lies in the fact that it is Madras time.  The citizen of
+# Bombay, proud of being 'primus in Indis' and of Calcutta, equally proud of
+# his city being the Capital of India, and - for a part of the year - the Seat
+# of the Supreme Government, alike look down on Madras, and refuse to change
+# the time they are using, for that of what they regard as a benighted
+# Presidency; while Madras, having for long given the standard time to the
+# rest of India, would resist the adoption of any other Indian standard in its
+# place." -- Oldham RD. On Time in India: a suggestion for its improvement.
+# Proceedings of the Asiatic Society of Bengal (April 1899), 49-55.
+#
+# "In 1870 ... Madras time - 'now used by the telegraph and regulated from the
+# only government observatory' - was suggested as a standard railway time,
+# first to be adopted on the Great Indian Peninsular Railway (GIPR)....
+# Calcutta, Bombay, and Karachi, were to be allowed to continue with their
+# local time for civil purposes." - Prasad R. Tracks of Change: Railways and
+# Everyday Life in Colonial India. Cambridge University Press (2016), 145.
+#
+# Reed S, Low F. The Indian Year Book 1936-37. Bennett, Coleman, pp 27-8.
+# https://archive.org/details/in.ernet.dli.2015.282212
+# This lists +052110 as Madras local time used in railways, and says that on
+# 1906-01-01 railways and telegraphs in India switched to +0530.  Some
+# municipalities retained their former time, and the time in Calcutta
+# continued to depend on whether you were at the railway station or at
+# government offices.  Government time was at +055320 (according to Shanks) or
+# at +0554 (according to the Indian Year Book).  Railway time is more
+# appropriate for our purposes, as it was better documented, it is what we do
+# elsewhere (e.g., Europe/London before 1880), and after 1906 it was
+# consistent in the region now identified by Asia/Kolkata.  So, use railway
+# time for 1870-1941.  Shanks is our only (and dubious) source for the
+# 1941-1945 data.
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Kolkata	5:53:28 -	LMT	1880        # Kolkata
-			5:53:20	-	HMT	1941 Oct    # Howrah Mean Time?
-			6:30	-	+0630	1942 May 15
+Zone	Asia/Kolkata	5:53:28 -	LMT	1854 Jun 28 # Kolkata
+			5:53:20	-	HMT	1870	    # Howrah Mean Time?
+			5:21:10	-	MMT	1906 Jan  1 # Madras local time
+			5:30	-	IST	1941 Oct
+			5:30	1:00	+0630	1942 May 15
 			5:30	-	IST	1942 Sep
 			5:30	1:00	+0630	1945 Oct 15
 			5:30	-	IST
-# The following are like Asia/Kolkata:
+# Since 1970 the following are like Asia/Kolkata:
 #	Andaman Is
 #	Lakshadweep (Laccadive, Minicoy and Amindivi Is)
 #	Nicobar Is
@@ -1059,7 +1117,7 @@ Zone Asia/Jayapura	9:22:48 -	LMT	1932 Nov
 # From Reuters (2007-09-16), with a heads-up from Jesper Nørgaard Welen:
 # ... the Guardian Council ... approved a law on Sunday to re-introduce
 # daylight saving time ...
-# http://uk.reuters.com/article/oilRpt/idUKBLA65048420070916
+# https://uk.reuters.com/article/oilRpt/idUKBLA65048420070916
 #
 # From Roozbeh Pournader (2007-11-05):
 # This is quoted from Official Gazette of the Islamic Republic of
@@ -1158,7 +1216,7 @@ Zone	Asia/Tehran	3:25:44	-	LMT	1916
 # http://www.aswataliraq.info/look/article.tpl?id=2047&IdLanguage=17&IdPublication=4&NrArticle=71743&NrIssue=1&NrSection=10
 #
 # We have published a short article in English about the change:
-# http://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
+# https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Iraq	1982	only	-	May	1	0:00	1:00	D
@@ -1466,12 +1524,12 @@ Rule	Japan	1950	1951	-	May	Sun>=1	2:00	1:00	D
 # From Yu-Cheng Chuang (2013-07-12):
 # ...the Meiji Emperor announced Ordinance No. 167 of Meiji Year 28 "The clause
 # about standard time" ... The adoption began from Jan 1, 1896.
-# http://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
+# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
 #
 # ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which
 # means the whole Japan territory, including later occupations, adopt Japan
 # Central Time (UTC+9). The adoption began on Oct 1, 1937.
-# http://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
+# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
@@ -1533,7 +1591,7 @@ Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
 # Official, in Arabic:
 # http://www.petra.gov.jo/public_news/Nws_NewsDetails.aspx?Menu_ID=&Site_Id=2&lang=1&NewsID=133230&CatID=14
 # ... Our background/permalink about it
-# http://www.timeanddate.com/news/time/jordan-reverses-dst-decision.html
+# https://www.timeanddate.com/news/time/jordan-reverses-dst-decision.html
 # ...
 # http://www.petra.gov.jo/Public_News/Nws_NewsDetails.aspx?lang=2&site_id=1&NewsID=133313&Type=P
 # ... says midnight for the coming one and 1:00 for the ones in the future
@@ -1891,9 +1949,9 @@ Zone	Asia/Bishkek	4:58:24 -	LMT	1924 May  2
 # between 1987 and 1988 ...
 
 # From Sanghyuk Jung (2014-10-29):
-# http://mm.icann.org/pipermail/tz/2014-October/021830.html
+# https://mm.icann.org/pipermail/tz/2014-October/021830.html
 # According to the Korean Wikipedia
-# http://ko.wikipedia.org/wiki/한국_표준시
+# https://ko.wikipedia.org/wiki/한국_표준시
 # [oldid=12896437 2014-09-04 08:03 UTC]
 # DST in Republic of Korea was as follows....  And I checked old
 # newspapers in Korean, all articles correspond with data in Wikipedia.
@@ -2115,7 +2173,7 @@ Zone	Indian/Maldives	4:54:00 -	LMT	1880 # Male
 # +08:00 instead. Different sources appear to disagree with the tz
 # database on this, e.g.:
 #
-# http://www.timeanddate.com/worldclock/city.html?n=1026
+# https://www.timeanddate.com/worldclock/city.html?n=1026
 # http://www.worldtimeserver.com/current_time_in_MN.aspx
 #
 # both say GMT+08:00.
@@ -2245,7 +2303,7 @@ Zone	Asia/Kathmandu	5:41:16 -	LMT	1920
 # help reduce load shedding by approving the closure of commercial centres at
 # 9pm and moving clocks forward by one hour for the next three months. ...."
 #
-# http://www.worldtimezone.net/dst_news/dst_news_pakistan01.html
+# http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html
 # http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4
 
 # From Arthur David Olson (2008-05-19):
@@ -2311,7 +2369,7 @@ Zone	Asia/Kathmandu	5:41:16 -	LMT	1920
 #
 # We have confirmed this year's end date with both with the Ministry of
 # Water and Power and the Pakistan Electric Power Company:
-# http://www.timeanddate.com/news/time/pakistan-ends-dst09.html
+# https://www.timeanddate.com/news/time/pakistan-ends-dst09.html
 
 # From Christoph Göhre (2009-10-01):
 # [T]he German Consulate General in Karachi reported me today that Pakistan
@@ -2493,7 +2551,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # We are not sure if Gaza will do the same, last year they had a different
 # end date, we will keep this page updated:
-# http://www.timeanddate.com/news/time/westbank-gaza-dst-2009.html
+# https://www.timeanddate.com/news/time/westbank-gaza-dst-2009.html
 
 # From Alexander Krivenyshev (2009-09-02):
 # Seems that Gaza Strip will go back to Winter Time same date as West Bank.
@@ -2531,7 +2589,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # the clocks were set back one hour at 2010-08-11 00:00:00 local time in
 # Gaza and the West Bank.
 # Some more background info:
-# http://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
+# https://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
 
 # From Steffen Thorsen (2011-08-26):
 # Gaza and the West Bank did go back to standard time in the beginning of
@@ -2541,7 +2599,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # http://www.maannews.net/eng/ViewDetails.aspx?ID=416217
 # Additional info:
-# http://www.timeanddate.com/news/time/palestine-dst-2011.html
+# https://www.timeanddate.com/news/time/palestine-dst-2011.html
 
 # From Alexander Krivenyshev (2011-08-27):
 # According to the article in The Jerusalem Post:
@@ -2551,7 +2609,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # The Hamas government said on Saturday that it won't observe summertime after
 # the Muslim feast of Id al-Fitr, which begins on Tuesday..."
 # ...
-# http://www.jpost.com/MiddleEast/Article.aspx?id=235650
+# https://www.jpost.com/MiddleEast/Article.aspx?id=235650
 # http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html
 # The rules for Egypt are stolen from the 'africa' file.
 
@@ -2572,7 +2630,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html
 #
 # Our brief summary:
-# http://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html
+# https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html
 
 # From Steffen Thorsen (2013-03-26):
 # The following news sources tells that Palestine will "start daylight saving
@@ -2592,11 +2650,11 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 
 # From Steffen Thorsen (2015-03-03):
 # Sources such as http://www.alquds.com/news/article/view/id/548257
-# and http://www.raya.ps/ar/news/890705.html say Palestine areas will
+# and https://www.raya.ps/ar/news/890705.html say Palestine areas will
 # start DST on 2015-03-28 00:00 which is one day later than expected.
 #
 # From Paul Eggert (2015-03-03):
-# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
+# https://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
 # says that the fall 2014 transition was Oct 23 at 24:00.
 
 # From Hannah Kreitem (2016-03-09):
@@ -2620,8 +2678,8 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # From Paul Eggert (2016-10-19):
 # It's also consistent with predictions in the following URLs today:
-# http://www.timeanddate.com/time/change/gaza-strip/gaza
-# http://www.timeanddate.com/time/change/west-bank/hebron
+# https://www.timeanddate.com/time/change/gaza-strip/gaza
+# https://www.timeanddate.com/time/change/west-bank/hebron
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
@@ -2684,7 +2742,7 @@ Zone	Asia/Hebron	2:20:23	-	LMT	1900 Oct
 # Philippines, issued a proclamation announcing that 1844-12-30 was to
 # be immediately followed by 1845-01-01; see R.H. van Gent's
 # History of the International Date Line
-# http://www.staff.science.uu.nl/~gent0113/idl/idl_philippines.htm
+# https://www.staff.science.uu.nl/~gent0113/idl/idl_philippines.htm
 # The rest of the data entries are from Shanks & Pottenger.
 
 # From Jesper Nørgaard Welen (2006-04-26):
@@ -2948,7 +3006,7 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
 # We have not found any sources saying anything about when DST ends this year.
 #
 # Our summary
-# http://www.timeanddate.com/news/time/syria-dst-starts-march-27-2009.html
+# https://www.timeanddate.com/news/time/syria-dst-starts-march-27-2009.html
 
 # From Steffen Thorsen (2009-10-27):
 # The Syrian Arab News Network on 2009-09-29 reported that Syria will
@@ -2975,7 +3033,7 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
 # http://www.sana.sy/ara/2/2012/03/26/408215.htm
 #
 # Our brief summary:
-# http://www.timeanddate.com/news/time/syria-dst-2012.html
+# https://www.timeanddate.com/news/time/syria-dst-2012.html
 
 # From Arthur David Olson (2012-03-27):
 # Assume last Friday in March going forward XXX.
@@ -3058,7 +3116,7 @@ Zone	Asia/Tashkent	4:37:11 -	LMT	1924 May  2
 # is quoted verbatim in:
 # http://www.thoigian.com.vn/?mPage=P80D01
 # is translated by Brian Inglis in:
-# http://mm.icann.org/pipermail/tz/2014-October/021654.html
+# https://mm.icann.org/pipermail/tz/2014-October/021654.html
 # and is the basis for the information below.
 #
 # The 1906 transition was effective July 1 and standardized Indochina to
diff --git a/jdk/make/data/tzdata/australasia b/jdk/make/data/tzdata/australasia
index db7e7f7bcb..6726ef3381 100644
--- a/jdk/make/data/tzdata/australasia
+++ b/jdk/make/data/tzdata/australasia
@@ -316,7 +316,7 @@ Zone	Indian/Cocos	6:27:40	-	LMT	1900
 # http://www.fiji.gov.fj/index.php?option=com_content&view=article&id=1096:3310-cabinet-approves-change-in-daylight-savings-dates&catid=49:cabinet-releases&Itemid=166
 #
 # A bit more background info here:
-# http://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.html
+# https://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.html
 
 # From Alexander Krivenyshev (2010-10-24):
 # According to Radio Fiji and Fiji Times online, Fiji will end DST 3
@@ -380,9 +380,12 @@ Zone	Indian/Cocos	6:27:40	-	LMT	1900
 # clocks go forward an hour at 2am to 3am....  Daylight Saving will
 # end at 3.00am on Sunday 15th January 2017."
 
-# From Paul Eggert (2016-10-03):
-# For now, guess DST from 02:00 the first Sunday in November to
-# 03:00 the third Sunday in January.  Although ad hoc, it matches
+# From Paul Eggert (2017-08-21):
+# Dominic Fok writes (2017-08-20) that DST ends 2018-01-14, citing
+# Extraordinary Government of Fiji Gazette Supplement No. 21 (2017-08-27),
+# [Legal Notice No. 41] of an order of the previous day by J Usamate.
+# For now, guess DST from 02:00 the first Sunday in November to 03:00
+# the first Sunday on or after January 14.  Although ad hoc, it matches
 # transitions since late 2014 and seems more likely to match future
 # practice than guessing no DST.
 
@@ -396,7 +399,7 @@ Rule	Fiji	2011	only	-	Mar	Sun>=1	3:00	0	-
 Rule	Fiji	2012	2013	-	Jan	Sun>=18	3:00	0	-
 Rule	Fiji	2014	only	-	Jan	Sun>=18	2:00	0	-
 Rule	Fiji	2014	max	-	Nov	Sun>=1	2:00	1:00	S
-Rule	Fiji	2015	max	-	Jan	Sun>=15	3:00	0	-
+Rule	Fiji	2015	max	-	Jan	Sun>=14	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Fiji	11:55:44 -	LMT	1915 Oct 26 # Suva
 			12:00	Fiji	+12/+13
@@ -580,7 +583,7 @@ Zone Pacific/Port_Moresby 9:48:40 -	LMT	1880
 # The World War II entries below are instead based on Arawa-Kieta.
 # The Japanese occupied Kieta in July 1942,
 # according to the Pacific War Online Encyclopedia
-# http://pwencycl.kgbudge.com/B/o/Bougainville.htm
+# https://pwencycl.kgbudge.com/B/o/Bougainville.htm
 # and seem to have controlled it until their 1945-08-21 surrender.
 #
 # The Autonomous Region of Bougainville switched from UT +10 to +11
@@ -602,7 +605,7 @@ Zone Pacific/Pitcairn	-8:40:20 -	LMT	1901        # Adamstown
 			-8:00	-	-08
 
 # American Samoa
-Zone Pacific/Pago_Pago	 12:37:12 -	LMT	1879 Jul  5
+Zone Pacific/Pago_Pago	 12:37:12 -	LMT	1892 Jul  5
 			-11:22:48 -	LMT	1911
 			-11:00	-	SST	            # S=Samoa
 Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
@@ -618,7 +621,7 @@ Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
 # Sunday of April 2011."
 #
 # Background info:
-# http://www.timeanddate.com/news/time/samoa-dst-plan-2009.html
+# https://www.timeanddate.com/news/time/samoa-dst-plan-2009.html
 #
 # Samoa's Daylight Saving Time Act 2009 is available here, but does not
 # contain any dates:
@@ -682,7 +685,7 @@ Rule	WS	2011	only	-	Sep	lastSat	3:00	1	D
 Rule	WS	2012	max	-	Apr	Sun>=1	4:00	0	S
 Rule	WS	2012	max	-	Sep	lastSun	3:00	1	D
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Pacific/Apia	 12:33:04 -	LMT	1879 Jul  5
+Zone Pacific/Apia	 12:33:04 -	LMT	1892 Jul  5
 			-11:26:56 -	LMT	1911
 			-11:30	-	-1130	1950
 			-11:00	WS	-11/-10	2011 Dec 29 24:00
@@ -709,7 +712,7 @@ Zone Pacific/Guadalcanal 10:39:48 -	LMT	1912 Oct # Honiara
 # From Paul Eggert (2012-07-25)
 # A Google Books snippet of Appendix to the Journals of the House of
 # Representatives of New Zealand, Session 1948,
-# , page 65, says Tokelau
+# , page 65, says Tokelau
 # was "11 hours slow on G.M.T."  Go with Thorsen and assume Shanks & Pottenger
 # are off by an hour starting in 1901.
 
@@ -724,8 +727,8 @@ Rule	Tonga	1999	only	-	Oct	 7	2:00s	1:00	S
 Rule	Tonga	2000	only	-	Mar	19	2:00s	0	-
 Rule	Tonga	2000	2001	-	Nov	Sun>=1	2:00	1:00	S
 Rule	Tonga	2001	2002	-	Jan	lastSun	2:00	0	-
-Rule	Tonga	2016	max	-	Nov	Sun>=1	2:00	1:00	S
-Rule	Tonga	2017	max	-	Jan	Sun>=15	3:00	0	-
+Rule	Tonga	2016	only	-	Nov	Sun>=1	2:00	1:00	S
+Rule	Tonga	2017	only	-	Jan	Sun>=15	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Pacific/Tongatapu	12:19:20 -	LMT	1901
 			12:20	-	+1220	1941
@@ -779,7 +782,7 @@ Zone Pacific/Funafuti	11:56:52 -	LMT	1901
 # Operation Fishbowl shot (Tightrope, 1962-11-04).... [See] Herman Hoerlin,
 # "The United States High-Altitude Test Experience: A Review Emphasizing the
 # Impact on the Environment", Los Alamos LA-6405, Oct 1976.
-# http://www.fas.org/sgp/othergov/doe/lanl/docs1/00322994.pdf
+# https://www.fas.org/sgp/othergov/doe/lanl/docs1/00322994.pdf
 # See the table on page 4 where he lists GMT and local times for the tests; a
 # footnote for the JI tests reads that local time is "JI time = Hawaii Time
 # Minus One Hour".
@@ -845,7 +848,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # A reliable and entertaining source about time zones is
 # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997).
@@ -992,7 +995,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #   AEST ACST AWST AEDT ACDT
 #
 #   Parliamentary Library (2008-11-10)
-#   http://www.aph.gov.au/binaries/library/pubs/rp/2008-09/09rp14.pdf
+#   https://www.aph.gov.au/binaries/library/pubs/rp/2008-09/09rp14.pdf
 #   EST CST WST preferred for standard time; AEST AEDT ACST ACDT also used
 #
 #   The Transport Safety Bureau has an extensive series of accident reports,
@@ -1028,13 +1031,13 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #
 # NSW (including LHI and Broken Hill):
 # Standard Time Act 1987 (updated 1995-04-04)
-# http://www.austlii.edu.au/au/legis/nsw/consol_act/sta1987137/index.html
+# https://www.austlii.edu.au/au/legis/nsw/consol_act/sta1987137/index.html
 # ACT
 # Standard Time and Summer Time Act 1972
-# http://www.austlii.edu.au/au/legis/act/consol_act/stasta1972279/index.html
+# https://www.austlii.edu.au/au/legis/act/consol_act/stasta1972279/index.html
 # SA
 # Standard Time Act, 1898
-# http://www.austlii.edu.au/au/legis/sa/consol_act/sta1898137/index.html
+# https://www.austlii.edu.au/au/legis/sa/consol_act/sta1898137/index.html
 
 # From David Grosz (2005-06-13):
 # It was announced last week that Daylight Saving would be extended by
@@ -1329,7 +1332,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # http://abc.net.au/news/regionals/neweng/monthly/regeng-22jul1999-1.htm
 # (1999-07-22).  For now, we'll wait to see if this really happens.
 #
-# Victoria will following NSW.  See:
+# Victoria will follow NSW.  See:
 # Vic to extend daylight saving (1999-07-28)
 # http://abc.net.au/local/news/olympics/1999/07/item19990728112314_1.htm
 #
@@ -1432,7 +1435,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # the ACT for all 52 weeks of the year...
 #
 # We have a wrap-up here:
-# http://www.timeanddate.com/news/time/south-australia-extends-dst.html
+# https://www.timeanddate.com/news/time/south-australia-extends-dst.html
 ###############################################################################
 
 # New Zealand
@@ -1486,7 +1489,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # From Paul Eggert (2014-07-14):
 # Chatham Island time was formally standardized on 1957-01-01 by
 # New Zealand's Standard Time Amendment Act 1956 (1956-10-26).
-# http://www.austlii.edu.au/nz/legis/hist_act/staa19561956n100244.pdf
+# https://www.austlii.edu.au/nz/legis/hist_act/staa19561956n100244.pdf
 # According to Google Books snippet view, a speaker in the New Zealand
 # parliamentary debates in 1956 said "Clause 78 makes provision for standard
 # time in the Chatham Islands.  The time there is 45 minutes in advance of New
@@ -1601,7 +1604,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # the Norfolk Island Museum and the Australian Bureau of Meteorology's
 # Norfolk Island station, and found no record of Norfolk observing DST
 # other than in 1974/5.  See:
-# http://www.timeanddate.com/time/australia/norfolk-island.html
+# https://www.timeanddate.com/time/australia/norfolk-island.html
 
 # Pitcairn
 
@@ -1629,11 +1632,13 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 
 # (Western) Samoa and American Samoa
 
-# Howse writes (p 153, citing p 10 of the 1883-11-18 New York Herald)
-# that in 1879 the King of Samoa decided to change
+# Howse writes (p 153) that after the 1879 standardization on Antipodean
+# time by the British governor of Fiji, the King of Samoa decided to change
 # "the date in his kingdom from the Antipodean to the American system,
 # ordaining - by a masterpiece of diplomatic flattery - that
 # the Fourth of July should be celebrated twice in that year."
+# This happened in 1892, according to the Evening News (Sydney) of 1892-07-20.
+# https://www.staff.science.uu.nl/~gent0113/idl/idl.htm
 
 # Although Shanks & Pottenger says they both switched to UT -11:30
 # in 1911, and to -11 in 1950. many earlier sources give -11
@@ -1644,6 +1649,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # day in 2011.  Assume also that the Samoas follow the US and New
 # Zealand's "ST"/"DT" style of daylight-saving abbreviations.
 
+
 # Tonga
 
 # From Paul Eggert (1996-01-22):
@@ -1738,6 +1744,15 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # Assume Tonga will observe DST from the first Sunday in November at 02:00
 # through the third Sunday in January at 03:00, like Fiji, for now.
 
+# From David Wade (2017-10-18):
+# In August government was disolved by the King.  The current prime minister
+# continued in office in care taker mode.  It is easy to see that few
+# decisions will be made until elections 16th November.
+#
+# From Paul Eggert (2017-10-18):
+# For now, guess that DST is discontinued.  That's what the IATA is guessing.
+
+
 # Wake
 
 # From Vernice Anderson, Personal Secretary to Philip Jessup,
@@ -1750,7 +1765,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # making calculation of time in Washington difficult if not almost
 # impossible.
 #
-# http://www.trumanlibrary.org/wake/meeting.htm
+# https://www.trumanlibrary.org/oralhist/andrsonv.htm
 
 # From Paul Eggert (2003-03-23):
 # We have no other report of DST in Wake Island, so omit this info for now.
@@ -1778,7 +1793,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # an international standard, there are some places on the high seas where the
 # correct date is ambiguous.
 
-# From Wikipedia  (2005-08-31):
+# From Wikipedia  (2005-08-31):
 # Before 1920, all ships kept local apparent time on the high seas by setting
 # their clocks at night or at the morning sight so that, given the ship's
 # speed and direction, it would be 12 o'clock when the Sun crossed the ship's
diff --git a/jdk/make/data/tzdata/backward b/jdk/make/data/tzdata/backward
index b4cf3be2d3..fca4ed1881 100644
--- a/jdk/make/data/tzdata/backward
+++ b/jdk/make/data/tzdata/backward
@@ -84,7 +84,9 @@ Link	America/Sao_Paulo	Brazil/East
 Link	America/Manaus		Brazil/West
 Link	America/Halifax		Canada/Atlantic
 Link	America/Winnipeg	Canada/Central
-Link	America/Regina		Canada/East-Saskatchewan
+# This line is commented out, as the name exceeded the 14-character limit
+# and was an unused misnomer.
+#Link	America/Regina		Canada/East-Saskatchewan
 Link	America/Toronto		Canada/Eastern
 Link	America/Edmonton	Canada/Mountain
 Link	America/St_Johns	Canada/Newfoundland
diff --git a/jdk/make/data/tzdata/europe b/jdk/make/data/tzdata/europe
index 0d8a40e4f3..6359279d2f 100644
--- a/jdk/make/data/tzdata/europe
+++ b/jdk/make/data/tzdata/europe
@@ -60,14 +60,14 @@
 #	[PDF] (1914-03)
 #
 #	Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94
-#	.  He writes:
+#	.  He writes:
 #	"It is requested that corrections and additions to these tables
 #	may be sent to Mr. John Milne, Royal Geographical Society,
 #	Savile Row, London."  Nowadays please email them to tz@iana.org.
 #
 #	Byalokoz EL. New Counting of Time in Russia since July 1, 1919.
 #	This Russian-language source was consulted by Vladimir Karpinsky; see
-#	http://mm.icann.org/pipermail/tz/2014-August/021320.html
+#	https://mm.icann.org/pipermail/tz/2014-August/021320.html
 #	The full Russian citation is:
 #	Бялокоз, Евгений Людвигович. Новый счет времени в течении суток
 #	введенный декретом Совета народных комиссаров для всей России с 1-го
@@ -210,7 +210,7 @@
 # foundations of civilization throughout the world.
 #	-- "A Silent Toast to William Willett", Pictorial Weekly;
 #	republished in Finest Hour (Spring 2002) 1(114):26
-#	http://www.winstonchurchill.org/images/finesthour/Vol.01%20No.114.pdf
+#	https://www.winstonchurchill.org/publications/finest-hour/finest-hour-114/a-silent-toast-to-william-willett-by-winston-s-churchill
 
 # From Paul Eggert (2015-08-08):
 # The OED Supplement says that the English originally said "Daylight Saving"
@@ -248,8 +248,8 @@
 # official designation; the reply of the 21st was that there wasn't
 # but he couldn't think of anything better than the "Double British
 # Summer Time" that the BBC had been using informally.
-# http://www.polyomino.org.uk/british-time/bbc-19410418.png
-# http://www.polyomino.org.uk/british-time/ho-19410421.png
+# https://www.polyomino.org.uk/british-time/bbc-19410418.png
+# https://www.polyomino.org.uk/british-time/ho-19410421.png
 
 # From Sir Alexander Maxwell in the above-mentioned letter (1941-04-21):
 # [N]o official designation has as far as I know been adopted for the time
@@ -266,13 +266,13 @@
 # the history of summer time legislation in the United Kingdom.
 # Since 1998 Joseph S. Myers has been updating
 # and extending this list, which can be found in
-# http://www.polyomino.org.uk/british-time/
+# https://www.polyomino.org.uk/british-time/
 
 # From Joseph S. Myers (1998-01-06):
 #
 # The legal time in the UK outside of summer time is definitely GMT, not UTC;
 # see Lord Tanlaw's speech
-# http://www.publications.parliament.uk/pa/ld199798/ldhansrd/vo970611/text/70611-10.htm#70611-10_head0
+# https://www.publications.parliament.uk/pa/ld199798/ldhansrd/vo970611/text/70611-10.htm#70611-10_head0
 # (Lords Hansard 11 June 1997 columns 964 to 976).
 
 # From Paul Eggert (2006-03-22):
@@ -318,7 +318,7 @@
 # Irish 'public feeling (was) outraged by forcing of English time on us'."
 # -- Parsons M. Dublin lost its time zone - and 25 minutes - after 1916 Rising.
 # Irish Times 2014-10-27.
-# http://www.irishtimes.com/news/politics/dublin-lost-its-time-zone-and-25-minutes-after-1916-rising-1.1977411
+# https://www.irishtimes.com/news/politics/dublin-lost-its-time-zone-and-25-minutes-after-1916-rising-1.1977411
 
 # From Joseph S. Myers (2005-01-26):
 # Irish laws are available online at .
@@ -371,6 +371,12 @@
 # Justice (tel +353 1 678 9711) who confirmed to me that the correct name is
 # "Irish Summer Time", abbreviated to "IST".
 
+# Michael Deckers (2017-06-01) gave the following URLs for Ireland's
+# Summer Time Act, 1925 and Summer Time Orders, 1926 and 1947:
+# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print.html
+# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print.html
+# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print.html
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 # Summer Time Act, 1916
 Rule	GB-Eire	1916	only	-	May	21	2:00s	1:00	BST
@@ -495,14 +501,14 @@ Link	Europe/London	Europe/Isle_of_Man
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Dublin	-0:25:00 -	LMT	1880 Aug  2
-			-0:25:21 -	DMT	1916 May 21  2:00 # Dublin MT
+			-0:25:21 -	DMT	1916 May 21  2:00s # Dublin MT
 			-0:25:21 1:00	IST	1916 Oct  1  2:00s
 			 0:00	GB-Eire	%s	1921 Dec  6 # independence
-			 0:00	GB-Eire	GMT/IST	1940 Feb 25  2:00
-			 0:00	1:00	IST	1946 Oct  6  2:00
-			 0:00	-	GMT	1947 Mar 16  2:00
-			 0:00	1:00	IST	1947 Nov  2  2:00
-			 0:00	-	GMT	1948 Apr 18  2:00
+			 0:00	GB-Eire	GMT/IST	1940 Feb 25  2:00s
+			 0:00	1:00	IST	1946 Oct  6  2:00s
+			 0:00	-	GMT	1947 Mar 16  2:00s
+			 0:00	1:00	IST	1947 Nov  2  2:00s
+			 0:00	-	GMT	1948 Apr 18  2:00s
 			 0:00	GB-Eire	GMT/IST	1968 Oct 27
 			 1:00	-	IST	1971 Oct 31  2:00u
 			 0:00	GB-Eire	GMT/IST	1996
@@ -648,7 +654,7 @@ Rule	Russia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 # Council of Ministers of the USSR from 1989-03-14 No. 227.
 #
 # I did not find full texts of these acts.  For the 1989 one we have
-# title at http://base.garant.ru/70754136/ :
+# title at https://base.garant.ru/70754136/ :
 # "About change in calculation of time on the territories of
 # Lithuanian SSR, Latvian SSR and Estonian SSR, Astrakhan,
 # Kaliningrad, Kirov, Kuybyshev, Ulyanovsk and Uralsk oblasts".
@@ -679,7 +685,7 @@ Rule	Russia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 # http://bmockbe.ru/events/?ID=7583
 #
 # Medvedev signed a law on the calculation of the time (in russian):
-# http://www.regnum.ru/news/polit/1413906.html
+# https://www.regnum.ru/news/polit/1413906.html
 
 # From Arthur David Olson (2011-06-15):
 # Take "abolishing daylight saving time" to mean that time is now considered
@@ -806,7 +812,7 @@ Zone	Europe/Vienna	1:05:21 -	LMT	1893 Apr
 # Sources (Russian language):
 # http://www.belta.by/ru/all_news/society/V-Belarusi-otmenjaetsja-perexod-na-sezonnoe-vremja_i_572952.html
 # http://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/
-# http://news.tut.by/society/250578.html
+# https://news.tut.by/society/250578.html
 #
 # From Alexander Bokovoy (2014-10-09):
 # Belarussian government decided against changing to winter time....
@@ -1127,7 +1133,7 @@ Zone America/Thule	-4:35:08 -	LMT	1916 Jul 28 # Pituffik air base
 # for their standard and summer times. He says no, they use "suveaeg"
 # (summer time) and "talveaeg" (winter time).
 
-# From The Baltic Times  (1999-09-09)
+# From The Baltic Times  (1999-09-09)
 # via Steffen Thorsen:
 # This year will mark the last time Estonia shifts to summer time,
 # a council of the ruling coalition announced Sept. 6....
@@ -1179,7 +1185,7 @@ Zone	Europe/Tallinn	1:39:00	-	LMT	1880
 # This is documented in Heikki Oja: Aikakirja 2007, published by The Almanac
 # Office of University of Helsinki, ISBN 952-10-3221-9, available online (in
 # Finnish) at
-# http://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf
+# https://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf
 #
 # Page 105 (56 in PDF version) has a handy table of all past daylight savings
 # transitions. It is easy enough to interpret without Finnish skills.
@@ -1192,7 +1198,7 @@ Zone	Europe/Tallinn	1:39:00	-	LMT	1880
 
 # From Konstantin Hyppönen (2014-06-13):
 # [Heikki Oja's book Aikakirja 2013]
-# http://almanakka.helsinki.fi/images/aikakirja/Aikakirja2013kokonaan.pdf
+# https://almanakka.helsinki.fi/images/aikakirja/Aikakirja2013kokonaan.pdf
 # pages 104-105, including a scan from a newspaper published on Apr 2 1942
 # say that ... [o]n Apr 2 1942, 24 o'clock (which means Apr 3 1942,
 # 00:00), clocks were moved one hour forward. The newspaper
@@ -1322,7 +1328,7 @@ Zone	Europe/Paris	0:09:21 -	LMT	1891 Mar 15  0:01
 
 # From Jörg Schilling (2002-10-23):
 # In 1945, Berlin was switched to Moscow Summer time (GMT+4) by
-# http://www.dhm.de/lemo/html/biografien/BersarinNikolai/
+# https://www.dhm.de/lemo/html/biografien/BersarinNikolai/
 # General [Nikolai] Bersarin.
 
 # From Paul Eggert (2003-03-08):
@@ -1547,7 +1553,7 @@ Zone Atlantic/Reykjavik	-1:28	-	LMT	1908
 # From Paul Eggert (2016-10-27):
 # Go with INRiM for DST rules, except as corrected by Inglis for 1944
 # for the Kingdom of Italy.  This is consistent with Renzo Baldini.
-# Model Rome's occupation by using using C-Eur rules from 1943-09-10
+# Model Rome's occupation by using C-Eur rules from 1943-09-10
 # to 1944-06-04; although Rome was an open city during this period, it
 # was effectively controlled by Germany.
 #
@@ -1862,14 +1868,14 @@ Zone	Europe/Malta	0:58:04 -	LMT	1893 Nov  2  0:00s # Valletta
 # Following Moldova and neighboring Ukraine- Transnistria (Pridnestrovie)-
 # Tiraspol will go back to winter time on October 30, 2011.
 # News from Moldova (in russian):
-# http://ru.publika.md/link_317061.html
+# https://ru.publika.md/link_317061.html
 
 # From Roman Tudos (2015-07-02):
 # http://lex.justice.md/index.php?action=view&view=doc&lang=1&id=355077
 # From Paul Eggert (2015-07-01):
 # The abovementioned official link to IGO1445-868/2014 states that
 # 2014-10-26's fallback transition occurred at 03:00 local time.  Also,
-# http://www.trm.md/en/social/la-30-martie-vom-trece-la-ora-de-vara
+# https://www.trm.md/en/social/la-30-martie-vom-trece-la-ora-de-vara
 # says the 2014-03-30 spring-forward transition was at 02:00 local time.
 # Guess that since 1997 Moldova has switched one hour before the EU.
 
@@ -1941,7 +1947,7 @@ Zone	Europe/Monaco	0:29:32 -	LMT	1891 Mar 15
 # Amsterdam mean time.
 
 # The data entries before 1945 are taken from
-# http://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
+# https://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Neth	1916	only	-	May	 1	0:00	1:00	NST	# Netherlands Summer Time
@@ -2022,7 +2028,7 @@ Zone	Europe/Oslo	0:43:00 -	LMT	1895 Jan  1
 # so it must have diverged from Oslo time during the war, as Oslo was
 # keeping Berlin time.
 #
-#  says that the meteorologists
+#  says that the meteorologists
 # burned down their station in 1940 and left the island, but returned in
 # 1941 with a small Norwegian garrison and continued operations despite
 # frequent air attacks from Germans.  In 1943 the Americans established a
@@ -2060,7 +2066,7 @@ Rule	Poland	1945	only	-	Apr	29	0:00	1:00	S
 Rule	Poland	1945	only	-	Nov	 1	0:00	0	-
 # For 1946 on the source is Kazimierz Borkowski,
 # Toruń Center for Astronomy, Dept. of Radio Astronomy, Nicolaus Copernicus U.,
-# http://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1
+# https://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1
 # Thanks to Przemysław Augustyniak (2005-05-28) for this reference.
 # He also gives these further references:
 # Mon Pol nr 13, poz 162 (1995) 
@@ -2094,7 +2100,7 @@ Zone	Europe/Warsaw	1:24:00 -	LMT	1880
 #
 # From Paul Eggert (2014-08-11), after a heads-up from Stephen Colebourne:
 # According to a Portuguese decree (1911-05-26)
-# http://dre.pt/pdf1sdip/1911/05/12500/23132313.pdf
+# https://dre.pt/application/dir/pdf1sdip/1911/05/12500/23132313.pdf
 # Lisbon was at -0:36:44.68, but switched to GMT on 1912-01-01 at 00:00.
 # Round the old offset to -0:36:45.  This agrees with Willett but disagrees
 # with Shanks, who says the transition occurred on 1911-05-24 at 00:00 for
@@ -2276,7 +2282,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # 2011 No. 725" and contains no other dates or "effective date" information.
 #
 # Another source is
-# http://www.rg.ru/2011/09/06/chas-zona-dok.html
+# https://rg.ru/2011/09/06/chas-zona-dok.html
 # which, according to translate.google.com, begins "Resolution of the
 # Government of the Russian Federation on August 31, 2011 N 725" and also
 # contains "Date first official publication: September 6, 2011 Posted on:
@@ -2284,7 +2290,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # does not contain any "effective date" information.
 #
 # Another source is
-# http://en.wikipedia.org/wiki/Oymyakonsky_District#cite_note-RuTime-7
+# https://en.wikipedia.org/wiki/Oymyakonsky_District#cite_note-RuTime-7
 # which, in note 8, contains "Resolution No. 725 of August 31, 2011...
 # Effective as of after 7 days following the day of the official publication"
 # but which does not contain any reference to September 6, 2011.
@@ -2320,7 +2326,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # http://itar-tass.com/obschestvo/1333711
 # http://www.pravo.gov.ru:8080/page.aspx?111660
 # http://www.kremlin.ru/acts/46279
-# From October 26, 2014 the new Russian time zone map will looks like this:
+# From October 26, 2014 the new Russian time zone map will look like this:
 # http://www.worldtimezone.com/dst_news/dst_news_russia-map-2014-07.html
 
 # From Paul Eggert (2006-03-22):
@@ -2367,7 +2373,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # with maintenance only and represent our best guesses as to which regions
 # are covered by each zone.  They are not meant to be taken as an authoritative
 # listing.  The region codes listed come from
-# http://en.wikipedia.org/w/?title=Federal_subjects_of_Russia&oldid=611810498
+# https://en.wikipedia.org/w/?title=Federal_subjects_of_Russia&oldid=611810498
 # and are used for convenience only; no guarantees are made regarding their
 # future stability.  ISO 3166-2:RU codes are also listed for first-level
 # divisions where available.
@@ -2532,7 +2538,7 @@ Zone Europe/Kaliningrad	 1:22:00 -	LMT	1893 Apr
 # http://www.kaliningradka.ru/site_pc/cherez/index.php?ELEMENT_ID=40091
 # says that Kaliningrad decided not to be an exception 2 days before the
 # 1991-03-31 switch and one person at
-# http://izhevsk.ru/forum_light_message/50/682597-m8369040.html
+# https://izhevsk.ru/forum_light_message/50/682597-m8369040.html
 # says he remembers that Samara opted out of the 1992-01-19 exception
 # 2 days before the switch.
 #
@@ -2604,7 +2610,7 @@ Zone Europe/Simferopol	 2:16:24 -	LMT	1880
 			 3:00	-	MSK	1997 Mar lastSun  1:00u
 # From Alexander Krivenyshev (2014-03-17):
 # time change at 2:00 (2am) on March 30, 2014
-# http://vz.ru/news/2014/3/17/677464.html
+# https://vz.ru/news/2014/3/17/677464.html
 # From Paul Eggert (2014-03-30):
 # Simferopol and Sevastopol reportedly changed their central town clocks
 # late the previous day, but this appears to have been ceremonial
@@ -2787,7 +2793,7 @@ Zone Asia/Omsk		 4:53:30 -	LMT	1919 Nov 14
 # suggests that Altai Republic transitioned to Moscow+3 on
 # 1995-05-28.
 #
-# http://regnum.ru/news/society/1957270.html
+# https://regnum.ru/news/society/1957270.html
 # has some historical data for Altai Krai:
 # before 1957: west part on UTC+6, east on UTC+7
 # after 1957: UTC+7
@@ -3161,8 +3167,8 @@ Zone Asia/Magadan	10:03:12 -	LMT	1924 May  2
 # districts, but have very similar populations.  In fact, Wikipedia currently
 # lists them both as having 3528 people, exactly 1668 males and 1860 females
 # each!  (Yikes!)
-# http://en.wikipedia.org/w/?title=Srednekolymsky_District&oldid=603435276
-# http://en.wikipedia.org/w/?title=Verkhnekolymsky_District&oldid=594378493
+# https://en.wikipedia.org/w/?title=Srednekolymsky_District&oldid=603435276
+# https://en.wikipedia.org/w/?title=Verkhnekolymsky_District&oldid=594378493
 # Assume this is a mistake, albeit an amusing one.
 #
 # Looking at censuses, the populations of the two municipalities seem to have
@@ -3483,7 +3489,7 @@ Zone Europe/Stockholm	1:12:12 -	LMT	1879 Jan  1
 #
 # From Alois Treindl (2013-09-11):
 # The Federal regulations say
-# http://www.admin.ch/opc/de/classified-compilation/20071096/index.html
+# https://www.admin.ch/opc/de/classified-compilation/20071096/index.html
 # ... the meridian for Bern mean time ... is 7 degrees 26' 22.50".
 # Expressed in time, it is 0h29m45.5s.
 
@@ -3560,9 +3566,9 @@ Zone	Europe/Zurich	0:34:08 -	LMT	1853 Jul 16 # See above comment.
 # According to the articles linked below, Turkey will change into summer
 # time zone (GMT+3) on March 28, 2011 at 3:00 a.m. instead of March 27.
 # This change is due to a nationwide exam on 27th.
-# http://www.worldbulletin.net/?aType=haber&ArticleID=70872
+# https://www.worldbulletin.net/?aType=haber&ArticleID=70872
 # Turkish:
-# http://www.hurriyet.com.tr/ekonomi/17230464.asp?gid=373
+# https://www.hurriyet.com.tr/yaz-saati-uygulamasi-bir-gun-ileri-alindi-17230464
 
 # From Faruk Pasin (2014-02-14):
 # The DST for Turkey has been changed for this year because of the
@@ -3698,7 +3704,7 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
 # http://www.segodnya.ua/news/14290482.html
 #
 # Deputies cancelled the winter time (in Russian)
-# http://www.pravda.com.ua/rus/news/2011/09/20/6600616/
+# https://www.pravda.com.ua/rus/news/2011/09/20/6600616/
 #
 # From Philip Pizzey (2011-10-18):
 # Today my Ukrainian colleagues have informed me that the
diff --git a/jdk/make/data/tzdata/leapseconds b/jdk/make/data/tzdata/leapseconds
index 3823c9abc4..9b4ec9ad47 100644
--- a/jdk/make/data/tzdata/leapseconds
+++ b/jdk/make/data/tzdata/leapseconds
@@ -26,19 +26,18 @@
 # This file is in the public domain.
 
 # This file is generated automatically from the data in the public-domain
-# leap-seconds.list file available from most NIST time servers.
-# If the URL  does not work,
-# you should be able to pick up leap-seconds.list from a secondary NIST server.
-# See  for a list of secondary servers.
+# leap-seconds.list file, which is copied from:
+# ftp://ftp.nist.gov/pub/time/leap-seconds.list
 # For more about leap-seconds.list, please see
 # The NTP Timescale and Leap Seconds
-# http://www.eecis.udel.edu/~mills/leap.html
+# https://www.eecis.udel.edu/~mills/leap.html
 
 # The International Earth Rotation and Reference Systems Service
 # periodically uses leap seconds to keep UTC to within 0.9 s of UT1
 # (which measures the true angular orientation of the earth in space); see
-# Terry J Quinn, The BIPM and the accurate measure of time,
-# Proc IEEE 79, 7 (July 1991), 894-905 .
+# Levine J. Coordinated Universal Time and the leap second.
+# URSI Radio Sci Bull. 2016;89(4):30-6. doi:10.23919/URSIRSB.2016.7909995
+# http://ieeexplore.ieee.org/document/7909995/
 # There were no leap seconds before 1972, because the official mechanism
 # accounting for the discrepancy between atomic time and the earth's rotation
 # did not exist until the early 1970s.
@@ -81,5 +80,5 @@ Leap	2012	Jun	30	23:59:60	+	S
 Leap	2015	Jun	30	23:59:60	+	S
 Leap	2016	Dec	31	23:59:60	+	S
 
-#	Updated through IERS Bulletin C53
-#	File expires on:  28 December 2017
+#	Updated through IERS Bulletin C54
+#	File expires on:  28 June 2018
diff --git a/jdk/make/data/tzdata/northamerica b/jdk/make/data/tzdata/northamerica
index d59d2705b9..99dcc938fa 100644
--- a/jdk/make/data/tzdata/northamerica
+++ b/jdk/make/data/tzdata/northamerica
@@ -128,10 +128,13 @@
 # Last night I heard part of a rebroadcast of a 1945 Arch Oboler radio drama.
 # In the introduction, Oboler spoke of "Eastern Peace Time."
 # An AltaVista search turned up:
-# http://rowayton.org/rhs/hstaug45.html
+# https://web.archive.org/web/20000926032210/http://rowayton.org/rhs/hstaug45.html
 # "When the time is announced over the radio now, it is 'Eastern Peace
 # Time' instead of the old familiar 'Eastern War Time.'  Peace is wonderful."
 # (August 1945) by way of confirmation.
+#
+# From Paul Eggert (2017-09-23):
+# This was the V-J Day issue of the Clamdigger, a Rowayton, CT newsletter.
 
 # From Joseph Gallant citing
 # George H. Douglas, _The Early Days of Radio Broadcasting_ (1987):
@@ -280,7 +283,7 @@ Zone	PST8PDT		 -8:00	US	P%sT
 # HST and HDT are standardized abbreviations for Hawaii-Aleutian
 # standard and daylight times.  See section 9.47 (p 234) of the
 # U.S. Government Printing Office Style Manual (2008)
-# http://www.gpo.gov/fdsys/pkg/GPO-STYLEMANUAL-2008/pdf/GPO-STYLEMANUAL-2008.pdf
+# https://www.gpo.gov/fdsys/pkg/GPO-STYLEMANUAL-2008/pdf/GPO-STYLEMANUAL-2008.pdf
 
 # From Arthur David Olson, 2005-08-09
 # The following was signed into law on 2005-08-08.
@@ -369,7 +372,7 @@ Zone America/New_York	-4:56:02 -	LMT	1883 Nov 18 12:03:58
 # western Tennessee, most of Texas, Wisconsin
 
 # From Larry M. Smith (2006-04-26) re Wisconsin:
-# http://www.legis.state.wi.us/statutes/Stat0175.pdf ...
+# https://docs.legis.wisconsin.gov/statutes/statutes/175.pdf
 # is currently enforced at the 01:00 time of change.  Because the local
 # "bar time" in the state corresponds to 02:00, a number of citations
 # are issued for the "sale of class 'B' alcohol after prohibited
@@ -378,7 +381,7 @@ Zone America/New_York	-4:56:02 -	LMT	1883 Nov 18 12:03:58
 # From Douglas R. Bomberg (2007-03-12):
 # Wisconsin has enacted (nearly eleventh-hour) legislation to get WI
 # Statue 175 closer in synch with the US Congress' intent....
-# http://www.legis.state.wi.us/2007/data/acts/07Act3.pdf
+# https://docs.legis.wisconsin.gov/2007/related/acts/3
 
 # From an email administrator of the City of Fort Pierre, SD (2015-12-21):
 # Fort Pierre is technically located in the Mountain time zone as is
@@ -425,7 +428,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
 # ...it appears that Mercer County, North Dakota, changed from the
 # mountain time zone to the central time zone at the last transition from
 # daylight-saving to standard time (on Nov. 7, 2010):
-# http://www.gpo.gov/fdsys/pkg/FR-2010-09-29/html/2010-24376.htm
+# https://www.gpo.gov/fdsys/pkg/FR-2010-09-29/html/2010-24376.htm
 # http://www.bismarcktribune.com/news/local/article_1eb1b588-c758-11df-b472-001cc4c03286.html
 
 # From Andy Lipscomb (2011-01-24):
@@ -476,7 +479,7 @@ Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
 # legal time, and is not part of the data here.)  See:
 # Ross SA. An energy crisis from the past: Northern California in 1948.
 # Working Paper No. 8, Institute of Governmental Studies, UC Berkeley,
-# 1973-11.  http://escholarship.org/uc/item/8x22k30c
+# 1973-11.  https://escholarship.org/uc/item/8x22k30c
 #
 # In another measure to save electricity, DST was instituted from 1948-03-14
 # at 02:01 to 1949-01-16 at 02:00, with the governor having the option to move
@@ -497,8 +500,8 @@ Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
 # which established DST from April's last Sunday at 01:00 until September's
 # last Sunday at 02:00. This was amended by 1962's Proposition 6, which changed
 # the fall-back date to October's last Sunday. See:
-# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
-# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
+# https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
+# https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
 Rule	CA	1948	only	-	Mar	14	2:01	1:00	D
@@ -515,20 +518,31 @@ Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
 # Alaska
 # AK%sT is the modern abbreviation for -09 per USNO.
 #
-# From Paul Eggert (2001-05-30):
+# From Paul Eggert (2017-06-15):
 # Howse writes that Alaska switched from the Julian to the Gregorian calendar,
 # and from east-of-GMT to west-of-GMT days, when the US bought it from Russia.
-# This was on 1867-10-18, a Friday; the previous day was 1867-10-06 Julian,
-# also a Friday.  Include only the time zone part of this transition,
-# ignoring the switch from Julian to Gregorian, since we can't represent
-# the Julian calendar.
+# On Friday, 1867-10-18 (Gregorian), at precisely 15:30 local time, the
+# Russian forts and fleet at Sitka fired salutes to mark the ceremony of
+# formal transfer.  See the Sacramento Daily Union (1867-11-14), p 3, col 2.
+# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=SDU18671114.2.12.1
+# Sitka workers did not change their calendars until Sunday, 1867-10-20,
+# and so celebrated two Sundays that week.  See: Ahllund T (tr Hallamaa P).
+# From the memoirs of a Finnish workman. Alaska History. 2006 Fall;21(2):1-25.
+# http://alaskahistoricalsociety.org/wp-content/uploads/2016/12/Ahllund-2006-Memoirs-of-a-Finnish-Workman.pdf
+# Include only the time zone part of this transition, ignoring the switch
+# from Julian to Gregorian, since we can't represent the Julian calendar.
 #
-# As far as we know, none of the exact locations mentioned below were
+# As far as we know, of the locations mentioned below only Sitka was
 # permanently inhabited in 1867 by anyone using either calendar.
-# (Yakutat was colonized by the Russians in 1799, but the settlement
-# was destroyed in 1805 by a Yakutat-kon war party.)  However, there
-# were nearby inhabitants in some cases and for our purposes perhaps
-# it's best to simply use the official transition.
+# (Yakutat was colonized by the Russians in 1799, but the settlement was
+# destroyed in 1805 by a Yakutat-kon war party.)  Many of Alaska's inhabitants
+# were unaware of the US acquisition of Alaska, much less of any calendar or
+# time change.  However, the Russian-influenced part of Alaska did observe
+# Russian time, and it is more accurate to model this than to ignore it.
+# The database format requires an exact transition time; use the Russian
+# salute as a somewhat-arbitrary time for the formal transfer of control for
+# all of Alaska.  Sitka's UTC offset is -9:01:13; adjust its 15:30 to the
+# local times of other Alaskan locations so that they change simultaneously.
 
 # From Paul Eggert (2014-07-18):
 # One opinion of the early-1980s turmoil in Alaska over time zones and
@@ -581,10 +595,10 @@ Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
 # It seems Metlakatla did go off PST on Sunday, November 1, changing
 # their time to AKST and are going to follow Alaska's DST, switching
 # between AKST and AKDT from now on....
-# http://www.krbd.org/2015/10/30/annette-island-times-they-are-a-changing/
+# https://www.krbd.org/2015/10/30/annette-island-times-they-are-a-changing/
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 18
+Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 19 15:33:32
 			 -8:57:41 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -594,7 +608,7 @@ Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 18
+Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 19 15:30
 			 -9:01:13 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -602,7 +616,7 @@ Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 18
+Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 19 15:44:55
 			 -8:46:18 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -610,14 +624,14 @@ Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -8:00	-	PST	2015 Nov  1  2:00
 			 -9:00	US	AK%sT
-Zone America/Yakutat	 14:41:05 -	LMT	1867 Oct 18
+Zone America/Yakutat	 14:41:05 -	LMT	1867 Oct 19 15:12:18
 			 -9:18:55 -	LMT	1900 Aug 20 12:00
 			 -9:00	-	YST	1942
 			 -9:00	US	Y%sT	1946
 			 -9:00	-	YST	1969
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 18
+Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 19 14:31:37
 			 -9:59:36 -	LMT	1900 Aug 20 12:00
 			-10:00	-	AST	1942
 			-10:00	US	A%sT	1967 Apr
@@ -625,7 +639,7 @@ Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 18
 			-10:00	US	AH%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Nome	 12:58:21 -	LMT	1867 Oct 18
+Zone America/Nome	 12:58:22 -	LMT	1867 Oct 19 13:29:35
 			-11:01:38 -	LMT	1900 Aug 20 12:00
 			-11:00	-	NST	1942
 			-11:00	US	N%sT	1946
@@ -634,7 +648,7 @@ Zone America/Nome	 12:58:21 -	LMT	1867 Oct 18
 			-11:00	US	B%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Adak	 12:13:21 -	LMT	1867 Oct 18
+Zone America/Adak	 12:13:22 -	LMT	1867 Oct 19 12:44:35
 			-11:46:38 -	LMT	1900 Aug 20 12:00
 			-11:00	-	NST	1942
 			-11:00	US	N%sT	1946
@@ -670,7 +684,7 @@ Zone America/Adak	 12:13:21 -	LMT	1867 Oct 18
 # "Hawaiian Time" by Robert C. Schmitt and Doak C. Cox appears on pages 207-225
 # of volume 26 of The Hawaiian Journal of History (1992). As of 2010-12-09,
 # the article is available at
-# http://evols.library.manoa.hawaii.edu/bitstream/10524/239/2/JL26215.pdf
+# https://evols.library.manoa.hawaii.edu/bitstream/10524/239/2/JL26215.pdf
 # and indicates that standard time was adopted effective noon, January
 # 13, 1896 (page 218), that in "1933, the Legislature decreed daylight
 # saving for the period between the last Sunday of each April and the
@@ -769,7 +783,7 @@ Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 12:15:11
 # Indiana
 #
 # For a map of Indiana's time zone regions, see:
-# http://en.wikipedia.org/wiki/Time_in_Indiana
+# https://en.wikipedia.org/wiki/Time_in_Indiana
 #
 # From Paul Eggert (2007-08-17):
 # Since 1970, most of Indiana has been like America/Indiana/Indianapolis,
@@ -996,7 +1010,7 @@ Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
 # From Paul Eggert (2001-07-16):
 # The final rule was published in the
 # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
-# http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2000_register&docid=fr17au00-22
+# https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
 #
 Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 			-6:00	US	C%sT	1946
@@ -1022,7 +1036,7 @@ Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 # West Wendover, NV officially switched from Pacific to mountain time on
 # 1999-10-31.  See the
 # Federal Register 64, 203 (1999-10-21), pp 56705-56707.
-# http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1999_register&docid=fr21oc99-15
+# https://www.gpo.gov/fdsys/pkg/FR-1999-10-21/html/99-27240.htm
 # However, the Federal Register says that West Wendover already operated
 # on mountain time, and the rule merely made this official;
 # hence a separate tz entry is not needed.
@@ -1052,12 +1066,23 @@ Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 # one hour in 1914."  This change is not in Shanks.  We have no more
 # info, so omit this for now.
 #
+# From Paul Eggert (2017-07-26):
+# Although Shanks says Detroit observed DST in 1967 from 06-14 00:01
+# until 10-29 00:01, I now see multiple reports that this is incorrect.
+# For example, according to a 50-year anniversary report about the 1967
+# Detroit riots and a major-league doubleheader on 1967-07-23, "By the time
+# the last fly ball of the doubleheader settled into the glove of leftfielder
+# Lenny Green, it was after 7 p.m.  Detroit did not observe daylight saving
+# time, so light was already starting to fail.  Twilight was made even deeper
+# by billowing columns of smoke that ascended in an unbroken wall north of the
+# ballpark."  See: Dow B. Detroit '67: As violence unfolded, Tigers played two
+# at home vs. Yankees. Detroit Free Press 2017-07-23.
+# https://www.freep.com/story/sports/mlb/tigers/2017/07/23/detroit-tigers-1967-riot-new-york-yankees/499951001/
+#
 # Most of Michigan observed DST from 1973 on, but was a bit late in 1975.
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
 Rule	Detroit	1948	only	-	Apr	lastSun	2:00	1:00	D
 Rule	Detroit	1948	only	-	Sep	lastSun	2:00	0	S
-Rule	Detroit	1967	only	-	Jun	14	2:00	1:00	D
-Rule	Detroit	1967	only	-	Oct	lastSun	2:00	0	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone America/Detroit	-5:32:11 -	LMT	1905
 			-6:00	-	CST	1915 May 15  2:00
@@ -1121,7 +1146,7 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 #	[PDF] (1914-03)
 #
 #	Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94
-#	.
+#	.
 #
 # See the 'europe' file for Greenland.
 
@@ -1167,19 +1192,19 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # The British Columbia government announced yesterday that it will
 # adjust daylight savings next year to align with changes in the
 # U.S. and the rest of Canada....
-# http://www2.news.gov.bc.ca/news_releases_2005-2009/2006AG0014-000330.htm
+# https://archive.news.gov.bc.ca/releases/news_releases_2005-2009/2006AG0014-000330.htm
 # ...
 # Nova Scotia
 # Daylight saving time will be extended by four weeks starting in 2007....
-# http://www.gov.ns.ca/just/regulations/rg2/2006/ma1206.pdf
+# https://www.novascotia.ca/just/regulations/rg2/2006/ma1206.pdf
 #
 # [For New Brunswick] the new legislation dictates that the time change is to
 # be done at 02:00 instead of 00:01.
-# http://www.gnb.ca/0062/acts/BBA-2006/Chap-19.pdf
+# https://www.gnb.ca/0062/acts/BBA-2006/Chap-19.pdf
 # ...
 # Manitoba has traditionally changed the clock every fall at 03:00.
 # As of 2006, the transition is to take place one hour earlier at 02:00.
-# http://web2.gov.mb.ca/laws/statutes/ccsm/o030e.php
+# https://web2.gov.mb.ca/laws/statutes/ccsm/o030e.php
 # ...
 # [Alberta, Ontario, Quebec] will follow US rules.
 # http://www.qp.gov.ab.ca/documents/spring/CH03_06.CFM
@@ -1193,7 +1218,7 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # http://www.hoa.gov.nl.ca/hoa/bills/Bill0634.htm
 # ...
 # Yukon
-# http://www.gov.yk.ca/legislation/regs/oic2006_127.pdf
+# https://www.gov.yk.ca/legislation/regs/oic2006_127.pdf
 # ...
 # N.W.T. will follow US rules.  Whoever maintains the government web site
 # does not seem to believe in bookmarks.  To see the news release, click the
@@ -1214,8 +1239,8 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # time and daylight saving time arrangements in Canada circa 1998.
 #
 # National Research Council Canada maintains info about time zones and DST.
-# http://www.nrc-cnrc.gc.ca/eng/services/time/time_zones.html
-# http://www.nrc-cnrc.gc.ca/eng/services/time/faq/index.html#Q5
+# https://www.nrc-cnrc.gc.ca/eng/services/time/time_zones.html
+# https://www.nrc-cnrc.gc.ca/eng/services/time/faq/index.html#Q5
 # Its unofficial information is often taken from Matthews and Vincent.
 
 # From Paul Eggert (2006-06-27):
@@ -1252,11 +1277,13 @@ Rule	Canada	2007	max	-	Nov	Sun>=1	2:00	0	S
 
 # Newfoundland and Labrador
 
-# From Paul Eggert (2000-10-02):
-# Matthews and Vincent (1998) write that Labrador should use NST/NDT,
-# but the only part of Labrador that follows the rules is the
-# southeast corner, including Port Hope Simpson and Mary's Harbour,
-# but excluding, say, Black Tickle.
+# From Paul Eggert (2017-10-14):
+# Legally Labrador should observe Newfoundland time; see:
+# McLeod J. Labrador time - legal or not? St. John's Telegram, 2017-10-07
+# http://www.thetelegram.com/news/local/labrador-time--legal-or-not-154860/
+# Matthews and Vincent (1998) write that the only part of Labrador
+# that follows the rules is the southeast corner, including Port Hope
+# Simpson and Mary's Harbour, but excluding, say, Black Tickle.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	StJohns	1917	only	-	Apr	 8	2:00	1:00	D
@@ -1456,7 +1483,7 @@ Zone America/Moncton	-4:19:08 -	LMT	1883 Dec  9
 # http://www.justice.gouv.qc.ca/english/publications/generale/temps-minganie-a.htm
 # that the coastal strip from just east of Natashquan to Blanc-Sablon
 # observes Atlantic standard time all year round.
-# http://www.assnat.qc.ca/Media/Process.aspx?MediaId=ANQ.Vigie.Bll.DocumentGenerique_8845en
+# https://www.assnat.qc.ca/Media/Process.aspx?MediaId=ANQ.Vigie.Bll.DocumentGenerique_8845en
 # says this common practice was codified into law as of 2007.
 # For lack of better info, guess this practice began around 1970, contra to
 # Shanks & Pottenger who have this region observing AST/ADT.
@@ -1488,6 +1515,11 @@ Zone America/Blanc-Sablon -3:48:28 -	LMT	1884
 # earlier in June).
 #
 # Kenora, Ontario, was to abandon DST on 1914-06-01 (-05-21).
+#
+# From Paul Eggert (2017-07-08):
+# For more on Orillia, see: Daubs K. Bold attempt at daylight saving
+# time became a comic failure in Orillia. Toronto Star 2017-07-08.
+# https://www.thestar.com/news/insight/2017/07/08/bold-attempt-at-daylight-saving-time-became-a-comic-failure-in-orillia.html
 
 # From Paul Eggert (1997-10-17):
 # Mark Brader writes that an article in the 1997-10-14 Toronto Star
@@ -1979,7 +2011,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #	* 1967. Paragraph 28(34)(g) of the Interpretation Act, S.C. 1967-68,
 #	c. 7 defines Yukon standard time as UTC-9....
 #	see Interpretation Act, R.S.C. 1985, c. I-21, s. 35(1).
-#	[http://canlii.ca/t/7vhg]
+#	[https://www.canlii.org/en/ca/laws/stat/rsc-1985-c-i-21/latest/rsc-1985-c-i-21.html]
 #	* C.O. 1973/214 switched Yukon to PST on 1973-10-28 00:00.
 #	* O.I.C. 1980/02 established DST.
 #	* O.I.C. 1987/056 changed DST to Apr firstSun 2:00 to Oct lastSun 2:00.
@@ -2044,7 +2076,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #     hours behind Greenwich Time.
 #
 # * Yukon Standard Time defined as Pacific Standard Time, YCO 1973/214
-#   http://www.canlii.org/en/yk/laws/regu/yco-1973-214/latest/yco-1973-214.html
+#   https://www.canlii.org/en/yk/laws/regu/yco-1973-214/latest/yco-1973-214.html
 #   C.O. 1973/214 INTERPRETATION ACT ...
 #
 #     1. Effective October 28, 1973 Commissioner's Order 1967/59 is hereby
@@ -2059,7 +2091,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #   http://? - no online source found
 #
 # * Yukon Daylight Saving Time, YOIC 1987/56
-#   http://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
+#   https://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
 #   O.I.C. 1987/056 INTERPRETATION ACT ...
 #
 #   In every year between
@@ -2071,7 +2103,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #   Dated ... 9th day of March, A.D., 1987.
 #
 # * Yukon Daylight Saving Time 2006, YOIC 2006/127
-#   http://www.canlii.org/en/yk/laws/regu/yoic-2006-127/latest/yoic-2006-127.html
+#   https://www.canlii.org/en/yk/laws/regu/yoic-2006-127/latest/yoic-2006-127.html
 #   O.I.C. 2006/127 INTERPRETATION ACT ...
 #
 #     1. In Yukon each year the time for general purposes shall be 7 hours
@@ -2085,7 +2117,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #     3. This order comes into force January 1, 2007.
 #
 # * Interpretation Act, RSY 2002, c 125
-# http://www.canlii.org/en/yk/laws/stat/rsy-2002-c-125/latest/rsy-2002-c-125.html
+# https://www.canlii.org/en/yk/laws/stat/rsy-2002-c-125/latest/rsy-2002-c-125.html
 
 # From Rives McDow (1999-09-04):
 # Nunavut ... moved ... to incorporate the whole territory into one time zone.
@@ -2128,7 +2160,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 
 # From Michaela Rodrigue, writing in the
 # Nunatsiaq News (1999-11-19):
-# http://www.nunatsiaq.com/archives/nunavut991130/nvt91119_17.html
+# http://www.nunatsiaqonline.ca/archives/nunavut991130/nvt91119_17.html
 # Clyde River, Pangnirtung and Sanikiluaq now operate with two time zones,
 # central - or Nunavut time - for government offices, and eastern time
 # for municipal offices and schools....  Igloolik [was similar but then]
@@ -2146,7 +2178,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 # Central Time and Southampton Island [in the Central zone] is not
 # required to use daylight savings.
 
-# From 
+# From 
 # Nunavut now has two time zones (2000-11-10):
 # The Nunavut government would allow its employees in Kugluktuk and
 # Cambridge Bay to operate on central time year-round, putting them
@@ -2477,7 +2509,7 @@ Zone America/Dawson	-9:17:40 -	LMT	1900 Aug 20
 # http://gaceta.diputados.gob.mx/Gaceta/61/2009/dic/V2-101209.html
 #
 # Our page:
-# http://www.timeanddate.com/news/time/north-mexico-dst-change.html
+# https://www.timeanddate.com/news/time/north-mexico-dst-change.html
 
 # From Arthur David Olson (2010-01-20):
 # The page
@@ -2896,7 +2928,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.nnc.cubaweb.cu/marzo-2008/cien-1-11-3-08.htm
 #
 # Some more background information is posted here:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-march-16.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-march-16.html
 #
 # The article also says that Cuba has been observing DST since 1963,
 # while Shanks (and tzdata) has 1965 as the first date (except in the
@@ -2943,7 +2975,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://granma.co.cu/2011/03/08/nacional/artic01.html
 #
 # Our info:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-2011.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-2011.html
 #
 # From Steffen Thorsen (2011-10-30)
 # Cuba will end DST two weeks later this year. Instead of going back
@@ -2953,7 +2985,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.radioangulo.cu/noticias/cuba/17105-cuba-restablecera-el-horario-del-meridiano-de-greenwich.html
 #
 # Our page:
-# http://www.timeanddate.com/news/time/cuba-time-changes-2011.html
+# https://www.timeanddate.com/news/time/cuba-time-changes-2011.html
 #
 # From Steffen Thorsen (2012-03-01)
 # According to Radio Reloj, Cuba will start DST on Midnight between March
@@ -2963,7 +2995,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.radioreloj.cu/index.php/noticias-radio-reloj/71-miscelaneas/7529-cuba-aplicara-el-horario-de-verano-desde-el-1-de-abril
 #
 # Our info on it:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-2012.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-2012.html
 
 # From Steffen Thorsen (2012-11-03):
 # Radio Reloj and many other sources report that Cuba is changing back
@@ -3158,8 +3190,8 @@ Zone America/Guatemala	-6:02:04 -	LMT	1918 Oct 5
 # From Steffen Thorsen (2016-03-12):
 # Jean Antoine, editor of www.haiti-reference.com informed us that Haiti
 # are not going on DST this year.  Several other resources confirm this: ...
-# http://www.radiotelevisioncaraibes.com/presse/heure_d_t_pas_de_changement_d_heure_pr_vu_pour_cet_ann_e.html
-# http://www.vantbefinfo.com/changement-dheure-pas-pour-haiti/
+# https://www.radiotelevisioncaraibes.com/presse/heure_d_t_pas_de_changement_d_heure_pr_vu_pour_cet_ann_e.html
+# https://www.vantbefinfo.com/changement-dheure-pas-pour-haiti/
 # http://news.anmwe.com/haiti-lheure-nationale-ne-sera-ni-avancee-ni-reculee-cette-annee/
 
 # From Steffen Thorsen (2017-03-12):
@@ -3358,7 +3390,7 @@ Zone America/Miquelon	-3:44:40 -	LMT	1911 May 15 # St Pierre
 # Turks and Caicos
 #
 # From Chris Dunn in
-# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415007
+# https://bugs.debian.org/415007
 # (2007-03-15): In the Turks & Caicos Islands (America/Grand_Turk) the
 # daylight saving dates for time changes have been adjusted to match
 # the recent U.S. change of dates.
@@ -3380,12 +3412,25 @@ Zone America/Miquelon	-3:44:40 -	LMT	1911 May 15 # St Pierre
 # "permanent daylight saving time" by one year....
 # http://tcweeklynews.com/time-change-to-go-ahead-this-november-p5437-127.htm
 #
+# From the Turks & Caicos Cabinet (2017-07-20), heads-up from Steffen Thorsen:
+# ... agreed to the reintroduction in TCI of Daylight Saving Time (DST)
+# during the summer months and Standard Time, also known as Local
+# Time, during the winter months with effect from April 2018 ...
+# https://www.gov.uk/government/news/turks-and-caicos-post-cabinet-meeting-statement--3
+#
+# From Paul Eggert (2017-08-26):
+# The date of effect of the spring 2018 change appears to be March 11,
+# which makes more sense.  See: Hamilton D. Time change back
+# by March 2018 for TCI. Magnetic Media. 2017-08-25.
+# http://magneticmediatv.com/2017/08/time-change-back-by-march-2018-for-tci/
+#
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone America/Grand_Turk	-4:44:32 -	LMT	1890
 			-5:07:11 -	KMT	1912 Feb # Kingston Mean Time
 			-5:00	-	EST	1979
 			-5:00	US	E%sT	2015 Nov Sun>=1 2:00
-			-4:00	-	AST
+			-4:00	-	AST	2018 Mar 11 3:00
+			-5:00	US	E%sT
 
 # British Virgin Is
 # Virgin Is
diff --git a/jdk/make/data/tzdata/southamerica b/jdk/make/data/tzdata/southamerica
index 44dbd95756..d15e8344db 100644
--- a/jdk/make/data/tzdata/southamerica
+++ b/jdk/make/data/tzdata/southamerica
@@ -45,7 +45,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # These tables use numeric abbreviations like -03 and -0330 for
 # integer hour and minute UTC offsets.  Although earlier editions used
@@ -288,8 +288,8 @@ Rule	Arg	2008	only	-	Oct	Sun>=15	0:00	1:00	S
 #
 # Es inminente que en San Luis atrasen una hora los relojes
 # (It is imminent in San Luis clocks one hour delay)
-# http://www.lagaceta.com.ar/nota/253414/Economia/Es-inminente-que-en-San-Luis-atrasen-una-hora-los-relojes.html
-# http://www.worldtimezone.net/dst_news/dst_news_argentina02.html
+# https://www.lagaceta.com.ar/nota/253414/Economia/Es-inminente-que-en-San-Luis-atrasen-una-hora-los-relojes.html
+# http://www.worldtimezone.com/dst_news/dst_news_argentina02.html
 
 # From Jesper Nørgaard Welen (2008-01-18):
 # The page of the San Luis provincial government
@@ -408,7 +408,7 @@ Rule	Arg	2008	only	-	Oct	Sun>=15	0:00	1:00	S
 # Perhaps San Luis operates on the legal fiction that it is at -04
 # with perpetual summer time, but ordinary usage typically seems to
 # just say it's at -03; see, for example,
-# http://es.wikipedia.org/wiki/Hora_oficial_argentina
+# https://es.wikipedia.org/wiki/Hora_oficial_argentina
 # We've documented similar situations as being plain changes to
 # standard time, so let's do that here too.  This does not change UTC
 # offsets, only tm_isdst and the time zone abbreviations.  One minor
@@ -739,7 +739,7 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 # (Portuguese)
 #
 # We have a written a short article about it as well:
-# http://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
+# https://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
 #
 # From Alexander Krivenyshev (2011-10-04):
 # State Bahia will return to Daylight savings time this year after 8 years off.
@@ -748,7 +748,7 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 
 # In Portuguese:
 # http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahia.html
-# http://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html
+# https://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html
 
 # From Guilherme Bernardes Rodrigues (2011-10-07):
 # There is news in the media, however there is still no decree about it.
@@ -774,16 +774,16 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 
 # From Rodrigo Severo (2012-10-16):
 # Tocantins state will have DST.
-# http://noticias.terra.com.br/brasil/noticias/0,,OI6232536-EI306.html
+# https://noticias.terra.com.br/brasil/noticias/0,,OI6232536-EI306.html
 
 # From Steffen Thorsen (2013-09-20):
 # Tocantins in Brazil is very likely not to observe DST from October....
 # http://conexaoto.com.br/2013/09/18/ministerio-confirma-que-tocantins-esta-fora-do-horario-de-verao-em-2013-mas-falta-publicacao-de-decreto
 # We will keep this article updated when this is confirmed:
-# http://www.timeanddate.com/news/time/brazil-starts-dst-2013.html
+# https://www.timeanddate.com/news/time/brazil-starts-dst-2013.html
 
 # From Steffen Thorsen (2013-10-17):
-# http://www.timeanddate.com/news/time/acre-amazonas-change-time-zone.html
+# https://www.timeanddate.com/news/time/acre-amazonas-change-time-zone.html
 # Senator Jorge Viana announced that Acre will change time zone on November 10.
 # He did not specify the time of the change, nor if western parts of Amazonas
 # will change as well.
@@ -1099,18 +1099,18 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
 # the following source, cited by Oscar van Vlijmen (2006-10-08):
 # [1] Chile Law
 # http://www.webexhibits.org/daylightsaving/chile.html
-# This contains a copy of a this official table:
+# This contains a copy of this official table:
 # Cambios en la hora oficial de Chile desde 1900 (retrieved 2008-03-30)
-# http://web.archive.org/web/20080330200901/http://www.horaoficial.cl/cambio.htm
+# https://web.archive.org/web/20080330200901/http://www.horaoficial.cl/cambio.htm
 # [1] needs several corrections, though.
 #
 # The first set of corrections is from:
 # [2] History of the Official Time of Chile
 # http://www.horaoficial.cl/ing/horaof_ing.html (retrieved 2012-03-06).  See:
-# http://web.archive.org/web/20120306042032/http://www.horaoficial.cl/ing/horaof_ing.html
+# https://web.archive.org/web/20120306042032/http://www.horaoficial.cl/ing/horaof_ing.html
 # This is an English translation of:
 # Historia de la hora oficial de Chile (retrieved 2012-10-24).  See:
-# http://web.archive.org/web/20121024234627/http://www.horaoficial.cl/horaof.htm
+# https://web.archive.org/web/20121024234627/http://www.horaoficial.cl/horaof.htm
 # A fancier Spanish version (requiring mouse-clicking) is at:
 # http://www.horaoficial.cl/historia_hora.html
 # Conflicts between [1] and [2] were resolved as follows:
@@ -1386,10 +1386,10 @@ Link	America/Curacao	America/Kralendijk	# Caribbean Netherlands
 # Milne says the Central and South American Telegraph Company used -5:24:15.
 #
 # From Alois Treindl (2016-12-15):
-# http://www.elcomercio.com/actualidad/hora-sixto-1993.html
+# https://www.elcomercio.com/actualidad/hora-sixto-1993.html
 # ... Whether the law applied also to Galápagos, I do not know.
 # From Paul Eggert (2016-12-15):
-# http://www.elcomercio.com/afull/modificacion-husohorario-ecuador-presidentes-decreto.html
+# https://www.elcomercio.com/afull/modificacion-husohorario-ecuador-presidentes-decreto.html
 # This says President Sixto Durán Ballén signed decree No. 285, which
 # established DST from 1992-11-28 to 1993-02-05; it does not give transition
 # times.  The people called it "hora de Sixto" ("Sixto hour").  The change did
@@ -1801,7 +1801,7 @@ Zone America/Montevideo	-3:44:44 -	LMT	1898 Jun 28
 # hours of presidential broadcasts, hours of lines,' quipped comedian
 # Jean Mary Curró ...". See: Cawthorne A, Kai D. Venezuela scraps
 # half-hour time difference set by Chavez. Reuters 2016-04-15 14:50 -0400
-# http://www.reuters.com/article/us-venezuela-timezone-idUSKCN0XC2BE
+# https://www.reuters.com/article/us-venezuela-timezone-idUSKCN0XC2BE
 #
 # From Matt Johnson (2016-04-20):
 # ... published in the official Gazette [2016-04-18], here:
diff --git a/jdk/make/data/tzdata/zone.tab b/jdk/make/data/tzdata/zone.tab
index 8d6247d21a..b1a7f07724 100644
--- a/jdk/make/data/tzdata/zone.tab
+++ b/jdk/make/data/tzdata/zone.tab
@@ -209,7 +209,7 @@ GB	+513030-0000731	Europe/London
 GD	+1203-06145	America/Grenada
 GE	+4143+04449	Asia/Tbilisi
 GF	+0456-05220	America/Cayenne
-GG	+4927-00232	Europe/Guernsey
+GG	+492717-0023210	Europe/Guernsey
 GH	+0533-00013	Africa/Accra
 GI	+3608-00521	Europe/Gibraltar
 GL	+6411-05144	America/Godthab	Greenland (most areas)
@@ -244,7 +244,7 @@ IQ	+3321+04425	Asia/Baghdad
 IR	+3540+05126	Asia/Tehran
 IS	+6409-02151	Atlantic/Reykjavik
 IT	+4154+01229	Europe/Rome
-JE	+4912-00207	Europe/Jersey
+JE	+491101-0020624	Europe/Jersey
 JM	+175805-0764736	America/Jamaica
 JO	+3157+03556	Asia/Amman
 JP	+353916+1394441	Asia/Tokyo
diff --git a/jdk/src/java.base/share/classes/java/time/format/ZoneName.java b/jdk/src/java.base/share/classes/java/time/format/ZoneName.java
index 645241360d..b76e694993 100644
--- a/jdk/src/java.base/share/classes/java/time/format/ZoneName.java
+++ b/jdk/src/java.base/share/classes/java/time/format/ZoneName.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -192,7 +192,7 @@ class ZoneName {
         "Africa/Ndjamena", "Africa_Western", "Africa/Lagos",
         "Asia/Macau", "China", "Asia/Shanghai",
         "America/Lima", "Peru", "America/Lima",
-        "Africa/Windhoek", "Africa_Western", "Africa/Lagos",
+        "Africa/Windhoek", "Africa_Central", "Africa/Maputo",
         "America/Sitka", "Alaska", "America/Juneau",
         "America/Mazatlan", "America_Mountain", "America/Denver",
         "Asia/Saigon", "Indochina", "Asia/Saigon",
@@ -324,7 +324,7 @@ class ZoneName {
         "Atlantic/Faroe", "Europe_Western", "Atlantic/Canary",
         "America/Cambridge_Bay", "America_Mountain", "America/Denver",
         "America/Los_Angeles", "America_Pacific", "America/Los_Angeles",
-        "Africa/Khartoum", "Africa_Eastern", "Africa/Nairobi",
+        "Africa/Khartoum", "Africa_Central", "Africa/Maputo",
         "Europe/Simferopol", "Europe_Eastern", "Europe/Bucharest",
         "Australia/Currie", "Australia_Eastern", "Australia/Sydney",
         "Europe/Guernsey", "GMT", "Atlantic/Reykjavik",
@@ -744,7 +744,6 @@ class ZoneName {
         "UTC", "Etc/UTC",
         "Canada/Newfoundland", "America/St_Johns",
         "Europe/Skopje", "Europe/Belgrade",
-        "Canada/East-Saskatchewan", "America/Regina",
         "PRC", "Asia/Shanghai",
         "UCT", "Etc/UCT",
         "America/Mendoza", "America/Argentina/Mendoza",
diff --git a/jdk/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/jdk/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
index e9459d95fb..0636a44576 100644
--- a/jdk/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
+++ b/jdk/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -349,7 +349,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -374,7 +374,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -777,7 +777,6 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
index ba54268802..67ae3596ff 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
index 100ac3356e..36326e49f8 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
index 8407be0b03..d5475e3461 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
index 6653a6241d..c1334d06b2 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
index 0f70da38c9..6661bfdc83 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
index 1f6a3585da..665ea8bb6a 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
index 3a03cda7ec..ea890dd6eb 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
index 7a13b7e87e..ced9600226 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
index 6c6e647d3b..f0a99da162 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -778,7 +778,6 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
index fa62d62ba0..bb6ac9fcf5 100644
--- a/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
+++ b/jdk/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -350,7 +350,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
             {"Africa/Johannesburg", SAST},
             {"Africa/Juba", EAT},
             {"Africa/Kampala", EAT},
-            {"Africa/Khartoum", EAT},
+            {"Africa/Khartoum", CAT},
             {"Africa/Kigali", CAT},
             {"Africa/Kinshasa", WAT},
             {"Africa/Lagos", WAT},
@@ -375,7 +375,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
             {"Africa/Timbuktu", GMT},
             {"Africa/Tripoli", EET},
             {"Africa/Tunis", CET},
-            {"Africa/Windhoek", WAT},
+            {"Africa/Windhoek", CAT},
             {"America/Adak", HST},
             {"America/Anguilla", AST},
             {"America/Antigua", AST},
@@ -780,7 +780,6 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
             {"Brazil/West", AMT},
             {"Canada/Atlantic", AST},
             {"Canada/Central", CST},
-            {"Canada/East-Saskatchewan", CST},
             {"Canada/Eastern", EST},
             {"Canada/Mountain", MST},
             {"Canada/Newfoundland", NST},
diff --git a/jdk/test/java/time/tck/java/time/zone/TCKZoneRules.java b/jdk/test/java/time/tck/java/time/zone/TCKZoneRules.java
index 19f8239c23..8c36b38fe3 100644
--- a/jdk/test/java/time/tck/java/time/zone/TCKZoneRules.java
+++ b/jdk/test/java/time/tck/java/time/zone/TCKZoneRules.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -941,21 +941,21 @@ public class TCKZoneRules {
     }
 
     public void test_Apia_jumpForwardOverInternationalDateLine_P12_to_M12() {
-        // transition occurred at 1879-07-04T00:00+12:33:04
+        // transition occurred at 1892-07-04T00:00+12:33:04
         ZoneRules test = pacificApia();
-        Instant instantBefore = LocalDate.of(1879, 7, 2).atStartOfDay(ZoneOffset.UTC).toInstant();
+        Instant instantBefore = LocalDate.of(1892, 7, 2).atStartOfDay(ZoneOffset.UTC).toInstant();
         ZoneOffsetTransition trans = test.nextTransition(instantBefore);
-        assertEquals(trans.getDateTimeBefore(), LocalDateTime.of(1879, 7, 5, 0, 0));
-        assertEquals(trans.getDateTimeAfter(), LocalDateTime.of(1879, 7, 4, 0, 0));
+        assertEquals(trans.getDateTimeBefore(), LocalDateTime.of(1892, 7, 5, 0, 0));
+        assertEquals(trans.getDateTimeAfter(), LocalDateTime.of(1892, 7, 4, 0, 0));
         assertEquals(trans.isGap(), false);
         assertEquals(trans.isOverlap(), true);
         assertEquals(trans.isValidOffset(ZoneOffset.ofHoursMinutesSeconds(+12, 33, 4)), true);
         assertEquals(trans.isValidOffset(ZoneOffset.ofHoursMinutesSeconds(-11, -26, -56)), true);
         assertEquals(trans.getDuration(), Duration.ofHours(-24));
-        assertEquals(trans.getInstant(), LocalDateTime.of(1879, 7, 4, 0, 0).toInstant(ZoneOffset.ofHoursMinutesSeconds(-11, -26, -56)));
+        assertEquals(trans.getInstant(), LocalDateTime.of(1892, 7, 4, 0, 0).toInstant(ZoneOffset.ofHoursMinutesSeconds(-11, -26, -56)));
 
-        ZonedDateTime zdt = ZonedDateTime.of(1879, 7, 4, 23, 0, 0, 0, ZoneId.of("Pacific/Apia"));
-        assertEquals(zdt.plusHours(2).toLocalDateTime(), LocalDateTime.of(1879, 7, 4, 1, 0, 0));
+        ZonedDateTime zdt = ZonedDateTime.of(1892, 7, 4, 23, 0, 0, 0, ZoneId.of("Pacific/Apia"));
+        assertEquals(zdt.plusHours(2).toLocalDateTime(), LocalDateTime.of(1892, 7, 4, 1, 0, 0));
     }
 
     //-------------------------------------------------------------------------
diff --git a/jdk/test/java/time/test/java/time/format/ZoneName.java b/jdk/test/java/time/test/java/time/format/ZoneName.java
index 1fbb913acd..591626d198 100644
--- a/jdk/test/java/time/test/java/time/format/ZoneName.java
+++ b/jdk/test/java/time/test/java/time/format/ZoneName.java
@@ -104,7 +104,7 @@ class ZoneName {
         "Pacific/Chuuk", "Truk", "Pacific/Truk",
         "Africa/Gaborone", "Africa_Central", "Africa/Maputo",
         "Africa/Tunis", "Europe_Central", "Europe/Paris",
-        "Africa/Khartoum", "Africa_Eastern", "Africa/Nairobi",
+        "Africa/Khartoum", "Africa_Central", "Africa/Maputo",
         "Europe/Isle_of_Man", "GMT", "Atlantic/Reykjavik",
         "Europe/Skopje", "Europe_Central", "Europe/Paris",
         "America/Merida", "America_Central", "America/Chicago",
@@ -221,7 +221,7 @@ class ZoneName {
         "Africa/Algiers", "Europe_Central", "Europe/Paris",
         "America/Miquelon", "Pierre_Miquelon", "America/Miquelon",
         "Asia/Tokyo", "Japan", "Asia/Tokyo",
-        "Africa/Windhoek", "Africa_Western", "Africa/Lagos",
+        "Africa/Windhoek", "Africa_Central", "Africa/Maputo",
         "Africa/Bujumbura", "Africa_Central", "Africa/Maputo",
         "America/Guatemala", "America_Central", "America/Chicago",
         "Africa/Dakar", "GMT", "Atlantic/Reykjavik",
@@ -662,7 +662,6 @@ class ZoneName {
         "America/Rosario", "America/Argentina/Cordoba",
         "Jamaica", "America/Jamaica",
         "Asia/Katmandu", "Asia/Kathmandu",
-        "Canada/East-Saskatchewan", "America/Regina",
         "ROK", "Asia/Seoul",
         "Asia/Macao", "Asia/Macau",
         "Australia/South", "Australia/Adelaide",
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/VERSION b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
index eb5b4595f3..6642908310 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/VERSION
+++ b/jdk/test/sun/util/calendar/zi/tzdata/VERSION
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2017b
+tzdata2017c
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/africa b/jdk/test/sun/util/calendar/zi/tzdata/africa
index d3de96d143..10d4dfaabb 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/africa
+++ b/jdk/test/sun/util/calendar/zi/tzdata/africa
@@ -49,7 +49,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # A reliable and entertaining source about time zones is
 # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997).
@@ -241,7 +241,7 @@ Rule	Egypt	2006	only	-	Sep	21	24:00	0	-
 # saving time in Egypt will end in the night of 2007-09-06 to 2007-09-07.
 # From Jesper Nørgaard Welen (2007-08-15): [The following agree:]
 # http://www.nentjes.info/Bill/bill5.htm
-# http://www.timeanddate.com/worldclock/city.html?n=53
+# https://www.timeanddate.com/worldclock/city.html?n=53
 # From Steffen Thorsen (2007-09-04): The official information...:
 # http://www.sis.gov.eg/En/EgyptOnline/Miscellaneous/000002/0207000000000000001580.htm
 Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
@@ -279,8 +279,8 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # timeanddate[2] and another site I've found[3] also support that.
 #
 # [1] https://bugzilla.redhat.com/show_bug.cgi?id=492263
-# [2] http://www.timeanddate.com/worldclock/clockchange.html?n=53
-# [3] http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
+# [2] https://www.timeanddate.com/worldclock/clockchange.html?n=53
+# [3] https://wwp.greenwichmeantime.com/time-zone/africa/egypt/
 
 # From Arthur David Olson (2009-04-20):
 # In 2009 (and for the next several years), Ramadan ends before the fourth
@@ -290,10 +290,10 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # From Steffen Thorsen (2009-08-11):
 # We have been able to confirm the August change with the Egyptian Cabinet
 # Information and Decision Support Center:
-# http://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
+# https://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
 #
 # The Middle East News Agency
-# http://www.mena.org.eg/index.aspx
+# https://www.mena.org.eg/index.aspx
 # also reports "Egypt starts winter time on August 21"
 # today in article numbered "71, 11/08/2009 12:25 GMT."
 # Only the title above is available without a subscription to their service,
@@ -343,7 +343,7 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # Thursday of April....  Clocks will still be turned back for Ramadan, but
 # dates not yet announced....
 # http://almogaz.com/news/weird-news/2015/04/05/1947105 ...
-# http://www.timeanddate.com/news/time/egypt-starts-dst-2015.html
+# https://www.timeanddate.com/news/time/egypt-starts-dst-2015.html
 
 # From Ahmed Nazmy (2015-04-20):
 # Egypt's ministers cabinet just announced ... that it will cancel DST at
@@ -470,11 +470,11 @@ Zone	Africa/Monrovia	-0:43:08 -	LMT	1882
 
 # From Even Scharning (2012-11-10):
 # Libya set their time one hour back at 02:00 on Saturday November 10.
-# http://www.libyaherald.com/2012/11/04/clocks-to-go-back-an-hour-on-saturday/
+# https://www.libyaherald.com/2012/11/04/clocks-to-go-back-an-hour-on-saturday/
 # Here is an official source [in Arabic]: http://ls.ly/fb6Yc
 #
 # Steffen Thorsen forwarded a translation (2012-11-10) in
-# http://mm.icann.org/pipermail/tz/2012-November/018451.html
+# https://mm.icann.org/pipermail/tz/2012-November/018451.html
 #
 # From Tim Parenti (2012-11-11):
 # Treat the 2012-11-10 change as a zone change from UTC+2 to UTC+1.
@@ -485,7 +485,7 @@ Zone	Africa/Monrovia	-0:43:08 -	LMT	1882
 # From Even Scharning (2013-10-25):
 # The scheduled end of DST in Libya on Friday, October 25, 2013 was
 # cancelled yesterday....
-# http://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
+# https://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
 #
 # From Paul Eggert (2013-10-25):
 # For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
@@ -538,7 +538,7 @@ Zone	Africa/Tripoli	0:52:44 -	LMT	1920
 # basis....
 # It seems that Mauritius observed daylight saving time from 1982-10-10 to
 # 1983-03-20 as well, but that was not successful....
-# http://www.timeanddate.com/news/time/mauritius-daylight-saving-time.html
+# https://www.timeanddate.com/news/time/mauritius-daylight-saving-time.html
 
 # From Alex Krivenyshev (2008-06-25):
 # http://economicdevelopment.gov.mu/portal/site/Mainhomepage/menuitem.a42b24128104d9845dabddd154508a0c/?content_id=0a7cee8b5d69a110VgnVCM1000000a04a8c0RCRD
@@ -606,7 +606,7 @@ Zone	Africa/Tripoli	0:52:44 -	LMT	1920
 # http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints-
 #
 # Our wrap-up:
-# http://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
+# https://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
 
 # From Arthur David Olson (2009-07-11):
 # The "mauritius-dst-will-not-repeat" wrapup includes this:
@@ -638,7 +638,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # be one hour ahead of GMT between 1 June and 27 September, according to
 # Communication Minister and Government Spokesman, Khalid Naciri...."
 #
-# http://www.worldtimezone.net/dst_news/dst_news_morocco01.html
+# http://www.worldtimezone.com/dst_news/dst_news_morocco01.html
 # http://en.afrik.com/news11892.html
 
 # From Alex Krivenyshev (2008-05-09):
@@ -651,7 +651,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 
 # From Patrice Scattolin (2008-05-09):
 # According to this article:
-# http://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
+# https://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
 # (and republished here: )
 # the changes occur at midnight:
 #
@@ -673,7 +673,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # posted in English).
 #
 # The following Google query will generate many relevant hits:
-# http://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
+# https://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
 
 # From Steffen Thorsen (2008-08-27):
 # Morocco will change the clocks back on the midnight between August 31
@@ -684,7 +684,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # http://www.menara.ma/fr/Actualites/Maroc/Societe/ci.retour_a_l_heure_gmt_a_partir_du_dimanche_31_aout_a_minuit_officiel_.default
 #
 # We have some further details posted here:
-# http://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
+# https://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
 
 # From Steffen Thorsen (2009-03-17):
 # Morocco will observe DST from 2009-06-01 00:00 to 2009-08-21 00:00 according
@@ -694,7 +694,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # (French)
 #
 # Our summary:
-# http://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
+# https://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to official document from Royaume du Maroc Premier Ministre,
@@ -717,7 +717,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # http://www.lavieeco.com/actualites/4099-le-maroc-passera-a-l-heure-d-ete-gmt1-le-2-mai.html
 # (French)
 # Our page:
-# http://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
+# https://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
 
 # From Dan Abitol (2011-03-30):
 # ...Rules for Africa/Casablanca are the following (24h format)
@@ -734,7 +734,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # They said that the decision was already taken.
 #
 # More articles in the press
-# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
+# https://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
 # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923
 # http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim
 
@@ -826,7 +826,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # 1433 (18 April 2012) and the decision of the Head of Government of
 # 16 N. 3-29-15 Chaaban 1435 (4 June 2015).
 # Source (french):
-# http://lnt.ma/le-maroc-reculera-dune-heure-le-dimanche-14-juin/
+# https://lnt.ma/le-maroc-reculera-dune-heure-le-dimanche-14-juin/
 #
 # From Milamber (2015-06-09):
 # http://www.mmsp.gov.ma/fr/actualites.aspx?id=863
@@ -835,7 +835,7 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # [The gov.ma announcement] would (probably) make the switch on 2015-07-19 go
 # from 03:00 to 04:00 rather than from 02:00 to 03:00, as in the patch....
 # I think the patch is correct and the quoted text is wrong; the text in
-#  agrees
+#  agrees
 # with the patch.
 
 # From Paul Eggert (2015-06-08):
@@ -960,9 +960,17 @@ Link Africa/Maputo Africa/Kigali	# Rwanda
 Link Africa/Maputo Africa/Lubumbashi	# E Dem. Rep. of Congo
 Link Africa/Maputo Africa/Lusaka	# Zambia
 
+
 # Namibia
-# The 1994-04-03 transition is from Shanks & Pottenger.
-# Shanks & Pottenger report no DST after 1998-04; go with IATA.
+
+# From Arthur David Olson (2017-08-09):
+# The text of the "Namibia Time Act, 1994" is available online at
+# www.lac.org.na/laws/1994/811.pdf
+# and includes this nugget:
+# Notwithstanding the provisions of subsection (2) of section 1, the
+# first winter period after the commencement of this Act shall
+# commence at OOhOO on Monday 21 March 1994 and shall end at 02h00 on
+# Sunday 4 September 1994.
 
 # From Petronella Sibeene (2007-03-30):
 # http://allafrica.com/stories/200703300178.html
@@ -978,19 +986,30 @@ Link Africa/Maputo Africa/Lusaka	# Zambia
 # observes Botswana time, we have no details about historical practice.
 # In the meantime people there can use Africa/Gaborone.
 # See: Immanuel S. The Namibian. 2017-02-23.
-# http://www.namibian.com.na/51480/read/Time-change-divides-lawmakers
+# https://www.namibian.com.na/51480/read/Time-change-divides-lawmakers
+
+# From Steffen Thorsen (2017-08-09):
+# Namibia is going to change their time zone to what is now their DST:
+# https://www.newera.com.na/2017/02/23/namibias-winter-time-might-be-repealed/
+# This video is from the government decision:
+# https://www.nbc.na/news/na-passes-namibia-time-bill-repealing-1994-namibia-time-act.8665
+# We have made the assumption so far that they will change their time zone at
+# the same time they would normally start DST, the first Sunday in September:
+# https://www.timeanddate.com/news/time/namibia-new-time-zone.html
 
 # RULE	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Namibia	1994	max	-	Sep	Sun>=1	2:00	1:00	S
-Rule	Namibia	1995	max	-	Apr	Sun>=1	2:00	0	-
+Rule	Namibia	1994	only	-	Mar	21	0:00	0	-
+Rule	Namibia	1994	2016	-	Sep	Sun>=1	2:00	1:00	S
+Rule	Namibia	1995	2017	-	Apr	Sun>=1	2:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Windhoek	1:08:24 -	LMT	1892 Feb 8
 			1:30	-	+0130	1903 Mar
 			2:00	-	SAST	1942 Sep 20  2:00
 			2:00	1:00	SAST	1943 Mar 21  2:00
 			2:00	-	SAST	1990 Mar 21 # independence
-			2:00	-	CAT	1994 Apr  3
-			1:00	Namibia	WA%sT
+			2:00	-	CAT	1994 Mar 21  0:00
+			1:00	Namibia	WA%sT	2017 Sep  3  2:00
+			2:00	-	CAT
 
 # Niger
 # See Africa/Lagos.
@@ -1077,14 +1096,24 @@ Link Africa/Johannesburg Africa/Mbabane    # Swaziland
 # no information
 
 # Sudan
-#
+
 # From 
 # Sudan News Agency (2000-01-13),
 # also reported by Michaël De Beukelaer-Dossche via Steffen Thorsen:
 # Clocks will be moved ahead for 60 minutes all over the Sudan as of noon
 # Saturday....  This was announced Thursday by Caretaker State Minister for
 # Manpower Abdul-Rahman Nur-Eddin.
+
+# From Ahmed Atyya, National Telecommunications Corp. (NTC), Sudan (2017-10-17):
+# ... the Republic of Sudan is going to change the time zone from (GMT+3:00)
+# to (GMT+ 2:00) starting from Wednesday 1 November 2017.
 #
+# From Paul Eggert (2017-10-18):
+# A scanned copy (in Arabic) of Cabinet Resolution No. 352 for the
+# year 2017 can be found as an attachment in email today from Yahia
+# Abdalla of NTC, archived at:
+# https://mm.icann.org/pipermail/tz/2017-October/025333.html
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Sudan	1970	only	-	May	 1	0:00	1:00	S
 Rule	Sudan	1970	1985	-	Oct	15	0:00	0	-
@@ -1093,10 +1122,14 @@ Rule	Sudan	1972	1985	-	Apr	lastSun	0:00	1:00	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Khartoum	2:10:08 -	LMT	1931
 			2:00	Sudan	CA%sT	2000 Jan 15 12:00
-			3:00	-	EAT
+			3:00	-	EAT	2017 Nov  1
+			2:00	-	CAT
 
 # South Sudan
-Link Africa/Khartoum Africa/Juba
+# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
+Zone	Africa/Juba	2:06:28 -	LMT	1931
+			2:00	Sudan	CA%sT	2000 Jan 15 12:00
+			3:00	-	EAT
 
 # Swaziland
 # See Africa/Johannesburg.
@@ -1134,11 +1167,11 @@ Link Africa/Khartoum Africa/Juba
 # According to several news sources, Tunisia will not observe DST this year.
 # (Arabic)
 # http://www.elbashayer.com/?page=viewn&nid=42546
-# http://www.babnet.net/kiwidetail-15295.asp
+# https://www.babnet.net/kiwidetail-15295.asp
 #
 # We have also confirmed this with the US embassy in Tunisia.
 # We have a wrap-up about this on the following page:
-# http://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
+# https://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to Tunis Afrique Presse News Agency
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/antarctica b/jdk/test/sun/util/calendar/zi/tzdata/antarctica
index c88c0b4107..c78ef7ed50 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/antarctica
+++ b/jdk/test/sun/util/calendar/zi/tzdata/antarctica
@@ -49,7 +49,7 @@
 # Heard Island, McDonald Islands (uninhabited)
 #	previously sealers and scientific personnel wintered
 #	Margaret Turner reports
-#	http://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
+#	https://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
 #	(1999-09-30) that they're UT +05, with no DST;
 #	presumably this is when they have visitors.
 #
@@ -70,7 +70,7 @@
 # http://www.aad.gov.au/default.asp?casid=37079
 #
 # We have more background information here:
-# http://www.timeanddate.com/news/time/antarctica-new-times.html
+# https://www.timeanddate.com/news/time/antarctica-new-times.html
 
 # From Steffen Thorsen (2010-03-10):
 # We got these changes from the Australian Antarctic Division: ...
@@ -85,7 +85,7 @@
 # - Mawson station stays on UTC+5.
 #
 # Background:
-# http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
+# https://www.timeanddate.com/news/time/antartica-time-changes-2010.html
 
 # From Steffen Thorsen (2016-10-28):
 # Australian Antarctica Division informed us that Casey changed time
@@ -168,7 +168,7 @@ Zone Indian/Kerguelen	0	-	-00	1950 # Port-aux-Français
 #
 # year-round base in the main continent
 # Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
-#  (2005-12-05)
+#  (2005-12-05)
 #
 # Another base at Port-Martin, 50km east, began operation in 1947.
 # It was destroyed by fire on 1952-01-14.
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/asia b/jdk/test/sun/util/calendar/zi/tzdata/asia
index 306a2aa8bc..71f5d0cfc8 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/asia
+++ b/jdk/test/sun/util/calendar/zi/tzdata/asia
@@ -49,7 +49,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # For Russian data circa 1919, a source is:
 # Byalokoz EL. New Counting of Time in Russia since July 1, 1919.
@@ -98,8 +98,8 @@ Rule E-EurAsia	1996	max	-	Oct	lastSun	 0:00	0	-
 Rule RussiaAsia	1981	1984	-	Apr	1	 0:00	1:00	S
 Rule RussiaAsia	1981	1983	-	Oct	1	 0:00	0	-
 Rule RussiaAsia	1984	1995	-	Sep	lastSun	 2:00s	0	-
-Rule RussiaAsia	1985	2011	-	Mar	lastSun	 2:00s	1:00	S
-Rule RussiaAsia	1996	2011	-	Oct	lastSun	 2:00s	0	-
+Rule RussiaAsia	1985	2010	-	Mar	lastSun	 2:00s	1:00	S
+Rule RussiaAsia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 
 # Afghanistan
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -132,13 +132,17 @@ Zone	Asia/Kabul	4:36:48 -	LMT	1890
 # or
 # (brief)
 # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html
+# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
+Rule Armenia	2011	only	-	Mar	lastSun	 2:00s	1:00	S
+Rule Armenia	2011	only	-	Oct	lastSun	 2:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
 			3:00	-	+03	1957 Mar
 			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
 			3:00 RussiaAsia	+03/+04	1995 Sep 24  2:00s
 			4:00	-	+04	1997
-			4:00 RussiaAsia	+04/+05
+			4:00 RussiaAsia	+04/+05	2011
+			4:00	Armenia	+04/+05
 
 # Azerbaijan
 
@@ -150,7 +154,7 @@ Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
 # From Steffen Thorsen (2016-03-17):
 # ... the Azerbaijani Cabinet of Ministers has cancelled switching to
 # daylight saving time....
-# http://www.azernews.az/azerbaijan/94137.html
+# https://www.azernews.az/azerbaijan/94137.html
 # http://vestnikkavkaza.net/news/Azerbaijani-Cabinet-of-Ministers-cancels-daylight-saving-time.html
 # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html
 
@@ -191,11 +195,11 @@ Zone	Asia/Baku	3:19:24 -	LMT	1924 May  2
 # the 19th and 20th, and they have not set the end date yet.
 #
 # Some sources:
-# http://in.reuters.com/article/southAsiaNews/idINIndia-40017620090601
+# https://in.reuters.com/article/southAsiaNews/idINIndia-40017620090601
 # http://bdnews24.com/details.php?id=85889&cid=2
 #
 # Our wrap-up:
-# http://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.html
+# https://www.timeanddate.com/news/time/bangladesh-daylight-saving-2009.html
 
 # From A. N. M. Kamrus Saadat (2009-06-15):
 # Finally we've got the official mail regarding DST start time where DST start
@@ -281,9 +285,15 @@ Zone	Asia/Brunei	7:39:40 -	LMT	1926 Mar # Bandar Seri Begawan
 
 # Milne says 6:24:40 was the meridian of the time ball observatory at Rangoon.
 
+# From Paul Eggert (2017-04-20):
+# Page 27 of Reed & Low (cited for Asia/Kolkata) says "Rangoon local time is
+# used upon the railways and telegraphs of Burma, and is 6h. 24m. 47s. ahead
+# of Greenwich."  This refers to the period before Burma's transition to +0630,
+# a transition for which Shanks is the only source.
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Yangon	6:24:40 -	LMT	1880        # or Rangoon
-			6:24:40	-	RMT	1920        # Rangoon Mean Time?
+Zone	Asia/Yangon	6:24:47 -	LMT	1880        # or Rangoon
+			6:24:47	-	RMT	1920        # Rangoon local time
 			6:30	-	+0630	1942 May
 			9:00	-	+09	1945 May  3
 			6:30	-	+0630
@@ -340,7 +350,7 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 #
 # From Jesper Nørgaard Welen (2006-07-14):
 # I have investigated the timezones around 1970 on the
-# http://www.astro.com/atlas site [with provinces and county
+# https://www.astro.com/atlas site [with provinces and county
 # boundaries summarized below]....  A few other exceptions were two
 # counties on the Sichuan side of the Xizang-Sichuan border,
 # counties Dege and Baiyu which lies on the Sichuan side and are
@@ -492,7 +502,7 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 
 # From David Cochrane (2014-03-26):
 # Just a confirmation that Ürümqi time was implemented in Ürümqi on 1 Feb 1986:
-# http://content.time.com/time/magazine/article/0,9171,960684,00.html
+# https://content.time.com/time/magazine/article/0,9171,960684,00.html
 
 # From Luther Ma (2014-04-22):
 # I have interviewed numerous people of various nationalities and from
@@ -649,7 +659,7 @@ Zone	Asia/Hong_Kong	7:36:42 -	LMT	1904 Oct 30
 # (both in Okinawa) adopt the Western Standard Time which is based on
 # 120E. The adoption began from Jan 1, 1896. The original text can be
 # found on Wikisource:
-# http://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
+# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
 # ... This could be the first adoption of time zone in Taiwan, because
 # during the Qing Dynasty, it seems that there was no time zone
 # declared officially.
@@ -662,7 +672,7 @@ Zone	Asia/Hong_Kong	7:36:42 -	LMT	1904 Oct 30
 # territory, including later occupations, adopt Japan Central Time
 # (UTC+9). The adoption began on Oct 1, 1937. The original text can
 # be found on Wikisource:
-# http://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
+# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 #
 # That is, the time zone of Taipei switched to UTC+9 on Oct 1, 1937.
 
@@ -798,6 +808,12 @@ Zone	Asia/Macau	7:34:20 -	LMT	1912 Jan  1
 # Looks like the time zone split in Cyprus went through last night.
 # http://cyprus-mail.com/2016/10/30/cyprus-new-division-two-time-zones-now-reality/
 
+# From Paul Eggert (2017-10-18):
+# Northern Cyprus will reinstate winter time on October 29, thus
+# staying in sync with the rest of Cyprus.  See: Anastasiou A.
+# Cyprus to remain united in time.  Cyprus Mail 2017-10-17.
+# https://cyprus-mail.com/2017/10/17/cyprus-remain-united-time/
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Cyprus	1975	only	-	Apr	13	0:00	1:00	S
 Rule	Cyprus	1975	only	-	Oct	12	0:00	0	-
@@ -815,7 +831,8 @@ Zone	Asia/Nicosia	2:13:28 -	LMT	1921 Nov 14
 Zone	Asia/Famagusta	2:15:48	-	LMT	1921 Nov 14
 			2:00	Cyprus	EE%sT	1998 Sep
 			2:00	EUAsia	EE%sT	2016 Sep  8
-			3:00	-	+03
+			3:00	-	+03	2017 Oct 29 1:00u
+			2:00	EUAsia	EE%sT
 
 # Classically, Cyprus belongs to Asia; e.g. see Herodotus, Histories, I.72.
 # However, for various reasons many users expect to find it under Europe.
@@ -875,7 +892,7 @@ Zone	Asia/Tbilisi	2:59:11 -	LMT	1880
 
 # From João Carrascalão, brother of the former governor of East Timor, in
 # East Timor may be late for its millennium
-#  (1999-12-26/31):
+#  (1999-12-26/31):
 # Portugal tried to change the time forward in 1974 because the sun
 # rises too early but the suggestion raised a lot of problems with the
 # Timorese and I still don't think it would work today because it
@@ -903,21 +920,62 @@ Zone	Asia/Dili	8:22:20 -	LMT	1912 Jan  1
 # India
 
 # From Ian P. Beacock, in "A brief history of (modern) time", The Atlantic
-# http://www.theatlantic.com/technology/archive/2015/12/the-creation-of-modern-time/421419/
+# https://www.theatlantic.com/technology/archive/2015/12/the-creation-of-modern-time/421419/
 # (2015-12-22):
 # In January 1906, several thousand cotton-mill workers rioted on the
 # outskirts of Bombay....  They were protesting the proposed abolition of
 # local time in favor of Indian Standard Time....  Journalists called this
 # dispute the "Battle of the Clocks."  It lasted nearly half a century.
 
+# From Paul Eggert (2017-04-20):
+# Good luck trying to nail down old timekeeping records in India.
+# "... in the nineteenth century ... Madras Observatory took its magnetic
+# measurements on Göttingen time, its meteorological measurements on Madras
+# (local) time, dropped its time ball on Greenwich (ocean navigator's) time,
+# and distributed civil (local time)." -- Bartky IR. Selling the true time:
+# 19th-century timekeeping in america. Stanford U Press (2000), 247 note 19.
+# "A more potent cause of resistance to the general adoption of the present
+# standard time lies in the fact that it is Madras time.  The citizen of
+# Bombay, proud of being 'primus in Indis' and of Calcutta, equally proud of
+# his city being the Capital of India, and - for a part of the year - the Seat
+# of the Supreme Government, alike look down on Madras, and refuse to change
+# the time they are using, for that of what they regard as a benighted
+# Presidency; while Madras, having for long given the standard time to the
+# rest of India, would resist the adoption of any other Indian standard in its
+# place." -- Oldham RD. On Time in India: a suggestion for its improvement.
+# Proceedings of the Asiatic Society of Bengal (April 1899), 49-55.
+#
+# "In 1870 ... Madras time - 'now used by the telegraph and regulated from the
+# only government observatory' - was suggested as a standard railway time,
+# first to be adopted on the Great Indian Peninsular Railway (GIPR)....
+# Calcutta, Bombay, and Karachi, were to be allowed to continue with their
+# local time for civil purposes." - Prasad R. Tracks of Change: Railways and
+# Everyday Life in Colonial India. Cambridge University Press (2016), 145.
+#
+# Reed S, Low F. The Indian Year Book 1936-37. Bennett, Coleman, pp 27-8.
+# https://archive.org/details/in.ernet.dli.2015.282212
+# This lists +052110 as Madras local time used in railways, and says that on
+# 1906-01-01 railways and telegraphs in India switched to +0530.  Some
+# municipalities retained their former time, and the time in Calcutta
+# continued to depend on whether you were at the railway station or at
+# government offices.  Government time was at +055320 (according to Shanks) or
+# at +0554 (according to the Indian Year Book).  Railway time is more
+# appropriate for our purposes, as it was better documented, it is what we do
+# elsewhere (e.g., Europe/London before 1880), and after 1906 it was
+# consistent in the region now identified by Asia/Kolkata.  So, use railway
+# time for 1870-1941.  Shanks is our only (and dubious) source for the
+# 1941-1945 data.
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Kolkata	5:53:28 -	LMT	1880        # Kolkata
-			5:53:20	-	HMT	1941 Oct    # Howrah Mean Time?
-			6:30	-	+0630	1942 May 15
+Zone	Asia/Kolkata	5:53:28 -	LMT	1854 Jun 28 # Kolkata
+			5:53:20	-	HMT	1870	    # Howrah Mean Time?
+			5:21:10	-	MMT	1906 Jan  1 # Madras local time
+			5:30	-	IST	1941 Oct
+			5:30	1:00	+0630	1942 May 15
 			5:30	-	IST	1942 Sep
 			5:30	1:00	+0630	1945 Oct 15
 			5:30	-	IST
-# The following are like Asia/Kolkata:
+# Since 1970 the following are like Asia/Kolkata:
 #	Andaman Is
 #	Lakshadweep (Laccadive, Minicoy and Amindivi Is)
 #	Nicobar Is
@@ -1059,7 +1117,7 @@ Zone Asia/Jayapura	9:22:48 -	LMT	1932 Nov
 # From Reuters (2007-09-16), with a heads-up from Jesper Nørgaard Welen:
 # ... the Guardian Council ... approved a law on Sunday to re-introduce
 # daylight saving time ...
-# http://uk.reuters.com/article/oilRpt/idUKBLA65048420070916
+# https://uk.reuters.com/article/oilRpt/idUKBLA65048420070916
 #
 # From Roozbeh Pournader (2007-11-05):
 # This is quoted from Official Gazette of the Islamic Republic of
@@ -1158,7 +1216,7 @@ Zone	Asia/Tehran	3:25:44	-	LMT	1916
 # http://www.aswataliraq.info/look/article.tpl?id=2047&IdLanguage=17&IdPublication=4&NrArticle=71743&NrIssue=1&NrSection=10
 #
 # We have published a short article in English about the change:
-# http://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
+# https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Iraq	1982	only	-	May	1	0:00	1:00	D
@@ -1466,12 +1524,12 @@ Rule	Japan	1950	1951	-	May	Sun>=1	2:00	1:00	D
 # From Yu-Cheng Chuang (2013-07-12):
 # ...the Meiji Emperor announced Ordinance No. 167 of Meiji Year 28 "The clause
 # about standard time" ... The adoption began from Jan 1, 1896.
-# http://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
+# https://ja.wikisource.org/wiki/標準時ニ關スル件_(公布時)
 #
 # ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which
 # means the whole Japan territory, including later occupations, adopt Japan
 # Central Time (UTC+9). The adoption began on Oct 1, 1937.
-# http://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
+# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
@@ -1533,7 +1591,7 @@ Zone	Asia/Tokyo	9:18:59	-	LMT	1887 Dec 31 15:00u
 # Official, in Arabic:
 # http://www.petra.gov.jo/public_news/Nws_NewsDetails.aspx?Menu_ID=&Site_Id=2&lang=1&NewsID=133230&CatID=14
 # ... Our background/permalink about it
-# http://www.timeanddate.com/news/time/jordan-reverses-dst-decision.html
+# https://www.timeanddate.com/news/time/jordan-reverses-dst-decision.html
 # ...
 # http://www.petra.gov.jo/Public_News/Nws_NewsDetails.aspx?lang=2&site_id=1&NewsID=133313&Type=P
 # ... says midnight for the coming one and 1:00 for the ones in the future
@@ -1891,9 +1949,9 @@ Zone	Asia/Bishkek	4:58:24 -	LMT	1924 May  2
 # between 1987 and 1988 ...
 
 # From Sanghyuk Jung (2014-10-29):
-# http://mm.icann.org/pipermail/tz/2014-October/021830.html
+# https://mm.icann.org/pipermail/tz/2014-October/021830.html
 # According to the Korean Wikipedia
-# http://ko.wikipedia.org/wiki/한국_표준시
+# https://ko.wikipedia.org/wiki/한국_표준시
 # [oldid=12896437 2014-09-04 08:03 UTC]
 # DST in Republic of Korea was as follows....  And I checked old
 # newspapers in Korean, all articles correspond with data in Wikipedia.
@@ -2115,7 +2173,7 @@ Zone	Indian/Maldives	4:54:00 -	LMT	1880 # Male
 # +08:00 instead. Different sources appear to disagree with the tz
 # database on this, e.g.:
 #
-# http://www.timeanddate.com/worldclock/city.html?n=1026
+# https://www.timeanddate.com/worldclock/city.html?n=1026
 # http://www.worldtimeserver.com/current_time_in_MN.aspx
 #
 # both say GMT+08:00.
@@ -2245,7 +2303,7 @@ Zone	Asia/Kathmandu	5:41:16 -	LMT	1920
 # help reduce load shedding by approving the closure of commercial centres at
 # 9pm and moving clocks forward by one hour for the next three months. ...."
 #
-# http://www.worldtimezone.net/dst_news/dst_news_pakistan01.html
+# http://www.worldtimezone.com/dst_news/dst_news_pakistan01.html
 # http://www.dailytimes.com.pk/default.asp?page=2008%5C05%5C15%5Cstory_15-5-2008_pg1_4
 
 # From Arthur David Olson (2008-05-19):
@@ -2311,7 +2369,7 @@ Zone	Asia/Kathmandu	5:41:16 -	LMT	1920
 #
 # We have confirmed this year's end date with both with the Ministry of
 # Water and Power and the Pakistan Electric Power Company:
-# http://www.timeanddate.com/news/time/pakistan-ends-dst09.html
+# https://www.timeanddate.com/news/time/pakistan-ends-dst09.html
 
 # From Christoph Göhre (2009-10-01):
 # [T]he German Consulate General in Karachi reported me today that Pakistan
@@ -2493,7 +2551,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # We are not sure if Gaza will do the same, last year they had a different
 # end date, we will keep this page updated:
-# http://www.timeanddate.com/news/time/westbank-gaza-dst-2009.html
+# https://www.timeanddate.com/news/time/westbank-gaza-dst-2009.html
 
 # From Alexander Krivenyshev (2009-09-02):
 # Seems that Gaza Strip will go back to Winter Time same date as West Bank.
@@ -2531,7 +2589,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # the clocks were set back one hour at 2010-08-11 00:00:00 local time in
 # Gaza and the West Bank.
 # Some more background info:
-# http://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
+# https://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html
 
 # From Steffen Thorsen (2011-08-26):
 # Gaza and the West Bank did go back to standard time in the beginning of
@@ -2541,7 +2599,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # http://www.maannews.net/eng/ViewDetails.aspx?ID=416217
 # Additional info:
-# http://www.timeanddate.com/news/time/palestine-dst-2011.html
+# https://www.timeanddate.com/news/time/palestine-dst-2011.html
 
 # From Alexander Krivenyshev (2011-08-27):
 # According to the article in The Jerusalem Post:
@@ -2551,7 +2609,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # The Hamas government said on Saturday that it won't observe summertime after
 # the Muslim feast of Id al-Fitr, which begins on Tuesday..."
 # ...
-# http://www.jpost.com/MiddleEast/Article.aspx?id=235650
+# https://www.jpost.com/MiddleEast/Article.aspx?id=235650
 # http://www.worldtimezone.com/dst_news/dst_news_gazastrip05.html
 # The rules for Egypt are stolen from the 'africa' file.
 
@@ -2572,7 +2630,7 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 # http://safa.ps/details/news/74352/%D8%A8%D8%AF%D8%A1-%D8%A7%D9%84%D8%AA%D9%88%D9%82%D9%8A%D8%AA-%D8%A7%D9%84%D8%B5%D9%8A%D9%81%D9%8A-%D8%A8%D8%A7%D9%84%D8%B6%D9%81%D8%A9-%D9%88%D8%BA%D8%B2%D8%A9-%D9%84%D9%8A%D9%84%D8%A9-%D8%A7%D9%84%D8%AC%D9%85%D8%B9%D8%A9.html
 #
 # Our brief summary:
-# http://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html
+# https://www.timeanddate.com/news/time/gaza-west-bank-dst-2012.html
 
 # From Steffen Thorsen (2013-03-26):
 # The following news sources tells that Palestine will "start daylight saving
@@ -2592,11 +2650,11 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 
 # From Steffen Thorsen (2015-03-03):
 # Sources such as http://www.alquds.com/news/article/view/id/548257
-# and http://www.raya.ps/ar/news/890705.html say Palestine areas will
+# and https://www.raya.ps/ar/news/890705.html say Palestine areas will
 # start DST on 2015-03-28 00:00 which is one day later than expected.
 #
 # From Paul Eggert (2015-03-03):
-# http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
+# https://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
 # says that the fall 2014 transition was Oct 23 at 24:00.
 
 # From Hannah Kreitem (2016-03-09):
@@ -2620,8 +2678,8 @@ Zone	Asia/Karachi	4:28:12 -	LMT	1907
 #
 # From Paul Eggert (2016-10-19):
 # It's also consistent with predictions in the following URLs today:
-# http://www.timeanddate.com/time/change/gaza-strip/gaza
-# http://www.timeanddate.com/time/change/west-bank/hebron
+# https://www.timeanddate.com/time/change/gaza-strip/gaza
+# https://www.timeanddate.com/time/change/west-bank/hebron
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
@@ -2684,7 +2742,7 @@ Zone	Asia/Hebron	2:20:23	-	LMT	1900 Oct
 # Philippines, issued a proclamation announcing that 1844-12-30 was to
 # be immediately followed by 1845-01-01; see R.H. van Gent's
 # History of the International Date Line
-# http://www.staff.science.uu.nl/~gent0113/idl/idl_philippines.htm
+# https://www.staff.science.uu.nl/~gent0113/idl/idl_philippines.htm
 # The rest of the data entries are from Shanks & Pottenger.
 
 # From Jesper Nørgaard Welen (2006-04-26):
@@ -2948,7 +3006,7 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
 # We have not found any sources saying anything about when DST ends this year.
 #
 # Our summary
-# http://www.timeanddate.com/news/time/syria-dst-starts-march-27-2009.html
+# https://www.timeanddate.com/news/time/syria-dst-starts-march-27-2009.html
 
 # From Steffen Thorsen (2009-10-27):
 # The Syrian Arab News Network on 2009-09-29 reported that Syria will
@@ -2975,7 +3033,7 @@ Rule	Syria	2007	only	-	Nov	 Fri>=1	0:00	0	-
 # http://www.sana.sy/ara/2/2012/03/26/408215.htm
 #
 # Our brief summary:
-# http://www.timeanddate.com/news/time/syria-dst-2012.html
+# https://www.timeanddate.com/news/time/syria-dst-2012.html
 
 # From Arthur David Olson (2012-03-27):
 # Assume last Friday in March going forward XXX.
@@ -3058,7 +3116,7 @@ Zone	Asia/Tashkent	4:37:11 -	LMT	1924 May  2
 # is quoted verbatim in:
 # http://www.thoigian.com.vn/?mPage=P80D01
 # is translated by Brian Inglis in:
-# http://mm.icann.org/pipermail/tz/2014-October/021654.html
+# https://mm.icann.org/pipermail/tz/2014-October/021654.html
 # and is the basis for the information below.
 #
 # The 1906 transition was effective July 1 and standardized Indochina to
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/australasia b/jdk/test/sun/util/calendar/zi/tzdata/australasia
index db7e7f7bcb..6726ef3381 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/australasia
+++ b/jdk/test/sun/util/calendar/zi/tzdata/australasia
@@ -316,7 +316,7 @@ Zone	Indian/Cocos	6:27:40	-	LMT	1900
 # http://www.fiji.gov.fj/index.php?option=com_content&view=article&id=1096:3310-cabinet-approves-change-in-daylight-savings-dates&catid=49:cabinet-releases&Itemid=166
 #
 # A bit more background info here:
-# http://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.html
+# https://www.timeanddate.com/news/time/fiji-dst-ends-march-2010.html
 
 # From Alexander Krivenyshev (2010-10-24):
 # According to Radio Fiji and Fiji Times online, Fiji will end DST 3
@@ -380,9 +380,12 @@ Zone	Indian/Cocos	6:27:40	-	LMT	1900
 # clocks go forward an hour at 2am to 3am....  Daylight Saving will
 # end at 3.00am on Sunday 15th January 2017."
 
-# From Paul Eggert (2016-10-03):
-# For now, guess DST from 02:00 the first Sunday in November to
-# 03:00 the third Sunday in January.  Although ad hoc, it matches
+# From Paul Eggert (2017-08-21):
+# Dominic Fok writes (2017-08-20) that DST ends 2018-01-14, citing
+# Extraordinary Government of Fiji Gazette Supplement No. 21 (2017-08-27),
+# [Legal Notice No. 41] of an order of the previous day by J Usamate.
+# For now, guess DST from 02:00 the first Sunday in November to 03:00
+# the first Sunday on or after January 14.  Although ad hoc, it matches
 # transitions since late 2014 and seems more likely to match future
 # practice than guessing no DST.
 
@@ -396,7 +399,7 @@ Rule	Fiji	2011	only	-	Mar	Sun>=1	3:00	0	-
 Rule	Fiji	2012	2013	-	Jan	Sun>=18	3:00	0	-
 Rule	Fiji	2014	only	-	Jan	Sun>=18	2:00	0	-
 Rule	Fiji	2014	max	-	Nov	Sun>=1	2:00	1:00	S
-Rule	Fiji	2015	max	-	Jan	Sun>=15	3:00	0	-
+Rule	Fiji	2015	max	-	Jan	Sun>=14	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Fiji	11:55:44 -	LMT	1915 Oct 26 # Suva
 			12:00	Fiji	+12/+13
@@ -580,7 +583,7 @@ Zone Pacific/Port_Moresby 9:48:40 -	LMT	1880
 # The World War II entries below are instead based on Arawa-Kieta.
 # The Japanese occupied Kieta in July 1942,
 # according to the Pacific War Online Encyclopedia
-# http://pwencycl.kgbudge.com/B/o/Bougainville.htm
+# https://pwencycl.kgbudge.com/B/o/Bougainville.htm
 # and seem to have controlled it until their 1945-08-21 surrender.
 #
 # The Autonomous Region of Bougainville switched from UT +10 to +11
@@ -602,7 +605,7 @@ Zone Pacific/Pitcairn	-8:40:20 -	LMT	1901        # Adamstown
 			-8:00	-	-08
 
 # American Samoa
-Zone Pacific/Pago_Pago	 12:37:12 -	LMT	1879 Jul  5
+Zone Pacific/Pago_Pago	 12:37:12 -	LMT	1892 Jul  5
 			-11:22:48 -	LMT	1911
 			-11:00	-	SST	            # S=Samoa
 Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
@@ -618,7 +621,7 @@ Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
 # Sunday of April 2011."
 #
 # Background info:
-# http://www.timeanddate.com/news/time/samoa-dst-plan-2009.html
+# https://www.timeanddate.com/news/time/samoa-dst-plan-2009.html
 #
 # Samoa's Daylight Saving Time Act 2009 is available here, but does not
 # contain any dates:
@@ -682,7 +685,7 @@ Rule	WS	2011	only	-	Sep	lastSat	3:00	1	D
 Rule	WS	2012	max	-	Apr	Sun>=1	4:00	0	S
 Rule	WS	2012	max	-	Sep	lastSun	3:00	1	D
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Pacific/Apia	 12:33:04 -	LMT	1879 Jul  5
+Zone Pacific/Apia	 12:33:04 -	LMT	1892 Jul  5
 			-11:26:56 -	LMT	1911
 			-11:30	-	-1130	1950
 			-11:00	WS	-11/-10	2011 Dec 29 24:00
@@ -709,7 +712,7 @@ Zone Pacific/Guadalcanal 10:39:48 -	LMT	1912 Oct # Honiara
 # From Paul Eggert (2012-07-25)
 # A Google Books snippet of Appendix to the Journals of the House of
 # Representatives of New Zealand, Session 1948,
-# , page 65, says Tokelau
+# , page 65, says Tokelau
 # was "11 hours slow on G.M.T."  Go with Thorsen and assume Shanks & Pottenger
 # are off by an hour starting in 1901.
 
@@ -724,8 +727,8 @@ Rule	Tonga	1999	only	-	Oct	 7	2:00s	1:00	S
 Rule	Tonga	2000	only	-	Mar	19	2:00s	0	-
 Rule	Tonga	2000	2001	-	Nov	Sun>=1	2:00	1:00	S
 Rule	Tonga	2001	2002	-	Jan	lastSun	2:00	0	-
-Rule	Tonga	2016	max	-	Nov	Sun>=1	2:00	1:00	S
-Rule	Tonga	2017	max	-	Jan	Sun>=15	3:00	0	-
+Rule	Tonga	2016	only	-	Nov	Sun>=1	2:00	1:00	S
+Rule	Tonga	2017	only	-	Jan	Sun>=15	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Pacific/Tongatapu	12:19:20 -	LMT	1901
 			12:20	-	+1220	1941
@@ -779,7 +782,7 @@ Zone Pacific/Funafuti	11:56:52 -	LMT	1901
 # Operation Fishbowl shot (Tightrope, 1962-11-04).... [See] Herman Hoerlin,
 # "The United States High-Altitude Test Experience: A Review Emphasizing the
 # Impact on the Environment", Los Alamos LA-6405, Oct 1976.
-# http://www.fas.org/sgp/othergov/doe/lanl/docs1/00322994.pdf
+# https://www.fas.org/sgp/othergov/doe/lanl/docs1/00322994.pdf
 # See the table on page 4 where he lists GMT and local times for the tests; a
 # footnote for the JI tests reads that local time is "JI time = Hawaii Time
 # Minus One Hour".
@@ -845,7 +848,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # A reliable and entertaining source about time zones is
 # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997).
@@ -992,7 +995,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #   AEST ACST AWST AEDT ACDT
 #
 #   Parliamentary Library (2008-11-10)
-#   http://www.aph.gov.au/binaries/library/pubs/rp/2008-09/09rp14.pdf
+#   https://www.aph.gov.au/binaries/library/pubs/rp/2008-09/09rp14.pdf
 #   EST CST WST preferred for standard time; AEST AEDT ACST ACDT also used
 #
 #   The Transport Safety Bureau has an extensive series of accident reports,
@@ -1028,13 +1031,13 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 #
 # NSW (including LHI and Broken Hill):
 # Standard Time Act 1987 (updated 1995-04-04)
-# http://www.austlii.edu.au/au/legis/nsw/consol_act/sta1987137/index.html
+# https://www.austlii.edu.au/au/legis/nsw/consol_act/sta1987137/index.html
 # ACT
 # Standard Time and Summer Time Act 1972
-# http://www.austlii.edu.au/au/legis/act/consol_act/stasta1972279/index.html
+# https://www.austlii.edu.au/au/legis/act/consol_act/stasta1972279/index.html
 # SA
 # Standard Time Act, 1898
-# http://www.austlii.edu.au/au/legis/sa/consol_act/sta1898137/index.html
+# https://www.austlii.edu.au/au/legis/sa/consol_act/sta1898137/index.html
 
 # From David Grosz (2005-06-13):
 # It was announced last week that Daylight Saving would be extended by
@@ -1329,7 +1332,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # http://abc.net.au/news/regionals/neweng/monthly/regeng-22jul1999-1.htm
 # (1999-07-22).  For now, we'll wait to see if this really happens.
 #
-# Victoria will following NSW.  See:
+# Victoria will follow NSW.  See:
 # Vic to extend daylight saving (1999-07-28)
 # http://abc.net.au/local/news/olympics/1999/07/item19990728112314_1.htm
 #
@@ -1432,7 +1435,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # the ACT for all 52 weeks of the year...
 #
 # We have a wrap-up here:
-# http://www.timeanddate.com/news/time/south-australia-extends-dst.html
+# https://www.timeanddate.com/news/time/south-australia-extends-dst.html
 ###############################################################################
 
 # New Zealand
@@ -1486,7 +1489,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # From Paul Eggert (2014-07-14):
 # Chatham Island time was formally standardized on 1957-01-01 by
 # New Zealand's Standard Time Amendment Act 1956 (1956-10-26).
-# http://www.austlii.edu.au/nz/legis/hist_act/staa19561956n100244.pdf
+# https://www.austlii.edu.au/nz/legis/hist_act/staa19561956n100244.pdf
 # According to Google Books snippet view, a speaker in the New Zealand
 # parliamentary debates in 1956 said "Clause 78 makes provision for standard
 # time in the Chatham Islands.  The time there is 45 minutes in advance of New
@@ -1601,7 +1604,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # the Norfolk Island Museum and the Australian Bureau of Meteorology's
 # Norfolk Island station, and found no record of Norfolk observing DST
 # other than in 1974/5.  See:
-# http://www.timeanddate.com/time/australia/norfolk-island.html
+# https://www.timeanddate.com/time/australia/norfolk-island.html
 
 # Pitcairn
 
@@ -1629,11 +1632,13 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 
 # (Western) Samoa and American Samoa
 
-# Howse writes (p 153, citing p 10 of the 1883-11-18 New York Herald)
-# that in 1879 the King of Samoa decided to change
+# Howse writes (p 153) that after the 1879 standardization on Antipodean
+# time by the British governor of Fiji, the King of Samoa decided to change
 # "the date in his kingdom from the Antipodean to the American system,
 # ordaining - by a masterpiece of diplomatic flattery - that
 # the Fourth of July should be celebrated twice in that year."
+# This happened in 1892, according to the Evening News (Sydney) of 1892-07-20.
+# https://www.staff.science.uu.nl/~gent0113/idl/idl.htm
 
 # Although Shanks & Pottenger says they both switched to UT -11:30
 # in 1911, and to -11 in 1950. many earlier sources give -11
@@ -1644,6 +1649,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # day in 2011.  Assume also that the Samoas follow the US and New
 # Zealand's "ST"/"DT" style of daylight-saving abbreviations.
 
+
 # Tonga
 
 # From Paul Eggert (1996-01-22):
@@ -1738,6 +1744,15 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # Assume Tonga will observe DST from the first Sunday in November at 02:00
 # through the third Sunday in January at 03:00, like Fiji, for now.
 
+# From David Wade (2017-10-18):
+# In August government was disolved by the King.  The current prime minister
+# continued in office in care taker mode.  It is easy to see that few
+# decisions will be made until elections 16th November.
+#
+# From Paul Eggert (2017-10-18):
+# For now, guess that DST is discontinued.  That's what the IATA is guessing.
+
+
 # Wake
 
 # From Vernice Anderson, Personal Secretary to Philip Jessup,
@@ -1750,7 +1765,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # making calculation of time in Washington difficult if not almost
 # impossible.
 #
-# http://www.trumanlibrary.org/wake/meeting.htm
+# https://www.trumanlibrary.org/oralhist/andrsonv.htm
 
 # From Paul Eggert (2003-03-23):
 # We have no other report of DST in Wake Island, so omit this info for now.
@@ -1778,7 +1793,7 @@ Zone	Pacific/Wallis	12:15:20 -	LMT	1901
 # an international standard, there are some places on the high seas where the
 # correct date is ambiguous.
 
-# From Wikipedia  (2005-08-31):
+# From Wikipedia  (2005-08-31):
 # Before 1920, all ships kept local apparent time on the high seas by setting
 # their clocks at night or at the morning sight so that, given the ship's
 # speed and direction, it would be 12 o'clock when the Sun crossed the ship's
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/backward b/jdk/test/sun/util/calendar/zi/tzdata/backward
index b4cf3be2d3..fca4ed1881 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/backward
+++ b/jdk/test/sun/util/calendar/zi/tzdata/backward
@@ -84,7 +84,9 @@ Link	America/Sao_Paulo	Brazil/East
 Link	America/Manaus		Brazil/West
 Link	America/Halifax		Canada/Atlantic
 Link	America/Winnipeg	Canada/Central
-Link	America/Regina		Canada/East-Saskatchewan
+# This line is commented out, as the name exceeded the 14-character limit
+# and was an unused misnomer.
+#Link	America/Regina		Canada/East-Saskatchewan
 Link	America/Toronto		Canada/Eastern
 Link	America/Edmonton	Canada/Mountain
 Link	America/St_Johns	Canada/Newfoundland
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/europe b/jdk/test/sun/util/calendar/zi/tzdata/europe
index 0d8a40e4f3..6359279d2f 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/europe
+++ b/jdk/test/sun/util/calendar/zi/tzdata/europe
@@ -60,14 +60,14 @@
 #	[PDF] (1914-03)
 #
 #	Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94
-#	.  He writes:
+#	.  He writes:
 #	"It is requested that corrections and additions to these tables
 #	may be sent to Mr. John Milne, Royal Geographical Society,
 #	Savile Row, London."  Nowadays please email them to tz@iana.org.
 #
 #	Byalokoz EL. New Counting of Time in Russia since July 1, 1919.
 #	This Russian-language source was consulted by Vladimir Karpinsky; see
-#	http://mm.icann.org/pipermail/tz/2014-August/021320.html
+#	https://mm.icann.org/pipermail/tz/2014-August/021320.html
 #	The full Russian citation is:
 #	Бялокоз, Евгений Людвигович. Новый счет времени в течении суток
 #	введенный декретом Совета народных комиссаров для всей России с 1-го
@@ -210,7 +210,7 @@
 # foundations of civilization throughout the world.
 #	-- "A Silent Toast to William Willett", Pictorial Weekly;
 #	republished in Finest Hour (Spring 2002) 1(114):26
-#	http://www.winstonchurchill.org/images/finesthour/Vol.01%20No.114.pdf
+#	https://www.winstonchurchill.org/publications/finest-hour/finest-hour-114/a-silent-toast-to-william-willett-by-winston-s-churchill
 
 # From Paul Eggert (2015-08-08):
 # The OED Supplement says that the English originally said "Daylight Saving"
@@ -248,8 +248,8 @@
 # official designation; the reply of the 21st was that there wasn't
 # but he couldn't think of anything better than the "Double British
 # Summer Time" that the BBC had been using informally.
-# http://www.polyomino.org.uk/british-time/bbc-19410418.png
-# http://www.polyomino.org.uk/british-time/ho-19410421.png
+# https://www.polyomino.org.uk/british-time/bbc-19410418.png
+# https://www.polyomino.org.uk/british-time/ho-19410421.png
 
 # From Sir Alexander Maxwell in the above-mentioned letter (1941-04-21):
 # [N]o official designation has as far as I know been adopted for the time
@@ -266,13 +266,13 @@
 # the history of summer time legislation in the United Kingdom.
 # Since 1998 Joseph S. Myers has been updating
 # and extending this list, which can be found in
-# http://www.polyomino.org.uk/british-time/
+# https://www.polyomino.org.uk/british-time/
 
 # From Joseph S. Myers (1998-01-06):
 #
 # The legal time in the UK outside of summer time is definitely GMT, not UTC;
 # see Lord Tanlaw's speech
-# http://www.publications.parliament.uk/pa/ld199798/ldhansrd/vo970611/text/70611-10.htm#70611-10_head0
+# https://www.publications.parliament.uk/pa/ld199798/ldhansrd/vo970611/text/70611-10.htm#70611-10_head0
 # (Lords Hansard 11 June 1997 columns 964 to 976).
 
 # From Paul Eggert (2006-03-22):
@@ -318,7 +318,7 @@
 # Irish 'public feeling (was) outraged by forcing of English time on us'."
 # -- Parsons M. Dublin lost its time zone - and 25 minutes - after 1916 Rising.
 # Irish Times 2014-10-27.
-# http://www.irishtimes.com/news/politics/dublin-lost-its-time-zone-and-25-minutes-after-1916-rising-1.1977411
+# https://www.irishtimes.com/news/politics/dublin-lost-its-time-zone-and-25-minutes-after-1916-rising-1.1977411
 
 # From Joseph S. Myers (2005-01-26):
 # Irish laws are available online at .
@@ -371,6 +371,12 @@
 # Justice (tel +353 1 678 9711) who confirmed to me that the correct name is
 # "Irish Summer Time", abbreviated to "IST".
 
+# Michael Deckers (2017-06-01) gave the following URLs for Ireland's
+# Summer Time Act, 1925 and Summer Time Orders, 1926 and 1947:
+# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print.html
+# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print.html
+# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print.html
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 # Summer Time Act, 1916
 Rule	GB-Eire	1916	only	-	May	21	2:00s	1:00	BST
@@ -495,14 +501,14 @@ Link	Europe/London	Europe/Isle_of_Man
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Dublin	-0:25:00 -	LMT	1880 Aug  2
-			-0:25:21 -	DMT	1916 May 21  2:00 # Dublin MT
+			-0:25:21 -	DMT	1916 May 21  2:00s # Dublin MT
 			-0:25:21 1:00	IST	1916 Oct  1  2:00s
 			 0:00	GB-Eire	%s	1921 Dec  6 # independence
-			 0:00	GB-Eire	GMT/IST	1940 Feb 25  2:00
-			 0:00	1:00	IST	1946 Oct  6  2:00
-			 0:00	-	GMT	1947 Mar 16  2:00
-			 0:00	1:00	IST	1947 Nov  2  2:00
-			 0:00	-	GMT	1948 Apr 18  2:00
+			 0:00	GB-Eire	GMT/IST	1940 Feb 25  2:00s
+			 0:00	1:00	IST	1946 Oct  6  2:00s
+			 0:00	-	GMT	1947 Mar 16  2:00s
+			 0:00	1:00	IST	1947 Nov  2  2:00s
+			 0:00	-	GMT	1948 Apr 18  2:00s
 			 0:00	GB-Eire	GMT/IST	1968 Oct 27
 			 1:00	-	IST	1971 Oct 31  2:00u
 			 0:00	GB-Eire	GMT/IST	1996
@@ -648,7 +654,7 @@ Rule	Russia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 # Council of Ministers of the USSR from 1989-03-14 No. 227.
 #
 # I did not find full texts of these acts.  For the 1989 one we have
-# title at http://base.garant.ru/70754136/ :
+# title at https://base.garant.ru/70754136/ :
 # "About change in calculation of time on the territories of
 # Lithuanian SSR, Latvian SSR and Estonian SSR, Astrakhan,
 # Kaliningrad, Kirov, Kuybyshev, Ulyanovsk and Uralsk oblasts".
@@ -679,7 +685,7 @@ Rule	Russia	1996	2010	-	Oct	lastSun	 2:00s	0	-
 # http://bmockbe.ru/events/?ID=7583
 #
 # Medvedev signed a law on the calculation of the time (in russian):
-# http://www.regnum.ru/news/polit/1413906.html
+# https://www.regnum.ru/news/polit/1413906.html
 
 # From Arthur David Olson (2011-06-15):
 # Take "abolishing daylight saving time" to mean that time is now considered
@@ -806,7 +812,7 @@ Zone	Europe/Vienna	1:05:21 -	LMT	1893 Apr
 # Sources (Russian language):
 # http://www.belta.by/ru/all_news/society/V-Belarusi-otmenjaetsja-perexod-na-sezonnoe-vremja_i_572952.html
 # http://naviny.by/rubrics/society/2011/09/16/ic_articles_116_175144/
-# http://news.tut.by/society/250578.html
+# https://news.tut.by/society/250578.html
 #
 # From Alexander Bokovoy (2014-10-09):
 # Belarussian government decided against changing to winter time....
@@ -1127,7 +1133,7 @@ Zone America/Thule	-4:35:08 -	LMT	1916 Jul 28 # Pituffik air base
 # for their standard and summer times. He says no, they use "suveaeg"
 # (summer time) and "talveaeg" (winter time).
 
-# From The Baltic Times  (1999-09-09)
+# From The Baltic Times  (1999-09-09)
 # via Steffen Thorsen:
 # This year will mark the last time Estonia shifts to summer time,
 # a council of the ruling coalition announced Sept. 6....
@@ -1179,7 +1185,7 @@ Zone	Europe/Tallinn	1:39:00	-	LMT	1880
 # This is documented in Heikki Oja: Aikakirja 2007, published by The Almanac
 # Office of University of Helsinki, ISBN 952-10-3221-9, available online (in
 # Finnish) at
-# http://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf
+# https://almanakka.helsinki.fi/aikakirja/Aikakirja2007kokonaan.pdf
 #
 # Page 105 (56 in PDF version) has a handy table of all past daylight savings
 # transitions. It is easy enough to interpret without Finnish skills.
@@ -1192,7 +1198,7 @@ Zone	Europe/Tallinn	1:39:00	-	LMT	1880
 
 # From Konstantin Hyppönen (2014-06-13):
 # [Heikki Oja's book Aikakirja 2013]
-# http://almanakka.helsinki.fi/images/aikakirja/Aikakirja2013kokonaan.pdf
+# https://almanakka.helsinki.fi/images/aikakirja/Aikakirja2013kokonaan.pdf
 # pages 104-105, including a scan from a newspaper published on Apr 2 1942
 # say that ... [o]n Apr 2 1942, 24 o'clock (which means Apr 3 1942,
 # 00:00), clocks were moved one hour forward. The newspaper
@@ -1322,7 +1328,7 @@ Zone	Europe/Paris	0:09:21 -	LMT	1891 Mar 15  0:01
 
 # From Jörg Schilling (2002-10-23):
 # In 1945, Berlin was switched to Moscow Summer time (GMT+4) by
-# http://www.dhm.de/lemo/html/biografien/BersarinNikolai/
+# https://www.dhm.de/lemo/html/biografien/BersarinNikolai/
 # General [Nikolai] Bersarin.
 
 # From Paul Eggert (2003-03-08):
@@ -1547,7 +1553,7 @@ Zone Atlantic/Reykjavik	-1:28	-	LMT	1908
 # From Paul Eggert (2016-10-27):
 # Go with INRiM for DST rules, except as corrected by Inglis for 1944
 # for the Kingdom of Italy.  This is consistent with Renzo Baldini.
-# Model Rome's occupation by using using C-Eur rules from 1943-09-10
+# Model Rome's occupation by using C-Eur rules from 1943-09-10
 # to 1944-06-04; although Rome was an open city during this period, it
 # was effectively controlled by Germany.
 #
@@ -1862,14 +1868,14 @@ Zone	Europe/Malta	0:58:04 -	LMT	1893 Nov  2  0:00s # Valletta
 # Following Moldova and neighboring Ukraine- Transnistria (Pridnestrovie)-
 # Tiraspol will go back to winter time on October 30, 2011.
 # News from Moldova (in russian):
-# http://ru.publika.md/link_317061.html
+# https://ru.publika.md/link_317061.html
 
 # From Roman Tudos (2015-07-02):
 # http://lex.justice.md/index.php?action=view&view=doc&lang=1&id=355077
 # From Paul Eggert (2015-07-01):
 # The abovementioned official link to IGO1445-868/2014 states that
 # 2014-10-26's fallback transition occurred at 03:00 local time.  Also,
-# http://www.trm.md/en/social/la-30-martie-vom-trece-la-ora-de-vara
+# https://www.trm.md/en/social/la-30-martie-vom-trece-la-ora-de-vara
 # says the 2014-03-30 spring-forward transition was at 02:00 local time.
 # Guess that since 1997 Moldova has switched one hour before the EU.
 
@@ -1941,7 +1947,7 @@ Zone	Europe/Monaco	0:29:32 -	LMT	1891 Mar 15
 # Amsterdam mean time.
 
 # The data entries before 1945 are taken from
-# http://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
+# https://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Neth	1916	only	-	May	 1	0:00	1:00	NST	# Netherlands Summer Time
@@ -2022,7 +2028,7 @@ Zone	Europe/Oslo	0:43:00 -	LMT	1895 Jan  1
 # so it must have diverged from Oslo time during the war, as Oslo was
 # keeping Berlin time.
 #
-#  says that the meteorologists
+#  says that the meteorologists
 # burned down their station in 1940 and left the island, but returned in
 # 1941 with a small Norwegian garrison and continued operations despite
 # frequent air attacks from Germans.  In 1943 the Americans established a
@@ -2060,7 +2066,7 @@ Rule	Poland	1945	only	-	Apr	29	0:00	1:00	S
 Rule	Poland	1945	only	-	Nov	 1	0:00	0	-
 # For 1946 on the source is Kazimierz Borkowski,
 # Toruń Center for Astronomy, Dept. of Radio Astronomy, Nicolaus Copernicus U.,
-# http://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1
+# https://www.astro.uni.torun.pl/~kb/Artykuly/U-PA/Czas2.htm#tth_tAb1
 # Thanks to Przemysław Augustyniak (2005-05-28) for this reference.
 # He also gives these further references:
 # Mon Pol nr 13, poz 162 (1995) 
@@ -2094,7 +2100,7 @@ Zone	Europe/Warsaw	1:24:00 -	LMT	1880
 #
 # From Paul Eggert (2014-08-11), after a heads-up from Stephen Colebourne:
 # According to a Portuguese decree (1911-05-26)
-# http://dre.pt/pdf1sdip/1911/05/12500/23132313.pdf
+# https://dre.pt/application/dir/pdf1sdip/1911/05/12500/23132313.pdf
 # Lisbon was at -0:36:44.68, but switched to GMT on 1912-01-01 at 00:00.
 # Round the old offset to -0:36:45.  This agrees with Willett but disagrees
 # with Shanks, who says the transition occurred on 1911-05-24 at 00:00 for
@@ -2276,7 +2282,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # 2011 No. 725" and contains no other dates or "effective date" information.
 #
 # Another source is
-# http://www.rg.ru/2011/09/06/chas-zona-dok.html
+# https://rg.ru/2011/09/06/chas-zona-dok.html
 # which, according to translate.google.com, begins "Resolution of the
 # Government of the Russian Federation on August 31, 2011 N 725" and also
 # contains "Date first official publication: September 6, 2011 Posted on:
@@ -2284,7 +2290,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # does not contain any "effective date" information.
 #
 # Another source is
-# http://en.wikipedia.org/wiki/Oymyakonsky_District#cite_note-RuTime-7
+# https://en.wikipedia.org/wiki/Oymyakonsky_District#cite_note-RuTime-7
 # which, in note 8, contains "Resolution No. 725 of August 31, 2011...
 # Effective as of after 7 days following the day of the official publication"
 # but which does not contain any reference to September 6, 2011.
@@ -2320,7 +2326,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # http://itar-tass.com/obschestvo/1333711
 # http://www.pravo.gov.ru:8080/page.aspx?111660
 # http://www.kremlin.ru/acts/46279
-# From October 26, 2014 the new Russian time zone map will looks like this:
+# From October 26, 2014 the new Russian time zone map will look like this:
 # http://www.worldtimezone.com/dst_news/dst_news_russia-map-2014-07.html
 
 # From Paul Eggert (2006-03-22):
@@ -2367,7 +2373,7 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # with maintenance only and represent our best guesses as to which regions
 # are covered by each zone.  They are not meant to be taken as an authoritative
 # listing.  The region codes listed come from
-# http://en.wikipedia.org/w/?title=Federal_subjects_of_Russia&oldid=611810498
+# https://en.wikipedia.org/w/?title=Federal_subjects_of_Russia&oldid=611810498
 # and are used for convenience only; no guarantees are made regarding their
 # future stability.  ISO 3166-2:RU codes are also listed for first-level
 # divisions where available.
@@ -2532,7 +2538,7 @@ Zone Europe/Kaliningrad	 1:22:00 -	LMT	1893 Apr
 # http://www.kaliningradka.ru/site_pc/cherez/index.php?ELEMENT_ID=40091
 # says that Kaliningrad decided not to be an exception 2 days before the
 # 1991-03-31 switch and one person at
-# http://izhevsk.ru/forum_light_message/50/682597-m8369040.html
+# https://izhevsk.ru/forum_light_message/50/682597-m8369040.html
 # says he remembers that Samara opted out of the 1992-01-19 exception
 # 2 days before the switch.
 #
@@ -2604,7 +2610,7 @@ Zone Europe/Simferopol	 2:16:24 -	LMT	1880
 			 3:00	-	MSK	1997 Mar lastSun  1:00u
 # From Alexander Krivenyshev (2014-03-17):
 # time change at 2:00 (2am) on March 30, 2014
-# http://vz.ru/news/2014/3/17/677464.html
+# https://vz.ru/news/2014/3/17/677464.html
 # From Paul Eggert (2014-03-30):
 # Simferopol and Sevastopol reportedly changed their central town clocks
 # late the previous day, but this appears to have been ceremonial
@@ -2787,7 +2793,7 @@ Zone Asia/Omsk		 4:53:30 -	LMT	1919 Nov 14
 # suggests that Altai Republic transitioned to Moscow+3 on
 # 1995-05-28.
 #
-# http://regnum.ru/news/society/1957270.html
+# https://regnum.ru/news/society/1957270.html
 # has some historical data for Altai Krai:
 # before 1957: west part on UTC+6, east on UTC+7
 # after 1957: UTC+7
@@ -3161,8 +3167,8 @@ Zone Asia/Magadan	10:03:12 -	LMT	1924 May  2
 # districts, but have very similar populations.  In fact, Wikipedia currently
 # lists them both as having 3528 people, exactly 1668 males and 1860 females
 # each!  (Yikes!)
-# http://en.wikipedia.org/w/?title=Srednekolymsky_District&oldid=603435276
-# http://en.wikipedia.org/w/?title=Verkhnekolymsky_District&oldid=594378493
+# https://en.wikipedia.org/w/?title=Srednekolymsky_District&oldid=603435276
+# https://en.wikipedia.org/w/?title=Verkhnekolymsky_District&oldid=594378493
 # Assume this is a mistake, albeit an amusing one.
 #
 # Looking at censuses, the populations of the two municipalities seem to have
@@ -3483,7 +3489,7 @@ Zone Europe/Stockholm	1:12:12 -	LMT	1879 Jan  1
 #
 # From Alois Treindl (2013-09-11):
 # The Federal regulations say
-# http://www.admin.ch/opc/de/classified-compilation/20071096/index.html
+# https://www.admin.ch/opc/de/classified-compilation/20071096/index.html
 # ... the meridian for Bern mean time ... is 7 degrees 26' 22.50".
 # Expressed in time, it is 0h29m45.5s.
 
@@ -3560,9 +3566,9 @@ Zone	Europe/Zurich	0:34:08 -	LMT	1853 Jul 16 # See above comment.
 # According to the articles linked below, Turkey will change into summer
 # time zone (GMT+3) on March 28, 2011 at 3:00 a.m. instead of March 27.
 # This change is due to a nationwide exam on 27th.
-# http://www.worldbulletin.net/?aType=haber&ArticleID=70872
+# https://www.worldbulletin.net/?aType=haber&ArticleID=70872
 # Turkish:
-# http://www.hurriyet.com.tr/ekonomi/17230464.asp?gid=373
+# https://www.hurriyet.com.tr/yaz-saati-uygulamasi-bir-gun-ileri-alindi-17230464
 
 # From Faruk Pasin (2014-02-14):
 # The DST for Turkey has been changed for this year because of the
@@ -3698,7 +3704,7 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
 # http://www.segodnya.ua/news/14290482.html
 #
 # Deputies cancelled the winter time (in Russian)
-# http://www.pravda.com.ua/rus/news/2011/09/20/6600616/
+# https://www.pravda.com.ua/rus/news/2011/09/20/6600616/
 #
 # From Philip Pizzey (2011-10-18):
 # Today my Ukrainian colleagues have informed me that the
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/leapseconds b/jdk/test/sun/util/calendar/zi/tzdata/leapseconds
index 3823c9abc4..9b4ec9ad47 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/leapseconds
+++ b/jdk/test/sun/util/calendar/zi/tzdata/leapseconds
@@ -26,19 +26,18 @@
 # This file is in the public domain.
 
 # This file is generated automatically from the data in the public-domain
-# leap-seconds.list file available from most NIST time servers.
-# If the URL  does not work,
-# you should be able to pick up leap-seconds.list from a secondary NIST server.
-# See  for a list of secondary servers.
+# leap-seconds.list file, which is copied from:
+# ftp://ftp.nist.gov/pub/time/leap-seconds.list
 # For more about leap-seconds.list, please see
 # The NTP Timescale and Leap Seconds
-# http://www.eecis.udel.edu/~mills/leap.html
+# https://www.eecis.udel.edu/~mills/leap.html
 
 # The International Earth Rotation and Reference Systems Service
 # periodically uses leap seconds to keep UTC to within 0.9 s of UT1
 # (which measures the true angular orientation of the earth in space); see
-# Terry J Quinn, The BIPM and the accurate measure of time,
-# Proc IEEE 79, 7 (July 1991), 894-905 .
+# Levine J. Coordinated Universal Time and the leap second.
+# URSI Radio Sci Bull. 2016;89(4):30-6. doi:10.23919/URSIRSB.2016.7909995
+# http://ieeexplore.ieee.org/document/7909995/
 # There were no leap seconds before 1972, because the official mechanism
 # accounting for the discrepancy between atomic time and the earth's rotation
 # did not exist until the early 1970s.
@@ -81,5 +80,5 @@ Leap	2012	Jun	30	23:59:60	+	S
 Leap	2015	Jun	30	23:59:60	+	S
 Leap	2016	Dec	31	23:59:60	+	S
 
-#	Updated through IERS Bulletin C53
-#	File expires on:  28 December 2017
+#	Updated through IERS Bulletin C54
+#	File expires on:  28 June 2018
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/northamerica b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
index d59d2705b9..99dcc938fa 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/northamerica
+++ b/jdk/test/sun/util/calendar/zi/tzdata/northamerica
@@ -128,10 +128,13 @@
 # Last night I heard part of a rebroadcast of a 1945 Arch Oboler radio drama.
 # In the introduction, Oboler spoke of "Eastern Peace Time."
 # An AltaVista search turned up:
-# http://rowayton.org/rhs/hstaug45.html
+# https://web.archive.org/web/20000926032210/http://rowayton.org/rhs/hstaug45.html
 # "When the time is announced over the radio now, it is 'Eastern Peace
 # Time' instead of the old familiar 'Eastern War Time.'  Peace is wonderful."
 # (August 1945) by way of confirmation.
+#
+# From Paul Eggert (2017-09-23):
+# This was the V-J Day issue of the Clamdigger, a Rowayton, CT newsletter.
 
 # From Joseph Gallant citing
 # George H. Douglas, _The Early Days of Radio Broadcasting_ (1987):
@@ -280,7 +283,7 @@ Zone	PST8PDT		 -8:00	US	P%sT
 # HST and HDT are standardized abbreviations for Hawaii-Aleutian
 # standard and daylight times.  See section 9.47 (p 234) of the
 # U.S. Government Printing Office Style Manual (2008)
-# http://www.gpo.gov/fdsys/pkg/GPO-STYLEMANUAL-2008/pdf/GPO-STYLEMANUAL-2008.pdf
+# https://www.gpo.gov/fdsys/pkg/GPO-STYLEMANUAL-2008/pdf/GPO-STYLEMANUAL-2008.pdf
 
 # From Arthur David Olson, 2005-08-09
 # The following was signed into law on 2005-08-08.
@@ -369,7 +372,7 @@ Zone America/New_York	-4:56:02 -	LMT	1883 Nov 18 12:03:58
 # western Tennessee, most of Texas, Wisconsin
 
 # From Larry M. Smith (2006-04-26) re Wisconsin:
-# http://www.legis.state.wi.us/statutes/Stat0175.pdf ...
+# https://docs.legis.wisconsin.gov/statutes/statutes/175.pdf
 # is currently enforced at the 01:00 time of change.  Because the local
 # "bar time" in the state corresponds to 02:00, a number of citations
 # are issued for the "sale of class 'B' alcohol after prohibited
@@ -378,7 +381,7 @@ Zone America/New_York	-4:56:02 -	LMT	1883 Nov 18 12:03:58
 # From Douglas R. Bomberg (2007-03-12):
 # Wisconsin has enacted (nearly eleventh-hour) legislation to get WI
 # Statue 175 closer in synch with the US Congress' intent....
-# http://www.legis.state.wi.us/2007/data/acts/07Act3.pdf
+# https://docs.legis.wisconsin.gov/2007/related/acts/3
 
 # From an email administrator of the City of Fort Pierre, SD (2015-12-21):
 # Fort Pierre is technically located in the Mountain time zone as is
@@ -425,7 +428,7 @@ Zone America/North_Dakota/New_Salem -6:45:39 - LMT	1883 Nov 18 12:14:21
 # ...it appears that Mercer County, North Dakota, changed from the
 # mountain time zone to the central time zone at the last transition from
 # daylight-saving to standard time (on Nov. 7, 2010):
-# http://www.gpo.gov/fdsys/pkg/FR-2010-09-29/html/2010-24376.htm
+# https://www.gpo.gov/fdsys/pkg/FR-2010-09-29/html/2010-24376.htm
 # http://www.bismarcktribune.com/news/local/article_1eb1b588-c758-11df-b472-001cc4c03286.html
 
 # From Andy Lipscomb (2011-01-24):
@@ -476,7 +479,7 @@ Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
 # legal time, and is not part of the data here.)  See:
 # Ross SA. An energy crisis from the past: Northern California in 1948.
 # Working Paper No. 8, Institute of Governmental Studies, UC Berkeley,
-# 1973-11.  http://escholarship.org/uc/item/8x22k30c
+# 1973-11.  https://escholarship.org/uc/item/8x22k30c
 #
 # In another measure to save electricity, DST was instituted from 1948-03-14
 # at 02:01 to 1949-01-16 at 02:00, with the governor having the option to move
@@ -497,8 +500,8 @@ Zone America/Denver	-6:59:56 -	LMT	1883 Nov 18 12:00:04
 # which established DST from April's last Sunday at 01:00 until September's
 # last Sunday at 02:00. This was amended by 1962's Proposition 6, which changed
 # the fall-back date to October's last Sunday. See:
-# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
-# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
+# https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
+# https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
 Rule	CA	1948	only	-	Mar	14	2:01	1:00	D
@@ -515,20 +518,31 @@ Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
 # Alaska
 # AK%sT is the modern abbreviation for -09 per USNO.
 #
-# From Paul Eggert (2001-05-30):
+# From Paul Eggert (2017-06-15):
 # Howse writes that Alaska switched from the Julian to the Gregorian calendar,
 # and from east-of-GMT to west-of-GMT days, when the US bought it from Russia.
-# This was on 1867-10-18, a Friday; the previous day was 1867-10-06 Julian,
-# also a Friday.  Include only the time zone part of this transition,
-# ignoring the switch from Julian to Gregorian, since we can't represent
-# the Julian calendar.
+# On Friday, 1867-10-18 (Gregorian), at precisely 15:30 local time, the
+# Russian forts and fleet at Sitka fired salutes to mark the ceremony of
+# formal transfer.  See the Sacramento Daily Union (1867-11-14), p 3, col 2.
+# https://cdnc.ucr.edu/cgi-bin/cdnc?a=d&d=SDU18671114.2.12.1
+# Sitka workers did not change their calendars until Sunday, 1867-10-20,
+# and so celebrated two Sundays that week.  See: Ahllund T (tr Hallamaa P).
+# From the memoirs of a Finnish workman. Alaska History. 2006 Fall;21(2):1-25.
+# http://alaskahistoricalsociety.org/wp-content/uploads/2016/12/Ahllund-2006-Memoirs-of-a-Finnish-Workman.pdf
+# Include only the time zone part of this transition, ignoring the switch
+# from Julian to Gregorian, since we can't represent the Julian calendar.
 #
-# As far as we know, none of the exact locations mentioned below were
+# As far as we know, of the locations mentioned below only Sitka was
 # permanently inhabited in 1867 by anyone using either calendar.
-# (Yakutat was colonized by the Russians in 1799, but the settlement
-# was destroyed in 1805 by a Yakutat-kon war party.)  However, there
-# were nearby inhabitants in some cases and for our purposes perhaps
-# it's best to simply use the official transition.
+# (Yakutat was colonized by the Russians in 1799, but the settlement was
+# destroyed in 1805 by a Yakutat-kon war party.)  Many of Alaska's inhabitants
+# were unaware of the US acquisition of Alaska, much less of any calendar or
+# time change.  However, the Russian-influenced part of Alaska did observe
+# Russian time, and it is more accurate to model this than to ignore it.
+# The database format requires an exact transition time; use the Russian
+# salute as a somewhat-arbitrary time for the formal transfer of control for
+# all of Alaska.  Sitka's UTC offset is -9:01:13; adjust its 15:30 to the
+# local times of other Alaskan locations so that they change simultaneously.
 
 # From Paul Eggert (2014-07-18):
 # One opinion of the early-1980s turmoil in Alaska over time zones and
@@ -581,10 +595,10 @@ Zone America/Los_Angeles -7:52:58 -	LMT	1883 Nov 18 12:07:02
 # It seems Metlakatla did go off PST on Sunday, November 1, changing
 # their time to AKST and are going to follow Alaska's DST, switching
 # between AKST and AKDT from now on....
-# http://www.krbd.org/2015/10/30/annette-island-times-they-are-a-changing/
+# https://www.krbd.org/2015/10/30/annette-island-times-they-are-a-changing/
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 18
+Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 19 15:33:32
 			 -8:57:41 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -594,7 +608,7 @@ Zone America/Juneau	 15:02:19 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 18
+Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 19 15:30
 			 -9:01:13 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -602,7 +616,7 @@ Zone America/Sitka	 14:58:47 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 18
+Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 19 15:44:55
 			 -8:46:18 -	LMT	1900 Aug 20 12:00
 			 -8:00	-	PST	1942
 			 -8:00	US	P%sT	1946
@@ -610,14 +624,14 @@ Zone America/Metlakatla	 15:13:42 -	LMT	1867 Oct 18
 			 -8:00	US	P%sT	1983 Oct 30  2:00
 			 -8:00	-	PST	2015 Nov  1  2:00
 			 -9:00	US	AK%sT
-Zone America/Yakutat	 14:41:05 -	LMT	1867 Oct 18
+Zone America/Yakutat	 14:41:05 -	LMT	1867 Oct 19 15:12:18
 			 -9:18:55 -	LMT	1900 Aug 20 12:00
 			 -9:00	-	YST	1942
 			 -9:00	US	Y%sT	1946
 			 -9:00	-	YST	1969
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 18
+Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 19 14:31:37
 			 -9:59:36 -	LMT	1900 Aug 20 12:00
 			-10:00	-	AST	1942
 			-10:00	US	A%sT	1967 Apr
@@ -625,7 +639,7 @@ Zone America/Anchorage	 14:00:24 -	LMT	1867 Oct 18
 			-10:00	US	AH%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Nome	 12:58:21 -	LMT	1867 Oct 18
+Zone America/Nome	 12:58:22 -	LMT	1867 Oct 19 13:29:35
 			-11:01:38 -	LMT	1900 Aug 20 12:00
 			-11:00	-	NST	1942
 			-11:00	US	N%sT	1946
@@ -634,7 +648,7 @@ Zone America/Nome	 12:58:21 -	LMT	1867 Oct 18
 			-11:00	US	B%sT	1983 Oct 30  2:00
 			 -9:00	US	Y%sT	1983 Nov 30
 			 -9:00	US	AK%sT
-Zone America/Adak	 12:13:21 -	LMT	1867 Oct 18
+Zone America/Adak	 12:13:22 -	LMT	1867 Oct 19 12:44:35
 			-11:46:38 -	LMT	1900 Aug 20 12:00
 			-11:00	-	NST	1942
 			-11:00	US	N%sT	1946
@@ -670,7 +684,7 @@ Zone America/Adak	 12:13:21 -	LMT	1867 Oct 18
 # "Hawaiian Time" by Robert C. Schmitt and Doak C. Cox appears on pages 207-225
 # of volume 26 of The Hawaiian Journal of History (1992). As of 2010-12-09,
 # the article is available at
-# http://evols.library.manoa.hawaii.edu/bitstream/10524/239/2/JL26215.pdf
+# https://evols.library.manoa.hawaii.edu/bitstream/10524/239/2/JL26215.pdf
 # and indicates that standard time was adopted effective noon, January
 # 13, 1896 (page 218), that in "1933, the Legislature decreed daylight
 # saving for the period between the last Sunday of each April and the
@@ -769,7 +783,7 @@ Zone America/Boise	-7:44:49 -	LMT	1883 Nov 18 12:15:11
 # Indiana
 #
 # For a map of Indiana's time zone regions, see:
-# http://en.wikipedia.org/wiki/Time_in_Indiana
+# https://en.wikipedia.org/wiki/Time_in_Indiana
 #
 # From Paul Eggert (2007-08-17):
 # Since 1970, most of Indiana has been like America/Indiana/Indianapolis,
@@ -996,7 +1010,7 @@ Zone America/Kentucky/Louisville -5:43:02 -	LMT	1883 Nov 18 12:16:58
 # From Paul Eggert (2001-07-16):
 # The final rule was published in the
 # Federal Register 65, 160 (2000-08-17), pp 50154-50158.
-# http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2000_register&docid=fr17au00-22
+# https://www.gpo.gov/fdsys/pkg/FR-2000-08-17/html/00-20854.htm
 #
 Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 			-6:00	US	C%sT	1946
@@ -1022,7 +1036,7 @@ Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 # West Wendover, NV officially switched from Pacific to mountain time on
 # 1999-10-31.  See the
 # Federal Register 64, 203 (1999-10-21), pp 56705-56707.
-# http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1999_register&docid=fr21oc99-15
+# https://www.gpo.gov/fdsys/pkg/FR-1999-10-21/html/99-27240.htm
 # However, the Federal Register says that West Wendover already operated
 # on mountain time, and the rule merely made this official;
 # hence a separate tz entry is not needed.
@@ -1052,12 +1066,23 @@ Zone America/Kentucky/Monticello -5:39:24 - LMT	1883 Nov 18 12:20:36
 # one hour in 1914."  This change is not in Shanks.  We have no more
 # info, so omit this for now.
 #
+# From Paul Eggert (2017-07-26):
+# Although Shanks says Detroit observed DST in 1967 from 06-14 00:01
+# until 10-29 00:01, I now see multiple reports that this is incorrect.
+# For example, according to a 50-year anniversary report about the 1967
+# Detroit riots and a major-league doubleheader on 1967-07-23, "By the time
+# the last fly ball of the doubleheader settled into the glove of leftfielder
+# Lenny Green, it was after 7 p.m.  Detroit did not observe daylight saving
+# time, so light was already starting to fail.  Twilight was made even deeper
+# by billowing columns of smoke that ascended in an unbroken wall north of the
+# ballpark."  See: Dow B. Detroit '67: As violence unfolded, Tigers played two
+# at home vs. Yankees. Detroit Free Press 2017-07-23.
+# https://www.freep.com/story/sports/mlb/tigers/2017/07/23/detroit-tigers-1967-riot-new-york-yankees/499951001/
+#
 # Most of Michigan observed DST from 1973 on, but was a bit late in 1975.
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
 Rule	Detroit	1948	only	-	Apr	lastSun	2:00	1:00	D
 Rule	Detroit	1948	only	-	Sep	lastSun	2:00	0	S
-Rule	Detroit	1967	only	-	Jun	14	2:00	1:00	D
-Rule	Detroit	1967	only	-	Oct	lastSun	2:00	0	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone America/Detroit	-5:32:11 -	LMT	1905
 			-6:00	-	CST	1915 May 15  2:00
@@ -1121,7 +1146,7 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 #	[PDF] (1914-03)
 #
 #	Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94
-#	.
+#	.
 #
 # See the 'europe' file for Greenland.
 
@@ -1167,19 +1192,19 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # The British Columbia government announced yesterday that it will
 # adjust daylight savings next year to align with changes in the
 # U.S. and the rest of Canada....
-# http://www2.news.gov.bc.ca/news_releases_2005-2009/2006AG0014-000330.htm
+# https://archive.news.gov.bc.ca/releases/news_releases_2005-2009/2006AG0014-000330.htm
 # ...
 # Nova Scotia
 # Daylight saving time will be extended by four weeks starting in 2007....
-# http://www.gov.ns.ca/just/regulations/rg2/2006/ma1206.pdf
+# https://www.novascotia.ca/just/regulations/rg2/2006/ma1206.pdf
 #
 # [For New Brunswick] the new legislation dictates that the time change is to
 # be done at 02:00 instead of 00:01.
-# http://www.gnb.ca/0062/acts/BBA-2006/Chap-19.pdf
+# https://www.gnb.ca/0062/acts/BBA-2006/Chap-19.pdf
 # ...
 # Manitoba has traditionally changed the clock every fall at 03:00.
 # As of 2006, the transition is to take place one hour earlier at 02:00.
-# http://web2.gov.mb.ca/laws/statutes/ccsm/o030e.php
+# https://web2.gov.mb.ca/laws/statutes/ccsm/o030e.php
 # ...
 # [Alberta, Ontario, Quebec] will follow US rules.
 # http://www.qp.gov.ab.ca/documents/spring/CH03_06.CFM
@@ -1193,7 +1218,7 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # http://www.hoa.gov.nl.ca/hoa/bills/Bill0634.htm
 # ...
 # Yukon
-# http://www.gov.yk.ca/legislation/regs/oic2006_127.pdf
+# https://www.gov.yk.ca/legislation/regs/oic2006_127.pdf
 # ...
 # N.W.T. will follow US rules.  Whoever maintains the government web site
 # does not seem to believe in bookmarks.  To see the news release, click the
@@ -1214,8 +1239,8 @@ Zone America/Menominee	-5:50:27 -	LMT	1885 Sep 18 12:00
 # time and daylight saving time arrangements in Canada circa 1998.
 #
 # National Research Council Canada maintains info about time zones and DST.
-# http://www.nrc-cnrc.gc.ca/eng/services/time/time_zones.html
-# http://www.nrc-cnrc.gc.ca/eng/services/time/faq/index.html#Q5
+# https://www.nrc-cnrc.gc.ca/eng/services/time/time_zones.html
+# https://www.nrc-cnrc.gc.ca/eng/services/time/faq/index.html#Q5
 # Its unofficial information is often taken from Matthews and Vincent.
 
 # From Paul Eggert (2006-06-27):
@@ -1252,11 +1277,13 @@ Rule	Canada	2007	max	-	Nov	Sun>=1	2:00	0	S
 
 # Newfoundland and Labrador
 
-# From Paul Eggert (2000-10-02):
-# Matthews and Vincent (1998) write that Labrador should use NST/NDT,
-# but the only part of Labrador that follows the rules is the
-# southeast corner, including Port Hope Simpson and Mary's Harbour,
-# but excluding, say, Black Tickle.
+# From Paul Eggert (2017-10-14):
+# Legally Labrador should observe Newfoundland time; see:
+# McLeod J. Labrador time - legal or not? St. John's Telegram, 2017-10-07
+# http://www.thetelegram.com/news/local/labrador-time--legal-or-not-154860/
+# Matthews and Vincent (1998) write that the only part of Labrador
+# that follows the rules is the southeast corner, including Port Hope
+# Simpson and Mary's Harbour, but excluding, say, Black Tickle.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	StJohns	1917	only	-	Apr	 8	2:00	1:00	D
@@ -1456,7 +1483,7 @@ Zone America/Moncton	-4:19:08 -	LMT	1883 Dec  9
 # http://www.justice.gouv.qc.ca/english/publications/generale/temps-minganie-a.htm
 # that the coastal strip from just east of Natashquan to Blanc-Sablon
 # observes Atlantic standard time all year round.
-# http://www.assnat.qc.ca/Media/Process.aspx?MediaId=ANQ.Vigie.Bll.DocumentGenerique_8845en
+# https://www.assnat.qc.ca/Media/Process.aspx?MediaId=ANQ.Vigie.Bll.DocumentGenerique_8845en
 # says this common practice was codified into law as of 2007.
 # For lack of better info, guess this practice began around 1970, contra to
 # Shanks & Pottenger who have this region observing AST/ADT.
@@ -1488,6 +1515,11 @@ Zone America/Blanc-Sablon -3:48:28 -	LMT	1884
 # earlier in June).
 #
 # Kenora, Ontario, was to abandon DST on 1914-06-01 (-05-21).
+#
+# From Paul Eggert (2017-07-08):
+# For more on Orillia, see: Daubs K. Bold attempt at daylight saving
+# time became a comic failure in Orillia. Toronto Star 2017-07-08.
+# https://www.thestar.com/news/insight/2017/07/08/bold-attempt-at-daylight-saving-time-became-a-comic-failure-in-orillia.html
 
 # From Paul Eggert (1997-10-17):
 # Mark Brader writes that an article in the 1997-10-14 Toronto Star
@@ -1979,7 +2011,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #	* 1967. Paragraph 28(34)(g) of the Interpretation Act, S.C. 1967-68,
 #	c. 7 defines Yukon standard time as UTC-9....
 #	see Interpretation Act, R.S.C. 1985, c. I-21, s. 35(1).
-#	[http://canlii.ca/t/7vhg]
+#	[https://www.canlii.org/en/ca/laws/stat/rsc-1985-c-i-21/latest/rsc-1985-c-i-21.html]
 #	* C.O. 1973/214 switched Yukon to PST on 1973-10-28 00:00.
 #	* O.I.C. 1980/02 established DST.
 #	* O.I.C. 1987/056 changed DST to Apr firstSun 2:00 to Oct lastSun 2:00.
@@ -2044,7 +2076,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #     hours behind Greenwich Time.
 #
 # * Yukon Standard Time defined as Pacific Standard Time, YCO 1973/214
-#   http://www.canlii.org/en/yk/laws/regu/yco-1973-214/latest/yco-1973-214.html
+#   https://www.canlii.org/en/yk/laws/regu/yco-1973-214/latest/yco-1973-214.html
 #   C.O. 1973/214 INTERPRETATION ACT ...
 #
 #     1. Effective October 28, 1973 Commissioner's Order 1967/59 is hereby
@@ -2059,7 +2091,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #   http://? - no online source found
 #
 # * Yukon Daylight Saving Time, YOIC 1987/56
-#   http://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
+#   https://www.canlii.org/en/yk/laws/regu/yoic-1987-56/latest/yoic-1987-56.html
 #   O.I.C. 1987/056 INTERPRETATION ACT ...
 #
 #   In every year between
@@ -2071,7 +2103,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #   Dated ... 9th day of March, A.D., 1987.
 #
 # * Yukon Daylight Saving Time 2006, YOIC 2006/127
-#   http://www.canlii.org/en/yk/laws/regu/yoic-2006-127/latest/yoic-2006-127.html
+#   https://www.canlii.org/en/yk/laws/regu/yoic-2006-127/latest/yoic-2006-127.html
 #   O.I.C. 2006/127 INTERPRETATION ACT ...
 #
 #     1. In Yukon each year the time for general purposes shall be 7 hours
@@ -2085,7 +2117,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 #     3. This order comes into force January 1, 2007.
 #
 # * Interpretation Act, RSY 2002, c 125
-# http://www.canlii.org/en/yk/laws/stat/rsy-2002-c-125/latest/rsy-2002-c-125.html
+# https://www.canlii.org/en/yk/laws/stat/rsy-2002-c-125/latest/rsy-2002-c-125.html
 
 # From Rives McDow (1999-09-04):
 # Nunavut ... moved ... to incorporate the whole territory into one time zone.
@@ -2128,7 +2160,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 
 # From Michaela Rodrigue, writing in the
 # Nunatsiaq News (1999-11-19):
-# http://www.nunatsiaq.com/archives/nunavut991130/nvt91119_17.html
+# http://www.nunatsiaqonline.ca/archives/nunavut991130/nvt91119_17.html
 # Clyde River, Pangnirtung and Sanikiluaq now operate with two time zones,
 # central - or Nunavut time - for government offices, and eastern time
 # for municipal offices and schools....  Igloolik [was similar but then]
@@ -2146,7 +2178,7 @@ Zone America/Creston	-7:46:04 -	LMT	1884
 # Central Time and Southampton Island [in the Central zone] is not
 # required to use daylight savings.
 
-# From 
+# From 
 # Nunavut now has two time zones (2000-11-10):
 # The Nunavut government would allow its employees in Kugluktuk and
 # Cambridge Bay to operate on central time year-round, putting them
@@ -2477,7 +2509,7 @@ Zone America/Dawson	-9:17:40 -	LMT	1900 Aug 20
 # http://gaceta.diputados.gob.mx/Gaceta/61/2009/dic/V2-101209.html
 #
 # Our page:
-# http://www.timeanddate.com/news/time/north-mexico-dst-change.html
+# https://www.timeanddate.com/news/time/north-mexico-dst-change.html
 
 # From Arthur David Olson (2010-01-20):
 # The page
@@ -2896,7 +2928,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.nnc.cubaweb.cu/marzo-2008/cien-1-11-3-08.htm
 #
 # Some more background information is posted here:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-march-16.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-march-16.html
 #
 # The article also says that Cuba has been observing DST since 1963,
 # while Shanks (and tzdata) has 1965 as the first date (except in the
@@ -2943,7 +2975,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://granma.co.cu/2011/03/08/nacional/artic01.html
 #
 # Our info:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-2011.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-2011.html
 #
 # From Steffen Thorsen (2011-10-30)
 # Cuba will end DST two weeks later this year. Instead of going back
@@ -2953,7 +2985,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.radioangulo.cu/noticias/cuba/17105-cuba-restablecera-el-horario-del-meridiano-de-greenwich.html
 #
 # Our page:
-# http://www.timeanddate.com/news/time/cuba-time-changes-2011.html
+# https://www.timeanddate.com/news/time/cuba-time-changes-2011.html
 #
 # From Steffen Thorsen (2012-03-01)
 # According to Radio Reloj, Cuba will start DST on Midnight between March
@@ -2963,7 +2995,7 @@ Zone America/Costa_Rica	-5:36:13 -	LMT	1890        # San José
 # http://www.radioreloj.cu/index.php/noticias-radio-reloj/71-miscelaneas/7529-cuba-aplicara-el-horario-de-verano-desde-el-1-de-abril
 #
 # Our info on it:
-# http://www.timeanddate.com/news/time/cuba-starts-dst-2012.html
+# https://www.timeanddate.com/news/time/cuba-starts-dst-2012.html
 
 # From Steffen Thorsen (2012-11-03):
 # Radio Reloj and many other sources report that Cuba is changing back
@@ -3158,8 +3190,8 @@ Zone America/Guatemala	-6:02:04 -	LMT	1918 Oct 5
 # From Steffen Thorsen (2016-03-12):
 # Jean Antoine, editor of www.haiti-reference.com informed us that Haiti
 # are not going on DST this year.  Several other resources confirm this: ...
-# http://www.radiotelevisioncaraibes.com/presse/heure_d_t_pas_de_changement_d_heure_pr_vu_pour_cet_ann_e.html
-# http://www.vantbefinfo.com/changement-dheure-pas-pour-haiti/
+# https://www.radiotelevisioncaraibes.com/presse/heure_d_t_pas_de_changement_d_heure_pr_vu_pour_cet_ann_e.html
+# https://www.vantbefinfo.com/changement-dheure-pas-pour-haiti/
 # http://news.anmwe.com/haiti-lheure-nationale-ne-sera-ni-avancee-ni-reculee-cette-annee/
 
 # From Steffen Thorsen (2017-03-12):
@@ -3358,7 +3390,7 @@ Zone America/Miquelon	-3:44:40 -	LMT	1911 May 15 # St Pierre
 # Turks and Caicos
 #
 # From Chris Dunn in
-# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415007
+# https://bugs.debian.org/415007
 # (2007-03-15): In the Turks & Caicos Islands (America/Grand_Turk) the
 # daylight saving dates for time changes have been adjusted to match
 # the recent U.S. change of dates.
@@ -3380,12 +3412,25 @@ Zone America/Miquelon	-3:44:40 -	LMT	1911 May 15 # St Pierre
 # "permanent daylight saving time" by one year....
 # http://tcweeklynews.com/time-change-to-go-ahead-this-november-p5437-127.htm
 #
+# From the Turks & Caicos Cabinet (2017-07-20), heads-up from Steffen Thorsen:
+# ... agreed to the reintroduction in TCI of Daylight Saving Time (DST)
+# during the summer months and Standard Time, also known as Local
+# Time, during the winter months with effect from April 2018 ...
+# https://www.gov.uk/government/news/turks-and-caicos-post-cabinet-meeting-statement--3
+#
+# From Paul Eggert (2017-08-26):
+# The date of effect of the spring 2018 change appears to be March 11,
+# which makes more sense.  See: Hamilton D. Time change back
+# by March 2018 for TCI. Magnetic Media. 2017-08-25.
+# http://magneticmediatv.com/2017/08/time-change-back-by-march-2018-for-tci/
+#
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone America/Grand_Turk	-4:44:32 -	LMT	1890
 			-5:07:11 -	KMT	1912 Feb # Kingston Mean Time
 			-5:00	-	EST	1979
 			-5:00	US	E%sT	2015 Nov Sun>=1 2:00
-			-4:00	-	AST
+			-4:00	-	AST	2018 Mar 11 3:00
+			-5:00	US	E%sT
 
 # British Virgin Is
 # Virgin Is
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/southamerica b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
index 44dbd95756..d15e8344db 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/southamerica
+++ b/jdk/test/sun/util/calendar/zi/tzdata/southamerica
@@ -45,7 +45,7 @@
 #
 # For data circa 1899, a common source is:
 # Milne J. Civil time. Geogr J. 1899 Feb;13(2):173-94.
-# http://www.jstor.org/stable/1774359
+# https://www.jstor.org/stable/1774359
 #
 # These tables use numeric abbreviations like -03 and -0330 for
 # integer hour and minute UTC offsets.  Although earlier editions used
@@ -288,8 +288,8 @@ Rule	Arg	2008	only	-	Oct	Sun>=15	0:00	1:00	S
 #
 # Es inminente que en San Luis atrasen una hora los relojes
 # (It is imminent in San Luis clocks one hour delay)
-# http://www.lagaceta.com.ar/nota/253414/Economia/Es-inminente-que-en-San-Luis-atrasen-una-hora-los-relojes.html
-# http://www.worldtimezone.net/dst_news/dst_news_argentina02.html
+# https://www.lagaceta.com.ar/nota/253414/Economia/Es-inminente-que-en-San-Luis-atrasen-una-hora-los-relojes.html
+# http://www.worldtimezone.com/dst_news/dst_news_argentina02.html
 
 # From Jesper Nørgaard Welen (2008-01-18):
 # The page of the San Luis provincial government
@@ -408,7 +408,7 @@ Rule	Arg	2008	only	-	Oct	Sun>=15	0:00	1:00	S
 # Perhaps San Luis operates on the legal fiction that it is at -04
 # with perpetual summer time, but ordinary usage typically seems to
 # just say it's at -03; see, for example,
-# http://es.wikipedia.org/wiki/Hora_oficial_argentina
+# https://es.wikipedia.org/wiki/Hora_oficial_argentina
 # We've documented similar situations as being plain changes to
 # standard time, so let's do that here too.  This does not change UTC
 # offsets, only tm_isdst and the time zone abbreviations.  One minor
@@ -739,7 +739,7 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 # (Portuguese)
 #
 # We have a written a short article about it as well:
-# http://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
+# https://www.timeanddate.com/news/time/brazil-dst-2008-2009.html
 #
 # From Alexander Krivenyshev (2011-10-04):
 # State Bahia will return to Daylight savings time this year after 8 years off.
@@ -748,7 +748,7 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 
 # In Portuguese:
 # http://g1.globo.com/bahia/noticia/2011/10/governador-jaques-wagner-confirma-horario-de-verao-na-bahia.html
-# http://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html
+# https://noticias.terra.com.br/brasil/noticias/0,,OI5390887-EI8139,00-Bahia+volta+a+ter+horario+de+verao+apos+oito+anos.html
 
 # From Guilherme Bernardes Rodrigues (2011-10-07):
 # There is news in the media, however there is still no decree about it.
@@ -774,16 +774,16 @@ Zone	America/La_Paz	-4:32:36 -	LMT	1890
 
 # From Rodrigo Severo (2012-10-16):
 # Tocantins state will have DST.
-# http://noticias.terra.com.br/brasil/noticias/0,,OI6232536-EI306.html
+# https://noticias.terra.com.br/brasil/noticias/0,,OI6232536-EI306.html
 
 # From Steffen Thorsen (2013-09-20):
 # Tocantins in Brazil is very likely not to observe DST from October....
 # http://conexaoto.com.br/2013/09/18/ministerio-confirma-que-tocantins-esta-fora-do-horario-de-verao-em-2013-mas-falta-publicacao-de-decreto
 # We will keep this article updated when this is confirmed:
-# http://www.timeanddate.com/news/time/brazil-starts-dst-2013.html
+# https://www.timeanddate.com/news/time/brazil-starts-dst-2013.html
 
 # From Steffen Thorsen (2013-10-17):
-# http://www.timeanddate.com/news/time/acre-amazonas-change-time-zone.html
+# https://www.timeanddate.com/news/time/acre-amazonas-change-time-zone.html
 # Senator Jorge Viana announced that Acre will change time zone on November 10.
 # He did not specify the time of the change, nor if western parts of Amazonas
 # will change as well.
@@ -1099,18 +1099,18 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
 # the following source, cited by Oscar van Vlijmen (2006-10-08):
 # [1] Chile Law
 # http://www.webexhibits.org/daylightsaving/chile.html
-# This contains a copy of a this official table:
+# This contains a copy of this official table:
 # Cambios en la hora oficial de Chile desde 1900 (retrieved 2008-03-30)
-# http://web.archive.org/web/20080330200901/http://www.horaoficial.cl/cambio.htm
+# https://web.archive.org/web/20080330200901/http://www.horaoficial.cl/cambio.htm
 # [1] needs several corrections, though.
 #
 # The first set of corrections is from:
 # [2] History of the Official Time of Chile
 # http://www.horaoficial.cl/ing/horaof_ing.html (retrieved 2012-03-06).  See:
-# http://web.archive.org/web/20120306042032/http://www.horaoficial.cl/ing/horaof_ing.html
+# https://web.archive.org/web/20120306042032/http://www.horaoficial.cl/ing/horaof_ing.html
 # This is an English translation of:
 # Historia de la hora oficial de Chile (retrieved 2012-10-24).  See:
-# http://web.archive.org/web/20121024234627/http://www.horaoficial.cl/horaof.htm
+# https://web.archive.org/web/20121024234627/http://www.horaoficial.cl/horaof.htm
 # A fancier Spanish version (requiring mouse-clicking) is at:
 # http://www.horaoficial.cl/historia_hora.html
 # Conflicts between [1] and [2] were resolved as follows:
@@ -1386,10 +1386,10 @@ Link	America/Curacao	America/Kralendijk	# Caribbean Netherlands
 # Milne says the Central and South American Telegraph Company used -5:24:15.
 #
 # From Alois Treindl (2016-12-15):
-# http://www.elcomercio.com/actualidad/hora-sixto-1993.html
+# https://www.elcomercio.com/actualidad/hora-sixto-1993.html
 # ... Whether the law applied also to Galápagos, I do not know.
 # From Paul Eggert (2016-12-15):
-# http://www.elcomercio.com/afull/modificacion-husohorario-ecuador-presidentes-decreto.html
+# https://www.elcomercio.com/afull/modificacion-husohorario-ecuador-presidentes-decreto.html
 # This says President Sixto Durán Ballén signed decree No. 285, which
 # established DST from 1992-11-28 to 1993-02-05; it does not give transition
 # times.  The people called it "hora de Sixto" ("Sixto hour").  The change did
@@ -1801,7 +1801,7 @@ Zone America/Montevideo	-3:44:44 -	LMT	1898 Jun 28
 # hours of presidential broadcasts, hours of lines,' quipped comedian
 # Jean Mary Curró ...". See: Cawthorne A, Kai D. Venezuela scraps
 # half-hour time difference set by Chavez. Reuters 2016-04-15 14:50 -0400
-# http://www.reuters.com/article/us-venezuela-timezone-idUSKCN0XC2BE
+# https://www.reuters.com/article/us-venezuela-timezone-idUSKCN0XC2BE
 #
 # From Matt Johnson (2016-04-20):
 # ... published in the official Gazette [2016-04-18], here:
diff --git a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
index 8d6247d21a..b1a7f07724 100644
--- a/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
+++ b/jdk/test/sun/util/calendar/zi/tzdata/zone.tab
@@ -209,7 +209,7 @@ GB	+513030-0000731	Europe/London
 GD	+1203-06145	America/Grenada
 GE	+4143+04449	Asia/Tbilisi
 GF	+0456-05220	America/Cayenne
-GG	+4927-00232	Europe/Guernsey
+GG	+492717-0023210	Europe/Guernsey
 GH	+0533-00013	Africa/Accra
 GI	+3608-00521	Europe/Gibraltar
 GL	+6411-05144	America/Godthab	Greenland (most areas)
@@ -244,7 +244,7 @@ IQ	+3321+04425	Asia/Baghdad
 IR	+3540+05126	Asia/Tehran
 IS	+6409-02151	Atlantic/Reykjavik
 IT	+4154+01229	Europe/Rome
-JE	+4912-00207	Europe/Jersey
+JE	+491101-0020624	Europe/Jersey
 JM	+175805-0764736	America/Jamaica
 JO	+3157+03556	Asia/Amman
 JP	+353916+1394441	Asia/Tokyo

From 0311b86a5394b589f5ce1b1ac4c03fc7a0b2525a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 13 Nov 2017 13:58:26 -0800
Subject: [PATCH 232/269] 8190550: Update milestone to fcs for 9.0.4+5

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 969a534947..53070dc129 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -1244,7 +1244,8 @@ var versionArgs = function(input, common) {
     if (input.build_type == "promoted") {
         args = concat(args,
                       // This needs to be changed when we start building release candidates
-                      "--with-version-pre=fcs",
+                      // 'ea' for EA builds and empty value for 'fcs'
+                      "--with-version-pre=",
                       "--without-version-opt");
     } else {
         args = concat(args, "--with-version-opt=" + common.build_id);

From ccc95b02af202c270847390103d4ed6f10814bb8 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 14 Nov 2017 13:01:35 -0800
Subject: [PATCH 233/269] Added tag jdk-9.0.4+6 for changeset 2a5ec60c231c

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index cced07f3b2..bda500f0e6 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -447,3 +447,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 572ea0db1d87a1d2fcc01f73ffbcfb78bd5688f4 jdk-9.0.4+3
 0053ace2e9e484fb52d00ec961e24805d0aae04a jdk-9.0.4+4
 73d63ccf56f46f258f367ed72633f0f5cc229680 jdk-9.0.4+5
+86219e4c9f8cd730bacd2f6080b6ac1dea7a0226 jdk-9.0.4+6

From c1470e702bd68aa401435ae0be21a4d0b6b0a759 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 14 Nov 2017 13:01:47 -0800
Subject: [PATCH 234/269] Added tag jdk-9.0.4+6 for changeset 6ac67458c381

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index b99f18cd0b..9ffbd8b73a 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -443,3 +443,4 @@ bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
 7e5bd44ac820cfb3ccceaf1c2e72d3701a625946 jdk-9.0.4+3
 37249aa145988b06ec51b490e0d3d343f8faf660 jdk-9.0.4+4
 ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5
+7582f72a39b79c6206cdd7e0ccdfaa1ab342b040 jdk-9.0.4+6

From 96d736972173ffa7548b50cd95875f13397c6eac Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 21 Nov 2017 21:00:27 -0800
Subject: [PATCH 235/269] Added tag jdk-9.0.4+7 for changeset 80811ba0dedc

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index f14e11536b..ce00cdc0ac 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -444,3 +444,4 @@ b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 0d40ce5e2249fb4643614855694dd1909112bb97 jdk-9.0.4+4
 7ba3aa648bf9635a75bc124539acc08d06dea600 jdk-9.0.4+5
 46524cd9b1e84d2b60b15d5ef26c7ca6260c41a4 jdk-9.0.4+6
+d54fb6a3fb5546fcf56bfc3c5f93fa320e79887a jdk-9.0.4+7

From 97e6e350ac0c349e252011e6f31344f072c1d7de Mon Sep 17 00:00:00 2001
From: Rob McKenna 
Date: Tue, 21 Nov 2017 20:37:48 +0000
Subject: [PATCH 236/269] 8191137: keytool fails to format resource strings for
 keys for some languages after JDK-8171319

Reviewed-by: weijun, mullan
---
 .../sun/security/tools/keytool/Resources.java      | 14 +++++++-------
 .../sun/security/tools/jarsigner/Resources.java    |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
index 6503ee3b82..8a2dfe62c1 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources.java
@@ -454,20 +454,20 @@ public class Resources extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "The TSA certificate"},
         {"the.input", "The input"},
         {"reply", "Reply"},
-        {"one.in.many", "%s #%d of %d"},
+        {"one.in.many", "%1$s #%2$d of %3$d"},
         {"alias.in.cacerts", "Issuer <%s> in cacerts"},
         {"alias.in.keystore", "Issuer <%s>"},
         {"with.weak", "%s (weak)"},
-        {"key.bit", "%d-bit %s key"},
-        {"key.bit.weak", "%d-bit %s key (weak)"},
+        {"key.bit", "%1$d-bit %2$s key"},
+        {"key.bit.weak", "%1$d-bit %2$s key (weak)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Owner: {0}\nIssuer: {1}\nSerial number: {2}\nValid from: {3} until: {4}\nCertificate fingerprints:\n\t SHA1: {5}\n\t SHA256: {6}\nSignature algorithm name: {7}\nSubject Public Key Algorithm: {8}\nVersion: {9}"},
         {"PKCS.10.with.weak",
                 "PKCS #10 Certificate Request (Version 1.0)\n" +
-                        "Subject: %s\nFormat: %s\nPublic Key: %s\nSignature algorithm: %s\n"},
-        {"verified.by.s.in.s.weak", "Verified by %s in %s with a %s"},
-        {"whose.sigalg.risk", "%s uses the %s signature algorithm which is considered a security risk."},
-        {"whose.key.risk", "%s uses a %s which is considered a security risk."},
+                        "Subject: %1$s\nFormat: %2$s\nPublic Key: %3$s\nSignature algorithm: %4$s\n"},
+        {"verified.by.s.in.s.weak", "Verified by %1$s in %2$s with a %3$s"},
+        {"whose.sigalg.risk", "%1$s uses the %2$s signature algorithm which is considered a security risk."},
+        {"whose.key.risk", "%1$s uses a %2$s which is considered a security risk."},
         {"jks.storetype.warning", "The %1$s keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "Migrated \"%1$s\" to %4$s. The %2$s keystore is backed up as \"%3$s\"."},
         {"backup.keystore.warning", "The original keystore \"%1$s\" is backed up as \"%3$s\"..."},
diff --git a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
index 26e0553ebb..e62499e288 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
+++ b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources.java
@@ -264,7 +264,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk.",
                 "The %1$s algorithm specified for the %2$s option is considered a security risk."},
         {"The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk.",
-                "The %s signing key has a keysize of %d which is considered a security risk."},
+                "The %1$s signing key has a keysize of %2$d which is considered a security risk."},
         {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1",
                  "This jar contains entries whose certificate chain is not validated. Reason: %s"},
         {"no.timestamp.signing",

From ec26f8b04bf99f06238ea9241578d1814237f53b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 21 Nov 2017 20:59:27 -0800
Subject: [PATCH 237/269] Added tag jdk-9.0.4+7 for changeset dfcdd4eeb5fe

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index bda500f0e6..9d16b24a84 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -448,3 +448,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 0053ace2e9e484fb52d00ec961e24805d0aae04a jdk-9.0.4+4
 73d63ccf56f46f258f367ed72633f0f5cc229680 jdk-9.0.4+5
 86219e4c9f8cd730bacd2f6080b6ac1dea7a0226 jdk-9.0.4+6
+9aba57f3071362ed7f2326d737506863b9d2646f jdk-9.0.4+7

From 82d85c936d8242d093359eb38b835d80033a6fcd Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 21 Nov 2017 20:59:34 -0800
Subject: [PATCH 238/269] Added tag jdk-9.0.4+7 for changeset 7384ca2eb80d

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 9ffbd8b73a..68fba1e7ce 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -444,3 +444,4 @@ bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
 37249aa145988b06ec51b490e0d3d343f8faf660 jdk-9.0.4+4
 ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5
 7582f72a39b79c6206cdd7e0ccdfaa1ab342b040 jdk-9.0.4+6
+8d2b147370b7a6ed585f1b168fe3475a6e16cb5f jdk-9.0.4+7

From ab58037d858c54f33e62cdc650c7df4e30d6441f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Dec 2017 18:24:02 -0800
Subject: [PATCH 239/269] Added tag jdk-9.0.4+9 for changeset a70a1da8957c

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index 7ac047ef8c..d54b5fa81d 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -606,3 +606,4 @@ ce49d719fd4d5f0ff12a1906d9d8b651a7a7d60c jdk-9.0.4+4
 f3ba0e190ffcc82f1ed0dd8275a51096123514b6 jdk-9.0.4+6
 e020892c9b441ff0855479ad4de63a9eb4b59bf7 jdk-9.0.4+7
 d74a282dcd6d05cc3752c8e29a526eb9216fa08c jdk-9.0.4+8
+a825ddfdd78e3277e6275a469f3cd2be23759c13 jdk-9.0.4+9

From 6f37e385905a9389beb6103fd691be47a5c25303 Mon Sep 17 00:00:00 2001
From: Martin Doerr 
Date: Tue, 28 Nov 2017 01:07:22 +0300
Subject: [PATCH 240/269] 8191907: PPC64 and s390 parts of JDK-8174962: Better
 interface invocations

Reviewed-by: goetz
---
 hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp |  41 +++---
 hotspot/src/cpu/ppc/vm/macroAssembler_ppc.hpp |   3 +-
 .../src/cpu/ppc/vm/templateTable_ppc_64.cpp   |  73 ++++++-----
 hotspot/src/cpu/ppc/vm/vtableStubs_ppc_64.cpp | 120 ++++++++----------
 .../src/cpu/s390/vm/macroAssembler_s390.cpp   |  64 +++++-----
 .../src/cpu/s390/vm/macroAssembler_s390.hpp   |   8 +-
 .../src/cpu/s390/vm/methodHandles_s390.cpp    |   6 +-
 .../src/cpu/s390/vm/templateTable_s390.cpp    |  75 +++++------
 hotspot/src/cpu/s390/vm/vtableStubs_s390.cpp  |  85 ++++---------
 9 files changed, 207 insertions(+), 268 deletions(-)

diff --git a/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp b/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
index 6eb27c78f1..09dfeece61 100644
--- a/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
+++ b/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
@@ -1786,11 +1786,10 @@ void MacroAssembler::lookup_interface_method(Register recv_klass,
                                              RegisterOrConstant itable_index,
                                              Register method_result,
                                              Register scan_temp,
-                                             Register sethi_temp,
-                                             Label& L_no_such_interface) {
+                                             Register temp2,
+                                             Label& L_no_such_interface,
+                                             bool return_method) {
   assert_different_registers(recv_klass, intf_klass, method_result, scan_temp);
-  assert(itable_index.is_constant() || itable_index.as_register() == method_result,
-         "caller must use same register for non-constant itable index as for method");
 
   // Compute start of first itableOffsetEntry (which is at the end of the vtable).
   int vtable_base = in_bytes(Klass::vtable_start_offset());
@@ -1808,15 +1807,17 @@ void MacroAssembler::lookup_interface_method(Register recv_klass,
   add(scan_temp, recv_klass, scan_temp);
 
   // Adjust recv_klass by scaled itable_index, so we can free itable_index.
-  if (itable_index.is_register()) {
-    Register itable_offset = itable_index.as_register();
-    sldi(itable_offset, itable_offset, logMEsize);
-    if (itentry_off) addi(itable_offset, itable_offset, itentry_off);
-    add(recv_klass, itable_offset, recv_klass);
-  } else {
-    long itable_offset = (long)itable_index.as_constant();
-    load_const_optimized(sethi_temp, (itable_offset<itable(); scan->interface() != NULL; scan += scan_step) {
@@ -1829,12 +1830,12 @@ void MacroAssembler::lookup_interface_method(Register recv_klass,
   for (int peel = 1; peel >= 0; peel--) {
     // %%%% Could load both offset and interface in one ldx, if they were
     // in the opposite order. This would save a load.
-    ld(method_result, itableOffsetEntry::interface_offset_in_bytes(), scan_temp);
+    ld(temp2, itableOffsetEntry::interface_offset_in_bytes(), scan_temp);
 
     // Check that this entry is non-null. A null entry means that
     // the receiver class doesn't implement the interface, and wasn't the
     // same as when the caller was compiled.
-    cmpd(CCR0, method_result, intf_klass);
+    cmpd(CCR0, temp2, intf_klass);
 
     if (peel) {
       beq(CCR0, found_method);
@@ -1847,7 +1848,7 @@ void MacroAssembler::lookup_interface_method(Register recv_klass,
 
     bind(search);
 
-    cmpdi(CCR0, method_result, 0);
+    cmpdi(CCR0, temp2, 0);
     beq(CCR0, L_no_such_interface);
     addi(scan_temp, scan_temp, scan_step);
   }
@@ -1855,9 +1856,11 @@ void MacroAssembler::lookup_interface_method(Register recv_klass,
   bind(found_method);
 
   // Got a hit.
-  int ito_offset = itableOffsetEntry::offset_offset_in_bytes();
-  lwz(scan_temp, ito_offset, scan_temp);
-  ldx(method_result, scan_temp, recv_klass);
+  if (return_method) {
+    int ito_offset = itableOffsetEntry::offset_offset_in_bytes();
+    lwz(scan_temp, ito_offset, scan_temp);
+    ldx(method_result, scan_temp, method_result);
+  }
 }
 
 // virtual method calling
diff --git a/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.hpp b/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.hpp
index 0b1b2a0bef..300b492927 100644
--- a/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.hpp
+++ b/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.hpp
@@ -517,7 +517,8 @@ class MacroAssembler: public Assembler {
                                RegisterOrConstant itable_index,
                                Register method_result,
                                Register temp_reg, Register temp2_reg,
-                               Label& no_such_interface);
+                               Label& no_such_interface,
+                               bool return_method = true);
 
   // virtual method calling
   void lookup_virtual_method(Register recv_klass,
diff --git a/hotspot/src/cpu/ppc/vm/templateTable_ppc_64.cpp b/hotspot/src/cpu/ppc/vm/templateTable_ppc_64.cpp
index 517a304d4e..2ed910e29d 100644
--- a/hotspot/src/cpu/ppc/vm/templateTable_ppc_64.cpp
+++ b/hotspot/src/cpu/ppc/vm/templateTable_ppc_64.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2013, 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -3478,11 +3478,11 @@ void TemplateTable::invokestatic(int byte_no) {
 void TemplateTable::invokeinterface_object_method(Register Rrecv_klass,
                                                   Register Rret,
                                                   Register Rflags,
-                                                  Register Rindex,
+                                                  Register Rmethod,
                                                   Register Rtemp1,
                                                   Register Rtemp2) {
 
-  assert_different_registers(Rindex, Rret, Rrecv_klass, Rflags, Rtemp1, Rtemp2);
+  assert_different_registers(Rmethod, Rret, Rrecv_klass, Rflags, Rtemp1, Rtemp2);
   Label LnotFinal;
 
   // Check for vfinal.
@@ -3494,14 +3494,14 @@ void TemplateTable::invokeinterface_object_method(Register Rrecv_klass,
   // Final call case.
   __ profile_final_call(Rtemp1, Rscratch);
   // Argument and return type profiling.
-  __ profile_arguments_type(Rindex, Rscratch, Rrecv_klass /* scratch */, true);
+  __ profile_arguments_type(Rmethod, Rscratch, Rrecv_klass /* scratch */, true);
   // Do the final call - the index (f2) contains the method.
-  __ call_from_interpreter(Rindex, Rret, Rscratch, Rrecv_klass /* scratch */);
+  __ call_from_interpreter(Rmethod, Rret, Rscratch, Rrecv_klass /* scratch */);
 
   // Non-final callc case.
   __ bind(LnotFinal);
   __ profile_virtual_call(Rrecv_klass, Rtemp1, Rscratch, false);
-  generate_vtable_call(Rrecv_klass, Rindex, Rret, Rscratch);
+  generate_vtable_call(Rrecv_klass, Rmethod, Rret, Rscratch);
 }
 
 void TemplateTable::invokeinterface(int byte_no) {
@@ -3510,58 +3510,61 @@ void TemplateTable::invokeinterface(int byte_no) {
 
   const Register Rscratch1        = R11_scratch1,
                  Rscratch2        = R12_scratch2,
-                 Rscratch3        = R9_ARG7,
-                 Rscratch4        = R10_ARG8,
-                 Rtable_addr      = Rscratch2,
+                 Rmethod          = R6_ARG4,
+                 Rmethod2         = R9_ARG7,
                  Rinterface_klass = R5_ARG3,
-                 Rret_type        = R8_ARG6,
-                 Rret_addr        = Rret_type,
-                 Rindex           = R6_ARG4,
-                 Rreceiver        = R4_ARG2,
-                 Rrecv_klass      = Rreceiver,
+                 Rret_addr        = R8_ARG6,
+                 Rindex           = R10_ARG8,
+                 Rreceiver        = R3_ARG1,
+                 Rrecv_klass      = R4_ARG2,
                  Rflags           = R7_ARG5;
 
-  prepare_invoke(byte_no, Rinterface_klass, Rret_addr, Rindex, Rreceiver, Rflags, Rscratch1);
+  prepare_invoke(byte_no, Rinterface_klass, Rret_addr, Rmethod, Rreceiver, Rflags, Rscratch1);
 
   // Get receiver klass.
-  __ null_check_throw(Rreceiver, oopDesc::klass_offset_in_bytes(), Rscratch3);
+  __ null_check_throw(Rreceiver, oopDesc::klass_offset_in_bytes(), Rscratch2);
   __ load_klass(Rrecv_klass, Rreceiver);
 
   // Check corner case object method.
-  Label LobjectMethod;
-
+  Label LobjectMethod, L_no_such_interface, Lthrow_ame;
   __ testbitdi(CCR0, R0, Rflags, ConstantPoolCacheEntry::is_forced_virtual_shift);
   __ btrue(CCR0, LobjectMethod);
 
-  // Fallthrough: The normal invokeinterface case.
+  __ lookup_interface_method(Rrecv_klass, Rinterface_klass, noreg, noreg, Rscratch1, Rscratch2,
+                             L_no_such_interface, /*return_method=*/false);
+
   __ profile_virtual_call(Rrecv_klass, Rscratch1, Rscratch2, false);
 
   // Find entry point to call.
-  Label Lthrow_icc, Lthrow_ame;
-  // Result will be returned in Rindex.
-  __ mr(Rscratch4, Rrecv_klass);
-  __ mr(Rscratch3, Rindex);
-  __ lookup_interface_method(Rrecv_klass, Rinterface_klass, Rindex, Rindex, Rscratch1, Rscratch2, Lthrow_icc);
 
-  __ cmpdi(CCR0, Rindex, 0);
+  // Get declaring interface class from method
+  __ ld(Rinterface_klass, in_bytes(Method::const_offset()), Rmethod);
+  __ ld(Rinterface_klass, in_bytes(ConstMethod::constants_offset()), Rinterface_klass);
+  __ ld(Rinterface_klass, ConstantPool::pool_holder_offset_in_bytes(), Rinterface_klass);
+
+  // Get itable index from method
+  __ lwa(Rindex, in_bytes(Method::itable_index_offset()), Rmethod);
+  __ subfic(Rindex, Rindex, Method::itable_index_max);
+
+  __ lookup_interface_method(Rrecv_klass, Rinterface_klass, Rindex, Rmethod2, Rscratch1, Rscratch2,
+                             L_no_such_interface);
+
+  __ cmpdi(CCR0, Rmethod2, 0);
   __ beq(CCR0, Lthrow_ame);
   // Found entry. Jump off!
   // Argument and return type profiling.
-  __ profile_arguments_type(Rindex, Rscratch1, Rscratch2, true);
-  __ call_from_interpreter(Rindex, Rret_addr, Rscratch1, Rscratch2);
+  __ profile_arguments_type(Rmethod2, Rscratch1, Rscratch2, true);
+  //__ profile_called_method(Rindex, Rscratch1);
+  __ call_from_interpreter(Rmethod2, Rret_addr, Rscratch1, Rscratch2);
 
   // Vtable entry was NULL => Throw abstract method error.
   __ bind(Lthrow_ame);
-  __ mr(Rrecv_klass, Rscratch4);
-  __ mr(Rindex, Rscratch3);
   call_VM(noreg, CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_AbstractMethodError));
 
   // Interface was not found => Throw incompatible class change error.
-  __ bind(Lthrow_icc);
-  __ mr(Rrecv_klass, Rscratch4);
+  __ bind(L_no_such_interface);
   call_VM(noreg, CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_IncompatibleClassChangeError));
-
-  __ should_not_reach_here();
+  DEBUG_ONLY( __ should_not_reach_here(); )
 
   // Special case of invokeinterface called for virtual method of
   // java.lang.Object. See ConstantPoolCacheEntry::set_method() for details:
@@ -3569,7 +3572,7 @@ void TemplateTable::invokeinterface(int byte_no) {
   // to handle this corner case. This code isn't produced by javac, but could
   // be produced by another compliant java compiler.
   __ bind(LobjectMethod);
-  invokeinterface_object_method(Rrecv_klass, Rret_addr, Rflags, Rindex, Rscratch1, Rscratch2);
+  invokeinterface_object_method(Rrecv_klass, Rret_addr, Rflags, Rmethod, Rscratch1, Rscratch2);
 }
 
 void TemplateTable::invokedynamic(int byte_no) {
diff --git a/hotspot/src/cpu/ppc/vm/vtableStubs_ppc_64.cpp b/hotspot/src/cpu/ppc/vm/vtableStubs_ppc_64.cpp
index d2f6117b37..480e3e55fa 100644
--- a/hotspot/src/cpu/ppc/vm/vtableStubs_ppc_64.cpp
+++ b/hotspot/src/cpu/ppc/vm/vtableStubs_ppc_64.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2012, 2016 SAP SE. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
 #include "code/vtableStubs.hpp"
 #include "interp_masm_ppc.hpp"
 #include "memory/resourceArea.hpp"
+#include "oops/compiledICHolder.hpp"
 #include "oops/instanceKlass.hpp"
 #include "oops/klassVtable.hpp"
 #include "runtime/sharedRuntime.hpp"
@@ -55,17 +56,22 @@ VtableStub* VtableStubs::create_vtable_stub(int vtable_index) {
   // PPC port: use fixed size.
   const int code_length = VtableStub::pd_code_size_limit(true);
   VtableStub* s = new (code_length) VtableStub(true, vtable_index);
+
+  // Can be NULL if there is no free space in the code cache.
+  if (s == NULL) {
+    return NULL;
+  }
+
   ResourceMark rm;
   CodeBuffer cb(s->entry_point(), code_length);
   MacroAssembler* masm = new MacroAssembler(&cb);
-  address start_pc;
 
 #ifndef PRODUCT
   if (CountCompiledCalls) {
-    __ load_const(R11_scratch1, SharedRuntime::nof_megamorphic_calls_addr());
-    __ lwz(R12_scratch2, 0, R11_scratch1);
+    int offs = __ load_const_optimized(R11_scratch1, SharedRuntime::nof_megamorphic_calls_addr(), R12_scratch2, true);
+    __ lwz(R12_scratch2, offs, R11_scratch1);
     __ addi(R12_scratch2, R12_scratch2, 1);
-    __ stw(R12_scratch2, 0, R11_scratch1);
+    __ stw(R12_scratch2, offs, R11_scratch1);
   }
 #endif
 
@@ -116,6 +122,7 @@ VtableStub* VtableStubs::create_vtable_stub(int vtable_index) {
   __ ld(R12_scratch2, in_bytes(Method::from_compiled_offset()), R19_method);
   __ mtctr(R12_scratch2);
   __ bctr();
+
   masm->flush();
 
   guarantee(__ pc() <= s->code_end(), "overflowed buffer");
@@ -125,10 +132,16 @@ VtableStub* VtableStubs::create_vtable_stub(int vtable_index) {
   return s;
 }
 
-VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
+VtableStub* VtableStubs::create_itable_stub(int itable_index) {
   // PPC port: use fixed size.
   const int code_length = VtableStub::pd_code_size_limit(false);
-  VtableStub* s = new (code_length) VtableStub(false, vtable_index);
+  VtableStub* s = new (code_length) VtableStub(false, itable_index);
+
+  // Can be NULL if there is no free space in the code cache.
+  if (s == NULL) {
+    return NULL;
+  }
+
   ResourceMark rm;
   CodeBuffer cb(s->entry_point(), code_length);
   MacroAssembler* masm = new MacroAssembler(&cb);
@@ -136,10 +149,10 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
 
 #ifndef PRODUCT
   if (CountCompiledCalls) {
-    __ load_const(R11_scratch1, SharedRuntime::nof_megamorphic_calls_addr());
-    __ lwz(R12_scratch2, 0, R11_scratch1);
+    int offs = __ load_const_optimized(R11_scratch1, SharedRuntime::nof_megamorphic_calls_addr(), R12_scratch2, true);
+    __ lwz(R12_scratch2, offs, R11_scratch1);
     __ addi(R12_scratch2, R12_scratch2, 1);
-    __ stw(R12_scratch2, 0, R11_scratch1);
+    __ stw(R12_scratch2, offs, R11_scratch1);
   }
 #endif
 
@@ -148,62 +161,28 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   // Entry arguments:
   //  R19_method: Interface
   //  R3_ARG1:    Receiver
-  //
 
-  const Register rcvr_klass = R11_scratch1;
-  const Register vtable_len = R12_scratch2;
-  const Register itable_entry_addr = R21_tmp1;
-  const Register itable_interface = R22_tmp2;
+  Label L_no_such_interface;
+  const Register rcvr_klass = R11_scratch1,
+                 interface  = R12_scratch2,
+                 tmp1       = R21_tmp1,
+                 tmp2       = R22_tmp2;
 
-  // Get receiver klass.
-
-  // We might implicit NULL fault here.
   address npe_addr = __ pc(); // npe = null pointer exception
   __ null_check(R3_ARG1, oopDesc::klass_offset_in_bytes(), /*implicit only*/NULL);
   __ load_klass(rcvr_klass, R3_ARG1);
 
-  BLOCK_COMMENT("Load start of itable entries into itable_entry.");
-  __ lwz(vtable_len, in_bytes(Klass::vtable_length_offset()), rcvr_klass);
-  __ slwi(vtable_len, vtable_len, exact_log2(vtableEntry::size_in_bytes()));
-  __ add(itable_entry_addr, vtable_len, rcvr_klass);
+  // Receiver subtype check against REFC.
+  __ ld(interface, CompiledICHolder::holder_klass_offset(), R19_method);
+  __ lookup_interface_method(rcvr_klass, interface, noreg,
+                             R0, tmp1, tmp2,
+                             L_no_such_interface, /*return_method=*/ false);
 
-  // Loop over all itable entries until desired interfaceOop(Rinterface) found.
-  BLOCK_COMMENT("Increment itable_entry_addr in loop.");
-  const int vtable_base_offset = in_bytes(Klass::vtable_start_offset());
-  __ addi(itable_entry_addr, itable_entry_addr, vtable_base_offset + itableOffsetEntry::interface_offset_in_bytes());
-
-  const int itable_offset_search_inc = itableOffsetEntry::size() * wordSize;
-  Label search;
-  __ bind(search);
-  __ ld(itable_interface, 0, itable_entry_addr);
-
-  // Handle IncompatibleClassChangeError in itable stubs.
-  // If the entry is NULL then we've reached the end of the table
-  // without finding the expected interface, so throw an exception.
-  BLOCK_COMMENT("Handle IncompatibleClassChangeError in itable stubs.");
-  Label throw_icce;
-  __ cmpdi(CCR1, itable_interface, 0);
-  __ cmpd(CCR0, itable_interface, R19_method);
-  __ addi(itable_entry_addr, itable_entry_addr, itable_offset_search_inc);
-  __ beq(CCR1, throw_icce);
-  __ bne(CCR0, search);
-
-  // Entry found and itable_entry_addr points to it, get offset of vtable for interface.
-
-  const Register vtable_offset = R12_scratch2;
-  const Register itable_method = R11_scratch1;
-
-  const int vtable_offset_offset = (itableOffsetEntry::offset_offset_in_bytes() -
-                                    itableOffsetEntry::interface_offset_in_bytes()) -
-                                   itable_offset_search_inc;
-  __ lwz(vtable_offset, vtable_offset_offset, itable_entry_addr);
-
-  // Compute itableMethodEntry and get method and entry point for compiler.
-  const int method_offset = (itableMethodEntry::size() * wordSize * vtable_index) +
-    itableMethodEntry::method_offset_in_bytes();
-
-  __ add(itable_method, rcvr_klass, vtable_offset);
-  __ ld(R19_method, method_offset, itable_method);
+  // Get Method* and entrypoint for compiler
+  __ ld(interface, CompiledICHolder::holder_metadata_offset(), R19_method);
+  __ lookup_interface_method(rcvr_klass, interface, itable_index,
+                             R19_method, tmp1, tmp2,
+                             L_no_such_interface, /*return_method=*/ true);
 
 #ifndef PRODUCT
   if (DebugVtables) {
@@ -219,7 +198,7 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   address ame_addr = __ pc(); // ame = abstract method error
 
   // Must do an explicit check if implicit checks are disabled.
-  __ null_check(R19_method, in_bytes(Method::from_compiled_offset()), &throw_icce);
+  __ null_check(R19_method, in_bytes(Method::from_compiled_offset()), &L_no_such_interface);
   __ ld(R12_scratch2, in_bytes(Method::from_compiled_offset()), R19_method);
   __ mtctr(R12_scratch2);
   __ bctr();
@@ -229,8 +208,8 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   // We force resolving of the call site by jumping to the "handle
   // wrong method" stub, and so let the interpreter runtime do all the
   // dirty work.
-  __ bind(throw_icce);
-  __ load_const(R11_scratch1, SharedRuntime::get_handle_wrong_method_stub());
+  __ bind(L_no_such_interface);
+  __ load_const_optimized(R11_scratch1, SharedRuntime::get_handle_wrong_method_stub(), R12_scratch2);
   __ mtctr(R11_scratch1);
   __ bctr();
 
@@ -245,14 +224,15 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
 int VtableStub::pd_code_size_limit(bool is_vtable_stub) {
   if (DebugVtables || CountCompiledCalls || VerifyOops) {
     return 1000;
-  } else {
-    int decode_klass_size = MacroAssembler::instr_size_for_decode_klass_not_null();
-    if (is_vtable_stub) {
-      return 20 + decode_klass_size +  8 + 8;   // Plain + cOops + Traps + safety
-    } else {
-      return 96 + decode_klass_size + 12 + 8;   // Plain + cOops + Traps + safety
-    }
   }
+  int size = is_vtable_stub ? 20 + 8 : 164 + 20; // Plain + safety
+  if (UseCompressedClassPointers) {
+    size += MacroAssembler::instr_size_for_decode_klass_not_null();
+  }
+  if (!ImplicitNullChecks || !os::zero_page_read_protected()) {
+    size += is_vtable_stub ? 8 : 12;
+  }
+  return size;
 }
 
 int VtableStub::pd_code_alignment() {
diff --git a/hotspot/src/cpu/s390/vm/macroAssembler_s390.cpp b/hotspot/src/cpu/s390/vm/macroAssembler_s390.cpp
index d577611743..1648490c94 100644
--- a/hotspot/src/cpu/s390/vm/macroAssembler_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/macroAssembler_s390.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2731,8 +2731,8 @@ void MacroAssembler::lookup_interface_method(Register           recv_klass,
                                              RegisterOrConstant itable_index,
                                              Register           method_result,
                                              Register           temp1_reg,
-                                             Register           temp2_reg,
-                                             Label&             no_such_interface) {
+                                             Label&             no_such_interface,
+                                             bool               return_method) {
 
   const Register vtable_len = temp1_reg;    // Used to compute itable_entry_addr.
   const Register itable_entry_addr = Z_R1_scratch;
@@ -2741,11 +2741,11 @@ void MacroAssembler::lookup_interface_method(Register           recv_klass,
   BLOCK_COMMENT("lookup_interface_method {");
 
   // Load start of itable entries into itable_entry_addr.
-  z_llgf(vtable_len, Address(recv_klass, InstanceKlass::vtable_length_offset()));
+  z_llgf(vtable_len, Address(recv_klass, Klass::vtable_length_offset()));
   z_sllg(vtable_len, vtable_len, exact_log2(vtableEntry::size_in_bytes()));
 
   // Loop over all itable entries until desired interfaceOop(Rinterface) found.
-  const int vtable_base_offset = in_bytes(InstanceKlass::vtable_start_offset());
+  const int vtable_base_offset = in_bytes(Klass::vtable_start_offset());
 
   add2reg_with_index(itable_entry_addr,
                      vtable_base_offset + itableOffsetEntry::interface_offset_in_bytes(),
@@ -2767,38 +2767,36 @@ void MacroAssembler::lookup_interface_method(Register           recv_klass,
   z_brne(search);
 
   // Entry found and itable_entry_addr points to it, get offset of vtable for interface.
+  if (return_method) {
+    const int vtable_offset_offset = (itableOffsetEntry::offset_offset_in_bytes() -
+                                      itableOffsetEntry::interface_offset_in_bytes()) -
+                                     itable_offset_search_inc;
 
-  const int vtable_offset_offset = (itableOffsetEntry::offset_offset_in_bytes() -
-                                    itableOffsetEntry::interface_offset_in_bytes()) -
-                                   itable_offset_search_inc;
+    // Compute itableMethodEntry and get method and entry point
+    // we use addressing with index and displacement, since the formula
+    // for computing the entry's offset has a fixed and a dynamic part,
+    // the latter depending on the matched interface entry and on the case,
+    // that the itable index has been passed as a register, not a constant value.
+    int method_offset = itableMethodEntry::method_offset_in_bytes();
+                             // Fixed part (displacement), common operand.
+    Register itable_offset = method_result;  // Dynamic part (index register).
 
-  // Compute itableMethodEntry and get method and entry point
-  // we use addressing with index and displacement, since the formula
-  // for computing the entry's offset has a fixed and a dynamic part,
-  // the latter depending on the matched interface entry and on the case,
-  // that the itable index has been passed as a register, not a constant value.
-  int method_offset = itableMethodEntry::method_offset_in_bytes();
-                           // Fixed part (displacement), common operand.
-  Register itable_offset;  // Dynamic part (index register).
+    if (itable_index.is_register()) {
+       // Compute the method's offset in that register, for the formula, see the
+       // else-clause below.
+       z_sllg(itable_offset, itable_index.as_register(), exact_log2(itableMethodEntry::size() * wordSize));
+       z_agf(itable_offset, vtable_offset_offset, itable_entry_addr);
+    } else {
+      // Displacement increases.
+      method_offset += itableMethodEntry::size() * wordSize * itable_index.as_constant();
 
-  if (itable_index.is_register()) {
-     // Compute the method's offset in that register, for the formula, see the
-     // else-clause below.
-     itable_offset = itable_index.as_register();
+      // Load index from itable.
+      z_llgf(itable_offset, vtable_offset_offset, itable_entry_addr);
+    }
 
-     z_sllg(itable_offset, itable_offset, exact_log2(itableMethodEntry::size() * wordSize));
-     z_agf(itable_offset, vtable_offset_offset, itable_entry_addr);
-  } else {
-    itable_offset = Z_R1_scratch;
-    // Displacement increases.
-    method_offset += itableMethodEntry::size() * wordSize * itable_index.as_constant();
-
-    // Load index from itable.
-    z_llgf(itable_offset, vtable_offset_offset, itable_entry_addr);
+    // Finally load the method's oop.
+    z_lg(method_result, method_offset, itable_offset, recv_klass);
   }
-
-  // Finally load the method's oop.
-  z_lg(method_result, method_offset, itable_offset, recv_klass);
   BLOCK_COMMENT("} lookup_interface_method");
 }
 
diff --git a/hotspot/src/cpu/s390/vm/macroAssembler_s390.hpp b/hotspot/src/cpu/s390/vm/macroAssembler_s390.hpp
index 2b4002a3bf..ba920ee5fd 100644
--- a/hotspot/src/cpu/s390/vm/macroAssembler_s390.hpp
+++ b/hotspot/src/cpu/s390/vm/macroAssembler_s390.hpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -650,8 +650,8 @@ class MacroAssembler: public Assembler {
                                RegisterOrConstant itable_index,
                                Register           method_result,
                                Register           temp1_reg,
-                               Register           temp2_reg,
-                               Label&             no_such_interface);
+                               Label&             no_such_interface,
+                               bool               return_method = true);
 
   // virtual method calling
   void lookup_virtual_method(Register             recv_klass,
diff --git a/hotspot/src/cpu/s390/vm/methodHandles_s390.cpp b/hotspot/src/cpu/s390/vm/methodHandles_s390.cpp
index e2f0d32cc8..8204715c60 100644
--- a/hotspot/src/cpu/s390/vm/methodHandles_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/methodHandles_s390.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -491,7 +491,7 @@ void MethodHandles::generate_method_handle_dispatch(MacroAssembler* _masm,
       Label L_no_such_interface;
       __ lookup_interface_method(temp1_recv_klass, temp3_intf,
                                  // Note: next two args must be the same:
-                                 Z_index, Z_method, temp2, noreg,
+                                 Z_index, Z_method, temp2,
                                  L_no_such_interface);
       jump_from_method_handle(_masm, Z_method, temp2, Z_R0, for_compiler_entry);
 
diff --git a/hotspot/src/cpu/s390/vm/templateTable_s390.cpp b/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
index 1e471d7b02..729a3075ed 100644
--- a/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/templateTable_s390.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -3545,66 +3545,67 @@ void TemplateTable::invokeinterface(int byte_no) {
   transition(vtos, vtos);
 
   assert(byte_no == f1_byte, "use this argument");
-  Register interface = Z_tos;
-  Register index = Z_ARG3;
-  Register receiver = Z_tmp_1;
-  Register flags = Z_ARG5;
+  Register klass     = Z_ARG2,
+           method    = Z_ARG3,
+           interface = Z_ARG4,
+           flags     = Z_ARG5,
+           receiver  = Z_tmp_1;
 
   BLOCK_COMMENT("invokeinterface {");
 
-  // Destroys Z_ARG1 and Z_ARG2, thus use Z_ARG4 and copy afterwards.
-  prepare_invoke(byte_no, Z_ARG4, index,  // Get f1 klassOop, f2 itable index.
+  prepare_invoke(byte_no, interface, method,  // Get f1 klassOop, f2 itable index.
                  receiver, flags);
 
   // Z_R14 (== Z_bytecode) : return entry
 
-  __ z_lgr(interface, Z_ARG4);
-
   // Special case of invokeinterface called for virtual method of
   // java.lang.Object. See cpCacheOop.cpp for details.
   // This code isn't produced by javac, but could be produced by
   // another compliant java compiler.
-  Label notMethod;
+  NearLabel notMethod, no_such_interface, no_such_method;
   __ testbit(flags, ConstantPoolCacheEntry::is_forced_virtual_shift);
   __ z_brz(notMethod);
-  invokevirtual_helper(index, receiver, flags);
+  invokevirtual_helper(method, receiver, flags);
   __ bind(notMethod);
 
   // Get receiver klass into klass - also a null check.
-  Register klass = flags;
-
   __ restore_locals();
   __ load_klass(klass, receiver);
 
+  __ lookup_interface_method(klass, interface, noreg, noreg, /*temp*/Z_ARG1,
+                             no_such_interface, /*return_method=*/false);
+
   // Profile this call.
-  __ profile_virtual_call(klass, Z_ARG2/*mdp*/, Z_ARG4/*scratch*/);
+  __ profile_virtual_call(klass, Z_ARG1/*mdp*/, flags/*scratch*/);
 
-  NearLabel  no_such_interface, no_such_method;
-  Register   method = Z_tmp_2;
+  // Find entry point to call.
 
-  // TK 2010-08-24: save the index to Z_ARG4. needed in case of an error
-  //                in throw_AbstractMethodErrorByTemplateTable
-  __ z_lgr(Z_ARG4, index);
-  // TK 2011-03-24: copy also klass because it could be changed in
-  //                lookup_interface_method
-  __ z_lgr(Z_ARG2, klass);
-  __ lookup_interface_method(// inputs: rec. class, interface, itable index
-                              klass, interface, index,
-                              // outputs: method, scan temp. reg
-                              method, Z_tmp_2, Z_R1_scratch,
-                              no_such_interface);
+  // Get declaring interface class from method
+  __ z_lg(interface, Address(method, Method::const_offset()));
+  __ z_lg(interface, Address(interface, ConstMethod::constants_offset()));
+  __ z_lg(interface, Address(interface, ConstantPool::pool_holder_offset_in_bytes()));
+
+  // Get itable index from method
+  Register index   = receiver,
+           method2 = flags;
+  __ z_lgf(index, Address(method, Method::itable_index_offset()));
+  __ z_aghi(index, -Method::itable_index_max);
+  __ z_lcgr(index, index);
+
+  __ lookup_interface_method(klass, interface, index, method2, Z_tmp_2,
+                             no_such_interface);
 
   // Check for abstract method error.
   // Note: This should be done more efficiently via a throw_abstract_method_error
   // interpreter entry point and a conditional jump to it in case of a null
   // method.
-  __ compareU64_and_branch(method, (intptr_t) 0,
+  __ compareU64_and_branch(method2, (intptr_t) 0,
                             Assembler::bcondZero, no_such_method);
 
-  __ profile_arguments_type(Z_ARG3, method, Z_ARG5, true);
+  __ profile_arguments_type(Z_tmp_1, method2, Z_tmp_2, true);
 
   // Do the call.
-  __ jump_from_interpreted(method, Z_ARG5);
+  __ jump_from_interpreted(method2, Z_tmp_2);
   __ should_not_reach_here();
 
   // exception handling code follows...
@@ -3616,12 +3617,8 @@ void TemplateTable::invokeinterface(int byte_no) {
   // Throw exception.
   __ restore_bcp();      // Bcp must be correct for exception handler   (was destroyed).
   __ restore_locals();   // Make sure locals pointer is correct as well (was destroyed).
-  // TK 2010-08-24: Call throw_AbstractMethodErrorByTemplateTable now with the
-  //                relevant information for generating a better error message
   __ call_VM(noreg,
-              CAST_FROM_FN_PTR(address,
-                               InterpreterRuntime::throw_AbstractMethodError),
-              Z_ARG2, interface, Z_ARG4);
+             CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_AbstractMethodError));
   // The call_VM checks for exception, so we should never return here.
   __ should_not_reach_here();
 
@@ -3630,12 +3627,8 @@ void TemplateTable::invokeinterface(int byte_no) {
   // Throw exception.
   __ restore_bcp();      // Bcp must be correct for exception handler   (was destroyed).
   __ restore_locals();   // Make sure locals pointer is correct as well (was destroyed).
-  // TK 2010-08-24: Call throw_IncompatibleClassChangeErrorByTemplateTable now with the
-  //                relevant information for generating a better error message
   __ call_VM(noreg,
-             CAST_FROM_FN_PTR(address,
-                              InterpreterRuntime::throw_IncompatibleClassChangeError),
-             Z_ARG2, interface);
+             CAST_FROM_FN_PTR(address, InterpreterRuntime::throw_IncompatibleClassChangeError));
   // The call_VM checks for exception, so we should never return here.
   __ should_not_reach_here();
 
diff --git a/hotspot/src/cpu/s390/vm/vtableStubs_s390.cpp b/hotspot/src/cpu/s390/vm/vtableStubs_s390.cpp
index c2c3ab246b..fb27b67a17 100644
--- a/hotspot/src/cpu/s390/vm/vtableStubs_s390.cpp
+++ b/hotspot/src/cpu/s390/vm/vtableStubs_s390.cpp
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * Copyright (c) 2016 SAP SE. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017 SAP SE. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
 #include "code/vtableStubs.hpp"
 #include "interp_masm_s390.hpp"
 #include "memory/resourceArea.hpp"
+#include "oops/compiledICHolder.hpp"
 #include "oops/instanceKlass.hpp"
 #include "oops/klassVtable.hpp"
 #include "runtime/sharedRuntime.hpp"
@@ -57,7 +58,6 @@ VtableStub* VtableStubs::create_vtable_stub(int vtable_index) {
   ResourceMark    rm;
   CodeBuffer      cb(s->entry_point(), code_length);
   MacroAssembler *masm = new MacroAssembler(&cb);
-  address start_pc;
   int     padding_bytes = 0;
 
 #if (!defined(PRODUCT) && defined(COMPILER2))
@@ -144,9 +144,9 @@ VtableStub* VtableStubs::create_vtable_stub(int vtable_index) {
   return s;
 }
 
-VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
+VtableStub* VtableStubs::create_itable_stub(int itable_index) {
   const int   code_length = VtableStub::pd_code_size_limit(false);
-  VtableStub *s = new(code_length) VtableStub(false, vtable_index);
+  VtableStub *s = new(code_length) VtableStub(false, itable_index);
   if (s == NULL) { // Indicates OOM in the code cache.
     return NULL;
   }
@@ -154,7 +154,6 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   ResourceMark    rm;
   CodeBuffer      cb(s->entry_point(), code_length);
   MacroAssembler *masm = new MacroAssembler(&cb);
-  address start_pc;
   int     padding_bytes = 0;
 
 #if (!defined(PRODUCT) && defined(COMPILER2))
@@ -174,11 +173,9 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   // Entry arguments:
   //  Z_method: Interface
   //  Z_ARG1:   Receiver
-  const Register rcvr_klass = Z_tmp_1;    // Used to compute itable_entry_addr.
-                                          // Use extra reg to avoid re-load.
-  const Register vtable_len = Z_tmp_2;    // Used to compute itable_entry_addr.
-  const Register itable_entry_addr = Z_R1_scratch;
-  const Register itable_interface  = Z_R0_scratch;
+  NearLabel no_such_interface;
+  const Register rcvr_klass = Z_tmp_1,
+                 interface  = Z_tmp_2;
 
   // Get receiver klass.
   // Must do an explicit check if implicit checks are disabled.
@@ -186,50 +183,15 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   __ null_check(Z_ARG1, Z_R1_scratch, oopDesc::klass_offset_in_bytes());
   __ load_klass(rcvr_klass, Z_ARG1);
 
-  // Load start of itable entries into itable_entry.
-  __ z_llgf(vtable_len, Address(rcvr_klass, InstanceKlass::vtable_length_offset()));
-  __ z_sllg(vtable_len, vtable_len, exact_log2(vtableEntry::size_in_bytes()));
+  // Receiver subtype check against REFC.
+  __ z_lg(interface, Address(Z_method, CompiledICHolder::holder_klass_offset()));
+  __ lookup_interface_method(rcvr_klass, interface, noreg,
+                             noreg, Z_R1, no_such_interface, /*return_method=*/ false);
 
-  // Loop over all itable entries until desired interfaceOop(Rinterface) found.
-  const int vtable_base_offset = in_bytes(InstanceKlass::vtable_start_offset());
-  // Count unused bytes.
-  start_pc = __ pc();
-  __ add2reg_with_index(itable_entry_addr, vtable_base_offset + itableOffsetEntry::interface_offset_in_bytes(), rcvr_klass, vtable_len);
-  padding_bytes += 20 - (__ pc() - start_pc);
-
-  const int itable_offset_search_inc = itableOffsetEntry::size() * wordSize;
-  Label search;
-  __ bind(search);
-
-  // Handle IncompatibleClassChangeError in itable stubs.
-  // If the entry is NULL then we've reached the end of the table
-  // without finding the expected interface, so throw an exception.
-  NearLabel   throw_icce;
-  __ load_and_test_long(itable_interface, Address(itable_entry_addr));
-  __ z_bre(throw_icce); // Throw the exception out-of-line.
-  // Count unused bytes.
-  start_pc = __ pc();
-  __ add2reg(itable_entry_addr, itable_offset_search_inc);
-  padding_bytes += 20 - (__ pc() - start_pc);
-  __ z_cgr(itable_interface, Z_method);
-  __ z_brne(search);
-
-  // Entry found. Itable_entry_addr points to the subsequent entry (itable_offset_search_inc too far).
-  // Get offset of vtable for interface.
-
-  const Register vtable_offset = Z_R1_scratch;
-  const Register itable_method = rcvr_klass;   // Calculated before.
-
-  const int vtable_offset_offset = (itableOffsetEntry::offset_offset_in_bytes() -
-                                    itableOffsetEntry::interface_offset_in_bytes()) -
-                                   itable_offset_search_inc;
-  __ z_llgf(vtable_offset, vtable_offset_offset, itable_entry_addr);
-
-  // Compute itableMethodEntry and get method and entry point for compiler.
-  const int method_offset = (itableMethodEntry::size() * wordSize * vtable_index) +
-                            itableMethodEntry::method_offset_in_bytes();
-
-  __ z_lg(Z_method, method_offset, vtable_offset, itable_method);
+  // Get Method* and entrypoint for compiler
+  __ z_lg(interface, Address(Z_method, CompiledICHolder::holder_metadata_offset()));
+  __ lookup_interface_method(rcvr_klass, interface, itable_index,
+                             Z_method, Z_R1, no_such_interface, /*return_method=*/ true);
 
 #ifndef PRODUCT
   if (DebugVtables) {
@@ -244,13 +206,13 @@ VtableStub* VtableStubs::create_itable_stub(int vtable_index) {
   address ame_addr = __ pc();
   // Must do an explicit check if implicit checks are disabled.
   if (!ImplicitNullChecks) {
-    __ compare64_and_branch(Z_method, (intptr_t) 0, Assembler::bcondEqual, throw_icce);
+    __ compare64_and_branch(Z_method, (intptr_t) 0, Assembler::bcondEqual, no_such_interface);
   }
   __ z_lg(Z_R1_scratch, in_bytes(Method::from_compiled_offset()), Z_method);
   __ z_br(Z_R1_scratch);
 
   // Handle IncompatibleClassChangeError in itable stubs.
-  __ bind(throw_icce);
+  __ bind(no_such_interface);
   // Count unused bytes
   //                  worst case          actual size
   // We force resolving of the call site by jumping to
@@ -273,13 +235,12 @@ int VtableStub::pd_code_size_limit(bool is_vtable_stub) {
   if (CountCompiledCalls) {
     size += 6 * 4;
   }
-  if (is_vtable_stub) {
-    size += 52;
-  } else {
-    size += 104;
+  size += is_vtable_stub ? 36 : 140;
+  if (UseCompressedClassPointers) {
+    size += MacroAssembler::instr_size_for_decode_klass_not_null();
   }
-  if (Universe::narrow_klass_base() != NULL) {
-    size += 16; // A guess.
+  if (!ImplicitNullChecks) {
+    size += 36;
   }
   return size;
 }

From 11539f9dc339c2ecefdf2b3cc7d659effddb829f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 13:11:21 -0800
Subject: [PATCH 241/269] Added tag jdk-9.0.4+8 for changeset 483d31cd3f4c

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index ce00cdc0ac..b08ef87e32 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -445,3 +445,4 @@ b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 7ba3aa648bf9635a75bc124539acc08d06dea600 jdk-9.0.4+5
 46524cd9b1e84d2b60b15d5ef26c7ca6260c41a4 jdk-9.0.4+6
 d54fb6a3fb5546fcf56bfc3c5f93fa320e79887a jdk-9.0.4+7
+b9669a87f3eafe9c538346b8997413f4d8252147 jdk-9.0.4+8

From 89951ea90336c0f3d343b76ed620f3b2410d15c3 Mon Sep 17 00:00:00 2001
From: Ivan Gerasimov 
Date: Tue, 28 Nov 2017 14:09:11 -0800
Subject: [PATCH 242/269] 8189284: More refactoring for deserialization cases

Reviewed-by: rriggs, igerasim, rhalade, skoivu
---
 .../util/concurrent/ArrayBlockingQueue.java   | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/jdk/src/java.base/share/classes/java/util/concurrent/ArrayBlockingQueue.java b/jdk/src/java.base/share/classes/java/util/concurrent/ArrayBlockingQueue.java
index 557ce73a7a..03f77879b2 100644
--- a/jdk/src/java.base/share/classes/java/util/concurrent/ArrayBlockingQueue.java
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/ArrayBlockingQueue.java
@@ -1608,4 +1608,30 @@ public class ArrayBlockingQueue extends AbstractQueue
         }
     }
 
+    /**
+     * Deserializes this queue and then checks some invariants.
+     *
+     * @param s the input stream
+     * @throws ClassNotFoundException if the class of a serialized object
+     *         could not be found
+     * @throws java.io.InvalidObjectException if invariants are violated
+     * @throws java.io.IOException if an I/O error occurs
+     */
+    private void readObject(java.io.ObjectInputStream s)
+        throws java.io.IOException, ClassNotFoundException {
+
+        // Read in items array and various fields
+        s.defaultReadObject();
+
+        // Check invariants over count and index fields. Note that
+        // if putIndex==takeIndex, count can be either 0 or items.length.
+        if (items.length == 0 ||
+            takeIndex < 0 || takeIndex >= items.length ||
+            putIndex  < 0 || putIndex  >= items.length ||
+            count < 0     || count     >  items.length ||
+            Math.floorMod(putIndex - takeIndex, items.length) !=
+            Math.floorMod(count, items.length)) {
+            throw new java.io.InvalidObjectException("invariants violated");
+        }
+    }
 }

From def47931ebfc3bc2045e5f803bb78524fa1efaf1 Mon Sep 17 00:00:00 2001
From: Ivan Gerasimov 
Date: Wed, 29 Nov 2017 14:50:13 -0800
Subject: [PATCH 243/269] 8191142: More refactoring for naming deserialization
 cases

Reviewed-by: chegar, rriggs
---
 .../classes/javax/naming/directory/BasicAttributes.java     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttributes.java b/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttributes.java
index 0b8178c91c..5ff5dc26e0 100644
--- a/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttributes.java
+++ b/jdk/src/java.naming/share/classes/javax/naming/directory/BasicAttributes.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -302,8 +302,8 @@ public class BasicAttributes implements Attributes {
         s.defaultReadObject();  // read in the ignoreCase flag
         int n = s.readInt();    // number of attributes
         attrs = (n >= 1)
-            ? new Hashtable(n * 2)
-            : new Hashtable(2); // can't have initial size of 0 (grrr...)
+                ? new Hashtable<>(1 + (int) (Math.min(768, n) / .75f))
+                : new Hashtable<>(2); // can't have initial size of 0 (grrr...)
         while (--n >= 0) {
             put((Attribute)s.readObject());
         }

From d6b2c937f9e40492963127d23d12903d77f492ee Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Thu, 30 Nov 2017 17:31:20 -0800
Subject: [PATCH 244/269] 8139653: Freetype bundled on macosx, but not
 correctly linked

Reviewed-by: tbell, prr
---
 jdk/make/copy/Copy-java.desktop.gmk |  9 +++++----
 jdk/make/lib/Awt2dLibraries.gmk     | 17 +++++++++++++++--
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/jdk/make/copy/Copy-java.desktop.gmk b/jdk/make/copy/Copy-java.desktop.gmk
index 710375594e..106d3c6c22 100644
--- a/jdk/make/copy/Copy-java.desktop.gmk
+++ b/jdk/make/copy/Copy-java.desktop.gmk
@@ -44,7 +44,8 @@ $(INCLUDE_DST_OS_DIR)/%.h: \
 ################################################################################
 
 ifneq ($(FREETYPE_BUNDLE_LIB_PATH), )
-  # We need to bundle the freetype library, so it will be available at runtime as well as link time.
+  # We need to bundle the freetype library, so it will be available at runtime
+  # as well as link time.
   #
   # NB: Default freetype build system uses -h linker option and
   # result .so contains hardcoded library name that is later
@@ -61,10 +62,10 @@ ifneq ($(FREETYPE_BUNDLE_LIB_PATH), )
   #
   #TODO: rework this to avoid hardcoding library name in the makefile
   #
-  ifeq ($(OPENJDK_TARGET_OS), windows)
-    FREETYPE_TARGET_LIB := $(LIB_DST_DIR)/$(call SHARED_LIBRARY,freetype)
-  else
+  ifneq ($(filter $(OPENJDK_TARGET_OS), linux solaris), )
     FREETYPE_TARGET_LIB := $(LIB_DST_DIR)/$(call SHARED_LIBRARY,freetype).6
+  else
+    FREETYPE_TARGET_LIB := $(LIB_DST_DIR)/$(call SHARED_LIBRARY,freetype)
   endif
 
   # We can't use $(install-file) in this rule because it preserves symbolic links and
diff --git a/jdk/make/lib/Awt2dLibraries.gmk b/jdk/make/lib/Awt2dLibraries.gmk
index 3eafa4a47e..27acf11014 100644
--- a/jdk/make/lib/Awt2dLibraries.gmk
+++ b/jdk/make/lib/Awt2dLibraries.gmk
@@ -658,7 +658,7 @@ endif
 
 $(eval $(call SetupNativeCompilation,BUILD_LIBFONTMANAGER, \
     LIBRARY := fontmanager, \
-    OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+    OUTPUT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libfontmanager, \
     SRC := $(LIBFONTMANAGER_SRC), \
     EXCLUDE_FILES := $(LIBFONTMANAGER_EXCLUDE_FILES) \
         AccelGlyphCache.c, \
@@ -708,7 +708,20 @@ ifneq (, $(findstring $(OPENJDK_TARGET_OS), solaris aix))
   $(BUILD_LIBFONTMANAGER): $(BUILD_LIBAWT_HEADLESS)
 endif
 
-TARGETS += $(BUILD_LIBFONTMANAGER)
+$(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager): $(BUILD_LIBFONTMANAGER_TARGET)
+	$(install-file)
+        ifneq ($(FREETYPE_BUNDLE_LIB_PATH), )
+          ifeq ($(OPENJDK_TARGET_OS), macosx)
+            # If bundling freetype on macosx, we need to rewrite the rpath location
+            # in the libfontmanager library to point to the bundled location
+	    $(INSTALL_NAME_TOOL) -change \
+	        `$(OTOOL) -D $(FREETYPE_BUNDLE_LIB_PATH)/$(call SHARED_LIBRARY,freetype) | $(TAIL) -n1` \
+	        '@rpath/$(call SHARED_LIBRARY,freetype)' \
+	        $@
+          endif
+        endif
+
+TARGETS += $(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager)
 
 ################################################################################
 

From 5142f425a7b915cb577397b34e47bc065a7051bc Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Fri, 1 Dec 2017 09:54:22 -0800
Subject: [PATCH 245/269] 8192876: MacOS build fails intermittently after
 JDK-8139653

Reviewed-by: tbell
---
 jdk/make/lib/Awt2dLibraries.gmk | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/jdk/make/lib/Awt2dLibraries.gmk b/jdk/make/lib/Awt2dLibraries.gmk
index 27acf11014..497268241d 100644
--- a/jdk/make/lib/Awt2dLibraries.gmk
+++ b/jdk/make/lib/Awt2dLibraries.gmk
@@ -702,12 +702,6 @@ $(eval $(call SetupNativeCompilation,BUILD_LIBFONTMANAGER, \
     OBJECT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libfontmanager, \
 ))
 
-$(BUILD_LIBFONTMANAGER): $(BUILD_LIBAWT)
-
-ifneq (, $(findstring $(OPENJDK_TARGET_OS), solaris aix))
-  $(BUILD_LIBFONTMANAGER): $(BUILD_LIBAWT_HEADLESS)
-endif
-
 $(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager): $(BUILD_LIBFONTMANAGER_TARGET)
 	$(install-file)
         ifneq ($(FREETYPE_BUNDLE_LIB_PATH), )
@@ -721,7 +715,15 @@ $(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager): $(BUILD_LIBFONTMAN
           endif
         endif
 
-TARGETS += $(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager)
+BUILD_LIBFONTMANAGER += $(INSTALL_LIBRARIES_HERE)/$(call SHARED_LIBRARY,fontmanager)
+
+$(BUILD_LIBFONTMANAGER): $(BUILD_LIBAWT)
+
+ifneq (, $(findstring $(OPENJDK_TARGET_OS), solaris aix))
+  $(BUILD_LIBFONTMANAGER): $(BUILD_LIBAWT_HEADLESS)
+endif
+
+TARGETS += $(BUILD_LIBFONTMANAGER)
 
 ################################################################################
 

From 5bbf0d63d192f63c3bcd1851885ac8954f26dbd1 Mon Sep 17 00:00:00 2001
From: Li Jiang 
Date: Tue, 5 Dec 2017 17:31:48 -0800
Subject: [PATCH 246/269] 8192796: 9.0.4 L10n resource file update md20

Reviewed-by: coffeys
---
 .../sun/launcher/resources/launcher_ko.properties  |  2 +-
 .../sun/security/tools/keytool/Resources_de.java   | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_es.java   | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_fr.java   | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_it.java   | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_ja.java   | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_ko.java   | 14 +++++++-------
 .../security/tools/keytool/Resources_pt_BR.java    | 14 +++++++-------
 .../sun/security/tools/keytool/Resources_sv.java   | 14 +++++++-------
 .../security/tools/keytool/Resources_zh_CN.java    | 12 ++++++------
 .../security/tools/keytool/Resources_zh_TW.java    | 12 ++++++------
 .../classes/sun/awt/resources/awt_de.properties    |  2 +-
 .../sun/security/tools/jarsigner/Resources_ja.java |  4 ++--
 .../security/tools/jarsigner/Resources_zh_CN.java  |  4 ++--
 14 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
index a128a8126e..d7b4123ef8 100644
--- a/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
+++ b/jdk/src/java.base/share/classes/sun/launcher/resources/launcher_ko.properties
@@ -45,7 +45,7 @@ java.launcher.cls.error1=\uC624\uB958: \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744
 java.launcher.cls.error2=\uC624\uB958: {1} \uD074\uB798\uC2A4\uC5D0\uC11C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uAC00 {0}\uC774(\uAC00) \uC544\uB2D9\uB2C8\uB2E4. \uB2E4\uC74C \uD615\uC2DD\uC73C\uB85C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC815\uC758\uD558\uC2ED\uC2DC\uC624.\n   public static void main(String[] args)
 java.launcher.cls.error3=\uC624\uB958: \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB294 {0} \uD074\uB798\uC2A4\uC5D0\uC11C void \uC720\uD615\uC758 \uAC12\uC744 \uBC18\uD658\uD574\uC57C \uD569\uB2C8\uB2E4. \n\uB2E4\uC74C \uD615\uC2DD\uC73C\uB85C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC815\uC758\uD558\uC2ED\uC2DC\uC624.\n   public static void main(String[] args)
 java.launcher.cls.error4=\uC624\uB958: {0} \uD074\uB798\uC2A4\uC5D0\uC11C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4. \uB2E4\uC74C \uD615\uC2DD\uC73C\uB85C \uAE30\uBCF8 \uBA54\uC18C\uB4DC\uB97C \uC815\uC758\uD558\uC2ED\uC2DC\uC624.\r\n   public static void main(String[] args)\r\n\uB610\uB294 JavaFX \uC560\uD50C\uB9AC\uCF00\uC774\uC158 \uD074\uB798\uC2A4\uB294 {1}\uC744(\uB97C) \uD655\uC7A5\uD574\uC57C \uD569\uB2C8\uB2E4.
-java.launcher.cls.error5=\uC624\uB958: \uC774 \uC560\uD50C\uB9AC\uCF00\uC774\uC158\uC744 \uC2E4\uD589\uD558\uB294 \uB370 \uD544\uC694\uD55C JavaFX \uB7F0\uD0C0\uC784 \uAD6C\uC131 \uC694\uC18C\uAC00 \uB204\uB77D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
+java.launcher.cls.error5=\uC624\uB958: \uC774 \uC560\uD50C\uB9AC\uCF00\uC774\uC158\uC744 \uC2E4\uD589\uD558\uB294 \uB370 \uD544\uC694\uD55C JavaFX \uB7F0\uD0C0\uC784 \uAD6C\uC131\uC694\uC18C\uAC00 \uB204\uB77D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
 java.launcher.cls.error6=\uC624\uB958: \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uB85C\uB4DC\uD558\uB294 \uC911 LinkageError\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.\n\t{1}
 java.launcher.cls.error7=\uC624\uB958: \uAE30\uBCF8 \uD074\uB798\uC2A4 {0}\uC744(\uB97C) \uCD08\uAE30\uD654\uD560 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.\n\uC6D0\uC778: {1}: {2}
 java.launcher.jar.error1=\uC624\uB958: {0} \uD30C\uC77C\uC744 \uC5F4\uB824\uACE0 \uC2DC\uB3C4\uD558\uB294 \uC911 \uC608\uC0C1\uCE58 \uC54A\uC740 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
index 9f1c612f2b..097f1bbf44 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_de.java
@@ -447,19 +447,19 @@ public class Resources_de extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "Das TSA-Zertifikat"},
         {"the.input", "Die Eingabe"},
         {"reply", "Antwort"},
-        {"one.in.many", "%s #%d von %d"},
+        {"one.in.many", "%1$s #%2$d von %3$d"},
         {"alias.in.cacerts", "Aussteller <%s> in cacerts"},
         {"alias.in.keystore", "Aussteller <%s>"},
         {"with.weak", "%s (schwach)"},
-        {"key.bit", "%d-Bit-%s-Schl\u00FCssel"},
-        {"key.bit.weak", "%d-Bit-%s-Schl\u00FCssel (schwach)"},
+        {"key.bit", "%1$d-Bit-%2$s-Schl\u00FCssel"},
+        {"key.bit.weak", "%1$d-Bit-%2$s-Schl\u00FCssel (schwach)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Eigent\u00FCmer: {0}\nAussteller: {1}\nSeriennummer: {2}\nG\u00FCltig von: {3} bis: {4}\nZertifikatsfingerprints:\n\t SHA1: {5}\n\t SHA256: {6}\nSignaturalgorithmusname: {7}\nPublic Key-Algorithmus von Subject: {8}\nVersion: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10-Zertifikatsanforderung (Version 1.0)\nSubject: %s\nFormat: %s\nPublic Key: %s\nSignaturalgorithmus: %s\n"},
-        {"verified.by.s.in.s.weak", "Von %s in %s mit %s verifiziert"},
-        {"whose.sigalg.risk", "%s verwendet den Signaturalgorithmus %s. Dies gilt als Sicherheitsrisiko."},
-        {"whose.key.risk", "%s verwendet %s. Dies gilt als Sicherheitsrisiko."},
+                "PKCS #10-Zertifikatsanforderung (Version 1.0)\nSubject: %1$s\nFormat: %2$s\nPublic Key: %3$s\nSignaturalgorithmus: %4$s\n"},
+        {"verified.by.s.in.s.weak", "Von %1$s in %2$s mit %3$s verifiziert"},
+        {"whose.sigalg.risk", "%1$s verwendet den Signaturalgorithmus %2$s. Dies gilt als Sicherheitsrisiko."},
+        {"whose.key.risk", "%1$s verwendet %2$s. Dies gilt als Sicherheitsrisiko."},
         {"jks.storetype.warning", "Der %1$s-Keystore verwendet ein propriet\u00E4res Format. Es wird empfohlen, auf PKCS12 zu migrieren, das ein Industriestandardformat mit \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" ist."},
         {"migrate.keystore.warning", "\"%1$s\" zu %4$s migriert. Der %2$s-Keystore wurde als \"%3$s\" gesichert."},
         {"backup.keystore.warning", "Der urspr\u00FCngliche Keystore \"%1$s\" wird als \"%3$s\" gesichert..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
index 9689db8219..19141d6ab5 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_es.java
@@ -447,19 +447,19 @@ public class Resources_es extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "El certificado de TSA"},
         {"the.input", "La entrada"},
         {"reply", "Responder"},
-        {"one.in.many", "%s #%d de %d"},
+        {"one.in.many", "%1$s #%2$d de %3$d"},
         {"alias.in.cacerts", "Emisor <%s> en cacerts"},
         {"alias.in.keystore", "Emisor <%s>"},
         {"with.weak", "%s (d\u00E9bil)"},
-        {"key.bit", "Clave %s de %d bits"},
-        {"key.bit.weak", "Clave %s de %d bits (d\u00E9bil)"},
+        {"key.bit", "Clave %2$s de %1$d bits"},
+        {"key.bit.weak", "Clave %2$s de %1$d bits (d\u00E9bil)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Propietario: {0}\nEmisor: {1}\nN\u00FAmero de serie: {2}\nV\u00E1lido desde: {3} hasta: {4}\nHuellas digitales del certificado:\n\t SHA1: {5}\n\t SHA256: {6}\nNombre del algoritmo de firma: {7}\nAlgoritmo de clave p\u00FAblica de asunto: {8}\nVersi\u00F3n: {9}"},
         {"PKCS.10.with.weak",
-                "Solicitud de certificado PKCS #10 (Versi\u00F3n 1.0)\nAsunto: %s\nFormato: %s\nClave p\u00FAblica:%s\nAlgoritmo de firma: %s\n"},
-        {"verified.by.s.in.s.weak", "Verificado por %s en %s con %s"},
-        {"whose.sigalg.risk", "%s usa el algoritmo de firma %s, lo que se considera un riesgo de seguridad."},
-        {"whose.key.risk", "%s usa %s, lo que se considera un riesgo de seguridad."},
+                "Solicitud de certificado PKCS #10 (Versi\u00F3n 1.0)\nAsunto: %1$s\nFormato: %2$s\nClave p\u00FAblica: %3$s\nAlgoritmo de firma %4$s\n"},
+        {"verified.by.s.in.s.weak", "Verificado por %1$s en %2$s con un %3$s"},
+        {"whose.sigalg.risk", "%1$s utiliza el algoritmo de firma %2$s, lo que se considera un riesgo de seguridad."},
+        {"whose.key.risk", "%1$s utiliza %2$s, lo que se considera un riesgo de seguridad."},
         {"jks.storetype.warning", "El almac\u00E9n de claves %1$s utiliza un formato propietario. Se recomienda migrar a PKCS12, que es un formato est\u00E1ndar del sector que utiliza \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "Se ha migrado \"%1$s\" a %4$s. Se ha realizado la copia de seguridad del almac\u00E9n de claves %2$s como \"%3$s\"."},
         {"backup.keystore.warning", "La copia de seguridad del almac\u00E9n de claves \"%1$s\" se ha realizado como \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
index 448eb451ed..676fdbc6f6 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_fr.java
@@ -447,19 +447,19 @@ public class Resources_fr extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "Certificat TSA"},
         {"the.input", "Entr\u00E9e"},
         {"reply", "R\u00E9pondre"},
-        {"one.in.many", "%s #%d sur %d"},
+        {"one.in.many", "%1$s #%2$d sur %3$d"},
         {"alias.in.cacerts", "Emetteur <%s> dans les certificats CA"},
         {"alias.in.keystore", "Emetteur <%s>"},
         {"with.weak", "%s (faible)"},
-        {"key.bit", "Cl\u00E9 %s %d bits"},
-        {"key.bit.weak", "Cl\u00E9 %s %d bits (faible)"},
+        {"key.bit", "Cl\u00E9 %2$s %1$d bits"},
+        {"key.bit.weak", "Cl\u00E9 %2$s %1$d bits (faible)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Propri\u00E9taire : {0}\nEmetteur : {1}\nNum\u00E9ro de s\u00E9rie : {2}\nValide du {3} au {4}\nEmpreintes du certificat :\n\t SHA 1: {5}\n\t SHA 256: {6}\nNom de l''algorithme de signature : {7}\nAlgorithme de cl\u00E9 publique du sujet : {8}\nVersion : {9}"},
         {"PKCS.10.with.weak",
-                "Demande de certificat PKCS #10 (version 1.0)\nSujet : %s\nFormat : %s\nCl\u00E9 publique : %s\nAlgorithme de signature : %s\n"},
-        {"verified.by.s.in.s.weak", "V\u00E9rifi\u00E9 par %s dans %s avec un \u00E9l\u00E9ment %s"},
-        {"whose.sigalg.risk", "%s utilise l'algorithme de signature %s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
-        {"whose.key.risk", "%s utilise un \u00E9l\u00E9ment %s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
+                "Demande de certificat PKCS #10 (version 1.0)\nSujet : %1$s\nFormat : %2$s\nCl\u00E9 publique : %3$s\nAlgorithme de signature : %4$s\n"},
+        {"verified.by.s.in.s.weak", "V\u00E9rifi\u00E9 par %1$s dans %2$s avec un \u00E9l\u00E9ment %3$s"},
+        {"whose.sigalg.risk", "%1$s utilise l'algorithme de signature %2$s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
+        {"whose.key.risk", "%1$s utilise un \u00E9l\u00E9ment %2$s, qui repr\u00E9sente un risque pour la s\u00E9curit\u00E9."},
         {"jks.storetype.warning", "Le fichier de cl\u00E9s %1$s utilise un format propri\u00E9taire. Il est recommand\u00E9 de migrer vers PKCS12, qui est un format standard de l'industrie en utilisant \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "El\u00E9ment \"%1$s\" migr\u00E9 vers %4$s. Le fichier de cl\u00E9s %2$s est sauvegard\u00E9 en tant que \"%3$s\"."},
         {"backup.keystore.warning", "Le fichier de cl\u00E9s d'origine \"%1$s\" est sauvegard\u00E9 en tant que \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
index 31dd6904d5..313a244354 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_it.java
@@ -447,19 +447,19 @@ public class Resources_it extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "Il certificato TSA"},
         {"the.input", "L'input"},
         {"reply", "Rispondi"},
-        {"one.in.many", "%s #%d di %d"},
+        {"one.in.many", "%1$s #%2$d di %3$d"},
         {"alias.in.cacerts", "Emittente <%s> in cacerts"},
         {"alias.in.keystore", "Emittente <%s>"},
         {"with.weak", "%s (debole)"},
-        {"key.bit", "Chiave %s a %d bit"},
-        {"key.bit.weak", "Chiave %s a %d bit (debole)"},
+        {"key.bit", "Chiave %2$s a %1$d bit"},
+        {"key.bit.weak", "Chiave %2$s a %1$d bit (debole)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Proprietario: {0}\nEmittente: {1}\nNumero di serie: {2}\nValido da: {3} a: {4}\nImpronte digitali certificato:\n\t SHA1: {5}\n\t SHA256: {6}\nNome algoritmo firma: {7}\nAlgoritmo di chiave pubblica oggetto: {8}\nVersione: {9}"},
         {"PKCS.10.with.weak",
-                "Richiesta di certificato PKCS #10 (versione 1.0)\nOggetto: %s\nFormato: %s\nChiave pubblica: %s\nAlgoritmo firma: %s\n"},
-        {"verified.by.s.in.s.weak", "Verificato da %s in %s con un %s"},
-        {"whose.sigalg.risk", "%s utilizza l'algoritmo firma %s che \u00E8 considerato un rischio per la sicurezza."},
-        {"whose.key.risk", "%s utilizza un %s che \u00E8 considerato un rischio per la sicurezza."},
+                "Richiesta di certificato PKCS #10 (versione 1.0)\nOggetto: %1$s\nFormato: %2$s\nChiave pubblica: %3$s\nAlgoritmo firma: %4$s\n"},
+        {"verified.by.s.in.s.weak", "Verificato da %1$s in %2$s con un %3$s"},
+        {"whose.sigalg.risk", "%1$s utilizza l'algoritmo firma %2$s che \u00E8 considerato un rischio per la sicurezza."},
+        {"whose.key.risk", "%1$s utilizza un %2$s che \u00E8 considerato un rischio per la sicurezza."},
         {"jks.storetype.warning", "Il keystore %1$s utilizza un formato proprietario. Si consiglia di eseguire la migrazione a PKCS12, un formato standard di settore, utilizzando il comando \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "Migrazione di \"%1$s\" in %4$s eseguita. Backup del keystore %2$s eseguito con il nome \"%3$s\"."},
         {"backup.keystore.warning", "Backup del keystore originale \"%1$s\" eseguito con il nome \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
index feb3f200d3..c08be5cf25 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
@@ -447,19 +447,19 @@ public class Resources_ja extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "TSA\u8A3C\u660E\u66F8"},
         {"the.input", "\u5165\u529B"},
         {"reply", "\u5FDC\u7B54"},
-        {"one.in.many", "%s #%d / %d"},
+        {"one.in.many", "%1$s #%2$d / %3$d"},
         {"alias.in.cacerts", "cacerts\u5185\u306E\u767A\u884C\u8005<%s>"},
         {"alias.in.keystore", "\u767A\u884C\u8005<%s>"},
         {"with.weak", "%s (\u5F31)"},
-        {"key.bit", "%d\u30D3\u30C3\u30C8%s\u9375"},
-        {"key.bit.weak", "%d\u30D3\u30C3\u30C8%s\u9375(\u5F31)"},
+        {"key.bit", "%1$d\u30D3\u30C3\u30C8%2$s\u9375"},
+        {"key.bit.weak", "%1$d\u30D3\u30C3\u30C8%2$s\u9375(\u5F31)"},
         {".PATTERN.printX509Cert.with.weak",
                 "\u6240\u6709\u8005: {0}\n\u767A\u884C\u8005: {1}\n\u30B7\u30EA\u30A2\u30EB\u756A\u53F7: {2}\n\u6709\u52B9\u671F\u9593\u306E\u958B\u59CB\u65E5: {3}\u7D42\u4E86\u65E5: {4}\n\u8A3C\u660E\u66F8\u306E\u30D5\u30A3\u30F3\u30AC\u30D7\u30EA\u30F3\u30C8:\n\t SHA1: {5}\n\t SHA256: {6}\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u540D: {7}\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8\u516C\u958B\u9375\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: {8}\n\u30D0\u30FC\u30B8\u30E7\u30F3: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10\u8A3C\u660E\u66F8\u30EA\u30AF\u30A8\u30B9\u30C8(\u30D0\u30FC\u30B8\u30E7\u30F31.0)\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8: %s\n\u30D5\u30A9\u30FC\u30DE\u30C3\u30C8 %s\n\u516C\u958B\u9375: %s\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %s\n"},
-        {"verified.by.s.in.s.weak", "%s(%s\u5185)\u306B\u3088\u308A%s\u3067\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F"},
-        {"whose.sigalg.risk", "%s\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%s\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002"},
-        {"whose.key.risk", "%s\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%s\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002"},
+                "PKCS #10\u8A3C\u660E\u66F8\u30EA\u30AF\u30A8\u30B9\u30C8(\u30D0\u30FC\u30B8\u30E7\u30F31.0)\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8: %1$s\n\u30D5\u30A9\u30FC\u30DE\u30C3\u30C8: %2$s\n\u516C\u958B\u9375: %3$s\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %4$s\n"},
+        {"verified.by.s.in.s.weak", "%2$s\u5185\u306E%1$s\u306B\u3088\u308A%3$s\u3067\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F"},
+        {"whose.sigalg.risk", "%1$s\u306F%2$s\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3092\u4F7F\u7528\u3057\u3066\u304A\u308A\u3001\u3053\u308C\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u307E\u3059\u3002"},
+        {"whose.key.risk", "%1$s\u306F%2$s\u3092\u4F7F\u7528\u3057\u3066\u304A\u308A\u3001\u3053\u308C\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u307E\u3059\u3002"},
         {"jks.storetype.warning", "%1$s\u30AD\u30FC\u30B9\u30C8\u30A2\u306F\u72EC\u81EA\u306E\u5F62\u5F0F\u3092\u4F7F\u7528\u3057\u3066\u3044\u307E\u3059\u3002\"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"\u3092\u4F7F\u7528\u3059\u308B\u696D\u754C\u6A19\u6E96\u306E\u5F62\u5F0F\u3067\u3042\u308BPKCS12\u306B\u79FB\u884C\u3059\u308B\u3053\u3068\u3092\u304A\u85A6\u3081\u3057\u307E\u3059\u3002"},
         {"migrate.keystore.warning", "\"%1$s\"\u304C%4$s\u306B\u79FB\u884C\u3055\u308C\u307E\u3057\u305F\u3002%2$s\u30AD\u30FC\u30B9\u30C8\u30A2\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059\u3002"},
         {"backup.keystore.warning", "\u5143\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\"%1$s\"\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
index f1c90261e0..78f219780a 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_ko.java
@@ -447,19 +447,19 @@ public class Resources_ko extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "TSA \uC778\uC99D\uC11C"},
         {"the.input", "\uC785\uB825"},
         {"reply", "\uD68C\uC2E0"},
-        {"one.in.many", "%s #%d/%d"},
+        {"one.in.many", "%1$s #%2$d/%3$d"},
         {"alias.in.cacerts", "cacerts\uC758 <%s> \uBC1C\uD589\uC790"},
         {"alias.in.keystore", "<%s> \uBC1C\uD589\uC790"},
         {"with.weak", "%s(\uC57D\uD568)"},
-        {"key.bit", "%d\uBE44\uD2B8 %s \uD0A4"},
-        {"key.bit.weak", "%d\uBE44\uD2B8 %s \uD0A4(\uC57D\uD568)"},
+        {"key.bit", "%1$d\uBE44\uD2B8 %2$s \uD0A4"},
+        {"key.bit.weak", "%1$d\uBE44\uD2B8 %2$s \uD0A4(\uC57D\uD568)"},
         {".PATTERN.printX509Cert.with.weak",
                 "\uC18C\uC720\uC790: {0}\n\uBC1C\uD589\uC790: {1}\n\uC77C\uB828 \uBC88\uD638: {2}\n\uC801\uD569\uD55C \uC2DC\uC791 \uB0A0\uC9DC: {3} \uC885\uB8CC \uB0A0\uC9DC: {4}\n\uC778\uC99D\uC11C \uC9C0\uBB38:\n\t SHA1: {5}\n\t SHA256: {6}\n\uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998 \uC774\uB984: {7}\n\uC8FC\uCCB4 \uACF5\uC6A9 \uD0A4 \uC54C\uACE0\uB9AC\uC998: {8}\n\uBC84\uC804: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10 \uC778\uC99D\uC11C \uC694\uCCAD(1.0 \uBC84\uC804)\n\uC81C\uBAA9: %s\n\uD615\uC2DD: %s\n\uACF5\uC6A9 \uD0A4: %s\n\uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998: %s\n"},
-        {"verified.by.s.in.s.weak", "%s\uC774(\uAC00) %s\uC5D0\uC11C %s\uC744(\uB97C) \uC0AC\uC6A9\uD558\uC5EC \uD655\uC778"},
-        {"whose.sigalg.risk", "%s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %s \uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998\uC744 \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
-        {"whose.key.risk", "%s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %s\uC744(\uB97C) \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
+                "PKCS #10 \uC778\uC99D\uC11C \uC694\uCCAD(1.0 \uBC84\uC804)\n\uC81C\uBAA9: %1$s\n\uD615\uC2DD: %2$s\n\uACF5\uC6A9 \uD0A4: %3$s\n\uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998: %4$s\n"},
+        {"verified.by.s.in.s.weak", "%3$s\uC744(\uB97C) \uD3EC\uD568\uD558\uB294 %2$s\uC758 %1$s\uC5D0 \uC758\uD574 \uD655\uC778\uB428"},
+        {"whose.sigalg.risk", "%1$s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %2$s \uC11C\uBA85 \uC54C\uACE0\uB9AC\uC998\uC744 \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
+        {"whose.key.risk", "%1$s\uC774(\uAC00) \uBCF4\uC548 \uC704\uD5D8\uC73C\uB85C \uAC04\uC8FC\uB418\uB294 %2$s\uC744(\uB97C) \uC0AC\uC6A9\uD569\uB2C8\uB2E4."},
         {"jks.storetype.warning", "%1$s \uD0A4 \uC800\uC7A5\uC18C\uB294 \uACE0\uC720 \uD615\uC2DD\uC744 \uC0AC\uC6A9\uD569\uB2C8\uB2E4. \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"\uB97C \uC0AC\uC6A9\uD558\uB294 \uC0B0\uC5C5 \uD45C\uC900 \uD615\uC2DD\uC778 PKCS12\uB85C \uC774\uC804\uD558\uB294 \uAC83\uC774 \uC88B\uC2B5\uB2C8\uB2E4."},
         {"migrate.keystore.warning", "\"%1$s\"\uC744(\uB97C) %4$s(\uC73C)\uB85C \uC774\uC804\uD588\uC2B5\uB2C8\uB2E4. %2$s \uD0A4 \uC800\uC7A5\uC18C\uAC00 \"%3$s\"(\uC73C)\uB85C \uBC31\uC5C5\uB418\uC5C8\uC2B5\uB2C8\uB2E4."},
         {"backup.keystore.warning", "\uC6D0\uBCF8 \uD0A4 \uC800\uC7A5\uC18C \"%1$s\"\uC774(\uAC00) \"%3$s\"(\uC73C)\uB85C \uBC31\uC5C5\uB418\uC5C8\uC2B5\uB2C8\uB2E4."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
index 288f93ba42..1faf1a624d 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_pt_BR.java
@@ -447,19 +447,19 @@ public class Resources_pt_BR extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "O certificado TSA"},
         {"the.input", "A entrada"},
         {"reply", "Resposta"},
-        {"one.in.many", "%s #%d de %d"},
+        {"one.in.many", "%1$s #%2$d de %3$d"},
         {"alias.in.cacerts", "Emissor <%s> no cacerts"},
         {"alias.in.keystore", "Emissor <%s>"},
         {"with.weak", "%s (fraca)"},
-        {"key.bit", "Chave %s de %d bits"},
-        {"key.bit.weak", "Chave %s de %d bits (fraca)"},
+        {"key.bit", "Chave %2$s de %1$d bits"},
+        {"key.bit.weak", "Chave %2$s de %1$d bits (fraca)"},
         {".PATTERN.printX509Cert.with.weak",
                 "Propriet\u00E1rio: {0}\nEmissor: {1}\nN\u00FAmero de s\u00E9rie: {2}\nV\u00E1lido de: {3} at\u00E9: {4}\nFingerprints do certificado:\n\t SHA1: {5}\n\t SHA256: {6}\nNome do algoritmo de assinatura: {7}\nAlgoritmo de Chave P\u00FAblica do Assunto: {8}\nVers\u00E3o: {9}"},
         {"PKCS.10.with.weak",
-                "Solicita\u00E7\u00E3o do Certificado PKCS #10 (Vers\u00E3o 1.0)\nAssunto: %s\nFormato: %s\nChave P\u00FAblica: %s\nAlgoritmo de assinatura: %s\n"},
-        {"verified.by.s.in.s.weak", "Verificado por %s em %s com um %s"},
-        {"whose.sigalg.risk", "%s usa o algoritmo de assinatura %s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
-        {"whose.key.risk", "%s usa um %s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
+                "Solicita\u00E7\u00E3o do Certificado PKCS #10 (Vers\u00E3o 1.0)\nAssunto: %1$s\nFormato: %2$s\nChave P\u00FAblica: %3$s\nAlgoritmo de assinatura:%4$s\n"},
+        {"verified.by.s.in.s.weak", "Verificado por %1$s em %2$s com um %3$s"},
+        {"whose.sigalg.risk", "%1$s usa o algoritmo de assinatura %2$s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
+        {"whose.key.risk", "%1$s usa um %2$s que \u00E9 considerado um risco \u00E0 seguran\u00E7a."},
         {"jks.storetype.warning", "O armazenamento de chaves %1$s usa um formato propriet\u00E1rio. \u00C9 recomendada a migra\u00E7\u00E3o para PKCS12, que \u00E9 um formato de padr\u00E3o industrial que usa \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "\"%1$s\" foi migrado para %4$s. O backup do armazenamento de chaves %2$s \u00E9 feito como \"%3$s\"."},
         {"backup.keystore.warning", "O backup do armazenamento de chaves original \"%1$s\" \u00E9 feito como \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
index 3bd7b2eda6..9ac381f51f 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_sv.java
@@ -447,19 +447,19 @@ public class Resources_sv extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "TSA-certifikatet"},
         {"the.input", "Indata"},
         {"reply", "Svar"},
-        {"one.in.many", "%s %d av %d"},
+        {"one.in.many", "%1$s %2$d av %3$d"},
         {"alias.in.cacerts", "Utf\u00E4rdaren <%s> i cacerts"},
         {"alias.in.keystore", "Utf\u00E4rdaren <%s>"},
         {"with.weak", "%s (svag)"},
-        {"key.bit", "%d-bitars %s-nyckel"},
-        {"key.bit.weak", "%d-bitars %s-nyckel (svag)"},
+        {"key.bit", "%1$d-bitars %2$s-nyckel"},
+        {"key.bit.weak", "%1$d-bitars %2$s-nyckel (svag)"},
         {".PATTERN.printX509Cert.with.weak",
                 "\u00C4gare: {0}\nUtf\u00E4rdare: {1}\nSerienummer: {2}\nGiltigt fr\u00E5n: {3}, till: {4}\nCertifikatfingeravtryck:\n\t SHA1: {5}\n\t SHA256: {6}\nSignaturalgoritmnamn: {7}\nAlgoritm f\u00F6r \u00F6ppen nyckel f\u00F6r \u00E4mne: {8}\nVersion: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10-certifikatbeg\u00E4ran (version 1.0)\n\u00C4mne: %s\nFormat: %s\n\u00D6ppen nyckel: %s\nSignaturalgoritm: %s\n"},
-        {"verified.by.s.in.s.weak", "Verifierades av %s i %s med en %s"},
-        {"whose.sigalg.risk", "%s anv\u00E4nder signaturalgoritmen %s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
-        {"whose.key.risk", "%s anv\u00E4nder en %s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
+                "PKCS #10-certifikatbeg\u00E4ran (version 1.0)\n\u00C4mne: %1$s\nFormat: %2$s\n\u00D6ppen nyckel: %3$s\nSignaturalgoritm: %4$s\n"},
+        {"verified.by.s.in.s.weak", "Verifierades av %1$s i %2$s med en %3$s"},
+        {"whose.sigalg.risk", "%1$s anv\u00E4nder signaturalgoritmen %2$s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
+        {"whose.key.risk", "%1$s anv\u00E4nder en %2$s, vilket anses utg\u00F6ra en s\u00E4kerhetsrisk."},
         {"jks.storetype.warning", "Nyckellagret %1$s anv\u00E4nder ett propriet\u00E4rt format. Du b\u00F6r migrera till PKCS12, som \u00E4r ett branschstandardformat, med \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\"."},
         {"migrate.keystore.warning", "Migrerade \"%1$s\" till %4$s. Nyckellagret %2$s s\u00E4kerhetskopierades som \"%3$s\"."},
         {"backup.keystore.warning", "Det ursprungliga nyckellagret, \"%1$s\", s\u00E4kerhetskopieras som \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
index 9b0e065d08..2062cba179 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
@@ -447,19 +447,19 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "TSA \u8BC1\u4E66"},
         {"the.input", "\u8F93\u5165"},
         {"reply", "\u56DE\u590D"},
-        {"one.in.many", "%s #%d/%d"},
+        {"one.in.many", "%1$s #%2$d/%3$d"},
         {"alias.in.cacerts", "cacerts \u4E2D\u7684\u53D1\u5E03\u8005 <%s>"},
         {"alias.in.keystore", "\u53D1\u5E03\u8005 <%s>"},
         {"with.weak", "%s (\u5F31)"},
-        {"key.bit", "%d \u4F4D %s \u5BC6\u94A5"},
-        {"key.bit.weak", "%d \u4F4D %s \u5BC6\u94A5 (\u5F31)"},
+        {"key.bit", "%1$d \u4F4D %2$s \u5BC6\u94A5"},
+        {"key.bit.weak", "%1$d \u4F4D %2$s \u5BC6\u94A5 (\u5F31)"},
         {".PATTERN.printX509Cert.with.weak",
                 "\u6240\u6709\u8005: {0}\n\u53D1\u5E03\u8005: {1}\n\u5E8F\u5217\u53F7: {2}\n\u751F\u6548\u65F6\u95F4: {3}, \u5931\u6548\u65F6\u95F4: {4}\n\u8BC1\u4E66\u6307\u7EB9:\n\t SHA1: {5}\n\t SHA256: {6}\n\u7B7E\u540D\u7B97\u6CD5\u540D\u79F0: {7}\n\u4E3B\u4F53\u516C\u5171\u5BC6\u94A5\u7B97\u6CD5: {8}\n\u7248\u672C: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10 \u8BC1\u4E66\u8BF7\u6C42 (\u7248\u672C 1.0)\n\u4E3B\u4F53: %s\n\u683C\u5F0F: %s\n\u516C\u5171\u5BC6\u94A5: %s\n\u7B7E\u540D\u7B97\u6CD5: %s\n"},
+                "PKCS #10 \u8BC1\u4E66\u8BF7\u6C42 (\u7248\u672C 1.0)\n\u4E3B\u4F53: %1$s\n\u683C\u5F0F: %2$s\n\u516C\u5171\u5BC6\u94A5: %3$s\n\u7B7E\u540D\u7B97\u6CD5: %4$s\n"},
         {"verified.by.s.in.s.weak", "\u7531 %2$s \u4E2D\u7684 %1$s \u4EE5 %3$s \u9A8C\u8BC1"},
-        {"whose.sigalg.risk", "%s \u4F7F\u7528\u7684 %s \u7B7E\u540D\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
-        {"whose.key.risk", "%s \u4F7F\u7528\u7684 %s \u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
+        {"whose.sigalg.risk", "%1$s \u4F7F\u7528\u7684 %2$s \u7B7E\u540D\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
+        {"whose.key.risk", "%1$s \u4F7F\u7528\u7684 %2$s \u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
         {"jks.storetype.warning", "%1$s \u5BC6\u94A5\u5E93\u4F7F\u7528\u4E13\u7528\u683C\u5F0F\u3002\u5EFA\u8BAE\u4F7F\u7528 \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" \u8FC1\u79FB\u5230\u884C\u4E1A\u6807\u51C6\u683C\u5F0F PKCS12\u3002"},
         {"migrate.keystore.warning", "\u5DF2\u5C06 \"%1$s\" \u8FC1\u79FB\u5230 %4$s\u3002\u5C06 %2$s \u5BC6\u94A5\u5E93\u4F5C\u4E3A \"%3$s\" \u8FDB\u884C\u4E86\u5907\u4EFD\u3002"},
         {"backup.keystore.warning", "\u5DF2\u5C06\u539F\u59CB\u5BC6\u94A5\u5E93 \"%1$s\" \u5907\u4EFD\u4E3A \"%3$s\"..."},
diff --git a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
index a0638cacc5..9e101fb44d 100644
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_TW.java
@@ -447,19 +447,19 @@ public class Resources_zh_TW extends java.util.ListResourceBundle {
         {"the.tsa.certificate", "TSA \u6191\u8B49"},
         {"the.input", "\u8F38\u5165"},
         {"reply", "\u56DE\u8986"},
-        {"one.in.many", "%s #%d / %d"},
+        {"one.in.many", "%1$s #%2$d / %3$d"},
         {"alias.in.cacerts", "cacerts \u4E2D\u7684\u767C\u884C\u4EBA <%s>"},
         {"alias.in.keystore", "\u767C\u884C\u4EBA <%s>"},
         {"with.weak", "%s (\u4F4E\u5F37\u5EA6)"},
-        {"key.bit", "%d \u4F4D\u5143\u7684 %s \u91D1\u9470"},
-        {"key.bit.weak", "%d \u4F4D\u5143\u7684 %s \u91D1\u9470 (\u4F4E\u5F37\u5EA6)"},
+        {"key.bit", "%1$d \u4F4D\u5143\u7684 %2$s \u91D1\u9470"},
+        {"key.bit.weak", "%1$d \u4F4D\u5143\u7684 %2$s \u91D1\u9470 (\u4F4E\u5F37\u5EA6)"},
         {".PATTERN.printX509Cert.with.weak",
                 "\u64C1\u6709\u8005: {0}\n\u767C\u884C\u4EBA: {1}\n\u5E8F\u865F: {2}\n\u6709\u6548\u671F\u81EA: {3} \u5230: {4}\n\u6191\u8B49\u6307\u7D0B:\n\t SHA1: {5}\n\t SHA256: {6}\n\u7C3D\u7AE0\u6F14\u7B97\u6CD5\u540D\u7A31: {7}\n\u4E3B\u9AD4\u516C\u958B\u91D1\u9470\u6F14\u7B97\u6CD5: {8}\n\u7248\u672C: {9}"},
         {"PKCS.10.with.weak",
-                "PKCS #10 \u6191\u8B49\u8981\u6C42 (\u7248\u672C 1.0)\n\u4E3B\u9AD4: %s\n\u683C\u5F0F: %s\n\u516C\u7528\u91D1\u9470: %s\n\u7C3D\u7AE0\u6F14\u7B97\u6CD5: %s\n"},
+                "PKCS #10 \u6191\u8B49\u8981\u6C42 (\u7248\u672C 1.0)\n\u4E3B\u9AD4: %1$s\n\u683C\u5F0F: %2$s\n\u516C\u7528\u91D1\u9470: %3$s\n\u7C3D\u7AE0\u6F14\u7B97\u6CD5: %4$s\n"},
         {"verified.by.s.in.s.weak", "\u7531 %2$s \u4E2D\u7684 %1$s \u4EE5 %3$s \u9A57\u8B49"},
-        {"whose.sigalg.risk", "%s \u4F7F\u7528\u7684 %s \u7C3D\u7AE0\u6F14\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
-        {"whose.key.risk", "%s \u4F7F\u7528\u7684 %s \u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
+        {"whose.sigalg.risk", "%1$s \u4F7F\u7528\u7684 %2$s \u7C3D\u7AE0\u6F14\u7B97\u6CD5\u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
+        {"whose.key.risk", "%1$s \u4F7F\u7528\u7684 %2$s \u5B58\u5728\u5B89\u5168\u98A8\u96AA\u3002"},
         {"jks.storetype.warning", "%1$s \u91D1\u9470\u5132\u5B58\u5EAB\u4F7F\u7528\u5C08\u6709\u683C\u5F0F\u3002\u5EFA\u8B70\u60A8\u4F7F\u7528 \"keytool -importkeystore -srckeystore %2$s -destkeystore %2$s -deststoretype pkcs12\" \u79FB\u8F49\u6210\u70BA\u4F7F\u7528 PKCS12 (\u696D\u754C\u6A19\u6E96\u683C\u5F0F)\u3002"},
         {"migrate.keystore.warning", "\u5DF2\u5C07 \"%1$s\" \u79FB\u8F49\u6210\u70BA %4$s\u3002%2$s \u91D1\u9470\u5132\u5B58\u5EAB\u5DF2\u5099\u4EFD\u70BA \"%3$s\"\u3002"},
         {"backup.keystore.warning", "\u539F\u59CB\u7684\u91D1\u9470\u5132\u5B58\u5EAB \"%1$s\" \u5DF2\u5099\u4EFD\u70BA \"%3$s\"..."},
diff --git a/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_de.properties b/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_de.properties
index 0d4d3f7f79..83e9b667e9 100644
--- a/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_de.properties
+++ b/jdk/src/java.desktop/share/classes/sun/awt/resources/awt_de.properties
@@ -44,7 +44,7 @@ AWT.separater=NumPad ,
 AWT.subtract=NumPad -
 AWT.decimal=NumPad .
 AWT.divide=NumPad /
-AWT.delete=L\u00F6schen
+AWT.delete=Entf
 AWT.numLock=Num
 AWT.scrollLock=Rollen
 AWT.f1=F1
diff --git a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_ja.java b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_ja.java
index 6eece7d960..431ae1e426 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_ja.java
+++ b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_ja.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -260,7 +260,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
         {"The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk.",
                 "%1$s\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0(%2$s\u30AA\u30D7\u30B7\u30E7\u30F3\u306B\u6307\u5B9A)\u306F\u3001\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u307E\u3059\u3002"},
         {"The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk.",
-                "%s\u7F72\u540D\u9375\u306B\u306F\u3001\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%d\u306E\u9375\u30B5\u30A4\u30BA\u304C\u3042\u308A\u307E\u3059\u3002"},
+                "%1$s\u7F72\u540D\u9375\u306B\u306F\u3001\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u308B%2$d\u306E\u9375\u30B5\u30A4\u30BA\u304C\u3042\u308A\u307E\u3059\u3002"},
         {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1",
                  "\u3053\u306Ejar\u306B\u306F\u3001\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u304C\u307E\u3060\u691C\u8A3C\u3055\u308C\u3066\u3044\u306A\u3044\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002\u7406\u7531: %s"},
         {"no.timestamp.signing",
diff --git a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java
index f6d4329da3..5673e65cbf 100644
--- a/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java
+++ b/jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -260,7 +260,7 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {"The.1.algorithm.specified.for.the.2.option.is.considered.a.security.risk.",
                 "\u4E3A %2$s \u9009\u9879\u6307\u5B9A\u7684 %1$s \u7B97\u6CD5\u88AB\u89C6\u4E3A\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
         {"The.1.signing.key.has.a.keysize.of.2.which.is.considered.a.security.risk.",
-                "%s \u7B7E\u540D\u5BC6\u94A5\u7684\u5BC6\u94A5\u5927\u5C0F\u4E3A %d, \u8FD9\u88AB\u89C6\u4E3A\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
+                "%1$s \u7B7E\u540D\u5BC6\u94A5\u7684\u5BC6\u94A5\u5927\u5C0F\u4E3A %2$d, \u8FD9\u88AB\u89C6\u4E3A\u5B58\u5728\u5B89\u5168\u98CE\u9669\u3002"},
         {"This.jar.contains.entries.whose.certificate.chain.is.not.validated.reason.1",
                  "\u6B64 jar \u5305\u542B\u5176\u8BC1\u4E66\u94FE\u672A\u7ECF\u8FC7\u9A8C\u8BC1\u7684\u6761\u76EE\u3002\u539F\u56E0: %s"},
         {"no.timestamp.signing",

From 857fca5621e610279b90dda0155dc2b1d1cd237a Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Dec 2017 18:24:45 -0800
Subject: [PATCH 247/269] Added tag jdk-9.0.4+9 for changeset cfd239b22e03

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index b08ef87e32..bfe2341af1 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -446,3 +446,4 @@ b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 46524cd9b1e84d2b60b15d5ef26c7ca6260c41a4 jdk-9.0.4+6
 d54fb6a3fb5546fcf56bfc3c5f93fa320e79887a jdk-9.0.4+7
 b9669a87f3eafe9c538346b8997413f4d8252147 jdk-9.0.4+8
+9ccab3ab6ac8e3a0158e538374232e4b76664bbc jdk-9.0.4+9

From 7d3b2983d998eb6f9bfdce40ebb81e8aa6ec835d Mon Sep 17 00:00:00 2001
From: Rajan Halade 
Date: Fri, 8 Dec 2017 03:06:19 -0800
Subject: [PATCH 248/269] 8189131: Open-source the Oracle JDK Root Certificates

Open-source the Oracle JDK Root Certificates

Reviewed-by: mullan, pkoppula
---
 jdk/src/java.base/share/lib/security/cacerts  | Bin 32 -> 88998 bytes
 jdk/test/TEST.groups                          |   3 +
 .../lib/security/cacerts/VerifyCACerts.java   | 314 ++++++++
 .../certification/ActalisCA.java              | 253 +++++++
 .../certification/BuypassCA.java              | 291 ++++++++
 .../certification/ComodoCA.java               | 674 ++++++++++++++++++
 .../certification/DTrustCA.java               | 280 ++++++++
 .../certification/LetsEncryptCA.java          | 181 +++++
 .../certification/QuoVadisCA.java             | 473 ++++++++++++
 .../certification/ValidatePathWithParams.java | 354 +++++++++
 10 files changed, 2823 insertions(+)
 create mode 100644 jdk/test/lib/security/cacerts/VerifyCACerts.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java
 create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java

diff --git a/jdk/src/java.base/share/lib/security/cacerts b/jdk/src/java.base/share/lib/security/cacerts
index c408465500cb0af9cfd1f7371422ef8899ae6725..606625d12d4e87141f02d20f062dfac365ae647b 100644
GIT binary patch
literal 88998
zcmdqJ1z1&E*EURdcXvtdO@oAV2+}Rx-6`D-5>nD7-6bvEA&qp2bXX|zZ@|EF&hwn-
zx&HS%*ZX~5ddXTl)?BP{-{YR+9&>&>_;vsW1_lB8Cx7!lo{O=AxudzMjiHskqa&*+
ztD!!bmW7d}HW(PV9_Hf$cra*nW)1)k7#Jihz#kG4;16L1fezNhqBk6xne8DC->7A0
z6S*1R?_9VIWnYU@#$6lz_MZ?CS#rOcYhn^^`!@Vy`|WcXw+!n&@!*T5-~r{+>h6juaU#tDY`_(=)q5rs>ro$92uN@+@VmnU
z1r{V|Tn@~ieI`!qzjSAO=+RLKe~{d0_9=}hU~WCV_39vd+vFV!{Q2PQyL^Vk4^(==
zvZBlZ`Q1!eugl%cZ5#U~ldn0vraK!4C?I0@45s
z3V)}iRMhxjq)|})OH`Fwkth>1_URGg6`E6Koq?jRi8txi8$vO6#Nl2gg!CwFi1{Lo
zWeCj=iS#H@+|uDvy)C_v+_1VT3*PWH>pnW;Vq~ZqE@(4ZRL4xqoTpazcyfgS4*;m3
zUlTDVIQSJ5GyoFx9{}b01nTt(DA0onzTpRA6et`htfBGNqP1jbg=|@_oB;RHC}R4}
zz`IWk(i99}1OcGV^Am%x#CYiJB-c;5VR!26u=;}NgvC*XNDHW
zVsVM!wKuUx{DZTdZOlPGI_g_FfS&4I;znKQQTrKxP^|!es3s73XMc~s2L#1VS1$(&Cv$W|f$|}T5VsB$Ugy<{|H!(QL
zkT^c}rRjmCQKXveS4?#GzylrS5A2z6;Ad#mFu2kSC&V5mmdSc1dGkk;%>F0GNAT}N
z2e2*HA#K=Rmu9Mf^?iV|NNCc1v&wc7sP|cm7QOZ>&S|r%g)eo~P2$M)s|NU0{2j<)
z0M;;Y3@{+g0t=1=r4P`}*3QxbXaLjzDmd^U0b***Vrp&zAP0~FU_tzZ0trC?g%z{)
znjp9|D%!GZ%-3Q{5|8l-J~MzChtkZ+$&QzW#md&ymiY%nuPK?u#qs9c^*3E>j$2Nt
zcfBx|l*m-Vn11yRmemDzA_*4%?qdZZ5%gHW!K6QZs)XETG<~v};A%K*BlFn{1^G>X
z6GxMsoZ$u4g;hYLMEZThv((Qntcg#nTw6+0+p0E!Cqy5Yb(7aWB**sb1p|6H+K;cg
zR6+wD9zn;!*q=5g$2aVc`0Jl=Z_6bm(`!cEP#)or6z6m;(Tt6*3D1=MZo)N<{z-Vy
z2>^fSSP%<>pOoX+8i2z?^OWRUtL=06G6@
z_?*V8wR?s9>Lo6zBjryB1ChG{q-TVA+&Fuxy-C)@CDrbygXoi+x--yxil~aDy&2f~
z-ffvhYB(Ay4i#qccCV^mI;U7TvL;NRiJ~#D_@BWBZadw#wqIvLB0MCU9v~w&yvH=U
zuk)xs{u8-=8v7n}ug<;}LCfC2*hne+1KlbQlS9{j$rmPSYMILF(MSvpa)p3-)x*Ij
z+8bp9aynZaJHVlZc%3)VF}@4+Pm>?Sx_7zt)mL@bS>SO)qD9S3apf^XdxgID7eISz
zSEAxC#5%hOk9nMjt!PLtTxG<`
zJxX<>1P5AP3!!6ZZK28U0ec1=a46tcJY}2(4fn})yU7$RZL3OxBjjGqi0P)2ea$B6
z>4?dx@e!i%hc#H6sIR8s+v_HGyKWVRRB(uV7D!B79xts`9?hgQi
zybi8r{dun-&!WscQmZ+!JYY_#n&8ppXW^vq3XJ4v
z992%(Y5<|-P~?KwKEGdfS7eMi$VDyRjqUJ0&NVxAwrrk2E3j&QR!`c
zn6*}m*%am52!$Ng&&LJ6Su-RxEvTqU&i9JnVY+TENBWVM!JHui9?ZqR4W09#34ZCh6pWZ)j;JSM6j_6ZpqQAyu0yrQ*Idi
zox%U76f3Br!1JG16vO}`w^@Mir((S=Y5@O>qQ=eCjE4sZ0D%7fn3{0{xPY8L>kj`f
z-R$3K*`>g#rrOVib7xR)&zJe%SYhJKdn{2Ym~`~fXdsuuz`aVCU?V*a;2^aj>|ZXn
z!G5Gnd(>@Bu#dQbax9v!*7rc2Bv*peeqZl{bwWQL&%rlgJk^y=87VZkN8m0Th8Ubn
zCN1DloVhAy(>a{*r6uGv$}nYugIKGjgJm$piR+)zPgeD=UimmP$P6!h3rQh=_wt*7
z^6aFB+ajOMSQaK2K_hMUW}E4=!K|K|=Su_58GC?K-Q1D+ayNWI%H79{_gc$T`U#aI
z4L`gsc-O~;@i_M$3B>#&>HXSSR8|FQ^jEelIbqGoGe_NCTutBgaRWCEi!i|32QX;AGC^2?M|4ZtPnMR&gmIw4}F
zHJ!^6R!`_w*H4B%uE`u3nkt;vOAO@w)X7DxKe$ubv-NaAxu6v2SDv&y0$1ADk>u-R
z71OK%Yt_VdYn&CRmqyw@zpV1+IMqFcC^Dw)x%EUSfwQ(HbuQn*Xw
zqgE3MkU7m;bhVw*xnZih%UR36Bdn}btKu?Ir#yRux`GhWeH08m&5fm(lKXHO=9xX?
z>0&);-jU$p4V~bc8yVZ&NJ6`ts^MKWL0$OL^pj1XEkKgc1jHtfzDq&`aA99iiBpVn
zOx*MOtL`$&^&D9CcS6Ac)hTZ3m+(@cE8b{3AU%NY7VhLf&;7u;lChx^sO)&7{X~Sw
zfH&%o9aLZ81afh(v9Vs4TkanIPhalugkC*G!q+^>inkJ$2w!MjHcth^?|Voy0_h{8
zDvP>+mM>gg0%__?{e+R>_EglHJwCMZ+X!lJV{
zI?gEA{h
z6BUXrqM0QumH`e&&b|vUY=qkV3x>V2Bc&$5k%?u25H!xUraX@$J^AXP!2;D)u8Io~R&oxYf1UeI&nC%GV7hU)AyGDST_4W&r((XiX!CmT&br|AFjPeD1m(By-emAo
zwav+
zx`_@4*18`hA+;`h=(9dJQU;OH$iLU$bO>*{s0_#*>bo?<3|B
z5(Vc3DXj@6=&A7MgKBV(+-!=}Cn#U{VIDY8`)F4=+Kv0bB*6#X^VKK5(7AFf&DscS
zB(lfuT?YDKyjinOtJry)>Fg#`B7Q%0v>h5xTNaxSCly~FDz!S*);K~@mrosvj=IA{
zAL!k*>fA)|!f(a_x26XY$bs(Wmb1DGi1hJYQD5PEN&9Twm)&|J`Lz*ksiZfZ>*HQ(
zeduB~{To^FKYwm=e?vO5S5bnpM7Sun>9GT`o~ZrR{8-6c
zKhfD8QAcH)n<$}3gDs=q-pSoZA*{aNq7l$5;^jnV`cS^#}NQ#D$+9ig3L#)07+Adu8ObT#G$_uB=SJLNuFXuN)ga
zPnNF4;8PN_{tnP0&vkSnQRn5!2(@pPUMnSvcJA;N`SkYn_}bliU@!bXez1aous-HL%=Dv9VBw5X&+
zE4*p`W`GW9ec}@ql#4d^kNK2GDhkg6M;14lYy^OF2xO*x=kx6edlFCr5To=t+96Qz
z9{}li;YroSL|=s_vpI*p@IQUIGjGRnvAGl5m6n_Kn(sYEifdH^{HobDQR7*HVW@@0
zH$<0#wsVS2)20#v9oNnv*d=7E_CuIHR|}zxLe$wWhY7e1UxV86O1g=FOSAP8o5x2h
zI5E|V@w3@eVcD?E?Q7r|!XyN1bBXMWM(%W1FPYI_ZN1fsll&rq_{wUbj5R>$EPqSL
z?$S8c`r<;N`*Z6v27D;S*Vct^j(uzcjMptnLV}&Y7ZfW1ex(3JPyi64-Z%uk|Bfve
z4vd_zo@4QqETt5+YSGC?@D0oXgs(qL3Uwa<3X3d`EVf|a_fRu*u=+jJSpF)&m_cs?
z+`Ik`YA6Z-*^kO4B;?PZ;9w9y)l4XGe=Y<_s6W8wrkV&xs#wJ(>b7_}+O&}PEV)?4
z$hS`O!4i3XPv@B~qfEbqrunkwRar
za?GQzRg#}Asi~P1>KU!YI+OduRkZ~UMIH%Q(ngQ-J`6(CeSKh2=sYx`8N$NjjH&5R
z3E`L7c8nUROa^jyr`BY9kyAv#kujb{x}~?v=TwOnTa4j)jM<`2eWFs)J!Z#|G7*p$
zA277%1{yRPG@U7xS=BM*U=-ua!7u3S#P>#H!F@Xh_~K;+2g&w(%|<|evzh*wj#C=P
zm_@nu{HY>o!U}GJV^>XQr#&5irvJ8*;)oHMYG0^-lxkcW%nH|H)0z
zRv_VM1`>|)x55$pkB%fj>~}800bpHI1Og_qgt6_7P`ov|zq1b{Cic(szw8VVp&Qcz
z#1bIeg5&$FkCo@n;s4ZS{!SSdV5?;1_O6mfrjyIhcD6BS)#YVm&pW8Mf)UEJ>knWN
zi}{!I68p~Z@1Z^Ct+1y0)M5{w0rTEdm!uO#WiTLB15l1X1dvQTpx}x+mrivs5hzRS
zSj7QbMI&VZqRb{JzZPc8VkagMb6Jub#N*lz!uG(2`#RnC{P?tp8LcR8n_r#32*-?%
z#hDz>ht4&BO&_dI>>wL&?T@nfymhSh?6J18
zhdKPSnML%@DCZZoV?6z%d@WR-+XjPctzLz#YQ~70->47j&C%Y_5s0^f6OSj=ttH>@
z;4+%wPdG$edrw!6sM>BHL3vLoI=JVd;*&Z164G$&g8KoQv+Cdqy)r`cK665*4mory
zdI3cl{ZGCsIXY;(kN3cJK^gtH^>`jpg*~TOtIk4s2XjzuKgs%B2Zlu~LVb!7CvFqR
zhR#p}up$rs+%SwFa}hVe-;S$`DkD{5Msx7d3-d4s(x+C7-Wh~teWZ>{jB@zKmp<_i
z(3mHW5BM^e=>*Ja*m|DaQk@|{|KD<3GjnkzQe!BMg41Jb$k!cnF&;BF6>wroC_Dg;
zFV@0ez2SGM8T==90@VnCZrgozD~$;c2JE|EaO{f{zY02|QxC30{2E=&6CEu`~K@{Fh5$!@e3ix>y?EgdmisQ;x3?Y`X7jiM20<
zT|UyPHqRCp>4myyd6U)!T%)_nMsfu;5!S4w*__
z;+y8dqa@K@e0k3ue6onp+ZvclDYQJ}Y8x~aL?pjjt`Pn*O2B2kX^{3*H}l9w0~uzH
z0XJ{b)3R9?i$F4lKxU^#f+$)>jDhS>a%E=;J{s@E!h@(d8gwOnNA11Voo?BCT>5*Z
zJWQs{I5Y3T0)n!KeO$V|HX9zA96^fdnb#vJK8p*~DaftM6JVGho+FefJ{4V%`waQ^
z7;8xIEMR%OQ+cD|EdrNp1epdT06&|tzZIQyrF=lT=Zx0GB)HV<>DBzU5)o>|V{>B!
zntl@YE^UP;vqjHgvN@Ng!xCENH<^%h;H}`2JahRyu?olPwD%SliMm}@LYrE}
zpc4tpzlvMPR7h@&mZMI3?`>N>m-DmmFe+^pnBEz3VeToE?0g)HI@B+CvCX;`MQEG1
z9XG;FzF}1Qaxb?Pw@2$|^`bp0aA|UfZ5afLJ{IGgdR9jAU@;ErU
z@=&Ks#2oIr^Z@P;f81B`4-Da7^i(Vr&NqiQB7Q;i
zA)h>MYjZqf(;dpo)@uj|&g1C1EQ|4i`ArkIBtlj&uK;{Pl&)*6P
zS>G>vork5t>6Q*Da)^d$<*-~HT9|EFCo*dKhVlxMD0f}pzwN20S(MECoZT~5&M7pE
zZfI_BujOIy-KPa<1_m&O0D_gZoLUKDNKY{FbRobeIi81dMuyThZ-++72NfEA&R|_O
ziAOydu7ZzQvMRZ-^vQw%@R(@5GKy-w8p`AF6-;Vci^jlRen
zh995Z^L&4GNWZ$f`%=q@A~n^Pk(b6?0Xl`|%`}mPeQ&B4N&1qfRd1xJskFc+`$~M;
zB6y^N#P)}gNEa%}_vhYHWIwd$b}vneGp`Bren)NwlZ^E&WKy5A#hO+%L+!AmL-mq%
zEN?#g73FNyi?ccE(xgp0?(=%y+VuNLG$Og#Em9f|GL(Q2aP<$5+K9|lO)5r&wEJsh
z=~cu_NEb-fAMh`Zcs0fOKId9OdS;aVhT@}9#ESkhc7h^ymY3qd!x!WOy;TQ8U5R=V
zsK+ICpH_xsz4vD>O6FUAluz?_-7n^6T&Uu_uIF!y@nv{xryTYUS{mS)}F2W_oE
z)=hNWun?#YVR#{lb0n9K_)$9fR1lQZB`gg`;UxAH1>K%k$d-SamK#e=rbiRvQS4rt
zPeVD12QRN?9yAlC61J+W;T0I!U6Aa?9@_m3iy9{{6}|*a(jD04D!#8_oRq*iP?IUZ
zYoOjERc3%(N7rho{y=Eo3MU#x
zvc|hg=`X4{jy9#TA1Sis%7{If#AvqwojRurm_yXU3W*YskyhlxPQnLDS8Ne6sA}Li
zEMo*8X{8`mCa&&V0t*!2Z{x2v#0zvV*wT|^W^@~~f;yr$FlC(FSnifU;a)G+3cW$K<8-llF!RADO
z`Tb+K=X^5(=9_3~`1JMn)Hb&G(=v}Cw11T?|E6~j<_<8s3#;;;Fxp=%u04!(zUs!-
z3kpN~LulMUFPDHZ4HxWj5y>H)2^VjBK%d~lF8HiOGVP6d4be#fWP#T3hgnXfqiFum
zod}4%lL?lFFdx>CiEcjK9scT-zi6@bZToWd(NY5#Z=Ib~#p%`_#K{Ci1pZJ0ua0Cl
z9*H`>E(wI@G15s@SZ`hYA>!^8!K>AhEV258DC(9}Bi;
zWT=;h(-Jy>u|4VaG~zQqYm{;Au4k2+%e$U>I-YiHW1{{KuFotGqFfQ@o+3g;!!F*d
zM>tIP=iorQfgU<22ih9h8XFoK-suBJT_AG&i93iW5az-_|4_fukZ>^8cQSS$lhwB|G&2S@^*8|0Zdx#*U@>7q
zr8^T_2O}T>0Pi+^qJxsBoTwZb$W4(kw>Ag0009|pN+BRIM)CbMF%gk})h>QBz2*j`
zQO@hh^{;+c?w_XW|B`Y33-Jai@r1>Bz#lv4i}U7FoT(Cnl=lLPh%loEA=@J>-nQp~NYJw?CIYr<1S!7D{9zXvM+;uc4K%g~*n&
z-o+pG*@E$?`Zdh%jd=T2>UXv;#FxZxNl$+#B(ajvE$N!_+Wimhv44@z?zA!g5N}72
zS{|hhZU_zyp(|H);#lwq7g^h0aJ>W}t#~gSTWJRMkkUs}GRGdH0@m8FfbSpxSm*J4
zQiW_DvEmXnhF+Lyj~Z<8xO|nqEs?Eqq;gL5fj4cxSvtESX5__Dn~&p}xd~e$&^*D(
z+}hRwq~VN=ua`5J+nD|y!3u{zBN(z6lsO7O5gdIR!BC*(5bb}U1c2$CxRnwE{xSfC
ze_RTP2|&M9a0nvq2F4Dzt{@A5>G~ujCe6<`lKpy_OawH(o2&yG;7xA1iA(@!nE}^z
z8o7x~R*vh#>&OHh{&NHQyX@0%pNfYO?Xmbd^{Y_D-03-dbeZ5cQ!c)R0UG(LDuJQ5
zj~u~HtKXdUh<|}U!h1GaxcWR$n+(MxtC%z5g09|;xn}>Z#2M6aEM@JxiY=u^=#LWG
z48bRbdA;{J>L-yEg=Wv=oY!&?UF?Bemz4PJ`
zQTnr|OV3-K;9ofC7gv(=p71k5s=`lpzUiv#Q|2n!rpc)mw|5*w4?S$zG5R=;PT=@J
zvtNo4wc#k%$IKUs8<7z8{?z-dnpe?l?6tlr))_8SarYinB~EhXnPT{?8Z?)4^rUe5
zi#Be%;j!u4$7?Y~Wx6H$?^)kwA5DPzO-nwg1dDXdbhpi;pvL`Q=;;??e~gU{we{e1
zq9oOpD$XNBSQCH&ii+EAb2tDDsK*=v9P&?y`U^p*=v18ekRq~=|5@HQ?F*K=mc3)d
zT~%)432Wr+7PE-s9^ZT__RG^}c<8~|obS1IlpjnRk#_0Y30pGp^kpbQkM3AFOh!2f
zO2`M4^hHq*RBjY1;UpGVD80i=k8vw=3U+yCtuPl9tY?IeCn=QE+N!T(va}W;;_5`Hu_e-Lt6;;
zC$yn>K~@qc2;L;$=VyN^*V^8}wUQVR>*m3L%C(3>Mn<>gS|MQ|4S?zv*~CB3ihaK{
znXmYR!Vs+
zGACX(4z_b~Gm!{96)Lk+?K_qee9M~QG}s@jyxXgb>Xx4RfDffqzgPz=CL<)Z1zingaWT=k_)7dI)`(>D;iv5HEILnA70JmdI4fQI_z^1q$=pJn61}02Ek@N@zF2?t4cU%)_WyVUfZB)t
zknL^+aAn$R5cR7W%5~IdFmdTZ$0u(Agv-0nJ
z{Xm1+=ZllyuK6`&%*{QFJat_L79p6U<#bu0d-7Ss8}CPlc9%pvdq@xpSWMBaIIEp2
z;?6r%W&7vCwL$TAXr?dIVK}7mUNd+MD+p(M7*1?AXZJ9?;%vi2-flJYc7IX`kNlv-
zVksuP>%)gg0%2%{DY5sNg$Cqi*kmGnDLbC6RC7g7aUDYiRSALIc(wMZsU!U;8PUvy
zYmvzTL!`hHQJG#SM=2LQ)V@!xxW1OmyTdXlnyK!nWC+aD8HO|@Dsc&O{z+oahGIk}C1})+-cK^Xeu$YLqC;l_rni;@&%R$sPmiEmOMnxr|
zf2V{&G6S?6=3gn{|2;$fJG06c!x)znrE3w?XH=?&>~b(d`&y<K3$mrRN$7*Snk+-Di0EY29{wABQX!
zUSR#L(*R!W(XGDeU_1W@yp$PNGofs<-_s!72Fa{BM$jhzafpAqY|Q?QPWtmS%0*VxNsEN@I6PtM4
zix9}v9#czbTtJb;Ptk}=%llO?x4AWZHN{>VPzxkMHJsTscsZl1!u;-WFC82dHBTc7
zL(!>B5)rH*vf}%LBNl(uU-f`r;!DZBU9*@$dQ91OZ7!`N{j?g=Wav*q>rdr_JIV_L
z*PAw`$5WojV;{l2gi?%=9D5Wqhdzy^!1xd@h+t=CK&Yra!#YvqqYX)*J0Rr+=gM*U
zswCeLnAU6g=w&3iTu!u#!P7Hy?75cEjqYN^%cB>&4^`-4$gEY|?%^Nm0v
zO106UXE;QZ&Gh*Q&YggjC;|)rMX%_Ps01T2D^;g3*+RoQLJ;mt|Abft9=1^|2C5?+
zbI&@}qp#}w$LC_-C~Edtq9^CY^r1VGY+txI#6(1LRZPDYjo)YqE;u!_YQfXjQ|g7qPtBT9!3IR~Snv-^Z!cLft1e>1($KXuV8I2<%%>r=$E(ggAG
zeNt*2$3mBBWr%bUT?S?J)ni)AwMw}&*h4VpDUFaJMWMuZ=MuArMnWo{Q5q15O9tt$
znhrJToC5RH8e;p9U{~IUaXPWi&~;W;BCbA{=^~o>x?x@?A@0YL<6rXHP}HtF>WYc&
zWm(LVI=j$v0sOHCbaP+(W1F>8DBde>tM`zG0!0o(iD!GG`9v&;3-Ok{_;F4QJ`cve
zxV%XR#6P^KpUZr2{ee67z=Boo&%6NH49W=&pqXXn_q>3#v$};lC;lyFOYbY;F{th1
zPM}?PGW`>)eZMysZ~}qfDgS1*FX-s!;XgHuzf+!NDA=Q$BEFBSLe3iWKHFpDm%pJ&
z2rWJzeNV=+e$#$WImZS2D?FN!P39zu_58Vrc1pR>$LLkr>J5{A}qnRmm;TN!S(1Hb2LL
z_l*vx==R6@wIL82F-U&<4h
z%w|Qg8#2zSne!6UAN_y_H$8>dA$$8GZ+;pV=v*G;MNuvYE*|`W&b_~CVN(sa+nWfb
zvNo7cmqxS{8TU?R@=Rra$zI9)tfxm!NFHsAl~mH&ybei5G7UQWe%+>k$z
zNg<-JkUag&x*zp7GyX5%@OvEI=)WA4mX-B`;|&K#52J+kj}9httee8l2IV1pr_=Mx
zsx_IzqgZrJ$VqySF=W&?U-Jh@iK!=Xm=nB^c&FOyUV<@a>KC};1J9SR-AKbo*2-T)
z7xq#2iefz}kaXAhC}ee|(^RTPd#@UvevjtBt<6i2;jDp%!&)~Cyk1Hx6C66NgrB-|
zxZda0iEVK2g^}5wA5+4faKl9;$&$fIo4jd*RqNRasU;F8ERGMCXOWh*#|ehGUcf9Z
zRNKSRq_!?odNcGD-yI}2lXgsGESobQQbRP7izq^BYpa<227U0V$y}OjH2d_j^{&rd
zDGCh?uyCWy+w#?g7YJf3Imf3rfG79?_&eq^>s_>KefWj;I1t*SL1=gRj&?}ilkGzE
zqO4{*qbg$fi>LPsWT3yXB$%1ORgJVq#o9ms=yY-B-YeY
zHp^Ix9e*gQP6X6m%BV!rN~>Xc`lpXL#=XXohCzyypNJuWZ^O;rCLg>E*g|Uw$Vccl
zrTgHBg~c!K(iMUgM$Rrb$iQ@rUgFTS1#X`kJ;MF!lJN?k`+dR9yx
zKU3jA%2P2@j{VT~PcfDHNbGs#WHN!hi=Q~wT;^8_gq!rsIj8{rEJ&jdIy^L39u+sWHW
z2%)RtKkA4nhv`nl#AP9*&U8MlicZP4#jFyt{}xK$FNa2^GJA$4wzVpH{w^euH6G=g
zlK2H<`c(u))5CdqvApHH##HqsLNCS4Xbq82zq|~ZY1^_Tl=d1J#)wFZC^m^L%tj8f6CnRo4P--4BZZz(OqZn+*>Te
zsUe^z33qP{{}IEMcP4UD%0LtV()H{M771F`+)CdDNC_anK1M(y5V{=$nG&-dvk)^2
zfQ^lVn}Zd=!^!o-`iDd!`SGUfeQkb?^oQwqgJzJ$$a-x!vI1_FjercupND{dbTEH6
z8!PPX&cBz(c(jGrQz@Tot8hOPL37}hBsan%v)u&90TUkiDu}4NwR-mj!#KY0J_f>YaWNTK#}dE#I)Q(m{fekUjY9RJ(15E4G)54m_$0l{cH
z$^tKVU8v;z$a^+WAwIJf1|D$x$+lVSO*b8I7>KvZ2k9=2nUwTh8BQ(|_N}t4yKf;pJ5c`0nL#JE$R#0qg
ztRl_!OWG)5gPAbS|1Ygkz4UE#QR}-_k5@6Mkv9?>GzcglUuSBf(?sz}@pw#2bE>EX^j3IB2
z3wXKhX4rCGU6#gB{cVjWQs*TiS;F#@fX1s0)u;ya-TRTJRh`=Dd5AI$^VN9o>oOny
zQZK(~OK~ogw?EU(=tnFg$$~j`1Qa<;juj5#sRI~bzn_4`^wNC-*27qS^hxIP=q^KMN|Q>{
zHrx6ROdh@B9Cqq>XT{~h^fHu?FhzR{96o&FfKRFSjN8ryQ|FJ*G(*VkePxGMxzhxj
zFIEAvW5KVD(eUvmk|3%W9E8nEvsxc%F5tCWCi{(Frnc!|OOBvpH+9^5T>CckqX1`l
zgTW<<~*L4D~r
z8JDpy39KC)nJ$7hTd_7-1vEL0jBOJPL6?PQ{V%~8s;r!d8yypO4jcNYkHKWXs=ezG
zBZ$sA#eaU%h5pYkJh;lP5$TE96?hL;5abBXiuu
z7J9$f#k<`SCu^^+?`xbg3j;bWHJ6)=f<@)ou(~$ZiG?Kg)hpQgswmXx$MWJe{O#b$
za@88j5(4Z`+^kjOnH}Gm(7BBeW3^|+urN0=N1tMa5AW7_ez8hN%3phSL;QcSE7Nb{
z%>nu+;X|f^$o?5fym@~YZ;0_kyfZwe?@TG%yDC!8AO0c8{*gJ7#NP|Je`3Z68phv=
zxcMDA7DYi$2dU6__OnkGBtT`~%ra%6I*FBMFQzJdnVJyBoG-)jy{IlWD3BOh5^)jP
z+VN$DU}C{qkz~=n!Pe~%*-)qejgwkm<4%$ooGreyl8+P&M0z&XFa)_eXq}BELm0Mn
z09L8!S@G1WiW_rc7Xz*XtdfWUeZkd^Gp&5oJ>-qQ-8Q_For-xyu32XLQoVc4X}aA#
zmGhFTME$dY2e!l$ZSl>oL+P8-+Z{Aj?e7atolPKoqdUqyoKLBMd>y0La2l6g)fyH?
z3K;1sU^ZYY$ANGa)!gwz;42hmc5f7fYI&R$vPM{;5IwTbc=73*^)at!am1!+BJlej
zGymmQ38P)oO(`m;jf;BiMc%EdbxE9sGk*xPo0-^PzDndqzmSbNZJ{&z5nnK;?PPkd
z8#l4}vz$0{W^SuAFQ}=o{3;+<_yGBEiPcC1QR+;)1X$FWs`G>3K>(8uEL`~2{W6GfSKDn0`5WeMNPgfey
zFV0b{kha4Ke#P5gg=xn*H+FcAz&@=da|!!A=jA-O!{amA&Lxy8BIItvwz6}qFJb#R
zLMSrB{b~=!Z6J$BkfOs^KBuF=bhH|yc^`gn=LXBTj;`j8j@MqksjZdK?;8`MF5ch!
ziDc+DkaT+qLUYb7lHtLc9}tPW*O9Bd`@6lawus%)ZX%MvU;V#I*O$8P1tSxZ_^~k{
zBqq+U(-NQ|T=$+_?>czn=y3u8Ae)|>4Zy~6y_omz;s4ZS{!VXIY#w??P@!Ph6v;E;
zh~AHjdpy{v9T+E!N#A0u=KnxIjcP%Ofs2ZaXDGC;h?ec>
zEDmm&%yRykI!N;lVN{(8C=jtc1u2ZsJ7xj^g+*{X5_*ogXfFG
zwt_8$VwC(9XvGGVJ_>DCi=-q&%*BC4cg`n4ywW|2VV|jX(p`)EuT+Tg?adh`AgE4j
zXr?R|pj5Ux5&EnFT(R_<8CYyOIJhc3T6IJ0VR0wvG%?w*Q@z!0@{34Fh@Oa%LbFY~
zOOc@;b7iYphv#q?MjA#<(x)zUu3D1>?m6#x7aFKnP_yR?_3^hL%MU_AqQYsCCOWzq
zv{yJ_nWN-yL87=t)6fYY!y+1xp_%fCUlc(OLveeU9FYaoMM|qiKLz_5{n&pwG^=af
z%*HF~h;PaGT)R}^h|0ITST)J^bD7tIzF@K|U;fj2qDYzr;~aSF&UNLDra>7Q-x${?
zdZ{EU^{0{~C@&u=TPLrs{+#%|z!d@6PezZ}pfr1Fsk41g-%N0rC;A-KXz8
z5D?%vWZ##wIT+j7I+}x)z`Ha5MDfi|Sbsp|jdG)Xxsl*`Qr@wQyS+6x{a(2;;JkT6
z2l|Ozrn5-}-&Bg5>SoV0x9K5BjsW!yPSj!iBw)-EeWhD
z$d8>60#s4rD*c1z0){AzT9_KCrbrT1bpBBdR7U4~?cSTGSR)
zFABj0)4G1N$P%_fH7wZZ_PkQ|>D;-=Ql+ttqOO>iC;y96YO#Ke{$^aVTW
zNt-h*=ey0qELdbb6maDw!=wNoZ#T;@)U)J}MYMjI&EFBf>O)zhQszMYNc{68&QYaN
zCwRv0V3tKP%GjLVDT`F&rtlg!2hMrFjoe2+)weHm+bAo_FKr=LA?^cQE(ooK#=xs~
z8wX6z7irFT^PEnlsI&$u$JIJ71U%M~25#Bj-r3eg-^kqYc9zci+lr4xVxM1ZZvL{o6KRlUCI
z&!)m(%k+M}blt^q&Hb!D_RR!&r=b2{ZVsNCjT}Ht`M(bT2e0&Z^q*Z$T@8-+MlDoO
zeD8C``W~hIdg_F}3At`@1+BuC4I$1Hlb3v@l549Quim;5M4D%C+6+N-*%c|a&vYUQ
z#?UraAXMiHXAMqf_{P9uGW+Np8!nyr*TRA0$=YdIcn7J^ry(0f3trh?mest}Mb?U<
zrJvetzPu@Ld>X4?0EtC*x)YKcT2_`7c~yW&tw_Ct13o>}$l-^Sd;fTC?W?BtsIR^C
zC#e#F`!5@3eZjxv?`hTa=;+Y{vnsgWlJRD~U}Z!ah9`cV5v|=KlYH1iVD@BRsbCk2
zBX?!QHxo(n3(@&WyL98lbfmp>A8FY)q12iH?bATjqkJ`y(R*c)B`WRRU$nrND9N+c
z!J@myEiex-H!v7{-9}Uh
zPNY?yg<2l9x)P3J2lD#?piReCJjiVtS>e2hS)XD{8#s(@xMsIZqZ7J-o5HOMA$ILy
z+kDEypU)|&Sf^D~Wq=50#G?A#E)3C5)88AjYQycN#I$vgT$5;M=JT23d?mC;k0Y+b
z)0{{jWDD#qBUT7Np@|u*%X3#qo@&(Nobn;ZLiE}(gO~AP&;G|{#JkPV2RpVdn(cb~
zQd+(FuFVcO_G#Vxe*nu3CqG^B6%>K@wtw|;uO>8RO`*Dl-}y70c7IDs+7s>Kt-&>f
zk8i7AXD*onyhT&-sjd)z+?Y4ADX;EN6Y8yH!>d#GVJ;p#GysBZ)H
z-|;yVxNZuUhvtf?yL*=p<|`o=@!PeM;p^vFaeozIUF(#%`m}$7PQm)@`Ku3F=Fgsx
zA&Cg3YJJea4_#IXIOlj9A6O@5;`F5OZ;x!MnIpLvzY^h
z_SvNg`+a=}#}k~#5-`eAU>@oil?X>cmsO2y&KB`R7~6U}w!}UIq?AK}`k5sDqMvok
z3{aYI>c`07(+<5=p5{-w
z-gAl#>)YtaB=qQ%zeUlBX#Y5}dXSAm$abiV_YJk}$UD$dWWz3bQQNs1Spzl*o04bd
zWTl7(bw;wUrhwu-8<%FHMCOy1c-XdAGgw9eQj-X#7@U(FMgcj{Flbl*Unt9+zW&$)%i
z__H*DL{8JN5Vr48ZGcfa^S$XDqwb*AAO#NhyhmoS
zPl!D7;$GmMCS#w*4-e$ACN?9<0a}x@5Fgtd0{~VeAB2b4rSv7P`?(@q)-X~Ie=`|!z`&_iT`l>hue_+-6Q}7*3F0p;*eU&R(mV2o$EhfpeE
zbB|1>b~{6!*Eo#9Uef2y#x~XpqVLVtmFjsJccW9+g6gRdfV_CD)8Pvg<2XT9ZgT7}1F
zoVZ`RpkEI{N-N(m942VdCus54O>eQ`-32d;a!-FU8e|KI%^E?K!mRI%hIAbL7!D`D
zOxWjmj}}j3{Qu+bEx@wc+O1)_8|iLPfrsvtMj8d_?k?#Pk&sf5mQE4rZjcs`?vf5^
zq?CUVD!TW6_xpX{KL2^o+1JIE^*oDbtp#)5bIki5_ZYuNw3}!X2x!+$!w8r-myMo=
zS1jXu)^;}5c9*UOH#*LKIpazc0^n@`>VI4;OiY*DVJ<+%nu&=Ekcj{~&i=V8{ap-r
zlkT$^_2J;~R%nx4=it0^lxl*|9CEB6B@R~vi_vP`+>>{D8i60rDAjd~XVKAx2#Kt=
zE2@vCvwW&DC0dh+YU@ICg!n5WH|g*PL;E3#Ah#@$jR{poVBU7NAACc3XGA3d^$Jll
ztqQvtPVS@F(JhVLb}jH&%dY|5{@IPzOu`n5{3cy{c&szk&u|}lQ@8X@HdxP0CpSf4
zCmWzki_{PwE}!U68|68r+oo->N1C`kPA^ckv}Dlo-e=?_Zo;)v`|QH*lnqOn<38jZeqf7-NBZhJY)K#TS0SylCQ
z3`hj|!~yhw_-m1sTM$q%#86=Oz=UoF2LC@+IDT%wg_+B+PoTbj)0B2?{`%#nV^l}faq?1vqD9FCn
zpn2(_so5RGpyX{-dQG`nYYq_Zp9esj3gUApg$
zM$nk>LY&MTtSro&9N(Mf5HK->fDX4Gj{=mIg&3IVKr~k{hV$2gv-U@a>zDRJJE$KV#iNi6s}mM&qJ$fol$HVnYlM*fb`(-aCw)U+*@l-ueFSB&c|Z6
ze$j*3OgWhu@6k7s;1NC@|EHAJpU{gR^OL?}BQr0C8?#|B_~Q3MX&9v-JSgbXvk;hp
z+HjQl*c1YPl<_!(YD8Um7{#5}UQQcbsC~r9y|ExZ!WL09)x6<>m664@_u#OPhZU9}
zy@Dh%WK0|@S8HC&;@KWBOD9CEL~uSJE@sj>bT1GdXRNZjt_
z8~NsScqaqaey(ySba-SZ(UzQiKC^eF9)^sOs%RS;?(aP3%W%i~;$_t&XL5`XyLnrk
z-Ln#iKJ|nu)j?0|pqek@PY8UPBkQ1R+*yZBP$U2sQQ&o>8fjTnRMw<|?ZhUnc)K9<
z*%j_vto4)32#5j;_6KIm9tW?MI(>$tcOsvxZWa`pW0(@>ooeR1k6A5IS9Pu9OBLbP
ze>8|lHBBH_y9oaJLqFY65)K}Mbv;t}0KE3try#a&7d06?ju+)Ejc?!WyHLgzfg={a
z(|EP#&3vlC7qgQrAT?e0E|OvFK^%^iPNKd=g?>lAj|MK=Y&Il7
ze4IX~65~vKcRmFk^p)0n&dRr71Qt`op)oz3$hY3&WWjYpzlz$v;DCq|xXGWiU?JUT
z@HnQ-LoF&ja%nix2_R@0lYw}Rg9q~YbOG6b7LEy!pUKRYMIrzG8{@PFLg@r4Kb
z5!Ze%uk&3zG%3(W1$bz{Kmp%^fiA>Of981!uW_r5HDJ}`@>?wXElghK6T&gxk+U_W
zacwh9ua>SlyGzswc!<8xS{*OMJHzHpDp5CjZMNK8sTr_>`nHz>b()G>t6MIkv6McK
zvR@T;IOmS
z=g_5O4f&zGWRfa)Jbwe5h>?2!(ij+E>#!yTfVSB!<
z)0GeQc$gy8CQIS4-a1hsAiFU
z+v}Glcsxq&#}W+b4IplJ0C5{!BW~QhQnRn7Wmw$$7VpMST2g)+Vj$J;S%WLLvA@z_
zV*)W=EtRxCG}!*eX6(Aw$HdI>vs>mDG4B7mEB_rLudBdvJ0EoSFn;^Qz^z?aiGJqL
z4~|rK82pi0f(ZJ%EvK(ho;|vtYS$;)5Vhb&ou9EntW!Vp^18ivQxcynJ!hi;Yry5u?0d3_~vyQ88q4^Tq0wrdvY1<*^Kraon
z6dNAdkh7@-1nop2JQ=BBvIl3~+!C{$HHXM%vonv5H=6AtbkQEghcY1+hgeF~nP-m%
zpXp(HF;i#UX8HILPgvq`I96nhFe_Rk*Kr{Yzvpm}G;Jmyw?-j-RP
zji8LrvKAoYKVJR>7qg{$lHga){;p{zuYVs6#>STI|0@4^cSv3+8Y_4^j9ph<>ePHJ
zwu9xxZ-eO)HLKZp-JL3Dl{@fP$f2&2uE^c7MV{1cOI~9oc72Qr#kN8dW)WT=flVpK
zFD2V^2YU!nk?4%XI2A&aNv>z_1TxDdQORsEy(V?XY|8{6RYJ
z9bU3M2K`x+P?b-_IJO#7`EiM@H-<#4oxR#4rAB>4md&h=el7@`li5OHBf8vpg-wt$
z`7Q0SH$;sKk=sWHcfPE3I*ScgM10LezJq@YoZov}I5`Sd%ko3Fbh>EB8;q6WX|=^<
z_Z3ufBDK{=m-7|xhYky%3UPrZO##J}ALf9lvy?byind4AMAyV&DWP4}Qi;W;LGhmStU?jPdG
z-rSqdd#mMdwFe(WqQ+dCx*mDFqJgk+9@GEMwzxzoN%q;+i<;UEIc89RG>(=^i&E1e
zM0CiQ-ko|%61|X_<_bD#NoU@dIsxQovE%IRO{s%-mBEbJtnBL{RJYTo77J3TT{~yl
zGw`qvzLsz03kV)qszH72VeO=xbf6&6WWmJHYyqb_1WiF`Ce03s*Osgkq*O~vjwY!?
z>;)}QhA-&J$u+(UMsdK&{%99q<_a#^T_Wbvic>fqLk#=q#F6Z&;Z*p;p3^rOI*Bcb
z$BG5Pwa<>j?oc35IPrX8nd<=CGd-40ot3Tee97ep`$fdY^Bb(%VqxA#-0oerMM+7x
z&W9a*r>M9d!90zaO)_B}awr_DBq=CnGkOeNY%mHgciX8r_fMp=0yPr)KOuAZOF6g?
zJ$lw8Ad94-xX<@R(RXJpE$^!&D?aU>PyjdP=auR6SR(DJt`*|lN_m|IrUCoKt-9n*
z7DR_SQqmSV%i6mD@wvoqn4zmnaH3Kb-k6Q`%j`2~U@phW3M&@)lLi
zC%Euqx{-VnxVcC$)hz}FPbJ0YWg4(+0adZV@{uFH-ZQ%JU@zYSWY3<)U5-fS0_}w2
zRQrlB=$D)yLih_RP8)g)cQ@$i3A#6OoXs?D*1kt>w
zboR%0o+Zpn%(uShIE6twaeQRNBu+Q(6i2w~o4*xTsqiI$BF;2Qk9YBbH~WY(#Q9F8
zX3rpn^{A+yl)B+oAkx&WEYdFA45||3WAN?N{(Z1^htQPU5}}3@m@V^EI3DYD&(v{9
zl@(q}DM2D`Xm+w}>U|Y$V^p71P4?zmIvM$fc`I|1FH%a_VX*n}Bl{0wVs#HVw@y|f
znAf6Jp~$B>o4ac)J6O2Q5KIM<+t=*Ep6mNl)LQbsdL1<@c|SL`@-{&NyN~l`^NQF!
z^&=5S;xWfSg%4R>T8=S6$c`gS_|19oW0HY|s2((aoxp@YWY4KNN(_(fUot&>6xPM8b=
zskuo`dfv%5B;oi&QVE|w+E{dd-d8!ot@5*ab{Ulk987c{I~ZPLsH<}MFV*t#vY8)o
z8Hxd@#@q(b6vj1@(gBYy7t2~JDTy1FX8aO<`r9!3bsGaDFMo2Rt}c6R+e!h)DAOApqhx>}^Y3`m*jH*vLyAiy8Y~<6$U*n#?mq`=Hnr6ae
z%gLg*uxD%JQkY|ymJvJ@rb90v+?{LA+(6NFS7>Ts=1ezX-oA)D3jH3gc1szFiUk6+
zDtSBmeQx)RkG=ly091+|y7oM@!t}^#cO;lf&swD=un~-)`;qmhF
zAb~2Oj-M@2%M<5&P%%?J(b=JP;DS(y|u`V)JfP}I6vV>aJZun`K9d9FN#0k+h_0v
zN23h$;9mr`a_yrn=AalUX*y4zP)1ZQizv*rVzVM_nTaT@-GL2)bZuT2K)9=joqXqB
zB~`e9O%4l{r6@iv4^3}wGo3KO4A1=r7FKnkfO_*ghVN*%iVm7{je6W3elBnCGH&ch
zz{jmWZR`IUh7aRRCt{Q8?CYMPkx_3SA?;1d91+ZH&4GQAxv9b%Wf#>JxCtpSw
zEImgT8=&F!(h~X?hbGjq_0=D-1zHnGl0E`ri_leU0sjNYlf41*WaXHy)$^ea>i*+
zzTw&IRl>Uy&giS5CJI<~ZF?-w7Lqj)HD*;{Z-Wj#v~WD8mBEczsvlDPYD;g!zuejq
z^l6(Gao;H>CHUEcB5usHa()_)Q1VaNa<{j1s`<*fno+>TV>L14Chnc6q--81)}f12
zt7FEz(Zmia;2=~<6g>}k#a>_C3F~J4On;=0*=$(T0%@n%ifi7SiGd4@=GHW4!v>y_
zKgLR;9X6(cVp|Re;a6YKrXMcRe!j-J4JO!n;Q@=Q^zeft=n!esf`ejOc8yyt3idMQ
zh&!yX6F6KWleBK;2T6MjjdD1*(e}DKSJuCpzhQ_=qW86e8dL;-Nzdnh=6N==B}|lQ
zzEw%u`lU8GE9z_3QXu7M_j6W@c?!lc41BW62NBkY5iWR0Zv_JoZRTD3QASN9s(mrJ
z&{S7PZ^O1?OsG!u^E^NkhsHA2^TgH96cd0)QD)YvN7i$t+45eQ7?Xxk<4~jOgTr_{
zXbmqP&DT!UJo8)>^ssfn;EmB6s<~k)HP9JGsl5bFMScc__qh}sKvmn%r6CH+
z%Kt?u`U&pDD?XerT7Nz&+F+DLIi@NIy>*A;K-*fxG
zrK4*$PWFGSn#+m6+A#44(YG0OMWvYGDlVfDad
z+(qR-^r?!hZmzC3bnf?eIhW+Ye}c3XvffsI4-6hN-cy$J9eeYO9RC48@q=ePkVeSEFf2{Sk;E
zN`O>Z0q}))4f2fJ=T<(|5!RkX@PuYkJd?Z$@-8Vi!8Zc4n$UNU2ZxEIaw)`U1r(WV
z3~%Vsh&bBm=~_9NT38q|p#q-9xMgo)f@dtfigcV8V
zs0*=is+Mf*m_$}&L(~@rj{81^Q5i5T-#)?(V8>T{k1WJSU|LRnfYaTGrzP#KG5^Fn
z;)L-ut{nSveE;eP$zsf^f0KnV-h1+6kV6IlNW%~KLbx8}jNacUo}-YXN*H6%Mm)fEyM2hDv8m}Q=cmP!3
zEJ(LFUlTmbZQ8x4uG3H#%s+oT%&jl*tqjqlIHAHCaqr33ddhDNbfqy+~aE@@}ua>8+K=d
z>G@z<8;(3-At6kJk}C`d>?iO^a8Yon;$vYvGJCx>^r(nP@ouc`hc>zyg4?=owjZbW
z8WxecrE=-BM*VM3Fjuo*$G`%meKmJ41Xn9>hS7^f
zN$tj(^nW6_`cs4PPX$*mk_DGloC}RrfVIyGC;$T+hf9rBAX$8+vHD+m?Z4a4r$JSd
zzlq^fS)sOzD|H#9o1a^W@-8g+q#k;QF3w;kMRT(N9@=t(mZ3*4RqtC#z&OS_=Q>$p
zgU}stMYn**1B791Rh0pyX7J1QE9in*AGF#%4RL0izS9D{gMAlg0J%@XI&;!;w5Ri(p*$p02GALgs7v@oS%BZJO2`bFtew_C8jW+3N_uTgkWB
zL7^l-LK#D*0UJwK+seJMY~{~w9_^sdQfq?CwCx{?!&7{R3ZL?avR-g
zo}8^5=yID=CQPCC`-{OHKG!*F!AjtJ*_>l*_%*mZt$_aORcDBvhS~s8a-_(?1vQkz
z-CC@+y&RHCMsp_
z7w_j}==Ud+G0tv#O1{dPWqCkD-C#&(N!Nuh}KO~Y#m8>ls9e~`R
z{dF?&S~CL@6aTjpZ+NR*Okpm7y99{afB<8xOV;(};rA*0-*j953Jyl0CYNo?C#<-(
z1$>yoL18F}>?7bqIgD%wifn^v507rIFu-^9wBS{mW4SL^zicoNFmT0Q{*6vg$L@qk*TnFHNbR
z+DLc{U|_Yml#oC(^6150!olDEd>6>ia-9HvRclOP!kAn){Wh<}<4?)%nbY>Ew;-SL
zoxVWh{{6M&VenFmYu=lx)?>(7gMB
ziEe%926VKxdcjEAQ`Q#BEM(NEms?$tqpwL4HJ)0w<>t$gke7aldRvv%ef$Q|)$31@
zAM?%Oh^bL!@?$tc!T_rW1TZAcA<#U=zQOip6PKg87@uYZvbNrQy33tSdSy9xWFgz)ajA&a0nhx=3mRF5#U2J}4x)jB`Nh
z9Q%h$_!T2q*3jXxwVnC(NM{2w=a>IoELNAKy^E2~#s%~j{4aRMe>H8owLYS2YMA!D
z8K^Y7A4~Em1{8|@lvK=8Tww4iso$Js@lpCF(hd$P&vDi<)ktHnpZ>19es8MyZmT*=
zsDU7qNuzhA0io#Qwo$8tC^}yG71j}FlI$wWdl6A#qAFUR?@v3^q1M-;Ig~-x)!^dH
zEFUIS;tfo7kK&041LZV~|1fQ?H%tmLAL=x^V(=2Miom&?8Dvn6ZERv&(bOW-m1LAH
z@4Q3S6bv>P82LQ?Q1^v)W(yITF8jb;8r~H;_)2sGhwf7QBtnUt8eQ~F{In7-Juz17T>XPXrPZ@pj(Q(W~(h1vz|@CZ4T1w=cTtD2mcXc}=PNQiIY
z=zIybe(ICmoH(cx@IPB6AuoIjfxe#0~ecqu*HwjcE3O+
zPQzKy`AjrqJi>UATcOg@eyN-*)QKC2rU#}Ej$igV2T0ZB#*es(tBXP1_r=a+J3Mok
z87_G@I$uhI?(itJ$>^>L!dy&10B;bq8>`Fn7F@n($zOt|l8GNj|vzq&9@$MB)(
zc0P+~JPHCOoba;@Wwb!T&V701fD1;$N%QeeZtk3rXt4DTRnuf@bX1%0Ef!4|KMJ#D
z!v>Y)QOz8E@a2Mq;FY8I`W1^74&i)lkI(K@xvZwQVmN1=U+w;NKw6iQR799i&>%=a
zX#Nkm#+zz8I9N{u;Tb8PSql&mEbP8=c_M+?a|4I{>DxC_3E#^mYTJZ;gYvyXo=X*p
z9?dp=TI}amp{|V666iy$47}x{P0CbRbB)9tPs$?m%S0t0*P`my6U<6DG)Nc*%zb_C
zsUrxWKhV!RafgH8Nap2&V)+)$+^)DdMkQ0w`q_lUCfB}41#;2@0hwjDUu_1#f~Ol@
zAsRoOEcGcH#E3U}zhBW&L#|2v(0Xn&;+qurJ6{fXp3Nz%Y(P_Pxd_Yd1)C%-Satcv
zc68sKRB9rzdGdw~^u*c}M&}lmBCPM=9`jT8+wE72
zKYYm>qd&(|9ZT_|^oh#~QIhdnz2U&&!!w#`W|}U)@yAceQZUFaS2XgUl~vwBg6v2Gt1EXKR6JnsGHn|G?n~dEJ7^OAIa%@7BaE*PxsjG2D!o&J(Lez|wL^cw@r>seSY*)_mC2lVSN4q4Uy`)|+}
zob+Z`yGY6Tf+K?g_!SPq7aSa{oc+OKh9)j(c05oy;;g+*@rY4=Y^x9u`WE*fP_J@)
zf0hzJdBV8a2`9y++@j!GI|MZ%q^4j>uZkPC8T)!Ce?DsIP&|7W3AI2~b)wmb<8^$5G7Cq4B%zr^N5^i)cm@*1
z7YdXF<_B7~34YKDar9r8WN)*oO?L`%7$Yf@J$O8hfYcqG?>!mGF163!!wwk9E#%2^
zLvKvv+a+)Y_i^zABJe-{<_I`Vr1^r20KX5xKiNYefp`HZ12mto0q!_V$&AVL{&#M4
zrF|dC*CU4U`|$bF&;juXe+h8^
zBVlmx3ln89*vs|>B6KLAP0EMx=Enjac2V#?{
zY!mfj{?B?IW8NzWj;`gOOAO=4!e?{)Vrn=`?RkTbCNE>(EqiM#Lp$Beit#T<9(6+M
zMh=$}h;*a?Ac4D%c0|AZLILOW>-JxO$SWp!qt>8w`T5_K8z3>!u3jL$MDNVkWdxvV
zzzR4#aWDhzaaSPZ=i&d$NB
z38mKa>=@e)OGTP!EPgqa8np4!cxITspY`1r&WxTn*p+V>-PyYG`cO;m-#PQ%GJhVS
z&F=JNqL=`0ZNCWptFEm`J#8^JQGM~fm8AMfCOF%I#E@ZDapv$=L&`77QtnXpVO-WY
z&+STUrQ2PP+@3Vk$|k_C84DB{LlHFJ8b4Z=q>ShzGCR@b+A?1zbA*8%#V8>owGp=U
z8Rv~-ugg?NHnWH$iEukU-V&~om3`ff6cRZ(CYqqNAuO+-zpvR+h%wp8lg*HLOAXqw
zd}Bm^zKX333NB)0JTc+Ws1!F3Ayb)}m8GAcanK8&I}|aO*=piUjw)%4x$TvjP2SA?
z%L#?)YzI`x{v=T|p{(!|J+K1k0R+q`+^hM7CLd|Bfx9-8ATt!bVjc`msE^P(rh!6r}v%G=M929=>C0Oss8Lb=|do2%Q34yR17GVXl*%N
zwe5xDh&RhbJT)u5`{wkl?(-75grR%7BHh->QaOcbi
z!?wz$^1pda=R!<11~{4Y9U
z|J3Iu0*eb0oWS^0itrdgM?Ga+CR*>9Qi*27*FZL$p;?mPPTb^KwzDzY4$(GxZMnoJ
zv_s?>f&PxN+z06rRS*-?j~KAjc@nWb#78*Rv}K$y*sDoKQhcDqNYn0G=DY^?6rk$?
zdpYy9!nFT
zizf^~E(kIZVyZx~2&YVs*RTz%s`ex#m@xB3C97GT$SfD!FAB~nT-b`k@8dI#{hUpk
zHpg4MU4)*{>n^x7wS3Pbb(Fg_CuEm3wq+1)4(2Po9~#f+mizk~H15Jp4(`4|@Es+P
zR5h3J1@8~NIKOg8UwizFGC=MP@*A*fFI`6&tURkoydoEAp+lOSW?WQ~n^EQ>so)dy
zYn1t!Rrt|%1B49*CN2=iRTd5OgBtqF3IBo{`cu2($4~qlrPP0eE&88(>wg!KCg-*E
zREbzrxR_Z^*1MiP&l;4Pf(ckN2xW@N;0z~@>1EKrvn^I5QWTidK#L@4Ll%`}(2)5O
z1HzEnzcnLp`((r~+2)-bezX9L$WX_+9h%1i6YVLX?h-Ami2Vz4(=5mUi$wi)#qk)L
zWw`q`{3RV2jqi=0XtL}Db0VZV%LfEt_DD$I*#XzU?lMyD(8j()Xd;g#VgFAVL*iEv>EBS~
zys3xO;?fzKA`3}GIB7n?q#nsH0P_09yXkv^gZ@2c??Z1lSLfQK{JXKsTjMj4TJWY>
z%T^}OYwha9b5No&Dx`J{2DoOZSO*(F$og!fLbXs9v%YH0%mvMu=-Q7QhdvG5LeYw%
zmAXw6h8D`;?%x9OdK~GoA&Lm{i?3gcvDr`1k%^w8zy_MpJ^W&~KZTX>n9WG#4W`m)
zXrti!5ln0~yS8#u@D|s?C*UR?AwnsUxQ$dAXWQSNKs<9tM($;R(~uHG=HKwqU80=m
zoJFCBE#iMT8FC=>6jmZ039(C3z+Fr**
zB>|2o(^cGn2kZDSusY;H(Q`9kTxRX_ZUl_~w!ZW0)Cwdf@pl08Gh6akZS*XFY3Bui
zxo)GsJOugt&w8A{W4SiWJRDfyj&~9*!JIg6EW-=t5W}w4j-%-qoPl^j<=*}C%+?PRB8CId5Q`lQUO4FN9rohN=@e1)wej@mO2>vZA@vCs
z#Y`e+%cfN#GcwV;~;TLAeItq5*qnrsxjm{MTmlBl5
zQRVJ^7C68VlFxn9m=clbj|f&Hmn~m#Ga!Rx^rso5pJdlc_|634i2)04^ZZTa9rc$mYz$f;pSg=o
zAkaiV2J#v9zV&D4r1%u2`@H)fHgkX$`X3SP_inF$zJ=a9z{_U(1??Dgq}X}5O3n`B
z3_h~?i8~6RB&7?@s93Hw-6O>S8;rFnzJqurW$QVe)NJ_5jrB+Ft!z7!xT`zHi|?vL
zXW^$iMNpe?P##B!y0U0%zq)G@+$bIv6VKPM(RDE7`@)ayV;wu^LpvsQar#`GbbW<&
z1n{?B8;-BLQb=~ZFbXRd47`koDQ@pqaB0S@kY&x)@(JTR#M!(vv5?o4>^(n4(OkMK
zKH|gu2&~lJT%YuiNfeF?W#7hA&_+$5&s;difsd9E!qU+$3O+?5tkLVc|N5+NjEDU*9U#vddX2_#OMM2Ww~5BCX%gTjGL}8u}GeU
zNGeAyvjcK#bALJ8DyT%oZ#`Y0?{jYMGj;uym-FV?gB5np<^-Eu3z}W=xzC2=WWm0T
znI-Wuq0&Ntd&I0{6{H%xb~%#R#mebkY8P1-aE{$|v*qXAiOG78iy^R7P0J#@DvIE4
zx$E!3_}&-K13u8bNZBbMf4Xt6d(LWtY4~M+Z1NVBnSD&4IyVDm0C9c8i%3?2Pc-Gh
z#MZ*+%c~sm@pR8_fcYfL`nHohaIB}tv6Fck1v%a0ux1@&Sg%VBl+)nrM~
zAAu+ykBUjVSROv#M$`?;>fwf`mA@jv4>
z|AMBNI+Wn+7L~Z8==|(k5OzKE(o7nJ95QSxm_ij2gd#n8x-eJEx3IO2#=1e7^CZ{T
z^M&qlZ?pX2?Vo*Ij{D@Ak!y8YRczB>9FWR32&fr-ecQCfbdp`UcM8`U@$r-{>e8qE
z4@tJ)gU`=+95)IE0$VosdW!owxU44#=?HzU`sQC9(i9A21aJVSj%HQF)w7lmnrjcd
zgQD4x2?BYQ{U6hIrtG^+mo9M@Y#Z7<_kvJvsy`o1;UDV-exxNN@@!J6e=^Y-n*@u6
zLP_zH8k1&XXMQavod`0GdiJtO0>&3r0R}q=m9(&wTMU=um&(xA(bP!S`AXC3D!pZ>
z=V)(g1xO?5>oVPJFArw=Ig&4o8UVK~@YAc242i^s^E-&V$>9TrFChs3VsnXri79$@
z$*bg*A?fAT^JmKHw|B3hpP}&eJpq|z`pXV;K=P3tsA{uba564(%OK#8`TFn|?&3dv
z?SDm;s9MGehcGN;eZVW(q%bs-^^qg&ZcZpL!biQrra337C~ytel`=0@56iT
zM7y#dHGE)66i9ou{*;A`ke`@e$I2|_T!d2_&cnPT)b
z`@C4i+{EHWQTb2b{==C5lS0vr!t*sHBcYfjO+b&V75B)(5}k6xBP$jO)?+gO3-s{=
z!q^flo7hXKVNse2+Qw0dJPIoN5?p*l+@SoFKm$wUIpdSru}yRe^XylcsMcW!%nKSC
z@f7b~?7xICt6B0NDlY!oUhQtKb*Jr~72E-Y`Emd2D*87Ba9Lcn2zsjBGbN<&!QWnv
z>0deQfO7TC9TBER-q#<)7>WqU*Wv-$6mSSMU7Ie+=h`u%bjt;qWAf^*zYk}h{~}U1
zKvv@V_sL2CE%Ra)L1Oa$AS+$*rI`N@80?p67cMTKzvE|%2g@%iD*vk<_U{rk?+}oi
zhVD)nSJE#=(oAL4%@)Xn73)6a9d>Wt|G@9xl^QTVH=1txzI496F;iS#ON=Xc=v7sz
z^{sle9vaNo(Bkn-u9%}FV*?Nz!Ef)1Z-@H8WFdo)*1zzgk`hhYiG9w1XjgCUcxZb6
zJ#J%!8{!ZqSbWV^vjo4G4(Zd|L*Zo~f|I+Mr^>$yJ}8nWe3;)I@>r&gR3?kbY0KnA
zP&hH1&%>g(rfG_OU4$(Zd?c~o?yq3$hql6n9x@&FpDa2}l@h*4ll<@j{DaAd9Mh__
zbt2@1bkfYm0LePPR6b$1eUMm9Q>qi&O=F;APPG
zZMa`nQdz07cpE}w?nx5Wu9CeNF-j<(eqYhIpsDRd-aviq$IX5Gy!3QKXJ@4cs-S%;
z3o;C}7c-N-l+H9WK!_+dX-6uM{~4M$okakVE6>K+UOM*945&%DAe-kw$~SD<55lz$
zR^AgdB3V5mnu7%4G04Qik%eG)q52%sAfUf?qL;ac^{K%&6wl$~lks&9w#7S0r|x49Svm-0cV9y}CLWO!!$64ku0Xl_OL
z+d8q8;aMsg?Cg
zOV8ZCj3z$~$PM-NZ$=W-aq9O!A_>GxU_lH6zOb&Lokno%d$q{-{k9LMKLmPrQ{Pi#mkN>M%{R@bPpQo&rb8JGf>^ekgt<0$f!Z4EV*NNmn$O`CN8!A1YH3jC$ihI5c2D!|pJ@KTE?$d4AiJhd1
z(0}6vN-MFMZ%biG*sEvIP%6|e_F(o3V*TXeatZN%A~^0jc>lp(yrx%94w6ojvuv&U
z`f-0?Rs3P~M1X<2?Jv>82L%av-5A1doPrHExeyH|L?l}`rw`uClPipFkenFF1%d9O
z;YM^~Q27~KxVS#33BF}xp-=`uc&oQ{#h)umNz3Be91e>NTOB;9vQ(|59D69Sw$+j<
z<`ZDXE%q@dUZz8L{G+Cd8SdryCDsT2@-`NZ*WKeb*E$uyj^vqvA0rtu7FZ9XfRXHR
zHImW6>NO_Hb_uN-WY%3Fc-U85ehU>K{u}!gF-4}UW;X!n!Cj2Giz|P}evp`$*W_OL
zpS0dfQQb@ZZVsUScm?JzDiHvjyXM#azkdGT#s4=P=j%H0Le8cKlBxyMB(|oRcRuCI
zx8~HmTqUhrXuFLXP%#|&N0?i_@6;y?C$y^?oq
zR4;l8__%AA*)Mvyg`Q$KXp+EaJtfH0!W99lsu{5QsE7jdcKvf{Nn>@*Iwz_Gc|@Ca
ze}x@Sl~+TEMR|?5J=yK2=Xt}lsdz)tX55u|mZBR=GR+g&n(sAzWAdcba+mJFA)z_c
z=pAxPLK%%J5K?E3IwmF5=j$l&Y1E|3xdj@3P`Uz*J|Q5VpliMW6dVW!U@Ag@Bm7DZ
z_&E#w=jMED>&-BB5O%>A+D`?0OuPd@e}IVKm$Yo4a0m#!f#{Qg(xE@ib>Z-m{dPS*
zE(KTbDc)ziq^q#VU-FoK1D6-f9;)0qa>1r_Z{G4$&DanUS7A0zBOLUZ+IMGI=rMRK
zOVGl8%GuKE1&I?JWP$JRhX@#Av{K
z377>)`zh=m_Tk0&wa4Q{uSyNGpfoA+zq~Bc3Q{o89`Ak5C!{`ooVI$~T^x<%keS!h
zW_2cIhyl3}U$mqKW0MwVl^AH!0)qg<`(fZ?Z)yQ_BmZv1CHj+Z3=NPOp>L2G;p7Mg
z8I`LUf3ecL$oGrin8APT!$o$vsQ|Di?oS^srOSH&Hf0x`k-s`|F|)E?Wa8Pcjkzuk
z|G5kOU5>nE=b6`lGt(E&j-%$-do^ueYB-ioW@flPw@lL7?&9SaqRrz8nX4$$ff1kz2rPC9w
zO`?+5$!zK=FS@oRUwnIt0L{NNhBz-*JsHJu7O~3AM*fk6TbAZ&VgXhp^SCauxQvc)
z{tNMyCu;Jlt3kn)nkkc0u~H=L#?=xFPs%vfCAi)4OQd-Kp!J=mWMDnyJ%8g$3tR_crVgo
zv#9f`pYtxE)QH1Q+AHkX7%;*emxvRAEJW7mIG(;RF{*jO`OS@sVL*PHy&IoL2b;@AY+)%&9vU&Jv;96l<%_TOttr4U54
zpODU6wugD%n7rEfC{OHUiSek{HbKm?vIQ%I(*;sgVyi`S1n%=QE^_}OWK`9AUu<(E
z7{0CzlU&EN|5Gn6oa7IU3qobw>O5VdiM51HF(>}2zig%d^n^e2;sTi7|AZHpeXGwb
zO+P*AY!qldPRL9CuC}(GZjQg1DK3(Ohook$wX~+H5t9+a;!#16M;bsWHWKX(929hOU3VN~xeVI3%sKIYyzz
z4r!Ry2>DhBv?oUJH2j@m=}_SUwz{(;QM9Y&qnz7eZqv=r0?}e6?Va2CY8BWVZV&Bv
zniAZu=BcHsh*RUU(+xLz_8DndW)R&0(d-){pkT6gEQ)HVfV=5M>`9c9rRuVtIge$g-LTYJJz%N1TVK9j{;7y
zlT__KIcb3&O;xm8qJOI&=C<+kCkH)iu%mHi#2X6;)wl1j!|QPMbn1;VSY3vEEQ70d
zUJF122uNo9l3rf_*(M0Z0c0~+0Q5$1os@%rvUd}!T~I+}ZbW(!(eFYN2uMgG^jGaA
z;+A?6-%0I&A2#r^;sYh+YsH_78z5!5i1y4E%3)lW)G;oAI(Ff_$aX0J#C-GcpT6AR
zA-RDfsa{v{Eys9@6K=*~dC@>N?pE`OZxdi9*|U)7L>%&PNitFO*S;a^x8`Bj+rSP}p1xz*ZyhNMZz{3-epfB+xWjEwM1y*&BTd$=MyhKWt)r1}@5kBv3wGAfI-S
zk9V?Xvb(>lg@LXOHzT8gshy#|!-b)s0sZCZWUw-HV7w>GcRgaLm_Zkv-oQVXkRSM$
z<>GrG;D5{)U%=?OD|d0SoumE5Sr_B(?ma#cQGtv7%GFNQ(9Y1wTL03L12B(w0NqO#
zN*3_vyMZ8YUK_AxV7xxozF@;^U!qBE7Hxf9ZD#F@3;vEPzmrM4q9;J@GwBH)WUk&e
zJ-0AS18zm>h=Au6t%Bs@<(rH~JwrgHHcYGYrfqvR6Qo%FeaPE&dEkzIJ)TK2_2oJ|
z345JH^I9gOX^GK`f;#=|WZ(KqDsaXf(!2&|3SuDgtj*2uQc>Ea7=ETwTU=sZ-ko_P
zd9oL7N-+U7wydFgW;hsK*L}u-&`oul4eCfI0?Uz4=$wKCuiawZR|zU};Xb)c$n&Zm
zb^8qiWqHew2@g(9o7tP6*YG~gG)JIDo_!gklkeF|86Bjn9T95u0{$8Mhv0a6{zHX9
z`N2oDwNG}tY2B3kEk~&XY(~~1KJZs|HiTQLwQ4ySj%a*Ko4*V)I2MKu_J&sab}lv!
zfa{;J^Ud7<1T@c&4I;EPfGW*_Fr)N+gXoLaThK4~>5+*3Y_+~`@GrI(7ePnvM$iGW
z@z(|k2$(?X-@(uh7&kw8tcr&AhPrn8CZyta){Zvc;}aw%lBANN_*E2Ay%LyZ1Bm4p
ztW{Q)3*9k*vHJ7ypTFSW!OgcTl=l0#IQHUS-%+6@d{#GEKEoOQ+=_QeCE59lV^iw4
z12d~bFgeO!kI6JVEu&Qqom4nZ-=sR
z#y-vvH%J>Y0>@nt?@3tx)VTheb!@q&P;_a}Uc{C2(#H(@MQ&2F_c5rDY(gOElIN5t
zH!#OO%F{
zMIoS$&J5LJkgze*;#l;@G-ksaJhl?&sOrgkq-B!mWj7r79!7|c{}KNb^#NrEdX`$+
zeL)hjl-SZNZUrlUp4T3BSs2jHk2d)goUsrg!$SHPp^Nz4qzI+$p)t-{*JkB0-S540
zDDHGv4kZDH>jMp{+p?FyRyBe^8WQEcJTaLbIzg#vbiUnHwNIc3QlCHyr3^#w5Hyu-
zXS@6Jh-FLM4w!U`bE+pX%izNcTj$&}m~Ov=j6i$-Wnvync#yo0Msv>P8}71Az+2g+
zv0(1jDH;W<^BRK#mV0tnf%k&z_Iv5?51F8!LD;3_(UM!);sUt6H(WqFzUtv>ywz{(
z^`*+}0}|Donxbs^KBU4?d{a^yI=DPtM~xt>Bi}_+#-YQ9(v=nVXpaWSqCJ=I+nyHn
z>%8U4MqI-od-!xm9_7(`&+Mbsst&9z|HLpq@56=Fi110Acs&BqZKJ4uck8A#o-LBz
zuHk%|ot%R9{I4FKaVO+Z>*r%$YY}(I3vp1wc7s^eRY%XjJCrLcsJnv#SOV|U`|*A9eSlT_>DbM${*)lrQO<9e1@ePS5jb
zAsFgL+^Rp>x`ks8z-oypxpTk@KObm$l`s@rdV4ks-&-R8J{N3Hw|Kf@)Saq|)3^OB
zN*;?uGL}Org>AytOM*0P8fmoUup!GKEaA%(NvHA&E*4@#C0NC;tUTk9UU63_(hCf$
z&z-_G`F*3zP755*Gn>P`U6_4OSABqFk|)GzmwqM0aR!IQf=}txtxHJzd@{99mvin_
zMV@9b$B5$)OG7MrexgvLougkJgpjbdF{MQ0$9S4LSb@q4IUfgwIoI;dM2h*k*&$je
zOkO6)*Hf+*VXd&ZtzOgOq5mIuUjbItqOD7JN=Qp1z3A@lF6r*>kZvTUOQfU(k!}zW
z2}$V&LApd5dWMYPf4F5VY?a%bWH(oM%hnr`;nQbt30D7G_9|jA|qXr)%g2IAg
zV%y!GL3{h_;CH&=KfBH*T|1^6Kvv2-1+L#X%>I9S;D1(?9%f~=h!}sPnK|VrU=Yo|
zBLSf@Hn@w2n}8{{izUv&sdz|j0TsNMRyv&~&gK
zF%Amd@x#;JBr1?}Em?%dGYrLx17VvfR7o3{XY{nor$wB>j@6<{>hHoJn*va49r=o&
zBM${-KJjPZ{d+WM#xW(K$f}d80Ok+mU4!!badVa*I6`5G-{u`4V0txyUuU(hcuH=^c6&Hh-GQB8P7EpFe`d5KA=K>yms$7zDl{A~((TrdEssQVQ}
zh+PuD<4|jx8g{CA9z{xVhC$$wLK{st3C6_3nqo4vD$&JYu&?A#Izr>{Rj;s34^%$-
z=2)f|yDlo&BN9%dq)s=vxI??9Jbam|GgU4pOv4hDm)La~u&4gkeJt6lAo41h7aB8e
z(eo4j7L$v&Af05;X>6ETAh=&%T59t$Tc>idDi;>5KrX_G;B-pXf`e^?_9CX75}eVg
z>|u+na+8}?=tfIA8tEH5^K2jFcib;wx?d&p=TLnL4cK;#cDm8lUmHFce$9xZX{A*E
z)Yv=JHPT%hMajJOBTrFIcsRpie_uQDe^2Ye@NcwY{J%B_khhAaep_h5*ZE
z+-Blzkp>^Al68vQ_R12~qnNh3j(m)PcOskl+EMAedq$)#dGCvHY^x_c74&WLeL~(X
z)vPej2!w9H@;5ui@mPLxzR~^PoULodr$V`Q#4gijn%>ER_q5KRyfHGl95%f-wP;~O
z#w@M%yjDs(V@MFRBnQjNwLf=N!%Z(>JVl%ZZ|rgjubP!>PeXIA1#MmJ*0jv44Vx*+
zopsojeSR$02sN_t&dAC0O@ctWv7`EaOe(iUd2)A0NaKKrwaAhUG2c}qGK1FI!Q_qF
zpaM;tt&y$1zW%R{B<9bN5#Y)(e+WjPmBaaF;eH?B19;xCaAJZCxB%>H(*=WYPt3ts
z9~j*e%IMn|n%%J2GN9Z*90W81w35D+iLHYX0}cS|#vme~0u3DSUanJ%(&pCYPR2$I
z-~B-ZECB%^na0no(2rr)8{>D)IR3MZi4nMBhUo`W?f>Y_{gqv8=Fd2^S=?|5!IKdY
zj%pTt7XX#fMs+y`EX1I_*AIDPCMfF612*OebqK*qVP%^z0#zujSjLK
z`xvE%%BlC@+C5$~=`Br#seC3@|2#J{up1DZ{Ul!Qnb|>djA$T5mrKiX9}7){4z!W6
zf2;Vbg4k32XD)>D1+iTwRhw=G;HrD!IA|LTIRsfLm+VJJ6pZS&&|fTT&(W#NYKr>C
z40Ro!OhKj;uov{+cVks3S=eOLs)+
z``GkNW)S$kEXLp;92CIG*4ua9WH$fF`~Ji%!>C?>?WL`K%{?3Qd@JnRFW1p|1ft%T
zU)_ig)ouz-fVA0;r3{LYnarV(0q!(~0ZIBVg2=t$|I0vlQRA58q
zl=!XGcQ2}ojcp)~aA&v|9$~!AoZQzC2M`&9TWzfqIc}waKVM*bnT3HBeO3?F|AM9v
z1&!vz3JiHMagyFijE>WX>{O+ugF>@~Y@0XZR^>U!nJt@UpHvS@50(EQ7|I
zX}9@sYF-;IeKDZ%|6ls|LssH8{v=X)a$O}zkQzdU+9+q-+Sx-puGyCeC-k(
zLujRBGlUJ*V0SoxRq?Ti8oXqrr!p6(jV=aQt9b%OhZ7Z5*o3lb;+1yg%vH0>^CbWKG6ZU;SvE{mFi$~oEV
zm*D0XpgCvFs4Am(r32g)1YiUPFiO#P@8cL$Vk+S+
z@VhtITR#{FU!9p)1c4lWV?(iTa}K{O|GC>UUy}1f#vy=YD-b}k74UClD=5seqiTes
z+glQc^!;qp)YiZG2>`#sJGS*74}kpZ8J0hcim?8xqaxop62Z|hZ=d%^`_^@h2WYf!
zEHQ8~I*@Vh=If^M1IUs6qlfGNrDypo!(EcKckZk4A-yYiAmh1)BP@yt0wRr#*}j#g
zxS50o+XXxm_8V89J`~ynX1vu+8Q2$i!?oQ>tY9@^A4qkfTKk0K<0HWgY&RdxqDDSU
z)e4M30n$4-nb2FXXDy8?3vc2>KZCBf-C4hsg{S<&8<+*UpI&@|=N*>2_I$$L7%@k|
zbEk2bSP!vIGh@E~LO~P0Ecx|1-8#gYLC75SyK&hzX(NK!fe`h2Nx2>~Xned3$+x5Q
zv3*|l4tSldrkjjFCIqecsi4-h7Ny73u!m1FVjm<~DE7|5vgW!@c!tOekMi13nxAt>
zkQ2b>`FirxZmv-TbzkXUdarsV;g4qg3~2w5-2OfL{WIeA)D#&g>+kirWQfDDsQxUv
zsU|M}o50`n9J`~oN>#*GU+k@$en7MlX;xW#I@}M=w>?Gn3SX_4fYT*QdQ0AA&By^E
zw{X8UVr(oVuz_(!0JYV1vO+Io6L)mTMp(EoA9PE_0N=G%D@t6#E1gRXwdAEETNJ&U
zR*ae0q@LdD1vC#a;r)(d%=L~5htqeCUh|mr7=^r-78KRbHy_m}KNww>F@noLd#7Lj
zg#$07zP8De*yre~gx`Io1jUvo8rR(=qJyo12rF=f6=c(pFr{w&iV31Y;9VQosjwko
zreD9{$QU1u%ZOpR#%y%{B2pHez%gBd*g)eY)8`|2eQ)nrYCo|z6o8!N&t4Dg%frLAO>D4Dt{Bt0H$G
zL{R2CT@xG{ih{GP>h%?VxZB@6cW|_OKVJH#+=RC@4M6o~WM%-C_ir~k0+s#x5WsrP
zIrleR=C8_ZeQJW3%IT}gBO@|9SKD3Bgg7LPE7mYWnWqsoVx0!!Y9aVvf=MwHH%7*q
zO%NjCfG**9%HG#r3a{Zy!Fj)_U;M^6|3OVnQ%&^6rCl_9mT5C+w#I<{Dl(N
z5$Xq-9?EMulq_bspmNB$bZoo0Ez8j;1rEjPYM+#Y-*tc1oT8c1j~V@?J137AV&?{hvu^G5n6Ga*dX
zFe)~E;M&hp+16fk<9IfyIH+BS!FTDQ)9{{tW#v3n9mbq))jKo3<-;Q>>6|;3k1Q)9
zYexIi-!$h*(PNfpnsGtdmOg%VGPl)7`64-oOo)DWUzdC_ROUp-W_%Le2Aj$J1y^9$
z(+(vSwC4(L{3o^D**l)~ih==|=-ZHrk2F+YBwb|i!BI}k$i*U|HO?jE&PSv)m!vU;
z?pFDg;l3qSdUw>dlZ5`N)5}fq-CnLIrh!{|Z*8WqImHL*6T!HOre%4h%fCeYuCmfdZmj;XIB$VD!gxcleYayRA6EvM
z)YMo0&0FO02L-k#gU0@`zu|VSnecY5831fwfW4ubYgPvV2l#aY{GR@xngav)1>^Vy
z2-vt20%->cZB2lN5U2}xA_GE0U>U>7+{xJqxI9na(9qb<2^h$JJJp!*k2>Irp0k<=GH?a$l0`DL7
z;~uo4E%*!Zp6}3`GA6QUP1p8<4FYVgqaqRrQ-HBA`k$TfTq0NOZ&F?VKVr{K?NaV#
z7LD{->w)dDiApgE^Uf#AsdmlkR{@iQgG)r`pY>jFY3nIbWTzd$5L10>$#PgpC$(TG
zkMW?G4nz&3$aj6jKHgFie6gb)&t$C9@WE`#5q*W*
zN=Hc8bQ^-asN?9?yz?SvQx;n&Y-zQNJVUPFW~DBozL0;ku@kgm+G5D`eA@Q0+Z>0d
z)l!z&dZ$=j=Ix+B8})|Vy%3#EkqN6W$zUT{6Dr|QDcIRru0w##l0N61fG@8MI0mfL
zmZXPc;gOsl;-(`n;#1w?kv7^ExnuuO(BGIIE;*XmGFy_ST2}?Q!>MGX3^`7}j%9ox+GJU4k8n{a~<7{fxh=up2Zp;}b
zuvQ6NJ_)2I`PRYq)1IMeRs5`{fbjz(KyILJ=YgSc$1?OjI2y!7O069fZn@X|o38-S
zy<^ybzVScg6=wsmTxXcz(dcgakbvE5{~E9Ow+bS|HMjls7to`<@xQ-45qOjRHZS+oWIz|AM~
zX{zC-D^&i2C`yK;hi&hv0FZ=(oplaWtKNObKeS#!ICKb5Bv
z_A2ECed1|;oO(qn!ZhQ8v5lN9!ZEyP{zS#!)Fo=CQF1lN!4^m--2ZzG%$`Kmn8NuL(6P-Hkaj%qB`Imw1k=~5&`
z55Is~`c&ry?1VF5eArlz$8=0w#o3%M_KP^Ym^rbze`0g@JN95n4;n{oadTNqFXI;E
z3%mZ%m_HFW2E#j5ax|@{&wsd2cg2m*oWL)AFIDohNw`)ryb-xFxJa7K6T)Gz#}H-R=(9!~QD#d8($B>ELuTvK4?=br{B#>CnqX`4Vm~
z1F7ix!0~$+xDR@?k=qpGsZdjb1(MDNjP_Q*N;@d!4oTDetE?pp|4H{xBz$Zmn
zCQrOHZ^g~j*!HFa^43z{6*uIm=)E7}2Cfc_{gtl~?$%oe2V++KUCac3MYVrK)b`U?
z|B=u7HYfir6lVmm+?|cTdkFYDuJKnP@>Cy|A>i`xJ_!zRnqZ#Wiv6Q~ja%%8#^)2#
zCj~;);OjC(&@iD>>hvZYlueLs5gF`jkTn+G_PMJadik$*eLsdhM9w4|+Yb2rGC#H}
zxmys61wG?svS=KgT+e=pP#b1~8m;_p7_F~|+RK9-UCUvR$U5{BbPSfsR?!?!hj+0p
z-73`Y2a|Zy$&LEv`vb7;dt_HXjCvMgzgL-iw>7N8uC$^h_k{LJo`m(nWVJUcmjfH5
zCIO5CXhN^p>4xwjQ;%eLZIPkz%V-Fq^*EN!Se4K?KIo8BPxBO@H!*Hvfj?A)uwN-=
z;#p*GfMyLeNO#}B1RUzNQm@%temuQ(RFwbvjRAf
zvT0H~lC~;}6{OGE;5Ln1sOV@uUvfFew4B*bbn&naS3xEi)aB2G@vwTbyNV~3;praCnb
zxwejv@NubRRc-o5{OaP>_`J5RfS1!>C_<1RtVX}iW@&GSDArJ8fR%FOTR5#xb$n`+
zVJ0Zll3~(~gQX8O(RNMh!goO{99`MRghgc;Etw{@x1&i`g`d1%Ikc=mt>e5lIyfW8
zy!{5!#P@mcD$|V`KKO;n!uTI>SOm5I&_}Qkpe_agy^XDJ(X+<#@9L=Zt2+L33JY=o
z>9wZ;j)wmmg~h+gUGX2e=s!dEetPW2`!%j}PYZP)A>Nl`#z9CvB%ajx&|xOJSIN>D
z1Wx$2OeBv;K}28^Q=OI3c1hmA==4${y@+)3Fe88}1deFr9y_yDB#6zUtVzKg9HN9%
zMQN2soyhERqG#48bSz`|UYkpMubh3~6{3|ihwgIP6zfv48-TsK=Xn*K4}PmGzmrx-
zx-lxEPHSMY>dd#Hv+`Src}YLNQz!btZb43*2l|$c2%!c!AP*
zGWPXS4^!q
znQZSqzI^d0E#rXy_!rh$^Tjfu$c&(ayj5qnl7&`uPPXZFwDigcROQs1qN1k_hMIEX
z?Lt}@I@$yGc@RE*oALNXe1A0}ev?0h7W_M7ci64aLa@vo4*d2^zpPyb`o`bNu5f73
z-vskJK`=ZT>2IQXHvkrJb~3wJv2){_05{$+GBU6-Gq5lKU18uZoS%n(`}O{ru(oNJ
ztDC|Y>|~|VK7g@~MK?=^BeVF2gPz$;z%e=J|o&aG~vTv!R3t7=?
z>f0g+7IifX3cIxkf-ZM)zK1X?RIf?B_`ugL1w-vA=00+gMa>&C61+Yc4M2$k0aqFI
z*p8uyXXm7@{P40oGH2+g7WB)7uDV-c^#_Fo0tY0(?mEJL0AUUQ#@JbgS^BxU0PSBf
zx6N!2@*mSIi}>8XCLn9(x1MJaQ$IFc9!5k-Sk}^J%$zlfdJkTE~F|G9l#JA465}v
z>ATh_^?u5Yi{rVfez3axRY5~_%L@s8WDJNP`EfQr)p3TI@(Dw!wjWXF41;WvcM85f
zdN-o-+QeRMu9aw$hw2511SmwXpy$PoPd27vm8t0n|1=l5`s;_TJf-Na`eSEQCKOqS
zXD=MJHthD}iHwDH&n|W;%?h(a+;`n~4QOuU$b*rYyfI)rYAcN(C_v%%P3|
zy|ac}r9#1)8pina$L(uVPGgdSTgkxiatqk$n|O_?C||H5`lL>!ro2X~;wsu3T5W4rXxhX8Lw`UIF?V9_WTD*vhDRA~Q=&&h
zIf#6PIvV%c=9lNOZ=a~%!puFp?2amC?m10+YD=k(B(`9>r*8m{-;~%W)@6{da@2N{r1PFbA?sM%dO@IbK4WNPvYi_M?
zYD{lxZUO+d@c^KqAgPhS!EhkZqgO_7f=eQ!EZYZsEk1~2(RgCh0mv{(z9l}bY)x(H
zzGsVWa-J@ZH$S`nq@SL%&xrAhH?vy}djQzaLL6scWlX>|gn!}~KP8m}=o$=6;3U)Y
zY|Nz4Hn|?z5K}g2w{tN}3ht-)uBbvK;k45+$qH2&Vk)Y0*Sj6pXGbkcDjCB!%
zUDAa;juNzvv>9QTa+RyG_{_8p1SNyml>>B#)@Tk&P{#_k4J~eP5XlhOI^}HrEBb++
z|3E)*6d>{;0L|Iqx40A(pfXN7Oz~#
z6I)*k$9I|vCuzeo4IogjF$^3n*!^5i2QaJX;GQV4iA;GEBg;I)ni}mFDqmxrChj%{*X6mn!3xxHMqhyBsD+agCcJ7n5LHXO|#pVCi?WjSn~
zJy-id_wK-llDI}lpNl@B`3kt25qs$Y0qEmelLj!pT3CCGga`0vc+PthKavlEQ>L0R7DB!oVbb?xAICP(_8QX;v4+2Melc&hkmiEK@
zD`N(`PTYJjxOzQLYxOs&5?6+d@RrM*ttG`=uhvFj6`r63yk%bKq+YaGX!k(zwt`&Ry3{Db{qO-E3O9`L=I=7{9m$5=#%I2?kL-&6*xnT973FXUlNXEhtPH#~ZcztpmO;fMA>HUOs~Yk(T`ZPW$~681MF`g~ZI<+)+GzOBKsGcqwT{Y^Dk
zV6P__@!bcw+1>?)3>zxYXT_AlL7(aU
zUNREIh_>Velj9IvdE;SmYNhMlr{Z)9U;;eWS4QpKE?!t2&i4LdX^T|@2Tyys&btfu
zwgP2+=8fq66Ya~~sjrz5kJ49}R!I|&`GEd8o(IdDG1IGJ6Zr`1hkDez<9h8~Pa7jy
zV?X}gPQA=|yzD`J>6$}|4t%wn-u|nIQn?33{
z3F8}b{u0+7I~pE37_&8FJs0-I*gi1=5&SZ}MH90mZhGU&-RtFM*)eAC^m{Vul?Ugk
z&z2PWIF%5@SCN{!D_x)zS5eV|91OuB79d!u39-S}oL)Sr?p8I~b0(WHZ9~%63$5TC
zD!9m*!hbbXPNF<7>|(twFwyp!xLOHso&|sAxhoaJN7^qdE7R{5zOML=!y9IOWqOWW
zPlJK6kyJ69UDbT>B#{6o8s92cpRF#~k!d_BF_Yx6f3CFO((|EuQ{4pU917GOOcc*X
z5lQLS5W~g0qn8K@{qhzt45zVE2+>Ab;O(3dgnTxUraYWuSC2JAyLHa{^k*WNTt|c%
zSzrwy;xJJrGAYE)xrmleHt{vTc?honelP#%A^Z}7{Iu6Nfd-A@(oAF!A9eZs#j$EefLJ2J`GPvg3R~$3OB+GwbvsXEaBXT=Va6dbtB@Z!C1-Rz3
zxiKlCsF(8TM;%y{?_zmNY8duJW~+|Apl?)tFu>8abPiX5LGxI~!|<(Dk}&tMZM)=s
zxRaP+wQOvKJlZ6IDQLMu`Kg%5c+o}Pz4%KM5cV%zYy69qHmW#;eYWb6+jJt)W9v`(
zK9$qVbB+-|nF(wlwjDhA_?BZGB9yzmepAK6+Bb#tixuekNz$u$&CSbU+kICvL>42G
zl3JDL;6pNk*fS^28mc*`1rqKjWk_|XSza|3+suR2;bR*kSnAbxv8JKXx0~sQJ8*PdKiBm$n*}4ca+o(&DcFnHz7h&R5=bug|OuQ(e{XpMHFPI}iag#pY`EVkD0KGAIbeL?>udp{+H!e>X14O$!)bDrY&
zg_A#mWgqMxNA$(4bj#xmk&X<{8x>7Dph2l?R3>f(l{Xj4Jbb-teX=#Rzg)gM9~-Sq
z1y9ySj@_Y%0%<(zkFxQG;r%TIF76LPB|9r1*MN<)^{)dY$kY73KjFR;2=_o*CGf&q
zX9-63HHaw!xVGF~%)IuPB<`dE{xPM}&rRDuDV5~E-Nkh;{2xe_SZ{&GmOH(%z1VOsO)2
zi!$aRYpRMcz$`Z)$p?`j-Q_DrhF%g#WOxwxmT&V0jSY%IT%Y%74%5V##GE=+*%9WZ
zlxGZMQeAz9`u>TU1O!30Hk940{q*T-PUg*p4vo_d)A%LKfP20LEl+(R5ciV-1
z@Vv6+?DK96fiz?U!G=eyNBj87IiS%B7ezh!7)N)Ik`WwDR7T$-NLtZ}9_oQ7>QZ3R
z+mz4NKI5hV-e_hM_75LT^v|xLpr>A0lZ4nrJ+k8-jf4exQPlW~fzA3|AUc6&lZYXq
zrIgc?rfE*3wt+{O(Rs-SE@7|H?s37px|TGoa8pXgIrQk`Q0qu91vt5$v50#F$wa0q
zbQ7JjGg>9kzlT-{CMf?4Cc=d&)6zJ>6|^+Bh6Ubl
z${wT8={~!sde15Sd8@HYq$X(H<2ipGquOS4ryMxt5t;<7`z&7+Ecv3d6ZJXVETvZR
zvrd%e6;PfUeDbAV8d_+KVik2|+NwQ|N~H;tVL(MD&xB~Gfrx}ZsJnQS!G&2v|1P=s
zDqLQJE{E%aQahqes(UFM4ZpmlK@eYYR(1ki2jwjT^sYU{F)jz}jQ>VNMMAL7<(DaK
zhWrJF>iAV*38zlXmE#BC`VTwb_1?=8lsdHxg^8?W#QN;~tiuOH4l*G<=RR0_g;H7(
zAqOS3$yr93PDR{sRsJH*DXoCHA9`hF)pi(9|9N2si=c2h9=fC702L@pD#Ivkv~}RT
zuZ-FIF!)wNOP0*N_mO7X@U51N?hGd~5d`YWq3e1my7
z1RSAnmn2j+wz?iMCKR%zqal=bGWt37i$G*7FD3Dfap}j@({=mUFBy3t`3aEk9B@7D
zbiLr4>Fy!mKYjhbvJ;DB$UBkKp-j%E?_WN6%qeS~F+z|2+0dyMl*oc@BTyb%id+*`
z$ciY_;@v3t7d`XnzCGfP4?Z1R5Hr-!U>q!5fmjHA4KaROh12#z+M3voD4gLS$teu>
z9ywlS&*Z)A1n#MI(-xR4qvbKd8j;W`DvrSux#k0Yj{F)0n{pL&dr
zyH%tz9fJh-XOYI-zeSV3KzUnJG$Y3sDORX$
zOj8%V{#kw`sTjXTiv#;>Rx7rzDMQ*w8gRwt$E~j+L_Cy1N}H9Asy;2AaOW@#7hVx5
z8g=HI?m0t4#iRSFyruXE8hyXb!hXD2>O5Zku{SDHx!|#Z71r1QtQoJ5)e%9o!OJ|u
zY1kJJhy?`*Y*WH{$4~kAJ=|aAfyNDI@W5c?p@7m>FuD{ZAXa#!ot`4_Jn)*9%nd!fT)Y6rTMGAS&b=fgPTlb
zzv;@ywx}8slckIpXXfNWR_gH7__~a(zVPxBvM{Yj)$~suSi6(HP&8`~WLYwaG(;kk
z8O46R>dy9pI76A?)=pRe%@71r2gb
z7Yd9u0kGc^hd_r4m_szB0tW$sKo@!SrVCEhYe&-!A>kBDsVyIG0_8Uayz%Z~D*}`>
zKzS1+>h}HWPhAK}swniFK3JqM>sWy(O+GuwFDHc-wxD{O7v*+uO>9yf7mZ5CJ?$AB
zm1#a1AC$SOV|%!X_&KGYniEt{`o_aGc2jcd{n08u7W=ujIj2KywV)h@^!((iBoqksQ;Z
zqLt}hJk$~92vMbFYYGyMUqq0iNpFt}V%G0Pu1%8^QoLg3d|bOuIpb3J4se2Q@B5a3
zRosbKKr6(54a+`4AWZm^x4LFQZ6wgVIR@p?dv7r(`LbhjPtTPYCojY9mYsoy>ob04OBfRij
z&-9a$92?94u6!dY#;|itOm^>0p`{Tg$u|aYj&QRQ6>7t;;DR#jx#x0vTNyutau5pP
zvJ5Fzl<#ytHTUPmta>Q=d~PEQc3Y?xQZzjHi-uS;t}Q4LO5J7Q@WUPy4%i+v)`9ew
zFZrF^sloV|zn&4AKOWi9|59J^2{6b;66~NaLMg6cX6u?y=hqA^V_VkWA%Yf*ZU+_p
z;Mqxtc{$Q
    fS2A=+fhgJB@7&v?;dHucF56T?H
zZazc8Exzdq>t1L*RRBmH@O1zW&DRtyb#V8B0Vgspty#p&E2qk4m@|PmZgpC-pZm(A
z(U(YmFCr*G4X4=B8D5wN^&z*Xe$7&}socsIx3r$Gxf(kGsAiY=8+J;6kNn
zQ^ye2ji-OSi^(@sdq6~I)}K_Zx)-7%Gn>Q0Ali@%?a-*JZ?Kkk4$oH3U0rcTnc)NW
zCAYiaX^n^dL-T0IMa7t@(Pqw-8W#&yU!r;K)pgFy72cz4^DZj5S6E^*gm#Y=b9gnp
z+UmRCVesqsIE>kq4A<=8eGI1D>)$mq9IPS?$Iwsp4o%3kW6fl&t39@#Uc;Vx
zUR65$aWt_CMXMC3HCGDa2mCZcQ~JRj#2%Bzc)9$S+ZQ{AC2D-eWCO2*qX%KW*1DkE
z%&kyt6}wd_)m8JY5uOegH0z7@gggoSe7c`ymPSnAN1lcP5o_NH^U72^#`rx@ZepruLT~8WlR2Q-Juh@X1Rs26BzF%8JX+anQ@Ga(PXIxJpqwX7
zFVQJERBfY&XnA275kzWK6NXewCZ@?f;4RVAwGQ`o>ew6UKFo-C(x83Z9x?|nvjyJc
zi38%&2J=Iv%6xH^A!H=-wXJG++804A?=LmpJsWz@`-qacjwi6c-1vh=Y^h(utV6F&ou|=ClEjoJ;?%q{!6lkLy-+C{dK2o#36a7>$3ET^K95U%zd%b@
z^QPM?r$9(us-Gqw-e5AOzR?{<(_b2Nk*B!ken2t=9ZU{v0ItIZ5)Cl1GhH{p06p)YhyPu-@mE!@#KaFo5_(IPYXZ;+a~%saXe963
zSh~)~WKrQvb-q9W*&<-LG$}DTKZU$zhU#pD%merG@1;a3T@3YW8p|BHqE&6f=wBw!
zz@S4phl&P3%)O{Ito&M@UdmnOTCLhyRh+$U&dGzs*87BKEoV_S#x9i#a}q1!L|y7>jTATb2Eh0PcJ&pzR~c`mT$=f6e#fF-%#tDvsMfxbigtc2lIe6A~8fBD&3Gl6!
z?^6gZhN)5)+B(QeFfBWHQIVuJ@_v0twVm@7kEC8m4c1gf$^eS?D~j)Z;1!
z`pH2r?UOmn04z5)HTpFsXw!LuE=#Hem(pmpoV`QE%0eZWfd#n{52c9920T^PgR9ro
zD=rPA#Ktf9u7*rr!Z%u`1n=@a{*1-gE*hn$_1e4lZAc5elmXG-DcM9;i^T+(>zT7t&FL*S(+X=}(57HUv
z05m``0(NeZ{pRxh`S~{}0|Xf0h$TC)pvQELGS`P}-wyxhZ}6}1r$xUiL8)Ht;_Sc_
zo)c#t)z>JYa;WjW$G{O~A|0tRKPme$PSA|HbZ;(&VA9~TfbjN@P~e&%c?tw}5Kc>N
zA2^H0UvfcXK}KB$lx&zxV&R&Fe^J9puK%*_!s9hL7jMBOb-!&iy2+TGGhvWNg;jRm
zU5$Z?U_!%KLY*+#yI9xz+4`8wR)AAsm(|1$rDPBl6#A+1>d2Habc7+>z45`Vc27b9
z;hgQ>tow`h#{Kvv496~@*zX>Lt5+vT;OE~XUwez-vaoE@yP=&=zO&M&+hqCzlmaQc
zN4c}yBLUx@K$0>Xe8xhgEf-tImi2vm_N$sJE%qhF#uH(o)tH7`{P71<1QttW0X#pt
zV?b{M+V95z(BPXvKSv;qvaO+`9o=^swly(v1h!lnUpKz|v9<=Jb-qR=LI{6QRA9FT
zBJdmb=Y%6D!0#O3_u>0Bz(UG{16*LeLFiVAQzp1l`)|sa4gbD-@%9w$n^u{umc`kPfi+{I{_0`
zj@N^g!1+oV!s`~4pWBD*zKuaT(%hW?%YEJLK)s!!qyrHDcq&j#%s&~Cq%*L-gZB|q
z*4rbLbx_z_92|vvNr4u(rz2~m_c4hOFFTh
z-uRLvM&_o#iCPEX{H`f*t-GVM!?n17XKuV>52n2Qf7k=?ZlF^MtmJ{c{FcuJE72mi
zfagz(hIcviel4=sTP(j%*TbWsTyMAeeq-0#%s>sGytM_y
zKi(k@ykSCt?{`f2jnfh6bAIp0{Kjhaz0>2zA>hCFZvG1O-}bFIuAYBrSfQn5%%5NJ
z?pA4D*v1Fdo
zJ@%c?64v&y-iFo1`MT}7fhTeX3e6{-Thr`u%TOyYu?QUx1ys&^ABACf+pn>-$T-0A
zG;^}cYq~PvMpkr@iln|Mu?9hZ1W{9uwy6M@EFeHEYpfsQCm^5it`#qeZq5fGWfaY9*!by?u9%&}=YNFA9^I&>FXc
z9=HPbVmPBWEhgFtfo;#p2tu@RuVO7-5Nz9B&WH=3&8KSKD=j)-#J
zc60EP7BSEd$>caNz#5wob^9+Bu|GZGPe1?<2P$c1JpCDWs0kE|8qqY7*a?+sQ41EM
z3qOilTli;>NmSz~mb1(Yk*dr|X$Gm<*fk-Vs0z3K>18E%`>_?Gc+e@8kW^Bmqi~bH
zxpcPo1+Q(3WAri`rS8MhSN0MJnRP=`v<+(=ZxGd)-Am_AZ^^vy)k-sb
zza>^gMq!%8_8G+gvGRD~$vPccj_cY3$v;c-G5nh3L%Y+h^?Q=fOU}Izh@@CveyiM|bJN$c+d^cD6t0Z4mvph=F`hgXH
zB}95q9YfCy?MKu?2yR@JwomE+eA3GH-JrQAG>dIK^Zu)HFU3NvwlpQ$Bu5*fw?ayM
z{8NLsc)(K>L5Eo~OQ!aex=px0lz@Rwk&bW`fQgpn;w_&zs=L%2A;ln8?G5yuoxYV`
zX%7a#Mc(&j+3cKeKuT|o3|S6k4>CRD?J8bCONYct9(ektJg)MBWMp8pgF<2x#IFRdE~+;IIZwukJh~GajB~FP)=iOtUPVQh1V!N61CQF0|dxQSd*G2$RHwK6^{GI{qcKLY;sf
z5C(&*oL!YnvIXOcm!Pdb)Ekzrn=Kiex=U0ffeBO4r2mki+v#P{(PU?N#Lx-~ql|6@
zAt$%Q1EwGi#OYpGXCZUPb4&Zjd-EOAkKg9dy-RTKbEl_5RX`3TYMfSXT2EAc4B
zV_XZCu*N68PHrC&PbX9m7q#Y7>~yBpp~d_YsATY$eGhl@#6Ex9`Sx!n`EruRKI>$o
zEEbDAStTRpL3to>dUDvLj`2pSbdma4R9~g^jEyhPNFhr9{
z@>XLsu~MX$Ukc{K^JJ~bxO;%_u>1bZW>;e?1Rbp?y}3y{ZuHd_??_L4
ziwhhXVxcD(Ug02@E_|yWCy&u$%L`iBCYg>2%D2Q=gPkP~VE%kXoY|bjNer_vhV9Pi
zb$SnJHO&?<3r+k<6uxXKO)#W+uGeHpZH8hFoNBX&O8}y`_cyT*U2zz&WK5N<=xvQp
zr+K!BwsZ~;BYO0Vm51z&4o~xQ{Fqpo?DulrbY))#5X~`5M6PL+WE{9WVm&}REL(u>
z(xI*u`l+JYVZJW`9N*n#+?+46k?=K|>MO=I1Uatuwte48LSxx~`9K**)P
zgetTYkoaIhzk=V6Ab)N&qA$6r^=z)9%oM!h!K}5mxtV#f4(FDad1Dt>kZdMKT_uKG
zdxD4hc(>KMRo!PwL!C;RJzAdaN5%_Zy3PRl0U%a0uMSdgkV
zN;FIed?WcDkB&5iNpGe729xoxow6T$CmH{A?c`MAPnQh1Q5-xD=#qKdx@4#zK}}Mh
zC#IIokK)I5+w+7;?n>HqhZWBqpX|@qPW~K|zD?)>cO*Li2NN9Jzd2dow@w1r7hOA9
zziyrUFMj-Ac}+9&iG%k}ScYNTJgOD#E^T)P>QH;NT^G03y&)pU`fMGA)bvW2;Doop
zb@6;jV^<1dRqy#9FHj#&m+I4np+s6*)mMNujk0!%vym+AJz`U2x_@tJNKdAjUI2CZ
z=sp=jL~JW=if4){V%g4cqnO&VyM!lm7zJtIT=~|zy6lzg{G(=pmnATrSV+6WN;_7A
z8TUZZB4>OJjuQ%nLnZBH^;9yaNwD2jp%M5D;k8~ZHG5-R#51W2usd}uMn}w(mprJ7
z;HnYQuzW?DZygiS;jp32lw8w0r{lRBzmLn?(@oUYnG9BxeWdA{_Qg9}Z>CFrES+TheK!zL!ft}B7s>;n!q~m@AACUORhbN`juk*-
zHrx4zLWS2!wSisoO@uY6+#pxh&!%H$#t#j~BJ8w3tw4wunt65a3x2lp>GbfzR|u^i
zhU2Bso}*Qe9YHfP|46qy@+l2AC4V6ytsiIHruvN4f+0i@P>3UjQVVsunVYt
ztih*JNM8Omd51^3SKIvg8G%k5bu$D(m{XLv!6YEv4Po9kzM%y4=#}841&p@fsbVyM
zX4SVZ1i|cZH~1&&A;ImSa}&Q_iZj72&gA*Uq{+-a{`Befd#!gC2`70+ksaD@FwLG&
zV-f?{tnwsuFsqr6GGbVxnCs
zb-49gNF`l#+B0ovyYS#xc0v<8_?H$L1fcr*1>Mo#JIujo|BN{p?GMbsXsAFUeK}#d
z>sf*0IUF@22+%TMK
zc?lxvZ0CTmsZ$CyTh3z=I}rOurTLCCs(aB=J}9b9&+Hs(^nJRekng|XS$+kfzw;F}
zsp~M97w(K#>-6a=v&SU5<)`$Dpe%n6mood9@vTe5vvjMo`B(mj=-#Kz9r^TfJ}Ev`
z7p6iEO$Z=kVVjmTBiqr*c<9C6E6X+)69pgRNT-A>4Qf>`H`*Glsv|xlMW%jCvocRP
zaT5oKjJ{k%p+#J)g+DkFkFk+v$8mOa%VvypdD6J)|xlvEaCo?7n7O*ccj8Le6>~?jUmpw+B?3+
zb?uI{GLe*}oJXXU^@XZD1GYt9CDfbu3ceoJzFcQJudh9X=R92#5+n$l2<%1MpKMqR
z)2n^*P_+adKOOFq{pJADEKgzLbMYqbNPtDh&
zq>cAu!D;QBz&0XGF(}Oy!5YTrigIYwr3a75EY5_KTL-bacS|#qNp4#
zt?ZRwwLFv#wg;@|&tnEJOnl{^Js%Vd^~qu4q|+i0K=m{1$FjGi-pUWJVbJ2V5L;+>
z*BB$jDLb%8E^=s8lN^@HXh6AmB`vVBjnAX=FeAOMr9xrqh1g2q9gps3l-W?`4aRep
zzt0^Q^>T+jd25o9@xyOXD%2mN)H@y>P*HDMY2fxpMFVR}6&kEw%Lt%@Je5xGU1?Pw
z$RdjZJH33BjrfHynH!C^L^b=>m^W(NI$eDxU8+NQ6SlCGK1+6LCFVWzM^6^Vd2?~r
z=)n(5_3=?~sd6JcIryq_}j3i941vuc1I4)$1
zrGT?*k4m_MP~vrMr4iymlbWl!z2>;!49u!Z_lj(xdul*Y!!dOqtF(z5*6eFw8u#cJ
zJovI&Ci?Nvrrf)x5R#f|2_g3&t@_P4_~&oe%nGD2%W+cR)|6=C8lJ;qIU^Vsc=nRi
z;JkSl)Q4_H1{3wRQ`Y8
zWUsRK-lM~@_a50>LiWh9x9k;VMl!Pr*;__-WQD9`OW8ssg!?+ARKNS_dH%2a|Gyuv
z*Kw}Pxm<(q=ly+uKjZzWl|viau>+$KUsZP7!1}hgap!0fu(7Bb8Emv}l-^SQH1c|ksUj=*
zGL?g_uoW*&1pt-%UO|Y8gQ6gu>qKX*U@*
zqstnpNDy+@H)ZC0^sPS-ew^s?xCyd_BY~uHtm&hr8%As
z)u7vu$*YPWAlx>9XmBFvHo`-32r)#`KRv&6ZY3fnoPi~a-l+fDPEPifpeVwCHi9ro
zyaU_MWSBX+DN@EXRGx2-hQ1TMGnsd6C^5qUI*b3{dhmb1k@h)xQw1x76*J^BWJ6@W
zleaUCB~w5%(cB3H^m=5461nr30zlsEZP^qqMkm{kAz=s|5{8oEXXNfDEPkq`Nf^wJ
z@yi{^rE1|y?{gQQANI{*%nnJCX!{@*oR$8l-E`z36@NYv)rse~
zb|taTEXxW-dWt%+om0MOrQU{d!PYOj?CV>bzIF=SQHbqCfQZn7wn$<+MMT#n2xD#F
zXv6FdDDSX%+ZJ+lGgEV7jQc#?e8XcV@rpayj>xz-^3IlJ-XJZ)$995x=@M_rYX7@%
zN|eqB-y|_pxgip+kLdzgas{IaXIh_?eg?%g$K?$WCd}(BWR()*8)NL_IBLZ59t)Mi
zklBRemdeCO)Tn#+ft35_R}@e;lTSPomze5F-jUW%S@*+Vr5Ag)<}7rgnvcbx^
z1bu)Y>HyFnehv$;SAItU+;RCkJ4}-
zNodvLd?Z51<~mXwBG(&Ns)=ax77-^>?{uD?NT-FiKETlY2&9`Bdk%Xsk!ycpNtU4c|sV(Cm5guOMW*O4N^AVcg
zuOgDTV`AVwm!-8{GXWtO6)2V3kbjxB=*i&y!F9Z#mu_j+8g=rTQmk@*M!y&9jt;C<
zEyi=C0N-#v626b9+DXEjRLj|W==js&>s(PO%%m`Q1d*0OZyeGIk^8YMN4u@n`#WSF
zPE~(?tL;p_@|YjKd3c6zrb=TSLYn2<@o}up&L^0C>ti_Xd-ZWfw(cOi<9pl)c<2%;l
z>LtyVg<_H!+T0pXIo_lww!r2MqlP?;8lf0nV9Lu@m$H~Qj^F(5>9?%Q@6kSoXMlWJ(-lx
z_4|tLGtaY&`TxMk-=PRdtkW>0+N&=UQ0Kq?sLTci=&VTj32`SrZ6(LW&lCS!?Ox3h
z9*JmSZi|yXX1U{Lqssf@A~;)CN7mAg_r=*S(6REWPUS1SFfl3ew8bl0N_Ma7jNQO|
z@R>@D3EX28QYuqOwjrQb_IO6>y*P4K>pI!ku}aO@jX_+ro{v4%Uhcl)6b3GnDqaifBzm
zo^nKfOu`XUr`K&zU9Uw=ZN471T5vUrugP79lV?^&HDp&k(2sjoY5kqr6GV613ni&h
zyVh#Z?*(4>w-ygWZdrS3J)4Bx8#Zd-j~+8ekIW
z*Ap^*tyxUF$XZ8rB0Fi`?j#b{gMkKb=25B_ijwY64E(Xg_3tFZaN6N$P7VrktTSB3-+wmYco0m@S%jYCN^At7OALBe_|W
zzqu)ojUuG)*w*B6*mmEN4DI+fqz`d0*+(;pxtpJus8oSj^0TSF?yUv3_hgID#s*Ob
z)0)QvP`10f=rM{C@o#3FLGgLpI%m`KT<2d(*1HchjutLcf{dKBp@xuN(U$^w80}&ps
z48hhf>{!w+vBKK^FAqYKdOj3dja0uAkH%~r8;!)Z%YdF(M!5gT@Aa!V+rm
zGk0@@L~pTxuh$Z;^KGN93l01MOMk%H?>GfeCPjg4siHdR@~&9lS7@jbvu3NLn>seg
z^`VAVJ@RpBo)3{;zLRzebi69?rq4dFDwC$+3vGHY!AV5!>$W$OeUaZBzriuJ+URo{
zn$?&KhT0Rl-QAnYlBFOLjf!2{J|x)eSAGwVtu^*xar#IE!Fz$spfj&ALB&#FZ-o_A
zvZhq~wuz;8?QwS4y^JE0CKiig5R|?>J!}RVuGR3^esRDX9B=2d{z#vf(
zh|2R1A;_WS)$j&9)sHCPGzehy&huedgDHvRJ+sr_rKvc7VNLIP{eIXgJUNiH2DEdB
zyK)5!=7}$&T(*cw-RNettRvGW?aKrT>Jk5U$x^ZN^Yj0QWvR{zBKY~Cp1B{ZI8L5l
zI*R<8WU2mF9`!75ukH}(c&Q1=L4JvDB{7gIV4
zGmie?M%jvm=u>#zE_V-0Jn9fs%xtWabBA7WaJf-k&w&#D){tj+4x}-Nz^oV{ym9c>
z>&S?`wJixbwA2KKI~;cNC9!y<4vmybY=kq99xU4gYhw|w_`avd(#(>M*9z(Zhb~XO
z&E8=47xnWn*A~H}v_NKyi)}8r!Im$Ru!X&F(uT^S_R;NQtxW9#Ms8nzyP}R(=*MM^
z+oY?hTPFBudEJKSTQhBLuS@r>b`HgJvp8|PKX{rBr`b;1kLhf2>in
znJG0{gB>KNJ@I^qO^j{%{Kz5+7gzdr$x;b~Ab>@ex7&buw{s!$w&s&uO_+hL?bfbD
zFtH#H{$#e@>Tz*J+q+L!Zs3HqY*(@utB}sCq?BGmPu;(Z@phN{rvJNITY`tF$
zCoiSzi>>QWJ(X1y?rkb;`%Gh#Fvpdgg{}oaYe=fw}ngKWgRBNte
zpHKgA@KV2P_f5%uaqsV0!z$0)i6Pb7GU)s5>wzkDyVMK|b2xI1@7LH}3wZ;+lJIpLqMb>|
zuWx1M(FvoZs&0)2|-szU}ud5{?-PR1V9xPv^+Ud<3y>1PL*dfxuQ
z34U@4WVilaq*K~2FZ(wdq8k_P@yfXF|G_CPQHYC>TyB0b^=nw+-0V}6LD|%B1E;dP
zQtzioOHqz#WDj33chqUYS7T;JGR&X_nhtKxp!0f&>rq#fC5zwAb(k9&bnm4ZhMBXu
z$u~T&J8w^iNkXTxvxUI^C8T;c4J6Q1|jBluk*htoJ>zf
zW4OZ2R4x{`bg-PF^?*obtd?uf_ced=1mCvWzRLA;n|F1w15#_9EFezKKu<0wGk0Sr
z^IvVA$MGkPxC_t-7r^dspW8g9R1Ks6
z05Z-MEzOH&3rILufj*utl#0gI=9H2U7Z3LDMUJRAc$z@2v6hCkx~968hUSH3UzFOQ
z;SgR5$U>ju47$z|C4Y7r)6!H1K~EtAeL|4z_eX>#N1ny)fh>7IOb*)c`Ydh_-R0-t
z(Eb1T&i@7)<@@b?qE-2R1N?z%cLr_K-<;n1yp+zejuEPvRL7TuzduLiA=}nq?1CLn
zCS>I_Duj7QfPaGpr{7{N4uvzvCZT+}bG_BoBSpp_vT)GqxQbutN-48PwVI;@`&RZ&pzB?|HY@#SGC)o0{X2rCNb6DACqYY}~NTxAfo7YB&_mc&OakmKQScJ$&j9eF;Oy39|<53@u>=L+NHr#z)%I^|H5EF
zFnkn<|
zKw!OdgXr3fOJ`C->9=A=1J|fE(49?XFP3ri(=Ri?GbZPsVn46kd;qgy~3?{fUmyPg%w45&2EJXE9|8kjSuq?iJYXKZr5Z=E
zB}l5>;DgI=!jjzm_z`n9HTr2Ny^kRc%Z+h7vS(IlY8cFFX#oc#f(8!QewZ97ww|)JY9AfdR4wIG`!lKph|dS-v&U
z*9`DR@NonBl;>>Y=kCAZihqNGr0siL4)tuc;Ebpj-tYrWCXGqQfeCLsQSZd_p?twq
zj-z%?ihPF$T0;0noi^Zi6C
zn}jNgw@Mbs$I$igbl(a*?;tcIf6rM_9qO)(-aPTx8YjUXJNqQ*8GIk!x{)Q%2C`S}
zUUTe*1$$6Lrz6*WWrEex@R&%_o8l$Zyav2GWD`Rm3^s^bUXw*`m;m#OF5>ce+^r@7
zvbq7ia;uZ7av933BXU89PqB$U5zg^DFFyr46f@C(BZn6u&3JpQS3StYdox@kF8Y~v
z)~YeW+XJNzhC{pJje~Kuee0*^E{H%_TA;{<^8aN2!;ixhO>mfrSo=zy!hCqflS!xU
z{J|jtrq2N(U=$nx6bIhV2)LIK5D?;LV`l6C)ZmywfSJ?9-pPa240Jvb0Th}|Qd#)>
z$f4r^L&pyAb{1g(-Z`P$;=nf!;3a(%x&e%%>nhOSaB_8q9ts_V*CmCeq(y(msmz_s
z-Rw;PjWK&W8;G+DSSCX%Ln1`%(p-4?1^}>P`@U}ob?6zM1y~F@4NZ*=ISkF+458Qj
zJ#FbCGR3vwr7M*4_`xS)ELSA9$`heOay9z3`(K!5=C(&VX;D^M2ee44z!R^DPY~5|
z@p3?)DioS28R_JPa(Udjmd$3>%dxtgJ^T67+KM9_sdjX&OJ{|YwMr}Qnd64mx%V=&
zHw|Rl4%o{+=8&;pa*W8xy+_20v;!xN!V==@J!=TjhMBZ`o9jfapgQ83cyqRv@KjP#
zwZv1(Ys*7zTv9l1IAD0ITcz$@XF|weVEdwk?Mc~!netWoB{44gYUI#yWK&Z<23K;<
zRlEG@^duD*rGQX>h3Vu3rrT^y0pfKLr>j0jh-v-f!o#fDc#ZiV=|9-FPd$gDT205_
zzOGq)20O$TB^c+OS)hN!Um22i#Si3xs{~M|6j&7{d}m0=f^#>cC1lDoU9GxxV!Hm&
z05`q_L;q4q$VC7Phu}v^$oD2L=ScPUI*|XsE&L6r76j+9oM!TKhO@N`RI?tUxkqA599j^zALfHo!o2Lw})!3KpfWT;{E<{pK-$xXK2|#)Mnk1-swqMXuW?{^t3!&1D
z0so;_8hM=0X02>C^1HE8Pjr4nb3b`~ibjI3g-x4`<3JSSZjw&0rQK~B4uxjrmStVr
z_YTeOn9bi{zXVU@OJUyPc;-qtI+WFPV}ZeHH<|OR9I{dPh+&n$z2?jUc|{+Q0Tn|V
zH-iiX-k7v0>W{Xsafzd>dQbW*am@(2^qA5(ns+u2htVWP3TwqV-l30t`Wi6W5P3_q
znq*myG0Wi{JN)#11^$jAsxngkhP<#rwO@90dnv;?Q2jp^f56SCa^D?^9WpZe6(1zUM#MNQ6ka23ihXu!I=YBtG@RX>s)w>Y8uead
zH_G%-G;gxXV%EfBY{*VLatBns>Moz2dTW72r$vlr1H>38E#jg1h(2-7UpAlj)7F@W
z5&lfk^3{I3A}InsHo156(jv@tJQ@Q6s)+ln%N^QsHpWzhqwvLdg{}+uTj#Bn;^D5m
z4Q;LCvss9-2|G2bbEne=w~)|g&rhw)-texjqD4jkuY+EoHA^?E);;^YmI#Yo{OUnx
zB9~z#s!-?3Xk47_%$b!FU8o5-x*FR62?6G2zZ$vBB|!mdfL;I|RXD_RBmbkY8hq!H
zRsXAk0zX9^e+UYwUECU!ctFkjjB|X~5a8nCzDQDmDh!UDHd<_`SRxpl|2ustlh4Hb--H`s(AIXu|59BP~{EVEN;
z?Bu$r+ib`Kj#ia-V0E_jWj>ePefs69gy(xdlD@&MTE=7M)wIg8I{1R)FI`pT&zUoh
zZfz4~*gMeqia_N3u2H}JRE&(3%#<`=ASIoQZ6K0rtNv{%L)emSOTob#hp)I1k8XSH
zbzxQu`xsmL+$pZkw|lV@_q`PX(f#xx5Y|^h0f8C1iTz=*jT}Vm4#D}D)|=d0xKrjl
zD0YQ8NL}1RZE&1Cdam@g65H6;lJ*LYj}N)XHgN2E{QVNyZ0gM4uAEzVzz8^C=u$j{
zKQ7!P{C4+iqhzea-zlNI|$KljN;6H`*;AC_asF;z65`M`CUDtXDXkD*LSdq2Rse$sE
z(JMDTA^X_~$q=s+O3u3V9aw~qDbx+3MQ>i);UK!fvJkUc&0@
zm)kxc-W}dw!{AoGGnkg(h7cXrt
zCtde9ru_rALSZCKMLqZjrOE>B#EF)t=UN}=4v{;?QqY23K9J|n2r=;b1(l?^4{U+U
fPZg4uJ2N9&g@<(Q@0wiOYG#2@Y{bfoYPtLu0!w|9

literal 32
ncmezO_TO6u1_mY|W_Xm5=la|E{*s%M?mC{^wn--0;QAy0^AQhj

diff --git a/jdk/test/TEST.groups b/jdk/test/TEST.groups
index 07f876ce3d..67b8c00b7d 100644
--- a/jdk/test/TEST.groups
+++ b/jdk/test/TEST.groups
@@ -203,6 +203,9 @@ jdk_security = \
     :jdk_security3 \
     :jdk_security4
 
+jdk_security_infra = \
+    security/infra/java/security/cert/CertPathValidator/certification
+
 jdk_text = \
     java/text \
     sun/text
diff --git a/jdk/test/lib/security/cacerts/VerifyCACerts.java b/jdk/test/lib/security/cacerts/VerifyCACerts.java
new file mode 100644
index 0000000000..6e104ee4ab
--- /dev/null
+++ b/jdk/test/lib/security/cacerts/VerifyCACerts.java
@@ -0,0 +1,314 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8189131
+ * @requires java.runtime.name ~= "OpenJDK.*"
+ * @summary Check root CA entries in cacerts file
+ */
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.cert.*;
+import java.util.*;
+
+public class VerifyCACerts {
+
+    private static final String CACERTS
+            = System.getProperty("java.home") + File.separator + "lib"
+            + File.separator + "security" + File.separator + "cacerts";
+
+    private static final String BASE = System.getProperty("test.src", "./");
+
+    // The numbers of certs now.
+    private static final int COUNT = 80;
+
+    // map of cert alias to SHA-256 fingerprint
+    private static final Map FINGERPRINT_MAP
+            = new HashMap() {{
+        put("actalisauthenticationrootca [jdk]",
+                "55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66");
+        put("buypassclass2ca [jdk]",
+                "9A:11:40:25:19:7C:5B:B9:5D:94:E6:3D:55:CD:43:79:08:47:B6:46:B2:3C:DF:11:AD:A4:A0:0E:FF:15:FB:48");
+        put("buypassclass3ca [jdk]",
+                "ED:F7:EB:BC:A2:7A:2A:38:4D:38:7B:7D:40:10:C6:66:E2:ED:B4:84:3E:4C:29:B4:AE:1D:5B:93:32:E6:B2:4D");
+        put("camerfirmachambersca [jdk]",
+                "06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0");
+        put("camerfirmachambersignca [jdk]",
+                "13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA");
+        put("camerfirmachamberscommerceca [jdk]",
+                "0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3");
+        put("certumca [jdk]",
+                "D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24");
+        put("certumtrustednetworkca [jdk]",
+                "5C:58:46:8D:55:F5:8E:49:7E:74:39:82:D2:B5:00:10:B6:D1:65:37:4A:CF:83:A7:D4:A3:2D:B7:68:C4:40:8E");
+        put("chunghwaepkirootca [jdk]",
+                "C0:A6:F4:DC:63:A2:4B:FD:CF:54:EF:2A:6A:08:2A:0A:72:DE:35:80:3E:2F:F5:FF:52:7A:E5:D8:72:06:DF:D5");
+        put("comodorsaca [jdk]",
+                "52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34");
+        put("comodoaaaca [jdk]",
+                "D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4");
+        put("comodoeccca [jdk]",
+                "17:93:92:7A:06:14:54:97:89:AD:CE:2F:8F:34:F7:F0:B6:6D:0F:3A:E3:A3:B8:4D:21:EC:15:DB:BA:4F:AD:C7");
+        put("usertrustrsaca [jdk]",
+                "E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2");
+        put("usertrusteccca [jdk]",
+                "4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A");
+        put("utnuserfirstobjectca [jdk]",
+                "6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F");
+        put("utnuserfirstclientauthemailca [jdk]",
+                "43:F2:57:41:2D:44:0D:62:74:76:97:4F:87:7D:A8:F1:FC:24:44:56:5A:36:7A:E6:0E:DD:C2:7A:41:25:31:AE");
+        put("utnuserfirsthardwareca [jdk]",
+                "6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37");
+        put("addtrustclass1ca [jdk]",
+                "8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7");
+        put("addtrustexternalca [jdk]",
+                "68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2");
+        put("addtrustqualifiedca [jdk]",
+                "80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16");
+        put("baltimorecybertrustca [jdk]",
+                "16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB");
+        put("baltimorecodesigningca [jdk]",
+                "A9:15:45:DB:D2:E1:9C:4C:CD:F9:09:AA:71:90:0D:18:C7:35:1C:89:B3:15:F0:F1:3D:05:C1:3A:8F:FB:46:87");
+        put("digicertglobalrootca [jdk]",
+                "43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61");
+        put("digicertglobalrootg2 [jdk]",
+                "CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F");
+        put("digicertglobalrootg3 [jdk]",
+                "31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0");
+        put("digicerttrustedrootg4 [jdk]",
+                "55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88");
+        put("digicertassuredidrootca [jdk]",
+                "3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C");
+        put("digicertassuredidg2 [jdk]",
+                "7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85");
+        put("digicertassuredidg3 [jdk]",
+                "7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2");
+        put("digicerthighassuranceevrootca [jdk]",
+                "74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF");
+        put("equifaxsecureca [jdk]",
+                "08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78");
+        put("equifaxsecureebusinessca1 [jdk]",
+                "2E:3A:2B:B5:11:25:05:83:6C:A8:96:8B:E2:CB:37:27:CE:9B:56:84:5C:6E:E9:8E:91:85:10:4A:FB:9A:F5:96");
+        put("equifaxsecureglobalebusinessca1 [jdk]",
+                "86:AB:5A:65:71:D3:32:9A:BC:D2:E4:E6:37:66:8B:A8:9C:73:1E:C2:93:B6:CB:A6:0F:71:63:40:A0:91:CE:AE");
+        put("geotrustglobalca [jdk]",
+                "FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A");
+        put("geotrustprimaryca [jdk]",
+                "37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C");
+        put("geotrustprimarycag2 [jdk]",
+                "5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F:7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66");
+        put("geotrustprimarycag3 [jdk]",
+                "B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4");
+        put("geotrustuniversalca [jdk]",
+                "A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12");
+        put("gtecybertrustglobalca [jdk]",
+                "A5:31:25:18:8D:21:10:AA:96:4B:02:C7:B7:C6:DA:32:03:17:08:94:E5:FB:71:FF:FB:66:67:D5:E6:81:0A:36");
+        put("thawteprimaryrootca [jdk]",
+                "8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F");
+        put("thawteprimaryrootcag2 [jdk]",
+                "A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57");
+        put("thawteprimaryrootcag3 [jdk]",
+                "4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C");
+        put("thawtepremiumserverca [jdk]",
+                "3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9");
+        put("verisigntsaca [jdk]",
+                "CB:6B:05:D9:E8:E5:7C:D8:82:B1:0B:4D:B7:0D:E4:BB:1D:E4:2B:A4:8A:7B:D0:31:8B:63:5B:F6:E7:78:1A:9D");
+        put("verisignclass1ca [jdk]",
+                "51:84:7C:8C:BD:2E:9A:72:C9:1E:29:2D:2A:E2:47:D7:DE:1E:3F:D2:70:54:7A:20:EF:7D:61:0F:38:B8:84:2C");
+        put("verisignclass1g2ca [jdk]",
+                "34:1D:E9:8B:13:92:AB:F7:F4:AB:90:A9:60:CF:25:D4:BD:6E:C6:5B:9A:51:CE:6E:D0:67:D0:0E:C7:CE:9B:7F");
+        put("verisignclass1g3ca [jdk]",
+                "CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65");
+        put("verisignclass2g2ca [jdk]",
+                "3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1");
+        put("verisignclass2g3ca [jdk]",
+                "92:A9:D9:83:3F:E1:94:4D:B3:66:E8:BF:AE:7A:95:B6:48:0C:2D:6C:6C:2A:1B:E6:5D:42:36:B6:08:FC:A1:BB");
+        put("verisignclass3ca [jdk]",
+                "A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05");
+        put("verisignclass3g2ca [jdk]",
+                "83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B");
+        put("verisignuniversalrootca [jdk]",
+                "23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C");
+        put("verisignclass3g3ca [jdk]",
+                "EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44");
+        put("verisignclass3g4ca [jdk]",
+                "69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79");
+        put("verisignclass3g5ca [jdk]",
+                "9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF");
+        put("certplusclass2primaryca [jdk]",
+                "0F:99:3C:8A:EF:97:BA:AF:56:87:14:0E:D5:9A:D1:82:1B:B4:AF:AC:F0:AA:9A:58:B5:D5:7A:33:8A:3A:FB:CB");
+        put("certplusclass3pprimaryca [jdk]",
+                "CC:C8:94:89:37:1B:AD:11:1C:90:61:9B:EA:24:0A:2E:6D:AD:D9:9F:9F:6E:1D:4D:41:E5:8E:D6:DE:3D:02:85");
+        put("keynectisrootca [jdk]",
+                "42:10:F1:99:49:9A:9A:C3:3C:8D:E0:2B:A6:DB:AA:14:40:8B:DD:8A:6E:32:46:89:C1:92:2D:06:97:15:A3:32");
+        put("dtrustclass3ca2 [jdk]",
+                "49:E7:A4:42:AC:F0:EA:62:87:05:00:54:B5:25:64:B6:50:E4:F4:9E:42:E3:48:D6:AA:38:E0:39:E9:57:B1:C1");
+        put("dtrustclass3ca2ev [jdk]",
+                "EE:C5:49:6B:98:8C:E9:86:25:B9:34:09:2E:EC:29:08:BE:D0:B0:F3:16:C2:D4:73:0C:84:EA:F1:F3:D3:48:81");
+        put("identrustdstx3 [jdk]",
+                "06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39");
+        put("identrustpublicca [jdk]",
+                "30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F");
+        put("identrustcommercial [jdk]",
+                "5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE");
+        put("letsencryptisrgx1 [jdk]",
+                "96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6");
+        put("luxtrustglobalrootca [jdk]",
+                "A1:B2:DB:EB:64:E7:06:C6:16:9E:3C:41:18:B2:3B:AA:09:01:8A:84:27:66:6D:8B:F0:E2:88:91:EC:05:19:50");
+        put("quovadisrootca [jdk]",
+                "A4:5E:DE:3B:BB:F0:9C:8A:E1:5C:72:EF:C0:72:68:D6:93:A2:1C:99:6F:D5:1E:67:CA:07:94:60:FD:6D:88:73");
+        put("quovadisrootca1g3 [jdk]",
+                "8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74");
+        put("quovadisrootca2 [jdk]",
+                "85:A0:DD:7D:D7:20:AD:B7:FF:05:F8:3D:54:2B:20:9D:C7:FF:45:28:F7:D6:77:B1:83:89:FE:A5:E5:C4:9E:86");
+        put("quovadisrootca2g3 [jdk]",
+                "8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40");
+        put("quovadisrootca3 [jdk]",
+                "18:F1:FC:7F:20:5D:F8:AD:DD:EB:7F:E0:07:DD:57:E3:AF:37:5A:9C:4D:8D:73:54:6B:F4:F1:FE:D1:E1:8D:35");
+        put("quovadisrootca3g3 [jdk]",
+                "88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46");
+        put("secomscrootca1 [jdk]",
+                "E7:5E:72:ED:9F:56:0E:EC:6E:B4:80:00:73:A4:3F:C3:AD:19:19:5A:39:22:82:01:78:95:97:4A:99:02:6B:6C");
+        put("secomscrootca2 [jdk]",
+                "51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6");
+        put("secomevrootca1 [jdk]",
+                "A2:2D:BA:68:1E:97:37:6E:2D:39:7D:72:8A:AE:3A:9B:62:96:B9:FD:BA:60:BC:2E:11:F6:47:F2:C6:75:FB:37");
+        put("swisssigngoldg2ca [jdk]",
+                "62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95");
+        put("swisssignplatinumg2ca [jdk]",
+                "3B:22:2E:56:67:11:E9:92:30:0D:C0:B1:5A:B9:47:3D:AF:DE:F8:C8:4D:0C:EF:7D:33:17:B4:C1:82:1D:14:36");
+        put("swisssignsilverg2ca [jdk]",
+                "BE:6C:4D:A2:BB:B9:BA:59:B6:F3:93:97:68:37:42:46:C3:C0:05:99:3F:A9:8F:02:0D:1D:ED:BE:D4:8A:81:D5");
+        put("soneraclass2ca [jdk]",
+                "79:08:B4:03:14:C1:38:10:0B:51:8D:07:35:80:7F:FB:FC:F8:51:8A:00:95:33:71:05:BA:38:6B:15:3D:D9:27");
+        put("securetrustca [jdk]",
+                "F1:C1:B5:0A:E5:A2:0D:D8:03:0E:C9:F6:BC:24:82:3D:D3:67:B5:25:57:59:B4:E7:1B:61:FC:E9:F7:37:5D:73");
+        put("xrampglobalca [jdk]",
+                "CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2");
+    }};
+
+    // Ninety days in milliseconds
+    private static final long NINETY_DAYS = 7776000000L;
+
+    private static boolean atLeastOneFailed = false;
+
+    private static MessageDigest md;
+
+    public static void main(String[] args) throws Exception {
+        System.out.println("cacerts file: " + CACERTS);
+        md = MessageDigest.getInstance("SHA-256");
+        KeyStore ks = KeyStore.getInstance("JKS");
+        ks.load(new FileInputStream(CACERTS), "changeit".toCharArray());
+
+        // check the count of certs inside
+        if (ks.size() != COUNT) {
+            atLeastOneFailed = true;
+            System.err.println("ERROR: " + ks.size() + " entries, should be "
+                    + COUNT);
+        }
+
+        // check that all entries in the map are in the keystore
+        for (String alias : FINGERPRINT_MAP.keySet()) {
+            if (!ks.isCertificateEntry(alias)) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: " + alias + " is not in cacerts");
+            }
+        }
+
+        // pull all the trusted self-signed CA certs out of the cacerts file
+        // and verify their signatures
+        Enumeration aliases = ks.aliases();
+        while (aliases.hasMoreElements()) {
+            String alias = aliases.nextElement();
+            System.out.println("\nVerifying " + alias);
+            if (!ks.isCertificateEntry(alias)) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: " + alias
+                        + " is not a trusted cert entry");
+            }
+            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
+            if (!checkFingerprint(alias, cert)) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: " + alias + " SHA-256 fingerprint is incorrect");
+            }
+            // Make sure cert can be self-verified
+            try {
+                cert.verify(cert.getPublicKey());
+            } catch (Exception e) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: cert cannot be verified:"
+                        + e.getMessage());
+            }
+
+            // Make sure cert is not expired or not yet valid
+            try {
+                cert.checkValidity();
+            } catch (CertificateExpiredException cee) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: cert is expired");
+            } catch (CertificateNotYetValidException cne) {
+                atLeastOneFailed = true;
+                System.err.println("ERROR: cert is not yet valid");
+            }
+
+            // If cert is within 90 days of expiring, mark as failure so
+            // that cert can be scheduled to be removed/renewed.
+            Date notAfter = cert.getNotAfter();
+            if (notAfter.getTime() - System.currentTimeMillis() < NINETY_DAYS) {
+                atLeastOneFailed = true;
+                System.err.println("WARNING: cert will expire within 90 days");
+            }
+        }
+
+        if (atLeastOneFailed) {
+            throw new Exception("At least one cacert test failed");
+        }
+    }
+
+    private static boolean checkFingerprint(String alias, Certificate cert)
+            throws Exception {
+        String fingerprint = FINGERPRINT_MAP.get(alias);
+        if (fingerprint == null) {
+            // no entry for alias
+            return true;
+        }
+        System.out.println("Checking fingerprint of " + alias);
+        byte[] digest = md.digest(cert.getEncoded());
+        return fingerprint.equals(toHexString(digest));
+    }
+
+    private static String toHexString(byte[] block) {
+        StringBuilder buf = new StringBuilder();
+        int len = block.length;
+        for (int i = 0; i < len; i++) {
+            buf.append(String.format("%02X", block[i]));
+            if (i < len - 1) {
+                buf.append(":");
+            }
+        }
+        return buf.toString();
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
new file mode 100644
index 0000000000..e76210b16d
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
@@ -0,0 +1,253 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with Actalis CA
+ * @build ValidatePathWithParams
+ * @run main/othervm/timeout=180 -Djava.security.debug=certpath ActalisCA OCSP
+ * @run main/othervm/timeout=180 -Djava.security.debug=certpath ActalisCA CRL
+ */
+
+ /*
+ * Obtain test artifacts for Actalis CA from:
+ *
+ * Test web site with *active *TLS Server certificate:
+ * https://ssltest-a.actalis.it:8443
+ * If doesn't work then use certificate of https://www.actalis.it
+ *
+ * Test web site with *revoked *TLS Server certificate:
+ * https://ssltest-r.actalis.it:8444
+ *
+ * Test web site with *expired *TLS Server certificate:
+ * https://ssltest-e.actalis.it:8445
+ */
+public class ActalisCA {
+
+    // Owner: CN=Actalis Extended Validation Server CA G1,
+    // O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
+    // Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
+    // L=Milan, C=IT
+    private static final String INT_VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGTDCCBDSgAwIBAgIIMtYr/GdQGsswDQYJKoZIhvcNAQELBQAwazELMAkGA1UE\n"
+            + "BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w\n"
+            + "MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290\n"
+            + "IENBMB4XDTE1MDUxNDA3MDAzOFoXDTMwMDUxNDA3MDAzOFowgYcxCzAJBgNVBAYT\n"
+            + "AklUMQ8wDQYDVQQIDAZNaWxhbm8xDzANBgNVBAcMBk1pbGFubzEjMCEGA1UECgwa\n"
+            + "QWN0YWxpcyBTLnAuQS4vMDMzNTg1MjA5NjcxMTAvBgNVBAMMKEFjdGFsaXMgRXh0\n"
+            + "ZW5kZWQgVmFsaWRhdGlvbiBTZXJ2ZXIgQ0EgRzEwggEiMA0GCSqGSIb3DQEBAQUA\n"
+            + "A4IBDwAwggEKAoIBAQD1Ygc1CwmqXqjd3dTEKMLUwGdb/3+00ytg0uBb4RB+89/O\n"
+            + "4K/STFZcGUjcCq6Job5cmxZBGyRRBYfCEn4vg8onedFztkO0NvD04z4wLFyxjSRT\n"
+            + "bcMm2d+/Xci5XLA3Q9wG8TGzHTVQKmdvFpQ7b7EsmOc0uXA7w3UGhLjb2EYpu/Id\n"
+            + "uZ1LUTyEOHc3XHXI3a3udkRBDs/bObTcbte80DPbNetRFB+jHbIw5sH171IeBFGN\n"
+            + "PB92Iebp01yE8g3X9RqPXrrV7ririEtwFMYp+KgA8BRHxsoNV3xZmhdzJm0AMzC2\n"
+            + "waLM3H562xPM0UntAYh2pRrAUUtgURRizCT1kr6tAgMBAAGjggHVMIIB0TBBBggr\n"
+            + "BgEFBQcBAQQ1MDMwMQYIKwYBBQUHMAGGJWh0dHA6Ly9vY3NwMDUuYWN0YWxpcy5p\n"
+            + "dC9WQS9BVVRILVJPT1QwHQYDVR0OBBYEFGHB5IYeTW10dLzZlzsxcXjLP5/cMA8G\n"
+            + "A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbtifN7OHCUyQICNtAw\n"
+            + "RQYDVR0gBD4wPDA6BgRVHSAAMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vd3d3LmFj\n"
+            + "dGFsaXMuaXQvYXJlYS1kb3dubG9hZDCB4wYDVR0fBIHbMIHYMIGWoIGToIGQhoGN\n"
+            + "bGRhcDovL2xkYXAwNS5hY3RhbGlzLml0L2NuJTNkQWN0YWxpcyUyMEF1dGhlbnRp\n"
+            + "Y2F0aW9uJTIwUm9vdCUyMENBLG8lM2RBY3RhbGlzJTIwUy5wLkEuJTJmMDMzNTg1\n"
+            + "MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MD2g\n"
+            + "O6A5hjdodHRwOi8vY3JsMDUuYWN0YWxpcy5pdC9SZXBvc2l0b3J5L0FVVEgtUk9P\n"
+            + "VC9nZXRMYXN0Q1JMMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEA\n"
+            + "OD8D2Z2fw76+GIu+mDEgygH/y7F9K4I6rZOc3LqGBecO3C0fGcIuuG7APtxGGk7Y\n"
+            + "nk97Qt+3pDoek9EP65/1u128pRncZcjEAeMgKb7UuJxwoR6Sj5zhOadotKcCQqmF\n"
+            + "Si99ExNo6dTq5Eyp1KrqepLmezbO9owx4Q44mtNpfKLMgzDqOn/dwNMo/pGYbMfP\n"
+            + "DjhxEnta1HXgcEcgCk1Au16xkdzapwY4sXpKuwB24phfWF+cveKAQ0Rncmvrm34i\n"
+            + "9B6leZUkSHDe4mRkbO5nObhKHYRmVSr0Q/wvGCmTgGTKuw/Gj8+RFb5MEkOKEcJn\n"
+            + "I32CPohpiW/jlpeLaFBIgJnXuZTxmfTX55sqtXDlKxRxFwq1W3kML4UfGZsgjx1l\n"
+            + "hX5fQ1QlEZeO9CyPpgGO5Py2KXXKhUxCtF7tawAYimWwslxvPCjHDND/WhM1Fz9e\n"
+            + "2yqwHcSQAOUVv5mk9uYc6/NSLwLb5in3R728GNEpHHhbx5QZhtdqR8mb56uJUDKI\n"
+            + "AwnnZckcR+SLGL2Agx7hY7YCMOQhSsO6PA81M/mGW2hGCiZw3GULJe9ejL/vdS0I\n"
+            + "PWrp7YLnXUa6mtXVSBKGrVrlbpJaN10+fB4Yrlk4O2sF4WNUAHMBn9T+zOXaBAhj\n"
+            + "vNlMU7+elLkTcKIB7qJJuSZChxzoevM2ciO3BpGuRxg=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53,
+    // OID.2.5.4.15=Private Organization, CN=www.actalis.it,
+    // SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
+    // Issuer: CN=Actalis Extended Validation Server CA G1,
+    // O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
+    // Serial number: eeeee6d6463bde2
+    // Valid from: Sat Jun 17 05:59:17 PDT 2017 until: Mon Jun 17 05:59:17 PDT 2019
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIHwTCCBqmgAwIBAgIIDu7ubWRjveIwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNV\n"
+            + "BAYTAklUMQ8wDQYDVQQIDAZNaWxhbm8xDzANBgNVBAcMBk1pbGFubzEjMCEGA1UE\n"
+            + "CgwaQWN0YWxpcyBTLnAuQS4vMDMzNTg1MjA5NjcxMTAvBgNVBAMMKEFjdGFsaXMg\n"
+            + "RXh0ZW5kZWQgVmFsaWRhdGlvbiBTZXJ2ZXIgQ0EgRzEwHhcNMTcwNjE3MTI1OTE3\n"
+            + "WhcNMTkwNjE3MTI1OTE3WjCB0zELMAkGA1UEBhMCSVQxEDAOBgNVBAgMB0Jlcmdh\n"
+            + "bW8xGTAXBgNVBAcMEFBvbnRlIFNhbiBQaWV0cm8xFzAVBgNVBAoMDkFjdGFsaXMg\n"
+            + "Uy5wLkEuMRQwEgYDVQQFEwswMzM1ODUyMDk2NzEXMBUGA1UEAwwOd3d3LmFjdGFs\n"
+            + "aXMuaXQxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRswGQYDVQQJDBJW\n"
+            + "aWEgUy4gQ2xlbWVudGUgNTMxEzARBgsrBgEEAYI3PAIBAxMCSVQwggEiMA0GCSqG\n"
+            + "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwZ3++4pQYGfhXSqin1CKRJ6SOqkTcX3O0\n"
+            + "6b4jZbSNomyqyn6aHOz6ztOlj++fPzxmIzErEySOTd3G0pr+iwpYQVdeg1Y27KL8\n"
+            + "OiwwUrlV4ZMa8KKXr4BnWlDbFIo+eIcSew5V7CiodDyxpj9zjqJK497LF1jxgXtr\n"
+            + "IoMRwrh2Y0NbJCZGUCL30sQr/W4xBnO1+pi2DbCieGe/XoK8yEtx9FdnEFvyT9qn\n"
+            + "zYyrXvnTvfVSwzwtEIn+akjomI4WfCFLBF0M7v4dAHypfnPAAoW1c0BBqNB32zf0\n"
+            + "rYwNnD7UwZlcDihEYlgC70Dfy7bPsdq2spmOMk/VUqb3U0LHRVM3AgMBAAGjggPh\n"
+            + "MIID3TB9BggrBgEFBQcBAQRxMG8wOgYIKwYBBQUHMAKGLmh0dHA6Ly9jYWNlcnQu\n"
+            + "YWN0YWxpcy5pdC9jZXJ0cy9hY3RhbGlzLWF1dGV2ZzEwMQYIKwYBBQUHMAGGJWh0\n"
+            + "dHA6Ly9vY3NwMDUuYWN0YWxpcy5pdC9WQS9BVVRIRVYtRzEwHQYDVR0OBBYEFK9y\n"
+            + "954QoY/5XV6TayD1gWVy0gQOMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUYcHk\n"
+            + "hh5NbXR0vNmXOzFxeMs/n9wwUAYDVR0gBEkwRzA8BgYrgR8BEQEwMjAwBggrBgEF\n"
+            + "BQcCARYkaHR0cHM6Ly93d3cuYWN0YWxpcy5pdC9hcmVhLWRvd25sb2FkMAcGBWeB\n"
+            + "DAEBMIHvBgNVHR8EgecwgeQwgaKggZ+ggZyGgZlsZGFwOi8vbGRhcDA1LmFjdGFs\n"
+            + "aXMuaXQvY24lM2RBY3RhbGlzJTIwRXh0ZW5kZWQlMjBWYWxpZGF0aW9uJTIwU2Vy\n"
+            + "dmVyJTIwQ0ElMjBHMSxvJTNkQWN0YWxpcyUyMFMucC5BLi8wMzM1ODUyMDk2Nyxj\n"
+            + "JTNkSVQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDtiaW5hcnkwPaA7oDmGN2h0\n"
+            + "dHA6Ly9jcmwwNS5hY3RhbGlzLml0L1JlcG9zaXRvcnkvQVVUSEVWLUcxL2dldExh\n"
+            + "c3RDUkwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\n"
+            + "BQcDAjAZBgNVHREEEjAQgg53d3cuYWN0YWxpcy5pdDCCAX4GCisGAQQB1nkCBAIE\n"
+            + "ggFuBIIBagFoAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFc\n"
+            + "tiwHywAABAMARzBFAiEA7GC5/kja3l8cBw1/wBpHl/AKH6eL1MKpmICtf5G09c4C\n"
+            + "IBM887DQEwD2E4Xx/IP+33NMvUOhSwZ4XODgqFVXsz0wAHYA7ku9t3XOYLrhQmkf\n"
+            + "q+GeZqMPfl+wctiDAMR7iXqo/csAAAFctiwIqwAABAMARzBFAiEAwwiR95ozXdKs\n"
+            + "+uULfrzgENbHc2rLgGIac6ZMv0xHDLACIFLQVpvQBRQfys2KVRGHQKGxqAeghQZw\n"
+            + "9nJL+U5huzfaAHYA3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswAAAFc\n"
+            + "tiwMqwAABAMARzBFAiEAifV9ocxbO6b3I22jb2zxBvG2e83hXHitOhYXkHdSmZkC\n"
+            + "IDJLuPvGOczF9axgphImlUbT9dX3wRpjEi5IeV+pxMiYMA0GCSqGSIb3DQEBCwUA\n"
+            + "A4IBAQB5U6k1Onv9Y7POHGnUOI0ATHevbpbS/7r68DZQ6cRmDIpsZyjW6PxYs9nc\n"
+            + "3ob3Pjomm+S7StDl9ehI7rYLlZC52QlXlsq1fzEQ9xSkf+VSD70A91dPIFAdI/jQ\n"
+            + "aWvIUvQEbhfUZc0ihIple0VyWGH5bza0DLW+C8ttF8KqICUfL8S8mZgjbXvVg2fY\n"
+            + "HLW9lWR/Pkco2yRc8gZyr9FGkXOcmJ8aFaCuJnGm/IVRCieYp60If4DoAKz49xpF\n"
+            + "CF6RjOAJ//UGSp/ySjHMmT8PLO7NvhsT4XDDGTSeIYYpO++tbEIcLcjW9m2k5Gnh\n"
+            + "kmEenr0hdcpeLgsP3Fsy7JxyQNpL\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner:  CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
+    // Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
+    // SN:     741d584a 72fc06bc
+    // Valid from: Wed Feb 12 22:32:23 PST 2014
+    // Valid till: Mon Feb 12 22:32:23 PST 2024
+    private static final String INT_REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGTTCCBDWgAwIBAgIIdB1YSnL8BrwwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE\n"
+            + "BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w\n"
+            + "MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290\n"
+            + "IENBMB4XDTE0MDIxMzE1MDIyM1oXDTI0MDIxMzE1MDIyM1owezELMAkGA1UEBhMC\n"
+            + "SVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQKDBpB\n"
+            + "Y3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzElMCMGA1UEAwwcQWN0YWxpcyBBdXRo\n"
+            + "ZW50aWNhdGlvbiBDQSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
+            + "AMzhDjmhNDym6ze3PegbIKmiavXpAjgVCZ344k1DOtdSCV6k3h3rqfHqFn3mrayA\n"
+            + "btmJ0NeC886WxUUsJwHJ3bOnNBQZIHxLV+1RVD/6TQqb6/bPJu4rDwEfhbJSmErc\n"
+            + "29wUJWqxXMhSAWTHi3Pq0vrkx59e5KTEyfB2kHo6InlR72sCCRdtCL9aDuDm8nYK\n"
+            + "pTSAJr36ultwME5NyCNSyN2JIK0wYbEi7MVNbp5KN9MusTp3cOMDoVBreYulmnEu\n"
+            + "TNazmoAv0K8oLS7iX7c9x+zGjUUAucFEuSlRn3sL6hFAiKjy4PDClvnyqQHBBdZr\n"
+            + "/3JOxAcgXv7aZ4/STeXeDXsCAwEAAaOCAeMwggHfMEEGCCsGAQUFBwEBBDUwMzAx\n"
+            + "BggrBgEFBQcwAYYlaHR0cDovL3BvcnRhbC5hY3RhbGlzLml0L1ZBL0FVVEgtUk9P\n"
+            + "VDAdBgNVHQ4EFgQUqqr9yowdTfEug+EG/PqO6g4jrj0wDwYDVR0TAQH/BAUwAwEB\n"
+            + "/zAfBgNVHSMEGDAWgBRS2Ig6yJ94Zu2J83s4cJTJAgI20DBUBgNVHSAETTBLMEkG\n"
+            + "BFUdIAAwQTA/BggrBgEFBQcCARYzaHR0cHM6Ly9wb3J0YWwuYWN0YWxpcy5pdC9S\n"
+            + "ZXBvc2l0b3J5L1BvbGljeS9TU0wvQ1BTMIHiBgNVHR8EgdowgdcwgZSggZGggY6G\n"
+            + "gYtsZGFwOi8vbGRhcC5hY3RhbGlzLml0L2NuJTNkQWN0YWxpcyUyMEF1dGhlbnRp\n"
+            + "Y2F0aW9uJTIwUm9vdCUyMENBLG8lM2RBY3RhbGlzJTIwUy5wLkEuJTJmMDMzNTg1\n"
+            + "MjA5NjcsYyUzZElUP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MD6g\n"
+            + "PKA6hjhodHRwOi8vcG9ydGFsLmFjdGFsaXMuaXQvUmVwb3NpdG9yeS9BVVRILVJP\n"
+            + "T1QvZ2V0TGFzdENSTDAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIB\n"
+            + "ABP93l+9QBgzHF0Clf3gMAelGqwXT25DwZVFIkBw6YyqOPcaqzw1XKHJJEMQ8xOp\n"
+            + "8uuiPLP/ObxEXBBvH7ofNW7nRUIzGsuLPhzdfJhdzilCVAvz4WRsX44nWOQS4Qu0\n"
+            + "npo7dbq/KxFUCUO9yNEJp6YxNloy8XFIlazkHFTKGJqoUpsGoc7B9YmPchhE2FPb\n"
+            + "OZiOCg4Y2Qp43UJfnENgZ3gJFh16juQE1uS8Q/JJI7ZzJfJ/W0uQoDnCprOPUpLF\n"
+            + "G03e0asFxwQqhL84Jvf7rJZaWvwydHP4hH47nzpHWEGXwfJLXXoO7LHgqVB7K9Ar\n"
+            + "Zf3pY0S/3Fs+AN/PrEY3Z3rb7ypQLRiot1oJLl8matiGEF4aFL5DDkr9wfRAZ8S8\n"
+            + "WT69vN68ENGgEwyeZSlQxn+4g6quHRav0fmF2fGnLaq7tteSPVocT7XaMEpkHqNs\n"
+            + "x1q/PJbr39s/1QVZtS9CrdoCr0QAnBaX//PPB6ansSLFcvEqM9QcV9xQZex88ToX\n"
+            + "nk3TcHtA0ezWJlCkg626MhdQZrhHbkauHfIGSOmCkn3zHp0BZQ6Vo7UOdRMT7QS7\n"
+            + "y7AkET9Qmapwh2CFUdCJSXklVRd+06XhhOB37NQU0pGJQJ3xjEPrILZ8kLhW3Tyq\n"
+            + "Iv30LW7MXZ4yQn/JHEZbuiOOb4R45hsPZxe6gOq/e+sf\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner:  CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
+    // Issuer: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
+    // SN:     0455de97 5c71c96f
+    // Valid from: Thu Jan 28 16:23:52 PST 2016
+    // Valid till: Mon Jan 28 16:23:52 PST 2019
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFmDCCBICgAwIBAgIIBFXel1xxyW8wDQYJKoZIhvcNAQELBQAwezELMAkGA1UE\n"
+            + "BhMCSVQxDzANBgNVBAgMBk1pbGFubzEPMA0GA1UEBwwGTWlsYW5vMSMwIQYDVQQK\n"
+            + "DBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzElMCMGA1UEAwwcQWN0YWxpcyBB\n"
+            + "dXRoZW50aWNhdGlvbiBDQSBHMzAeFw0xNjAxMjkwODUzNTJaFw0xOTAxMjkwODUz\n"
+            + "NTJaMHIxCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdCZXJnYW1vMRkwFwYDVQQHDBBQ\n"
+            + "b250ZSBTYW4gUGlldHJvMRcwFQYDVQQKDA5BY3RhbGlzIFMucC5BLjEdMBsGA1UE\n"
+            + "AwwUc3NsdGVzdC1yLmFjdGFsaXMuaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+            + "ggEKAoIBAQClbzoXCvD21FD7Oy/TKZu4fmDFJrISrNfasLlC3krLHkgb1vg23Z1P\n"
+            + "+7rIymDgrJSzjvYmisl+VM7xXxTsyI2pp9Qp/uzTMAMML9ISd/s0LaMBiNN5iPyj\n"
+            + "W91gGzGe30Jc319afKwFBaveSv7NO3DWsmHw9koezWkKUug2dnQCVXk1uTSdobnq\n"
+            + "wOgwxdd86LpZnFLxBIYdU68S4vogAQZjdja/S1+tF6JnfvY6o/xRJmQckVtNmUs6\n"
+            + "Dj3KoN2o/8BEgSCYcJz8tfoZcVazVkWOp/u6moUnm1/IKSYNgtHnB1ub0fB2AttW\n"
+            + "Vi7cs3SG/tDMMP8yc1kWScWf8CYj/AI1AgMBAAGjggInMIICIzA/BggrBgEFBQcB\n"
+            + "AQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwMDMuYWN0YWxpcy5pdC9WQS9B\n"
+            + "VVRILUczMB0GA1UdDgQWBBRIKN5WmrjivlnT1rDzsH1WZ+PuvTAMBgNVHRMBAf8E\n"
+            + "AjAAMB8GA1UdIwQYMBaAFKqq/cqMHU3xLoPhBvz6juoOI649MGAGA1UdIARZMFcw\n"
+            + "SwYGK4EfARQBMEEwPwYIKwYBBQUHAgEWM2h0dHBzOi8vcG9ydGFsLmFjdGFsaXMu\n"
+            + "aXQvUmVwb3NpdG9yeS9Qb2xpY3kvU1NML0NQUzAIBgZngQwBAgIwgd8GA1UdHwSB\n"
+            + "1zCB1DCBlKCBkaCBjoaBi2xkYXA6Ly9sZGFwMDMuYWN0YWxpcy5pdC9jbiUzZEFj\n"
+            + "dGFsaXMlMjBBdXRoZW50aWNhdGlvbiUyMENBJTIwRzMsbyUzZEFjdGFsaXMlMjBT\n"
+            + "LnAuQS4lMmYwMzM1ODUyMDk2NyxjJTNkSVQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9u\n"
+            + "TGlzdDtiaW5hcnkwO6A5oDeGNWh0dHA6Ly9jcmwwMy5hY3RhbGlzLml0L1JlcG9z\n"
+            + "aXRvcnkvQVVUSC1HMy9nZXRMYXN0Q1JMMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE\n"
+            + "FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIUc3NsdGVzdC1yLmFj\n"
+            + "dGFsaXMuaXQwDQYJKoZIhvcNAQELBQADggEBAHZLND53/CZoMlDtfln0ZByCEhoF\n"
+            + "/XtA9cYy2azRGgS/VY4WUccvg99MM50cwn5GPRsJpoaFXeDrjV3DkOUK1jERzjx4\n"
+            + "5y83K/AkCGe7uU17aS+tweETizBAfHNj78oHmZDmkDSEY2STaeuHNDJ9ft0v3QTb\n"
+            + "VW54R5W3OBU7L/sJoEUdRxzGN7vO82PboGvyApMCWDRLKE7bPP4genQtF3XPcaFl\n"
+            + "ekuSiEVYS+KnM2v9tCWHqw6x7raWHFB9w1kAKNwv0hbEJkeC+a2bCdPwv8hs//sa\n"
+            + "gUF4p61mIpf+5qmQ6gcZOClPWyrbYdQdfCvKgbEdKhwB0v5KS0NIRRn41SE=\n"
+            + "-----END CERTIFICATE-----";
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+        boolean ocspEnabled = false;
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+            ocspEnabled = true;
+        }
+
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT_VALID},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Revoked certificate is using SHA1 signature
+        if (ocspEnabled) {
+            // Revoked test certificate is expired
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("July 01, 2016");
+        }
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT_REVOKED},
+                ValidatePathWithParams.Status.REVOKED,
+                "Fri Jan 29 01:06:42 PST 2016", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java
new file mode 100644
index 0000000000..2a1a846161
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with Buypass Class 2 and Class 3 CA
+ * @build ValidatePathWithParams
+ * @run main/othervm/timeout=180 -Djava.security.debug=certpath BuypassCA OCSP
+ * @run main/othervm/timeout=180 -Djava.security.debug=certpath BuypassCA CRL
+ */
+
+ /*
+ * Obtain test artifacts for Buypass Class 2 and Class 3 CAs from:
+ *  Class 2:
+ *      https://valid.domainplus.ca22.ssl.buypass.no/CA2Class2   (valid)
+ *      https://revoked.domainplus.ca22.ssl.buypass.no        (revoked)
+ *
+ *  Class3:
+ *      https://valid.business.ca23.ssl.buypass.no    (valid)
+ *      https://revoked.business.ca23.ssl.buypass.no    (revoked)
+ */
+public class BuypassCA {
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+
+        boolean ocspEnabled = true;
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+            ocspEnabled = false;
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+        }
+
+        new BuypassClass2().runTest(pathValidator);
+        new BuypassClass3().runTest(pathValidator, ocspEnabled);
+    }
+}
+
+class BuypassClass2 {
+
+    // Owner: CN=Buypass Class 2 CA 2, O=Buypass AS-983163327, C=NO
+    // Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
+    private static final String INT_CLASS_2 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFCzCCAvOgAwIBAgIBGDANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd\n"
+            + "MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg\n"
+            + "Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjEwMTYxN1oXDTMwMTAyNjEwMTYxN1ow\n"
+            + "SzELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0w\n"
+            + "GwYDVQQDDBRCdXlwYXNzIENsYXNzIDIgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+            + "ggEPADCCAQoCggEBAJyrZ8aWSw0PkdLsyswzK/Ny/A5/uU6EqQ99c6omDMpI+yNo\n"
+            + "HjUO42ryrATs4YHla+xj+MieWyvz9HYaCnrGL0CE4oX8M7WzD+g8h6tUCS0AakJx\n"
+            + "dC5PBocUkjQGZ5ZAoF92ms6C99qfQXhHx7lBP/AZT8sCWP0chOf9/cNxCplspYVJ\n"
+            + "HkQjKN3VGa+JISavCcBqf33ihbPZ+RaLjOTxoaRaWTvlkFxHqsaZ3AsW71qSJwaE\n"
+            + "55l9/qH45vn5mPrHQJ8h5LjgQcN5KBmxUMoA2iT/VSLThgcgl+Iklbcv9rs6aaMC\n"
+            + "JH+zKbub+RyRijmyzD9YBr+ZTaowHvJs9G59uZMCAwEAAaOB9jCB8zAPBgNVHRMB\n"
+            + "Af8EBTADAQH/MB8GA1UdIwQYMBaAFMmAd+BikoL1RpzzuvdMw964o605MB0GA1Ud\n"
+            + "DgQWBBSSrWWJsgAPy1ENwSPslE6PwQQ/dzAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0g\n"
+            + "BAowCDAGBgRVHSAAMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuYnV5cGFz\n"
+            + "cy5uby9jcmwvQlBDbGFzczJSb290Q0EuY3JsMD4GCCsGAQUFBwEBBDIwMDAuBggr\n"
+            + "BgEFBQcwAYYiaHR0cDovL29jc3AuYnV5cGFzcy5uby9vY3NwL0JQT2NzcDANBgkq\n"
+            + "hkiG9w0BAQsFAAOCAgEAq8IVUouNdeHQljyp8xpa9GC7rpSRXGRRTolSXNa9TUfU\n"
+            + "48Z0Vj3x9jT58I+I8P7fKp+p4Wdu0kcwxOXsooP8hdGLqXY4nV9amkNRiTs99xa3\n"
+            + "Qu/KdLeAPEeeKztxDCLXGmsC4+1G6DuDrOkwSm9Tm+HxSZRGR4Qo3mU3CCSz37us\n"
+            + "q7I0mnY4cCeBPQ3zW5J7k7KmMpUlxOPnLpaASY2JhoeiWIWddH6LUsMkZk1jDv+M\n"
+            + "Hyw2JWZUEUMCZoxLZ7F+4xP7v8wcEtICFo6tZIaawq9p/S6+mJLcoQ7wdQBM0+NA\n"
+            + "cc1MnSbPz75WP4cFhVf1SFq5gBBMCgzYaw+A9bJxDgqV3IMG6TtWfOWz7KhMV+EL\n"
+            + "iVp0fXua2GITRwr+htWnID3ShbHOtCMUm9qrqC6aWNPvJqqKLdhgU9bQ/s5o05a0\n"
+            + "D8NFT07l8yY6+ge+PPHOidnZrTNFIF9dtEdtyXGNrcqhZF0QvqeV1yZ/Kf2+W4pa\n"
+            + "Wor82CuDZNfcf0lje3guk+oZexxpIO57eGJQh9iGLM5dBeEMF7+f5j/1/rGsf6vA\n"
+            + "KkudpjiTl1v/GoO2zMDTTQVcjEsLSYSV0+s2p5QTXuAXrL0/ER3KQRvewIAtmzFg\n"
+            + "IaPy7t2TV0olHISRMvaEz4Guh2biuO/N6SP3pkk3dsMxiEVw7Xc+ouCb03Rz3aA=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=valid.domainplus.ca22.ssl.buypass.no
+    // Issuer: CN=Buypass Class 2 CA 2, O=Buypass AS-983163327, C=NO
+    // Serial number: f0673c7183c95b38c93
+    // Valid from: Mon Jan 25 00:20:55 PST 2016 until: Fri Jan 25 14:59:00 PST 2019
+    private static final String VALID_CLASS_2 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIEgzCCA2ugAwIBAgIKDwZzxxg8lbOMkzANBgkqhkiG9w0BAQsFADBLMQswCQYD\n"
+            + "VQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMM\n"
+            + "FEJ1eXBhc3MgQ2xhc3MgMiBDQSAyMB4XDTE2MDEyNTA4MjA1NVoXDTE5MDEyNTIy\n"
+            + "NTkwMFowLzEtMCsGA1UEAwwkdmFsaWQuZG9tYWlucGx1cy5jYTIyLnNzbC5idXlw\n"
+            + "YXNzLm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhA0eVz8ADqx\n"
+            + "dcrIZUzCf1n+kaBFyEF4WteUMtM4ta7szTm19f1/O4LRwr+pI5qQDgWHnHMX9sit\n"
+            + "rKOJPfMRgWrViaQ5y9QCZ4h2BIuDe61XVGkEcUiOoNojLRvDrbjpknI69nb1wbjn\n"
+            + "fpmCQVjYXoandr7RsexdWG4e+s6rk5Jk/zAUzU3Vbi0lmDJ62Dd+Dk3/IVrSebOp\n"
+            + "eIDniRX4vjIeucnDDTQ1VqSIN+gYNR/bMxXKFbScGAG+BpgZMwetJBJhTi7zlOgR\n"
+            + "4zAtdvvpJNN1pmNCsmJaM25WQgH6a05cTQtgYN//MKqTDww7z+LfK37mOxh3vBTu\n"
+            + "TR5S6VxzQQIDAQABo4IBgzCCAX8wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSSrWWJ\n"
+            + "sgAPy1ENwSPslE6PwQQ/dzAdBgNVHQ4EFgQUIs9OWkfc6S1c8mbYgi6Ns1kzh0Mw\n"
+            + "DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAf\n"
+            + "BgNVHSAEGDAWMAoGCGCEQgEaAQIEMAgGBmeBDAECATA6BgNVHR8EMzAxMC+gLaAr\n"
+            + "hilodHRwOi8vY3JsLmJ1eXBhc3Mubm8vY3JsL0JQQ2xhc3MyQ0EyLmNybDAvBgNV\n"
+            + "HREEKDAmgiR2YWxpZC5kb21haW5wbHVzLmNhMjIuc3NsLmJ1eXBhc3Mubm8wdQYI\n"
+            + "KwYBBQUHAQEEaTBnMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5idXlwYXNzLm5v\n"
+            + "L29jc3AvQlBPY3NwMDUGCCsGAQUFBzAChilodHRwOi8vY3J0LmJ1eXBhc3Mubm8v\n"
+            + "Y3J0L0JQQ2xhc3MyQ0EyLmNlcjANBgkqhkiG9w0BAQsFAAOCAQEAjDPxDQnnzH+v\n"
+            + "Mnj8dRM6NPBVXl4JNofWlwqzYdu+HauFeF3AOZVVyr/YbOR9/ewDrScOvrGohndV\n"
+            + "7Si0l5hz3fo51Ra81TyR8kWR7nJC2joidT1X4a0hF9zu8CNQNVmkOhoACgeuv42R\n"
+            + "NDwmj9TfpNRyC4RA7/NzXMeRJYfOrh18S9VHhCzsWScd9td3u7hrhBOPPOql9f2K\n"
+            + "t9Hcevo+cceE6bGYwbW6xNr3iPOh31shMxgRUMojVamtH70tYMi+0e0lrzXdxgGO\n"
+            + "ISnXBS2HptakUIxF3feTOjBhhh5vb9RJxfdJA///ggkR3L51MfjrusucpNoz3k3P\n"
+            + "f5e7ZlSJ6g==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=revoked.domainplus.ca22.ssl.buypass.no
+    // Issuer: CN=Buypass Class 2 CA 2, O=Buypass AS-983163327, C=NO
+    // Serial number: f07a517dfc19ea8bf8f
+    // Valid from: Mon Jan 25 00:22:09 PST 2016 until: Fri Jan 25 14:59:00 PST 2019
+    private static final String REVOKED_CLASS_2 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIEhzCCA2+gAwIBAgIKDwelF9/Bnqi/jzANBgkqhkiG9w0BAQsFADBLMQswCQYD\n"
+            + "VQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMM\n"
+            + "FEJ1eXBhc3MgQ2xhc3MgMiBDQSAyMB4XDTE2MDEyNTA4MjIwOVoXDTE5MDEyNTIy\n"
+            + "NTkwMFowMTEvMC0GA1UEAwwmcmV2b2tlZC5kb21haW5wbHVzLmNhMjIuc3NsLmJ1\n"
+            + "eXBhc3Mubm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjp/5BLRjH\n"
+            + "03XNNT2YXqg+txclRaUu88Rjbj4oEudFbkGTl+oBhmXX4QjM4WGvgw1AHW7nePWF\n"
+            + "/j3aR1kWJCl/ZOe097mb0V0dIwK6u6RVx9ERd4ITa/cmUJjy1+D+vCsT0elJY1vf\n"
+            + "vbwCdaloS7MZDG3wmJGxrUz7fo7t/JdsW481Ymau3xVTQ+45MusPmOE8RZ6nggIQ\n"
+            + "dZIA00XPhlQwg5ivuPwtcNNZIkk1fkU+5J+RUOI5qHA9zH2s1Hly6PzTATCxSDSi\n"
+            + "zqAmBH0ehrWqCWiKH5P3J8dCRA6qa2n5pD71CweLrUsbmztkBHUlYKlZ0fP6bGiI\n"
+            + "ZDMBLL/aFQybAgMBAAGjggGFMIIBgTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJKt\n"
+            + "ZYmyAA/LUQ3BI+yUTo/BBD93MB0GA1UdDgQWBBQZICByGObE/pJISOcMavbKRl2L\n"
+            + "+zAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\n"
+            + "MB8GA1UdIAQYMBYwCgYIYIRCARoBAgQwCAYGZ4EMAQIBMDoGA1UdHwQzMDEwL6At\n"
+            + "oCuGKWh0dHA6Ly9jcmwuYnV5cGFzcy5uby9jcmwvQlBDbGFzczJDQTIuY3JsMDEG\n"
+            + "A1UdEQQqMCiCJnJldm9rZWQuZG9tYWlucGx1cy5jYTIyLnNzbC5idXlwYXNzLm5v\n"
+            + "MHUGCCsGAQUFBwEBBGkwZzAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuYnV5cGFz\n"
+            + "cy5uby9vY3NwL0JQT2NzcDA1BggrBgEFBQcwAoYpaHR0cDovL2NydC5idXlwYXNz\n"
+            + "Lm5vL2NydC9CUENsYXNzMkNBMi5jZXIwDQYJKoZIhvcNAQELBQADggEBAAdjMdlP\n"
+            + "qYNK+YkrqTgQV0dblIazL/cIhMPByjnEkfxew9tDxpcMWafIFKcgM/QxYJG/mzoL\n"
+            + "sSQ9pzzuGLQX7eAPA3rlWoQBusOeOaC3HQqy73kGStd7H8HPa3m+q47Z6JG0w+Fb\n"
+            + "rk8odrml+8rAEPLBlldB39xJuNVHjmlyTEDSC4azEXjfV4+kj8uE86sm+AoTt4Ba\n"
+            + "tEZSbKp70oH63QKBAEHORMM4gXeP+WG276p3kTcL1VUfgQw7vVmGN0C8DjhK4BAC\n"
+            + "0PUChr8agu0F5YcqpGxjLemMnDrqW+Bi/JYmGhEjWTiLSyYSlvJb1dAFUyPlc958\n"
+            + "pmOu5xTMEatiPFI=\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID_CLASS_2, INT_CLASS_2},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED_CLASS_2, INT_CLASS_2},
+                ValidatePathWithParams.Status.REVOKED,
+                "Mon Jan 25 00:24:47 PST 2016", System.out);
+    }
+}
+
+class BuypassClass3 {
+
+    // Owner: CN=Buypass Class 3 CA 2, O=Buypass AS-983163327, C=NO
+    // Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
+    private static final String INT_CLASS_3 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFCzCCAvOgAwIBAgIBGDANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd\n"
+            + "MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg\n"
+            + "Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA5MTYxN1oXDTMwMTAyNjA5MTYxN1ow\n"
+            + "SzELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0w\n"
+            + "GwYDVQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMjCCASIwDQYJKoZIhvcNAQEBBQAD\n"
+            + "ggEPADCCAQoCggEBAL1OFdoURRXuCuwTBJpuCKDE8Euzcg0AeCRGq3VdagbChyCE\n"
+            + "CQ5vYWwmpHCyFl1b+r2KyWdQBBdG+msAcIYZal5cjZzrTWvbkfiAD/OneMjhqYB0\n"
+            + "pTQIXbTjpPUMOjFM8waNZcqGJqC9H+Z9NkjK5THAK0oOOfKNPHg1MeImbOHVw0fR\n"
+            + "48WnNrPpnQDt+SbPFSvw+dACDAybx1XgjMPq7pmZDWbkajOz4yCvrgZm6jvAPeT3\n"
+            + "qkBFh7zOZ3IZVdfmRjVahx0iXp5TJ1SsrRr/uCiae1O+NR//XDG3dl9j17HsFlhY\n"
+            + "Rl6EvEfVV0OcW94Ret9uBUF73ANZl0b+gwCXnV0CAwEAAaOB9jCB8zAPBgNVHRMB\n"
+            + "Af8EBTADAQH/MB8GA1UdIwQYMBaAFEe4zf/lb+74suwvTg75JbCOPGvDMB0GA1Ud\n"
+            + "DgQWBBQiMC7S+/ZLysC4O9IExOly5pebDDAOBgNVHQ8BAf8EBAMCAQYwEQYDVR0g\n"
+            + "BAowCDAGBgRVHSAAMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9jcmwuYnV5cGFz\n"
+            + "cy5uby9jcmwvQlBDbGFzczNSb290Q0EuY3JsMD4GCCsGAQUFBwEBBDIwMDAuBggr\n"
+            + "BgEFBQcwAYYiaHR0cDovL29jc3AuYnV5cGFzcy5uby9vY3NwL0JQT2NzcDANBgkq\n"
+            + "hkiG9w0BAQsFAAOCAgEAaOLyxpj2t9k9Rzkxkcj/teTNOWxBLPZDi+eFx3u7laf2\n"
+            + "mX/ZUSSE4g7OiKnD7ozWk9Qgocn3rBWGDKsp676RwWV97Elofz73Oebei6P3Gg/9\n"
+            + "CD8y6rf8xHRxru5d1ZQ1NkWdPwYI38jlt3LaDjJKZjJW7pOPIMRvw1Y1AY3mYgCJ\n"
+            + "Qqpw8jgukHIP0454DPzkUXzg/ZVJG0swmFmjYfARleSPidcs5BJx5ngpcUS4745g\n"
+            + "mN9PQ578+ROIbML4Jx83myivlyTQSPdYSwzSswb1RVBJmiF9qC0B1hivCrs4BATu\n"
+            + "YeaPV6CiNDr0jGnbxAskz7QDNR6uJSUKX3L9iY2TB/4/5hJ9TZ/YDI6OEG/wVtBz\n"
+            + "5FkU0ucztyQa4UG1mXR8Zbs/zt9Fj0Xn8f5IM3dB/s/r8c1AFDIcLRUqP/LkI9Wj\n"
+            + "XovWr79PEJcIfIln0AfzYfBBxCRE+4QHcVhci6p/mbyl2a+Rf8ZGNTiDLaWSZp5x\n"
+            + "jqdaq5UQaoZK8XQ+JVR0etep/KPgVMXq5Zv16YEb2vjs//RfxT8psDZLe/37+Bs4\n"
+            + "AG9sdT/bsH7HDQwodTon/HvMmxt4EiU/1Sjco4Fok9VmSE2UVjIghajbbTSKR3LV\n"
+            + "UuU19x12fKp+htO8L+wVlGgxXb9WvDBNHCe6RmR4jqavmvrAyCPtrx3cXwqGmXA=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: SERIALNUMBER=983163327, CN=valid.business.ca23.ssl.buypass.no,
+    // O=BUYPASS AS, L=OSLO, OID.2.5.4.17=0484, C=NO
+    // Issuer: CN=Buypass Class 3 CA 2, O=Buypass AS-983163327, C=NO
+    // Serial number: 97631b91e98293b35c8
+    // Valid from: Fri Feb 06 00:57:04 PST 2015 until: Fri Feb 09 14:59:00 PST 2018
+    private static final String VALID_CLASS_3 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIE1DCCA7ygAwIBAgIKCXYxuR6YKTs1yDANBgkqhkiG9w0BAQsFADBLMQswCQYD\n"
+            + "VQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMM\n"
+            + "FEJ1eXBhc3MgQ2xhc3MgMyBDQSAyMB4XDTE1MDIwNjA4NTcwNFoXDTE4MDIwOTIy\n"
+            + "NTkwMFowgYExCzAJBgNVBAYTAk5PMQ0wCwYDVQQRDAQwNDg0MQ0wCwYDVQQHDARP\n"
+            + "U0xPMRMwEQYDVQQKDApCVVlQQVNTIEFTMSswKQYDVQQDDCJ2YWxpZC5idXNpbmVz\n"
+            + "cy5jYTIzLnNzbC5idXlwYXNzLm5vMRIwEAYDVQQFEwk5ODMxNjMzMjcwggEiMA0G\n"
+            + "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbahUoF2A7upqIxDQKraZ+aEOzNkHF\n"
+            + "1fIQEtUMQS1OTB8la7pWsBnv1gk9Ja2ifIrwdSxAjefL3SXR47h4vxUMnufMnkTk\n"
+            + "PERXft/XR8/jZQZRpznnN/V89ctb8qcVhHCooTIELOBzF9QAmDnawZQogwhDNLNy\n"
+            + "kLtWsl75X547DS/Z5hsqCqXPyOiFzkHY59uamYu48TF9d7HwQ741H0YhehoxTl/O\n"
+            + "YqzW2wqYxqhQuCX5IuYER7G/P3G6UAm+VB9aujtWW+TBT9+iWh0aT+C7ezDtREse\n"
+            + "lwb44svf8S3iW18KlSF8EMT0qwqNpA8njOCQiSgluYD+Uk9E5f8505UzAgMBAAGj\n"
+            + "ggGBMIIBfTAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFCIwLtL79kvKwLg70gTE6XLm\n"
+            + "l5sMMB0GA1UdDgQWBBQncKIaP6HdQV8RIBO+dddWDSKvJjAOBgNVHQ8BAf8EBAMC\n"
+            + "BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIAQYMBYwCgYI\n"
+            + "YIRCARoBAwQwCAYGZ4EMAQICMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwu\n"
+            + "YnV5cGFzcy5uby9jcmwvQlBDbGFzczNDQTIuY3JsMC0GA1UdEQQmMCSCInZhbGlk\n"
+            + "LmJ1c2luZXNzLmNhMjMuc3NsLmJ1eXBhc3Mubm8wdQYIKwYBBQUHAQEEaTBnMC4G\n"
+            + "CCsGAQUFBzABhiJodHRwOi8vb2NzcC5idXlwYXNzLm5vL29jc3AvQlBPY3NwMDUG\n"
+            + "CCsGAQUFBzAChilodHRwOi8vY3J0LmJ1eXBhc3Mubm8vY3J0L0JQQ2xhc3MzQ0Ey\n"
+            + "LmNlcjANBgkqhkiG9w0BAQsFAAOCAQEAqeA3IqMPn/az52twbNnimXIhIb7tWj7U\n"
+            + "NSBqr+httoQvNo7NbtVCgO/fM3/t0YN7rgZfP07QTn7L7CwoddrgHbnuCuFr9UhD\n"
+            + "df7cfY3cwDhWx+YKgXTkRZpXXrOPqeY2+9gaJlcQCnw66t5EBa4lSBnN0ZtkB4lT\n"
+            + "ujFP6BAyzZAjRdXWUidtErDWZri1uLmWAP0kQNez2toOcQ0XpbrbL8+nQtvOVOJv\n"
+            + "b/c8WoaoC14C32mAeC5bx4dQ3mpf3hQv9man1SPjY/rsDsWWjsaJAijl3YPtP2bU\n"
+            + "JRCCM7qfZWrY8/uBLG2llfjviKV9I6sT76w7TnawPsz+SkDXFm/nwg==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: SERIALNUMBER=983163327, CN=revoked.business.ca23.ssl.buypass.no,
+    // O=BUYPASS AS, L=OSLO, OID.2.5.4.17=0402, C=NO
+    // Issuer: CN=Buypass Class 3 CA 2, O=Buypass AS-983163327, C=NO
+    private static final String REVOKED_CLASS_3 = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIE2DCCA8CgAwIBAgIKARno/wYhPtNtmjANBgkqhkiG9w0BAQsFADBLMQswCQYD\n"
+            + "VQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMM\n"
+            + "FEJ1eXBhc3MgQ2xhc3MgMyBDQSAyMB4XDTEzMDIwMTA5MTE0NFoXDTE2MDIwMTA5\n"
+            + "MTE0NFowgYMxCzAJBgNVBAYTAk5PMQ0wCwYDVQQRDAQwNDAyMQ0wCwYDVQQHDARP\n"
+            + "U0xPMRMwEQYDVQQKDApCVVlQQVNTIEFTMS0wKwYDVQQDDCRyZXZva2VkLmJ1c2lu\n"
+            + "ZXNzLmNhMjMuc3NsLmJ1eXBhc3Mubm8xEjAQBgNVBAUTCTk4MzE2MzMyNzCCASIw\n"
+            + "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmBUI0wNCz4kLikR5wog4QTUEmO\n"
+            + "XoGgjnQv0cKfDogbewK+0ngdyyR8dZOqSauQTGLlPTpo6DEWpD3Jqrr444MV6Vc1\n"
+            + "AGWnjk3T+KT5tKl6qJOQq17Y+HEnsTEzCo1kieVygpSu7FBa2OnhHNmLWThhGUEi\n"
+            + "mLqrEyfjMSb9zacvo06Zr7S8BauLRB3aM5BeMVF7Bj/9f/FvnB/y1cRDLG32WRCx\n"
+            + "K9IAFwCaJkfWsXx+bnaO4uEQwLFZ96p7L5mr+QNvI6QuweIY1hDM3RDM6HQkGTK9\n"
+            + "8iHSzGBSCGwOM24Ym3XM5vTbiV5uLno+QEYlJL/+qbYvarbO2gPF+6A6M10CAwEA\n"
+            + "AaOCAYMwggF/MAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUIjAu0vv2S8rAuDvSBMTp\n"
+            + "cuaXmwwwHQYDVR0OBBYEFNI2C2XKZkNRHZrHLkBhCMeDRN0KMA4GA1UdDwEB/wQE\n"
+            + "AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0gBBgwFjAK\n"
+            + "BghghEIBGgEDBDAIBgZngQwBAgIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2Ny\n"
+            + "bC5idXlwYXNzLm5vL2NybC9CUENsYXNzM0NBMi5jcmwwLwYDVR0RBCgwJoIkcmV2\n"
+            + "b2tlZC5idXNpbmVzcy5jYTIzLnNzbC5idXlwYXNzLm5vMHUGCCsGAQUFBwEBBGkw\n"
+            + "ZzAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuYnV5cGFzcy5uby9vY3NwL0JQT2Nz\n"
+            + "cDA1BggrBgEFBQcwAoYpaHR0cDovL2NydC5idXlwYXNzLm5vL2NydC9CUENsYXNz\n"
+            + "M0NBMi5jZXIwDQYJKoZIhvcNAQELBQADggEBAGNQe9cgrw/mN7bChof205NRS+TH\n"
+            + "A8f0JcKk1KrPYYW+ilyp6j3My26Sm9a4ZyKRhAS8fCxYUXWzfNvJNFYv2ttLuegl\n"
+            + "SFfeXjSJJZW9+wC5oRLta++62UTTxXp0Zf5UkMsHZCIjvnk0yGWZa0phyRCH89ca\n"
+            + "4vfRTOGNTNfX3d0jm/+fm70UNYHKZ/VcxVj0vH2Ij/kDUy7r2cw1gQ65RDUotnTu\n"
+            + "Yt59y3COyMZeYNMcuoss2XWnedFoD7fwCSkNqVbwjCxGVkL1+ivbWhqlCefaniZX\n"
+            + "Wy35oP1635RSxHbCMU9msmUO7FS8n1VH2edEC797gduK5pn2aBhy/MW0unU=\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID_CLASS_3, INT_CLASS_3},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        if (ocspEnabled) {
+            // Revoked test certificate is expired
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("July 01, 2013");
+        }
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED_CLASS_3, INT_CLASS_3},
+                ValidatePathWithParams.Status.REVOKED,
+                "Wed Feb 06 02:56:32 PST 2013", System.out);
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
new file mode 100644
index 0000000000..6707043b3d
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java
@@ -0,0 +1,674 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with Comodo RSA, ECC, userTrust RSA, and
+ *          userTrust ECC CAs
+ * @build ValidatePathWithParams
+ * @run main/othervm -Djava.security.debug=certpath ComodoCA OCSP
+ * @run main/othervm -Djava.security.debug=certpath ComodoCA CRL
+ */
+
+ /*
+ * Obtain TLS test artifacts for Comodo CAs from:
+ *
+ * Valid TLS Certificates:
+ * https://comodorsacertificationauthority-ev.comodoca.com
+ * https://comodoecccertificationauthority-ev.comodoca.com
+ * https://usertrustrsacertificationauthority-ev.comodoca.com
+ * https://usertrustecccertificationauthority-ev.comodoca.com
+ *
+ * Revoked TLS Certificates:
+ * https://comodorsacertificationauthority-ev.comodoca.com:444
+ * https://comodoecccertificationauthority-ev.comodoca.com:444
+ * https://usertrustrsacertificationauthority-ev.comodoca.com:444
+ * https://usertrustecccertificationauthority-ev.comodoca.com:444
+ */
+public class ComodoCA {
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+        }
+
+        new ComodoRSA().runTest(pathValidator);
+        new ComodoECC().runTest(pathValidator);
+        new ComodoUserTrustRSA().runTest(pathValidator);
+        new ComodoUserTrustECC().runTest(pathValidator);
+    }
+}
+
+class ComodoRSA {
+
+    // Owner: CN=COMODO RSA Extended Validation Secure Server CA,
+    // O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+    // Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited,
+    // L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: 6a74380d4ebfed435b5a3f7e16abdd8
+    // Valid from: Sat Feb 11 16:00:00 PST 2012 until: Thu Feb 11 15:59:59 PST 2027
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGDjCCA/agAwIBAgIQBqdDgNTr/tQ1taP34Wq92DANBgkqhkiG9w0BAQwFADCB\n"
+            + "hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G\n"
+            + "A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV\n"
+            + "BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTIwMjEy\n"
+            + "MDAwMDAwWhcNMjcwMjExMjM1OTU5WjCBkjELMAkGA1UEBhMCR0IxGzAZBgNVBAgT\n"
+            + "EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR\n"
+            + "Q09NT0RPIENBIExpbWl0ZWQxODA2BgNVBAMTL0NPTU9ETyBSU0EgRXh0ZW5kZWQg\n"
+            + "VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC\n"
+            + "AQ8AMIIBCgKCAQEAlVbeVLTf1QJJe9FbXKKyHo+cK2JMK40SKPMalaPGEP0p3uGf\n"
+            + "CzhAk9HvbpUQ/OGQF3cs7nU+e2PsYZJuTzurgElr3wDqAwB/L3XVKC/sVmePgIOj\n"
+            + "vdwDmZOLlJFWW6G4ajo/Br0OksxgnP214J9mMF/b5pTwlWqvyIqvgNnmiDkBfBzA\n"
+            + "xSr3e5Wg8narbZtyOTDr0VdVAZ1YEZ18bYSPSeidCfw8/QpKdhQhXBZzQCMZdMO6\n"
+            + "WAqmli7eNuWf0MLw4eDBYuPCGEUZUaoXHugjddTI0JYT/8ck0YwLJ66eetw6YWNg\n"
+            + "iJctXQUL5Tvrrs46R3N2qPos3cCHF+msMJn4HwIDAQABo4IBaTCCAWUwHwYDVR0j\n"
+            + "BBgwFoAUu69+Aj36pvE8hI6t7jiY7NkyMtQwHQYDVR0OBBYEFDna/8ooFIqodBMI\n"
+            + "ueQOqdL6fp1pMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMD4G\n"
+            + "A1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5j\n"
+            + "b21vZG8uY29tL0NQUzBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9k\n"
+            + "b2NhLmNvbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggr\n"
+            + "BgEFBQcBAQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29t\n"
+            + "L0NPTU9ET1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz\n"
+            + "cC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAERCnUFRK0iIXZebeV4R\n"
+            + "AUpSGXtBLMeJPNBy3IX6WK/VJeQT+FhlZ58N/1eLqYVeyqZLsKeyLeCMIs37/3mk\n"
+            + "jCuN/gI9JN6pXV/kD0fQ22YlPodHDK4ixVAihNftSlka9pOlk7DgG4HyVsTIEFPk\n"
+            + "1Hax0VtpS3ey4E/EhOfUoFDuPPpE/NBXueEoU/1Tzdy5H3pAvTA/2GzS8+cHnx8i\n"
+            + "teoiccsq8FZ8/qyo0QYPFBRSTP5kKwxpKrgNUG4+BAe/eiCL+O5lCeHHSQgyPQ0o\n"
+            + "fkkdt0rvAucNgBfIXOBhYsvss2B5JdoaZXOcOBCgJjqwyBZ9kzEi7nQLiMBciUEA\n"
+            + "KKlHMd99SUWa9eanRRrSjhMQ34Ovmw2tfn6dNVA0BM7pINae253UqNpktNEvWS5e\n"
+            + "ojZh1CSggjMziqHRbO9haKPl0latxf1eYusVqHQSTC8xjOnB3xBLAer2VBvNfzu9\n"
+            + "XJ/B288ByvK6YBIhMe2pZLiySVgXbVrXzYxtvp5/4gJYp9vDLVj2dAZqmvZh+fYA\n"
+            + "tmnYOosxWd2R5nwnI4fdAw+PKowegwFOAWEMUnNt/AiiuSpm5HZNMaBWm9lTjaK2\n"
+            + "jwLI5jqmBNFI+8NKAnb9L9K8E7bobTQk+p0pisehKxTxlgBzuRPpwLk6R1YCcYAn\n"
+            + "pLwltum95OmYdBbxN4SBB7SC\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=COMODO RSA Extended Validation Secure Server CA,
+    // O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+    // Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited,
+    // L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: 6a74380d4ebfed435b5a3f7e16abdd8
+    // Valid from: Sat Feb 11 16:00:00 PST 2012 until: Thu Feb 11 15:59:59 PST 2027
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIH8jCCBtqgAwIBAgIQcgqiz6QAlFISJPkBqYSxZzANBgkqhkiG9w0BAQsFADCB\n"
+            + "kjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G\n"
+            + "A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxODA2BgNV\n"
+            + "BAMTL0NPTU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVy\n"
+            + "IENBMB4XDTE3MDYzMDAwMDAwMFoXDTE5MDkyOTIzNTk1OVowggFdMREwDwYDVQQF\n"
+            + "EwgwNDA1ODY5MDETMBEGCysGAQQBgjc8AgEDEwJHQjEdMBsGA1UEDxMUUHJpdmF0\n"
+            + "ZSBPcmdhbml6YXRpb24xCzAJBgNVBAYTAkdCMQ8wDQYDVQQREwZNNSAzRVExGzAZ\n"
+            + "BgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEWMBQG\n"
+            + "A1UECRMNVHJhZmZvcmQgUm9hZDEWMBQGA1UECRMNRXhjaGFuZ2UgUXVheTElMCMG\n"
+            + "A1UECRMcM3JkIEZsb29yLCAyNiBPZmZpY2UgVmlsbGFnZTEaMBgGA1UEChMRQ09N\n"
+            + "T0RPIENBIExpbWl0ZWQxGjAYBgNVBAsTEUNPTU9ETyBFViBTR0MgU1NMMTgwNgYD\n"
+            + "VQQDEy9jb21vZG9yc2FjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWV2LmNvbW9kb2Nh\n"
+            + "LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAND/eZQBTjpBDsut\n"
+            + "eKwl+zpTitF8tJzwHAhcQHC2AaLF/GJl1rnjx4OfelMhKhN1Od9KU6onHGOd2w4m\n"
+            + "D4EiYK9TpXwuwTyzfkCmnkqxZjYK3KAJN013o4L+8y1zsGVUulpN/GfMaxTb4Xdm\n"
+            + "eSekTP91Phw3xezijBq3sa++1rO5RBaT1IHeHhHviC9WNrG8CIg/j5MyC9i43LZH\n"
+            + "iRXLER1LzT/MCIRsiG5AEbiYXV5BNd5SiiHtBJ1q0ZJH+AxL2ERaT41VCppboZwT\n"
+            + "hmJGGoky9FWjp6z8U6Enx0fAMJIZNEzW6LAJFKPEynEU004jFFCEumPUqqCC4ogx\n"
+            + "ulphY80CAwEAAaOCA3QwggNwMB8GA1UdIwQYMBaAFDna/8ooFIqodBMIueQOqdL6\n"
+            + "fp1pMB0GA1UdDgQWBBQ+S4ZhIrwOoeGs9BBT4uXq89Ux/jAOBgNVHQ8BAf8EBAMC\n"
+            + "BaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n"
+            + "TwYDVR0gBEgwRjA7BgwrBgEEAbIxAQIBBQEwKzApBggrBgEFBQcCARYdaHR0cHM6\n"
+            + "Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwBwYFZ4EMAQEwVgYDVR0fBE8wTTBLoEmg\n"
+            + "R4ZFaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRXh0ZW5kZWRWYWxp\n"
+            + "ZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGHBggrBgEFBQcBAQR7MHkwUQYIKwYB\n"
+            + "BQUHMAKGRWh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUV4dGVuZGVk\n"
+            + "VmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDov\n"
+            + "L29jc3AuY29tb2RvY2EuY29tMDoGA1UdEQQzMDGCL2NvbW9kb3JzYWNlcnRpZmlj\n"
+            + "YXRpb25hdXRob3JpdHktZXYuY29tb2RvY2EuY29tMIIBgAYKKwYBBAHWeQIEAgSC\n"
+            + "AXAEggFsAWoAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVz5\n"
+            + "cV7GAAAEAwBHMEUCIQCpgc0Eqw3g4pr+oX88h5xgL1VEAiDpqAhbRtilgYwBbgIg\n"
+            + "UaIm+n8AHi55nB//Sb4Nz18GYVcfELfpIzRh1vW9HbYAdwBWFAaaL9fC7NP14b1E\n"
+            + "sj7HRna5vJkRXMDvlJhV1onQ3QAAAVz5cVybAAAEAwBIMEYCIQDdsgC4KZ++OP44\n"
+            + "X7LbUcNaxe0kFzbctF2L3bnmhp9nXQIhAM0/g+PrZBIBpYlOtzidePi8bBHrLWn2\n"
+            + "uBiP3pYIntl4AHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFc\n"
+            + "+XFeoQAABAMASDBGAiEAoySTb/QKw7JwtZtPHnECEMzgENQSFy58Kl+Mvcd3SmcC\n"
+            + "IQD8cU66Ih3ejvt0OTX+lfxQPKyggQfm4Uk/lwn5LEJXbDANBgkqhkiG9w0BAQsF\n"
+            + "AAOCAQEAKEaSYWn3Hi8rfJS4cMTJoMkVp2vpPH2dGXySBEy67TEGRw9+f75w3q95\n"
+            + "r1m3P+xsR6dBoidTq/6wqUYI51lB4Fq9ylh1Stp5Gj54CuyT+S31l7lD7sl0KMsn\n"
+            + "HDUDQHId7hKeORYpiIZOcrKOglKdi1uiGwDgoiLKh98lUrZA6durrhH+sl69wqp2\n"
+            + "0XAu+3hurXzCoZFJfyngTO1kt9qcFUAxc5LofIa9QvC6VR7dI4aAh7dUpIRlnjG3\n"
+            + "jJ1mUMTqWO6TFTtddb+uQjDqNgkYYYNuSax1WMEIZWbIi13EjXK1GPQUXJe6gQin\n"
+            + "NUq9JH9NPK6m8A1YKT+wgzfTDeaV2Q==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=comodorsacertificationauthority-ev.comodoca.com,
+    // OU=COMODO EV SGC SSL, O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village",
+    // STREET=Exchange Quay, STREET=Trafford Road, L=Salford, ST=Greater Manchester,
+    // OID.2.5.4.17=M5 3EQ, C=GB, OID.2.5.4.15=Private Organization,
+    // OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=04058690
+    // Issuer: CN=COMODO RSA Extended Validation Secure Server CA,
+    // O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: ff6ecae8c73f9b5ca811a1d2b14768be
+    // Valid from: Tue Aug 16 17:00:00 PDT 2016 until: Fri Nov 16 15:59:59 PST 2018
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIIGzCCBwOgAwIBAgIRAP9uyujHP5tcqBGh0rFHaL4wDQYJKoZIhvcNAQELBQAw\n"
+            + "gZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO\n"
+            + "BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYD\n"
+            + "VQQDEy9DT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZl\n"
+            + "ciBDQTAeFw0xNjA4MTcwMDAwMDBaFw0xODExMTYyMzU5NTlaMIIBXTERMA8GA1UE\n"
+            + "BRMIMDQwNTg2OTAxEzARBgsrBgEEAYI3PAIBAxMCR0IxHTAbBgNVBA8TFFByaXZh\n"
+            + "dGUgT3JnYW5pemF0aW9uMQswCQYDVQQGEwJHQjEPMA0GA1UEERMGTTUgM0VRMRsw\n"
+            + "GQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxFjAU\n"
+            + "BgNVBAkTDVRyYWZmb3JkIFJvYWQxFjAUBgNVBAkTDUV4Y2hhbmdlIFF1YXkxJTAj\n"
+            + "BgNVBAkTHDNyZCBGbG9vciwgMjYgT2ZmaWNlIFZpbGxhZ2UxGjAYBgNVBAoTEUNP\n"
+            + "TU9ETyBDQSBMaW1pdGVkMRowGAYDVQQLExFDT01PRE8gRVYgU0dDIFNTTDE4MDYG\n"
+            + "A1UEAxMvY29tb2RvcnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5jb21vZG9j\n"
+            + "YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQ/3mUAU46QQ7L\n"
+            + "rXisJfs6U4rRfLSc8BwIXEBwtgGixfxiZda548eDn3pTISoTdTnfSlOqJxxjndsO\n"
+            + "Jg+BImCvU6V8LsE8s35App5KsWY2CtygCTdNd6OC/vMtc7BlVLpaTfxnzGsU2+F3\n"
+            + "ZnknpEz/dT4cN8Xs4owat7GvvtazuUQWk9SB3h4R74gvVjaxvAiIP4+TMgvYuNy2\n"
+            + "R4kVyxEdS80/zAiEbIhuQBG4mF1eQTXeUooh7QSdatGSR/gMS9hEWk+NVQqaW6Gc\n"
+            + "E4ZiRhqJMvRVo6es/FOhJ8dHwDCSGTRM1uiwCRSjxMpxFNNOIxRQhLpj1KqgguKI\n"
+            + "MbpaYWPNAgMBAAGjggOcMIIDmDAfBgNVHSMEGDAWgBQ52v/KKBSKqHQTCLnkDqnS\n"
+            + "+n6daTAdBgNVHQ4EFgQUPkuGYSK8DqHhrPQQU+Ll6vPVMf4wDgYDVR0PAQH/BAQD\n"
+            + "AgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\n"
+            + "MEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQUBMCswKQYIKwYBBQUHAgEWHWh0dHBz\n"
+            + "Oi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6\n"
+            + "Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUV4dGVuZGVkVmFsaWRhdGlvblNl\n"
+            + "Y3VyZVNlcnZlckNBLmNybDCBhwYIKwYBBQUHAQEEezB5MFEGCCsGAQUFBzAChkVo\n"
+            + "dHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9SU0FFeHRlbmRlZFZhbGlkYXRp\n"
+            + "b25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNv\n"
+            + "bW9kb2NhLmNvbTBvBgNVHREEaDBmgi9jb21vZG9yc2FjZXJ0aWZpY2F0aW9uYXV0\n"
+            + "aG9yaXR5LWV2LmNvbW9kb2NhLmNvbYIzd3d3LmNvbW9kb3JzYWNlcnRpZmljYXRp\n"
+            + "b25hdXRob3JpdHktZXYuY29tb2RvY2EuY29tMIIBfAYKKwYBBAHWeQIEAgSCAWwE\n"
+            + "ggFoAWYAdQBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVaYyfL5\n"
+            + "AAAEAwBGMEQCIBW1F2heN1IccknFpDVED66I/tb4BpkqWLwqzn5dwWQXAiAzSPv7\n"
+            + "1zuXUelPvK6l1gOLB/6VlD7gwVGg7M3B1+Vt7wB1AFYUBpov18Ls0/XhvUSyPsdG\n"
+            + "drm8mRFcwO+UmFXWidDdAAABVpjJ8k0AAAQDAEYwRAIgfTjxLr4edpWLyOGi32TW\n"
+            + "48I3c0YWQMM5qsMe7zDzdrACIBng0I2+XksdOXoz5CKMAZGYict+TnZ/p7sRPAYo\n"
+            + "dl05AHYA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFWmMnyzgAA\n"
+            + "BAMARzBFAiBiTeFCsfBnC4gKolnPUpL5S0eEkb0esucY40qhPqUnDgIhAOZrZz3G\n"
+            + "fLtEq73nEdAfvocUQC7IdMTEJRceb25Pk5J/MA0GCSqGSIb3DQEBCwUAA4IBAQBB\n"
+            + "YldVJKeAwqpPejxa0h3n3G8WefmAJXJtBcMKMDZ8thofgOyVDnVTkNVtY5UwwV8D\n"
+            + "a0bt0UhCzr88v7BrZ8PNci3qiTQgGz9q27s4x64og47sGREoil/0h3xdZ8cWVsAa\n"
+            + "i/aIHD0frCktX/PUZClpAuTQwJgKHurl1Apn1+RVZ3gozebOOopXmopscgp3FQV0\n"
+            + "RqBVietPoq6koeaJKf2ux102yW/Ef4RxXLJOLZ7ynV4tbIGyz4q+RhXbDknNrUcZ\n"
+            + "ugRTCaWUQ3cxtFQjA6MvY4G4eTycyiQTf/qFH5D7mrqY9ZLUuwH3AgLx49UZvQMk\n"
+            + "03iaUVSV6CNAsQVv4S5p\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Fri Jun 30 07:20:56 PDT 2017", System.out);
+    }
+}
+
+class ComodoECC {
+
+    // Owner: CN=COMODO ECC Extended Validation Secure Server CA,
+    // O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
+    // Issuer: CN=COMODO ECC Certification Authority, O=COMODO CA Limited,
+    // L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: 61d4643b412b5d8d715499d8553aa03
+    // Valid from: Sun Apr 14 17:00:00 PDT 2013 until: Fri Apr 14 16:59:59 PDT 2028
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIDojCCAyigAwIBAgIQBh1GQ7QStdjXFUmdhVOqAzAKBggqhkjOPQQDAzCBhTEL\n"
+            + "MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
+            + "BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT\n"
+            + "IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTMwNDE1MDAw\n"
+            + "MDAwWhcNMjgwNDE0MjM1OTU5WjCBkjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy\n"
+            + "ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N\n"
+            + "T0RPIENBIExpbWl0ZWQxODA2BgNVBAMTL0NPTU9ETyBFQ0MgRXh0ZW5kZWQgVmFs\n"
+            + "aWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n"
+            + "QgAEV3AaPyeTQy0aWXXkBJMR42DsJ5pnbliJe7ndaHzCDslVlY8ofpxeFiqluZrK\n"
+            + "KNcJeBU/Jl1YI9jLMyMZKsfSoaOCAWkwggFlMB8GA1UdIwQYMBaAFHVxpxlIGbyd\n"
+            + "nepBR9+UxEh3mdN5MB0GA1UdDgQWBBTTTsMZulhZ0Rxgt2FTRzund4/4ijAOBgNV\n"
+            + "HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1MDMGBFUd\n"
+            + "IAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw\n"
+            + "TAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RP\n"
+            + "RUNDQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwcQYIKwYBBQUHAQEEZTBjMDsG\n"
+            + "CCsGAQUFBzAChi9odHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9FQ0NBZGRU\n"
+            + "cnVzdENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29t\n"
+            + "MAoGCCqGSM49BAMDA2gAMGUCMQDmPWS98nREWdt4xB83r9MVvgG5INpKHi6V1dUY\n"
+            + "lCqvSvXXjK0QvZSrOB7cj9RavGgCMG2xJNG+SvlTWEYpmK7eXSgmRUgoBDeQ0yDK\n"
+            + "lnxmeeOBnnCaDIxAcA3aCj2Gtdt3sA==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=comodoecccertificationauthority-ev.comodoca.com, OU=COMODO EV SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=COMODO ECC Extended Validation Secure Server CA, O=COMODO CA Limited,
+    // L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: 414e5d66ec7d15ca504213f2811d57af
+    // Valid from: Mon Jul 03 17:00:00 PDT 2017 until: Thu Oct 03 16:59:59 PDT 2019
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGYDCCBgWgAwIBAgIQQU5dZux9FcpQQhPygR1XrzAKBggqhkjOPQQDAjCBkjEL\n"
+            + "MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
+            + "BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxODA2BgNVBAMT\n"
+            + "L0NPTU9ETyBFQ0MgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB\n"
+            + "MB4XDTE3MDcwNDAwMDAwMFoXDTE5MTAwMzIzNTk1OVowggFZMREwDwYDVQQFEwgw\n"
+            + "NDA1ODY5MDETMBEGCysGAQQBgjc8AgEDEwJHQjEdMBsGA1UEDxMUUHJpdmF0ZSBP\n"
+            + "cmdhbml6YXRpb24xCzAJBgNVBAYTAkdCMQ8wDQYDVQQREwZNNSAzRVExGzAZBgNV\n"
+            + "BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEWMBQGA1UE\n"
+            + "CRMNVHJhZmZvcmQgUm9hZDEWMBQGA1UECRMNRXhjaGFuZ2UgUXVheTElMCMGA1UE\n"
+            + "CRMcM3JkIEZsb29yLCAyNiBPZmZpY2UgVmlsbGFnZTEaMBgGA1UEChMRQ09NT0RP\n"
+            + "IENBIExpbWl0ZWQxFjAUBgNVBAsTDUNPTU9ETyBFViBTU0wxODA2BgNVBAMTL2Nv\n"
+            + "bW9kb2VjY2NlcnRpZmljYXRpb25hdXRob3JpdHktZXYuY29tb2RvY2EuY29tMFkw\n"
+            + "EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt26qBS7TRu/yfR+RiqLAzW2C+UspFZlO\n"
+            + "Rc4EhLfNYMgFkoZKjEnwJzudH6a+uRPqPOhPgUd6PFfRQFOcLjmhgaOCA3EwggNt\n"
+            + "MB8GA1UdIwQYMBaAFNNOwxm6WFnRHGC3YVNHO6d3j/iKMB0GA1UdDgQWBBTpZ0tz\n"
+            + "KscFw6Z3vCEDFzGR5VSkVzAOBgNVHQ8BAf8EBAMCBYAwDAYDVR0TAQH/BAIwADAd\n"
+            + "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA7BgwrBgEE\n"
+            + "AbIxAQIBBQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv\n"
+            + "bS9DUFMwBwYFZ4EMAQEwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5jb21v\n"
+            + "ZG9jYS5jb20vQ09NT0RPRUNDRXh0ZW5kZWRWYWxpZGF0aW9uU2VjdXJlU2VydmVy\n"
+            + "Q0EuY3JsMIGHBggrBgEFBQcBAQR7MHkwUQYIKwYBBQUHMAKGRWh0dHA6Ly9jcnQu\n"
+            + "Y29tb2RvY2EuY29tL0NPTU9ET0VDQ0V4dGVuZGVkVmFsaWRhdGlvblNlY3VyZVNl\n"
+            + "cnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29t\n"
+            + "MDoGA1UdEQQzMDGCL2NvbW9kb2VjY2NlcnRpZmljYXRpb25hdXRob3JpdHktZXYu\n"
+            + "Y29tb2RvY2EuY29tMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdgCkuQmQtBhY\n"
+            + "FIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAV0NLqsqAAAEAwBHMEUCIAz9Jjq3\n"
+            + "qLUd/a2PYZnLGsEG/MrL7vab5rmGBg8RGAJxAiEA7JJnar07NIjCLLO77xJ3UFcu\n"
+            + "UMM3M8JgGC8wbuRwxbUAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ\n"
+            + "3QAAAV0NLqjmAAAEAwBHMEUCIHRvPWKr7vPMBWx1gLPkt8inPINWPNSoax178e5A\n"
+            + "D0cPAiEAvRL/VP4DLiyHvcU9AOqTzQXGuWCzswWKG59hSm7gS4kAdQDuS723dc5g\n"
+            + "uuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAV0NLqsDAAAEAwBGMEQCIFALT043\n"
+            + "X5IffLsxIAGXTrWgkZHf12QKgrYKXVB629eOAiAIeci2xi3fUW6mU8tT4LwyjowV\n"
+            + "DkrSCw1ZMo0JApsfzTAKBggqhkjOPQQDAgNJADBGAiEA7HUxjwx0MBC+4PuPx4Z1\n"
+            + "WpKz7jdHOMTh1sdaoVV5hNoCIQDrnjBFUopXHTvm/rj+aMFIeYejggPqv14KJOqT\n"
+            + "gym+uA==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=comodoecccertificationauthority-ev.comodoca.com, OU=COMODO EV SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=COMODO ECC Extended Validation Secure Server CA, O=COMODO CA Limited,
+    // L=Salford, ST=Greater Manchester, C=GB
+    // Serial number: 6923086d88824ee9800742fcb82fdaa
+    // Valid from: Tue Aug 16 17:00:00 PDT 2016 until: Fri Nov 16 15:59:59 PST 2018
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGizCCBjGgAwIBAgIQBpIwhtiIJO6YAHQvy4L9qjAKBggqhkjOPQQDAjCBkjEL\n"
+            + "MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
+            + "BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxODA2BgNVBAMT\n"
+            + "L0NPTU9ETyBFQ0MgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB\n"
+            + "MB4XDTE2MDgxNzAwMDAwMFoXDTE4MTExNjIzNTk1OVowggFZMREwDwYDVQQFEwgw\n"
+            + "NDA1ODY5MDETMBEGCysGAQQBgjc8AgEDEwJHQjEdMBsGA1UEDxMUUHJpdmF0ZSBP\n"
+            + "cmdhbml6YXRpb24xCzAJBgNVBAYTAkdCMQ8wDQYDVQQREwZNNSAzRVExGzAZBgNV\n"
+            + "BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEWMBQGA1UE\n"
+            + "CRMNVHJhZmZvcmQgUm9hZDEWMBQGA1UECRMNRXhjaGFuZ2UgUXVheTElMCMGA1UE\n"
+            + "CRMcM3JkIEZsb29yLCAyNiBPZmZpY2UgVmlsbGFnZTEaMBgGA1UEChMRQ09NT0RP\n"
+            + "IENBIExpbWl0ZWQxFjAUBgNVBAsTDUNPTU9ETyBFViBTU0wxODA2BgNVBAMTL2Nv\n"
+            + "bW9kb2VjY2NlcnRpZmljYXRpb25hdXRob3JpdHktZXYuY29tb2RvY2EuY29tMFkw\n"
+            + "EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt26qBS7TRu/yfR+RiqLAzW2C+UspFZlO\n"
+            + "Rc4EhLfNYMgFkoZKjEnwJzudH6a+uRPqPOhPgUd6PFfRQFOcLjmhgaOCA50wggOZ\n"
+            + "MB8GA1UdIwQYMBaAFNNOwxm6WFnRHGC3YVNHO6d3j/iKMB0GA1UdDgQWBBTpZ0tz\n"
+            + "KscFw6Z3vCEDFzGR5VSkVzAOBgNVHQ8BAf8EBAMCBYAwDAYDVR0TAQH/BAIwADAd\n"
+            + "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwRgYDVR0gBD8wPTA7BgwrBgEE\n"
+            + "AbIxAQIBBQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv\n"
+            + "bS9DUFMwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n"
+            + "Q09NT0RPRUNDRXh0ZW5kZWRWYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGH\n"
+            + "BggrBgEFBQcBAQR7MHkwUQYIKwYBBQUHMAKGRWh0dHA6Ly9jcnQuY29tb2RvY2Eu\n"
+            + "Y29tL0NPTU9ET0VDQ0V4dGVuZGVkVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy\n"
+            + "dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMG8GA1UdEQRo\n"
+            + "MGaCL2NvbW9kb2VjY2NlcnRpZmljYXRpb25hdXRob3JpdHktZXYuY29tb2RvY2Eu\n"
+            + "Y29tgjN3d3cuY29tb2RvZWNjY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5jb21v\n"
+            + "ZG9jYS5jb20wggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB3AGj2mPgfZIK+Oozu\n"
+            + "uSgdTPxxUV1nk9RE0QpnrLtPT/vEAAABVpjKocAAAAQDAEgwRgIhAKIobm0UJdom\n"
+            + "Hrg1HZv6ESYoYQtlqBj5bR5Ge8RGF+7pAiEAupYu0q3X27KNIsrQpmSzfiEsCQWY\n"
+            + "C97ToQgEhbBNZUYAdQBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAA\n"
+            + "AVaYyqEdAAAEAwBGMEQCIEWbMoAJpig9oTbuW2R1x/sZwDbt0Z1iUhkbEwqhkRWu\n"
+            + "AiByCmEY/MEtEmVcsu3uMXtJ/SMBo1JcfFCHbPf5VleQpAB1AO5Lvbd1zmC64UJp\n"
+            + "H6vhnmajD35fsHLYgwDEe4l6qP3LAAABVpjKoaYAAAQDAEYwRAIgVB/p/u8amjg4\n"
+            + "Qlq0rKv4oYYqIVKL/kFtpeH3Lm4hpnwCIDYdBZBo2cpF+KjKDn68kqFysy7MbP9r\n"
+            + "h/zPjAm72GeRMAoGCCqGSM49BAMCA0gAMEUCIHL5pdruv0yoFggKHPN7PXT4BfRr\n"
+            + "1ksLXKgF/xANjsuFAiEA9bt7u96U5OrAzJBgSkJFmNE20vEdwoQDL+99JeX4bAc=\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Tue Jul 04 03:34:40 PDT 2017", System.out);
+    }
+}
+
+class ComodoUserTrustRSA {
+
+    // Owner: CN=USERTrust RSA Extended Validation Secure Server CA,
+    // O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
+    // Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: f6bb751efa7d2e8368e606407334f83
+    // Valid from: Sat Feb 11 16:00:00 PST 2012 until: Thu Feb 11 15:59:59 PST 2027
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGGTCCBAGgAwIBAgIQD2u3Ue+n0ug2jmBkBzNPgzANBgkqhkiG9w0BAQwFADCB\n"
+            + "iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\n"
+            + "cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\n"
+            + "BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTIw\n"
+            + "MjEyMDAwMDAwWhcNMjcwMjExMjM1OTU5WjCBlTELMAkGA1UEBhMCVVMxEzARBgNV\n"
+            + "BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU\n"
+            + "aGUgVVNFUlRSVVNUIE5ldHdvcmsxOzA5BgNVBAMTMlVTRVJUcnVzdCBSU0EgRXh0\n"
+            + "ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0B\n"
+            + "AQEFAAOCAQ8AMIIBCgKCAQEAlJwjjGNzAgMFwLu05RnhYFJS1PpbcyPH6VZOij+z\n"
+            + "PyvCILGvwXC8A+EgBthY080+kIlSxrNyOdnrUfNj8IsBtBlmtOF9nMWgD0Cb4HB1\n"
+            + "Y/tCNas8IHMtKr6eI4nJa4NjPhTcST+GtC8r+bVGHk0QpX4LbT+Z8WeE7pXIOUGs\n"
+            + "9j66/hsMwgnBxkQ9xXN0jhTFITUZfnCuM0vOo5hRYlCNtwD8iaHJPaKxYe6qHSKH\n"
+            + "WCBK7GUQiQRngry+YKLx3YtC3k/NQIyhaTLY/gUFi57kPcpZoa0h3RGfS9MpPFoe\n"
+            + "mk3rGH3jwjVFxR1ep1FtP/kprzLaR1UL81gxENhWvZEWXQIDAQABo4IBbjCCAWow\n"
+            + "HwYDVR0jBBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFC+BT+Jm\n"
+            + "+rxov5lDhFKJIDqC86SlMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\n"
+            + "AgEAMDoGA1UdIAQzMDEwLwYEVR0gADAnMCUGCCsGAQUFBwIBFhlodHRwczovL2Nw\n"
+            + "cy51c2VydHJ1c3QuY29tMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl\n"
+            + "cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy\n"
+            + "bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy\n"
+            + "dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ\n"
+            + "aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAa2bX\n"
+            + "Xf22zjY/QLzzdZwJ9JO86qH/czwCFPK4o9Cb7rixQL9S7zHw1dm3n/+Lx5kT9lqx\n"
+            + "wB0dqoZ8o0XwFgVcksGz7QRhEBjrB0nSUNYG8kuFaMxRWa9ze6Ovov44WDrq1uyF\n"
+            + "npi3eeQiwMr3xHmY76b1NX0WqvlTTFw4L5DrcIohBz1zKVkRp7LH/s5vxjDECM+/\n"
+            + "erdy1WTILNFv09gwz4iFyfu/WmYYNUKlQJaSoUqja/KHcqY8zYKKjq5o982Ji3Ti\n"
+            + "/Odkx1NJA1Yf5ivDxxRFQmij6knL1pi1wgQxGjd67V3/+HfHF7MCRWk8mXnT32B9\n"
+            + "1Hk3jm10GL0R6y/XFsLhv0mGkmKD1vTP7vz1hdMLlVgxEs1k5dLMybtjUJ3LuENz\n"
+            + "avmZ/G/vOi284ZRo/gA/YjT5CeeWgI11IHbpRDAqKy4BWhmtIi11u12i9ftPxxrD\n"
+            + "/VwHtC0hTTOBnYgbJAK9ZLvaJUBU22EimU4Jv3ELkeV7SWedbAdfjXolI1mCcAbq\n"
+            + "RgzRC+RaTloSmO2dWicDBW7KlRHmKZXrkDUAExSBY/1j9HmNcYzWv4NCTtK7t0en\n"
+            + "gsE/OP2b7zHrHWtC/F1JwOCrH1JkbPA7c/6nNJVY2AscGM16pIU89OL0Ez1PyZYG\n"
+            + "4fokbdNREXoShKClNIPbB5iY+WdSzb9CKLyb96g=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=usertrustrsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=USERTrust RSA Extended Validation Secure Server CA, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: ffcada019c9fb1155a32300083cb99c9
+    // Valid from: Mon Jul 03 17:00:00 PDT 2017 until: Thu Oct 03 16:59:59 PDT 2019
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIIATCCBumgAwIBAgIRAP/K2gGcn7EVWjIwAIPLmckwDQYJKoZIhvcNAQELBQAw\n"
+            + "gZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK\n"
+            + "ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMTswOQYD\n"
+            + "VQQDEzJVU0VSVHJ1c3QgUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VjdXJlIFNl\n"
+            + "cnZlciBDQTAeFw0xNzA3MDQwMDAwMDBaFw0xOTEwMDMyMzU5NTlaMIIBYDERMA8G\n"
+            + "A1UEBRMIMDQwNTg2OTAxEzARBgsrBgEEAYI3PAIBAxMCR0IxHTAbBgNVBA8TFFBy\n"
+            + "aXZhdGUgT3JnYW5pemF0aW9uMQswCQYDVQQGEwJHQjEPMA0GA1UEERMGTTUgM0VR\n"
+            + "MRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx\n"
+            + "FjAUBgNVBAkTDVRyYWZmb3JkIFJvYWQxFjAUBgNVBAkTDUV4Y2hhbmdlIFF1YXkx\n"
+            + "JTAjBgNVBAkTHDNyZCBGbG9vciwgMjYgT2ZmaWNlIFZpbGxhZ2UxGjAYBgNVBAoT\n"
+            + "EUNPTU9ETyBDQSBMaW1pdGVkMRowGAYDVQQLExFDT01PRE8gRVYgU0dDIFNTTDE7\n"
+            + "MDkGA1UEAxMydXNlcnRydXN0cnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5j\n"
+            + "b21vZG9jYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeH+vF\n"
+            + "6JjCktrrnV4u8adH5ESuENaRNm2plwfD07Lskva4QvIQ9sz6/RrPjRwEdLRtBkll\n"
+            + "taZc26QxQxLAhvjPu3w5eXHP26/ES5++WoGXip4L/PcukUFFEcR6ujfIYpXCSh7V\n"
+            + "o/Y+rtR2L7uLt5Vll0DW2JzFlaj9QFT2bBsg5ip//jHNnobz3WEpv40C64R/Ebna\n"
+            + "9dmXyh0xOF8e4OWR9LudkxAFo7jQol5IQGGv7lMhLt3u1ZbJ78XqgRDT50cGIX0/\n"
+            + "JnV1eg7xq57/zSY/7QUxhOZEWwoeB7pmOiN8f1wuVHmROq0/lOqHkYFDjOne7IgE\n"
+            + "FTrKUqn080eR7AZRAgMBAAGjggN8MIIDeDAfBgNVHSMEGDAWgBQvgU/iZvq8aL+Z\n"
+            + "Q4RSiSA6gvOkpTAdBgNVHQ4EFgQUfPty8OfUth7Yz7PimXBCfuu33fwwDgYDVR0P\n"
+            + "AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG\n"
+            + "AQUFBwMCMEsGA1UdIAREMEIwNwYMKwYBBAGyMQECAQUBMCcwJQYIKwYBBQUHAgEW\n"
+            + "GWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20wBwYFZ4EMAQEwWgYDVR0fBFMwUTBP\n"
+            + "oE2gS4ZJaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUV4dGVu\n"
+            + "ZGVkVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBjQYIKwYBBQUHAQEEgYAw\n"
+            + "fjBVBggrBgEFBQcwAoZJaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVz\n"
+            + "dFJTQUV4dGVuZGVkVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAlBggrBgEF\n"
+            + "BQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTA9BgNVHREENjA0gjJ1c2Vy\n"
+            + "dHJ1c3Ryc2FjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWV2LmNvbW9kb2NhLmNvbTCC\n"
+            + "AX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5\n"
+            + "G9+443fNDsgN3BAAAAFdDU2iYQAABAMARzBFAiB0o4GnVHD8MeVQ32D0XYu+EQQW\n"
+            + "jvN78rmCfk0OEBxyFAIhAKgyctIn0IaDJiZzsrtAiqEnkcMtuh8o+R0Rqw1ygAjk\n"
+            + "AHcAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFdDU2gFgAABAMA\n"
+            + "SDBGAiEA7mcmZ8H5uHuNCdI0CVxsqDZQcZX/gVk94KckePkzQoACIQCHwm5hcvNC\n"
+            + "M8vNmFkboQN79DglRctHrlh143A6mUTk8QB2AO5Lvbd1zmC64UJpH6vhnmajD35f\n"
+            + "sHLYgwDEe4l6qP3LAAABXQ1NojoAAAQDAEcwRQIhAPqwijgE0Fr6uJ+yF+TvyXco\n"
+            + "Hduv9h7R5WWwJfghXiMyAiBB4+fJm4rIcOnJBZmOqFnRpIjPN0jwDqJT0nDHxaXA\n"
+            + "nDANBgkqhkiG9w0BAQsFAAOCAQEACXitF1bTEvV1HX11WrT/XuoMhsoPK4TS16rs\n"
+            + "FqztV4iXKlA1/h5qbsjYY1gVrM+/6kQkmEs5qrxsek2WNxY80NO3WAzroRJ3H9Sd\n"
+            + "mPn0No2P8LZ5Fs5hvaD/PfWO5xxey80c3kGyvWOej90P3IrL/1RiULyh95TrXBjI\n"
+            + "ddCBsZ28904wsQUrPBPMpiu0DKl1HR/em9WkcipMi+onJxxFWjucssz5PW/BzGYF\n"
+            + "jfWLDEI0tN5L4CWV3iVXFXOURY1Mwhtsey9jvlEyxSsys55QdKF40yGgtV9VC+os\n"
+            + "7hJP33+qA0cvCTaRytiPP6z/l2G/KSIXTyv6SxzGhsTFfzLAOg==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=usertrustrsacertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=USERTrust RSA Extended Validation Secure Server CA, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: 643d7e2b0112d51a05a4efb266ebd70d
+    // Valid from: Tue Aug 16 17:00:00 PDT 2016 until: Fri Nov 16 15:59:59 PST 2018
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIILjCCBxagAwIBAgIQZD1+KwES1RoFpO+yZuvXDTANBgkqhkiG9w0BAQsFADCB\n"
+            + "lTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\n"
+            + "cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxOzA5BgNV\n"
+            + "BAMTMlVTRVJUcnVzdCBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2Vy\n"
+            + "dmVyIENBMB4XDTE2MDgxNzAwMDAwMFoXDTE4MTExNjIzNTk1OVowggFgMREwDwYD\n"
+            + "VQQFEwgwNDA1ODY5MDETMBEGCysGAQQBgjc8AgEDEwJHQjEdMBsGA1UEDxMUUHJp\n"
+            + "dmF0ZSBPcmdhbml6YXRpb24xCzAJBgNVBAYTAkdCMQ8wDQYDVQQREwZNNSAzRVEx\n"
+            + "GzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEW\n"
+            + "MBQGA1UECRMNVHJhZmZvcmQgUm9hZDEWMBQGA1UECRMNRXhjaGFuZ2UgUXVheTEl\n"
+            + "MCMGA1UECRMcM3JkIEZsb29yLCAyNiBPZmZpY2UgVmlsbGFnZTEaMBgGA1UEChMR\n"
+            + "Q09NT0RPIENBIExpbWl0ZWQxGjAYBgNVBAsTEUNPTU9ETyBFViBTR0MgU1NMMTsw\n"
+            + "OQYDVQQDEzJ1c2VydHJ1c3Ryc2FjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWV2LmNv\n"
+            + "bW9kb2NhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4f68Xo\n"
+            + "mMKS2uudXi7xp0fkRK4Q1pE2bamXB8PTsuyS9rhC8hD2zPr9Gs+NHAR0tG0GSWW1\n"
+            + "plzbpDFDEsCG+M+7fDl5cc/br8RLn75agZeKngv89y6RQUURxHq6N8hilcJKHtWj\n"
+            + "9j6u1HYvu4u3lWWXQNbYnMWVqP1AVPZsGyDmKn/+Mc2ehvPdYSm/jQLrhH8Rudr1\n"
+            + "2ZfKHTE4Xx7g5ZH0u52TEAWjuNCiXkhAYa/uUyEu3e7VlsnvxeqBENPnRwYhfT8m\n"
+            + "dXV6DvGrnv/NJj/tBTGE5kRbCh4HumY6I3x/XC5UeZE6rT+U6oeRgUOM6d7siAQV\n"
+            + "OspSqfTzR5HsBlECAwEAAaOCA6owggOmMB8GA1UdIwQYMBaAFC+BT+Jm+rxov5lD\n"
+            + "hFKJIDqC86SlMB0GA1UdDgQWBBR8+3Lw59S2HtjPs+KZcEJ+67fd/DAOBgNVHQ8B\n"
+            + "Af8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\n"
+            + "BQUHAwIwQgYDVR0gBDswOTA3BgwrBgEEAbIxAQIBBQEwJzAlBggrBgEFBQcCARYZ\n"
+            + "aHR0cHM6Ly9jcHMudXNlcnRydXN0LmNvbTBaBgNVHR8EUzBRME+gTaBLhklodHRw\n"
+            + "Oi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBRXh0ZW5kZWRWYWxpZGF0\n"
+            + "aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGNBggrBgEFBQcBAQSBgDB+MFUGCCsGAQUF\n"
+            + "BzAChklodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBRXh0ZW5k\n"
+            + "ZWRWYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRw\n"
+            + "Oi8vb2NzcC51c2VydHJ1c3QuY29tMHUGA1UdEQRuMGyCMnVzZXJ0cnVzdHJzYWNl\n"
+            + "cnRpZmljYXRpb25hdXRob3JpdHktZXYuY29tb2RvY2EuY29tgjZ3d3cudXNlcnRy\n"
+            + "dXN0cnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5jb21vZG9jYS5jb20wggF+\n"
+            + "BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AGj2mPgfZIK+OozuuSgdTPxxUV1nk9RE\n"
+            + "0QpnrLtPT/vEAAABVpjLYnEAAAQDAEcwRQIhAL6/noD1PEwlZBByj9MKJSXPrEpW\n"
+            + "jpL335zhD+hrmvuqAiBizohmz9W29E8DoEuhca5PzKL8lSl5DpAOUGjMN0ihmgB2\n"
+            + "AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABVpjLYOgAAAQDAEcw\n"
+            + "RQIhAIRRWFG7M/XEgivLEdgEHWVNN7hk2QdVTvjr1DfRV2c3AiADq0LWpJ3dV7Je\n"
+            + "2Z3zKvqJEmRFNj5Pn9TwsIcEe1iNNgB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLY\n"
+            + "gwDEe4l6qP3LAAABVpjLYZ8AAAQDAEcwRQIge8b8UhHJWJ8/XWGIg6rQpaVXGP6q\n"
+            + "evL01KFNB28t8VQCIQCzddHCr/LLTVE+dB4kZHxuW5pOB+AtZlrAAQcuLoEauDAN\n"
+            + "BgkqhkiG9w0BAQsFAAOCAQEAPYqfbjlMjMJ2CEoIOUih/1BBnzXXkmmqXsXFI9gJ\n"
+            + "/tV1u4OzYOXHwOPhy/1JHv5dtNDSzyoeagYcjxEpl64kAJHrtzYwFlrqCU1xSIwd\n"
+            + "qrfmupyc5JwRqGE0Q01lryCxflUikh/pyDBtsxED4r+Topb+QwVZCzIMtOr49/S9\n"
+            + "GHA7HJo6nwSoV6rfrnLDCtcJN4ezEzOs7MOOq9K1MiAoAOXa/maelXwqbNGVpN2p\n"
+            + "HihRuBRDqusdS8zNGPxhvbviCDf8mJRvFoPgk/5o6mxf6bKfjmtkWOxMApvJU3Nd\n"
+            + "ib1aMX9KArEiNFwHFxOSYmE8c8x/zhLlk1btOo7gQrVNyw==\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Tue Jul 04 04:09:55 PDT 2017", System.out);
+    }
+}
+
+class ComodoUserTrustECC {
+
+    // Owner: CN=USERTrust ECC Extended Validation Secure Server CA, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: 3d09b24f5c08a7ce8eb85a51d3c1aa52
+    // Valid from: Sun Apr 14 17:00:00 PDT 2013 until: Fri Apr 14 16:59:59 PDT 2028
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIDwTCCA0igAwIBAgIQPQmyT1wIp86OuFpR08GqUjAKBggqhkjOPQQDAzCBiDEL\n"
+            + "MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl\n"
+            + "eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT\n"
+            + "JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTMwNDE1\n"
+            + "MDAwMDAwWhcNMjgwNDE0MjM1OTU5WjCBlTELMAkGA1UEBhMCVVMxEzARBgNVBAgT\n"
+            + "Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg\n"
+            + "VVNFUlRSVVNUIE5ldHdvcmsxOzA5BgNVBAMTMlVTRVJUcnVzdCBFQ0MgRXh0ZW5k\n"
+            + "ZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMFkwEwYHKoZIzj0CAQYIKoZI\n"
+            + "zj0DAQcDQgAEkSRGk0F0N82ZCZ+kVZ/StqVUiWRirw1ebViS06+j+HgS9xZKRGh7\n"
+            + "bqSas/gNMyg1LZusGu5IvEmXmNC5hzOT06OCAYMwggF/MB8GA1UdIwQYMBaAFDrh\n"
+            + "CYbUzxnClnZ0SXbc4DXGY2OaMB0GA1UdDgQWBBQqnFr5TqEw2kBLK+lL8fWc3AL5\n"
+            + "LjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADA/BgNVHSAEODA2\n"
+            + "MDQGBFUdIAAwLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9jcHMudHJ1c3QtcHJvdmlk\n"
+            + "ZXIuY29tMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly9jcmwudHJ1c3QtcHJvdmlk\n"
+            + "ZXIuY29tL1VTRVJUcnVzdEVDQ0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMIGA\n"
+            + "BggrBgEFBQcBAQR0MHIwRAYIKwYBBQUHMAKGOGh0dHA6Ly9jcnQudHJ1c3QtcHJv\n"
+            + "dmlkZXIuY29tL1VTRVJUcnVzdEVDQ0FkZFRydXN0Q0EuY3J0MCoGCCsGAQUFBzAB\n"
+            + "hh5odHRwOi8vb2NzcC50cnVzdC1wcm92aWRlci5jb20wCgYIKoZIzj0EAwMDZwAw\n"
+            + "ZAIwSzIqrW8TN9/aCfkhUtz0t8IIK+Z46z3wm+crwjThpQ/VoPgTNbvP/lGTi1xR\n"
+            + "qJvLAjBFa27l4uqeAQZHNJnIx1Mu9OXzoJelx1cYP7ToQUms/g+PK77yImJcXUU3\n"
+            + "s1rWGRU=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=usertrustecccertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=USERTrust ECC Extended Validation Secure Server CA, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: 9bd0c93cac9ca2edc1a7dd923316b3c6
+    // Valid from: Mon Jul 03 17:00:00 PDT 2017 until: Thu Oct 03 16:59:59 PDT 2019
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGhzCCBi2gAwIBAgIRAJvQyTysnKLtwafdkjMWs8YwCgYIKoZIzj0EAwIwgZUx\n"
+            + "CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz\n"
+            + "ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMTswOQYDVQQD\n"
+            + "EzJVU0VSVHJ1c3QgRUNDIEV4dGVuZGVkIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZl\n"
+            + "ciBDQTAeFw0xNzA3MDQwMDAwMDBaFw0xOTEwMDMyMzU5NTlaMIIBYDERMA8GA1UE\n"
+            + "BRMIMDQwNTg2OTAxEzARBgsrBgEEAYI3PAIBAxMCR0IxHTAbBgNVBA8TFFByaXZh\n"
+            + "dGUgT3JnYW5pemF0aW9uMQswCQYDVQQGEwJHQjEPMA0GA1UEERMGTTUgM0VRMRsw\n"
+            + "GQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxFjAU\n"
+            + "BgNVBAkTDVRyYWZmb3JkIFJvYWQxFjAUBgNVBAkTDUV4Y2hhbmdlIFF1YXkxJTAj\n"
+            + "BgNVBAkTHDNyZCBGbG9vciwgMjYgT2ZmaWNlIFZpbGxhZ2UxGjAYBgNVBAoTEUNP\n"
+            + "TU9ETyBDQSBMaW1pdGVkMRowGAYDVQQLExFDT01PRE8gRVYgU0dDIFNTTDE7MDkG\n"
+            + "A1UEAxMydXNlcnRydXN0ZWNjY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5jb21v\n"
+            + "ZG9jYS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQtMl8R33ZaWD6H8BW0\n"
+            + "+wybBf0+6+L5YYK/eyAVGm6vwjLaQZWlcdFBMKfaP1qTLi0VAabs4baSUkD8wR56\n"
+            + "8pVpo4IDjjCCA4owHwYDVR0jBBgwFoAUKpxa+U6hMNpASyvpS/H1nNwC+S4wHQYD\n"
+            + "VR0OBBYEFLOtYfOaIfDHZGubtKNELRR6A2srMA4GA1UdDwEB/wQEAwIFgDAMBgNV\n"
+            + "HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBQBgNVHSAE\n"
+            + "STBHMDwGDCsGAQQBsjEBAgEFATAsMCoGCCsGAQUFBwIBFh5odHRwczovL2Nwcy50\n"
+            + "cnVzdC1wcm92aWRlci5jb20wBwYFZ4EMAQEwXwYDVR0fBFgwVjBUoFKgUIZOaHR0\n"
+            + "cDovL2NybC50cnVzdC1wcm92aWRlci5jb20vVVNFUlRydXN0RUNDRXh0ZW5kZWRW\n"
+            + "YWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGYBggrBgEFBQcBAQSBizCBiDBa\n"
+            + "BggrBgEFBQcwAoZOaHR0cDovL2NydC50cnVzdC1wcm92aWRlci5jb20vVVNFUlRy\n"
+            + "dXN0RUNDRXh0ZW5kZWRWYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCoGCCsG\n"
+            + "AQUFBzABhh5odHRwOi8vb2NzcC50cnVzdC1wcm92aWRlci5jb20wPQYDVR0RBDYw\n"
+            + "NIIydXNlcnRydXN0ZWNjY2VydGlmaWNhdGlvbmF1dGhvcml0eS1ldi5jb21vZG9j\n"
+            + "YS5jb20wggF8BgorBgEEAdZ5AgQCBIIBbASCAWgBZgB1AKS5CZC0GFgUh7sTosxn\n"
+            + "cAo8NZgE+RvfuON3zQ7IDdwQAAABXQ0/jQ0AAAQDAEYwRAIgPbaNWgoi6OfyNwL2\n"
+            + "+jiySsoLrkx+0d4NJE1WnZQcfzwCICW4yvsXaMxoOXpQp3EPgrYk5Ajfvy/dY3Ui\n"
+            + "0/dbQtHxAHYAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFdDT+K\n"
+            + "xwAABAMARzBFAiB3GQasrX+akoHX02ZvXCcvhWCqv6qQOhLCUqflPoRbuAIhALwe\n"
+            + "hrQo8S1Tm5vbMcxGiViq5ZcawxENWhxZ9hS0BZweAHUA7ku9t3XOYLrhQmkfq+Ge\n"
+            + "ZqMPfl+wctiDAMR7iXqo/csAAAFdDT+M4AAABAMARjBEAiAjvp8w/fdTVW1VGE0T\n"
+            + "I0YcCIXTYFDgzUMsEUiKHANAgwIgETQUcac7Hiis2fgQ+GdGF9yuh+xMo2Z8QXNu\n"
+            + "1Cknf+8wCgYIKoZIzj0EAwIDSAAwRQIgQ5UiUI7xodmmMYNs3CmqlZHw/04BQRAR\n"
+            + "4gRm7blZSIMCIQDHvIWTaPzSO6vwVzs6wSD6FqebLiFxoddC6aZG8Nm0wQ==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=usertrustecccertificationauthority-ev.comodoca.com, OU=COMODO EV SGC SSL,
+    // O=COMODO CA Limited, STREET="3rd Floor, 26 Office Village", STREET=Exchange Quay,
+    // STREET=Trafford Road, L=Salford, ST=Greater Manchester, OID.2.5.4.17=M5 3EQ,
+    // C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB,
+    // SERIALNUMBER=04058690
+    // Issuer: CN=USERTrust ECC Extended Validation Secure Server CA, O=The USERTRUST Network,
+    // L=Jersey City, ST=New Jersey, C=US
+    // Serial number: 4a2545ad661540057c81281ff8c101b9
+    // Valid from: Tue Aug 16 17:00:00 PDT 2016 until: Fri Nov 16 15:59:59 PST 2018
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGtzCCBlygAwIBAgIQSiVFrWYVQAV8gSgf+MEBuTAKBggqhkjOPQQDAjCBlTEL\n"
+            + "MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl\n"
+            + "eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxOzA5BgNVBAMT\n"
+            + "MlVTRVJUcnVzdCBFQ0MgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVy\n"
+            + "IENBMB4XDTE2MDgxNzAwMDAwMFoXDTE4MTExNjIzNTk1OVowggFgMREwDwYDVQQF\n"
+            + "EwgwNDA1ODY5MDETMBEGCysGAQQBgjc8AgEDEwJHQjEdMBsGA1UEDxMUUHJpdmF0\n"
+            + "ZSBPcmdhbml6YXRpb24xCzAJBgNVBAYTAkdCMQ8wDQYDVQQREwZNNSAzRVExGzAZ\n"
+            + "BgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEWMBQG\n"
+            + "A1UECRMNVHJhZmZvcmQgUm9hZDEWMBQGA1UECRMNRXhjaGFuZ2UgUXVheTElMCMG\n"
+            + "A1UECRMcM3JkIEZsb29yLCAyNiBPZmZpY2UgVmlsbGFnZTEaMBgGA1UEChMRQ09N\n"
+            + "T0RPIENBIExpbWl0ZWQxGjAYBgNVBAsTEUNPTU9ETyBFViBTR0MgU1NMMTswOQYD\n"
+            + "VQQDEzJ1c2VydHJ1c3RlY2NjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWV2LmNvbW9k\n"
+            + "b2NhLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC0yXxHfdlpYPofwFbT7\n"
+            + "DJsF/T7r4vlhgr97IBUabq/CMtpBlaVx0UEwp9o/WpMuLRUBpuzhtpJSQPzBHnry\n"
+            + "lWmjggO+MIIDujAfBgNVHSMEGDAWgBQqnFr5TqEw2kBLK+lL8fWc3AL5LjAdBgNV\n"
+            + "HQ4EFgQUs61h85oh8Mdka5u0o0QtFHoDayswDgYDVR0PAQH/BAQDAgWAMAwGA1Ud\n"
+            + "EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMEcGA1UdIARA\n"
+            + "MD4wPAYMKwYBBAGyMQECAQUBMCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vY3BzLnRy\n"
+            + "dXN0LXByb3ZpZGVyLmNvbTBfBgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vY3JsLnRy\n"
+            + "dXN0LXByb3ZpZGVyLmNvbS9VU0VSVHJ1c3RFQ0NFeHRlbmRlZFZhbGlkYXRpb25T\n"
+            + "ZWN1cmVTZXJ2ZXJDQS5jcmwwgZgGCCsGAQUFBwEBBIGLMIGIMFoGCCsGAQUFBzAC\n"
+            + "hk5odHRwOi8vY3J0LnRydXN0LXByb3ZpZGVyLmNvbS9VU0VSVHJ1c3RFQ0NFeHRl\n"
+            + "bmRlZFZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwKgYIKwYBBQUHMAGGHmh0\n"
+            + "dHA6Ly9vY3NwLnRydXN0LXByb3ZpZGVyLmNvbTB1BgNVHREEbjBsgjJ1c2VydHJ1\n"
+            + "c3RlY2NjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWV2LmNvbW9kb2NhLmNvbYI2d3d3\n"
+            + "LnVzZXJ0cnVzdGVjY2NlcnRpZmljYXRpb25hdXRob3JpdHktZXYuY29tb2RvY2Eu\n"
+            + "Y29tMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdQBo9pj4H2SCvjqM7rkoHUz8\n"
+            + "cVFdZ5PURNEKZ6y7T0/7xAAAAVaYy/EsAAAEAwBGMEQCIATN694opYRAY9yCNZXZ\n"
+            + "TBJapGSqKHg1GBtlifmy+WB+AiACeljNAF3VK9Ma1bbJiRtB9ZRAN7mPbzaC3wha\n"
+            + "+5riaAB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABVpjL8F8A\n"
+            + "AAQDAEcwRQIgLq1mfWnNQWNTtQYtNCWm8wUm1Jez6AqfzmFLKJc4NC8CIQCsaHIH\n"
+            + "b/nKPPyKL9hxi2o5n0K3DpnHFv5V+0dtTBjOCgB2AO5Lvbd1zmC64UJpH6vhnmaj\n"
+            + "D35fsHLYgwDEe4l6qP3LAAABVpjL8RMAAAQDAEcwRQIhAOR5Hx0Mq6iX7lE6mfIR\n"
+            + "efJknMqXCnjcDsvzk6ZiXwSQAiB31TTkVHIVyscNYsup34Vcid7nWMuZiLjEElBo\n"
+            + "vYYh3jAKBggqhkjOPQQDAgNJADBGAiEA0CZ8Utr9boJ2y9mfVkOv2US4Nk9oWT/y\n"
+            + "P5YGb+ox/EICIQCBHZdD3tPNJ5BDkIdUCjnaFkNsHJchsU8e5a+1CV4knQ==\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator) throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Tue Jul 04 03:51:20 PDT 2017", System.out);
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
new file mode 100644
index 0000000000..152e77907b
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/DTrustCA.java
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with "D-Trust Root Class 3 CA 2 2009" and
+ *          "D-Trust Root Class 3 CA 2 EV 2009" CAs
+ * @build ValidatePathWithParams
+ * @run main/othervm -Djava.security.debug=certpath DTrustCA OCSP
+ * @run main/othervm -Djava.security.debug=certpath DTrustCA CRL
+ */
+public class DTrustCA {
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+
+        boolean ocspEnabled = true;
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+            ocspEnabled = false;
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+        }
+
+        new RootClass3CA2().runTest(pathValidator, ocspEnabled);
+        new RootClass3CA2EV().runTest(pathValidator, ocspEnabled);
+    }
+}
+
+class RootClass3CA2 {
+
+    // Owner: CN=D-TRUST SSL Class 3 CA 1 2009, O=D-Trust GmbH, C=DE
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFMjCCBBqgAwIBAgIDCZBjMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF\n"
+            + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD\n"
+            + "bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMTIxMjQ2NTVaFw0yOTExMDUwODM1NTha\n"
+            + "MEwxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJjAkBgNVBAMM\n"
+            + "HUQtVFJVU1QgU1NMIENsYXNzIDMgQ0EgMSAyMDA5MIIBIjANBgkqhkiG9w0BAQEF\n"
+            + "AAOCAQ8AMIIBCgKCAQEAoal0SyLSijE0JkuhHJmOCbmQznyxuSY7DaEwhUsdUpI+\n"
+            + "2llkDLz6s9BWQe1zCVXDhrt3qz5U5H4h6jxm5Ec+ZbFiU3Gv2yxpI5cRPrqj9mJU\n"
+            + "1CGgy1+29khuUnoopzSq66HPuGZGh06I7bJkXTQ7AQ92z1MdL2wATj1UWdNid3sQ\n"
+            + "NiWIm+69nURHY6tmCNenNcG6aV4qjHMUPsjpCRabNY9nUO12rsmiDW2mbAC3gcxQ\n"
+            + "lqLgLYur9HvB8cW0xu2JZ/B3PXmNphVuWskp3Y1u0SvIYzuEsE7lWDbBmtWZtabB\n"
+            + "hzThkDQvd+3keQ1sU/beq1NeXfgKzQ5G+4Ql2PUY/wIDAQABo4ICGjCCAhYwHwYD\n"
+            + "VR0jBBgwFoAU/doUxJ8w3iG9HkI5/KtjI0ng8YQwRAYIKwYBBQUHAQEEODA2MDQG\n"
+            + "CCsGAQUFBzABhihodHRwOi8vcm9vdC1jMy1jYTItMjAwOS5vY3NwLmQtdHJ1c3Qu\n"
+            + "bmV0MF8GA1UdIARYMFYwVAYEVR0gADBMMEoGCCsGAQUFBwIBFj5odHRwOi8vd3d3\n"
+            + "LmQtdHJ1c3QubmV0L2ludGVybmV0L2ZpbGVzL0QtVFJVU1RfUm9vdF9QS0lfQ1BT\n"
+            + "LnBkZjAzBgNVHREELDAqgRBpbmZvQGQtdHJ1c3QubmV0hhZodHRwOi8vd3d3LmQt\n"
+            + "dHJ1c3QubmV0MIHTBgNVHR8EgcswgcgwgYCgfqB8hnpsZGFwOi8vZGlyZWN0b3J5\n"
+            + "LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xhc3MlMjAzJTIwQ0El\n"
+            + "MjAyJTIwMjAwOSxPPUQtVHJ1c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZv\n"
+            + "Y2F0aW9ubGlzdDBDoEGgP4Y9aHR0cDovL3d3dy5kLXRydXN0Lm5ldC9jcmwvZC10\n"
+            + "cnVzdF9yb290X2NsYXNzXzNfY2FfMl8yMDA5LmNybDAdBgNVHQ4EFgQUUBkylJrE\n"
+            + "tQRNVtDAgyHVNVWwsXowDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\n"
+            + "AQAwDQYJKoZIhvcNAQELBQADggEBABM5QRHX/yInsmZLWVlvmWmKb3c4IB3hAIVR\n"
+            + "sAGhkvQJ/RD1GZjZUBBYMWkD1P37fTQxlqTOe3NecVvElkYZuCq7HSM6o7awzb3m\n"
+            + "yLn1kN+hDCsxX0EYbVSNjEjkW3QEkqJH9owH4qeMDxf7tfXB7BVKO+rarYPa2PR8\n"
+            + "Wz2KhjFDmAeFg2J89YcpeJJEEJXoweAkgJEEwwEIfJ2yLjYo78RD0Rvij/+zkfj9\n"
+            + "+dSvTiZTuqicyo37qNoYHgchuqXnKodhWkW89oo2NKhfeNHHbqvXEJmx0PbI6YyQ\n"
+            + "50GnYECZRHNKhgbPEtNy/QetU53aWlTlvu4NIwLW5XVsrxlQ2Zw=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=certdemo-ov-valid.ssl.d-trust.net, O=D-Trust GmbH, OU=IT,
+    // L=Berlin, ST=Berlin, C=DE, SERIALNUMBER=DTRWS354803406304201, DNQ=7223150018
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF1jCCBL6gAwIBAgIDD07RMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAkRF\n"
+            + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJjAkBgNVBAMMHUQtVFJVU1QgU1NMIENs\n"
+            + "YXNzIDMgQ0EgMSAyMDA5MB4XDTEyMTIxMTEwMTgzN1oXDTE1MTIyMTExMTgwOVow\n"
+            + "gbMxEzARBgNVBC4TCjcyMjMxNTAwMTgxHTAbBgNVBAUTFERUUldTMzU0ODAzNDA2\n"
+            + "MzA0MjAxMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZC\n"
+            + "ZXJsaW4xCzAJBgNVBAsMAklUMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV\n"
+            + "BAMMIWNlcnRkZW1vLW92LXZhbGlkLnNzbC5kLXRydXN0Lm5ldDCCASIwDQYJKoZI\n"
+            + "hvcNAQEBBQADggEPADCCAQoCggEBAMbo9ih0Bo4zKaKwl+mClCxhedC3YOpBzrun\n"
+            + "zbqYJuy6vbHuZdMtU3nO7ziTPbnoVFboKmyEtAMwJ+qudHdWaa/nA4Hlhmg5+CWZ\n"
+            + "OolX3VmMlrZ+LpaeajduOgDa7DQDcixZ+ndd24Xc/u9L83CH7ziQDs4XNJxx63Wf\n"
+            + "lSMKBKkmvry7CfCXcsR4dYW8tTBm1PESJZVNqOKkOiwHwMA69knpXwghmDbKgZro\n"
+            + "01chjeyYb39ZhwHNWlxh5rgd2HZpgrl8kUY3yV9PrQcjFPbKT6ZgHfRiHlax4vbX\n"
+            + "qiHHcHRr7iVPruyCf0DU3BqhDVUhnrJ+vqTyg+m/OJduznF2nXcCAwEAAaOCAlcw\n"
+            + "ggJTMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBRQ\n"
+            + "GTKUmsS1BE1W0MCDIdU1VbCxejBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAGG\n"
+            + "J2h0dHA6Ly9zc2wtYzMtY2ExLTIwMDkub2NzcC5kLXRydXN0Lm5ldDBmBgNVHSAE\n"
+            + "XzBdMFsGCysGAQQBpTQCgUgBMEwwSgYIKwYBBQUHAgEWPmh0dHA6Ly93d3cuZC10\n"
+            + "cnVzdC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9Sb290X1BLSV9DUFMucGRm\n"
+            + "MIHRBgNVHR8EgckwgcYwgcOggcCggb2GeWxkYXA6Ly9kaXJlY3RvcnkuZC10cnVz\n"
+            + "dC5uZXQvQ049RC1UUlVTVCUyMFNTTCUyMENsYXNzJTIwMyUyMENBJTIwMSUyMDIw\n"
+            + "MDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxp\n"
+            + "c3SGQGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfc3NsX2NsYXNz\n"
+            + "XzNfY2FfMV8yMDA5LmRlci5jcmwwMwYDVR0SBCwwKoEQaW5mb0BkLXRydXN0Lm5l\n"
+            + "dIYWaHR0cDovL3d3dy5kLXRydXN0Lm5ldDAdBgNVHQ4EFgQUHjGMR/EdDBRf+Ejf\n"
+            + "WW5a8beoBrwwDgYDVR0PAQH/BAQDAgSwMCwGA1UdEQQlMCOCIWNlcnRkZW1vLW92\n"
+            + "LXZhbGlkLnNzbC5kLXRydXN0Lm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAGN4yxyF3\n"
+            + "sszODgDSkCNX1s4R874jmBmMYy4Af9/kwKNp2GtqPPhnDu8VFtq0bqs1e06XZ4/W\n"
+            + "6pUPRZIlynjPASkQl+aJGzyZlaH+K0Al80M/7FRRmLCW9Do/RszRihdhcjeyG+Bi\n"
+            + "2k+A35aVqKMAWzoH4M7TCPg4+ECltaFgJ+25loXl3j0yiP/DmBwATO80Nx78ILl5\n"
+            + "D6cDyftMKUwdKKlUsB2RMOJsVBcotBMGTB1i/YoSKIu6t7QnoVFMHEia2wZegPCj\n"
+            + "hBKhLf/Zde/VrSN3IIft93XRabqXWqjpDCvpb/b06/0o5aZIycrj+Kya54dsdXMO\n"
+            + "FRy9N0HZYzvt9g==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=certdemo-ov-revoked.ssl.d-trust.net, O=D-Trust GmbH, OU=IT,
+    // L=Berlin, ST=Berlin, C=DE, DNQ=5562882417
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFuzCCBKOgAwIBAgIDExFnMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAkRF\n"
+            + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJjAkBgNVBAMMHUQtVFJVU1QgU1NMIENs\n"
+            + "YXNzIDMgQ0EgMSAyMDA5MB4XDTE0MDYyNjE2MTg1NloXDTE1MDYyOTE2MTg1Nlow\n"
+            + "gZYxEzARBgNVBC4TCjU1NjI4ODI0MTcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZC\n"
+            + "ZXJsaW4xDzANBgNVBAcTBkJlcmxpbjELMAkGA1UECxMCSVQxFTATBgNVBAoTDEQt\n"
+            + "VHJ1c3QgR21iSDEsMCoGA1UEAxMjY2VydGRlbW8tb3YtcmV2b2tlZC5zc2wuZC10\n"
+            + "cnVzdC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtdH2wqHgG\n"
+            + "tqlekrfRQzJuhMzRllfYcmmsxr7jsnwgPe0+zib+GeTDm9U5+XKjT1uYETL501ov\n"
+            + "HfKsZ/aK+k58iFF5evEtdHic/2v868uwxcm/Kcn+zt2uX9QvfSUzJPQkW/Ynu3w2\n"
+            + "IhuBNBlFAJgxjYr2xMUmDrVDx1/ZfBc0ddyo87MccLZOdmqLhef8bJQ+3q6DA+Z1\n"
+            + "bGk1wHl9KgFNtOjlKws5nKzCzyugy+MhLo+4wPxi0UhUA7QA7fk7lWBwJ9fZRTT/\n"
+            + "cKfP4lUucXdQBS2ZhvpEZggjjBDhTHtZLwdfEUlf1GZ+GwD8IB9whlwqT2cS9WUR\n"
+            + "XI9b14TJM2zfAgMBAAGjggJZMIICVTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\n"
+            + "BQUHAwIwHwYDVR0jBBgwFoAUUBkylJrEtQRNVtDAgyHVNVWwsXowQwYIKwYBBQUH\n"
+            + "AQEENzA1MDMGCCsGAQUFBzABhidodHRwOi8vc3NsLWMzLWNhMS0yMDA5Lm9jc3Au\n"
+            + "ZC10cnVzdC5uZXQwZgYDVR0gBF8wXTBbBgsrBgEEAaU0AoFIATBMMEoGCCsGAQUF\n"
+            + "BwIBFj5odHRwOi8vd3d3LmQtdHJ1c3QubmV0L2ludGVybmV0L2ZpbGVzL0QtVFJV\n"
+            + "U1RfUm9vdF9QS0lfQ1BTLnBkZjCB0QYDVR0fBIHJMIHGMIHDoIHAoIG9hnlsZGFw\n"
+            + "Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBTU0wlMjBDbGFz\n"
+            + "cyUyMDMlMjBDQSUyMDElMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0\n"
+            + "aWZpY2F0ZXJldm9jYXRpb25saXN0hkBodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2Ny\n"
+            + "bC9kLXRydXN0X3NzbF9jbGFzc18zX2NhXzFfMjAwOS5kZXIuY3JsMDMGA1UdEgQs\n"
+            + "MCqBEGluZm9AZC10cnVzdC5uZXSGFmh0dHA6Ly93d3cuZC10cnVzdC5uZXQwHQYD\n"
+            + "VR0OBBYEFC4+5qwI2S+t/TaZ/kMADTR7FjdOMA4GA1UdDwEB/wQEAwIEsDAuBgNV\n"
+            + "HREEJzAlgiNjZXJ0ZGVtby1vdi1yZXZva2VkLnNzbC5kLXRydXN0Lm5ldDANBgkq\n"
+            + "hkiG9w0BAQsFAAOCAQEAO3sbXee7GbEyXSRZOgwk2LloPNIFriFGP8WAWnsaf056\n"
+            + "jxHRnjjPQRyqhBmGQAGwrEp3a3uF+6gbM2XuoKPjNFqjqnQNR2+lVRs8pVTTjJ+r\n"
+            + "SekcOUbCx6nIe98OBheAljAxfeal3e8bBrP3VA+QvOscaLJiC1ZsGfqvrGYJDt6b\n"
+            + "UFMKbNuwDcfpKkrB0AyW0NvYALwgTPr+SgbxB0Xrp0W+dg6XfHmpuRSSPUkZqzEY\n"
+            + "uPTmIgs7qCtVEIpV91gDFBDNfr4QbFVCNvDmMIZNMnXUEmTW81N1KUVTNdz8k5TY\n"
+            + "HO/7TeeAi2u0m3ERrLXE9SKtNwUMJujEOQ/UmQkIQw==\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        if (ocspEnabled) {
+            // Test certificates are expired in 2015
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("Jan 01, 2015");
+        }
+
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Thu Jun 26 09:28:39 PDT 2014", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
+
+class RootClass3CA2EV {
+
+    // Owner: CN=D-TRUST SSL Class 3 CA 1 EV 2009, O=D-Trust GmbH, C=DE
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFRTCCBC2gAwIBAgIDCZBkMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF\n"
+            + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD\n"
+            + "bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMTIxMjUyNDNaFw0yOTExMDUwODUw\n"
+            + "NDZaME8xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKTAnBgNV\n"
+            + "BAMMIEQtVFJVU1QgU1NMIENsYXNzIDMgQ0EgMSBFViAyMDA5MIIBIjANBgkqhkiG\n"
+            + "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAygp+ZziakFyPq80fk1QIT9UCcPy0R3UIyq56\n"
+            + "hXA6lhgfs1l9R9wRM9/DIVX2olb0gHCXdpnHRm+jwzeL3dHJO8Im5Om/c24ZfSVE\n"
+            + "zBcgKxS5X7X5e7oCYb9tozd9xs04WqYd5kWrvCJsSQf5gtv5gAeJt+QiU7dtXs3A\n"
+            + "YDflWv4g9eEaDExxM0VQmceEAo5qc7I7dk5ry356G14zQmr29cxie6YS0kH+7qn5\n"
+            + "g+c21M01sENle0tBPxIfkv+nV95Ih3JkpHSPm/wgFKfCtwRtG+5VehUoMEpgfi0X\n"
+            + "fmVkag558aQpaaeQCtYZnXuq6g1D1LAcjIqMpOP4wNRp1ldLzQIDAQABo4ICJzCC\n"
+            + "AiMwHwYDVR0jBBgwFoAU05SKTGITKhkuzK9yin0215oc3GcwRwYIKwYBBQUHAQEE\n"
+            + "OzA5MDcGCCsGAQUFBzABhitodHRwOi8vcm9vdC1jMy1jYTItZXYtMjAwOS5vY3Nw\n"
+            + "LmQtdHJ1c3QubmV0MF8GA1UdIARYMFYwVAYEVR0gADBMMEoGCCsGAQUFBwIBFj5o\n"
+            + "dHRwOi8vd3d3LmQtdHJ1c3QubmV0L2ludGVybmV0L2ZpbGVzL0QtVFJVU1RfUm9v\n"
+            + "dF9QS0lfQ1BTLnBkZjAzBgNVHREELDAqgRBpbmZvQGQtdHJ1c3QubmV0hhZodHRw\n"
+            + "Oi8vd3d3LmQtdHJ1c3QubmV0MIHdBgNVHR8EgdUwgdIwgYeggYSggYGGf2xkYXA6\n"
+            + "Ly9kaXJlY3RvcnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3QlMjBDbGFz\n"
+            + "cyUyMDMlMjBDQSUyMDIlMjBFViUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURF\n"
+            + "P2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwRqBEoEKGQGh0dHA6Ly93d3cuZC10\n"
+            + "cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfZXZfMjAwOS5j\n"
+            + "cmwwHQYDVR0OBBYEFKztpZ16orZD8RiKJWpsscyo8lrUMA4GA1UdDwEB/wQEAwIB\n"
+            + "BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQA6I3sGyvb4\n"
+            + "MdTyEZFBBWBN/5Kx1SVkkPsll8DvgosJiuuK4I7mD6FFKDjKgogr407EoDSS2t1+\n"
+            + "pSmQCb0rNXoJT3YIlpZGqPYU2rcwrelabJQZWAfoRnbkDx2aqofhp5u45dyQpM2t\n"
+            + "R93/oA36iuHYc9Ewq8CaLGolrpT138RD7i4nN7sZFuFH0IseNz0+EZm88NHi9WeJ\n"
+            + "UyshWFKBKARi+589Y4P/G2XnbckxFKUxa7uEroZcMwvKBy469K0Au0zVTxs1zNtf\n"
+            + "Ol3QkNgPwzOPeHhOnpzcenyPgNEm+HQ0FPTnB4HeKBqTeLpkM7h4gq5MZ2TPmfuX\n"
+            + "KDz3AHrWLLdH\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=certdemo-ev-revoked.ssl.d-trust.net, O=D-Trust GmbH, OU=IT,
+    // STREET=Berlin, OID.2.5.4.17=10969, L=Berlin, ST=Berlin, C=DE,
+    // SERIALNUMBER=HRB74346, OID.2.5.4.15=Private Organization,
+    // OID.1.3.6.1.4.1.311.60.2.1.1=Berlin, OID.1.3.6.1.4.1.311.60.2.1.2=Berlin,
+    // OID.1.3.6.1.4.1.311.60.2.1.3=DE, DNQ=4028175542
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGZDCCBUygAwIBAgIDExFtMA0GCSqGSIb3DQEBCwUAME8xCzAJBgNVBAYTAkRF\n"
+            + "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKTAnBgNVBAMMIEQtVFJVU1QgU1NMIENs\n"
+            + "YXNzIDMgQ0EgMSBFViAyMDA5MB4XDTE0MDYyNjE2NDMyOFoXDTE1MDYyOTE2NDMy\n"
+            + "OFowggEwMRMwEQYDVQQuEwo0MDI4MTc1NTQyMRMwEQYLKwYBBAGCNzwCAQMMAkRF\n"
+            + "MRcwFQYLKwYBBAGCNzwCAQIMBkJlcmxpbjEXMBUGCysGAQQBgjc8AgEBDAZCZXJs\n"
+            + "aW4xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMREwDwYDVQQFEwhIUkI3\n"
+            + "NDM0NjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy\n"
+            + "bGluMQ4wDAYDVQQRDAUxMDk2OTEPMA0GA1UECRMGQmVybGluMQswCQYDVQQLEwJJ\n"
+            + "VDEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSwwKgYDVQQDEyNjZXJ0ZGVtby1ldi1y\n"
+            + "ZXZva2VkLnNzbC5kLXRydXN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\n"
+            + "AQoCggEBAMjX4zZxaSl+7eLXXVyO1HzQTymgsI4WlMpVMczyA21kXnx4iBZ9JeHW\n"
+            + "W3Jv4SxxqtHut98eCq30r7yniCy7zGX35iuSy2zMf0u0tRraP5b2c590UMRgKOSU\n"
+            + "DvahC+SlyJWGimt2Dtej2T1kcQvhUmonUkIimQOpM0MOIFxB5d494TzkQAYOV6yb\n"
+            + "AHoIsMWMeMm24Rr6o8QnJqhb9A13keYRK8t0u7F5+fvONlFT2YnjbCoRlxa48i1b\n"
+            + "PZwtE/NZ4bpZmv765tyfl9R5FatANnuja04Dd9StbTbjDezYzilF4qpSWtSKwmEl\n"
+            + "J6fRxJ1kNAEThyzNZMnFjh8htZ7PL18CAwEAAaOCAmQwggJgMB0GA1UdJQQWMBQG\n"
+            + "CCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSs7aWdeqK2Q/EYiiVqbLHM\n"
+            + "qPJa1DBGBggrBgEFBQcBAQQ6MDgwNgYIKwYBBQUHMAGGKmh0dHA6Ly9zc2wtYzMt\n"
+            + "Y2ExLWV2LTIwMDkub2NzcC5kLXRydXN0Lm5ldDBmBgNVHSAEXzBdMFsGCysGAQQB\n"
+            + "pTQCgUoBMEwwSgYIKwYBBQUHAgEWPmh0dHA6Ly93d3cuZC10cnVzdC5uZXQvaW50\n"
+            + "ZXJuZXQvZmlsZXMvRC1UUlVTVF9Sb290X1BLSV9DUFMucGRmMIHZBgNVHR8EgdEw\n"
+            + "gc4wgcuggciggcWGfmxkYXA6Ly9kaXJlY3RvcnkuZC10cnVzdC5uZXQvQ049RC1U\n"
+            + "UlVTVCUyMFNTTCUyMENsYXNzJTIwMyUyMENBJTIwMSUyMEVWJTIwMjAwOSxPPUQt\n"
+            + "VHJ1c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdIZDaHR0\n"
+            + "cDovL2NybC5kLXRydXN0Lm5ldC9jcmwvZC10cnVzdF9zc2xfY2xhc3NfM19jYV8x\n"
+            + "X2V2XzIwMDkuZGVyLmNybDAzBgNVHRIELDAqgRBpbmZvQGQtdHJ1c3QubmV0hhZo\n"
+            + "dHRwOi8vd3d3LmQtdHJ1c3QubmV0MB0GA1UdDgQWBBTFei056yoNM1HWYbBCixQw\n"
+            + "wXnf0TAOBgNVHQ8BAf8EBAMCBLAwLgYDVR0RBCcwJYIjY2VydGRlbW8tZXYtcmV2\n"
+            + "b2tlZC5zc2wuZC10cnVzdC5uZXQwDQYJKoZIhvcNAQELBQADggEBALv0OA+x401T\n"
+            + "CvGQL1Ah7rclRgtxT3UjmphiLs9EE1YbweIUrN3R4tZuryyv9xslAoLCfMrHUe+f\n"
+            + "jv1hsKqw+gGlrA8d5VnAqKfUR+KCiZivdlQ2sl4PDTZWpUQYlBnjQrD8h6UrcgTA\n"
+            + "g1zUpDnioAKAQSWWxHVpcOX0IXCl3RgRz0GqUIZQ0Q8ZwYbIDEI+JzDEJgKkTzet\n"
+            + "uzin8P54PjuJO801gENp43z++xHVuBcEWkU0TMDbmdL9vPZqnxsaoL5e/llGzor5\n"
+            + "6JbU6Fc0MkuziaLPUsIxVVx3ZhZ6UFdv34swKyq6ycvKW2fgccwsQCFMrVjIo6HR\n"
+            + "qiZC9Z+23vM=\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        // Valid cert received as test artifact was revoked so remove test
+
+        // Validate Revoked
+        if (ocspEnabled) {
+            // Revoked certificates are expired in 2015
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("Jan 01, 2015");
+        }
+
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Thu Jun 26 09:45:14 PDT 2014", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
new file mode 100644
index 0000000000..f7cdbe0638
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java
@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with Let's Encrypt CA
+ * @build ValidatePathWithParams
+ * @run main/othervm -Djava.security.debug=certpath LetsEncryptCA OCSP
+ * @run main/othervm -Djava.security.debug=certpath LetsEncryptCA CRL
+ */
+
+ /*
+ * "Lets Encrypt Authority X1" intermediate CA is retired.
+ * Test certs should be chained through "Lets Encrypt Authority X3" CA.
+ *
+ * Obtain TLS test artifacts for Let's Encrypt CA from:
+ *
+ * Valid TLS Certificates:
+ * https://valid-isrgrootx1.letsencrypt.org/
+ *
+ * Revoked TLS Certificates:
+ * https://revoked-isrgrootx1.letsencrypt.org/
+ *
+ * Test artifacts don't have CRLs listed.
+ */
+public class LetsEncryptCA {
+
+    // Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
+    // Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw\n"
+            + "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
+            + "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1\n"
+            + "WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n"
+            + "RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi\n"
+            + "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX\n"
+            + "NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf\n"
+            + "89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl\n"
+            + "Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc\n"
+            + "Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz\n"
+            + "uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB\n"
+            + "AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU\n"
+            + "BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB\n"
+            + "FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo\n"
+            + "SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js\n"
+            + "LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF\n"
+            + "BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG\n"
+            + "AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD\n"
+            + "VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB\n"
+            + "ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx\n"
+            + "A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM\n"
+            + "UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2\n"
+            + "DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1\n"
+            + "eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu\n"
+            + "OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw\n"
+            + "p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY\n"
+            + "2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0\n"
+            + "ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR\n"
+            + "PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b\n"
+            + "rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=valid-isrgrootx1.letsencrypt.org
+    // Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
+    // Serial number: 36916d6db9151ad4428d458a32eae518671
+    // Valid from: Wed Nov 08 07:00:24 PST 2017 until: Tue Feb 06 07:00:24 PST 2018
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFIzCCBAugAwIBAgISA2kW1tuRUa1EKNRYoy6uUYZxMA0GCSqGSIb3DQEBCwUA\n"
+            + "MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\n"
+            + "ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzExMDgxNTAwMjRaFw0x\n"
+            + "ODAyMDYxNTAwMjRaMCsxKTAnBgNVBAMTIHZhbGlkLWlzcmdyb290eDEubGV0c2Vu\n"
+            + "Y3J5cHQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyugIOCxl\n"
+            + "4p0Rrs4aggnzKGYezhMyyvqlBgVBkf3DJV5uHbz/B/CxcoFo2rZzIetJEsb7Qnt1\n"
+            + "U8L2O5BKnBeOsI5eFv6WUAQs96VayQ09+xCV3jSNjVpbmKKp1TNWboF/V+EDFq6f\n"
+            + "fxK9h+b88RhBn4gfe+BorPnVTmZZQHgcZCjMGyzlXt68r45dXmZOuh0855Y7z6Et\n"
+            + "wCHTT8k/7VC0DTIs0+veKv+yblUqwGD0htdOh7POkQGfBeJ432FsCCcLCDjg2Jj2\n"
+            + "oYQNpLao55ZnVJGXfP8dJpHqJvuEQVuNT1TbHTs4x7IMftqGcPuhXKhA5FCVf0Hb\n"
+            + "osbVmZ/b2b/WswIDAQABo4ICIDCCAhwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW\n"
+            + "MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQZ\n"
+            + "Mod3QzNPUL56tDMtELpCiwkQOTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv\n"
+            + "86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmlu\n"
+            + "dC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0Lmlu\n"
+            + "dC14My5sZXRzZW5jcnlwdC5vcmcvMCsGA1UdEQQkMCKCIHZhbGlkLWlzcmdyb290\n"
+            + "eDEubGV0c2VuY3J5cHQub3JnMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsr\n"
+            + "BgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlw\n"
+            + "dC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25s\n"
+            + "eSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4g\n"
+            + "YWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQg\n"
+            + "aHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQEL\n"
+            + "BQADggEBAFBiwKeCZfIh8a7x0Y5QEqGwejil/BY6MOVuIU9FRIJKmhJGdh6lI6ln\n"
+            + "zlBbMZBAjZ+TqDxU0pvM1AsRDyCqt8GbCAC2xQsGyATLdCjedLQ7U7ORm7pBZdbe\n"
+            + "cT7h9Sblj53o5MKa1yFeS89WGjI4UueUemGxp7EQjat0NeAvbnpU+YmuevNYKX2M\n"
+            + "kK33reMC+rgD+wKet1CXcB/ZYl3fDzVH3SwkT/bKW5bsuwxBuD2noScnKCitRgiv\n"
+            + "Ew7YjwqNOm2naki/xr2sfJirR+lJtZ9KC3H8xWeEHrD8Cf7pnmMYqV59uR+hJwMP\n"
+            + "YsjjDbDFCmNN9FBqDwvXs7g86ttkdC8=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=revoked-isrgrootx1.letsencrypt.org
+    // Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
+    // Serial number: 3ddd39c0755648d6687a5d8ded37775657e
+    // Valid from: Wed Nov 08 07:00:32 PST 2017 until: Tue Feb 06 07:00:32 PST 2018
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIFJzCCBA+gAwIBAgISA93TnAdVZI1mh6XY3tN3dWV+MA0GCSqGSIb3DQEBCwUA\n"
+            + "MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\n"
+            + "ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzExMDgxNTAwMzJaFw0x\n"
+            + "ODAyMDYxNTAwMzJaMC0xKzApBgNVBAMTInJldm9rZWQtaXNyZ3Jvb3R4MS5sZXRz\n"
+            + "ZW5jcnlwdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5qlZ0\n"
+            + "jslNLn/1uICdZPwflcvsoA2S2Nk+O7cPNew+KQmSIf+LK9AbaWHCkABKx1GdMtfN\n"
+            + "4Q/nKBtzqZ5jX1V1XbPqPd1eeyJo0rNaDFk/gEUHw/zIYi1AtsxVHztMqOXRcsw+\n"
+            + "6QHRKU2XFVsfSctMv+MKnMTEJZARyhr5ur9bQ4/LmxPMhrlHAst97hiSsXKXeyMK\n"
+            + "DWPHmUDn1vz/1mwLMaeYYmuhuRP5HNwYq+LdYvjMV580i6LHY72TwQCfVgOHfqI0\n"
+            + "larISk2p4q6DmTEEiAzJB3yEYaxDn0kEXbKhL9efDC+eirVFa0ta2OnH87s9L8z9\n"
+            + "fm9JIiSFM9ATQ16/AgMBAAGjggIiMIICHjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l\n"
+            + "BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE\n"
+            + "FP64lxiV8KwkkzoNaM7iuwX8UBG/MB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZF\n"
+            + "Ze/zqOyhMG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3Au\n"
+            + "aW50LXgzLmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQu\n"
+            + "aW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wLQYDVR0RBCYwJIIicmV2b2tlZC1pc3Jn\n"
+            + "cm9vdHgxLmxldHNlbmNyeXB0Lm9yZzCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB\n"
+            + "5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu\n"
+            + "Y3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5\n"
+            + "IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5\n"
+            + "IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5k\n"
+            + "IGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3\n"
+            + "DQEBCwUAA4IBAQCBiokogdgIZxwuPSr43S4GZ9FwrpZNMHADMEZB8ykuotJBGyr1\n"
+            + "QLWDVeoAJ8OIi1AzjcdwKFQks/MKUJwxJ9hYmm9aM14d5lMKGTyoLSI/Z/Vrpx8w\n"
+            + "0GpktSK0WfPeLBHuSpMdrIMWyziSu/bdZtiOIIvMasFwyRhDgII++CIdsnboWXF+\n"
+            + "DZcwy0Yd6XzirXuwENwaWrkrbZPr/JB0xLFmydqXAnA1VFTudwL87q4CTlEo8EiD\n"
+            + "ucKZ/vAhD+ip3/kQFXg90om+9TdHo8D8GxTC1CLZteJt+nqWFRj0e/7eCXIZuUBE\n"
+            + "aSsFCd5RNTHs6tioN9vYJqLojObgF75MgIAC\n"
+            + "-----END CERTIFICATE-----";
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+
+            // Validate int, EE certs don't have CRLs
+            pathValidator.validate(new String[]{INT},
+                    ValidatePathWithParams.Status.GOOD, null, System.out);
+
+            return;
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+        }
+
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Wed Nov 08 08:00:35 PST 2017", System.out);
+
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java
new file mode 100644
index 0000000000..82b851b27b
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java
@@ -0,0 +1,473 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8189131
+ * @summary Interoperability tests with QuoVadis Root CA1, CA2, and CA3 CAs
+ * @build ValidatePathWithParams
+ * @run main/othervm -Djava.security.debug=certpath QuoVadisCA OCSP
+ * @run main/othervm -Djava.security.debug=certpath QuoVadisCA CRL
+ */
+
+ /*
+ * Obtain TLS test artifacts for QuoVadis CAs from:
+ *
+ * Valid TLS Certificates:
+ * CA1: https://qvica1g3-v.quovadisglobal.com
+ * CA2: https://qvsslicag3-v.quovadisglobal.com
+ * CA2 EV: https://evsslicag3-v.quovadisglobal.com
+ * CA3: https://qvica3g3-v.quovadisglobal.com
+ *
+ * Revoked TLS Certificates:
+ * CA1: https://qvica1g3-r.quovadisglobal.com
+ * CA2: https://qvsslicag3-r.quovadisglobal.com
+ * CA2 EV: https://evsslicag3-r.quovadisglobal.com
+ * CA3: https://qvica3g3-r.quovadisglobal.com
+ */
+public class QuoVadisCA {
+
+    public static void main(String[] args) throws Exception {
+
+        ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
+
+        boolean ocspEnabled = true;
+
+        if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
+            pathValidator.enableCRLCheck();
+            ocspEnabled = false;
+        } else {
+            // OCSP check by default
+            pathValidator.enableOCSPCheck();
+        }
+
+        new RootCA1().runTest(pathValidator, ocspEnabled);
+        new RootCA2().runTest(pathValidator, ocspEnabled);
+        new RootCA3().runTest(pathValidator, ocspEnabled);
+    }
+}
+
+class RootCA1 {
+
+    // Owner: CN=QuoVadis Issuing CA 1 G3, O=QuoVadis Limited, C=BM
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGFTCCA/2gAwIBAgIUPybG62jqpxKYOV5MlXAGPJYDy9MwDQYJKoZIhvcNAQEL\n"
+            + "BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc\n"
+            + "BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMSBHMzAeFw0xMjExMDYxNjA5NTJaFw0y\n"
+            + "MjExMDYxNjA5NTJaMEsxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM\n"
+            + "aW1pdGVkMSEwHwYDVQQDExhRdW9WYWRpcyBJc3N1aW5nIENBIDEgRzMwggIiMA0G\n"
+            + "CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2Ud42yCfjYm4WlQ+nhTpZ9aPp0r8a\n"
+            + "yz+kKpPxc8ZWvEi7HDPhr7f5nWnEruHE0HbH8WyFGE+sICF788VpZLbFhL4wbIWV\n"
+            + "tHIrYan7+yL2yoNbHUBgeWxa48P96WxrW34K/OyQkJoSvY4iNk4BGI0wOYD9wsl9\n"
+            + "6wIaQFNu25Wsv0CcDSsyNjw8O8Ib6dmS6iib+KnZlKJnYqSTrzbnzf/2CU+Wb9V0\n"
+            + "yExk7shcfDpqxo9yyyEBPP1GUEb5SSr9qXYP2d4UsrRIgzKpD5feqdjk6ZGA4xeM\n"
+            + "JHo6GLjddNvVvopaKaLrDzlOXgqgbMIPQu+xkzpKW3IJOylxN55oVuH25MwbS9IL\n"
+            + "kDMv//kdiTUl1wXERZiUmcBdpWt9D9liyVxe5+HeI5VlhDuHsxDoPFmoOGTa6brX\n"
+            + "PXlNc0xji+grBQjIRNs43T5+GyYzCyjzG3dSb0BTYGLnfUAEQ1+MCC3K33DKL/me\n"
+            + "iUrWNclh85BQQigJr5HNLym3+J6Jf0OCnq4VmD1OFrhZrui02Xmz/hOECK2Mciga\n"
+            + "DxRgXBKjLebV0RW3j6libuPiKbxSinfqNqf2Q9eCfKrzgWQkuCHZvkt0Cqgzjbm1\n"
+            + "n5xu9zXR8YG5/680Nyb3tywUb6FhA8l1L/KLoK79RGjKgPotCog6Ykvy/667jlyo\n"
+            + "ZII0YUf6S3uyeQIDAQABo4HzMIHwMBIGA1UdEwEB/wQIMAYBAf8CAQEwEQYDVR0g\n"
+            + "BAowCDAGBgRVHSAAMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDov\n"
+            + "L29jc3AucXVvdmFkaXNnbG9iYWwuY29tMA4GA1UdDwEB/wQEAwIBBjAfBgNVHSME\n"
+            + "GDAWgBSjl9bzXqIQ4atFnzwXZDzuAXCczDA7BgNVHR8ENDAyMDCgLqAshipodHRw\n"
+            + "Oi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdnJjYTFnMy5jcmwwHQYDVR0OBBYE\n"
+            + "FF0EGBL7w+p4fbRXCaH+bf6Cn2TNMA0GCSqGSIb3DQEBCwUAA4ICAQAF6qNCo3LP\n"
+            + "Qk8jthU1aiuo5WW9jQC+PqWeyVe4JjHK+5PRM+BtoErOItfZyPqoIBMedC/Ya9L1\n"
+            + "Sv0gncvifjtTD3jIBz0FVCbIMJLRp63b4qtmAGuB00XTXgCFcYoiIq5kyNedJnLe\n"
+            + "IxMqb0xx8IAqvP9kfEVNdGfvYraSswiGXADftZ3yM24zIc3Ysewi3JeTbzDhEGfb\n"
+            + "yv9eBplkfKfcoKyOds4sLcxj1QpUxcXgjX1mKTbfOSD5ac/Cjrz6Kqnl2+PNrc5N\n"
+            + "kXBVKhcCAjpqX5OyI86IUg9XY8i7Lz+tXzAQhllh+rPyTyAmieGf2iV9wrl//OZB\n"
+            + "l2nXwbgfA7QwQ2VdsmGJfW3a7Zc13GCNx0M2RUGJKLMJOavY72d41wAYPQ46AXls\n"
+            + "Ic7RJi6EWmwLi6lvw4kKFfWZ0c6vIJur1hLUUmLOt0UBZ226eIREVpmFbDGOLzfl\n"
+            + "gU0xKhqmU0aIOORzBGDfOrnctvaXORNNhCZ78zS96Egzu2w2OC47Zry7k+EOatzA\n"
+            + "5zrdJJM3UP7aMSNPvEygbcFUw2I04vpxUuPYTwCtogqNMHqFbCjLM9YxhzsGMdh/\n"
+            + "9aD1krboaSXUjrS9cOr5P2A9kFHCMsXBaDoaijQXNeyhu+oCeYsdv4S3djFwDW3+\n"
+            + "iPLo51aqZGsTZ1S22vYdkp+QFByLtArVMQ==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvica1g3-v.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF9DCCA9ygAwIBAgIUGug3BoLw4/auIdDQ0mHS6QnPHB8wDQYJKoZIhvcNAQEL\n"
+            + "BQAwSzELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxITAf\n"
+            + "BgNVBAMTGFF1b1ZhZGlzIElzc3VpbmcgQ0EgMSBHMzAeFw0xNDExMTQxNDA1MDda\n"
+            + "Fw0xNzExMTQxNDA0NTFaMHYxCzAJBgNVBAYTAkJNMREwDwYDVQQIEwhQZW1icm9r\n"
+            + "ZTERMA8GA1UEBxMISGFtaWx0b24xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQx\n"
+            + "JjAkBgNVBAMTHXF2aWNhMWczLXYucXVvdmFkaXNnbG9iYWwuY29tMIIBIjANBgkq\n"
+            + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwHoNPHE0C/tEwI5jeYvKJdo5SXSccB/c\n"
+            + "nCHJVs/4i9F8oRmPqNiFMD99UVylk4nn8iqi8MoxrFAhqtmplPslgRDLwyLMmnGO\n"
+            + "1cNoPKGMKxQq9EerBgSk4wqeSsSH+7qnZhCamIlvEm0PUaEH8rcjXokTs0fyjadF\n"
+            + "UmVwcmSZdmnNjseOMgm+G6C8tEPHRQl/Oezy6DzS9PQVLUFCBSyOaAgDnr4EvwGE\n"
+            + "u2fd3m+ys80XXGq4eLy1MmuC7U+bIQuupuydk/S7kVh7Rl+5nT1eTv0LEOj5gYFc\n"
+            + "C5SBnhiLibuRTOr+LsC9HpvN4vnoCaOogWxDQj/f1KRn45PNJncsbwIDAQABo4IB\n"
+            + "ozCCAZ8wdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x\n"
+            + "dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92\n"
+            + "YWRpc2dsb2JhbC5jb20vcXZpY2ExZzMuY3J0MCgGA1UdEQQhMB+CHXF2aWNhMWcz\n"
+            + "LXYucXVvdmFkaXNnbG9iYWwuY29tMFEGA1UdIARKMEgwRgYMKwYBBAG+WAACZAEB\n"
+            + "MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL3Jl\n"
+            + "cG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr\n"
+            + "BgEFBQcDAjAfBgNVHSMEGDAWgBRdBBgS+8PqeH20Vwmh/m3+gp9kzTA7BgNVHR8E\n"
+            + "NDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdmljYTFn\n"
+            + "My5jcmwwHQYDVR0OBBYEFJO98+S7NZMTz2JRogpUwLuxjTa0MA0GCSqGSIb3DQEB\n"
+            + "CwUAA4ICAQCq1O/BnzpQjbTbmEob/bWH/p92ZYRV0Lr01CdYkRXl4XKL2ZLusel6\n"
+            + "126AIvAK51o65wiGVaLGs49AKXOjcaAnTfwoFembqFRlBiGFSOdglTIsZUGdmhtP\n"
+            + "x1meetkOY8bY79viGkVCufAVq0hAF+AYh4nYM+/n7IijIcM5uhzIDb2Vw8+wKPTB\n"
+            + "7k2K/e1GGwbqrIAkjrZ6kpRg632RkbR18anaDVOgXuKzmZMRbIAii/N+lo7u3DhC\n"
+            + "5mJEIjP4cQXd569AfKQzvBO+syGDAJyX5PbTrd59IXZ+EjiisIq/DNQi6QalWMfS\n"
+            + "BnK97nUzH/BjAofMaUufbB8dxg+RT0QC/Yl1lmlA3CYmr6YWn06DiAuWL14ZFFwh\n"
+            + "2HQ7juU9oQ1I/HTfhVBoTzuKGCW1ZNXA64IdKlBsYp8NO9xKjBWIxwU/+S/IgoQP\n"
+            + "aTNkY4Mc353bdLi9082JwaiQ9B5eH0V9pZ17OSRU44o2TeDDT85sjF+krqCnnolR\n"
+            + "3lk7iqYDRHsvgqJqtkhhX/boF3wJAnKqaZ6j97PVqV75kwAak7XaH7C50RsPQGk2\n"
+            + "j5OFa6ioobW7tN5PfWAZPMZn98yX2Wh8Z95aGhdsHSJHsrlcUiWa+X2D1kF/dOKd\n"
+            + "R8rPqdPIPjUglrXS4yP+cJHx6fCJxW7me1R60lpuL6JNvHp54u7GGA==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvica1g3-r.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF9DCCA9ygAwIBAgIUBAG4l0ZPYhEdLJSMWYCr7LHngvswDQYJKoZIhvcNAQEL\n"
+            + "BQAwSzELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxITAf\n"
+            + "BgNVBAMTGFF1b1ZhZGlzIElzc3VpbmcgQ0EgMSBHMzAeFw0xMjExMTQxMzQ4MDda\n"
+            + "Fw0xNDExMTQxMzQ4MDdaMHYxCzAJBgNVBAYTAkJNMREwDwYDVQQIEwhQZW1icm9r\n"
+            + "ZTERMA8GA1UEBxMISGFtaWx0b24xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQx\n"
+            + "JjAkBgNVBAMTHXF2aWNhMWczLXIucXVvdmFkaXNnbG9iYWwuY29tMIIBIjANBgkq\n"
+            + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqlof1qJLTiqI7bf0IU7zOxy0HqjIn0pW\n"
+            + "lNIEVAjQRR1jnfpsMapicIGZfnnNaYpwdsIjGPwpvWXGA+30ezJNGfWMjhb/tiis\n"
+            + "qjrHdwXAob5MyXOXP5ZS8K34GwKeL45oJZZG0cf2FSta9/CSsRC9wnDUp/kA+VkH\n"
+            + "n5vlg7VpUExYO0CBXe4C4ehnvCZHjW5nqpVpm993f9i8E0W3vHPxjGuyuqVEEfma\n"
+            + "WfOV78+HF4hxALnr+73mp0i6Do2oa/v85mZzyKeBm2YHhwdQ6CC7UZtABlHyWuz9\n"
+            + "h/ocTGbX92rbUaW6icu9bKQkQ9jsomnQkU5b8CWseo2O0NXBevvCowIDAQABo4IB\n"
+            + "ozCCAZ8wdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x\n"
+            + "dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92\n"
+            + "YWRpc2dsb2JhbC5jb20vcXZpY2ExZzMuY3J0MCgGA1UdEQQhMB+CHXF2aWNhMWcz\n"
+            + "LXIucXVvdmFkaXNnbG9iYWwuY29tMFEGA1UdIARKMEgwRgYMKwYBBAG+WAACZAEB\n"
+            + "MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL3Jl\n"
+            + "cG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr\n"
+            + "BgEFBQcDAjAfBgNVHSMEGDAWgBRdBBgS+8PqeH20Vwmh/m3+gp9kzTA7BgNVHR8E\n"
+            + "NDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdmljYTFn\n"
+            + "My5jcmwwHQYDVR0OBBYEFNrefqnat67/DMlw0Z/xdQ478leyMA0GCSqGSIb3DQEB\n"
+            + "CwUAA4ICAQBG1TxJNbWzG4ShZefK4wEdScBzxSB7StYO3mmIP2D3LTlEk+zWjDVP\n"
+            + "ERPL41Si92asMHvMai7GcFT82XyHxsQGZIPcgIm+rC2NiSPDx2Vd6lkMaO8J9mrU\n"
+            + "3Z4Ks3G5HmszQ/gXRT3DCoNng+k+JqdZjrvMcsGTH+AzRdoinwOi+QnpphAcZRhS\n"
+            + "Io8C7w9osUPYFdDaE3Io+oYr2mWJg4n+FGsjxunQgIhLiiNaVF8zHxER7gW0YsCW\n"
+            + "vw1jX0dmfQZSdo2ybVeHuznUxtUWRHJ/nv6v2B2anUsVEbPyrpQ3i9+BzWaYolPU\n"
+            + "ZYxfMHBQ7HvncRP6rgrHF4x+iOnIxWsErYdEj5nQJkptYbVl41VzO6xMP7WvXFPa\n"
+            + "dqxwihqILRmAZrI9p/6k/HqV9xMPKprUhnWDGQ/bYnPKyXoTx6uwamaonX4DpW83\n"
+            + "b3CJTvBHwKh5eJQoBykAkakPdrmbOhe4/XWnDqQVUgJNmEvkg33AexviJo4mW3HG\n"
+            + "K2MdM60GRIC3Lcnd+Q8SnSCCxp+YtuE/C3Fu8VI/8vz9MC159GGtDzyC7OeKPCpU\n"
+            + "7H1X0X/OhBkiv7anK/oIhtSw+4DrM2eaVjdWkEa+di2jvI/2us8TXxO1LL+eeSxT\n"
+            + "E+LbdNO0jSp8azw2Aw4zL+Q41Fzt7OlH7mTkw1mxLF3aWsUNUz/p4w==\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        if (ocspEnabled) {
+            // Revoked certificates are expired in Nov 2014
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("Jan 01, 2014");
+        }
+
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Thu Jan 03 23:47:34 PST 2013", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
+
+class RootCA2 {
+
+    // Owner: CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGFzCCA/+gAwIBAgIUftbnnMmtgcTIGT75XUQodw40ExcwDQYJKoZIhvcNAQEL\n"
+            + "BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc\n"
+            + "BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjExMDYxNDUwMThaFw0y\n"
+            + "MjExMDYxNDUwMThaME0xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM\n"
+            + "aW1pdGVkMSMwIQYDVQQDExpRdW9WYWRpcyBHbG9iYWwgU1NMIElDQSBHMzCCAiIw\n"
+            + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANf8Od17be6c6lTGJDhEXpmkTs4y\n"
+            + "Q39Rr5VJyBeWCg06nSS71s6xF3sZvKcV0MbXlXCYM2ZX7cNTbJ81gs7uDsKFp+vK\n"
+            + "EymiKyEiI2SImOtECNnSg+RVR4np/xz/UlC0yFUisH75cZsJ8T1pkGMfiEouR0EM\n"
+            + "7O0uFgoboRfUP582TTWy0F7ynSA6YfGKnKj0OFwZJmGHVkLs1VevWjhj3R1fsPan\n"
+            + "H05P5moePFnpQdj1FofoSxUHZ0c7VB+sUimboHm/uHNY1LOsk77qiSuVC5/yrdg3\n"
+            + "2EEfP/mxJYT4r/5UiD7VahySzeZHzZ2OibQm2AfgfMN3l57lCM3/WPQBhMAPS1jz\n"
+            + "kE+7MjajM2f0aZctimW4Hasrj8AQnfAdHqZehbhtXaAlffNEzCdpNK584oCTVR7N\n"
+            + "UR9iZFx83ruTqpo+GcLP/iSYqhM4g7fy45sNhU+IS+ca03zbxTl3TTlkofXunI5B\n"
+            + "xxE30eGSQpDZ5+iUJcEOAuVKrlYocFbB3KF45hwcbzPWQ1DcO2jFAapOtQzeS+MZ\n"
+            + "yZzT2YseJ8hQHKu8YrXZWwKaNfyl8kFkHUBDICowNEoZvBwRCQp8sgqL6YRZy0uD\n"
+            + "JGxmnC2e0BVKSjcIvmq/CRWH7yiTk9eWm73xrsg9iIyD/kwJEnLyIk8tR5V8p/hc\n"
+            + "1H2AjDrZH12PsZ45AgMBAAGjgfMwgfAwEgYDVR0TAQH/BAgwBgEB/wIBATARBgNV\n"
+            + "HSAECjAIMAYGBFUdIAAwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRw\n"
+            + "Oi8vb2NzcC5xdW92YWRpc2dsb2JhbC5jb20wDgYDVR0PAQH/BAQDAgEGMB8GA1Ud\n"
+            + "IwQYMBaAFO3nb3Zav2DsSVvGpXe7chZxm8Q9MDsGA1UdHwQ0MDIwMKAuoCyGKmh0\n"
+            + "dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNhMmczLmNybDAdBgNVHQ4E\n"
+            + "FgQUsxKJtalLNbwVAPCA6dh4h/ETfHYwDQYJKoZIhvcNAQELBQADggIBAFGm1Fqp\n"
+            + "RMiKr7a6h707M+km36PVXZnX1NZocCn36MrfRvphotbOCDm+GmRkar9ZMGhc8c/A\n"
+            + "Vn7JSCjwF9jNOFIOUyNLq0w4luk+Pt2YFDbgF8IDdx53xIo8Gv05e9xpTvQYaIto\n"
+            + "qeHbQjGXfSGc91olfX6JUwZlxxbhdJH+rxTFAg0jcbqToJoScWTfXSr1QRcNbSTs\n"
+            + "Y4CPG6oULsnhVvrzgldGSK+DxFi2OKcDsOKkV7W4IGg8Do2L/M588AfBnV8ERzpl\n"
+            + "qgMBBQxC2+0N6RdFHbmZt0HQE/NIg1s0xcjGx1XW3YTOfje31rmAXKHOehm4Bu48\n"
+            + "gr8gePq5cdQ2W9tA0Dnytb9wzH2SyPPIXRI7yNxaX9H8wYeDeeiKSSmQtfh1v5cV\n"
+            + "7RXvm8F6hLJkkco/HOW3dAUwZFcKsUH+1eUJKLN18eDGwB8yGawjHvOKqcfg5Lf/\n"
+            + "TvC7hgcx7pDYaCCaqHaekgUwXbB2Enzqr1fdwoU1c01W5YuQAtAx5wk1bf34Yq/J\n"
+            + "ph7wNXGvo88N0/EfP9AdVGmJzy7VuRXeVAOyjKAIeADMlwpjBRhcbs9m3dkqvoMb\n"
+            + "SXKJxv/hFmNgEOvOlaFsXX1dbKg1v+C1AzKAFdiuAIa62JzASiEhigqNSdqdTsOh\n"
+            + "8W8hdONuKKpe9zKedhBFAvuxhDgKmnySglYc\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvsslicag3-v.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF+DCCA+CgAwIBAgIUE3XHqPhbZc2CY3aRtVHRlQwm3tcwDQYJKoZIhvcNAQEL\n"
+            + "BQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh\n"
+            + "BgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEczMB4XDTE0MTExNDE0MDUz\n"
+            + "MVoXDTE3MTExNDE0MDUxM1oweDELMAkGA1UEBhMCQk0xETAPBgNVBAgTCFBlbWJy\n"
+            + "b2tlMREwDwYDVQQHEwhIYW1pbHRvbjEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRl\n"
+            + "ZDEoMCYGA1UEAxMfcXZzc2xpY2FnMy12LnF1b3ZhZGlzZ2xvYmFsLmNvbTCCASIw\n"
+            + "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK621GAU2/hywjuxi2Q9rCMncWIY\n"
+            + "FbDngS69N6+qe9NUktfs/Rlh+jKUDHyf27G79xYGmDGZ0NTYI7tUyOvRanaq8ngd\n"
+            + "NkZI4DS/Au2vpwuXucrtm3V/XRcsWHAsyevVzfiqfZzu+vU7/2KT/k7sByRzED4x\n"
+            + "B4tMGaodvzIAzhFAmnmVXSUw7zvU07G/6/mfwYy9gwegJwVby/ZPWXefzHbLGDUz\n"
+            + "xtO/6Ow9e5T2hedpo3IgfKptkzy0kA501DNaTMulW1gJwB+1duJ9OxZOAVgGCANX\n"
+            + "IzWvgbONLEdkYGK+K8EAuMaa57WlG0wBZ9Y62iuvgw4XRd90/PS2RAFf/DsCAwEA\n"
+            + "AaOCAaMwggGfMHMGCCsGAQUFBwEBBGcwZTAqBggrBgEFBQcwAYYeaHR0cDovL29j\n"
+            + "c3AucXVvdmFkaXNnbG9iYWwuY29tMDcGCCsGAQUFBzAChitodHRwOi8vdHJ1c3Qu\n"
+            + "cXVvdmFkaXNnbG9iYWwuY29tL3F2c3NsZzMuY3J0MCoGA1UdEQQjMCGCH3F2c3Ns\n"
+            + "aWNhZzMtdi5xdW92YWRpc2dsb2JhbC5jb20wUQYDVR0gBEowSDBGBgwrBgEEAb5Y\n"
+            + "AAJkAQEwNjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5j\n"
+            + "b20vcmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH\n"
+            + "AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFLMSibWpSzW8FQDwgOnYeIfxE3x2MDoG\n"
+            + "A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2\n"
+            + "c3NsZzMuY3JsMB0GA1UdDgQWBBSSYP84MQGz6cU/fyXfebv/8zn93TANBgkqhkiG\n"
+            + "9w0BAQsFAAOCAgEAbqX71QIeoOJ36Aoiwg+oEwdDSRzXkR05kZU2y9qOCArrkgSj\n"
+            + "ycdIRQFjHYNAWJrPP17PErk6+6NDWiwxLXbeHaY7pFIDCsgcCTWpixVlpVPKKxAE\n"
+            + "uaomHo5K2AWWkJYNNPSLF411CmyN4eJjYQVrkCfJwFSUrQml8pFDedNDNuTaDsZo\n"
+            + "klvUDYWM18gFrAbNF4Wi+dvj3qPOpTVyrTk2oBXtVUesNu4JF/O6li10YJ+kdox+\n"
+            + "DUeq4Gk4B8zoWRTKa9Pp/RALI8TeNcfjBKbPtuXyfly1Cm8AXoQA5sus2SMMPQXE\n"
+            + "S1+IsdnnKb60pT1EOX571SIBKV16xpRpbC3mDU6IG/+Sjm0TJxwSGbBO5bX69+bq\n"
+            + "F8Im1QAKqVSYCtoypvieG3iGqHmj4SAaSqdmDDzmOPEtgX63ZmYVs+ey6tN+VThi\n"
+            + "eaLRs+pHeBLMhh7Npt85c+xqRlIFBp0e84EzST0oE7pjuZcFFWstFXD2Pt1JQfXo\n"
+            + "9szkw6EMhYbrgNqsh8lxkg8cZKHnP8KGLefyHajp3EIfC2MX7nUOeNmNoCxdsfBW\n"
+            + "lmzRbv7H7eeAmQYHmxUaRnDMGR6QVX8/NrF1w0hqLkIpDj+29Mvv/Gp2azJrvqrL\n"
+            + "w2bJ2mPD8rzBDmEFY317RWc8VBd8ZUxO/dYPWqsXNwBTdPMRQpYcN55po3g=\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvsslicag3-r.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF+DCCA+CgAwIBAgIUMJWFWsVjz9o3zQoG9bZ/IsdRWDkwDQYJKoZIhvcNAQEL\n"
+            + "BQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh\n"
+            + "BgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEczMB4XDTEyMTExNDEzMTI1\n"
+            + "NFoXDTE0MTExNDEzMTI1NFoweDELMAkGA1UEBhMCQk0xETAPBgNVBAgTCFBlbWJy\n"
+            + "b2tlMREwDwYDVQQHEwhIYW1pbHRvbjEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRl\n"
+            + "ZDEoMCYGA1UEAxMfcXZzc2xpY2FnMy1yLnF1b3ZhZGlzZ2xvYmFsLmNvbTCCASIw\n"
+            + "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALlwpCyabhrQYeRzEn0O7S505Fv4\n"
+            + "ScJlJRHskcyZHBt0vt2tsDJNh2xJKJpnXzW14oGh+xrccEGeUw77qeFgfy+LTIHD\n"
+            + "YDkYVHVhfs4NJD5wdyWL9Fn3A7pMFpapPBPJdsAAwByfzYFjRJsPHMSlGcroyGNm\n"
+            + "+LquU5r965afaRkWQzZy+lY+OHO19Jis8EfUusYj2fQ3SXB8tBwFylDTnbCoM1HZ\n"
+            + "BlbksbtLjFYKtyaNeQuoA7NnB3Q9XEONNK9KZ0S87KIqEKjIWK7ThO6lvhMQy2Zk\n"
+            + "k+UVXVLpop7+Nkz3Fn08pE4OMfLjn1KVnk5l40WGabinfE6hz4vk0XREaKcCAwEA\n"
+            + "AaOCAaMwggGfMHMGCCsGAQUFBwEBBGcwZTAqBggrBgEFBQcwAYYeaHR0cDovL29j\n"
+            + "c3AucXVvdmFkaXNnbG9iYWwuY29tMDcGCCsGAQUFBzAChitodHRwOi8vdHJ1c3Qu\n"
+            + "cXVvdmFkaXNnbG9iYWwuY29tL3F2c3NsZzMuY3J0MCoGA1UdEQQjMCGCH3F2c3Ns\n"
+            + "aWNhZzMtci5xdW92YWRpc2dsb2JhbC5jb20wUQYDVR0gBEowSDBGBgwrBgEEAb5Y\n"
+            + "AAJkAQEwNjA0BggrBgEFBQcCARYoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5j\n"
+            + "b20vcmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH\n"
+            + "AwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFLMSibWpSzW8FQDwgOnYeIfxE3x2MDoG\n"
+            + "A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2\n"
+            + "c3NsZzMuY3JsMB0GA1UdDgQWBBSS2t3Itp/XsAppEeGyH+Ew8vEQ0zANBgkqhkiG\n"
+            + "9w0BAQsFAAOCAgEAo8MJ2ek95Cs3chn1ecEMdGkUANnCBmgdvQjFt6XVLzYWs37n\n"
+            + "j6Ac/nGj+Tzb30nTVdE2laRuTeLuGfYmd1AdBLHuRhWYG6A6jnlzqhmDRL3fvRYk\n"
+            + "wjeWQn6Kx/lOoWC1xOa2EJYOWDr/rUY2PKo9rSVdGKmU6NFI/+FOFLaUD8tU77Qq\n"
+            + "p9rfOYJwekckA2I2891lTRbnJfQhPD8mQjttd+nS46RwZxxAI5Pr6Jcr+BG3ARP5\n"
+            + "oM/ifTCLXCc4L/0nozUDSweU17TCuFXWGEpIXbOVmE3kpmHaVe1FRQ0PUr2XHCbJ\n"
+            + "H1vumQcJmOaUxiB4EzP+M+HnKg6rwhWlfgQEAnCcKkMF5ei1NAaHCwhRMC7ijJFA\n"
+            + "Wt7s0/PpP2tChU7uXctMk2d36Dpibyn6Rc5a/QJX444ZRFEGrSe4nO/MXt3iEcat\n"
+            + "fgYHOWoBunLIm7x/fd611xvyhifjqKVCPpqodpwFrXOlCQhXehhRvJSPDXWgDJeR\n"
+            + "cDLLIcit4Sn1uyebQcZafaxgYPWpaYHFd7dzkO+kTVqOVAm7LukC5QQ9qFY1z7a5\n"
+            + "IDUAFtEYg/c4XxX+pReOxydnnHeYZBrfRTTxOfMrg6dxsb1QcOeElXHgXRpHyiMh\n"
+            + "XYsZWE2WHT7of4wMfNzCUrVSN0tCGDRW0MI48RM4BYbRnz3YNKafjnszeXI=\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        if (ocspEnabled) {
+            // Revoked certificates are expired in Nov 2014
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("Jan 01, 2014");
+        }
+
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Fri Jan 04 03:49:46 PST 2013", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
+
+class RootCA3 {
+
+    // wner: CN=QuoVadis Issuing CA 3 G3, O=QuoVadis Limited, C=BM
+    private static final String INT = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIGFTCCA/2gAwIBAgIUHZxbikClihb+1PM2ck0SDEZ8/dIwDQYJKoZIhvcNAQEL\n"
+            + "BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc\n"
+            + "BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMyBHMzAeFw0xMjExMDYxODM5MDVaFw0y\n"
+            + "MjExMDYxODM5MDVaMEsxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM\n"
+            + "aW1pdGVkMSEwHwYDVQQDExhRdW9WYWRpcyBJc3N1aW5nIENBIDMgRzMwggIiMA0G\n"
+            + "CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCs6x3rpBdA1tTXgPYNjL1MKHuoDyb9\n"
+            + "d4mxxk41t5Cvo3BnS0/cBlRIl91oqu3Iv9goVCMStla+GW9iRdX/53jYM1rXePDa\n"
+            + "OnE/MJNLcVjmABZmEUtpzxUYLftwGEg1w/Wgi6z68vqZn7vbHJtFV8inlMIsdBVY\n"
+            + "o3VmU9h+pGZU8JrF8x8U3voX4vm56OBCAM/1osUGXsVL2AY3z2Gjyb1Hv6fqHma7\n"
+            + "PWrWV1hYS/EAnRUPO8iQqJwrbT/j7Mlo3khULV+T02M+oqs1ckIihl38n1eGvYcp\n"
+            + "z40cceA2Ej5aglyF9i+ypA4XnxKF3f+6vvEYRPCMQB8Hiwuyy6naj6lPoLZ+nolT\n"
+            + "t++xSkZ5imAoTXewA9JxyGCdiO9G4sZFIy4jjW7HBmKx6pZy3wWf48eawXPIpjop\n"
+            + "EC+Kayf3foeyq40CAOjysVkblhUBawvVjAqKJ5aoKD4Ghnv02jdVvI4W7ME/fYYb\n"
+            + "gm+XD7KJv4gHks+SIV93eXiUhYHvofJ3AG/1kp1p4tvIKCUtm2LCihmp53n9uLGA\n"
+            + "NvizEnkuQmwlXtqOquKDluwSpHVFPxePMdRICUOnoZBdHv6f3LQCOU7AczRJYh8+\n"
+            + "WYSKQy675/Itucgd+ABfY1H07F4FisCP75j8YknBdv4nfQsb0RcTg2P89dJNwAhL\n"
+            + "rpk452WD4LuvsQIDAQABo4HzMIHwMBIGA1UdEwEB/wQIMAYBAf8CAQEwEQYDVR0g\n"
+            + "BAowCDAGBgRVHSAAMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDov\n"
+            + "L29jc3AucXVvdmFkaXNnbG9iYWwuY29tMA4GA1UdDwEB/wQEAwIBBjAfBgNVHSME\n"
+            + "GDAWgBTGF9C8qOoCQ/IbBpldK5Agudec5DA7BgNVHR8ENDAyMDCgLqAshipodHRw\n"
+            + "Oi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdnJjYTNnMy5jcmwwHQYDVR0OBBYE\n"
+            + "FBPyQfSNOURHBZ37q8ZaNQwelu9eMA0GCSqGSIb3DQEBCwUAA4ICAQAsbJU89ZB9\n"
+            + "1XVlOLmw8MaoWwOgI3DwM/g30YyIV1SERtDMKDOUnLVGTORTGv7Y8X789nGkMbKq\n"
+            + "OEEa9Hty4jwyTnt2OISpCAb4GwBtH+FxNcLkJwZU2qtpTX8zDndofE/JLGo0rte5\n"
+            + "bKchF2JTg+oby/Wpu2IO0CMd1phou3LLi8sWQGcY/f5vk+MUDnskH6NRXte4m8HW\n"
+            + "FtYb7nOgLzY5FOJDtQuUFFioNoQzUHuj3SpUjIBxXf4VRFXz+FKIQ4jqzD/SnHG6\n"
+            + "/7g/28x66LNpYjvaQ0T45EqxqPDCztfJO67GsNLXeSKq+BteqXcnKI77ZkqmwnWl\n"
+            + "cYt5qek0GBYRYVOM8dUIvDryWHZIEqbeI0DAu06dyPuvIJNQ6WweqxJ+hH++BqGh\n"
+            + "P4bViNNuP/Lqarb1RP7JiJW3wlyIUDD34JLzkusBgU++ptdYg1o0VnEB8KWDG8Of\n"
+            + "cABL+TMoUldUp9DFFgFJIfnPX5XjXyG9mw2wwiUvClo93qFvC8+rhEGeZFd29rKi\n"
+            + "dmmCc8FaCfBV9XdHHx/0ORTQp3HxnRDDiz+MN7p1Y4SXbHE3XXyQAUVTISGpPe3X\n"
+            + "TUhmoARNmBBPALDm3EAvEBikTUMBFGR63wtu0pjA2cF5nvOyY8mBSsNk0R6+ZJSl\n"
+            + "Cok3lH5oBM2H+KBk+sNZIBQ8BHcgbwlghg==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvica3g3-v.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String VALID = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF9DCCA9ygAwIBAgIUTkK7g7zoijtiLY/YV9ASX+pEsx0wDQYJKoZIhvcNAQEL\n"
+            + "BQAwSzELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxITAf\n"
+            + "BgNVBAMTGFF1b1ZhZGlzIElzc3VpbmcgQ0EgMyBHMzAeFw0xNDExMTQxNDA1NTJa\n"
+            + "Fw0xNzExMTQxNDA1MzhaMHYxCzAJBgNVBAYTAkJNMREwDwYDVQQIEwhQZW1icm9r\n"
+            + "ZTERMA8GA1UEBxMISGFtaWx0b24xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQx\n"
+            + "JjAkBgNVBAMTHXF2aWNhM2czLXYucXVvdmFkaXNnbG9iYWwuY29tMIIBIjANBgkq\n"
+            + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAosZjGbZtvAM45zdlTtT+uL12F5nebQrE\n"
+            + "F9Fb8z1uhRJKgXAfjlfsMIjv7Xc7F80Li39yO0CmWHTMJS41auktW8IGVEkVV2og\n"
+            + "EL7SKLjtgDJ1I3HAX02hfuOW0b/jkfPEcqTeZVE5Xew/HTAuTJMTqCEHM5hFieWL\n"
+            + "tADPm7kANu5q6HaFXndKN/k1ozZXQn9YNTpDvvH6oD0Kqn/Peezi+C+6asTMSCk0\n"
+            + "Xoi2TBHNi9dl2tfb6hu+T5VFwFsC9dGqYt07V8TbvKRAVV0MC8DnXnS89quFVmPS\n"
+            + "I3ZSKeU4dlp8FzmTrd5nk3y9GL8GTkCsSN3RZbeAbLCpzcG5weS3GQIDAQABo4IB\n"
+            + "ozCCAZ8wdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x\n"
+            + "dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92\n"
+            + "YWRpc2dsb2JhbC5jb20vcXZpY2EzZzMuY3J0MCgGA1UdEQQhMB+CHXF2aWNhM2cz\n"
+            + "LXYucXVvdmFkaXNnbG9iYWwuY29tMFEGA1UdIARKMEgwRgYMKwYBBAG+WAACZAEB\n"
+            + "MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL3Jl\n"
+            + "cG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr\n"
+            + "BgEFBQcDAjAfBgNVHSMEGDAWgBQT8kH0jTlERwWd+6vGWjUMHpbvXjA7BgNVHR8E\n"
+            + "NDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdmljYTNn\n"
+            + "My5jcmwwHQYDVR0OBBYEFINCE86z3wESNeL4rz3eiaYA5LIWMA0GCSqGSIb3DQEB\n"
+            + "CwUAA4ICAQBPe+Y5xDGZLYaVNOxxiyqFZrntGJGGQW1w4GtEfkH9oD8WGs5kBhMM\n"
+            + "/XPGqw2FzzrvA5GfSdh+EMuXUfJY933AxwPcNfwGHzYGAHIDFsW17y5ZdKfBMN4Y\n"
+            + "82e13iSfHQrbI0P6l8IIExfCw4HC8PxuEalg6H9fj9/1Q7mzdpwT3uG/HP6Dr2z+\n"
+            + "PGYFMaH77MsOjfANT8UIdo5SAyXiJI5Y0cyKjuXhR6eJEKwNfri27UaV5cJJuV7I\n"
+            + "fRcjb0h0Grr6gpKFb7JnhDZVGR3fDHTzuybuCqZk9TYKQ2sn1YfBFDqDpWODpykt\n"
+            + "vyFO7eugpvSUgdTKRMPCtyppYgo2RwIsMmLrU4wPzdnPi8oo+cM0f5zXrmrkOLY0\n"
+            + "PZo+K8QT/SrNT+9yZnHupLy01aYGJ4RJ047Wthr7a9S6i6DxbQ+ps4Ajh0X1bvOK\n"
+            + "KCEKq5aoivYQMLn8pjudiMjbnKU4mgpmZK15D6lLmAprW3L6F8AEBJsK1BunPWhJ\n"
+            + "nkQUyBnFgq2epmDfZ4f6SztNoLfDbatYNRb2KJfW1lks7UHDjuZ4PM20KkmmFJEE\n"
+            + "LKR76WJzKi/+aks/csdFD7+/TMXrkY+JWlT4mCoHR1ol0m3DiqApKvRFZkMARfJq\n"
+            + "npjt2cXyzDnguyQuLrHhdkKW+/LYeNckmVX+cPIxShLbuVhqMgdnWg==\n"
+            + "-----END CERTIFICATE-----";
+
+    // Owner: CN=qvica3g3-r.quovadisglobal.com, O=QuoVadis Limited, L=Hamilton,
+    // ST=Pembroke, C=BM
+    private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n"
+            + "MIIF9DCCA9ygAwIBAgIUSTXTLsMPxg4n9YY6GASBcJsgcaEwDQYJKoZIhvcNAQEL\n"
+            + "BQAwSzELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxITAf\n"
+            + "BgNVBAMTGFF1b1ZhZGlzIElzc3VpbmcgQ0EgMyBHMzAeFw0xMjExMTQxMzQ4MTda\n"
+            + "Fw0xNDExMTQxMzQ4MTdaMHYxCzAJBgNVBAYTAkJNMREwDwYDVQQIEwhQZW1icm9r\n"
+            + "ZTERMA8GA1UEBxMISGFtaWx0b24xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQx\n"
+            + "JjAkBgNVBAMTHXF2aWNhM2czLXIucXVvdmFkaXNnbG9iYWwuY29tMIIBIjANBgkq\n"
+            + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtaZUVAvasDtoFhZqL2fH+rI/IKeY0zj7\n"
+            + "hGuYpLlT32JZX8cmkWUywZt6VxA8A5o82Ay0xT9vHy4MPnmmZExEvmkaECBmOh6+\n"
+            + "WzWydYGKeeheUERJ1hLj2T7MKz/CCFY6NxD9XzvYOyhDpCUQKCOx4LMn0nMFrXrS\n"
+            + "6IVirDUmH26dpl3IfsdVXyn6N3wLSNf+UX7in/PXsfD/A6RVtqYsfx4fxFJIPIhv\n"
+            + "XG/cDOVIyfq6Oo1hthzGm8cnOSjvK/UfQV5iVBK68rqoGG+r9uBG9BfZtd7o0wrf\n"
+            + "SSJkJAPJVpWTLvnD8RYpJIBz01vNgEOCEgF54bvjhBOjx15mrH7roQIDAQABo4IB\n"
+            + "ozCCAZ8wdAYIKwYBBQUHAQEEaDBmMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5x\n"
+            + "dW92YWRpc2dsb2JhbC5jb20wOAYIKwYBBQUHMAKGLGh0dHA6Ly90cnVzdC5xdW92\n"
+            + "YWRpc2dsb2JhbC5jb20vcXZpY2EzZzMuY3J0MCgGA1UdEQQhMB+CHXF2aWNhM2cz\n"
+            + "LXIucXVvdmFkaXNnbG9iYWwuY29tMFEGA1UdIARKMEgwRgYMKwYBBAG+WAACZAEB\n"
+            + "MDYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL3Jl\n"
+            + "cG9zaXRvcnkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr\n"
+            + "BgEFBQcDAjAfBgNVHSMEGDAWgBQT8kH0jTlERwWd+6vGWjUMHpbvXjA7BgNVHR8E\n"
+            + "NDAyMDCgLqAshipodHRwOi8vY3JsLnF1b3ZhZGlzZ2xvYmFsLmNvbS9xdmljYTNn\n"
+            + "My5jcmwwHQYDVR0OBBYEFLnaKDrPemoRtOZaUReSV5rWp3OoMA0GCSqGSIb3DQEB\n"
+            + "CwUAA4ICAQA+B+R1TDmE4jC6itHBMPgqRoETJxtTdKyp6/egk5My4MATXRCSrStA\n"
+            + "gp1c86hljmlN2gq05HKlAz9cC4W80pypJGfEbhYIi9B4Jxdo6zJNJqcFz3zj/otx\n"
+            + "hvZ2nOO5qqEupAP8aHju0LhUlkcFQlbqaA+IiuQUh0VFQxk8LwkKEA8oIib7wLie\n"
+            + "P1zBMXeRyDM5CnFWQmIFKXR4+9f51Dfv40Gy2RKQT7I8oXuADhrG9iXFJPXz4yYK\n"
+            + "LazlDjnn0wv4vB9BmlcVdM2HPYqIPdvWBtPxT9vpNYHnB9Dq/zGqKJNUh8I4jB9k\n"
+            + "8iQYJgoj62mQW2o1fObkVwrGgglAyzUzUzJfJyy9OEECjLY5o/9TJAKBAnewJ5B9\n"
+            + "PagYo+klH937s2MOLqzl/uvbjXUBBvql1UU/lb8tSK9xCaXMEDhgiVricr13k32y\n"
+            + "XmUcA/im96CI5cF5i4xHMnqprzPehFB/Mmi6g2tpiE0bmLkYj7MMJcmtUowa3FqA\n"
+            + "QHtqKrK8wOfHep6qPx6VMD6Ypaf6yq66/kkSg05i6VO7V371UTibHeVLTr7LPRQJ\n"
+            + "Emp8k/6qCXOtf5OdXwHBIDqvszf8ry85Rl3q813TntF0pPRvqLEYadC4Bwq7Snf+\n"
+            + "PR0MPNhuwZBCmxZcyZqhVG2PyvvEmhPxhEdbO5DWUFwUP17WHNlgeQ==\n"
+            + "-----END CERTIFICATE-----";
+
+    public void runTest(ValidatePathWithParams pathValidator, boolean ocspEnabled)
+            throws Exception {
+        // Validate valid
+        pathValidator.validate(new String[]{VALID, INT},
+                ValidatePathWithParams.Status.GOOD, null, System.out);
+
+        // Validate Revoked
+        if (ocspEnabled) {
+            // Revoked certificates are expired in Nov 2014
+            // and backdated revocation check is only possible with OCSP
+            pathValidator.setValidationDate("Jan 01, 2014");
+        }
+
+        pathValidator.validate(new String[]{REVOKED, INT},
+                ValidatePathWithParams.Status.REVOKED,
+                "Thu Jan 03 23:47:02 PST 2013", System.out);
+
+        // reset validation date back to current date
+        pathValidator.resetValidationDate();
+    }
+}
diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
new file mode 100644
index 0000000000..8572340121
--- /dev/null
+++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/ValidatePathWithParams.java
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateRevokedException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.PKIXRevocationChecker;
+import java.security.cert.X509Certificate;
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.EnumSet;
+import java.util.Locale;
+
+/**
+ * Utility class to validate certificate path. It supports OCSP and/or CRL
+ * validation.
+ */
+public class ValidatePathWithParams {
+
+    private static final String FS = System.getProperty("file.separator");
+    private static final String CACERTS_STORE = System.getProperty("test.jdk")
+            + FS + "lib" + FS + "security" + FS + "cacerts";
+
+    private final String[] trustedRootCerts;
+
+    // use this for expired cert validation
+    private Date validationDate = null;
+
+    // expected certificate status
+    private Status expectedStatus = Status.UNKNOWN;
+    private Date expectedRevDate = null;
+
+    private final CertPathValidator certPathValidator;
+    private final PKIXRevocationChecker certPathChecker;
+    private final CertificateFactory cf;
+
+    /**
+     * Possible status values supported for EE certificate
+     */
+    public static enum Status {
+        UNKNOWN, GOOD, REVOKED, EXPIRED;
+    }
+
+    /**
+     * Constructor
+     *
+     * @param additionalTrustRoots trusted root certificates
+     * @throws IOException
+     * @throws CertificateException
+     * @throws NoSuchAlgorithmException
+     */
+    public ValidatePathWithParams(String[] additionalTrustRoots)
+            throws IOException, CertificateException, NoSuchAlgorithmException {
+
+        cf = CertificateFactory.getInstance("X509");
+        certPathValidator = CertPathValidator.getInstance("PKIX");
+        certPathChecker
+                = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
+
+        if ((additionalTrustRoots == null) || (additionalTrustRoots[0] == null)) {
+            trustedRootCerts = null;
+        } else {
+            trustedRootCerts = additionalTrustRoots.clone();
+        }
+    }
+
+    /**
+     * Validate certificates
+     *
+     * @param certsToValidate Certificates to validate
+     * @param st expected certificate status
+     * @param revDate if revoked, expected revocation date
+     * @param out PrintStream to log messages
+     * @throws IOException
+     * @throws CertificateException
+     * @throws InvalidAlgorithmParameterException
+     * @throws ParseException
+     * @throws NoSuchAlgorithmException
+     * @throws KeyStoreException
+     */
+    public void validate(String[] certsToValidate,
+            Status st,
+            String revDate,
+            PrintStream out)
+            throws IOException, CertificateException,
+            InvalidAlgorithmParameterException, ParseException,
+            NoSuchAlgorithmException, KeyStoreException {
+
+        expectedStatus = st;
+        if (expectedStatus == Status.REVOKED) {
+            if (revDate != null) {
+                expectedRevDate = new SimpleDateFormat("EEE MMM dd HH:mm:ss Z yyyy",
+                        Locale.US).parse(revDate);
+            }
+        }
+
+        Status certStatus = null;
+        Date revocationDate = null;
+
+        logSettings(out);
+
+        try {
+            doCertPathValidate(certsToValidate, out);
+            certStatus = Status.GOOD;
+        } catch (IOException ioe) {
+            // Some machines don't have network setup correctly to be able to
+            // reach outside world, skip such failures
+            out.println("WARNING: Network setup issue, skip this test");
+            ioe.printStackTrace(System.err);
+            return;
+        } catch (CertPathValidatorException cpve) {
+            out.println("Received exception: " + cpve);
+
+            if (cpve.getCause() instanceof IOException) {
+                out.println("WARNING: CertPathValidatorException caused by IO"
+                        + " error, skip this test");
+                return;
+            }
+
+            if (cpve.getReason() == CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED) {
+                out.println("WARNING: CertPathValidatorException caused by"
+                        + " restricted algorithm, skip this test");
+                return;
+            }
+
+            if (cpve.getReason() == CertPathValidatorException.BasicReason.REVOKED
+                    || cpve.getCause() instanceof CertificateRevokedException) {
+                certStatus = Status.REVOKED;
+                if (cpve.getCause() instanceof CertificateRevokedException) {
+                    CertificateRevokedException cre
+                            = (CertificateRevokedException) cpve.getCause();
+                    revocationDate = cre.getRevocationDate();
+                }
+            } else if (cpve.getReason() == CertPathValidatorException.BasicReason.EXPIRED
+                    || cpve.getCause() instanceof CertificateExpiredException) {
+                certStatus = Status.EXPIRED;
+            } else {
+                throw new RuntimeException(
+                        "TEST FAILED: couldn't determine EE certificate status");
+            }
+        }
+
+        out.println("Expected Certificate status: " + expectedStatus);
+        out.println("Certificate status after validation: " + certStatus.name());
+
+        // Don't want test to fail in case certificate is expired when not expected
+        // Simply skip the test.
+        if (expectedStatus != Status.EXPIRED && certStatus == Status.EXPIRED) {
+            out.println("WARNING: Certificate expired, skip the test");
+            return;
+        }
+
+        if (certStatus != expectedStatus) {
+            throw new RuntimeException(
+                    "TEST FAILED: unexpected status of EE certificate");
+        }
+
+        if (certStatus == Status.REVOKED) {
+            // Check revocation date
+            if (revocationDate != null) {
+                out.println(
+                        "Certificate revocation date:" + revocationDate.toString());
+                if (expectedRevDate != null) {
+                    out.println(
+                            "Expected revocation date:" + expectedRevDate.toString());
+                    if (!expectedRevDate.equals(revocationDate)) {
+                        throw new RuntimeException(
+                                "TEST FAILED: unexpected revocation date");
+                    }
+                }
+            } else {
+                throw new RuntimeException("TEST FAILED: no revocation date");
+            }
+        }
+    }
+
+    private void logSettings(PrintStream out) {
+        out.println();
+        out.println("=====================================================");
+        out.println("CONFIGURATION");
+        out.println("=====================================================");
+        out.println("http.proxyHost :" + System.getProperty("http.proxyHost"));
+        out.println("http.proxyPort :" + System.getProperty("http.proxyPort"));
+        out.println("https.proxyHost :" + System.getProperty("https.proxyHost"));
+        out.println("https.proxyPort :" + System.getProperty("https.proxyPort"));
+        out.println("https.socksProxyHost :"
+                + System.getProperty("https.socksProxyHost"));
+        out.println("https.socksProxyPort :"
+                + System.getProperty("https.socksProxyPort"));
+        out.println("jdk.certpath.disabledAlgorithms :"
+                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
+        out.println("Revocation options :" + certPathChecker.getOptions());
+        out.println("OCSP responder set :" + certPathChecker.getOcspResponder());
+        out.println("Trusted root set: " + (trustedRootCerts != null));
+
+        if (validationDate != null) {
+            out.println("Validation Date:" + validationDate.toString());
+        }
+        out.println("Expected EE Status:" + expectedStatus.name());
+        if (expectedStatus == Status.REVOKED && expectedRevDate != null) {
+            out.println(
+                    "Expected EE Revocation Date:" + expectedRevDate.toString());
+        }
+        out.println("=====================================================");
+    }
+
+    private void doCertPathValidate(String[] certsToValidate, PrintStream out)
+            throws IOException, CertificateException,
+            InvalidAlgorithmParameterException, ParseException,
+            NoSuchAlgorithmException, CertPathValidatorException, KeyStoreException {
+
+        if (certsToValidate == null) {
+            throw new RuntimeException("Require atleast one cert to validate");
+        }
+
+        // Generate CertPath with certsToValidate
+        ArrayList certs = new ArrayList();
+        for (String cert : certsToValidate) {
+            if (cert != null) {
+                certs.add(getCertificate(cert));
+            }
+        }
+        CertPath certPath = (CertPath) cf.generateCertPath(certs);
+
+        // Set cacerts as anchor
+        KeyStore cacerts = KeyStore.getInstance("JKS");
+        try (FileInputStream fis = new FileInputStream(CACERTS_STORE)) {
+            cacerts.load(fis, "changeit".toCharArray());
+        } catch (IOException | NoSuchAlgorithmException | CertificateException ex) {
+            throw new RuntimeException(ex);
+        }
+
+        // Set additional trust certificates
+        if (trustedRootCerts != null) {
+            for (int i = 0; i < trustedRootCerts.length; i++) {
+                X509Certificate rootCACert = getCertificate(trustedRootCerts[i]);
+                cacerts.setCertificateEntry("tempca" + i, rootCACert);
+            }
+        }
+
+        PKIXParameters params;
+        params = new PKIXParameters(cacerts);
+        params.addCertPathChecker(certPathChecker);
+
+        // Set backdated validation if requested, if null, current date is set
+        params.setDate(validationDate);
+
+        // Validate
+        certPathValidator.validate(certPath, params);
+        out.println("Successful CertPath validation");
+    }
+
+    private X509Certificate getCertificate(String encodedCert)
+            throws IOException, CertificateException {
+        ByteArrayInputStream is
+                = new ByteArrayInputStream(encodedCert.getBytes());
+        X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
+        return cert;
+    }
+
+    /**
+     * Set list of disabled algorithms
+     *
+     * @param algos algorithms to disable
+     */
+    public static void setDisabledAlgorithms(String algos) {
+        Security.setProperty("jdk.certpath.disabledAlgorithms", algos);
+    }
+
+    /**
+     * Enable OCSP only revocation checks, treat network error as success
+     */
+    public void enableOCSPCheck() {
+        // OCSP is by default, disable fallback to CRL
+        certPathChecker.setOptions(EnumSet.of(
+                PKIXRevocationChecker.Option.NO_FALLBACK));
+    }
+
+    /**
+     * Enable CRL only revocation check, treat network error as success
+     */
+    public void enableCRLCheck() {
+        certPathChecker.setOptions(EnumSet.of(
+                PKIXRevocationChecker.Option.PREFER_CRLS,
+                PKIXRevocationChecker.Option.NO_FALLBACK));
+    }
+
+    /**
+     * Overrides OCSP responder URL in AIA extension of certificate
+     *
+     * @param url OCSP responder
+     * @throws URISyntaxException
+     */
+    public void setOCSPResponderURL(String url) throws URISyntaxException {
+        certPathChecker.setOcspResponder(new URI(url));
+    }
+
+    /**
+     * Set validation date for EE certificate
+     *
+     * @param vDate string formatted date
+     * @throws ParseException if vDate is incorrect
+     */
+    public void setValidationDate(String vDate) throws ParseException {
+        validationDate = DateFormat.getDateInstance(DateFormat.MEDIUM,
+                Locale.US).parse(vDate);
+    }
+
+    /**
+     * Reset validation date for EE certificate to current date
+     */
+    public void resetValidationDate() {
+        validationDate = null;
+    }
+}

From 09a0bd358609b303beac3d8279e4d00af64a8c3f Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 11 Dec 2017 19:19:30 +0100
Subject: [PATCH 249/269] 8193208: Add missing file

Reviewed-by: asaha, tbell
---
 jdk/ADDITIONAL_LICENSE_INFO      | 37 ++++++++++++++++++++++++++++++++
 jdk/make/copy/Copy-java.base.gmk |  3 ++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 jdk/ADDITIONAL_LICENSE_INFO

diff --git a/jdk/ADDITIONAL_LICENSE_INFO b/jdk/ADDITIONAL_LICENSE_INFO
new file mode 100644
index 0000000000..ff700cd09f
--- /dev/null
+++ b/jdk/ADDITIONAL_LICENSE_INFO
@@ -0,0 +1,37 @@
+                      ADDITIONAL INFORMATION ABOUT LICENSING
+
+Certain files distributed by Oracle America, Inc. and/or its affiliates are 
+subject to the following clarification and special exception to the GPLv2, 
+based on the GNU Project exception for its Classpath libraries, known as the 
+GNU Classpath Exception.
+
+Note that Oracle includes multiple, independent programs in this software 
+package.  Some of those programs are provided under licenses deemed 
+incompatible with the GPLv2 by the Free Software Foundation and others. 
+For example, the package includes programs licensed under the Apache 
+License, Version 2.0 and may include FreeType. Such programs are licensed 
+to you under their original licenses. 
+
+Oracle facilitates your further distribution of this package by adding the 
+Classpath Exception to the necessary parts of its GPLv2 code, which permits 
+you to use that code in combination with other independent modules not 
+licensed under the GPLv2. However, note that this would not permit you to 
+commingle code under an incompatible license with Oracle's GPLv2 licensed 
+code by, for example, cutting and pasting such code into a file also 
+containing Oracle's GPLv2 licensed code and then distributing the result. 
+
+Additionally, if you were to remove the Classpath Exception from any of the 
+files to which it applies and distribute the result, you would likely be 
+required to license some or all of the other code in that distribution under 
+the GPLv2 as well, and since the GPLv2 is incompatible with the license terms 
+of some items included in the distribution by Oracle, removing the Classpath 
+Exception could therefore effectively compromise your ability to further 
+distribute the package. 
+
+Failing to distribute notices associated with some files may also create 
+unexpected legal consequences.
+ 
+Proceed with caution and we recommend that you obtain the advice of a lawyer 
+skilled in open source matters before removing the Classpath Exception or 
+making modifications to this package which may subsequently be redistributed 
+and/or involve the use of third party software.
diff --git a/jdk/make/copy/Copy-java.base.gmk b/jdk/make/copy/Copy-java.base.gmk
index 0176490418..ac66c3cbb5 100644
--- a/jdk/make/copy/Copy-java.base.gmk
+++ b/jdk/make/copy/Copy-java.base.gmk
@@ -239,9 +239,10 @@ endif
 # different license.
 JDK_LICENSE ?= $(wildcard $(TOPDIR)/LICENSE)
 JDK_NOTICE  ?= $(wildcard $(TOPDIR)/ASSEMBLY_EXCEPTION)
+JDK_ADDITIONAL_LICENSE_INFO ?= $(wildcard $(TOPDIR)/ADDITIONAL_LICENSE_INFO)
 
 $(eval $(call SetupCopyFiles, COPY_JDK_NOTICES, \
-    FILES := $(JDK_LICENSE) $(JDK_NOTICE), \
+    FILES := $(JDK_LICENSE) $(JDK_NOTICE) $(JDK_ADDITIONAL_LICENSE_INFO), \
     DEST := $(LEGAL_DST_DIR), \
     FLATTEN := true, \
 ))

From 24c2daa6c36f63948e04c067a29f535bb70e9830 Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan 
Date: Tue, 28 Nov 2017 22:58:10 +0000
Subject: [PATCH 250/269] 8148421: Transport Layer Security (TLS) Session Hash
 and Extended Master Secret Extension

Co-authored-by: Martin Balao 
Reviewed-by: jnimeh, ahgross, rhalade, wetmore
---
 .../com/sun/crypto/provider/SunJCE.java       |   4 +-
 .../provider/TlsMasterSecretGenerator.java    |  31 +++--
 .../sun/crypto/provider/TlsPrfGenerator.java  |   7 +-
 .../spec/TlsMasterSecretParameterSpec.java    |  61 ++++++++-
 .../sun/security/ssl/ClientHandshaker.java    | 116 ++++++++++++++++--
 .../ssl/ExtendedMasterSecretExtension.java    |  70 +++++++++++
 .../sun/security/ssl/ExtensionType.java       |   6 +-
 .../sun/security/ssl/HandshakeMessage.java    |   6 +-
 .../classes/sun/security/ssl/Handshaker.java  |  77 ++++++++++--
 .../sun/security/ssl/HelloExtensions.java     |   2 +
 .../sun/security/ssl/SSLSessionImpl.java      |  19 ++-
 .../sun/security/ssl/ServerHandshaker.java    |  70 ++++++++++-
 .../net/ssl/DTLS/NoMacInitialClientHello.java |   3 +-
 .../ssl/DHKeyExchange/DHEKeySizing.java       |  36 +++---
 .../ssl/ExtensionType/OptimalListSize.java    |   4 +-
 15 files changed, 448 insertions(+), 64 deletions(-)
 create mode 100644 jdk/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java

diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
index e44a8476dc..3e681a5728 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -769,6 +769,8 @@ public final class SunJCE extends Provider {
                         "com.sun.crypto.provider.TlsMasterSecretGenerator");
                     put("Alg.Alias.KeyGenerator.SunTls12MasterSecret",
                         "SunTlsMasterSecret");
+                    put("Alg.Alias.KeyGenerator.SunTlsExtendedMasterSecret",
+                        "SunTlsMasterSecret");
 
                     put("KeyGenerator.SunTlsKeyMaterial",
                         "com.sun.crypto.provider.TlsKeyMaterialGenerator");
diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
index c772396e99..fda0828f6d 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -102,21 +102,32 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
 
         try {
             byte[] master;
-            byte[] clientRandom = spec.getClientRandom();
-            byte[] serverRandom = spec.getServerRandom();
-
             if (protocolVersion >= 0x0301) {
-                byte[] seed = concat(clientRandom, serverRandom);
+                byte[] label;
+                byte[] seed;
+                byte[] extendedMasterSecretSessionHash =
+                        spec.getExtendedMasterSecretSessionHash();
+                if (extendedMasterSecretSessionHash.length != 0) {
+                    label = LABEL_EXTENDED_MASTER_SECRET;
+                    seed = extendedMasterSecretSessionHash;
+                } else {
+                    byte[] clientRandom = spec.getClientRandom();
+                    byte[] serverRandom = spec.getServerRandom();
+                    label = LABEL_MASTER_SECRET;
+                    seed = concat(clientRandom, serverRandom);
+                }
                 master = ((protocolVersion >= 0x0303) ?
-                    doTLS12PRF(premaster, LABEL_MASTER_SECRET, seed, 48,
-                        spec.getPRFHashAlg(), spec.getPRFHashLength(),
-                        spec.getPRFBlockSize()) :
-                    doTLS10PRF(premaster, LABEL_MASTER_SECRET, seed, 48));
+                        doTLS12PRF(premaster, label, seed, 48,
+                                spec.getPRFHashAlg(), spec.getPRFHashLength(),
+                                spec.getPRFBlockSize()) :
+                        doTLS10PRF(premaster, label, seed, 48));
             } else {
                 master = new byte[48];
                 MessageDigest md5 = MessageDigest.getInstance("MD5");
                 MessageDigest sha = MessageDigest.getInstance("SHA");
 
+                byte[] clientRandom = spec.getClientRandom();
+                byte[] serverRandom = spec.getServerRandom();
                 byte[] tmp = new byte[20];
                 for (int i = 0; i < 3; i++) {
                     sha.update(SSL3_CONST[i]);
@@ -175,5 +186,5 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
         }
 
     }
-
 }
+
diff --git a/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java b/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
index 90cde7c6bf..2f945361c3 100644
--- a/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
+++ b/jdk/src/java.base/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -55,6 +55,11 @@ abstract class TlsPrfGenerator extends KeyGeneratorSpi {
     static final byte[] LABEL_MASTER_SECRET = // "master secret"
         { 109, 97, 115, 116, 101, 114, 32, 115, 101, 99, 114, 101, 116 };
 
+    static final byte[] LABEL_EXTENDED_MASTER_SECRET =
+                                            // "extended master secret"
+        { 101, 120, 116, 101, 110, 100, 101, 100, 32, 109, 97, 115, 116,
+          101, 114, 32, 115, 101, 99, 114, 101, 116 };
+
     static final byte[] LABEL_KEY_EXPANSION = // "key expansion"
         { 107, 101, 121, 32, 101, 120, 112, 97, 110, 115, 105, 111, 110 };
 
diff --git a/jdk/src/java.base/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java b/jdk/src/java.base/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
index 832b38edd7..e563360481 100644
--- a/jdk/src/java.base/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
+++ b/jdk/src/java.base/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,6 +48,7 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
     private final SecretKey premasterSecret;
     private final int majorVersion, minorVersion;
     private final byte[] clientRandom, serverRandom;
+    private final byte[] extendedMasterSecretSessionHash;
     private final String prfHashAlg;
     private final int prfHashLength;
     private final int prfBlockSize;
@@ -80,6 +81,50 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
             int majorVersion, int minorVersion,
             byte[] clientRandom, byte[] serverRandom,
             String prfHashAlg, int prfHashLength, int prfBlockSize) {
+        this(premasterSecret, majorVersion, minorVersion,
+                clientRandom, serverRandom,
+                new byte[0],
+                prfHashAlg, prfHashLength, prfBlockSize);
+    }
+
+    /**
+     * Constructs a new TlsMasterSecretParameterSpec.
+     *
+     * 
    The getAlgorithm() method of premasterSecret
+     * should return "TlsRsaPremasterSecret" if the key exchange
+     * algorithm was RSA and "TlsPremasterSecret" otherwise.
+     *
+     * @param premasterSecret the premaster secret
+     * @param majorVersion the major number of the protocol version
+     * @param minorVersion the minor number of the protocol version
+     * @param extendedMasterSecretSessionHash the session hash for
+     *        Extended Master Secret
+     * @param prfHashAlg the name of the TLS PRF hash algorithm to use.
+     *        Used only for TLS 1.2+.  TLS1.1 and earlier use a fixed PRF.
+     * @param prfHashLength the output length of the TLS PRF hash algorithm.
+     *        Used only for TLS 1.2+.
+     * @param prfBlockSize the input block size of the TLS PRF hash algorithm.
+     *        Used only for TLS 1.2+.
+     *
+     * @throws NullPointerException if premasterSecret is null
+     * @throws IllegalArgumentException if minorVersion or majorVersion are
+     *   negative or larger than 255
+     */
+    public TlsMasterSecretParameterSpec(SecretKey premasterSecret,
+            int majorVersion, int minorVersion,
+            byte[] extendedMasterSecretSessionHash,
+            String prfHashAlg, int prfHashLength, int prfBlockSize) {
+        this(premasterSecret, majorVersion, minorVersion,
+                new byte[0], new byte[0],
+                extendedMasterSecretSessionHash,
+                prfHashAlg, prfHashLength, prfBlockSize);
+    }
+
+    private TlsMasterSecretParameterSpec(SecretKey premasterSecret,
+            int majorVersion, int minorVersion,
+            byte[] clientRandom, byte[] serverRandom,
+            byte[] extendedMasterSecretSessionHash,
+            String prfHashAlg, int prfHashLength, int prfBlockSize) {
         if (premasterSecret == null) {
             throw new NullPointerException("premasterSecret must not be null");
         }
@@ -88,6 +133,9 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
         this.minorVersion = checkVersion(minorVersion);
         this.clientRandom = clientRandom.clone();
         this.serverRandom = serverRandom.clone();
+        this.extendedMasterSecretSessionHash =
+                (extendedMasterSecretSessionHash != null ?
+                        extendedMasterSecretSessionHash.clone() : new byte[0]);
         this.prfHashAlg = prfHashAlg;
         this.prfHashLength = prfHashLength;
         this.prfBlockSize = prfBlockSize;
@@ -146,6 +194,17 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
         return serverRandom.clone();
     }
 
+    /**
+     * Returns a copy of the Extended Master Secret session hash.
+     *
+     * @return a copy of the Extended Master Secret session hash, or an empty
+     *         array if no extended master secret session hash was provided
+     *         at instantiation time
+     */
+    public byte[] getExtendedMasterSecretSessionHash() {
+        return extendedMasterSecretSessionHash.clone();
+    }
+
     /**
      * Obtains the PRF hash algorithm to use in the PRF calculation.
      *
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java
index 1d6c74eab3..cc12ab581c 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java
@@ -655,7 +655,8 @@ final class ClientHandshaker extends Handshaker {
 
                 // validate subject identity
                 ClientKeyExchangeService p =
-                        ClientKeyExchangeService.find(sessionSuite.keyExchange.name);
+                        ClientKeyExchangeService.find(
+                                sessionSuite.keyExchange.name);
                 if (p != null) {
                     Principal localPrincipal = session.getLocalPrincipal();
 
@@ -663,8 +664,9 @@ final class ClientHandshaker extends Handshaker {
                         if (debug != null && Debug.isOn("session"))
                             System.out.println("Subject identity is same");
                     } else {
-                        throw new SSLProtocolException("Server resumed" +
-                                " session with wrong subject identity or no subject");
+                        throw new SSLProtocolException(
+                                "Server resumed session with " +
+                                "wrong subject identity or no subject");
                     }
                 }
 
@@ -707,6 +709,54 @@ final class ClientHandshaker extends Handshaker {
         }   // Otherwise, using the value negotiated during the original
             // session initiation
 
+        // check the "extended_master_secret" extension
+        ExtendedMasterSecretExtension extendedMasterSecretExt =
+                (ExtendedMasterSecretExtension)mesg.extensions.get(
+                        ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+        if (extendedMasterSecretExt != null) {
+            // Is it the expected server extension?
+            if (!useExtendedMasterSecret ||
+                    !mesgVersion.useTLS10PlusSpec() || !requestedToUseEMS) {
+                fatalSE(Alerts.alert_unsupported_extension,
+                        "Server sent the extended_master_secret " +
+                        "extension improperly");
+            }
+
+            // For abbreviated handshake, if the original session did not use
+            // the "extended_master_secret" extension but the new ServerHello
+            // contains the extension, the client MUST abort the handshake.
+            if (resumingSession && (session != null) &&
+                    !session.getUseExtendedMasterSecret()) {
+                fatalSE(Alerts.alert_unsupported_extension,
+                        "Server sent an unexpected extended_master_secret " +
+                        "extension on session resumption");
+            }
+        } else {
+            if (useExtendedMasterSecret && !allowLegacyMasterSecret) {
+                // For full handshake, if a client receives a ServerHello
+                // without the extension, it SHOULD abort the handshake if
+                // it does not wish to interoperate with legacy servers.
+                fatalSE(Alerts.alert_handshake_failure,
+                    "Extended Master Secret extension is required");
+            }
+
+            if (resumingSession && (session != null)) {
+                if (session.getUseExtendedMasterSecret()) {
+                    // For abbreviated handshake, if the original session used
+                    // the "extended_master_secret" extension but the new
+                    // ServerHello does not contain the extension, the client
+                    // MUST abort the handshake.
+                    fatalSE(Alerts.alert_handshake_failure,
+                            "Missing Extended Master Secret extension " +
+                            "on session resumption");
+                } else if (useExtendedMasterSecret && !allowLegacyResumption) {
+                    // Unlikely, abbreviated handshake should be discarded.
+                    fatalSE(Alerts.alert_handshake_failure,
+                        "Extended Master Secret extension is required");
+                }
+            }
+        }
+
         // check the ALPN extension
         ALPNExtension serverHelloALPN =
             (ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN);
@@ -777,7 +827,8 @@ final class ClientHandshaker extends Handshaker {
                     && (type != ExtensionType.EXT_ALPN)
                     && (type != ExtensionType.EXT_RENEGOTIATION_INFO)
                     && (type != ExtensionType.EXT_STATUS_REQUEST)
-                    && (type != ExtensionType.EXT_STATUS_REQUEST_V2)) {
+                    && (type != ExtensionType.EXT_STATUS_REQUEST_V2)
+                    && (type != ExtensionType.EXT_EXTENDED_MASTER_SECRET)) {
                 // Note: Better to check client requested extensions rather
                 // than all supported extensions.
                 fatalSE(Alerts.alert_unsupported_extension,
@@ -788,7 +839,8 @@ final class ClientHandshaker extends Handshaker {
         // Create a new session, we need to do the full handshake
         session = new SSLSessionImpl(protocolVersion, cipherSuite,
                             getLocalSupportedSignAlgs(),
-                            mesg.sessionId, getHostSE(), getPortSE());
+                            mesg.sessionId, getHostSE(), getPortSE(),
+                            (extendedMasterSecretExt != null));
         session.setRequestedServerNames(requestedServerNames);
         session.setNegotiatedMaxFragSize(requestedMFLength);
         session.setMaximumPacketSize(maximumPacketSize);
@@ -1430,6 +1482,44 @@ final class ClientHandshaker extends Handshaker {
                 session = null;
             }
 
+            if ((session != null) && useExtendedMasterSecret) {
+                boolean isTLS10Plus = sessionVersion.useTLS10PlusSpec();
+                if (isTLS10Plus && !session.getUseExtendedMasterSecret()) {
+                    if (!allowLegacyResumption) {
+                        // perform full handshake instead
+                        //
+                        // The client SHOULD NOT offer an abbreviated handshake
+                        // to resume a session that does not use an extended
+                        // master secret.  Instead, it SHOULD offer a full
+                        // handshake.
+                        session = null;
+                    }
+                }
+
+                if ((session != null) && !allowUnsafeServerCertChange) {
+                    // It is fine to move on with abbreviate handshake if
+                    // endpoint identification is enabled.
+                    String identityAlg = getEndpointIdentificationAlgorithmSE();
+                    if ((identityAlg == null || identityAlg.length() == 0)) {
+                        if (isTLS10Plus) {
+                            if (!session.getUseExtendedMasterSecret()) {
+                                // perform full handshake instead
+                                session = null;
+                            }   // Otherwise, use extended master secret.
+                        } else {
+                            // The extended master secret extension does not
+                            // apply to SSL 3.0.  Perform a full handshake
+                            // instead.
+                            //
+                            // Note that the useExtendedMasterSecret is
+                            // extended to protect SSL 3.0 connections,
+                            // by discarding abbreviate handshake.
+                            session = null;
+                        }
+                    }
+                }
+            }
+
             if (session != null) {
                 if (debug != null) {
                     if (Debug.isOn("handshake") || Debug.isOn("session")) {
@@ -1539,6 +1629,14 @@ final class ClientHandshaker extends Handshaker {
             clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
         }
 
+        // add Extended Master Secret extension
+        if (useExtendedMasterSecret && maxProtocolVersion.useTLS10PlusSpec()) {
+            if ((session == null) || session.getUseExtendedMasterSecret()) {
+                clientHelloMessage.addExtendedMasterSecretExtension();
+                requestedToUseEMS = true;
+            }
+        }
+
         // add server_name extension
         if (enableSNIExtension) {
             if (session != null) {
@@ -1647,10 +1745,14 @@ final class ClientHandshaker extends Handshaker {
         // Allow server certificate change in client side during renegotiation
         // after a session-resumption abbreviated initial handshake?
         //
-        // DO NOT need to check allowUnsafeServerCertChange here. We only
+        // DO NOT need to check allowUnsafeServerCertChange here.  We only
         // reserve server certificates when allowUnsafeServerCertChange is
         // flase.
-        if (reservedServerCerts != null) {
+        //
+        // Allow server certificate change if it is negotiated to use the
+        // extended master secret.
+        if ((reservedServerCerts != null) &&
+                !session.getUseExtendedMasterSecret()) {
             // It is not necessary to check the certificate update if endpoint
             // identification is enabled.
             String identityAlg = getEndpointIdentificationAlgorithmSE();
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java b/jdk/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java
new file mode 100644
index 0000000000..bf7f7aefd7
--- /dev/null
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import javax.net.ssl.SSLProtocolException;
+
+/**
+ * Extended Master Secret TLS extension (TLS 1.0+). This extension
+ * defines how to calculate the TLS connection master secret and
+ * mitigates some types of man-in-the-middle attacks.
+ *
+ * See further information in
+ * RFC 7627.
+ *
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+final class ExtendedMasterSecretExtension extends HelloExtension {
+    ExtendedMasterSecretExtension() {
+        super(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+    }
+
+    ExtendedMasterSecretExtension(HandshakeInStream s,
+            int len) throws IOException {
+        super(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+
+        if (len != 0) {
+            throw new SSLProtocolException("Invalid " + type + " extension");
+        }
+    }
+
+    @Override
+    int length() {
+        return 4;       // 4: extension type and length fields
+    }
+
+    @Override
+    void send(HandshakeOutStream s) throws IOException {
+        s.putInt16(type.id);    // ExtensionType extension_type;
+        s.putInt16(0);          // extension_data length
+    }
+
+    @Override
+    public String toString() {
+        return "Extension " + type;
+    }
+}
+
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java b/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java
index 5338807bbd..0b908a2aa7 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ExtensionType.java
@@ -43,7 +43,7 @@ final class ExtensionType {
         return name;
     }
 
-    static List knownExtensions = new ArrayList<>(15);
+    static List knownExtensions = new ArrayList<>(16);
 
     static ExtensionType get(int id) {
         for (ExtensionType ext : knownExtensions) {
@@ -105,6 +105,10 @@ final class ExtensionType {
     static final ExtensionType EXT_STATUS_REQUEST_V2 =
             e(0x0011, "status_request_v2");      // IANA registry value: 17
 
+    // extensions defined in RFC 7627
+    static final ExtensionType EXT_EXTENDED_MASTER_SECRET =
+            e(0x0017, "extended_master_secret"); // IANA registry value: 23
+
     // extensions defined in RFC 5746
     static final ExtensionType EXT_RENEGOTIATION_INFO =
             e(0xff01, "renegotiation_info");     // IANA registry value: 65281
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
index 8477456c4d..83cacb6c10 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
@@ -368,6 +368,10 @@ static final class ClientHello extends HandshakeMessage {
         extensions.add(signatureAlgorithm);
     }
 
+    void addExtendedMasterSecretExtension() {
+        extensions.add(new ExtendedMasterSecretExtension());
+    }
+
     void addMFLExtension(int maximumPacketSize) {
         HelloExtension maxFragmentLength =
                 new MaxFragmentLengthExtension(maximumPacketSize);
@@ -1420,7 +1424,7 @@ class ECDH_ServerKeyExchange extends ServerKeyExchange {
         } else {
             sig = getSignature(privateKey.getAlgorithm());
         }
-        sig.initSign(privateKey);  // where is the SecureRandom?
+        sig.initSign(privateKey, sr);
 
         updateSignature(sig, clntNonce, svrNonce);
         signatureBytes = sig.sign();
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java
index e26495b3c5..8b05020f87 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java
@@ -30,12 +30,6 @@ import java.io.*;
 import java.util.*;
 import java.security.*;
 import java.nio.ByteBuffer;
-import java.security.NoSuchAlgorithmException;
-import java.security.AccessController;
-import java.security.AlgorithmConstraints;
-import java.security.AccessControlContext;
-import java.security.PrivilegedExceptionAction;
-import java.security.PrivilegedActionException;
 import java.util.function.BiFunction;
 
 import javax.crypto.*;
@@ -225,6 +219,20 @@ abstract class Handshaker {
             Debug.getBooleanProperty(
                 "jdk.tls.rejectClientInitiatedRenegotiation", false);
 
+    // To switch off the extended_master_secret extension.
+    static final boolean useExtendedMasterSecret;
+
+    // Allow session resumption without Extended Master Secret extension.
+    static final boolean allowLegacyResumption =
+            Debug.getBooleanProperty("jdk.tls.allowLegacyResumption", true);
+
+    // Allow full handshake without Extended Master Secret extension.
+    static final boolean allowLegacyMasterSecret =
+            Debug.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true);
+
+    // Is it requested to use extended master secret extension?
+    boolean requestedToUseEMS = false;
+
     // need to dispose the object when it is invalidated
     boolean invalidated;
 
@@ -233,6 +241,24 @@ abstract class Handshaker {
      */
     final boolean isDTLS;
 
+    // Is the extended_master_secret extension supported?
+    static {
+        boolean supportExtendedMasterSecret = true;
+        try {
+            KeyGenerator kg =
+                JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
+        } catch (NoSuchAlgorithmException nae) {
+            supportExtendedMasterSecret = false;
+        }
+
+        if (supportExtendedMasterSecret) {
+            useExtendedMasterSecret = Debug.getBooleanProperty(
+                    "jdk.tls.useExtendedMasterSecret", true);
+        } else {
+            useExtendedMasterSecret = false;
+        }
+    }
+
     Handshaker(SSLSocketImpl c, SSLContextImpl context,
             ProtocolList enabledProtocols, boolean needCertVerify,
             boolean isClient, ProtocolVersion activeProtocolVersion,
@@ -243,7 +269,7 @@ abstract class Handshaker {
         init(context, enabledProtocols, needCertVerify, isClient,
             activeProtocolVersion, isInitialHandshake, secureRenegotiation,
             clientVerifyData, serverVerifyData);
-    }
+   }
 
     Handshaker(SSLEngineImpl engine, SSLContextImpl context,
             ProtocolList enabledProtocols, boolean needCertVerify,
@@ -1220,6 +1246,7 @@ abstract class Handshaker {
      * SHA1 hashes are of (different) constant strings, the pre-master
      * secret, and the nonces provided by the client and the server.
      */
+    @SuppressWarnings("deprecation")
     private SecretKey calculateMasterSecret(SecretKey preMasterSecret,
             ProtocolVersion requestedVersion) {
 
@@ -1270,11 +1297,37 @@ abstract class Handshaker {
         int prfHashLength = prf.getPRFHashLength();
         int prfBlockSize = prf.getPRFBlockSize();
 
-        @SuppressWarnings("deprecation")
-        TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec(
-                preMasterSecret, (majorVersion & 0xFF), (minorVersion & 0xFF),
-                clnt_random.random_bytes, svr_random.random_bytes,
-                prfHashAlg, prfHashLength, prfBlockSize);
+        TlsMasterSecretParameterSpec spec;
+        if (session.getUseExtendedMasterSecret()) {
+            // reset to use the extended master secret algorithm
+            masterAlg = "SunTlsExtendedMasterSecret";
+
+            byte[] sessionHash = null;
+            if (protocolVersion.useTLS12PlusSpec()) {
+                sessionHash = handshakeHash.getFinishedHash();
+            } else {
+                // TLS 1.0/1.1, DTLS 1.0
+                sessionHash = new byte[36];
+                try {
+                    handshakeHash.getMD5Clone().digest(sessionHash, 0, 16);
+                    handshakeHash.getSHAClone().digest(sessionHash, 16, 20);
+                } catch (DigestException de) {
+                    throw new ProviderException(de);
+                }
+            }
+
+            spec = new TlsMasterSecretParameterSpec(
+                    preMasterSecret,
+                    (majorVersion & 0xFF), (minorVersion & 0xFF),
+                    sessionHash,
+                    prfHashAlg, prfHashLength, prfBlockSize);
+        } else {
+            spec = new TlsMasterSecretParameterSpec(
+                    preMasterSecret,
+                    (majorVersion & 0xFF), (minorVersion & 0xFF),
+                    clnt_random.random_bytes, svr_random.random_bytes,
+                    prfHashAlg, prfHashLength, prfBlockSize);
+        }
 
         try {
             KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java b/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java
index 82975c962f..013b4fb7aa 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java
@@ -93,6 +93,8 @@ final class HelloExtensions {
                 extension = new CertStatusReqExtension(s, extlen);
             } else if (extType == ExtensionType.EXT_STATUS_REQUEST_V2) {
                 extension = new CertStatusReqListV2Extension(s, extlen);
+            } else if (extType == ExtensionType.EXT_EXTENDED_MASTER_SECRET) {
+                extension = new ExtendedMasterSecretExtension(s, extlen);
             } else {
                 extension = new UnknownExtension(s, extlen, extType);
             }
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java b/jdk/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
index 59472f18b8..c747844f1f 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -91,6 +91,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
     private byte                compressionMethod;
     private CipherSuite         cipherSuite;
     private SecretKey           masterSecret;
+    private final boolean       useExtendedMasterSecret;
 
     /*
      * Information not part of the SSLv3 protocol spec, but used
@@ -148,7 +149,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
      */
     private SSLSessionImpl() {
         this(ProtocolVersion.NONE, CipherSuite.C_NULL, null,
-            new SessionId(false, null), null, -1);
+            new SessionId(false, null), null, -1, false);
     }
 
     /*
@@ -158,9 +159,11 @@ final class SSLSessionImpl extends ExtendedSSLSession {
      */
     SSLSessionImpl(ProtocolVersion protocolVersion, CipherSuite cipherSuite,
             Collection algorithms,
-            SecureRandom generator, String host, int port) {
+            SecureRandom generator, String host, int port,
+            boolean useExtendedMasterSecret) {
         this(protocolVersion, cipherSuite, algorithms,
-             new SessionId(defaultRejoinable, generator), host, port);
+             new SessionId(defaultRejoinable, generator), host, port,
+             useExtendedMasterSecret);
     }
 
     /*
@@ -168,7 +171,8 @@ final class SSLSessionImpl extends ExtendedSSLSession {
      */
     SSLSessionImpl(ProtocolVersion protocolVersion, CipherSuite cipherSuite,
             Collection algorithms,
-            SessionId id, String host, int port) {
+            SessionId id, String host, int port,
+            boolean useExtendedMasterSecret) {
         this.protocolVersion = protocolVersion;
         sessionId = id;
         peerCerts = null;
@@ -182,6 +186,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
             SignatureAndHashAlgorithm.getAlgorithmNames(algorithms);
         negotiatedMaxFragLen = -1;
         statusResponses = null;
+        this.useExtendedMasterSecret = useExtendedMasterSecret;
 
         if (debug != null && Debug.isOn("session")) {
             System.out.println("%% Initialized:  " + this);
@@ -203,6 +208,10 @@ final class SSLSessionImpl extends ExtendedSSLSession {
         return masterSecret;
     }
 
+    boolean getUseExtendedMasterSecret() {
+        return useExtendedMasterSecret;
+    }
+
     void setPeerCertificates(X509Certificate[] peer) {
         if (peerCerts == null) {
             peerCerts = peer;
diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
index 85b96cd3f8..c6555e8a84 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
@@ -529,6 +529,27 @@ final class ServerHandshaker extends Handshaker {
             }
         }
 
+        // check out the "extended_master_secret" extension
+        if (useExtendedMasterSecret) {
+            ExtendedMasterSecretExtension extendedMasterSecretExtension =
+                    (ExtendedMasterSecretExtension)mesg.extensions.get(
+                            ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+            if (extendedMasterSecretExtension != null) {
+                requestedToUseEMS = true;
+            } else if (mesg.protocolVersion.useTLS10PlusSpec()) {
+                if (!allowLegacyMasterSecret) {
+                    // For full handshake, if the server receives a ClientHello
+                    // without the extension, it SHOULD abort the handshake if
+                    // it does not wish to interoperate with legacy clients.
+                    //
+                    // As if extended master extension is required for full
+                    // handshake, it MUST be used in abbreviated handshake too.
+                    fatalSE(Alerts.alert_handshake_failure,
+                        "Extended Master Secret extension is required");
+                }
+            }
+        }
+
         // check the ALPN extension
         ALPNExtension clientHelloALPN = (ALPNExtension)
             mesg.extensions.get(ExtensionType.EXT_ALPN);
@@ -592,11 +613,45 @@ final class ServerHandshaker extends Handshaker {
                 if (resumingSession) {
                     ProtocolVersion oldVersion = previous.getProtocolVersion();
                     // cannot resume session with different version
-                    if (oldVersion != protocolVersion) {
+                    if (oldVersion != mesg.protocolVersion) {
                         resumingSession = false;
                     }
                 }
 
+                if (resumingSession && useExtendedMasterSecret) {
+                    if (requestedToUseEMS &&
+                            !previous.getUseExtendedMasterSecret()) {
+                        // For abbreviated handshake request, If the original
+                        // session did not use the "extended_master_secret"
+                        // extension but the new ClientHello contains the
+                        // extension, then the server MUST NOT perform the
+                        // abbreviated handshake.  Instead, it SHOULD continue
+                        // with a full handshake.
+                        resumingSession = false;
+                    } else if (!requestedToUseEMS &&
+                            previous.getUseExtendedMasterSecret()) {
+                        // For abbreviated handshake request, if the original
+                        // session used the "extended_master_secret" extension
+                        // but the new ClientHello does not contain it, the
+                        // server MUST abort the abbreviated handshake.
+                        fatalSE(Alerts.alert_handshake_failure,
+                                "Missing Extended Master Secret extension " +
+                                "on session resumption");
+                    } else if (!requestedToUseEMS &&
+                            !previous.getUseExtendedMasterSecret()) {
+                        // For abbreviated handshake request, if neither the
+                        // original session nor the new ClientHello uses the
+                        // extension, the server SHOULD abort the handshake.
+                        if (!allowLegacyResumption) {
+                            fatalSE(Alerts.alert_handshake_failure,
+                                "Missing Extended Master Secret extension " +
+                                "on session resumption");
+                        } else {  // Otherwise, continue with a full handshake.
+                            resumingSession = false;
+                        }
+                    }
+                }
+
                 // cannot resume session with different server name indication
                 if (resumingSession) {
                     List oldServerNames =
@@ -630,7 +685,7 @@ final class ServerHandshaker extends Handshaker {
                 if (resumingSession) {
                     CipherSuite suite = previous.getSuite();
                     ClientKeyExchangeService p =
-                            ClientKeyExchangeService.find(suite.keyExchange.name);
+                        ClientKeyExchangeService.find(suite.keyExchange.name);
                     if (p != null) {
                         Principal localPrincipal = previous.getLocalPrincipal();
 
@@ -784,7 +839,9 @@ final class ServerHandshaker extends Handshaker {
             session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
                         getLocalSupportedSignAlgs(),
                         sslContext.getSecureRandom(),
-                        getHostAddressSE(), getPortSE());
+                        getHostAddressSE(), getPortSE(),
+                        (requestedToUseEMS &&
+                                protocolVersion.useTLS10PlusSpec()));
 
             if (protocolVersion.useTLS12PlusSpec()) {
                 if (peerSupportedSignAlgs != null) {
@@ -886,6 +943,10 @@ final class ServerHandshaker extends Handshaker {
             m1.extensions.add(maxFragLenExt);
         }
 
+        if (session.getUseExtendedMasterSecret()) {
+            m1.extensions.add(new ExtendedMasterSecretExtension());
+        }
+
         StaplingParameters staplingParams = processStapling(mesg);
         if (staplingParams != null) {
             // We now can safely assert status_request[_v2] in our
@@ -963,7 +1024,8 @@ final class ServerHandshaker extends Handshaker {
          * defined in the protocol spec are explicitly stated to require
          * using RSA certificates.
          */
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
+        if (ClientKeyExchangeService.find(
+                cipherSuite.keyExchange.name) != null) {
             // No external key exchange provider needs a cert now.
         } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
             if (certs == null) {
diff --git a/jdk/test/javax/net/ssl/DTLS/NoMacInitialClientHello.java b/jdk/test/javax/net/ssl/DTLS/NoMacInitialClientHello.java
index 2a5c74fa68..0f4b6b992d 100644
--- a/jdk/test/javax/net/ssl/DTLS/NoMacInitialClientHello.java
+++ b/jdk/test/javax/net/ssl/DTLS/NoMacInitialClientHello.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,7 @@ public class NoMacInitialClientHello extends DTLSOverDatagram {
     boolean needInvalidRecords = true;
 
     public static void main(String[] args) throws Exception {
+        System.setProperty("jdk.tls.useExtendedMasterSecret", "false");
         NoMacInitialClientHello testCase = new NoMacInitialClientHello();
         testCase.runTest(testCase);
     }
diff --git a/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java b/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
index c00337789f..26e30608bd 100644
--- a/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
+++ b/jdk/test/sun/security/ssl/DHKeyExchange/DHEKeySizing.java
@@ -31,45 +31,45 @@
  * @bug 6956398
  * @summary make ephemeral DH key match the length of the certificate key
  * @run main/othervm
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1639 267
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1643 267
  * @run main/othervm -Djsse.enableFFDHE=false
- *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75
+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1259 75
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=matched
- *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75
+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1259 75
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=legacy
- *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75
+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1259 75
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=1024
- *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1255 75
+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1259 75
  *
  * @run main/othervm -Djsse.enableFFDHE=false
- *      DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 229 75
+ *      DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 233 75
  *
  * @run main/othervm -Djsse.enableFFDHE=false
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1383 139
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1387 139
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=legacy
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1319 107
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1323 107
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=matched
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1639 267
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1643 267
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=1024
- *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1383 139
+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1387 139
  *
  * @run main/othervm -Djsse.enableFFDHE=false
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 357 139
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 361 139
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=legacy
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 293 107
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 297 107
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=matched
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 357 139
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 361 139
  * @run main/othervm -Djsse.enableFFDHE=false
  *      -Djdk.tls.ephemeralDHKeySize=1024
- *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 357 139
+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 361 139
  */
 
 /*
@@ -101,10 +101,10 @@
  * Here is a summary of the record length in the test case.
  *
  *            |  ServerHello Series  |  ClientKeyExchange | ServerHello Anon
- *   512-bit  |          1255 bytes  |           75 bytes |        229 bytes
- *   768-bit  |          1319 bytes  |          107 bytes |        293 bytes
- *  1024-bit  |          1383 bytes  |          139 bytes |        357 bytes
- *  2048-bit  |          1639 bytes  |          267 bytes |        357 bytes
+ *   512-bit  |          1259 bytes  |           75 bytes |        233 bytes
+ *   768-bit  |          1323 bytes  |          107 bytes |        297 bytes
+ *  1024-bit  |          1387 bytes  |          139 bytes |        361 bytes
+ *  2048-bit  |          1643 bytes  |          267 bytes |        361 bytes
  */
 
 import javax.net.ssl.*;
diff --git a/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java b/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java
index 89c50b2602..375a060e39 100644
--- a/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java
+++ b/jdk/test/sun/security/ssl/ExtensionType/OptimalListSize.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,6 +38,6 @@ public class OptimalListSize {
     public static void main(String[] args) throws Throwable {
         OptimalCapacity.ofArrayList(
                 Class.forName("sun.security.ssl.ExtensionType"),
-                "knownExtensions", 15);
+                "knownExtensions", 16);
     }
 }

From 1448c3992d1b6c8c755a636c7f76ee67e4711e48 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 13:09:10 -0800
Subject: [PATCH 251/269] Added tag jdk-9.0.4+8 for changeset 41ce3a47830c

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 9d16b24a84..78ae8d1f79 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -449,3 +449,4 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 73d63ccf56f46f258f367ed72633f0f5cc229680 jdk-9.0.4+5
 86219e4c9f8cd730bacd2f6080b6ac1dea7a0226 jdk-9.0.4+6
 9aba57f3071362ed7f2326d737506863b9d2646f jdk-9.0.4+7
+a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8

From e16adfa7fe45c2819a9d2db68ab77b5b90dd3c17 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 13:09:44 -0800
Subject: [PATCH 252/269] Added tag jdk-9.0.4+8 for changeset 5b8b7116040f

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 68fba1e7ce..6a472bbfe7 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -445,3 +445,4 @@ bcb2300e20962172f7b94ba422d3e634d4f2c62c jdk-9.0.4+2
 ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5
 7582f72a39b79c6206cdd7e0ccdfaa1ab342b040 jdk-9.0.4+6
 8d2b147370b7a6ed585f1b168fe3475a6e16cb5f jdk-9.0.4+7
+019e9e48d195e2aad4373e4301b068800f2ae5e6 jdk-9.0.4+8

From be74b326fcfb1a3c0dd9c5e8b4d31c1d79f4ec7f Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 14:19:55 -0800
Subject: [PATCH 253/269] 8192773: Remove and retag 9.0.4+8 to include 8192772

Reviewed-by: erikj
---
 .hgtags-top-repo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 78ae8d1f79..ef1c8f02c3 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -450,3 +450,5 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 86219e4c9f8cd730bacd2f6080b6ac1dea7a0226 jdk-9.0.4+6
 9aba57f3071362ed7f2326d737506863b9d2646f jdk-9.0.4+7
 a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
+a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
+0000000000000000000000000000000000000000 jdk-9.0.4+8

From 1aade8fb1f19dd0edd1749204adbde88bb7a6e33 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Wed, 29 Nov 2017 23:00:43 +0100
Subject: [PATCH 254/269] 8191940: OpenJDK bundle contains closed repository
 information in release file

Reviewed-by: ihse
---
 make/SourceRevision.gmk  | 12 +++++++++---
 make/common/MakeBase.gmk | 22 ++++++++++++++++++----
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/make/SourceRevision.gmk b/make/SourceRevision.gmk
index a14b3ef0e2..2218b21c37 100644
--- a/make/SourceRevision.gmk
+++ b/make/SourceRevision.gmk
@@ -39,8 +39,6 @@ include MakeBase.gmk
 # revisions of all repos will be stored in a file in the top dir, which is then
 # used when creating the tracker file.
 
-STORED_SOURCE_REVISION := $(TOPDIR)/.src-rev
-
 # Are we using mercurial?
 ifneq ($(and $(HG), $(wildcard $(TOPDIR)/.hg)), )
 
@@ -108,7 +106,15 @@ else
 	$(call LogInfo, No mercurial configuration present$(COMMA) not updating .src-rev)
 
     $(SOURCE_REVISION_TRACKER): $(STORED_SOURCE_REVISION)
-	$(install-file)
+	$(call MakeDir, $(@D))
+	$(RM) $@
+        # Only include revisions for repos that are included in the current
+        # source set.
+	for r in `cat $<`; do \
+	  if [ -d "$(TOPDIR)/`$(ECHO) $$r | $(CUT) -d':' -f1`" ]; then \
+	    $(PRINTF) "$$r " >> $@; \
+	  fi; \
+	done
 
     create-source-revision-tracker: $(SOURCE_REVISION_TRACKER)
   else
diff --git a/make/common/MakeBase.gmk b/make/common/MakeBase.gmk
index ff8ced0fcf..6f7b31dea2 100644
--- a/make/common/MakeBase.gmk
+++ b/make/common/MakeBase.gmk
@@ -342,11 +342,25 @@ endif # HAS_FILE_FUNCTION
 # the build was created from
 SOURCE_REVISION_TRACKER := $(SUPPORT_OUTPUTDIR)/src-rev/source-revision-tracker
 
-# Locate all hg repositories included in the forest, as absolute paths
+# A cache of the mercurial information which can be dropped in the top of the
+# source tree for inclusion in a source bundle.
+STORED_SOURCE_REVISION := $(TOPDIR)/.src-rev
+
+# Locate all hg repositories included in the forest, as absolute paths. Use .hg
+# dirs if present, otherwise parse the .src-rev file and match dirs.
 FindAllReposAbs = \
-    $(strip $(sort $(dir $(filter-out $(SRC_ROOT)/build/%, $(wildcard \
-        $(addprefix $(SRC_ROOT)/, .hg */.hg */*/.hg */*/*/.hg) \
-    )))))
+    $(if $(and $(HG), $(wildcard $(TOPDIR)/.hg)), \
+      $(strip $(sort $(dir $(filter-out $(SRC_ROOT)/build/%, $(wildcard \
+      $(addprefix $(SRC_ROOT)/, .hg */.hg */*/.hg */*/*/.hg)))))) \
+      , \
+      $(if $(wildcard $(STORED_SOURCE_REVISION)), \
+        $(strip $(foreach r, $(call ReadFile, $(STORED_SOURCE_REVISION)), \
+          $(wildcard $(TOPDIR)/$(firstword $(subst :,$(SPACE),$r))/) \
+        )) \
+      , \
+        $(error No mercurial or .src-rev available, cannot list repositories) \
+      ) \
+    )
 
 # Locate all hg repositories included in the forest, as relative paths
 FindAllReposRel = \

From 046202306a1f93cb0d56a2607273095a79c7cb79 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 29 Nov 2017 14:21:00 -0800
Subject: [PATCH 255/269] Added tag jdk-9.0.4+8 for changeset b1f1b5dee37f

---
 .hgtags-top-repo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index ef1c8f02c3..d1eca2c831 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -452,3 +452,5 @@ e6edc89f5b2dc6dacd6041305e942a3f04a25ce5 jdk-9.0.1+11
 a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
 a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
 0000000000000000000000000000000000000000 jdk-9.0.4+8
+0000000000000000000000000000000000000000 jdk-9.0.4+8
+953d306b203e7d0808cb842a51e006fddc41b6c2 jdk-9.0.4+8

From b3f875ab18a54700e412a85cd4b0735091af53fe Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Mon, 4 Dec 2017 10:17:19 -0800
Subject: [PATCH 256/269] 8139653: Freetype bundled on macosx, but not
 correctly linked

Reviewed-by: tbell, prr
---
 common/autoconf/basics.m4              |    4 -
 common/autoconf/generated-configure.sh | 1192 ++++++++++++++++++++----
 common/autoconf/spec.gmk.in            |    1 +
 common/autoconf/toolchain.m4           |    4 +
 4 files changed, 993 insertions(+), 208 deletions(-)

diff --git a/common/autoconf/basics.m4 b/common/autoconf/basics.m4
index 187ad8ac16..3e2ae6b80e 100644
--- a/common/autoconf/basics.m4
+++ b/common/autoconf/basics.m4
@@ -1090,10 +1090,6 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
     # We can build without it.
     LDD="true"
   fi
-  BASIC_PATH_PROGS(OTOOL, otool)
-  if test "x$OTOOL" = "x"; then
-    OTOOL="true"
-  fi
   BASIC_PATH_PROGS(READELF, [greadelf readelf])
   BASIC_PATH_PROGS(DOT, dot)
   BASIC_PATH_PROGS(HG, hg)
diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
index ab0642affe..bd39f6c736 100644
--- a/common/autoconf/generated-configure.sh
+++ b/common/autoconf/generated-configure.sh
@@ -818,6 +818,8 @@ MSBUILD
 DUMPBIN
 RC
 MT
+INSTALL_NAME_TOOL
+OTOOL
 LIPO
 ac_ct_AR
 AR
@@ -939,7 +941,6 @@ STAT
 HG
 DOT
 READELF
-OTOOL
 LDD
 ZIPEXE
 UNZIP
@@ -1293,7 +1294,6 @@ MAKE
 UNZIP
 ZIPEXE
 LDD
-OTOOL
 READELF
 DOT
 HG
@@ -1324,6 +1324,8 @@ CXXCPP
 AS
 AR
 LIPO
+OTOOL
+INSTALL_NAME_TOOL
 STRIP
 NM
 GNM
@@ -2261,7 +2263,6 @@ Some influential environment variables:
   UNZIP       Override default value for UNZIP
   ZIPEXE      Override default value for ZIPEXE
   LDD         Override default value for LDD
-  OTOOL       Override default value for OTOOL
   READELF     Override default value for READELF
   DOT         Override default value for DOT
   HG          Override default value for HG
@@ -2293,6 +2294,9 @@ Some influential environment variables:
   AS          Override default value for AS
   AR          Override default value for AR
   LIPO        Override default value for LIPO
+  OTOOL       Override default value for OTOOL
+  INSTALL_NAME_TOOL
+              Override default value for INSTALL_NAME_TOOL
   STRIP       Override default value for STRIP
   NM          Override default value for NM
   GNM         Override default value for GNM
@@ -5186,7 +5190,7 @@ VS_SDK_PLATFORM_NAME_2013=
 #CUSTOM_AUTOCONF_INCLUDE
 
 # Do not change or remove the following line, it is needed for consistency checks:
-DATE_WHEN_GENERATED=1496926402
+DATE_WHEN_GENERATED=1512407603
 
 ###############################################################################
 #
@@ -22094,206 +22098,6 @@ $as_echo "$tool_specified" >&6; }
   # Publish this variable in the help.
 
 
-  if [ -z "${OTOOL+x}" ]; then
-    # The variable is not set by user, try to locate tool using the code snippet
-    for ac_prog in otool
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_OTOOL+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  case $OTOOL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-    for ac_exec_ext in '' $ac_executable_extensions; do
-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-  done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-OTOOL=$ac_cv_path_OTOOL
-if test -n "$OTOOL"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
-$as_echo "$OTOOL" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-  test -n "$OTOOL" && break
-done
-
-  else
-    # The variable is set, but is it from the command line or the environment?
-
-    # Try to remove the string !OTOOL! from our list.
-    try_remove_var=${CONFIGURE_OVERRIDDEN_VARIABLES//!OTOOL!/}
-    if test "x$try_remove_var" = "x$CONFIGURE_OVERRIDDEN_VARIABLES"; then
-      # If it failed, the variable was not from the command line. Ignore it,
-      # but warn the user (except for BASH, which is always set by the calling BASH).
-      if test "xOTOOL" != xBASH; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring value of OTOOL from the environment. Use command line variables instead." >&5
-$as_echo "$as_me: WARNING: Ignoring value of OTOOL from the environment. Use command line variables instead." >&2;}
-      fi
-      # Try to locate tool using the code snippet
-      for ac_prog in otool
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_OTOOL+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  case $OTOOL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-    for ac_exec_ext in '' $ac_executable_extensions; do
-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-  done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-OTOOL=$ac_cv_path_OTOOL
-if test -n "$OTOOL"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
-$as_echo "$OTOOL" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-  test -n "$OTOOL" && break
-done
-
-    else
-      # If it succeeded, then it was overridden by the user. We will use it
-      # for the tool.
-
-      # First remove it from the list of overridden variables, so we can test
-      # for unknown variables in the end.
-      CONFIGURE_OVERRIDDEN_VARIABLES="$try_remove_var"
-
-      # Check if we try to supply an empty value
-      if test "x$OTOOL" = x; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: Setting user supplied tool OTOOL= (no value)" >&5
-$as_echo "$as_me: Setting user supplied tool OTOOL= (no value)" >&6;}
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OTOOL" >&5
-$as_echo_n "checking for OTOOL... " >&6; }
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
-      else
-        # Check if the provided tool contains a complete path.
-        tool_specified="$OTOOL"
-        tool_basename="${tool_specified##*/}"
-        if test "x$tool_basename" = "x$tool_specified"; then
-          # A command without a complete path is provided, search $PATH.
-          { $as_echo "$as_me:${as_lineno-$LINENO}: Will search for user supplied tool OTOOL=$tool_basename" >&5
-$as_echo "$as_me: Will search for user supplied tool OTOOL=$tool_basename" >&6;}
-          # Extract the first word of "$tool_basename", so it can be a program name with args.
-set dummy $tool_basename; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_OTOOL+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  case $OTOOL in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-    for ac_exec_ext in '' $ac_executable_extensions; do
-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-  done
-IFS=$as_save_IFS
-
-  ;;
-esac
-fi
-OTOOL=$ac_cv_path_OTOOL
-if test -n "$OTOOL"; then
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
-$as_echo "$OTOOL" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-          if test "x$OTOOL" = x; then
-            as_fn_error $? "User supplied tool $tool_basename could not be found" "$LINENO" 5
-          fi
-        else
-          # Otherwise we believe it is a complete path. Use it as it is.
-          { $as_echo "$as_me:${as_lineno-$LINENO}: Will use user supplied tool OTOOL=$tool_specified" >&5
-$as_echo "$as_me: Will use user supplied tool OTOOL=$tool_specified" >&6;}
-          { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OTOOL" >&5
-$as_echo_n "checking for OTOOL... " >&6; }
-          if test ! -x "$tool_specified"; then
-            { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
-$as_echo "not found" >&6; }
-            as_fn_error $? "User supplied tool OTOOL=$tool_specified does not exist or is not executable" "$LINENO" 5
-          fi
-          { $as_echo "$as_me:${as_lineno-$LINENO}: result: $tool_specified" >&5
-$as_echo "$tool_specified" >&6; }
-        fi
-      fi
-    fi
-
-  fi
-
-
-  if test "x$OTOOL" = "x"; then
-    OTOOL="true"
-  fi
-
-
-  # Publish this variable in the help.
-
-
   if [ -z "${READELF+x}" ]; then
     # The variable is not set by user, try to locate tool using the code snippet
     for ac_prog in greadelf readelf
@@ -39301,6 +39105,986 @@ $as_echo "$as_me: Rewriting LIPO to \"$new_complete\"" >&6;}
     fi
   fi
 
+
+
+
+  # Publish this variable in the help.
+
+
+  if [ -z "${OTOOL+x}" ]; then
+    # The variable is not set by user, try to locate tool using the code snippet
+    for ac_prog in otool
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $OTOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+OTOOL=$ac_cv_path_OTOOL
+if test -n "$OTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
+$as_echo "$OTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$OTOOL" && break
+done
+
+  else
+    # The variable is set, but is it from the command line or the environment?
+
+    # Try to remove the string !OTOOL! from our list.
+    try_remove_var=${CONFIGURE_OVERRIDDEN_VARIABLES//!OTOOL!/}
+    if test "x$try_remove_var" = "x$CONFIGURE_OVERRIDDEN_VARIABLES"; then
+      # If it failed, the variable was not from the command line. Ignore it,
+      # but warn the user (except for BASH, which is always set by the calling BASH).
+      if test "xOTOOL" != xBASH; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring value of OTOOL from the environment. Use command line variables instead." >&5
+$as_echo "$as_me: WARNING: Ignoring value of OTOOL from the environment. Use command line variables instead." >&2;}
+      fi
+      # Try to locate tool using the code snippet
+      for ac_prog in otool
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $OTOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+OTOOL=$ac_cv_path_OTOOL
+if test -n "$OTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
+$as_echo "$OTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$OTOOL" && break
+done
+
+    else
+      # If it succeeded, then it was overridden by the user. We will use it
+      # for the tool.
+
+      # First remove it from the list of overridden variables, so we can test
+      # for unknown variables in the end.
+      CONFIGURE_OVERRIDDEN_VARIABLES="$try_remove_var"
+
+      # Check if we try to supply an empty value
+      if test "x$OTOOL" = x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: Setting user supplied tool OTOOL= (no value)" >&5
+$as_echo "$as_me: Setting user supplied tool OTOOL= (no value)" >&6;}
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OTOOL" >&5
+$as_echo_n "checking for OTOOL... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+      else
+        # Check if the provided tool contains a complete path.
+        tool_specified="$OTOOL"
+        tool_basename="${tool_specified##*/}"
+        if test "x$tool_basename" = "x$tool_specified"; then
+          # A command without a complete path is provided, search $PATH.
+          { $as_echo "$as_me:${as_lineno-$LINENO}: Will search for user supplied tool OTOOL=$tool_basename" >&5
+$as_echo "$as_me: Will search for user supplied tool OTOOL=$tool_basename" >&6;}
+          # Extract the first word of "$tool_basename", so it can be a program name with args.
+set dummy $tool_basename; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_OTOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $OTOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_OTOOL="$OTOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_OTOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+OTOOL=$ac_cv_path_OTOOL
+if test -n "$OTOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5
+$as_echo "$OTOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+          if test "x$OTOOL" = x; then
+            as_fn_error $? "User supplied tool $tool_basename could not be found" "$LINENO" 5
+          fi
+        else
+          # Otherwise we believe it is a complete path. Use it as it is.
+          { $as_echo "$as_me:${as_lineno-$LINENO}: Will use user supplied tool OTOOL=$tool_specified" >&5
+$as_echo "$as_me: Will use user supplied tool OTOOL=$tool_specified" >&6;}
+          { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OTOOL" >&5
+$as_echo_n "checking for OTOOL... " >&6; }
+          if test ! -x "$tool_specified"; then
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+            as_fn_error $? "User supplied tool OTOOL=$tool_specified does not exist or is not executable" "$LINENO" 5
+          fi
+          { $as_echo "$as_me:${as_lineno-$LINENO}: result: $tool_specified" >&5
+$as_echo "$tool_specified" >&6; }
+        fi
+      fi
+    fi
+
+  fi
+
+
+
+  if test "x$OTOOL" = x; then
+    as_fn_error $? "Could not find required tool for OTOOL" "$LINENO" 5
+  fi
+
+
+
+  # Only process if variable expands to non-empty
+
+  if test "x$OTOOL" != x; then
+    if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+
+  # First separate the path from the arguments. This will split at the first
+  # space.
+  complete="$OTOOL"
+  path="${complete%% *}"
+  tmp="$complete EOL"
+  arguments="${tmp#* }"
+
+  # Input might be given as Windows format, start by converting to
+  # unix format.
+  new_path=`$CYGPATH -u "$path"`
+
+  # Now try to locate executable using which
+  new_path=`$WHICH "$new_path" 2> /dev/null`
+  # bat and cmd files are not always considered executable in cygwin causing which
+  # to not find them
+  if test "x$new_path" = x \
+      && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+      && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+    new_path=`$CYGPATH -u "$path"`
+  fi
+  if test "x$new_path" = x; then
+    # Oops. Which didn't find the executable.
+    # The splitting of arguments from the executable at a space might have been incorrect,
+    # since paths with space are more likely in Windows. Give it another try with the whole
+    # argument.
+    path="$complete"
+    arguments="EOL"
+    new_path=`$CYGPATH -u "$path"`
+    new_path=`$WHICH "$new_path" 2> /dev/null`
+    # bat and cmd files are not always considered executable in cygwin causing which
+    # to not find them
+    if test "x$new_path" = x \
+        && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+        && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+      new_path=`$CYGPATH -u "$path"`
+    fi
+    if test "x$new_path" = x; then
+      # It's still not found. Now this is an unrecoverable error.
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of OTOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of OTOOL, which resolves as \"$complete\", is not found." >&6;}
+      has_space=`$ECHO "$complete" | $GREP " "`
+      if test "x$has_space" != x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: You might be mixing spaces in the path and extra arguments, which is not allowed." >&5
+$as_echo "$as_me: You might be mixing spaces in the path and extra arguments, which is not allowed." >&6;}
+      fi
+      as_fn_error $? "Cannot locate the the path of OTOOL" "$LINENO" 5
+    fi
+  fi
+
+  # Cygwin tries to hide some aspects of the Windows file system, such that binaries are
+  # named .exe but called without that suffix. Therefore, "foo" and "foo.exe" are considered
+  # the same file, most of the time (as in "test -f"). But not when running cygpath -s, then
+  # "foo.exe" is OK but "foo" is an error.
+  #
+  # This test is therefore slightly more accurate than "test -f" to check for file presence.
+  # It is also a way to make sure we got the proper file name for the real test later on.
+  test_shortpath=`$CYGPATH -s -m "$new_path" 2> /dev/null`
+  if test "x$test_shortpath" = x; then
+    # Short path failed, file does not exist as specified.
+    # Try adding .exe or .cmd
+    if test -f "${new_path}.exe"; then
+      input_to_shortpath="${new_path}.exe"
+    elif test -f "${new_path}.cmd"; then
+      input_to_shortpath="${new_path}.cmd"
+    else
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of OTOOL, which resolves as \"$new_path\", is invalid." >&5
+$as_echo "$as_me: The path of OTOOL, which resolves as \"$new_path\", is invalid." >&6;}
+      { $as_echo "$as_me:${as_lineno-$LINENO}: Neither \"$new_path\" nor \"$new_path.exe/cmd\" can be found" >&5
+$as_echo "$as_me: Neither \"$new_path\" nor \"$new_path.exe/cmd\" can be found" >&6;}
+      as_fn_error $? "Cannot locate the the path of OTOOL" "$LINENO" 5
+    fi
+  else
+    input_to_shortpath="$new_path"
+  fi
+
+  # Call helper function which possibly converts this using DOS-style short mode.
+  # If so, the updated path is stored in $new_path.
+  new_path="$input_to_shortpath"
+
+  input_path="$input_to_shortpath"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-._/a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    shortmode_path=`$CYGPATH -s -m -a "$input_path"`
+    path_after_shortmode=`$CYGPATH -u "$shortmode_path"`
+    if test "x$path_after_shortmode" != "x$input_to_shortpath"; then
+      # Going to short mode and back again did indeed matter. Since short mode is
+      # case insensitive, let's make it lowercase to improve readability.
+      shortmode_path=`$ECHO "$shortmode_path" | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+      # Now convert it back to Unix-style (cygpath)
+      input_path=`$CYGPATH -u "$shortmode_path"`
+      new_path="$input_path"
+    fi
+  fi
+
+  test_cygdrive_prefix=`$ECHO $input_path | $GREP ^/cygdrive/`
+  if test "x$test_cygdrive_prefix" = x; then
+    # As a simple fix, exclude /usr/bin since it's not a real path.
+    if test "x`$ECHO $input_to_shortpath | $GREP ^/usr/bin/`" = x; then
+      # The path is in a Cygwin special directory (e.g. /home). We need this converted to
+      # a path prefixed by /cygdrive for fixpath to work.
+      new_path="$CYGWIN_ROOT_PATH$input_path"
+    fi
+  fi
+
+  # remove trailing .exe if any
+  new_path="${new_path/%.exe/}"
+
+    elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+
+  # First separate the path from the arguments. This will split at the first
+  # space.
+  complete="$OTOOL"
+  path="${complete%% *}"
+  tmp="$complete EOL"
+  arguments="${tmp#* }"
+
+  # Input might be given as Windows format, start by converting to
+  # unix format.
+  new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+
+  # Now try to locate executable using which
+  new_path=`$WHICH "$new_path" 2> /dev/null`
+
+  if test "x$new_path" = x; then
+    # Oops. Which didn't find the executable.
+    # The splitting of arguments from the executable at a space might have been incorrect,
+    # since paths with space are more likely in Windows. Give it another try with the whole
+    # argument.
+    path="$complete"
+    arguments="EOL"
+    new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+
+    new_path=`$WHICH "$new_path" 2> /dev/null`
+    # bat and cmd files are not always considered executable in MSYS causing which
+    # to not find them
+    if test "x$new_path" = x \
+        && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+        && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+      new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+    fi
+
+    if test "x$new_path" = x; then
+      # It's still not found. Now this is an unrecoverable error.
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of OTOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of OTOOL, which resolves as \"$complete\", is not found." >&6;}
+      has_space=`$ECHO "$complete" | $GREP " "`
+      if test "x$has_space" != x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: You might be mixing spaces in the path and extra arguments, which is not allowed." >&5
+$as_echo "$as_me: You might be mixing spaces in the path and extra arguments, which is not allowed." >&6;}
+      fi
+      as_fn_error $? "Cannot locate the the path of OTOOL" "$LINENO" 5
+    fi
+  fi
+
+  # Now new_path has a complete unix path to the binary
+  if test "x`$ECHO $new_path | $GREP ^/bin/`" != x; then
+    # Keep paths in /bin as-is, but remove trailing .exe if any
+    new_path="${new_path/%.exe/}"
+    # Do not save /bin paths to all_fixpath_prefixes!
+  else
+    # Not in mixed or Windows style, start by that.
+    new_path=`cmd //c echo $new_path`
+
+  input_path="$new_path"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-_/:a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    new_path=`cmd /c "for %A in (\"$input_path\") do @echo %~sA"|$TR \\\\\\\\ / | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+  fi
+
+    # Output is in $new_path
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+    # remove trailing .exe if any
+    new_path="${new_path/%.exe/}"
+
+    # Save the first 10 bytes of this path to the storage, so fixpath can work.
+    all_fixpath_prefixes=("${all_fixpath_prefixes[@]}" "${new_path:0:10}")
+  fi
+
+    else
+      # We're on a unix platform. Hooray! :)
+      # First separate the path from the arguments. This will split at the first
+      # space.
+      complete="$OTOOL"
+      path="${complete%% *}"
+      tmp="$complete EOL"
+      arguments="${tmp#* }"
+
+      # Cannot rely on the command "which" here since it doesn't always work.
+      is_absolute_path=`$ECHO "$path" | $GREP ^/`
+      if test -z "$is_absolute_path"; then
+        # Path to executable is not absolute. Find it.
+        IFS_save="$IFS"
+        IFS=:
+        for p in $PATH; do
+          if test -f "$p/$path" && test -x "$p/$path"; then
+            new_path="$p/$path"
+            break
+          fi
+        done
+        IFS="$IFS_save"
+      else
+        # This is an absolute path, we can use it without further modifications.
+        new_path="$path"
+      fi
+
+      if test "x$new_path" = x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: The path of OTOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of OTOOL, which resolves as \"$complete\", is not found." >&6;}
+        has_space=`$ECHO "$complete" | $GREP " "`
+        if test "x$has_space" != x; then
+          { $as_echo "$as_me:${as_lineno-$LINENO}: This might be caused by spaces in the path, which is not allowed." >&5
+$as_echo "$as_me: This might be caused by spaces in the path, which is not allowed." >&6;}
+        fi
+        as_fn_error $? "Cannot locate the the path of OTOOL" "$LINENO" 5
+      fi
+    fi
+
+    # Now join together the path and the arguments once again
+    if test "x$arguments" != xEOL; then
+      new_complete="$new_path ${arguments% *}"
+    else
+      new_complete="$new_path"
+    fi
+
+    if test "x$complete" != "x$new_complete"; then
+      OTOOL="$new_complete"
+      { $as_echo "$as_me:${as_lineno-$LINENO}: Rewriting OTOOL to \"$new_complete\"" >&5
+$as_echo "$as_me: Rewriting OTOOL to \"$new_complete\"" >&6;}
+    fi
+  fi
+
+
+
+
+  # Publish this variable in the help.
+
+
+  if [ -z "${INSTALL_NAME_TOOL+x}" ]; then
+    # The variable is not set by user, try to locate tool using the code snippet
+    for ac_prog in install_name_tool
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_INSTALL_NAME_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $INSTALL_NAME_TOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_INSTALL_NAME_TOOL="$INSTALL_NAME_TOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_INSTALL_NAME_TOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+INSTALL_NAME_TOOL=$ac_cv_path_INSTALL_NAME_TOOL
+if test -n "$INSTALL_NAME_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL_NAME_TOOL" >&5
+$as_echo "$INSTALL_NAME_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$INSTALL_NAME_TOOL" && break
+done
+
+  else
+    # The variable is set, but is it from the command line or the environment?
+
+    # Try to remove the string !INSTALL_NAME_TOOL! from our list.
+    try_remove_var=${CONFIGURE_OVERRIDDEN_VARIABLES//!INSTALL_NAME_TOOL!/}
+    if test "x$try_remove_var" = "x$CONFIGURE_OVERRIDDEN_VARIABLES"; then
+      # If it failed, the variable was not from the command line. Ignore it,
+      # but warn the user (except for BASH, which is always set by the calling BASH).
+      if test "xINSTALL_NAME_TOOL" != xBASH; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring value of INSTALL_NAME_TOOL from the environment. Use command line variables instead." >&5
+$as_echo "$as_me: WARNING: Ignoring value of INSTALL_NAME_TOOL from the environment. Use command line variables instead." >&2;}
+      fi
+      # Try to locate tool using the code snippet
+      for ac_prog in install_name_tool
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_INSTALL_NAME_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $INSTALL_NAME_TOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_INSTALL_NAME_TOOL="$INSTALL_NAME_TOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_INSTALL_NAME_TOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+INSTALL_NAME_TOOL=$ac_cv_path_INSTALL_NAME_TOOL
+if test -n "$INSTALL_NAME_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL_NAME_TOOL" >&5
+$as_echo "$INSTALL_NAME_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+  test -n "$INSTALL_NAME_TOOL" && break
+done
+
+    else
+      # If it succeeded, then it was overridden by the user. We will use it
+      # for the tool.
+
+      # First remove it from the list of overridden variables, so we can test
+      # for unknown variables in the end.
+      CONFIGURE_OVERRIDDEN_VARIABLES="$try_remove_var"
+
+      # Check if we try to supply an empty value
+      if test "x$INSTALL_NAME_TOOL" = x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: Setting user supplied tool INSTALL_NAME_TOOL= (no value)" >&5
+$as_echo "$as_me: Setting user supplied tool INSTALL_NAME_TOOL= (no value)" >&6;}
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for INSTALL_NAME_TOOL" >&5
+$as_echo_n "checking for INSTALL_NAME_TOOL... " >&6; }
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+      else
+        # Check if the provided tool contains a complete path.
+        tool_specified="$INSTALL_NAME_TOOL"
+        tool_basename="${tool_specified##*/}"
+        if test "x$tool_basename" = "x$tool_specified"; then
+          # A command without a complete path is provided, search $PATH.
+          { $as_echo "$as_me:${as_lineno-$LINENO}: Will search for user supplied tool INSTALL_NAME_TOOL=$tool_basename" >&5
+$as_echo "$as_me: Will search for user supplied tool INSTALL_NAME_TOOL=$tool_basename" >&6;}
+          # Extract the first word of "$tool_basename", so it can be a program name with args.
+set dummy $tool_basename; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_INSTALL_NAME_TOOL+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $INSTALL_NAME_TOOL in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_INSTALL_NAME_TOOL="$INSTALL_NAME_TOOL" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_INSTALL_NAME_TOOL="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+INSTALL_NAME_TOOL=$ac_cv_path_INSTALL_NAME_TOOL
+if test -n "$INSTALL_NAME_TOOL"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL_NAME_TOOL" >&5
+$as_echo "$INSTALL_NAME_TOOL" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+          if test "x$INSTALL_NAME_TOOL" = x; then
+            as_fn_error $? "User supplied tool $tool_basename could not be found" "$LINENO" 5
+          fi
+        else
+          # Otherwise we believe it is a complete path. Use it as it is.
+          { $as_echo "$as_me:${as_lineno-$LINENO}: Will use user supplied tool INSTALL_NAME_TOOL=$tool_specified" >&5
+$as_echo "$as_me: Will use user supplied tool INSTALL_NAME_TOOL=$tool_specified" >&6;}
+          { $as_echo "$as_me:${as_lineno-$LINENO}: checking for INSTALL_NAME_TOOL" >&5
+$as_echo_n "checking for INSTALL_NAME_TOOL... " >&6; }
+          if test ! -x "$tool_specified"; then
+            { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+            as_fn_error $? "User supplied tool INSTALL_NAME_TOOL=$tool_specified does not exist or is not executable" "$LINENO" 5
+          fi
+          { $as_echo "$as_me:${as_lineno-$LINENO}: result: $tool_specified" >&5
+$as_echo "$tool_specified" >&6; }
+        fi
+      fi
+    fi
+
+  fi
+
+
+
+  if test "x$INSTALL_NAME_TOOL" = x; then
+    as_fn_error $? "Could not find required tool for INSTALL_NAME_TOOL" "$LINENO" 5
+  fi
+
+
+
+  # Only process if variable expands to non-empty
+
+  if test "x$INSTALL_NAME_TOOL" != x; then
+    if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+
+  # First separate the path from the arguments. This will split at the first
+  # space.
+  complete="$INSTALL_NAME_TOOL"
+  path="${complete%% *}"
+  tmp="$complete EOL"
+  arguments="${tmp#* }"
+
+  # Input might be given as Windows format, start by converting to
+  # unix format.
+  new_path=`$CYGPATH -u "$path"`
+
+  # Now try to locate executable using which
+  new_path=`$WHICH "$new_path" 2> /dev/null`
+  # bat and cmd files are not always considered executable in cygwin causing which
+  # to not find them
+  if test "x$new_path" = x \
+      && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+      && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+    new_path=`$CYGPATH -u "$path"`
+  fi
+  if test "x$new_path" = x; then
+    # Oops. Which didn't find the executable.
+    # The splitting of arguments from the executable at a space might have been incorrect,
+    # since paths with space are more likely in Windows. Give it another try with the whole
+    # argument.
+    path="$complete"
+    arguments="EOL"
+    new_path=`$CYGPATH -u "$path"`
+    new_path=`$WHICH "$new_path" 2> /dev/null`
+    # bat and cmd files are not always considered executable in cygwin causing which
+    # to not find them
+    if test "x$new_path" = x \
+        && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+        && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+      new_path=`$CYGPATH -u "$path"`
+    fi
+    if test "x$new_path" = x; then
+      # It's still not found. Now this is an unrecoverable error.
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&6;}
+      has_space=`$ECHO "$complete" | $GREP " "`
+      if test "x$has_space" != x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: You might be mixing spaces in the path and extra arguments, which is not allowed." >&5
+$as_echo "$as_me: You might be mixing spaces in the path and extra arguments, which is not allowed." >&6;}
+      fi
+      as_fn_error $? "Cannot locate the the path of INSTALL_NAME_TOOL" "$LINENO" 5
+    fi
+  fi
+
+  # Cygwin tries to hide some aspects of the Windows file system, such that binaries are
+  # named .exe but called without that suffix. Therefore, "foo" and "foo.exe" are considered
+  # the same file, most of the time (as in "test -f"). But not when running cygpath -s, then
+  # "foo.exe" is OK but "foo" is an error.
+  #
+  # This test is therefore slightly more accurate than "test -f" to check for file presence.
+  # It is also a way to make sure we got the proper file name for the real test later on.
+  test_shortpath=`$CYGPATH -s -m "$new_path" 2> /dev/null`
+  if test "x$test_shortpath" = x; then
+    # Short path failed, file does not exist as specified.
+    # Try adding .exe or .cmd
+    if test -f "${new_path}.exe"; then
+      input_to_shortpath="${new_path}.exe"
+    elif test -f "${new_path}.cmd"; then
+      input_to_shortpath="${new_path}.cmd"
+    else
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of INSTALL_NAME_TOOL, which resolves as \"$new_path\", is invalid." >&5
+$as_echo "$as_me: The path of INSTALL_NAME_TOOL, which resolves as \"$new_path\", is invalid." >&6;}
+      { $as_echo "$as_me:${as_lineno-$LINENO}: Neither \"$new_path\" nor \"$new_path.exe/cmd\" can be found" >&5
+$as_echo "$as_me: Neither \"$new_path\" nor \"$new_path.exe/cmd\" can be found" >&6;}
+      as_fn_error $? "Cannot locate the the path of INSTALL_NAME_TOOL" "$LINENO" 5
+    fi
+  else
+    input_to_shortpath="$new_path"
+  fi
+
+  # Call helper function which possibly converts this using DOS-style short mode.
+  # If so, the updated path is stored in $new_path.
+  new_path="$input_to_shortpath"
+
+  input_path="$input_to_shortpath"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-._/a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    shortmode_path=`$CYGPATH -s -m -a "$input_path"`
+    path_after_shortmode=`$CYGPATH -u "$shortmode_path"`
+    if test "x$path_after_shortmode" != "x$input_to_shortpath"; then
+      # Going to short mode and back again did indeed matter. Since short mode is
+      # case insensitive, let's make it lowercase to improve readability.
+      shortmode_path=`$ECHO "$shortmode_path" | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+      # Now convert it back to Unix-style (cygpath)
+      input_path=`$CYGPATH -u "$shortmode_path"`
+      new_path="$input_path"
+    fi
+  fi
+
+  test_cygdrive_prefix=`$ECHO $input_path | $GREP ^/cygdrive/`
+  if test "x$test_cygdrive_prefix" = x; then
+    # As a simple fix, exclude /usr/bin since it's not a real path.
+    if test "x`$ECHO $input_to_shortpath | $GREP ^/usr/bin/`" = x; then
+      # The path is in a Cygwin special directory (e.g. /home). We need this converted to
+      # a path prefixed by /cygdrive for fixpath to work.
+      new_path="$CYGWIN_ROOT_PATH$input_path"
+    fi
+  fi
+
+  # remove trailing .exe if any
+  new_path="${new_path/%.exe/}"
+
+    elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+
+  # First separate the path from the arguments. This will split at the first
+  # space.
+  complete="$INSTALL_NAME_TOOL"
+  path="${complete%% *}"
+  tmp="$complete EOL"
+  arguments="${tmp#* }"
+
+  # Input might be given as Windows format, start by converting to
+  # unix format.
+  new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+
+  # Now try to locate executable using which
+  new_path=`$WHICH "$new_path" 2> /dev/null`
+
+  if test "x$new_path" = x; then
+    # Oops. Which didn't find the executable.
+    # The splitting of arguments from the executable at a space might have been incorrect,
+    # since paths with space are more likely in Windows. Give it another try with the whole
+    # argument.
+    path="$complete"
+    arguments="EOL"
+    new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+
+    new_path=`$WHICH "$new_path" 2> /dev/null`
+    # bat and cmd files are not always considered executable in MSYS causing which
+    # to not find them
+    if test "x$new_path" = x \
+        && test "x`$ECHO \"$path\" | $GREP -i -e \"\\.bat$\" -e \"\\.cmd$\"`" != x \
+        && test "x`$LS \"$path\" 2>/dev/null`" != x; then
+      new_path="$path"
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+    fi
+
+    if test "x$new_path" = x; then
+      # It's still not found. Now this is an unrecoverable error.
+      { $as_echo "$as_me:${as_lineno-$LINENO}: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&6;}
+      has_space=`$ECHO "$complete" | $GREP " "`
+      if test "x$has_space" != x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: You might be mixing spaces in the path and extra arguments, which is not allowed." >&5
+$as_echo "$as_me: You might be mixing spaces in the path and extra arguments, which is not allowed." >&6;}
+      fi
+      as_fn_error $? "Cannot locate the the path of INSTALL_NAME_TOOL" "$LINENO" 5
+    fi
+  fi
+
+  # Now new_path has a complete unix path to the binary
+  if test "x`$ECHO $new_path | $GREP ^/bin/`" != x; then
+    # Keep paths in /bin as-is, but remove trailing .exe if any
+    new_path="${new_path/%.exe/}"
+    # Do not save /bin paths to all_fixpath_prefixes!
+  else
+    # Not in mixed or Windows style, start by that.
+    new_path=`cmd //c echo $new_path`
+
+  input_path="$new_path"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-_/:a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    new_path=`cmd /c "for %A in (\"$input_path\") do @echo %~sA"|$TR \\\\\\\\ / | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+  fi
+
+    # Output is in $new_path
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+    # remove trailing .exe if any
+    new_path="${new_path/%.exe/}"
+
+    # Save the first 10 bytes of this path to the storage, so fixpath can work.
+    all_fixpath_prefixes=("${all_fixpath_prefixes[@]}" "${new_path:0:10}")
+  fi
+
+    else
+      # We're on a unix platform. Hooray! :)
+      # First separate the path from the arguments. This will split at the first
+      # space.
+      complete="$INSTALL_NAME_TOOL"
+      path="${complete%% *}"
+      tmp="$complete EOL"
+      arguments="${tmp#* }"
+
+      # Cannot rely on the command "which" here since it doesn't always work.
+      is_absolute_path=`$ECHO "$path" | $GREP ^/`
+      if test -z "$is_absolute_path"; then
+        # Path to executable is not absolute. Find it.
+        IFS_save="$IFS"
+        IFS=:
+        for p in $PATH; do
+          if test -f "$p/$path" && test -x "$p/$path"; then
+            new_path="$p/$path"
+            break
+          fi
+        done
+        IFS="$IFS_save"
+      else
+        # This is an absolute path, we can use it without further modifications.
+        new_path="$path"
+      fi
+
+      if test "x$new_path" = x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&5
+$as_echo "$as_me: The path of INSTALL_NAME_TOOL, which resolves as \"$complete\", is not found." >&6;}
+        has_space=`$ECHO "$complete" | $GREP " "`
+        if test "x$has_space" != x; then
+          { $as_echo "$as_me:${as_lineno-$LINENO}: This might be caused by spaces in the path, which is not allowed." >&5
+$as_echo "$as_me: This might be caused by spaces in the path, which is not allowed." >&6;}
+        fi
+        as_fn_error $? "Cannot locate the the path of INSTALL_NAME_TOOL" "$LINENO" 5
+      fi
+    fi
+
+    # Now join together the path and the arguments once again
+    if test "x$arguments" != xEOL; then
+      new_complete="$new_path ${arguments% *}"
+    else
+      new_complete="$new_path"
+    fi
+
+    if test "x$complete" != "x$new_complete"; then
+      INSTALL_NAME_TOOL="$new_complete"
+      { $as_echo "$as_me:${as_lineno-$LINENO}: Rewriting INSTALL_NAME_TOOL to \"$new_complete\"" >&5
+$as_echo "$as_me: Rewriting INSTALL_NAME_TOOL to \"$new_complete\"" >&6;}
+    fi
+  fi
+
   fi
 
   if test "x$TOOLCHAIN_TYPE" = xmicrosoft; then
diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
index 877ede9d9b..aa86532e2f 100644
--- a/common/autoconf/spec.gmk.in
+++ b/common/autoconf/spec.gmk.in
@@ -483,6 +483,7 @@ GNM:=@GNM@
 STRIP:=@STRIP@
 
 LIPO:=@LIPO@
+INSTALL_NAME_TOOL:=@INSTALL_NAME_TOOL@
 
 # Options to linker to specify a mapfile.
 # (Note absence of := assignment, because we do not want to evaluate the macro body here)
diff --git a/common/autoconf/toolchain.m4 b/common/autoconf/toolchain.m4
index fca9b065aa..6af26625e0 100644
--- a/common/autoconf/toolchain.m4
+++ b/common/autoconf/toolchain.m4
@@ -628,6 +628,10 @@ AC_DEFUN_ONCE([TOOLCHAIN_DETECT_TOOLCHAIN_EXTRA],
   if test "x$OPENJDK_TARGET_OS" = "xmacosx"; then
     BASIC_PATH_PROGS(LIPO, lipo)
     BASIC_FIXUP_EXECUTABLE(LIPO)
+    BASIC_REQUIRE_PROGS(OTOOL, otool)
+    BASIC_FIXUP_EXECUTABLE(OTOOL)
+    BASIC_REQUIRE_PROGS(INSTALL_NAME_TOOL, install_name_tool)
+    BASIC_FIXUP_EXECUTABLE(INSTALL_NAME_TOOL)
   fi
 
   if test "x$TOOLCHAIN_TYPE" = xmicrosoft; then

From 3e3d6a162a6f5a2aaabbc3ad49b7c03500ba3551 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 4 Dec 2017 10:45:44 -0800
Subject: [PATCH 257/269] 8190464: OpenJDK on macosx needs to bundle freetype

Reviewed-by: ihse
---
 common/autoconf/generated-configure.sh | 169 +++++++++++++++++++++++--
 common/autoconf/lib-freetype.m4        |  37 ++++--
 common/conf/jib-profiles.js            |  20 ++-
 3 files changed, 189 insertions(+), 37 deletions(-)

diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
index bd39f6c736..a78526170b 100644
--- a/common/autoconf/generated-configure.sh
+++ b/common/autoconf/generated-configure.sh
@@ -5190,7 +5190,7 @@ VS_SDK_PLATFORM_NAME_2013=
 #CUSTOM_AUTOCONF_INCLUDE
 
 # Do not change or remove the following line, it is needed for consistency checks:
-DATE_WHEN_GENERATED=1512407603
+DATE_WHEN_GENERATED=1512412485
 
 ###############################################################################
 #
@@ -64443,17 +64443,18 @@ $as_echo_n "checking if we should bundle freetype... " >&6; }
     { $as_echo "$as_me:${as_lineno-$LINENO}: result: $BUNDLE_FREETYPE" >&5
 $as_echo "$BUNDLE_FREETYPE" >&6; }
 
-  fi # end freetype needed
-
-  FREETYPE_LICENSE=""
-  if test "x$with_freetype_license" = "xyes"; then
-    as_fn_error $? "--with-freetype-license must have a value" "$LINENO" 5
-  elif test "x$with_freetype_license" != "x"; then
-    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for freetype license" >&5
+    if test "x$BUNDLE_FREETYPE" = xyes; then
+      FREETYPE_LICENSE=""
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for freetype license" >&5
 $as_echo_n "checking for freetype license... " >&6; }
-    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_freetype_license" >&5
+      if test "x$with_freetype_license" = "xyes"; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        as_fn_error $? "--with-freetype-license must have a value" "$LINENO" 5
+      elif test "x$with_freetype_license" != "x"; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_freetype_license" >&5
 $as_echo "$with_freetype_license" >&6; }
-    FREETYPE_LICENSE="$with_freetype_license"
+        FREETYPE_LICENSE="$with_freetype_license"
 
   # Only process if variable expands to non-empty
 
@@ -64586,11 +64587,155 @@ $as_echo "$as_me: The path of FREETYPE_LICENSE, which resolves as \"$path\", is
     fi
   fi
 
-    if test ! -f "$FREETYPE_LICENSE"; then
-      as_fn_error $? "$FREETYPE_LICENSE cannot be found" "$LINENO" 5
+        if test ! -f "$FREETYPE_LICENSE"; then
+          as_fn_error $? "$FREETYPE_LICENSE cannot be found" "$LINENO" 5
+        fi
+      else
+        if test "x$with_freetype" != "x" && test -f $with_freetype/freetype.md; then
+          FREETYPE_LICENSE="$with_freetype/freetype.md"
+          { $as_echo "$as_me:${as_lineno-$LINENO}: result: $FREETYPE_LICENSE" >&5
+$as_echo "$FREETYPE_LICENSE" >&6; }
+
+  # Only process if variable expands to non-empty
+
+  if test "x$FREETYPE_LICENSE" != x; then
+    if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+
+  # Input might be given as Windows format, start by converting to
+  # unix format.
+  path="$FREETYPE_LICENSE"
+  new_path=`$CYGPATH -u "$path"`
+
+  # Cygwin tries to hide some aspects of the Windows file system, such that binaries are
+  # named .exe but called without that suffix. Therefore, "foo" and "foo.exe" are considered
+  # the same file, most of the time (as in "test -f"). But not when running cygpath -s, then
+  # "foo.exe" is OK but "foo" is an error.
+  #
+  # This test is therefore slightly more accurate than "test -f" to check for file precense.
+  # It is also a way to make sure we got the proper file name for the real test later on.
+  test_shortpath=`$CYGPATH -s -m "$new_path" 2> /dev/null`
+  if test "x$test_shortpath" = x; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: The path of FREETYPE_LICENSE, which resolves as \"$path\", is invalid." >&5
+$as_echo "$as_me: The path of FREETYPE_LICENSE, which resolves as \"$path\", is invalid." >&6;}
+    as_fn_error $? "Cannot locate the the path of FREETYPE_LICENSE" "$LINENO" 5
+  fi
+
+  # Call helper function which possibly converts this using DOS-style short mode.
+  # If so, the updated path is stored in $new_path.
+
+  input_path="$new_path"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-._/a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    shortmode_path=`$CYGPATH -s -m -a "$input_path"`
+    path_after_shortmode=`$CYGPATH -u "$shortmode_path"`
+    if test "x$path_after_shortmode" != "x$input_to_shortpath"; then
+      # Going to short mode and back again did indeed matter. Since short mode is
+      # case insensitive, let's make it lowercase to improve readability.
+      shortmode_path=`$ECHO "$shortmode_path" | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+      # Now convert it back to Unix-style (cygpath)
+      input_path=`$CYGPATH -u "$shortmode_path"`
+      new_path="$input_path"
     fi
   fi
 
+  test_cygdrive_prefix=`$ECHO $input_path | $GREP ^/cygdrive/`
+  if test "x$test_cygdrive_prefix" = x; then
+    # As a simple fix, exclude /usr/bin since it's not a real path.
+    if test "x`$ECHO $new_path | $GREP ^/usr/bin/`" = x; then
+      # The path is in a Cygwin special directory (e.g. /home). We need this converted to
+      # a path prefixed by /cygdrive for fixpath to work.
+      new_path="$CYGWIN_ROOT_PATH$input_path"
+    fi
+  fi
+
+
+  if test "x$path" != "x$new_path"; then
+    FREETYPE_LICENSE="$new_path"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: Rewriting FREETYPE_LICENSE to \"$new_path\"" >&5
+$as_echo "$as_me: Rewriting FREETYPE_LICENSE to \"$new_path\"" >&6;}
+  fi
+
+    elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+
+  path="$FREETYPE_LICENSE"
+  has_colon=`$ECHO $path | $GREP ^.:`
+  new_path="$path"
+  if test "x$has_colon" = x; then
+    # Not in mixed or Windows style, start by that.
+    new_path=`cmd //c echo $path`
+  fi
+
+
+  input_path="$new_path"
+  # Check if we need to convert this using DOS-style short mode. If the path
+  # contains just simple characters, use it. Otherwise (spaces, weird characters),
+  # take no chances and rewrite it.
+  # Note: m4 eats our [], so we need to use [ and ] instead.
+  has_forbidden_chars=`$ECHO "$input_path" | $GREP [^-_/:a-zA-Z0-9]`
+  if test "x$has_forbidden_chars" != x; then
+    # Now convert it to mixed DOS-style, short mode (no spaces, and / instead of \)
+    new_path=`cmd /c "for %A in (\"$input_path\") do @echo %~sA"|$TR \\\\\\\\ / | $TR 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+  fi
+
+
+  windows_path="$new_path"
+  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
+    unix_path=`$CYGPATH -u "$windows_path"`
+    new_path="$unix_path"
+  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
+    unix_path=`$ECHO "$windows_path" | $SED -e 's,^\\(.\\):,/\\1,g' -e 's,\\\\,/,g'`
+    new_path="$unix_path"
+  fi
+
+  if test "x$path" != "x$new_path"; then
+    FREETYPE_LICENSE="$new_path"
+    { $as_echo "$as_me:${as_lineno-$LINENO}: Rewriting FREETYPE_LICENSE to \"$new_path\"" >&5
+$as_echo "$as_me: Rewriting FREETYPE_LICENSE to \"$new_path\"" >&6;}
+  fi
+
+  # Save the first 10 bytes of this path to the storage, so fixpath can work.
+  all_fixpath_prefixes=("${all_fixpath_prefixes[@]}" "${new_path:0:10}")
+
+    else
+      # We're on a unix platform. Hooray! :)
+      path="$FREETYPE_LICENSE"
+      has_space=`$ECHO "$path" | $GREP " "`
+      if test "x$has_space" != x; then
+        { $as_echo "$as_me:${as_lineno-$LINENO}: The path of FREETYPE_LICENSE, which resolves as \"$path\", is invalid." >&5
+$as_echo "$as_me: The path of FREETYPE_LICENSE, which resolves as \"$path\", is invalid." >&6;}
+        as_fn_error $? "Spaces are not allowed in this path." "$LINENO" 5
+      fi
+
+      # Use eval to expand a potential ~
+      eval path="$path"
+      if test ! -f "$path" && test ! -d "$path"; then
+        as_fn_error $? "The path of FREETYPE_LICENSE, which resolves as \"$path\", is not found." "$LINENO" 5
+      fi
+
+      if test -d "$path"; then
+        FREETYPE_LICENSE="`cd "$path"; $THEPWDCMD -L`"
+      else
+        dir="`$DIRNAME "$path"`"
+        base="`$BASENAME "$path"`"
+        FREETYPE_LICENSE="`cd "$dir"; $THEPWDCMD -L`/$base"
+      fi
+    fi
+  fi
+
+        else
+          { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        fi
+      fi
+    fi
+
+  fi # end freetype needed
+
 
 
 
diff --git a/common/autoconf/lib-freetype.m4 b/common/autoconf/lib-freetype.m4
index 17dd726e54..8169928bee 100644
--- a/common/autoconf/lib-freetype.m4
+++ b/common/autoconf/lib-freetype.m4
@@ -443,20 +443,31 @@ AC_DEFUN_ONCE([LIB_SETUP_FREETYPE],
     fi
     AC_MSG_RESULT([$BUNDLE_FREETYPE])
 
-  fi # end freetype needed
-
-  FREETYPE_LICENSE=""
-  if test "x$with_freetype_license" = "xyes"; then
-    AC_MSG_ERROR([--with-freetype-license must have a value])
-  elif test "x$with_freetype_license" != "x"; then
-    AC_MSG_CHECKING([for freetype license])
-    AC_MSG_RESULT([$with_freetype_license])
-    FREETYPE_LICENSE="$with_freetype_license"
-    BASIC_FIXUP_PATH(FREETYPE_LICENSE)
-    if test ! -f "$FREETYPE_LICENSE"; then
-      AC_MSG_ERROR([$FREETYPE_LICENSE cannot be found])
+    if test "x$BUNDLE_FREETYPE" = xyes; then
+      FREETYPE_LICENSE=""
+      AC_MSG_CHECKING([for freetype license])
+      if test "x$with_freetype_license" = "xyes"; then
+        AC_MSG_RESULT([no])
+        AC_MSG_ERROR([--with-freetype-license must have a value])
+      elif test "x$with_freetype_license" != "x"; then
+        AC_MSG_RESULT([$with_freetype_license])
+        FREETYPE_LICENSE="$with_freetype_license"
+        BASIC_FIXUP_PATH(FREETYPE_LICENSE)
+        if test ! -f "$FREETYPE_LICENSE"; then
+          AC_MSG_ERROR([$FREETYPE_LICENSE cannot be found])
+        fi
+      else
+        if test "x$with_freetype" != "x" && test -f $with_freetype/freetype.md; then
+          FREETYPE_LICENSE="$with_freetype/freetype.md"
+          AC_MSG_RESULT([$FREETYPE_LICENSE])
+          BASIC_FIXUP_PATH(FREETYPE_LICENSE)
+        else
+          AC_MSG_RESULT([no])
+        fi
+      fi
     fi
-  fi
+
+  fi # end freetype needed
 
   AC_SUBST(FREETYPE_BUNDLE_LIB_PATH)
   AC_SUBST(FREETYPE_CFLAGS)
diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 53070dc129..1d8e19b951 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -435,7 +435,7 @@ var getJibProfilesProfiles = function (input, common, data) {
         "macosx-x64": {
             target_os: "macosx",
             target_cpu: "x64",
-            dependencies: ["devkit"],
+            dependencies: ["devkit", "freetype"],
             configure_args: concat(common.configure_args_64bit, "--with-zlib=system"),
         },
 
@@ -937,16 +937,6 @@ var getJibProfilesProfiles = function (input, common, data) {
             }
         });
 
-    // The windows ri profile needs to add the freetype license file
-    profilesRiFreetype = {
-        "windows-x64-ri": {
-            configure_args: "--with-freetype-license="
-                + input.get("freetype", "install_path")
-                + "/freetype-2.7.1-v120-x64/freetype.md"
-        }
-    };
-    profiles = concatObjects(profiles, profilesRiFreetype);
-
     // Generate the missing platform attributes
     profiles = generatePlatformAttributes(profiles);
     profiles = generateDefaultMakeTargetsConfigureArg(common, profiles);
@@ -978,6 +968,12 @@ var getJibProfilesDependencies = function (input, common) {
         ? input.target_os + "_x64"
         : input.target_platform);
 
+    var freetype_version = {
+        windows_x64: "2.7.1-v120+1.1",
+        windows_x86: "2.7.1-v120+1.1",
+        macosx_x64: "2.7.1-Xcode6.3-MacOSX10.9+1.0"
+    }[input.target_platform];
+
     var dependencies = {
 
         boot_jdk: {
@@ -1042,7 +1038,7 @@ var getJibProfilesDependencies = function (input, common) {
         freetype: {
             organization: common.organization,
             ext: "tar.gz",
-            revision: "2.7.1-v120+1.0",
+            revision: freetype_version,
             module: "freetype-" + input.target_platform
         },
 

From 52fda63f165e7aa1fed4fb3ef280b3cf4e47c021 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Fri, 1 Dec 2017 09:37:24 -0800
Subject: [PATCH 258/269] 8190725: Freetype license file provided with
 configure not included in images

Reviewed-by: ihse, tbell
---
 make/CreateJmods.gmk    | 4 ++--
 make/common/Modules.gmk | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/make/CreateJmods.gmk b/make/CreateJmods.gmk
index 299198b900..c073631714 100644
--- a/make/CreateJmods.gmk
+++ b/make/CreateJmods.gmk
@@ -80,8 +80,8 @@ ifneq ($(MAN_DIR), )
 endif
 
 LEGAL_NOTICES := \
-    $(SUPPORT_OUTPUTDIR)/modules_legal/java.base \
-    $(call FindModuleLegalDirs, $(MODULE)) \
+    $(call uniq, $(SUPPORT_OUTPUTDIR)/modules_legal/java.base \
+    $(call FindModuleLegalDirs, $(MODULE))) \
     #
 
 LEGAL_NOTICES_PATH := $(call PathList, $(LEGAL_NOTICES))
diff --git a/make/common/Modules.gmk b/make/common/Modules.gmk
index 9bbcf6c8f5..a50528d1e0 100644
--- a/make/common/Modules.gmk
+++ b/make/common/Modules.gmk
@@ -397,8 +397,10 @@ LEGAL_SUBDIRS += share/legal
 # $1 - Module to find legal dirs for
 FindModuleLegalDirs = \
     $(strip $(wildcard \
-        $(addsuffix /$(strip $1), $(IMPORT_MODULES_LEGAL)) \
-        $(foreach sub, $(LEGAL_SUBDIRS), $(addsuffix /$(strip $1)/$(sub), $(TOP_SRC_DIRS)))))
+        $(addsuffix /$(strip $1), $(SUPPORT_OUTPUTDIR)/modules_legal \
+            $(IMPORT_MODULES_LEGAL)) \
+        $(foreach sub, $(LEGAL_SUBDIRS), $(addsuffix /$(strip $1)/$(sub), $(TOP_SRC_DIRS))) \
+    ))
 
 ################################################################################
 

From 60a26c8d8c82c45c8ea34bf4ce6ab7dbb4b9b67b Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Fri, 1 Dec 2017 18:39:26 -0800
Subject: [PATCH 259/269] 8188789: Update JDK 9.0.1 and Future OpenJDK bundle
 names

Reviewed-by: erikj
---
 common/conf/jib-profiles.js | 48 ++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/common/conf/jib-profiles.js b/common/conf/jib-profiles.js
index 1d8e19b951..0987f2a1b5 100644
--- a/common/conf/jib-profiles.js
+++ b/common/conf/jib-profiles.js
@@ -728,9 +728,9 @@ var getJibProfilesProfiles = function (input, common, data) {
                 jdk: {
                     local: "bundles/\\(jdk.*bin.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x64/openjdk-" + data.version
                             + "_linux-x64_bin.tar.gz",
-                        "bundles/openjdk/GPL/linux-x64/\\1"
+                        "bundles/openjdk/GPL/linux-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
@@ -741,17 +741,17 @@ var getJibProfilesProfiles = function (input, common, data) {
                 test: {
                     local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x64/openjdk-" + data.version
                             + "_linux-x64_bin-tests.tar.gz",
-                        "bundles/openjdk/GPL/linux-x64/\\1"
+                        "bundles/openjdk/GPL/linux-x64/open\\1"
                     ]
                 },
                 jdk_symbols: {
                     local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x64/openjdk-" + data.version
                             + "_linux-x64_bin-symbols.tar.gz",
-                        "bundles/openjdk/GPL/linux-x64/\\1"
+                        "bundles/openjdk/GPL/linux-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
@@ -771,27 +771,27 @@ var getJibProfilesProfiles = function (input, common, data) {
                 jdk: {
                     local: "bundles/\\(jdk.*bin.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x86/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x86/openjdk-" + data.version
                             + "_linux-x86_bin.tar.gz",
-                        "bundles/openjdk/GPL/linux-x86/\\1"
+                        "bundles/openjdk/GPL/linux-x86/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
                 jdk_symbols: {
                     local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x86/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x86/openjdk-" + data.version
                             + "_linux-x86_bin-symbols.tar.gz",
-                        "bundles/openjdk/GPL/linux-x86/\\1"
+                        "bundles/openjdk/GPL/linux-x86/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
                 test: {
                     local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/linux-x86/jdk-" + data.version
+                        "bundles/openjdk/GPL/linux-x86/openjdk-" + data.version
                             + "_linux-x86_bin-tests.tar.gz",
-                        "bundles/openjdk/GPL/linux-x86/\\1"
+                        "bundles/openjdk/GPL/linux-x86/open\\1"
                     ]
                 },
                 jre: {
@@ -819,9 +819,9 @@ var getJibProfilesProfiles = function (input, common, data) {
                 jdk: {
                     local: "bundles/\\(jdk.*bin.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/osx-x64/openjdk-" + data.version
                             + "_osx-x64_bin.tar.gz",
-                        "bundles/openjdk/GPL/osx-x64/\\1"
+                        "bundles/openjdk/GPL/osx-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
@@ -832,17 +832,17 @@ var getJibProfilesProfiles = function (input, common, data) {
                 test: {
                     local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/osx-x64/openjdk-" + data.version
                             + "_osx-x64_bin-tests.tar.gz",
-                        "bundles/openjdk/GPL/osx-x64/\\1"
+                        "bundles/openjdk/GPL/osx-x64/open\\1"
                     ]
                 },
                 jdk_symbols: {
                     local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/osx-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/osx-x64/openjdk-" + data.version
                             + "_osx-x64_bin-symbols.tar.gz",
-                        "bundles/openjdk/GPL/osx-x64/\\1"
+                        "bundles/openjdk/GPL/osx-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
@@ -862,9 +862,9 @@ var getJibProfilesProfiles = function (input, common, data) {
                 jdk: {
                     local: "bundles/\\(jdk.*bin.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/windows-x64/openjdk-" + data.version
                             + "_windows-x64_bin.tar.gz",
-                        "bundles/openjdk/GPL/windows-x64/\\1"
+                        "bundles/openjdk/GPL/windows-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },
@@ -875,17 +875,17 @@ var getJibProfilesProfiles = function (input, common, data) {
                 test: {
                     local: "bundles/\\(jdk.*bin-tests.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/windows-x64/openjdk-" + data.version
                             + "_windows-x64_bin-tests.tar.gz",
-                        "bundles/openjdk/GPL/windows-x64/\\1"
+                        "bundles/openjdk/GPL/windows-x64/open\\1"
                     ]
                 },
                 jdk_symbols: {
                     local: "bundles/\\(jdk.*bin-symbols.tar.gz\\)",
                     remote: [
-                        "bundles/openjdk/GPL/windows-x64/jdk-" + data.version
+                        "bundles/openjdk/GPL/windows-x64/openjdk-" + data.version
                             + "_windows-x64_bin-symbols.tar.gz",
-                        "bundles/openjdk/GPL/windows-x64/\\1"
+                        "bundles/openjdk/GPL/windows-x64/open\\1"
                     ],
                     subdir: "jdk-" + data.version
                 },

From acadba6cb5c4fb0c7746ac6ce5b7d7f615bdec16 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Dec 2017 18:23:40 -0800
Subject: [PATCH 260/269] Added tag jdk-9.0.4+9 for changeset 41c6d27fa7cb

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index d1eca2c831..64d9f9f48b 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -454,3 +454,4 @@ a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
 0000000000000000000000000000000000000000 jdk-9.0.4+8
 0000000000000000000000000000000000000000 jdk-9.0.4+8
 953d306b203e7d0808cb842a51e006fddc41b6c2 jdk-9.0.4+8
+c6f4c28a56ef14fb9a41303390b9584976765502 jdk-9.0.4+9

From 2c3a51fd35572e522595bc517b2efd060fad5cc1 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Tue, 5 Dec 2017 18:23:49 -0800
Subject: [PATCH 261/269] Added tag jdk-9.0.4+9 for changeset d03564831225

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index 6a472bbfe7..f8cf838545 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -446,3 +446,4 @@ ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5
 7582f72a39b79c6206cdd7e0ccdfaa1ab342b040 jdk-9.0.4+6
 8d2b147370b7a6ed585f1b168fe3475a6e16cb5f jdk-9.0.4+7
 019e9e48d195e2aad4373e4301b068800f2ae5e6 jdk-9.0.4+8
+ff3be2753e2fc6b9e05b71648c44c578a8fddc35 jdk-9.0.4+9

From a9dcd9921faffbd51799b1bf83e3b2aaafb5388a Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 11 Dec 2017 19:19:29 +0100
Subject: [PATCH 262/269] 8193208: Add missing file

Reviewed-by: asaha, tbell
---
 ADDITIONAL_LICENSE_INFO | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 ADDITIONAL_LICENSE_INFO

diff --git a/ADDITIONAL_LICENSE_INFO b/ADDITIONAL_LICENSE_INFO
new file mode 100644
index 0000000000..ff700cd09f
--- /dev/null
+++ b/ADDITIONAL_LICENSE_INFO
@@ -0,0 +1,37 @@
+                      ADDITIONAL INFORMATION ABOUT LICENSING
+
+Certain files distributed by Oracle America, Inc. and/or its affiliates are 
+subject to the following clarification and special exception to the GPLv2, 
+based on the GNU Project exception for its Classpath libraries, known as the 
+GNU Classpath Exception.
+
+Note that Oracle includes multiple, independent programs in this software 
+package.  Some of those programs are provided under licenses deemed 
+incompatible with the GPLv2 by the Free Software Foundation and others. 
+For example, the package includes programs licensed under the Apache 
+License, Version 2.0 and may include FreeType. Such programs are licensed 
+to you under their original licenses. 
+
+Oracle facilitates your further distribution of this package by adding the 
+Classpath Exception to the necessary parts of its GPLv2 code, which permits 
+you to use that code in combination with other independent modules not 
+licensed under the GPLv2. However, note that this would not permit you to 
+commingle code under an incompatible license with Oracle's GPLv2 licensed 
+code by, for example, cutting and pasting such code into a file also 
+containing Oracle's GPLv2 licensed code and then distributing the result. 
+
+Additionally, if you were to remove the Classpath Exception from any of the 
+files to which it applies and distribute the result, you would likely be 
+required to license some or all of the other code in that distribution under 
+the GPLv2 as well, and since the GPLv2 is incompatible with the license terms 
+of some items included in the distribution by Oracle, removing the Classpath 
+Exception could therefore effectively compromise your ability to further 
+distribute the package. 
+
+Failing to distribute notices associated with some files may also create 
+unexpected legal consequences.
+ 
+Proceed with caution and we recommend that you obtain the advice of a lawyer 
+skilled in open source matters before removing the Classpath Exception or 
+making modifications to this package which may subsequently be redistributed 
+and/or involve the use of third party software.

From 8bca7b1aeb35c83d7e839cf1e749b54300fa8816 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 11 Dec 2017 19:19:29 +0100
Subject: [PATCH 263/269] 8193208: Add missing file

Reviewed-by: asaha, tbell
---
 corba/ADDITIONAL_LICENSE_INFO | 37 +++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 corba/ADDITIONAL_LICENSE_INFO

diff --git a/corba/ADDITIONAL_LICENSE_INFO b/corba/ADDITIONAL_LICENSE_INFO
new file mode 100644
index 0000000000..ff700cd09f
--- /dev/null
+++ b/corba/ADDITIONAL_LICENSE_INFO
@@ -0,0 +1,37 @@
+                      ADDITIONAL INFORMATION ABOUT LICENSING
+
+Certain files distributed by Oracle America, Inc. and/or its affiliates are 
+subject to the following clarification and special exception to the GPLv2, 
+based on the GNU Project exception for its Classpath libraries, known as the 
+GNU Classpath Exception.
+
+Note that Oracle includes multiple, independent programs in this software 
+package.  Some of those programs are provided under licenses deemed 
+incompatible with the GPLv2 by the Free Software Foundation and others. 
+For example, the package includes programs licensed under the Apache 
+License, Version 2.0 and may include FreeType. Such programs are licensed 
+to you under their original licenses. 
+
+Oracle facilitates your further distribution of this package by adding the 
+Classpath Exception to the necessary parts of its GPLv2 code, which permits 
+you to use that code in combination with other independent modules not 
+licensed under the GPLv2. However, note that this would not permit you to 
+commingle code under an incompatible license with Oracle's GPLv2 licensed 
+code by, for example, cutting and pasting such code into a file also 
+containing Oracle's GPLv2 licensed code and then distributing the result. 
+
+Additionally, if you were to remove the Classpath Exception from any of the 
+files to which it applies and distribute the result, you would likely be 
+required to license some or all of the other code in that distribution under 
+the GPLv2 as well, and since the GPLv2 is incompatible with the license terms 
+of some items included in the distribution by Oracle, removing the Classpath 
+Exception could therefore effectively compromise your ability to further 
+distribute the package. 
+
+Failing to distribute notices associated with some files may also create 
+unexpected legal consequences.
+ 
+Proceed with caution and we recommend that you obtain the advice of a lawyer 
+skilled in open source matters before removing the Classpath Exception or 
+making modifications to this package which may subsequently be redistributed 
+and/or involve the use of third party software.

From 909e5da4ba391ca48f9f2aacd2d0bb6005579f11 Mon Sep 17 00:00:00 2001
From: Erik Joelsson 
Date: Mon, 11 Dec 2017 19:19:29 +0100
Subject: [PATCH 264/269] 8193208: Add missing file

Reviewed-by: asaha, tbell
---
 hotspot/ADDITIONAL_LICENSE_INFO | 37 +++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 hotspot/ADDITIONAL_LICENSE_INFO

diff --git a/hotspot/ADDITIONAL_LICENSE_INFO b/hotspot/ADDITIONAL_LICENSE_INFO
new file mode 100644
index 0000000000..ff700cd09f
--- /dev/null
+++ b/hotspot/ADDITIONAL_LICENSE_INFO
@@ -0,0 +1,37 @@
+                      ADDITIONAL INFORMATION ABOUT LICENSING
+
+Certain files distributed by Oracle America, Inc. and/or its affiliates are 
+subject to the following clarification and special exception to the GPLv2, 
+based on the GNU Project exception for its Classpath libraries, known as the 
+GNU Classpath Exception.
+
+Note that Oracle includes multiple, independent programs in this software 
+package.  Some of those programs are provided under licenses deemed 
+incompatible with the GPLv2 by the Free Software Foundation and others. 
+For example, the package includes programs licensed under the Apache 
+License, Version 2.0 and may include FreeType. Such programs are licensed 
+to you under their original licenses. 
+
+Oracle facilitates your further distribution of this package by adding the 
+Classpath Exception to the necessary parts of its GPLv2 code, which permits 
+you to use that code in combination with other independent modules not 
+licensed under the GPLv2. However, note that this would not permit you to 
+commingle code under an incompatible license with Oracle's GPLv2 licensed 
+code by, for example, cutting and pasting such code into a file also 
+containing Oracle's GPLv2 licensed code and then distributing the result. 
+
+Additionally, if you were to remove the Classpath Exception from any of the 
+files to which it applies and distribute the result, you would likely be 
+required to license some or all of the other code in that distribution under 
+the GPLv2 as well, and since the GPLv2 is incompatible with the license terms 
+of some items included in the distribution by Oracle, removing the Classpath 
+Exception could therefore effectively compromise your ability to further 
+distribute the package. 
+
+Failing to distribute notices associated with some files may also create 
+unexpected legal consequences.
+ 
+Proceed with caution and we recommend that you obtain the advice of a lawyer 
+skilled in open source matters before removing the Classpath Exception or 
+making modifications to this package which may subsequently be redistributed 
+and/or involve the use of third party software.

From b256940acd7cdc1da66160aa4af6c6a790f52491 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 13 Dec 2017 21:31:15 -0800
Subject: [PATCH 265/269] Added tag jdk-9.0.4+10 for changeset b831c7b48468

---
 .hgtags-top-repo | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.hgtags-top-repo b/.hgtags-top-repo
index 64d9f9f48b..d5568b6f57 100644
--- a/.hgtags-top-repo
+++ b/.hgtags-top-repo
@@ -455,3 +455,4 @@ a4f0515fe6da55cfe74dec3e6e30b69c9693d133 jdk-9.0.4+8
 0000000000000000000000000000000000000000 jdk-9.0.4+8
 953d306b203e7d0808cb842a51e006fddc41b6c2 jdk-9.0.4+8
 c6f4c28a56ef14fb9a41303390b9584976765502 jdk-9.0.4+9
+409c6b8aa5cae19a701ddd2fb09f85fb9af7da78 jdk-9.0.4+10

From e5d5b1e4367b8512f0a5eeb0f83b4d3e6e5e8198 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 13 Dec 2017 21:31:24 -0800
Subject: [PATCH 266/269] Added tag jdk-9.0.4+10 for changeset 046fcdf628ba

---
 corba/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/corba/.hgtags b/corba/.hgtags
index f8cf838545..b8a1bd79ba 100644
--- a/corba/.hgtags
+++ b/corba/.hgtags
@@ -447,3 +447,4 @@ ec450e8c90c53c4e4cd35468a038123ca4fe0129 jdk-9.0.4+5
 8d2b147370b7a6ed585f1b168fe3475a6e16cb5f jdk-9.0.4+7
 019e9e48d195e2aad4373e4301b068800f2ae5e6 jdk-9.0.4+8
 ff3be2753e2fc6b9e05b71648c44c578a8fddc35 jdk-9.0.4+9
+33c6931961a507aff9364804427d55dca9f2dd02 jdk-9.0.4+10

From 5d66f125a857e5fa2fab5181eff5d11b0041b7a0 Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 13 Dec 2017 21:31:37 -0800
Subject: [PATCH 267/269] Added tag jdk-9.0.4+10 for changeset 67e3d8c96f02

---
 hotspot/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hotspot/.hgtags b/hotspot/.hgtags
index d54b5fa81d..4c6eb5fe8d 100644
--- a/hotspot/.hgtags
+++ b/hotspot/.hgtags
@@ -607,3 +607,4 @@ f3ba0e190ffcc82f1ed0dd8275a51096123514b6 jdk-9.0.4+6
 e020892c9b441ff0855479ad4de63a9eb4b59bf7 jdk-9.0.4+7
 d74a282dcd6d05cc3752c8e29a526eb9216fa08c jdk-9.0.4+8
 a825ddfdd78e3277e6275a469f3cd2be23759c13 jdk-9.0.4+9
+a8e5681c2532b4d21567bbee5d3dd42027118e72 jdk-9.0.4+10

From 449c34aaf594ae2a062db7990fa7684359a88a9d Mon Sep 17 00:00:00 2001
From: Abhijit Saha 
Date: Wed, 13 Dec 2017 21:32:21 -0800
Subject: [PATCH 268/269] Added tag jdk-9.0.4+10 for changeset 0c786c15ec69

---
 jdk/.hgtags | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jdk/.hgtags b/jdk/.hgtags
index bfe2341af1..3220ba55c3 100644
--- a/jdk/.hgtags
+++ b/jdk/.hgtags
@@ -447,3 +447,4 @@ b46885be0c21ebb379e9f9835591dc8b12245971 jdk-9.0.4+3
 d54fb6a3fb5546fcf56bfc3c5f93fa320e79887a jdk-9.0.4+7
 b9669a87f3eafe9c538346b8997413f4d8252147 jdk-9.0.4+8
 9ccab3ab6ac8e3a0158e538374232e4b76664bbc jdk-9.0.4+9
+d45df2aa101573054dad00ea32252960c9e8594a jdk-9.0.4+10

From 507a351e1287ed5cb70c122e7cb4a7036bc60012 Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan 
Date: Tue, 19 Dec 2017 16:24:38 +0000
Subject: [PATCH 269/269] 8193683: Increase the number of clones in the
 CloneableDigest

Reviewed-by: coffeys, wetmore
---
 .../sun/security/ssl/HandshakeHash.java       | 29 +++++++++++++++++--
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java
index 2a3775da7d..ba86dd8787 100644
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -108,7 +108,29 @@ final class HandshakeHash {
      * a hash for the certificate verify message is required.
      */
     HandshakeHash(boolean needCertificateVerify) {
-        clonesNeeded = needCertificateVerify ? 4 : 3;
+        // We may rework the code later, but for now we use hard-coded number
+        // of clones if the underlying MessageDigests are not cloneable.
+        //
+        // The number used here is based on the current handshake protocols and
+        // implementation.  It may be changed if the handshake processe gets
+        // changed in the future, for example adding a new extension that
+        // requires handshake hash.  Please be careful about the number of
+        // clones if additional handshak hash is required in the future.
+        //
+        // For the current implementation, the handshake hash is required for
+        // the following items:
+        //     . CertificateVerify handshake message (optional)
+        //     . client Finished handshake message
+        //     . server Finished Handshake message
+        //     . the extended Master Secret extension [RFC 7627]
+        //
+        // Note that a late call to server setNeedClientAuth dose not update
+        // the number of clones.  We may address the issue later.
+        //
+        // Note for safety, we allocate one more clone for the current
+        // implementation.  We may consider it more carefully in the future
+        // for the exact number or rework the code in a different way.
+        clonesNeeded = needCertificateVerify ? 5 : 4;
     }
 
     void reserve(ByteBuffer input) {
@@ -335,7 +357,8 @@ final class HandshakeHash {
         if (finMD != null) return;
 
         try {
-            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 2);
+            // See comment in the contructor.
+            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
         } catch (NoSuchAlgorithmException e) {
             throw new Error(e);
         }