Merge

.hgtags

@@ -915,6 +915,7 @@ f26f68978e0e7ed0e6e61f9d64fa2d06f1c1a24c jdk8u181-b08
 22e01e7c5c39bfa3f5e2d18be76c7bf0dc71033a jdk8u181-b12
 0cb452d66676bc1b3824bea4a0c16ac76e58b070 jdk8u181-b13
 b01c6e5aa43c784fc66465b56227ddd9aa29eee6 jdk8u191-b01
+2db6890a956723ac347b573217d91bbbedbb0528 jdk8u201-b00
 2db6890a956723ac347b573217d91bbbedbb0528 jdk8u191-b02
 89e2889d02d2f5dabdeda7f60cf80a8df3100eb4 jdk8u191-b03
 94e4769c6d69241f9eb7164a85fc91fc83faab5c jdk8u191-b04
@@ -945,4 +946,38 @@ f47b81dbed2dd730d34a8dc3e3d14e2aa9f9c493 jdk8u192-b09
 2cd82eb879dd0f853dbfb7ffa2441e81e2413447 jdk8u192-b11
 f877dad22786f92aa495a595a1a4a16f0163c573 jdk8u192-b12
 996dd3ce1ec5437da8b5a742c60a5ff7b6028122 jdk8u192-b26
+38b4a5b97f38c467446f1767d148075ac98397d1 jdk8u181-b31
+d679861a9a1efc80e0671b1c6b870fcffbfb9d9c jdk8u181-b32
+078a06936ffe2db2a00e928f88c6e345a126985a jdk8u181-b33
+ecfdede1e6ddf37dcca415861ab031c18ec4b349 jdk8u181-b34
+ac943243eaf1cb3971b953d56527287ae3f8d223 jdk8u181-b35
+674963395b9f747e746af782f2f3ea7995385420 jdk8u181-b36
+92587df933606ff8f03c6073be6c4089211de2b3 jdk8u181-b37
+fbc886dd68cc0e2d877406f73a24bd332bf78244 jdk8u201-b01
+fbeb9b9cc0106ef9bd6b03a441c9a2e06db07bd9 jdk8u201-b02
+274162fd9a2334ac99157a87ff3caff9069e4a66 jdk8u201-b03
+c0b2b82d2478bd641adf21f807809979756485c2 jdk8u201-b04
+3d28c8134ca184ed00271cbec9862f688d04bd4f jdk8u201-b74
+df3e701ab0766c48fe9c72e259aa5ecc278e9fcf jdk8u201-b05
+9fe667a8402b606db5b0c4aa2fb2d65dec2fcddc jdk8u201-b75
+dc2aeed27f71f87d52a81520773e64a06f8c8978 jdk8u201-b06
+a1845b252425953875de75560822576eddc185a8 jdk8u201-b76
+0a19f694c42c6d8e545743e3df938e80d3d56b87 jdk8u201-b07
+f0611120a4b7deae2219f72c5919712f1662ad9b jdk8u201-b77
+21ffcdd4d850dd240338c211bbeecb79c38e5403 jdk8u201-b08
+72a1a252527bb1ef9a67b7318411e117e7814e3e jdk8u201-b09
+c44a78b5e3c5c8f49901a251c0626f0134833ea4 jdk8u201-b79
+91c1f8b2df32a70763018d69b745639b6b94b393 jdk8u201-b25
+7ce5e345e1d26b459c54ede2aedc99e5afe45a5d jdk8u201-b26
+72a1a252527bb1ef9a67b7318411e117e7814e3e jdk8u201-ga
 9da3ff5cd435240bc4941bc1c2ca170c567e012f jdk8u202-b01
+478a4add975beb90696a4ead5f8fcd9c17fc1a83 jdk8u202-b02
+03719dd7706173821b51f42b20ac3cb040696a56 jdk8u202-b03
+d1d759924a534328146368d9be0e49168ace93eb jdk8u202-b04
+620927565284a2cc75bbc3a9bf583997ffb4ea63 jdk8u202-b05
+a7d761df5f2b2a3506516c876381cfb1cdee9387 jdk8u202-b06
+eab55c31ad236f6c601deb5620dc029e9f1b9a72 jdk8u202-b07
+d10b8de706c1ea867abc5518dbb1cf92f6965f6a jdk8u202-b08
+96f7a4d6224a4cbf14c7ac54e39b7e35fee00c0c jdk8u202-b25
+4d01af1665277b6f5f5a6c9107f01bb6c1e0942d jdk8u202-b26
+d10b8de706c1ea867abc5518dbb1cf92f6965f6a jdk8u202-ga

THIRD_PARTY_README

@@ -1668,13 +1668,13 @@ THE SOFTWARE.
 
 -------------------------------------------------------------------------------
 
-%% This notice is provided with respect to Little CMS 2.7, which may be 
+%% This notice is provided with respect to Little CMS 2.9, which may be
 included with JRE 8, JDK 8, and OpenJDK 8.
 
 --- begin of LICENSE ---
 
 Little CMS
-Copyright (c) 1998-2015 Marti Maria Saguer
+Copyright (c) 1998-2011 Marti Maria Saguer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

make/data/tzdata/VERSION

@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2018e
+tzdata2018g

make/data/tzdata/africa

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Africa and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -29,7 +31,7 @@
 # tz@iana.org for general use in the future).  For more, please see
 # the file CONTRIBUTING in the tz distribution.
 
-# From Paul Eggert (2017-04-09):
+# From Paul Eggert (2018-05-27):
 #
 # Unless otherwise specified, the source for data through 1990 is:
 # Thomas G. Shanks and Rique Pottenger, The International Atlas (6th edition),
@@ -74,13 +76,15 @@
 # I vaguely recall 'WAT' also being used for -01 in the past but
 # cannot now come up with solid citations.
 #
-# I invented the following abbreviations; corrections are welcome!
-#	 +02	WAST	West Africa Summer Time (no longer used)
-#	 +03	CAST	Central Africa Summer Time (no longer used)
-#	 +03	SAST	South Africa Summer Time (no longer used)
+# I invented the following abbreviations in the 1990s:
+#	 +02	WAST	West Africa Summer Time
+#	 +03	CAST	Central Africa Summer Time
+#	 +03	SAST	South Africa Summer Time
 #	 +03	EAT	East Africa Time
-# 'EAT' also seems to have caught on; the others are rare but are paired
-# with better-attested non-DST abbreviations.
+# 'EAT' seems to have caught on and is in current timestamps, and though
+# the other abbreviations are rarer and are only in past timestamps,
+# they are paired with better-attested non-DST abbreviations.
+# Corrections are welcome.
 
 # Algeria
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
@@ -385,6 +389,13 @@ Zone	Africa/Cairo	2:05:09 -	LMT	1900 Oct
 # Eritrea
 # Ethiopia
 # See Africa/Nairobi.
+#
+# Unfortunately tzdb records only Western clock time in use in Ethiopia,
+# as the tzdb format is not up to properly recording a common Ethiopian
+# timekeeping practice that is based on solar time.  See:
+# Mortada D. If you have a meeting in Ethiopia, you'd better double
+# check the time. PRI's The World. 2015-01-30 15:15 -05.
+# https://www.pri.org/stories/2015-01-30/if-you-have-meeting-ethiopia-you-better-double-check-time
 
 # Gabon
 # See Africa/Lagos.
@@ -856,94 +867,61 @@ Zone Indian/Mauritius	3:50:00 -	LMT	1907 # Port Louis
 # <https://lnt.ma/le-maroc-reculera-dune-heure-le-dimanche-14-juin/> agrees
 # with the patch.
 
-# From Paul Eggert (2015-06-08):
-# For now, guess that later spring and fall transitions will use 2015's rules,
-# and guess that Morocco will switch to standard time at 03:00 the last
-# Sunday before Ramadan, and back to DST at 02:00 the first Sunday after
-# Ramadan.  To implement this, transition dates for 2016 through 2037 were
-# determined by running the following program under GNU Emacs 24.3, with the
-# results integrated by hand into the table below.
-# (let ((islamic-year 1437))
-#   (require 'cal-islam)
-#   (while (< islamic-year 1460)
-#     (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year)))
-#           (b (calendar-islamic-to-absolute (list 10 1 islamic-year)))
-#           (sunday 0))
-#       (while (/= sunday (mod (setq a (1- a)) 7)))
-#       (while (/= sunday (mod b 7))
-#         (setq b (1+ b)))
-#       (setq a (calendar-gregorian-from-absolute a))
-#       (setq b (calendar-gregorian-from-absolute b))
-#       (insert
-#        (format
-#         (concat "Rule\tMorocco\t%d\tonly\t-\t%s\t%2d\t 3:00\t0\t-\n"
-#                 "Rule\tMorocco\t%d\tonly\t-\t%s\t%2d\t 2:00\t1:00\tS\n")
-#         (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a))
-#         (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b)))))
-#     (setq islamic-year (+ 1 islamic-year))))
+# From Mohamed Essedik Najd (2018-10-26):
+# Today, a Moroccan government council approved the perpetual addition
+# of 60 minutes to the regular Moroccan timezone.
+# From Brian Inglis (2018-10-26):
+# http://www.maroc.ma/fr/actualites/le-conseil-de-gouvernement-adopte-un-projet-de-decret-relatif-lheure-legale-stipulant-le
 
 # RULE	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-
-Rule	Morocco	1939	only	-	Sep	12	 0:00	1:00	S
+Rule	Morocco	1939	only	-	Sep	12	 0:00	1:00	-
 Rule	Morocco	1939	only	-	Nov	19	 0:00	0	-
-Rule	Morocco	1940	only	-	Feb	25	 0:00	1:00	S
+Rule	Morocco	1940	only	-	Feb	25	 0:00	1:00	-
 Rule	Morocco	1945	only	-	Nov	18	 0:00	0	-
-Rule	Morocco	1950	only	-	Jun	11	 0:00	1:00	S
+Rule	Morocco	1950	only	-	Jun	11	 0:00	1:00	-
 Rule	Morocco	1950	only	-	Oct	29	 0:00	0	-
-Rule	Morocco	1967	only	-	Jun	 3	12:00	1:00	S
+Rule	Morocco	1967	only	-	Jun	 3	12:00	1:00	-
 Rule	Morocco	1967	only	-	Oct	 1	 0:00	0	-
-Rule	Morocco	1974	only	-	Jun	24	 0:00	1:00	S
+Rule	Morocco	1974	only	-	Jun	24	 0:00	1:00	-
 Rule	Morocco	1974	only	-	Sep	 1	 0:00	0	-
-Rule	Morocco	1976	1977	-	May	 1	 0:00	1:00	S
+Rule	Morocco	1976	1977	-	May	 1	 0:00	1:00	-
 Rule	Morocco	1976	only	-	Aug	 1	 0:00	0	-
 Rule	Morocco	1977	only	-	Sep	28	 0:00	0	-
-Rule	Morocco	1978	only	-	Jun	 1	 0:00	1:00	S
+Rule	Morocco	1978	only	-	Jun	 1	 0:00	1:00	-
 Rule	Morocco	1978	only	-	Aug	 4	 0:00	0	-
-Rule	Morocco	2008	only	-	Jun	 1	 0:00	1:00	S
+Rule	Morocco	2008	only	-	Jun	 1	 0:00	1:00	-
 Rule	Morocco	2008	only	-	Sep	 1	 0:00	0	-
-Rule	Morocco	2009	only	-	Jun	 1	 0:00	1:00	S
+Rule	Morocco	2009	only	-	Jun	 1	 0:00	1:00	-
 Rule	Morocco	2009	only	-	Aug	21	 0:00	0	-
-Rule	Morocco	2010	only	-	May	 2	 0:00	1:00	S
+Rule	Morocco	2010	only	-	May	 2	 0:00	1:00	-
 Rule	Morocco	2010	only	-	Aug	 8	 0:00	0	-
-Rule	Morocco	2011	only	-	Apr	 3	 0:00	1:00	S
+Rule	Morocco	2011	only	-	Apr	 3	 0:00	1:00	-
 Rule	Morocco	2011	only	-	Jul	31	 0:00	0	-
-Rule	Morocco	2012	2013	-	Apr	lastSun	 2:00	1:00	S
+Rule	Morocco	2012	2013	-	Apr	lastSun	 2:00	1:00	-
 Rule	Morocco	2012	only	-	Jul	20	 3:00	0	-
-Rule	Morocco	2012	only	-	Aug	20	 2:00	1:00	S
+Rule	Morocco	2012	only	-	Aug	20	 2:00	1:00	-
 Rule	Morocco	2012	only	-	Sep	30	 3:00	0	-
 Rule	Morocco	2013	only	-	Jul	 7	 3:00	0	-
-Rule	Morocco	2013	only	-	Aug	10	 2:00	1:00	S
-Rule	Morocco	2013	max	-	Oct	lastSun	 3:00	0	-
-Rule	Morocco	2014	2021	-	Mar	lastSun	 2:00	1:00	S
+Rule	Morocco	2013	only	-	Aug	10	 2:00	1:00	-
+Rule	Morocco	2013	2018	-	Oct	lastSun	 3:00	0	-
+Rule	Morocco	2014	2018	-	Mar	lastSun	 2:00	1:00	-
 Rule	Morocco	2014	only	-	Jun	28	 3:00	0	-
-Rule	Morocco	2014	only	-	Aug	 2	 2:00	1:00	S
+Rule	Morocco	2014	only	-	Aug	 2	 2:00	1:00	-
 Rule	Morocco	2015	only	-	Jun	14	 3:00	0	-
-Rule	Morocco	2015	only	-	Jul	19	 2:00	1:00	S
+Rule	Morocco	2015	only	-	Jul	19	 2:00	1:00	-
 Rule	Morocco	2016	only	-	Jun	 5	 3:00	0	-
-Rule	Morocco	2016	only	-	Jul	10	 2:00	1:00	S
+Rule	Morocco	2016	only	-	Jul	10	 2:00	1:00	-
 Rule	Morocco	2017	only	-	May	21	 3:00	0	-
-Rule	Morocco	2017	only	-	Jul	 2	 2:00	1:00	S
+Rule	Morocco	2017	only	-	Jul	 2	 2:00	1:00	-
 Rule	Morocco	2018	only	-	May	13	 3:00	0	-
-Rule	Morocco	2018	only	-	Jun	17	 2:00	1:00	S
-Rule	Morocco	2019	only	-	May	 5	 3:00	0	-
-Rule	Morocco	2019	only	-	Jun	 9	 2:00	1:00	S
-Rule	Morocco	2020	only	-	Apr	19	 3:00	0	-
-Rule	Morocco	2020	only	-	May	24	 2:00	1:00	S
-Rule	Morocco	2021	only	-	Apr	11	 3:00	0	-
-Rule	Morocco	2021	only	-	May	16	 2:00	1:00	S
-Rule	Morocco	2022	only	-	May	 8	 2:00	1:00	S
-Rule	Morocco	2023	only	-	Apr	23	 2:00	1:00	S
-Rule	Morocco	2024	only	-	Apr	14	 2:00	1:00	S
-Rule	Morocco	2025	only	-	Apr	 6	 2:00	1:00	S
-Rule	Morocco	2026	max	-	Mar	lastSun	 2:00	1:00	S
-Rule	Morocco	2036	only	-	Oct	19	 3:00	0	-
-Rule	Morocco	2037	only	-	Oct	 4	 3:00	0	-
+Rule	Morocco	2018	only	-	Jun	17	 2:00	1:00	-
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Africa/Casablanca	-0:30:20 -	LMT	1913 Oct 26
-			 0:00	Morocco	WE%sT	1984 Mar 16
-			 1:00	-	CET	1986
-			 0:00	Morocco	WE%sT
+			 0:00	Morocco	+00/+01	1984 Mar 16
+			 1:00	-	+01	1986
+			 0:00	Morocco	+00/+01	2018 Oct 27
+			 1:00	-	+01
 
 # Western Sahara
 #
@@ -958,7 +936,8 @@ Zone Africa/Casablanca	-0:30:20 -	LMT	1913 Oct 26
 
 Zone Africa/El_Aaiun	-0:52:48 -	LMT	1934 Jan # El Aaiún
 			-1:00	-	-01	1976 Apr 14
-			 0:00	Morocco	WE%sT
+			 0:00	Morocco	+00/+01	2018 Oct 27
+			 1:00	-	+01
 
 # Mozambique
 #

make/data/tzdata/antarctica

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Antarctica and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 

make/data/tzdata/asia

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Asia and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -29,7 +31,7 @@
 # tz@iana.org for general use in the future).  For more, please see
 # the file CONTRIBUTING in the tz distribution.
 
-# From Paul Eggert (2017-01-13):
+# From Paul Eggert (2018-06-19):
 #
 # Unless otherwise specified, the source for data through 1990 is:
 # Thomas G. Shanks and Rique Pottenger, The International Atlas (6th edition),
@@ -58,7 +60,8 @@
 # A reliable and entertaining source about time zones is
 # Derek Howse, Greenwich time and longitude, Philip Wilson Publishers (1997).
 #
-# The following alphabetic abbreviations appear in these tables:
+# The following alphabetic abbreviations appear in these tables
+# (corrections are welcome):
 #	     std  dst
 #	     LMT	Local Mean Time
 #	2:00 EET  EEST	Eastern European Time
@@ -67,11 +70,13 @@
 #	7:00 WIB	west Indonesia (Waktu Indonesia Barat)
 #	8:00 WITA	central Indonesia (Waktu Indonesia Tengah)
 #	8:00 CST	China
+#	8:00 PST  PDT*	Philippine Standard Time
 #	8:30 KST  KDT	Korea when at +0830
 #	9:00 WIT	east Indonesia (Waktu Indonesia Timur)
 #	9:00 JST  JDT	Japan
 #	9:00 KST  KDT	Korea when at +09
 #	9:30 ACST	Australian Central Standard Time
+# *I invented the abbreviation PDT; see "Philippines" below.
 # Otherwise, these tables typically use numeric abbreviations like +03
 # and +0330 for integer hour and minute UT offsets.  Although earlier
 # editions invented alphabetic time zone abbreviations for every
@@ -304,6 +309,29 @@ Zone	Asia/Yangon	6:24:47 -	LMT	1880        # or Rangoon
 
 # China
 
+# From Paul Eggert (2018-10-02):
+# The following comes from Table 1 of:
+# Li Yu. Research on the daylight saving movement in 1940s Shanghai.
+# Nanjing Journal of Social Sciences. 2014;(2):144-50.
+# http://oversea.cnki.net/kns55/detail.aspx?dbname=CJFD2014&filename=NJSH201402020
+# The table lists dates only; I am guessing 00:00 and 24:00 transition times.
+# Also, the table lists the planned end of DST in 1949, but the corresponding
+# zone line cuts this off on May 28, when the Communists took power.
+#
+# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
+Rule	Shang	1940	only	-	Jun	 1	 0:00	1:00	D
+Rule	Shang	1940	only	-	Oct	12	24:00	0	S
+Rule	Shang	1941	only	-	Mar	15	 0:00	1:00	D
+Rule	Shang	1941	only	-	Nov	 1	24:00	0	S
+Rule	Shang	1942	only	-	Jan	31	 0:00	1:00	D
+Rule	Shang	1945	only	-	Sep	 1	24:00	0	S
+Rule	Shang	1946	only	-	May	15	 0:00	1:00	D
+Rule	Shang	1946	only	-	Sep	30	24:00	0	S
+Rule	Shang	1947	only	-	Apr	15	 0:00	1:00	D
+Rule	Shang	1947	only	-	Oct	31	24:00	0	S
+Rule	Shang	1948	1949	-	May	 1	 0:00	1:00	D
+Rule	Shang	1948	1949	-	Sep	30	24:00	0	S #plan
+
 # From Guy Harris:
 # People's Republic of China.  Yes, they really have only one time zone.
 
@@ -330,18 +358,33 @@ Zone	Asia/Yangon	6:24:47 -	LMT	1880        # or Rangoon
 # time - sort of", Los Angeles Times, 1986-05-05 ... [says] that China began
 # observing daylight saving time in 1986.
 
-# From Paul Eggert (2014-06-30):
-# Shanks & Pottenger have China switching to a single time zone in 1980, but
-# this doesn't seem to be correct.  They also write that China observed summer
-# DST from 1986 through 1991, which seems to match the above commentary, so
-# go with them for DST rules as follows:
+# From P Chan (2018-05-07):
+# The start and end time of DST in China [from 1986 on] should be 2:00
+# (i.e. 2:00 to 3:00 at the start and 2:00 to 1:00 at the end)....
+# Government notices about summer time:
+#
+# 1986-04-12 http://www.zj.gov.cn/attach/zfgb/198608.pdf p.21-22
+# (To establish summer time from 1986. On 4 May, set the clocks ahead one hour
+# at 2 am. On 14 September, set the clocks backward one hour at 2 am.)
+#
+# 1987-02-15 http://www.gov.cn/gongbao/shuju/1987/gwyb198703.pdf p.114
+# (Summer time in 1987 to start from 12 April until 13 September)
+#
+# 1987-09-09 http://www.gov.cn/gongbao/shuju/1987/gwyb198721.pdf p.709
+# (From 1988, summer time to start from 2 am of the first Sunday of mid-April
+# until 2 am of the first Sunday of mid-September)
+#
+# 1992-03-03 http://www.gov.cn/gongbao/shuju/1992/gwyb199205.pdf p.152
+# (To suspend summer time from 1992)
+#
+# The first page of People's Daily on 12 April 1988 stating that summer time
+# to begin on 17 April.
+# http://data.people.com.cn/pic/101p/1988/04/1988041201.jpg
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Shang	1940	only	-	Jun	 3	0:00	1:00	D
-Rule	Shang	1940	1941	-	Oct	 1	0:00	0	S
-Rule	Shang	1941	only	-	Mar	16	0:00	1:00	D
-Rule	PRC	1986	only	-	May	 4	0:00	1:00	D
-Rule	PRC	1986	1991	-	Sep	Sun>=11	0:00	0	S
-Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
+Rule	PRC	1986	only	-	May	 4	 2:00	1:00	D
+Rule	PRC	1986	1991	-	Sep	Sun>=11	 2:00	0	S
+Rule	PRC	1987	1991	-	Apr	Sun>=11	 2:00	1:00	D
 
 # From Anthony Fok (2001-12-20):
 # BTW, I did some research on-line and found some info regarding these five
@@ -363,10 +406,11 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 # Alois Treindl kindly sent me translations of the following two sources:
 #
 # (1)
-# Guo Qingsheng (National Time-Service Center, CAS, Xi'an 710600, China)
+# Guo Qing-sheng (National Time-Service Center, CAS, Xi'an 710600, China)
 # Beijing Time at the Beginning of the PRC
 # China Historical Materials of Science and Technology
-# (Zhongguo ke ji shi liao, 中国科技史料), Vol. 24, No. 1 (2003)
+# (Zhongguo ke ji shi liao, 中国科技史料). 2003;24(1):5-9.
+# http://oversea.cnki.net/kcms/detail/detail.aspx?filename=ZGKS200301000&dbname=CJFD2003
 # It gives evidence that at the beginning of the PRC, Beijing time was
 # officially apparent solar time!  However, Guo also says that the
 # evidence is dubious, as the relevant institute of astronomy had not
@@ -543,7 +587,7 @@ Rule	PRC	1987	1991	-	Apr	Sun>=10	0:00	1:00	D
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Beijing time, used throughout China; represented by Shanghai.
 Zone	Asia/Shanghai	8:05:43	-	LMT	1901
-			8:00	Shang	C%sT	1949
+			8:00	Shang	C%sT	1949 May 28
 			8:00	PRC	C%sT
 # Xinjiang time, used by many in western China; represented by Ürümqi / Ürümchi
 # / Wulumuqi.  (Please use Asia/Shanghai if you prefer Beijing time.)
@@ -772,24 +816,140 @@ Zone	Asia/Taipei	8:06:00 -	LMT	1896 Jan  1
 			8:00	Taiwan	C%sT
 
 # Macau (Macao, Aomen)
+#
+# From P Chan (2018-05-10):
+# * LegisMac
+#   http://legismac.safp.gov.mo/legismac/descqry/Descqry.jsf?lang=pt
+#   A database for searching titles of legal documents of Macau in
+#   Chinese and Portuguese.  The term "HORÁRIO DE VERÃO" can be used for
+#   searching decrees about summer time.
+# * Archives of Macao
+#   http://www.archives.gov.mo/en/bo/
+#   It contains images of old official gazettes.
+# * The Macao Meteorological and Geophysical Bureau have a page listing the
+#   summer time history.  But it is not complete and has some mistakes.
+#   http://www.smg.gov.mo/smg/geophysics/e_t_Summer%20Time.htm
+# Macau adopted GMT+8 on 30 Oct 1904 to follow Hong Kong.  Clocks were
+# advanced by 25 minutes and 50 seconds.  Which means the LMT used was
+# +7:34:10.  As stated in the "Portaria No. 204" dated 21 October 1904
+# and published in the Official Gazette on 29 October 1904.
+# http://igallery.icm.gov.mo/Images/Archives/BO/MO_AH_PUB_BO_1904_10/MO_AH_PUB_BO_1904_10_00025_Grey.JPG
+#
+# Therefore the 1911 decree of Portugal did not change time in Macau.
+#
+# From LegisMac, here is a list of decrees that changed the time ...
+# [Decree Gazette-no. date; titles omitted in this quotation]
+#	DIL 732 BOCM 51 1941.12.20
+#	DIL 764 BOCM 9S 1942.04.30
+#	DIL 781 BOCM 21 1942.10.10
+#	PT 3434 BOCM 8S 1943.04.17
+#	PT 3504 BOCM 20 1943.09.25
+#	PT 3843 BOCM 39 1945.09.29
+#	PT 3961 BOCM 17 1946.04.27
+#	PT 4026 BOCM 39 1946.09.28
+#	PT 4153 BOCM 16 1947.04.10
+#	PT 4271 BOCM 48 1947.11.29
+#	PT 4374 BOCM 18 1948.05.01
+#	PT 4465 BOCM 44 1948.10.30
+#	PT 4590 BOCM 14 1949.04.02
+#	PT 4666 BOCM 44 1949.10.29
+#	PT 4771 BOCM 12 1950.03.25
+#	PT 4838 BOCM 43 1950.10.28
+#	PT 4946 BOCM 12 1951.03.24
+#	PT 5025 BO 43 1951.10.27
+#	PT 5149 BO 14 1952.04.05
+#	PT 5251 BO 43 1952.10.25
+#	PT 5366 BO 13 1953.03.28
+#	PT 5444 BO 44 1953.10.31
+#	PT 5540 BO 12 1954.03.20
+#	PT 5589 BO 44 1954.10.30
+#	PT 5676 BO 12 1955.03.19
+#	PT 5739 BO 45 1955.11.05
+#	PT 5823 BO 11 1956.03.17
+#	PT 5891 BO 44 1956.11.03
+#	PT 5981 BO 12 1957.03.23
+#	PT 6064 BO 43 1957.10.26
+#	PT 6172 BO 12 1958.03.22
+#	PT 6243 BO 43 1958.10.25
+#	PT 6341 BO 12 1959.03.21
+#	PT 6411 BO 43 1959.10.24
+#	PT 6514 BO 11 1960.03.12
+#	PT 6584 BO 44 1960.10.29
+#	PT 6721 BO 10 1961.03.11
+#	PT 6815 BO 43 1961.10.28
+#	PT 6947 BO 10 1962.03.10
+#	PT 7080 BO 43 1962.10.27
+#	PT 7218 BO 12 1963.03.23
+#	PT 7340 BO 43 1963.10.26
+#	PT 7491 BO 11 1964.03.14
+#	PT 7664 BO 43 1964.10.24
+#	PT 7846 BO 15 1965.04.10
+#	PT 7979 BO 42 1965.10.16
+#	PT 8146 BO 15 1966.04.09
+#	PT 8252 BO 41 1966.10.08
+#	PT 8429 BO 15 1967.04.15
+#	PT 8540 BO 41 1967.10.14
+#	PT 8735 BO 15 1968.04.13
+#	PT 8860 BO 41 1968.10.12
+#	PT 9035 BO 16 1969.04.19
+#	PT 9156 BO 42 1969.10.18
+#	PT 9328 BO 15 1970.04.11
+#	PT 9418 BO 41 1970.10.10
+#	PT 9587 BO 14 1971.04.03
+#	PT 9702 BO 41 1971.10.09
+#	PT 38-A/72 BO 14 1972.04.01
+#	PT 126-A/72 BO 41 1972.10.07
+#	PT 61/73 BO 14 1973.04.07
+#	PT 182/73 BO 40 1973.10.06
+#	PT 282/73 BO 51 1973.12.22
+#	PT 177/74 BO 41 1974.10.12
+#	PT 51/75 BO 15 1975.04.12
+#	PT 173/75 BO 41 1975.10.11
+#	PT 67/76/M BO 14 1976.04.03
+#	PT 169/76/M BO 41 1976.10.09
+#	PT 78/79/M BO 19 1979.05.12
+#	PT 166/79/M BO 42 1979.10.20
+# Note that DIL 732 does not belong to "HORÁRIO DE VERÃO" according to
+# LegisMac.... Note that between 1942 and 1945, the time switched
+# between GMT+9 and GMT+10.  Also in 1965 and 1965 the DST ended at 2:30am.
+
+# From Paul Eggert (2018-05-10):
+# The 1904 decree says that Macau changed from the meridian of
+# Fortaleza do Monte, presumably the basis for the 7:34:10 for LMT.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Macau	1961	1962	-	Mar	Sun>=16	3:30	1:00	D
-Rule	Macau	1961	1964	-	Nov	Sun>=1	3:30	0	S
-Rule	Macau	1963	only	-	Mar	Sun>=16	0:00	1:00	D
-Rule	Macau	1964	only	-	Mar	Sun>=16	3:30	1:00	D
-Rule	Macau	1965	only	-	Mar	Sun>=16	0:00	1:00	D
-Rule	Macau	1965	only	-	Oct	31	0:00	0	S
-Rule	Macau	1966	1971	-	Apr	Sun>=16	3:30	1:00	D
-Rule	Macau	1966	1971	-	Oct	Sun>=16	3:30	0	S
-Rule	Macau	1972	1974	-	Apr	Sun>=15	0:00	1:00	D
-Rule	Macau	1972	1973	-	Oct	Sun>=15	0:00	0	S
-Rule	Macau	1974	1977	-	Oct	Sun>=15	3:30	0	S
-Rule	Macau	1975	1977	-	Apr	Sun>=15	3:30	1:00	D
-Rule	Macau	1978	1980	-	Apr	Sun>=15	0:00	1:00	D
-Rule	Macau	1978	1980	-	Oct	Sun>=15	0:00	0	S
-# See Europe/Lisbon for info about the 1912 transition.
+Rule	Macau	1942	1943	-	Apr	30	23:00	1:00	-
+Rule	Macau	1942	only	-	Nov	17	23:00	0	-
+Rule	Macau	1943	only	-	Sep	30	23:00	0	S
+Rule	Macau	1946	only	-	Apr	30	23:00s	1:00	D
+Rule	Macau	1946	only	-	Sep	30	23:00s	0	S
+Rule	Macau	1947	only	-	Apr	19	23:00s	1:00	D
+Rule	Macau	1947	only	-	Nov	30	23:00s	0	S
+Rule	Macau	1948	only	-	May	 2	23:00s	1:00	D
+Rule	Macau	1948	only	-	Oct	31	23:00s	0	S
+Rule	Macau	1949	1950	-	Apr	Sat>=1	23:00s	1:00	D
+Rule	Macau	1949	1950	-	Oct	lastSat	23:00s	0	S
+Rule	Macau	1951	only	-	Mar	31	23:00s	1:00	D
+Rule	Macau	1951	only	-	Oct	28	23:00s	0	S
+Rule	Macau	1952	1953	-	Apr	Sat>=1	23:00s	1:00	D
+Rule	Macau	1952	only	-	Nov	 1	23:00s	0	S
+Rule	Macau	1953	1954	-	Oct	lastSat	23:00s	0	S
+Rule	Macau	1954	1956	-	Mar	Sat>=17	23:00s	1:00	D
+Rule	Macau	1955	only	-	Nov	 5	23:00s	0	S
+Rule	Macau	1956	1964	-	Nov	Sun>=1	03:30	0	S
+Rule	Macau	1957	1964	-	Mar	Sun>=18	03:30	1:00	D
+Rule	Macau	1965	1973	-	Apr	Sun>=16	03:30	1:00	D
+Rule	Macau	1965	1966	-	Oct	Sun>=16	02:30	0	S
+Rule	Macau	1967	1976	-	Oct	Sun>=16	03:30	0	S
+Rule	Macau	1973	only	-	Dec	30	03:30	1:00	D
+Rule	Macau	1975	1976	-	Apr	Sun>=16	03:30	1:00	D
+Rule	Macau	1979	only	-	May	13	03:30	1:00	D
+Rule	Macau	1979	only	-	Oct	Sun>=16	03:30	0	S
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Macau	7:34:20 -	LMT	1911 Dec 31 16:00u
+Zone	Asia/Macau	7:34:10 -	LMT	1904 Oct 30
+			8:00	-	CST	1941 Dec 21 23:00
+			9:00	Macau	+09/+10	1945 Sep 30 24:00
 			8:00	Macau	C%sT
 
 
@@ -1494,9 +1654,29 @@ Zone	Asia/Jerusalem	2:20:54 -	LMT	1880
 # http://www.shugiin.go.jp/internet/itdb_housei.nsf/html/houritsu/00719500331039.htm
 # ... In summary, it is written as follows.  From 24:00 on the first Saturday
 # in May, until 0:00 on the day after the second Saturday in September.
+
+# From Phake Nick (2018-09-27):
+# [T]he webpage authored by National Astronomical Observatory of Japan
+# https://eco.mtk.nao.ac.jp/koyomi/wiki/BBFEB9EF2FB2C6BBFEB9EF.html
+# ... mentioned that using Showa 23 (year 1948) as example, 13pm of September
+# 11 in summer time will equal to 0am of September 12 in standard time.
+# It cited a document issued by the Liaison Office which briefly existed
+# during the postwar period of Japan, where the detail on implementation
+# of the summer time is described in the document.
+# https://eco.mtk.nao.ac.jp/koyomi/wiki/BBFEB9EF2FB2C6BBFEB9EFB2C6BBFEB9EFA4CEBCC2BBDCA4CBA4C4A4A4A4C6.pdf
+# The text in the document do instruct a fall back to occur at
+# September 11, 13pm in summer time, while ordinary citizens can
+# change the clock before they sleep.
+#
+# From Paul Eggert (2018-09-27):
+# This instruction is equivalent to "Sat>=8 25:00", so use that.  zic treats
+# it like "Sun>=9 01:00", which is not quite the same but is the best we can
+# do in any POSIX or C platform.  The "25:00" assumes zic from 2007 or later,
+# which should be safe now.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Japan	1948	only	-	May	Sat>=1	24:00	1:00	D
-Rule	Japan	1948	1951	-	Sep	Sun>=9	 0:00	0	S
+Rule	Japan	1948	1951	-	Sep	Sun>=9	 1:00	0	S
 Rule	Japan	1949	only	-	Apr	Sat>=1	24:00	1:00	D
 Rule	Japan	1950	1951	-	May	Sat>=1	24:00	1:00	D
 
@@ -1878,7 +2058,7 @@ Zone	Asia/Aqtobe	3:48:40	-	LMT	1924 May  2
 			5:00	-	+05
 # Mangghystaū (KZ-MAN)
 # Aqtau was not founded until 1963, but it represents an inhabited region,
-# so include time stamps before 1963.
+# so include timestamps before 1963.
 Zone	Asia/Aqtau	3:21:04	-	LMT	1924 May  2
 			4:00	-	+04	1930 Jun 21
 			5:00	-	+05	1981 Oct  1
@@ -2018,6 +2198,10 @@ Rule	ROK	1987	1988	-	Oct	Sun>=8	3:00	0	S
 # Assembly, as published in Rodong Sinmun.
 # From Tim Parenti (2018-04-29):
 # It appears to be the front page story at the top in the right-most column.
+#
+# From Paul Eggert (2018-05-04):
+# The BBC reported that the transition was from 23:30 to 24:00 today.
+# https://www.bbc.com/news/world-asia-44010705
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Seoul	8:27:52	-	LMT	1908 Apr  1
@@ -2030,7 +2214,7 @@ Zone	Asia/Pyongyang	8:23:00 -	LMT	1908 Apr  1
 			8:30	-	KST	1912 Jan  1
 			9:00	-	JST	1945 Aug 24
 			9:00	-	KST	2015 Aug 15 00:00
-			8:30	-	KST	2018 May  5
+			8:30	-	KST	2018 May  4 23:30
 			9:00	-	KST
 
 ###############################################################################
@@ -2780,19 +2964,35 @@ Zone	Asia/Hebron	2:20:23	-	LMT	1900 Oct
 # Philippine Star 2014-08-05
 # http://www.philstar.com/headlines/2014/08/05/1354152/pnoy-urged-declare-use-daylight-saving-time
 
+# From Paul Goyette (2018-06-15):
+# In the Philippines, there is a national law, Republic Act No. 10535
+# which declares the official time here as "Philippine Standard Time".
+# The act [1] even specifies use of PST as the abbreviation, although
+# the FAQ provided by PAGASA [2] uses the "acronym PhST to distinguish
+# it from the Pacific Standard Time (PST)."
+# [1] http://www.officialgazette.gov.ph/2013/05/15/republic-act-no-10535/
+# [2] https://www1.pagasa.dost.gov.ph/index.php/astronomy/philippine-standard-time#republic-act-10535
+#
+# From Paul Eggert (2018-06-19):
+# I surveyed recent news reports, and my impression is that "PST" is
+# more popular among reliable English-language news sources.  This is
+# not just a measure of Google hit counts: it's also the sizes and
+# influence of the sources.  There is no current abbreviation for DST,
+# so use "PDT", the usual American style.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Phil	1936	only	-	Nov	1	0:00	1:00	-
-Rule	Phil	1937	only	-	Feb	1	0:00	0	-
-Rule	Phil	1954	only	-	Apr	12	0:00	1:00	-
-Rule	Phil	1954	only	-	Jul	1	0:00	0	-
-Rule	Phil	1978	only	-	Mar	22	0:00	1:00	-
-Rule	Phil	1978	only	-	Sep	21	0:00	0	-
+Rule	Phil	1936	only	-	Nov	1	0:00	1:00	D
+Rule	Phil	1937	only	-	Feb	1	0:00	0	S
+Rule	Phil	1954	only	-	Apr	12	0:00	1:00	D
+Rule	Phil	1954	only	-	Jul	1	0:00	0	S
+Rule	Phil	1978	only	-	Mar	22	0:00	1:00	D
+Rule	Phil	1978	only	-	Sep	21	0:00	0	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Manila	-15:56:00 -	LMT	1844 Dec 31
 			8:04:00 -	LMT	1899 May 11
-			8:00	Phil	+08/+09	1942 May
-			9:00	-	+09	1944 Nov
-			8:00	Phil	+08/+09
+			8:00	Phil	P%sT	1942 May
+			9:00	-	JST	1944 Nov
+			8:00	Phil	P%sT
 
 # Qatar
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2803,15 +3003,34 @@ Link Asia/Qatar Asia/Bahrain
 
 # Saudi Arabia
 #
-# From Paul Eggert (2014-07-15):
+# From Paul Eggert (2018-08-29):
 # Time in Saudi Arabia and other countries in the Arabian peninsula was not
-# standardized until relatively recently; we don't know when, and possibly it
+# standardized until 1968 or so; we don't know exactly when, and possibly it
 # has never been made official.  Richard P Hunt, in "Islam city yielding to
 # modern times", New York Times (1961-04-09), p 20, wrote that only airlines
 # observed standard time, and that people in Jeddah mostly observed quasi-solar
 # time, doing so by setting their watches at sunrise to 6 o'clock (or to 12
 # o'clock for "Arab" time).
 #
+# Timekeeping differed depending on who you were and which part of Saudi
+# Arabia you were in.  In 1969, Elias Antar wrote that although a common
+# practice had been to set one's watch to 12:00 (i.e., midnight) at sunset -
+# which meant that the time on one side of a mountain could differ greatly from
+# the time on the other side - many foreigners set their watches to 6pm
+# instead, while airlines instead used UTC +03 (except in Dhahran, where they
+# used UTC +04), Aramco used UTC +03 with DST, and the Trans-Arabian Pipe Line
+# Company used Aramco time in eastern Saudi Arabia and airline time in western.
+# (The American Military Aid Advisory Group used plain UTC.)  Antar writes,
+# "A man named Higgins, so the story goes, used to run a local power
+# station. One day, the whole thing became too much for Higgins and he
+# assembled his staff and laid down the law. 'I've had enough of this,' he
+# shrieked. 'It is now 12 o'clock Higgins Time, and from now on this station is
+# going to run on Higgins Time.' And so, until last year, it did."  See:
+# Antar E. Dinner at When? Saudi Aramco World, 1969 March/April. 2-3.
+# http://archive.aramcoworld.com/issue/196902/dinner.at.when.htm
+# newspapers.com says a similar story about Higgins was published in the Port
+# Angeles (WA) Evening News, 1965-03-10, page 5, but I lack access to the text.
+#
 # The TZ database cannot represent quasi-solar time; airline time is the best
 # we can do.  The 1946 foreign air news digest of the U.S. Civil Aeronautics
 # Board (OCLC 42299995) reported that the "... Arabian Government, inaugurated
@@ -2821,7 +3040,8 @@ Link Asia/Qatar Asia/Bahrain
 #
 # Shanks & Pottenger also state that until 1968-05-01 Saudi Arabia had two
 # time zones; the other zone, at UT +04, was in the far eastern part of
-# the country.  Ignore this, as it's before our 1970 cutoff.
+# the country.  Presumably this is documenting airline time.  Ignore this,
+# as it's before our 1970 cutoff.
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Riyadh	3:06:52 -	LMT	1947 Mar 14

make/data/tzdata/australasia

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Australasia and environs, and for much of the Pacific
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -384,8 +386,15 @@ Zone	Indian/Cocos	6:27:40	-	LMT	1900
 # Dominic Fok writes (2017-08-20) that DST ends 2018-01-14, citing
 # Extraordinary Government of Fiji Gazette Supplement No. 21 (2017-08-27),
 # [Legal Notice No. 41] of an order of the previous day by J Usamate.
+
+# From Raymond Kumar (2018-07-13):
+# http://www.fijitimes.com/government-approves-2018-daylight-saving/
+# ... The daylight saving period will end at 3am on Sunday January 13, 2019.
+#
+# From Paul Eggert (2018-07-15):
 # For now, guess DST from 02:00 the first Sunday in November to 03:00
-# the first Sunday on or after January 14.  Although ad hoc, it matches
+# the first Sunday on or after January 13.  January transitions reportedly
+# depend on when school terms start.  Although the guess is ad hoc, it matches
 # transitions since late 2014 and seems more likely to match future
 # practice than guessing no DST.
 
@@ -399,7 +408,7 @@ Rule	Fiji	2011	only	-	Mar	Sun>=1	3:00	0	-
 Rule	Fiji	2012	2013	-	Jan	Sun>=18	3:00	0	-
 Rule	Fiji	2014	only	-	Jan	Sun>=18	2:00	0	-
 Rule	Fiji	2014	max	-	Nov	Sun>=1	2:00	1:00	-
-Rule	Fiji	2015	max	-	Jan	Sun>=14	3:00	0	-
+Rule	Fiji	2015	max	-	Jan	Sun>=13	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Pacific/Fiji	11:55:44 -	LMT	1915 Oct 26 # Suva
 			12:00	Fiji	+12/+13

make/data/tzdata/backward

@@ -21,10 +21,12 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb links for backward compatibility
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# This file provides links between current names for time zones
+# This file provides links between current names for timezones
 # and their old names.  Many names changed in late 1993.
 
 # Link	TARGET			LINK-NAME

make/data/tzdata/etcetera

@@ -21,12 +21,14 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for ships at sea and other miscellany
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
 # These entries are mostly present for historical reasons, so that
 # people in areas not otherwise covered by the tz files could "zic -l"
-# to a time zone that was right for their area.  These days, the
+# to a timezone that was right for their area.  These days, the
 # tz files cover almost all the inhabited world, and the only practical
 # need now for the entries that are not on UTC are for ships at sea
 # that cannot use POSIX TZ settings.

make/data/tzdata/europe

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Europe and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -540,7 +542,7 @@ Link	Europe/London	Europe/Isle_of_Man
 #
 # To work around this problem, the build procedure can translate the
 # following data into two forms, one with negative SAVE values and the
-# other form with a traditional approximation for Irish time stamps
+# other form with a traditional approximation for Irish timestamps
 # after 1971-10-31 02:00 UTC; although this approximation has tm_isdst
 # flags that are reversed, its UTC offsets are correct and this often
 # suffices.  This source file currently uses only nonnegative SAVE
@@ -2450,6 +2452,33 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # administratively part of Sakhalin oblast', they appear to have
 # remained on UTC+11 along with Magadan.
 
+# From Marat Nigametzianov (2018-07-16):
+# this is link to order from 1956 about timezone in USSR
+# http://astro.uni-altai.ru/~orion/blog/2011/11/novyie-granitsyi-chasovyih-poyasov-v-sssr/
+#
+# From Paul Eggert (2018-07-16):
+# Perhaps someone could translate the above-mentioned link and use it
+# to correct our data for the ex-Soviet Union.  It cites the following:
+# «Поясное время и новые границы часовых поясов» / сост. П.Н. Долгов,
+# отв. ред. Г.Д. Бурдун - М: Комитет стандартов, мер и измерительных
+# приборов при Совете Министров СССР, Междуведомственная комиссия
+# единой службы времени, 1956 г.
+# This book looks like it would be a helpful resource for the Soviet
+# Union through 1956.  Although a copy was in the Scientific Library
+# of Tomsk State University, I have not been able to track down a copy nearby.
+#
+# From Stepan Golosunov (2018-07-21):
+# http://astro.uni-altai.ru/~orion/blog/2015/05/center-reforma-ischisleniya-vremeni-br-na-territorii-sssr-v-1957-godu-center/
+# says that the 1956 decision to change time belts' borders was not
+# implemented as planned in 1956 and the change happened in 1957.
+# There is also the problem that actual time zones were different from
+# the official time belts (and from many time belts' maps) as there were
+# numerous exceptions to application of time belt rules.  For example,
+# https://ru.wikipedia.org/wiki/Московское_время#Перемещение_границы_применения_московского_времени_на_восток
+# says that by 1962 there were many regions in the 3rd time belt that
+# were on Moscow time, referring to a 1962 map.  By 1989 number of such
+# exceptions grew considerably.
+
 # From Tim Parenti (2014-07-06):
 # The comments detailing the coverage of each Russian zone are meant to assist
 # with maintenance only and represent our best guesses as to which regions
@@ -2460,9 +2489,6 @@ Zone Europe/Bucharest	1:44:24 -	LMT	1891 Oct
 # future stability.  ISO 3166-2:RU codes are also listed for first-level
 # divisions where available.
 
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-
-
 # From Tim Parenti (2014-07-03):
 # Europe/Kaliningrad covers...
 # 39	RU-KGD	Kaliningrad Oblast
@@ -2730,6 +2756,15 @@ Zone Europe/Astrakhan	 3:12:12 -	LMT	1924 May
 # 34	RU-VGG	Volgograd Oblast
 # The 1988 transition is from USSR act No. 5 (1988-01-04).
 
+# From Alexander Fetisov (2018-09-20):
+# Volgograd region in southern Russia (Europe/Volgograd) change
+# timezone from UTC+3 to UTC+4 from 28oct2018.
+# http://sozd.parliament.gov.ru/bill/452878-7
+#
+# From Stepan Golosunov (2018-10-11):
+# The law has been published today on
+# http://publication.pravo.gov.ru/Document/View/0001201810110037
+
 Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
 			 3:00	-	+03	1930 Jun 21
 			 4:00	-	+04	1961 Nov 11
@@ -2738,7 +2773,8 @@ Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
 			 4:00	-	+04	1992 Mar 29  2:00s
 			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
 			 4:00	-	+04	2014 Oct 26  2:00s
-			 3:00	-	+03
+			 3:00	-	+03	2018 Oct 28  2:00s
+			 4:00	-	+04
 
 # From Paul Eggert (2016-11-11):
 # Europe/Saratov covers:
@@ -3427,7 +3463,8 @@ Rule	Spain	1978	only	-	Oct	 1	 2:00s	0	-
 #Rule NatSpain	1937	only	-	May	22	23:00	1:00	S
 #Rule NatSpain	1937	1938	-	Oct	Sat>=1	24:00s	0	-
 #Rule NatSpain	1938	only	-	Mar	26	23:00	1:00	S
-# The following rules are copied from Morocco from 1967 through 1978.
+# The following rules are copied from Morocco from 1967 through 1978,
+# except with "S" letters.
 Rule SpainAfrica 1967	only	-	Jun	 3	12:00	1:00	S
 Rule SpainAfrica 1967	only	-	Oct	 1	 0:00	0	-
 Rule SpainAfrica 1974	only	-	Jun	24	 0:00	1:00	S
@@ -3447,6 +3484,7 @@ Zone	Africa/Ceuta	-0:21:16 -	LMT	1900 Dec 31 23:38:44
 			 0:00	1:00	WEST	1918 Oct  7 23:00
 			 0:00	-	WET	1924
 			 0:00	Spain	WE%sT	1929
+			 0:00	-	WET	1967 # Help zishrink.awk.
 			 0:00 SpainAfrica WE%sT	1984 Mar 16
 			 1:00	-	CET	1986
 			 1:00	EU	CE%sT
@@ -3632,7 +3670,7 @@ Zone	Europe/Zurich	0:34:08 -	LMT	1853 Jul 16 # See above comment.
 # http://www.resmigazete.gov.tr/eskiler/2001/03/20010324.htm#2  - for 2001
 # http://www.resmigazete.gov.tr/eskiler/2002/03/20020316.htm#2  - for 2002-2006
 # From Paul Eggert (2016-09-25):
-# Prefer the above sources to Shanks & Pottenger for time stamps after 1985.
+# Prefer the above sources to Shanks & Pottenger for timestamps after 1985.
 
 # From Steffen Thorsen (2007-03-09):
 # Starting 2007 though, it seems that they are adopting EU's 1:00 UTC
@@ -3842,10 +3880,29 @@ Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
 # * Ukrainian Government's Resolution of 20.03.1992, No. 139.
 # http://www.uazakon.com/documents/date_8u/pg_grcasa.htm
 
+# From Paul Eggert (2018-10-03):
+# As is usual in tzdb, Ukrainian zones use the most common English spellings.
+# For example, tzdb uses Europe/Kiev, as "Kiev" is the most common spelling in
+# English for Ukraine's capital, even though it is certainly wrong as a
+# transliteration of the Ukrainian "Київ".  This is similar to tzdb's use of
+# Europe/Prague, which is certainly wrong as a transliteration of the Czech
+# "Praha".  ("Kiev" came from old Slavic via Russian to English, and "Prague"
+# came from old Slavic via French to English, so the two cases have something
+# in common.)  Admittedly English-language spelling of Ukrainian names is
+# controversial, and some day "Kyiv" may become substantially more popular in
+# English; in the meantime, stick with the traditional English "Kiev" as that
+# means less disruption for our users.
+#
+# Anyway, none of the common English-language spellings (Kiev, Kyiv, Kieff,
+# Kijeff, Kijev, Kiyef, Kiyeff) do justice to the common pronunciation in
+# Ukrainian, namely [ˈkɪjiu̯] (IPA).  This pronunciation has nothing like an
+# English "v" or "f", and instead trails off with what an English-speaker
+# would call a demure "oo" sound, and it would would be better anglicized as
+# "Kuiyu".  Here's a sound file, if you would like to do as the Kuiyuvians do:
+# https://commons.wikimedia.org/wiki/File:Uk-Київ.ogg
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-# Most of Ukraine since 1970 has been like Kiev.
-# "Kyiv" is the transliteration of the Ukrainian name, but
-# "Kiev" is more common in English.
+# This represents most of Ukraine.  See above for the spelling of "Kiev".
 Zone Europe/Kiev	2:02:04 -	LMT	1880
 			2:02:04	-	KMT	1924 May  2 # Kiev Mean Time
 			2:00	-	EET	1930 Jun 21

make/data/tzdata/factory

@@ -21,11 +21,13 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for noncommittal factory settings
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# For distributors who don't want to put time zone specification in
-# their installation procedures.  Users that run 'date' will get the
+# For distributors who don't want to specify a timezone in their
+# installation procedures.  Users who run 'date' will get the
 # time zone abbreviation "-00", indicating that the actual time zone
 # is unknown.
 

make/data/tzdata/leapseconds

@@ -26,21 +26,25 @@
 # This file is in the public domain.
 
 # This file is generated automatically from the data in the public-domain
-# leap-seconds.list file, which is copied from:
-# ftp://ftp.nist.gov/pub/time/leap-seconds.list
+# leap-seconds.list file, which can be copied from
+# <ftp://ftp.nist.gov/pub/time/leap-seconds.list>
+# or <ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list>
+# or <ftp://tycho.usno.navy.mil/pub/ntp/leap-seconds.list>.
 # For more about leap-seconds.list, please see
 # The NTP Timescale and Leap Seconds
-# https://www.eecis.udel.edu/~mills/leap.html
+# <https://www.eecis.udel.edu/~mills/leap.html>.
 
 # The International Earth Rotation and Reference Systems Service
 # periodically uses leap seconds to keep UTC to within 0.9 s of UT1
-# (which measures the true angular orientation of the earth in space); see
-# Levine J. Coordinated Universal Time and the leap second.
+# (which measures the true angular orientation of the earth in space)
+# and publishes leap second data in a copyrighted file
+# <https://hpiers.obspm.fr/iers/bul/bulc/Leap_Second.dat>.
+# See: Levine J. Coordinated Universal Time and the leap second.
 # URSI Radio Sci Bull. 2016;89(4):30-6. doi:10.23919/URSIRSB.2016.7909995
-# http://ieeexplore.ieee.org/document/7909995/
+# <https://ieeexplore.ieee.org/document/7909995>.
 # There were no leap seconds before 1972, because the official mechanism
 # accounting for the discrepancy between atomic time and the earth's rotation
-# did not exist until the early 1970s.
+# did not exist.
 
 # The correction (+ or -) is made at the given time, so lines
 # will typically look like:
@@ -48,10 +52,7 @@
 # or
 #	Leap	YEAR	MON	DAY	23:59:59	-	R/S
 
-# If the leapsecond is Rolling (R) the given time is local time.
-# If the leapsecond is Stationary (S) the given time is UTC.
-
-# Leap	YEAR	MONTH	DAY	HH:MM:SS	CORR	R/S
+# If the leap second is Rolling (R) the given time is local time (unused here).
 Leap	1972	Jun	30	23:59:60	+	S
 Leap	1972	Dec	31	23:59:60	+	S
 Leap	1973	Dec	31	23:59:60	+	S
@@ -80,5 +81,9 @@ Leap	2012	Jun	30	23:59:60	+	S
 Leap	2015	Jun	30	23:59:60	+	S
 Leap	2016	Dec	31	23:59:60	+	S
 
-#	Updated through IERS Bulletin C55
-#	File expires on:  28 December 2018
+# POSIX timestamps for the data in this file:
+#updated 1467936000
+#expires 1561680000
+
+#	Updated through IERS Bulletin C56
+#	File expires on:  28 June 2019

make/data/tzdata/northamerica

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for North and Central America and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -71,7 +73,7 @@
 #
 # Most of the US soon followed suit.  See:
 # Bartky IR. The adoption of standard time. Technol Cult 1989 Jan;30(1):25-56.
-# http://dx.doi.org/10.2307/3105430
+# https://dx.doi.org/10.2307/3105430
 
 # From Paul Eggert (2005-04-16):
 # That 1883 transition occurred at 12:00 new time, not at 12:00 old time.
@@ -460,6 +462,19 @@ Zone America/North_Dakota/Beulah -6:47:07 - LMT	1883 Nov 18 12:12:53
 # western South Dakota, far western Texas (El Paso County, Hudspeth County,
 # and Pine Springs and Nickel Creek in Culberson County), Utah, Wyoming
 #
+# From Paul Eggert (2018-10-25):
+# On 1921-03-04 federal law placed all of Texas into the central time zone.
+# However, El Paso ignored the law for decades and continued to observe
+# mountain time, on the grounds that that's what they had always done
+# and they weren't about to let the federal government tell them what to do.
+# Eventually the federal government gave in and changed the law on
+# 1970-04-10 to match what El Paso was actually doing.  Although
+# that's slightly after our 1970 cutoff, there is no need to create a
+# separate zone for El Paso since they were ignoring the law anyway.  See:
+# Long T. El Pasoans were time rebels, fought to stay in Mountain zone.
+# El Paso Times. 2018-10-24 06:40 -06.
+# https://www.elpasotimes.com/story/news/local/el-paso/2018/10/24/el-pasoans-were-time-rebels-fought-stay-mountain-zone/1744509002/
+#
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
 Rule	Denver	1920	1921	-	Mar	lastSun	2:00	1:00	D
 Rule	Denver	1920	only	-	Oct	lastSun	2:00	0	S
@@ -729,9 +744,7 @@ Zone America/Adak	 12:13:22 -	LMT	1867 Oct 19 12:44:35
 Zone Pacific/Honolulu	-10:31:26 -	LMT	1896 Jan 13 12:00
 			-10:30	-	HST	1933 Apr 30  2:00
 			-10:30	1:00	HDT	1933 May 21 12:00
-			-10:30	-	HST	1942 Feb  9  2:00
-			-10:30	1:00	HDT	1945 Sep 30  2:00
-			-10:30	-	HST	1947 Jun  8  2:00
+			-10:30	US	H%sT	1947 Jun  8  2:00
 			-10:00	-	HST
 
 # Now we turn to US areas that have diverged from the consensus since 1970.

make/data/tzdata/pacificnew

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for proposed US election time (this file is obsolete)
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 

make/data/tzdata/southamerica

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for South America and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -415,7 +417,7 @@ Rule	Arg	2008	only	-	Oct	Sun>=15	0:00	1:00	-
 # standard time, so let's do that here too.  This does not change UTC
 # offsets, only tm_isdst and the time zone abbreviations.  One minor
 # plus is that this silences a zic complaint that there's no POSIX TZ
-# setting for time stamps past 2038.
+# setting for timestamps past 2038.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 #
@@ -948,6 +950,14 @@ Rule	Brazil	2016	2022	-	Feb	Sun>=15	0:00	0	-
 # ... https://www.timeanddate.com/news/time/brazil-delays-dst-2018.html
 # From Steffen Thorsen (2017-12-20):
 # http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2017/decreto/D9242.htm
+#
+# From Fábio Gomes (2018-10-04):
+# The Brazilian president just announced a new change on this year DST.
+# It was scheduled to start on November 4th and it was changed to November 18th.
+# From Rodrigo Brüning Wessler (2018-10-15):
+# The Brazilian government just announced that the change in DST was
+# canceled....  Maybe the president Michel Temer also woke up one hour
+# earlier today. :)
 Rule	Brazil	2018	max	-	Nov	Sun>=1	0:00	1:00	-
 Rule	Brazil	2023	only	-	Feb	Sun>=22	0:00	0	-
 Rule	Brazil	2024	2025	-	Feb	Sun>=15	0:00	0	-
@@ -1254,6 +1264,24 @@ Zone America/Rio_Branco	-4:31:12 -	LMT	1914
 # they will switch from -03 to -04 one hour after Santiago does that day.
 # For now, assume that they will not revert.
 
+# From Juan Correa (2018-08-13):
+# As of moments ago, the Ministry of Energy in Chile has announced the new
+# schema for DST. ...  Announcement in video (in Spanish):
+# https://twitter.com/MinEnergia/status/1029000399129374720
+# From Yonathan Dossow (2018-08-13):
+# The video says "first Saturday of September", we all know it means Sunday at
+# midnight.
+# From Tim Parenti (2018-08-13):
+# Translating the captions on the video at 0:44-0:55, "We want to announce as
+# Government that from 2019, Winter Time will be increased to 5 months, between
+# the first Saturday of April and the first Saturday of September."
+# At 2:08-2:20, "The Magallanes region will maintain its current time, as
+# decided by the citizens during 2017, but our Government will promote a
+# regional dialogue table to gather their opinion on this matter."
+# https://twitter.com/MinEnergia/status/1029009354001973248
+# "We will keep the new time policy unchanged for at least the next 4 years."
+# So we extend the new rules on Saturdays at 24:00 mainland time indefinitely.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Chile	1927	1931	-	Sep	 1	0:00	1:00	-
 Rule	Chile	1928	1932	-	Apr	 1	0:00	0	-
@@ -1287,8 +1315,10 @@ Rule	Chile	2011	only	-	May	Sun>=2	3:00u	0	-
 Rule	Chile	2011	only	-	Aug	Sun>=16	4:00u	1:00	-
 Rule	Chile	2012	2014	-	Apr	Sun>=23	3:00u	0	-
 Rule	Chile	2012	2014	-	Sep	Sun>=2	4:00u	1:00	-
-Rule	Chile	2016	max	-	May	Sun>=9	3:00u	0	-
-Rule	Chile	2016	max	-	Aug	Sun>=9	4:00u	1:00	-
+Rule	Chile	2016	2018	-	May	Sun>=9	3:00u	0	-
+Rule	Chile	2016	2018	-	Aug	Sun>=9	4:00u	1:00	-
+Rule	Chile	2019	max	-	Apr	Sun>=2	3:00u	0	-
+Rule	Chile	2019	max	-	Sep	Sun>=2	4:00u	1:00	-
 # IATA SSIM anomalies: (1992-02) says 1992-03-14;
 # (1996-09) says 1998-03-08.  Ignore these.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]

make/data/tzdata/systemv

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for System V rules (this file is obsolete)
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 

make/data/tzdata/zone.tab

@@ -21,12 +21,12 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-# tz zone descriptions (deprecated version)
+# tzdb timezone descriptions (deprecated version)
 #
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 #
-# From Paul Eggert (2014-07-31):
+# From Paul Eggert (2018-06-27):
 # This file is intended as a backward-compatibility aid for older programs.
 # New programs should use zone1970.tab.  This file is like zone1970.tab (see
 # zone1970.tab's comments), but with the following additional restrictions:
@@ -35,13 +35,13 @@
 # 2.  The first data column contains exactly one country code.
 #
 # Because of (2), each row stands for an area that is the intersection
-# of a region identified by a country code and of a zone where civil
+# of a region identified by a country code and of a timezone where civil
 # clocks have agreed since 1970; this is a narrower definition than
 # that of zone1970.tab.
 #
-# This table is intended as an aid for users, to help them select time
-# zone data entries appropriate for their practical needs.  It is not
-# intended to take or endorse any position on legal or territorial claims.
+# This table is intended as an aid for users, to help them select timezones
+# appropriate for their practical needs.  It is not intended to take or
+# endorse any position on legal or territorial claims.
 #
 #country-
 #code	coordinates	TZ			comments
@@ -291,7 +291,7 @@ MM	+1647+09610	Asia/Yangon
 MN	+4755+10653	Asia/Ulaanbaatar	Mongolia (most areas)
 MN	+4801+09139	Asia/Hovd	Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan
 MN	+4804+11430	Asia/Choibalsan	Dornod, Sukhbaatar
-MO	+2214+11335	Asia/Macau
+MO	+221150+1133230	Asia/Macau
 MP	+1512+14545	Pacific/Saipan
 MQ	+1436-06105	America/Martinique
 MR	+1806-01557	Africa/Nouakchott

make/lib/NetworkingLibraries.gmk

@@ -75,7 +75,7 @@ $(eval $(call SetupNativeCompilation,BUILD_LIBNET, \
     LDFLAGS_SUFFIX_linux := $(LIBDL) -ljvm -lpthread -ljava, \
     LDFLAGS_SUFFIX_aix := $(LIBDL) -ljvm -ljava,\
     LDFLAGS_SUFFIX_windows := ws2_32.lib jvm.lib secur32.lib iphlpapi.lib \
-        delayimp.lib $(WIN_JAVA_LIB) advapi32.lib \
+        delayimp.lib urlmon.lib $(WIN_JAVA_LIB) advapi32.lib \
         -DELAYLOAD:secur32.dll -DELAYLOAD:iphlpapi.dll, \
     VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
     RC_FLAGS := $(RC_FLAGS) \

src/macosx/native/sun/font/CCharToGlyphMapper.m

 /*
- * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
  *
  * This code is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

src/share/classes/com/sun/crypto/provider/RSACipher.java

 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -329,7 +329,7 @@ public final class RSACipher extends CipherSpi {
         if ((inLen == 0) || (in == null)) {
             return;
         }
-        if (bufOfs + inLen > buffer.length) {
+        if (inLen > (buffer.length - bufOfs)) {
             bufOfs = buffer.length + 1;
             return;
         }

src/share/classes/java/awt/Robot.java

@@ -391,6 +391,7 @@ public class Robot {
      * @return  Color of the pixel
      */
     public synchronized Color getPixelColor(int x, int y) {
+        checkScreenCaptureAllowed();
         Color color = new Color(peer.getRGBPixel(x, y));
         return color;
     }

src/share/classes/java/math/BigDecimal.java

 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,8 +29,8 @@
 
 package java.math;
 
-import java.util.Arrays;
 import static java.math.BigInteger.LONG_MASK;
+import java.util.Arrays;
 
 /**
  * Immutable, arbitrary-precision signed decimal numbers.  A
@@ -407,9 +407,12 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
      * @since  1.5
      */
     public BigDecimal(char[] in, int offset, int len, MathContext mc) {
-        // protect against huge length.
-        if (offset + len > in.length || offset < 0)
-            throw new NumberFormatException("Bad offset or len arguments for char[] input.");
+        // protect against huge length, negative values, and integer overflow
+        if ((in.length | len | offset) < 0 || len > in.length - offset) {
+            throw new NumberFormatException
+                ("Bad offset or len arguments for char[] input.");
+        }
+
         // This is the primary string to BigDecimal constructor; all
         // incoming strings end up here; it uses explicit (inline)
         // parsing for speed and generates at most one intermediate

src/share/classes/java/math/BigInteger.java

 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1161,6 +1161,14 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
     private static final double LOG_TWO = Math.log(2.0);
 
     static {
+        assert 0 < KARATSUBA_THRESHOLD
+            && KARATSUBA_THRESHOLD < TOOM_COOK_THRESHOLD
+            && TOOM_COOK_THRESHOLD < Integer.MAX_VALUE
+            && 0 < KARATSUBA_SQUARE_THRESHOLD
+            && KARATSUBA_SQUARE_THRESHOLD < TOOM_COOK_SQUARE_THRESHOLD
+            && TOOM_COOK_SQUARE_THRESHOLD < Integer.MAX_VALUE :
+            "Algorithm thresholds are inconsistent";
+
         for (int i = 1; i <= MAX_CONSTANT; i++) {
             int[] magnitude = new int[1];
             magnitude[0] = i;
@@ -1482,6 +1490,18 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
      * @return {@code this * val}
      */
     public BigInteger multiply(BigInteger val) {
+        return multiply(val, false);
+    }
+
+    /**
+     * Returns a BigInteger whose value is {@code (this * val)}.  If
+     * the invocation is recursive certain overflow checks are skipped.
+     *
+     * @param  val value to be multiplied by this BigInteger.
+     * @param  isRecursion whether this is a recursive invocation
+     * @return {@code this * val}
+     */
+    private BigInteger multiply(BigInteger val, boolean isRecursion) {
         if (val.signum == 0 || signum == 0)
             return ZERO;
 
@@ -1509,6 +1529,63 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
             if ((xlen < TOOM_COOK_THRESHOLD) && (ylen < TOOM_COOK_THRESHOLD)) {
                 return multiplyKaratsuba(this, val);
             } else {
+                //
+                // In "Hacker's Delight" section 2-13, p.33, it is explained
+                // that if x and y are unsigned 32-bit quantities and m and n
+                // are their respective numbers of leading zeros within 32 bits,
+                // then the number of leading zeros within their product as a
+                // 64-bit unsigned quantity is either m + n or m + n + 1. If
+                // their product is not to overflow, it cannot exceed 32 bits,
+                // and so the number of leading zeros of the product within 64
+                // bits must be at least 32, i.e., the leftmost set bit is at
+                // zero-relative position 31 or less.
+                //
+                // From the above there are three cases:
+                //
+                //     m + n    leftmost set bit    condition
+                //     -----    ----------------    ---------
+                //     >= 32    x <= 64 - 32 = 32   no overflow
+                //     == 31    x >= 64 - 32 = 32   possible overflow
+                //     <= 30    x >= 64 - 31 = 33   definite overflow
+                //
+                // The "possible overflow" condition cannot be detected by
+                // examning data lengths alone and requires further calculation.
+                //
+                // By analogy, if 'this' and 'val' have m and n as their
+                // respective numbers of leading zeros within 32*MAX_MAG_LENGTH
+                // bits, then:
+                //
+                //     m + n >= 32*MAX_MAG_LENGTH        no overflow
+                //     m + n == 32*MAX_MAG_LENGTH - 1    possible overflow
+                //     m + n <= 32*MAX_MAG_LENGTH - 2    definite overflow
+                //
+                // Note however that if the number of ints in the result
+                // were to be MAX_MAG_LENGTH and mag[0] < 0, then there would
+                // be overflow. As a result the leftmost bit (of mag[0]) cannot
+                // be used and the constraints must be adjusted by one bit to:
+                //
+                //     m + n >  32*MAX_MAG_LENGTH        no overflow
+                //     m + n == 32*MAX_MAG_LENGTH        possible overflow
+                //     m + n <  32*MAX_MAG_LENGTH        definite overflow
+                //
+                // The foregoing leading zero-based discussion is for clarity
+                // only. The actual calculations use the estimated bit length
+                // of the product as this is more natural to the internal
+                // array representation of the magnitude which has no leading
+                // zero elements.
+                //
+                if (!isRecursion) {
+                    // The bitLength() instance method is not used here as we
+                    // are only considering the magnitudes as non-negative. The
+                    // Toom-Cook multiplication algorithm determines the sign
+                    // at its end from the two signum values.
+                    if (bitLength(mag, mag.length) +
+                        bitLength(val.mag, val.mag.length) >
+                        32L*MAX_MAG_LENGTH) {
+                        reportOverflow();
+                    }
+                }
+
                 return multiplyToomCook3(this, val);
             }
         }
@@ -1709,16 +1786,16 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
 
         BigInteger v0, v1, v2, vm1, vinf, t1, t2, tm1, da1, db1;
 
-        v0 = a0.multiply(b0);
+        v0 = a0.multiply(b0, true);
         da1 = a2.add(a0);
         db1 = b2.add(b0);
-        vm1 = da1.subtract(a1).multiply(db1.subtract(b1));
+        vm1 = da1.subtract(a1).multiply(db1.subtract(b1), true);
         da1 = da1.add(a1);
         db1 = db1.add(b1);
-        v1 = da1.multiply(db1);
+        v1 = da1.multiply(db1, true);
         v2 = da1.add(a2).shiftLeft(1).subtract(a0).multiply(
-             db1.add(b2).shiftLeft(1).subtract(b0));
-        vinf = a2.multiply(b2);
+             db1.add(b2).shiftLeft(1).subtract(b0), true);
+        vinf = a2.multiply(b2, true);
 
         // The algorithm requires two divisions by 2 and one by 3.
         // All divisions are known to be exact, that is, they do not produce
@@ -1884,6 +1961,17 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
      * @return {@code this<sup>2</sup>}
      */
     private BigInteger square() {
+        return square(false);
+    }
+
+    /**
+     * Returns a BigInteger whose value is {@code (this<sup>2</sup>)}. If
+     * the invocation is recursive certain overflow checks are skipped.
+     *
+     * @param isRecursion whether this is a recursive invocation
+     * @return {@code this<sup>2</sup>}
+     */
+    private BigInteger square(boolean isRecursion) {
         if (signum == 0) {
             return ZERO;
         }
@@ -1896,6 +1984,15 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
             if (len < TOOM_COOK_SQUARE_THRESHOLD) {
                 return squareKaratsuba();
             } else {
+                //
+                // For a discussion of overflow detection see multiply()
+                //
+                if (!isRecursion) {
+                    if (bitLength(mag, mag.length) > 16L*MAX_MAG_LENGTH) {
+                        reportOverflow();
+                    }
+                }
+
                 return squareToomCook3();
             }
         }
@@ -2046,13 +2143,13 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
         a0 = getToomSlice(k, r, 2, len);
         BigInteger v0, v1, v2, vm1, vinf, t1, t2, tm1, da1;
 
-        v0 = a0.square();
+        v0 = a0.square(true);
         da1 = a2.add(a0);
-        vm1 = da1.subtract(a1).square();
+        vm1 = da1.subtract(a1).square(true);
         da1 = da1.add(a1);
-        v1 = da1.square();
-        vinf = a2.square();
-        v2 = da1.add(a2).shiftLeft(1).subtract(a0).square();
+        v1 = da1.square(true);
+        vinf = a2.square(true);
+        v2 = da1.add(a2).shiftLeft(1).subtract(a0).square(true);
 
         // The algorithm requires two divisions by 2 and one by 3.
         // All divisions are known to be exact, that is, they do not produce
@@ -2223,10 +2320,11 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
         // The remaining part can then be exponentiated faster.  The
         // powers of two will be multiplied back at the end.
         int powersOfTwo = partToSquare.getLowestSetBit();
-        long bitsToShift = (long)powersOfTwo * exponent;
-        if (bitsToShift > Integer.MAX_VALUE) {
+        long bitsToShiftLong = (long)powersOfTwo * exponent;
+        if (bitsToShiftLong > Integer.MAX_VALUE) {
             reportOverflow();
         }
+        int bitsToShift = (int)bitsToShiftLong;
 
         int remainingBits;
 
@@ -2236,9 +2334,9 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
             remainingBits = partToSquare.bitLength();
             if (remainingBits == 1) {  // Nothing left but +/- 1?
                 if (signum < 0 && (exponent&1) == 1) {
-                    return NEGATIVE_ONE.shiftLeft(powersOfTwo*exponent);
+                    return NEGATIVE_ONE.shiftLeft(bitsToShift);
                 } else {
-                    return ONE.shiftLeft(powersOfTwo*exponent);
+                    return ONE.shiftLeft(bitsToShift);
                 }
             }
         } else {
@@ -2283,13 +2381,16 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
                 if (bitsToShift + scaleFactor <= 62) { // Fits in long?
                     return valueOf((result << bitsToShift) * newSign);
                 } else {
-                    return valueOf(result*newSign).shiftLeft((int) bitsToShift);
-                }
+                    return valueOf(result*newSign).shiftLeft(bitsToShift);
                 }
-            else {
+            } else {
                 return valueOf(result*newSign);
             }
         } else {
+            if ((long)bitLength() * exponent / Integer.SIZE > MAX_MAG_LENGTH) {
+                reportOverflow();
+            }
+
             // Large number algorithm.  This is basically identical to
             // the algorithm above, but calls multiply() and square()
             // which may use more efficient algorithms for large numbers.
@@ -2309,7 +2410,7 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
             // Multiply back the (exponentiated) powers of two (quickly,
             // by shifting left)
             if (powersOfTwo > 0) {
-                answer = answer.shiftLeft(powersOfTwo*exponent);
+                answer = answer.shiftLeft(bitsToShift);
             }
 
             if (signum < 0 && (exponent&1) == 1) {
@@ -3434,7 +3535,7 @@ public class BigInteger extends Number implements Comparable<BigInteger> {
                      for (int i=1; i< len && pow2; i++)
                          pow2 = (mag[i] == 0);
 
-                     n = (pow2 ? magBitLength -1 : magBitLength);
+                     n = (pow2 ? magBitLength - 1 : magBitLength);
                  } else {
                      n = magBitLength;
                  }

src/share/classes/java/time/chrono/JapaneseEra.java

@@ -73,6 +73,7 @@ import java.io.ObjectStreamException;
 import java.io.Serializable;
 import java.time.DateTimeException;
 import java.time.LocalDate;
+import java.time.format.DateTimeFormatterBuilder;
 import java.time.format.TextStyle;
 import java.time.temporal.ChronoField;
 import java.time.temporal.TemporalField;
@@ -283,7 +284,12 @@ public final class JapaneseEra
             Objects.requireNonNull(locale, "locale");
             return style.asNormal() == TextStyle.NARROW ? getAbbreviation() : getName();
         }
-        return Era.super.getDisplayName(style, locale);
+
+        return new DateTimeFormatterBuilder()
+            .appendText(ERA, style)
+            .toFormatter(locale)
+            .withChronology(JapaneseChronology.INSTANCE)
+            .format(this == MEIJI ? MEIJI_6_ISODATE : since);
     }
 
     //-----------------------------------------------------------------------

src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java

@@ -33,8 +33,7 @@ import java.net.URL;
  * credentials without prompting) should only be tried with trusted sites.
  */
 public abstract class NTLMAuthenticationCallback {
-    private static volatile NTLMAuthenticationCallback callback =
-            new DefaultNTLMAuthenticationCallback();
+    private static volatile NTLMAuthenticationCallback callback;
 
     public static void setNTLMAuthenticationCallback(
             NTLMAuthenticationCallback callback) {
@@ -50,10 +49,5 @@ public abstract class NTLMAuthenticationCallback {
      * transparent Authentication.
      */
     public abstract boolean isTrustedSite(URL url);
-
-    static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
-        @Override
-        public boolean isTrustedSite(URL url) { return true; }
-    }
 }
 

src/share/classes/sun/nio/ch/FileChannelImpl.java

@@ -551,11 +551,10 @@ public class FileChannelImpl
     {
         // Untrusted target: Use a newly-erased buffer
         int c = Math.min(icount, TRANSFER_SIZE);
-        ByteBuffer bb = Util.getTemporaryDirectBuffer(c);
+        ByteBuffer bb = ByteBuffer.allocate(c);
         long tw = 0;                    // Total bytes written
         long pos = position;
         try {
-            Util.erase(bb);
             while (tw < icount) {
                 bb.limit(Math.min((int)(icount - tw), TRANSFER_SIZE));
                 int nr = read(bb, pos);
@@ -576,8 +575,6 @@ public class FileChannelImpl
             if (tw > 0)
                 return tw;
             throw x;
-        } finally {
-            Util.releaseTemporaryDirectBuffer(bb);
         }
     }
 
@@ -661,11 +658,10 @@ public class FileChannelImpl
     {
         // Untrusted target: Use a newly-erased buffer
         int c = (int)Math.min(count, TRANSFER_SIZE);
-        ByteBuffer bb = Util.getTemporaryDirectBuffer(c);
+        ByteBuffer bb = ByteBuffer.allocate(c);
         long tw = 0;                    // Total bytes written
         long pos = position;
         try {
-            Util.erase(bb);
             while (tw < count) {
                 bb.limit((int)Math.min((count - tw), (long)TRANSFER_SIZE));
                 // ## Bug: Will block reading src if this channel
@@ -686,8 +682,6 @@ public class FileChannelImpl
             if (tw > 0)
                 return tw;
             throw x;
-        } finally {
-            Util.releaseTemporaryDirectBuffer(bb);
         }
     }
 

src/share/classes/sun/security/pkcs11/P11Signature.java

 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -472,6 +472,10 @@ final class P11Signature extends SignatureSpi {
         if (len == 0) {
             return;
         }
+        // check for overflow
+        if (len + bytesProcessed < 0) {
+            throw new ProviderException("Processed bytes limits exceeded.");
+        }
         switch (type) {
         case T_UPDATE:
             try {

src/share/classes/sun/security/provider/DSA.java

 /*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -491,7 +491,7 @@ abstract class DSA extends SignatureSpi {
                 }
             }
             protected void engineUpdate(byte[] input, int offset, int len) {
-                if (ofs + len > digestBuffer.length) {
+                if (len > (digestBuffer.length - ofs)) {
                     ofs = Integer.MAX_VALUE;
                 } else {
                     System.arraycopy(input, offset, digestBuffer, ofs, len);
@@ -500,7 +500,7 @@ abstract class DSA extends SignatureSpi {
             }
             protected final void engineUpdate(ByteBuffer input) {
                 int inputLen = input.remaining();
-                if (ofs + inputLen > digestBuffer.length) {
+                if (inputLen > (digestBuffer.length - ofs)) {
                     ofs = Integer.MAX_VALUE;
                 } else {
                     input.get(digestBuffer, ofs, inputLen);

src/share/classes/sun/security/tools/jarsigner/Resources.java

@@ -219,6 +219,7 @@ public class Resources extends java.util.ListResourceBundle {
         {"Error.", "Error: "},
         {"...Signer", ">>> Signer"},
         {"...TSA", ">>> TSA"},
+        {"trusted.certificate", "trusted certificate"},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "This jar contains unsigned entries which have not been integrity-checked. "},
         {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -235,8 +236,16 @@ public class Resources extends java.util.ListResourceBundle {
                 "Re-run with the -verbose and -certs options for more details."},
         {"The.signer.certificate.has.expired.",
                 "The signer certificate has expired."},
+        {"The.timestamp.expired.1.but.usable.2",
+                "The timestamp expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
+        {"The.timestamp.has.expired.",
+                "The timestamp has expired."},
         {"The.signer.certificate.will.expire.within.six.months.",
                 "The signer certificate will expire within six months."},
+        {"The.timestamp.will.expire.within.one.year.on.1",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.within.one.year.on.1.but.2",
+                "The timestamp will expire within one year on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the signer certificate expires on %2$tY-%2$tm-%2$td."},
         {"The.signer.certificate.is.not.yet.valid.",
                 "The signer certificate is not yet valid."},
         {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
@@ -267,10 +276,18 @@ public class Resources extends java.util.ListResourceBundle {
                 "This jar contains entries whose TSA certificate chain is invalid. Reason: %s"},
         {"no.timestamp.signing",
                 "No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+        {"invalid.timestamp.signing",
+                "The timestamp is invalid. Without a valid timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td)."},
         {"no.timestamp.verifying",
-                "This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (%1$tY-%1$tm-%1$td) or after any future revocation date."},
+                "This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td)."},
         {"bad.timestamp.verifying",
                 "This jar contains signatures that include an invalid timestamp. Without a valid timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as %1$tY-%1$tm-%1$td).\nRerun jarsigner with -J-Djava.security.debug=jar for more information."},
+        {"The.signer.certificate.will.expire.on.1.",
+                "The signer certificate will expire on %1$tY-%1$tm-%1$td."},
+        {"The.timestamp.will.expire.on.1.",
+                "The timestamp will expire on %1$tY-%1$tm-%1$td."},
+        {"signer.cert.expired.1.but.timestamp.good.2.",
+                "The signer certificate expired on %1$tY-%1$tm-%1$td. However, the JAR will be valid until the timestamp expires on %2$tY-%2$tm-%2$td."},
         {"Unknown.password.type.", "Unknown password type: "},
         {"Cannot.find.environment.variable.",
                 "Cannot find environment variable: "},

src/share/classes/sun/security/tools/jarsigner/Resources_ja.java

@@ -217,6 +217,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
         {"Error.", "\u30A8\u30E9\u30FC: "},
         {"...Signer", ">>> \u7F72\u540D\u8005"},
         {"...TSA", ">>> TSA"},
+        {"trusted.certificate", "\u4FE1\u983C\u3067\u304D\u308B\u8A3C\u660E\u66F8"},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "\u3053\u306Ejar\u306B\u306F\u3001\u6574\u5408\u6027\u30C1\u30A7\u30C3\u30AF\u3092\u3057\u3066\u3044\u306A\u3044\u7F72\u540D\u306A\u3057\u306E\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002 "},
         {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -233,8 +234,16 @@ public class Resources_ja extends java.util.ListResourceBundle {
                 "\u8A73\u7D30\u306F\u3001-verbose\u304A\u3088\u3073-certs\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u4F7F\u7528\u3057\u3066\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
         {"The.signer.certificate.has.expired.",
                 "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F\u671F\u9650\u5207\u308C\u3067\u3059\u3002"},
+        {"The.timestamp.expired.1.but.usable.2",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306F%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002\u305F\u3060\u3057\u3001JAR\u306F\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u304C%2$tY-%2$tm-%2$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308B\u307E\u3067\u6709\u52B9\u3067\u3059\u3002"},
+        {"The.timestamp.has.expired.",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306F\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3057\u305F\u3002"},
         {"The.signer.certificate.will.expire.within.six.months.",
                 "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F6\u304B\u6708\u4EE5\u5185\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002"},
+        {"The.timestamp.will.expire.within.one.year.on.1",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306F1\u5E74\u4EE5\u5185\u306E%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002"},
+        {"The.timestamp.will.expire.within.one.year.on.1.but.2",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306F1\u5E74\u4EE5\u5185\u306E%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002\u305F\u3060\u3057\u3001JAR\u306F\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u304C%2$tY-%2$tm-%2$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308B\u307E\u3067\u6709\u52B9\u3067\u3059\u3002"},
         {"The.signer.certificate.is.not.yet.valid.",
                 "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F\u307E\u3060\u6709\u52B9\u306B\u306A\u3063\u3066\u3044\u307E\u305B\u3093\u3002"},
         {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
@@ -265,10 +274,18 @@ public class Resources_ja extends java.util.ListResourceBundle {
                 "\u3053\u306Ejar\u306B\u306F\u3001TSA\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u304C\u7121\u52B9\u306A\u30A8\u30F3\u30C8\u30EA\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002\u7406\u7531: %s"},
         {"no.timestamp.signing",
                 "-tsa\u307E\u305F\u306F-tsacert\u304C\u6307\u5B9A\u3055\u308C\u3066\u3044\u306A\u3044\u305F\u3081\u3001\u3053\u306Ejar\u306B\u306F\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u4ED8\u52A0\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u3068\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306E\u6709\u52B9\u671F\u9650(%1$tY-%1$tm-%1$td)\u5F8C\u307E\u305F\u306F\u5C06\u6765\u306E\u5931\u52B9\u65E5\u5F8C\u306B\u3001\u30E6\u30FC\u30B6\u30FC\u306F\u3053\u306Ejar\u3092\u691C\u8A3C\u3067\u304D\u306A\u3044\u53EF\u80FD\u6027\u304C\u3042\u308A\u307E\u3059\u3002"},
+        {"invalid.timestamp.signing",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u7121\u52B9\u3067\u3059\u3002\u6709\u52B9\u306A\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u3068\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306E\u6709\u52B9\u671F\u9650(%1$tY-%1$tm-%1$td)\u5F8C\u306B\u3001\u30E6\u30FC\u30B6\u30FC\u306F\u3053\u306Ejar\u3092\u691C\u8A3C\u3067\u304D\u306A\u3044\u53EF\u80FD\u6027\u304C\u3042\u308A\u307E\u3059\u3002"},
         {"no.timestamp.verifying",
-                "\u3053\u306Ejar\u306B\u306F\u3001\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u7F72\u540D\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u3068\u3001\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306E\u6709\u52B9\u671F\u9650(%1$tY-%1$tm-%1$td)\u5F8C\u307E\u305F\u306F\u5C06\u6765\u306E\u5931\u52B9\u65E5\u5F8C\u306B\u3001\u30E6\u30FC\u30B6\u30FC\u306F\u3053\u306Ejar\u3092\u691C\u8A3C\u3067\u304D\u306A\u3044\u53EF\u80FD\u6027\u304C\u3042\u308A\u307E\u3059\u3002"},
+                "\u3053\u306Ejar\u306B\u306F\u3001\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u7F72\u540D\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u3068\u3001\u3044\u305A\u308C\u304B\u306E\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306E\u6709\u52B9\u671F\u9650\u5F8C\u306B(\u65E9\u3051\u308C\u3070%1$tY-%1$tm-%1$td)\u30E6\u30FC\u30B6\u30FC\u306F\u3053\u306Ejar\u3092\u691C\u8A3C\u3067\u304D\u306A\u3044\u53EF\u80FD\u6027\u304C\u3042\u308A\u307E\u3059\u3002"},
         {"bad.timestamp.verifying",
                 "\u3053\u306Ejar\u306B\u306F\u3001\u7121\u52B9\u306A\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u3042\u308B\u7F72\u540D\u304C\u542B\u307E\u308C\u3066\u3044\u307E\u3059\u3002\u6709\u52B9\u306A\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C\u306A\u3044\u3068\u3001\u3044\u305A\u308C\u304B\u306E\u7F72\u540D\u8005\u8A3C\u660E\u66F8\u306E\u6709\u52B9\u671F\u9650\u5F8C\u306B(\u65E9\u3051\u308C\u3070%1$tY-%1$tm-%1$td)\u30E6\u30FC\u30B6\u30FC\u306F\u3053\u306Ejar\u3092\u691C\u8A3C\u3067\u304D\u306A\u3044\u53EF\u80FD\u6027\u304C\u3042\u308A\u307E\u3059\u3002\n\u8A73\u7D30\u306F\u3001-J-Djava.security.debug=jar\u3092\u6307\u5B9A\u3057\u3066jarsigner\u3092\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
+        {"The.signer.certificate.will.expire.on.1.",
+                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002"},
+        {"The.timestamp.will.expire.on.1.",
+                "\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306F%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002"},
+        {"signer.cert.expired.1.but.timestamp.good.2.",
+                "\u7F72\u540D\u8005\u306E\u8A3C\u660E\u66F8\u306F%1$tY-%1$tm-%1$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308A\u307E\u3059\u3002\u305F\u3060\u3057\u3001JAR\u306F\u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u304C%2$tY-%2$tm-%2$td\u306B\u671F\u9650\u5207\u308C\u306B\u306A\u308B\u307E\u3067\u6709\u52B9\u3067\u3059\u3002"},
         {"Unknown.password.type.", "\u4E0D\u660E\u306A\u30D1\u30B9\u30EF\u30FC\u30C9\u30FB\u30BF\u30A4\u30D7: "},
         {"Cannot.find.environment.variable.",
                 "\u74B0\u5883\u5909\u6570\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093: "},

src/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java

@@ -217,6 +217,7 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {"Error.", "\u9519\u8BEF: "},
         {"...Signer", ">>> \u7B7E\u540D\u8005"},
         {"...TSA", ">>> TSA"},
+        {"trusted.certificate", "\u53EF\u4FE1\u8BC1\u4E66"},
         {"This.jar.contains.unsigned.entries.which.have.not.been.integrity.checked.",
                 "\u6B64 jar \u5305\u542B\u5C1A\u672A\u8FDB\u884C\u5B8C\u6574\u6027\u68C0\u67E5\u7684\u672A\u7B7E\u540D\u6761\u76EE\u3002 "},
         {"This.jar.contains.entries.whose.signer.certificate.has.expired.",
@@ -233,8 +234,16 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
                 "\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -verbose \u548C -certs \u9009\u9879\u91CD\u65B0\u8FD0\u884C\u3002"},
         {"The.signer.certificate.has.expired.",
                 "\u7B7E\u540D\u8005\u8BC1\u4E66\u5DF2\u8FC7\u671F\u3002"},
+        {"The.timestamp.expired.1.but.usable.2",
+                "\u65F6\u95F4\u6233\u5230\u671F\u65E5\u671F\u4E3A %1$tY-%1$tm-%1$td\u3002\u4E0D\u8FC7\uFF0C\u5728\u7B7E\u540D\u8005\u8BC1\u4E66\u4E8E %2$tY-%2$tm-%2$td \u5230\u671F\u4E4B\u524D\uFF0CJAR \u5C06\u6709\u6548\u3002"},
+        {"The.timestamp.has.expired.",
+                "\u65F6\u95F4\u6233\u5DF2\u5230\u671F\u3002"},
         {"The.signer.certificate.will.expire.within.six.months.",
                 "\u7B7E\u540D\u8005\u8BC1\u4E66\u5C06\u5728\u516D\u4E2A\u6708\u5185\u8FC7\u671F\u3002"},
+        {"The.timestamp.will.expire.within.one.year.on.1",
+                "\u65F6\u95F4\u6233\u5C06\u5728\u4E00\u5E74\u5185\u4E8E %1$tY-%1$tm-%1$td \u5230\u671F\u3002"},
+        {"The.timestamp.will.expire.within.one.year.on.1.but.2",
+                "\u65F6\u95F4\u6233\u5C06\u5728\u4E00\u5E74\u5185\u4E8E %1$tY-%1$tm-%1$td \u5230\u671F\u3002\u4E0D\u8FC7\uFF0C\u5728\u7B7E\u540D\u8005\u8BC1\u4E66\u4E8E %2$tY-%2$tm-%2$td \u5230\u671F\u4E4B\u524D\uFF0CJAR \u5C06\u6709\u6548\u3002"},
         {"The.signer.certificate.is.not.yet.valid.",
                 "\u7B7E\u540D\u8005\u8BC1\u4E66\u4ECD\u65E0\u6548\u3002"},
         {"The.signer.certificate.s.KeyUsage.extension.doesn.t.allow.code.signing.",
@@ -265,10 +274,18 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
                 "\u6B64 jar \u5305\u542B\u5176 TSA \u8BC1\u4E66\u94FE\u65E0\u6548\u7684\u6761\u76EE\u3002\u539F\u56E0: %s"},
         {"no.timestamp.signing",
                 "\u672A\u63D0\u4F9B -tsa \u6216 -tsacert, \u6B64 jar \u6CA1\u6709\u65F6\u95F4\u6233\u3002\u5982\u679C\u6CA1\u6709\u65F6\u95F4\u6233, \u5219\u5728\u7B7E\u540D\u8005\u8BC1\u4E66\u7684\u5230\u671F\u65E5\u671F (%1$tY-%1$tm-%1$td) \u6216\u4EE5\u540E\u7684\u4EFB\u4F55\u64A4\u9500\u65E5\u671F\u4E4B\u540E, \u7528\u6237\u53EF\u80FD\u65E0\u6CD5\u9A8C\u8BC1\u6B64 jar\u3002"},
+        {"invalid.timestamp.signing",
+                "\u65F6\u95F4\u6233\u65E0\u6548\u3002\u5982\u679C\u6CA1\u6709\u6709\u6548\u7684\u65F6\u95F4\u6233\uFF0C\u5219\u5728\u7B7E\u540D\u8005\u8BC1\u4E66\u7684\u5230\u671F\u65E5\u671F (%1$tY-%1$tm-%1$td) \u4E4B\u540E\uFF0C\u7528\u6237\u53EF\u80FD\u65E0\u6CD5\u9A8C\u8BC1\u6B64 jar\u3002"},
         {"no.timestamp.verifying",
-                "\u6B64 jar \u5305\u542B\u7684\u7B7E\u540D\u6CA1\u6709\u65F6\u95F4\u6233\u3002\u5982\u679C\u6CA1\u6709\u65F6\u95F4\u6233, \u5219\u5728\u7B7E\u540D\u8005\u8BC1\u4E66\u7684\u5230\u671F\u65E5\u671F (%1$tY-%1$tm-%1$td) \u6216\u4EE5\u540E\u7684\u4EFB\u4F55\u64A4\u9500\u65E5\u671F\u4E4B\u540E, \u7528\u6237\u53EF\u80FD\u65E0\u6CD5\u9A8C\u8BC1\u6B64 jar\u3002"},
+                "\u6B64 jar \u5305\u542B\u7684\u7B7E\u540D\u6CA1\u6709\u65F6\u95F4\u6233\u3002\u5982\u679C\u6CA1\u6709\u65F6\u95F4\u6233, \u5219\u5728\u5176\u4E2D\u4EFB\u4E00\u7B7E\u540D\u8005\u8BC1\u4E66\u5230\u671F (\u6700\u65E9\u4E3A %1$tY-%1$tm-%1$td) \u4E4B\u540E, \u7528\u6237\u53EF\u80FD\u65E0\u6CD5\u9A8C\u8BC1\u6B64 jar\u3002"},
         {"bad.timestamp.verifying",
                 "\u6B64 jar \u5305\u542B\u5E26\u6709\u65E0\u6548\u65F6\u95F4\u6233\u7684\u7B7E\u540D\u3002\u5982\u679C\u6CA1\u6709\u6709\u6548\u65F6\u95F4\u6233, \u5219\u5728\u5176\u4E2D\u4EFB\u4E00\u7B7E\u540D\u8005\u8BC1\u4E66\u5230\u671F (\u6700\u65E9\u4E3A %1$tY-%1$tm-%1$td) \u4E4B\u540E, \u7528\u6237\u53EF\u80FD\u65E0\u6CD5\u9A8C\u8BC1\u6B64 jar\u3002\n\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -J-Djava.security.debug=jar \u91CD\u65B0\u8FD0\u884C jarsigner\u3002"},
+        {"The.signer.certificate.will.expire.on.1.",
+                "\u7B7E\u540D\u8005\u8BC1\u4E66\u5C06\u4E8E %1$tY-%1$tm-%1$td \u5230\u671F\u3002"},
+        {"The.timestamp.will.expire.on.1.",
+                "\u65F6\u95F4\u6233\u5C06\u4E8E %1$tY-%1$tm-%1$td \u5230\u671F\u3002"},
+        {"signer.cert.expired.1.but.timestamp.good.2.",
+                "\u7B7E\u540D\u8005\u8BC1\u4E66\u5230\u671F\u65E5\u671F\u4E3A %1$tY-%1$tm-%1$td\u3002\u4E0D\u8FC7\uFF0C\u5728\u65F6\u95F4\u6233\u4E8E %2$tY-%2$tm-%2$td \u5230\u671F\u4E4B\u524D\uFF0CJAR \u5C06\u6709\u6548\u3002"},
         {"Unknown.password.type.", "\u672A\u77E5\u53E3\u4EE4\u7C7B\u578B: "},
         {"Cannot.find.environment.variable.",
                 "\u627E\u4E0D\u5230\u73AF\u5883\u53D8\u91CF: "},

src/share/classes/sun/security/util/Resources_sv.java

@@ -67,10 +67,10 @@ public class Resources_sv extends java.util.ListResourceBundle {
         {".Principal.", "\tIdentitetshavare: "},
         {".Public.Credential.", "\tOffentlig inloggning: "},
         {".Private.Credentials.inaccessible.",
-                "\tPrivat inloggning \u00E4r inte tillg\u00E4nglig\n"},
+                "\tPrivat inloggning \u00E4r inte m\u00F6jlig\n"},
         {".Private.Credential.", "\tPrivat inloggning: "},
         {".Private.Credential.inaccessible.",
-                "\tPrivat inloggning \u00E4r inte tillg\u00E4nglig\n"},
+                "\tPrivat inloggning \u00E4r inte m\u00F6jlig\n"},
         {"Subject.is.read.only", "Innehavare \u00E4r skrivskyddad"},
         {"attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set",
                 "f\u00F6rs\u00F6k att l\u00E4gga till ett objekt som inte \u00E4r en instans av java.security.Principal till ett subjekts upps\u00E4ttning av identitetshavare"},

src/share/classes/sun/util/resources/TimeZoneNames.java

@@ -666,9 +666,9 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
                                            "Magadan Summer Time", "MAGST",
                                            "Magadan Time", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Philippines Time", "PHT",
-                                          "Philippines Summer Time", "PHST",
-                                          "Philippines Time", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/de/TimeZoneNames_de.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
                                            "Magadanische Sommerzeit", "MAGST",
                                            "Magadanische Zeit", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Philippinische Zeit", "PHT",
-                                          "Philippinische Sommerzeit", "PHST",
-                                          "Philippinische Zeit", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/es/TimeZoneNames_es.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
                                            "Hora de verano de Magad\u00e1n", "MAGST",
                                            "Hora de Magad\u00E1n", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Hora de Filipinas", "PHT",
-                                          "Hora de verano de Filipinas", "PHST",
-                                          "Hora de Filipinas", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/fr/TimeZoneNames_fr.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
                                            "Heure d'\u00e9t\u00e9 de Magadan", "MAGST",
                                            "Heure de Magadan", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Heure des Philippines", "PHT",
-                                          "Heure d'\u00e9t\u00e9 des Philippines", "PHST",
-                                          "Heure des Philippines", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/it/TimeZoneNames_it.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
                                            "Ora estiva di Magadan", "MAGST",
                                            "Ora di Magadan", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Ora delle Filippine", "PHT",
-                                          "Ora estiva delle Filippine", "PHST",
-                                          "Ora delle Filippine", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/ja/TimeZoneNames_ja.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
                                            "\u30de\u30ac\u30c0\u30f3\u590f\u6642\u9593", "MAGST",
                                            "\u30DE\u30AC\u30C0\u30F3\u6642\u9593", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"\u30d5\u30a3\u30ea\u30d4\u30f3\u6642\u9593", "PHT",
-                                          "\u30d5\u30a3\u30ea\u30d4\u30f3\u590f\u6642\u9593", "PHST",
-                                          "\u30D5\u30A3\u30EA\u30D4\u30F3\u6642\u9593", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/ko/TimeZoneNames_ko.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
                                            "\ub9c8\uac00\ub2e8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MAGST",
                                            "\uB9C8\uAC00\uB2E8 \uD45C\uC900\uC2DC", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"\ud544\ub9ac\ud540 \uc2dc\uac04", "PHT",
-                                          "\ud544\ub9ac\ud540 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "PHST",
-                                          "\uD544\uB9AC\uD540 \uD45C\uC900\uC2DC", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/pt/TimeZoneNames_pt_BR.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
                                            "Fuso hor\u00e1rio de ver\u00e3o de Magadan", "MAGST",
                                            "Hor\u00E1rio de Magadan", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Fuso hor\u00e1rio das Filipinas", "PHT",
-                                          "Fuso hor\u00e1rio de ver\u00e3o das Filipinas", "PHST",
-                                          "Hor\u00E1rio das Filipinas", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/sv/TimeZoneNames_sv.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
                                            "Magadan, sommartid", "MAGST",
                                            "Magadan-tid", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"Filippinerna, normaltid", "PHT",
-                                          "Filippinerna, sommartid", "PHST",
-                                          "Filippinsk tid", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_CN.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
                                            "Magadan \u590f\u4ee4\u65f6", "MAGST",
                                            "Magadan \u65F6\u95F4", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"\u83f2\u5f8b\u5bbe\u65f6\u95f4", "PHT",
-                                          "\u83f2\u5f8b\u5bbe\u590f\u4ee4\u65f6", "PHST",
-                                          "\u83F2\u5F8B\u5BBE\u65F6\u95F4", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_TW.java

@@ -667,9 +667,9 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
                                            "Magadan \u590f\u4ee4\u6642\u9593", "MAGST",
                                            "\u99AC\u52A0\u4E39\u6642\u9593", "MAGT"}},
             {"Asia/Makassar", CIT},
-            {"Asia/Manila", new String[] {"\u83f2\u5f8b\u8cd3\u6642\u9593", "PHT",
-                                          "\u83f2\u5f8b\u8cd3\u590f\u4ee4\u6642\u9593", "PHST",
-                                          "\u83F2\u5F8B\u8CD3\u6642\u9593", "PHT"}},
+            {"Asia/Manila", new String[] {"Philippines Standard Time", "PST",
+                                          "Philippines Daylight Time", "PDT",
+                                          "Philippines Time", "PT"}},
             {"Asia/Muscat", GST},
             {"Asia/Nicosia", EET},
             {"Asia/Novokuznetsk", KRAT},

src/share/lib/net.properties

@@ -99,3 +99,23 @@ ftp.nonProxyHosts=localhost|127.*|[::1]
 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic
 
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled

src/share/lib/security/java.security-aix

@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-linux

@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-macosx

@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-solaris

@@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-windows

@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/native/sun/awt/image/jpeg/jmemmgr.c

@@ -406,6 +406,9 @@ alloc_sarray (j_common_ptr cinfo, int pool_id,
   JDIMENSION rowsperchunk, currow, i;
   long ltemp;
 
+  if (samplesperrow == 0) {
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+  }
   /* Calculate max # of rows allowed in one allocation chunk */
   ltemp = (MAX_ALLOC_CHUNK-SIZEOF(large_pool_hdr)) /
           ((long) samplesperrow * SIZEOF(JSAMPLE));
@@ -454,6 +457,10 @@ alloc_barray (j_common_ptr cinfo, int pool_id,
   JDIMENSION rowsperchunk, currow, i;
   long ltemp;
 
+  if (blocksperrow == 0) {
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+  }
+
   /* Calculate max # of rows allowed in one allocation chunk */
   ltemp = (MAX_ALLOC_CHUNK-SIZEOF(large_pool_hdr)) /
           ((long) blocksperrow * SIZEOF(JBLOCK));

src/share/native/sun/java2d/cmm/lcms/cmscgats.c

@@ -1535,11 +1535,17 @@ void AllocateDataSet(cmsIT8* it8)
     t-> nSamples   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
     t-> nPatches   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
-    t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
+    if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+    {
+        SynError(it8, "AllocateDataSet: too much data");
+    }
+    else {
+        t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
         if (t->Data == NULL) {
 
             SynError(it8, "AllocateDataSet: Unable to allocate data array");
         }
+    }
 
 }
 

src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java

@@ -90,10 +90,13 @@ public class NTLMAuthentication extends AuthenticationInfo {
 
     /**
      * Returns true if the given site is trusted, i.e. we can try
-     * transparent Authentication.
+     * transparent Authentication. Shouldn't be called since
+     * capability not supported on Unix
      */
     public static boolean isTrustedSite(URL url) {
+        if (NTLMAuthCallback != null)
             return NTLMAuthCallback.isTrustedSite(url);
+        return false;
     }
 
     private void init0() {

src/solaris/instrument/FileSystemSupport_md.c

 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
  * questions.
  */
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -50,6 +51,10 @@ char* basePath(const char* path) {
     } else {
         int len = last - path;
         char* str = (char*)malloc(len+1);
+        if (str == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (len > 0) {
             memcpy(str, path, len);
         }
@@ -80,6 +85,10 @@ static char* normalizePath(const char* pathname, int len, int off) {
     if (n == 0) return strdup("/");
 
     sb = (char*)malloc(strlen(pathname)+1);
+    if (sb == NULL) {
+        fprintf(stderr, "OOM error in native tmp buffer allocation");
+        return NULL;
+    }
     sbLen = 0;
 
     if (off > 0) {
@@ -128,6 +137,10 @@ char* resolve(const char* parent, const char* child) {
     len = parentEnd + cn - childStart;
     if (child[0] == slash) {
         theChars = (char*)malloc(len+1);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (parentEnd > 0)
             memcpy(theChars, parent, parentEnd);
         if (cn > 0)
@@ -135,6 +148,10 @@ char* resolve(const char* parent, const char* child) {
         theChars[len] = '\0';
     } else {
         theChars = (char*)malloc(len+2);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (parentEnd > 0)
             memcpy(theChars, parent, parentEnd);
         theChars[parentEnd] = slash;
@@ -150,10 +167,13 @@ char* fromURIPath(const char* path) {
     if (len > 1 && path[len-1] == slash) {
         // "/foo/" --> "/foo", but "/" --> "/"
         char* str = (char*)malloc(len);
-        if (str != NULL) {
+        if (str == NULL)
+        {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(str, path, len-1);
         str[len-1] = '\0';
-        }
         return str;
     } else {
         return (char*)path;

src/solaris/native/java/net/net_util_md.c

@@ -608,6 +608,8 @@ static void initLoopbackRoutes() {
 
                 if (loRoutesTemp == 0) {
                     free(loRoutes);
+                    loRoutes = NULL;
+                    nRoutes = 0;
                     fclose (f);
                     return;
                 }

src/solaris/native/sun/awt/awt_UNIXToolkit.c

@@ -184,6 +184,7 @@ Java_sun_awt_UNIXToolkit_load_1stock_1icon(JNIEnv *env, jobject this,
         detail_str = (char *)SAFE_SIZE_ARRAY_ALLOC(malloc,
                 sizeof(char), len + 1);
         if (detail_str == NULL) {
+            free(stock_id_str);
             JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
             return JNI_FALSE;
         }

src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java

@@ -30,6 +30,7 @@ import java.net.InetAddress;
 import java.net.PasswordAuthentication;
 import java.net.UnknownHostException;
 import java.net.URL;
+import sun.net.NetProperties;
 import sun.net.www.HeaderParser;
 import sun.net.www.protocol.http.AuthenticationInfo;
 import sun.net.www.protocol.http.AuthScheme;
@@ -52,6 +53,14 @@ public class NTLMAuthentication extends AuthenticationInfo {
     private static String defaultDomain; /* Domain to use if not specified by user */
     private static final boolean ntlmCache; /* Whether cache is enabled for NTLM */
 
+    enum TransparentAuth {
+        DISABLED,      // disable for all hosts (default)
+        TRUSTED_HOSTS, // use Windows trusted hosts settings
+        ALL_HOSTS      // attempt for all hosts
+    }
+
+    private static final TransparentAuth authMode;
+
     static {
         defaultDomain = java.security.AccessController.doPrivileged(
             new sun.security.action.GetPropertyAction("http.auth.ntlm.domain",
@@ -59,6 +68,19 @@ public class NTLMAuthentication extends AuthenticationInfo {
         String ntlmCacheProp = java.security.AccessController.doPrivileged(
             new sun.security.action.GetPropertyAction("jdk.ntlm.cache", "true"));
         ntlmCache = Boolean.parseBoolean(ntlmCacheProp);
+        String modeProp = java.security.AccessController.doPrivileged(
+            new java.security.PrivilegedAction<String>() {
+                public String run() {
+                    return NetProperties.get("jdk.http.ntlm.transparentAuth");
+                }
+            });
+
+        if ("trustedHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.TRUSTED_HOSTS;
+        else if ("allHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.ALL_HOSTS;
+        else
+            authMode = TransparentAuth.DISABLED;
     };
 
     private void init0() {
@@ -159,8 +181,20 @@ public class NTLMAuthentication extends AuthenticationInfo {
      * transparent Authentication.
      */
     public static boolean isTrustedSite(URL url) {
+        if (NTLMAuthCallback != null)
             return NTLMAuthCallback.isTrustedSite(url);
+
+        switch (authMode) {
+            case TRUSTED_HOSTS:
+                return isTrustedSite(url.toString());
+            case ALL_HOSTS:
+                return true;
+            default:
+                return false;
         }
+    }
+
+    static native boolean isTrustedSite(String url);
 
     /**
      * Not supported. Must use the setHeaders() method
@@ -211,5 +245,4 @@ public class NTLMAuthentication extends AuthenticationInfo {
             return false;
         }
     }
-
 }

src/windows/classes/sun/security/mscapi/KeyStore.java

@@ -753,6 +753,7 @@ abstract class KeyStore extends KeyStoreSpi {
     /**
      * Generates a certificate chain from the collection of
      * certificates and stores the result into a key entry.
+     * This method is called by native code in libsunmscapi.
      */
     private void generateCertificateChain(String alias,
         Collection<? extends Certificate> certCollection)
@@ -775,13 +776,15 @@ abstract class KeyStore extends KeyStoreSpi {
         catch (Throwable e)
         {
             // Ignore the exception and skip this entry
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 
     /**
      * Generates RSA key and certificate chain from the private key handle,
      * collection of certificates and stores the result into key entries.
+     * This method is called by native code in libsunmscapi.
      */
     private void generateRSAKeyAndCertificateChain(String alias,
         long hCryptProv, long hCryptKey, int keyLength,
@@ -807,12 +810,14 @@ abstract class KeyStore extends KeyStoreSpi {
         catch (Throwable e)
         {
             // Ignore the exception and skip this entry
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 
     /**
      * Generates certificates from byte data and stores into cert collection.
+     * This method is called by native code in libsunmscapi.
      *
      * @param data Byte data.
      * @param certCollection Collection of certificates.
@@ -836,12 +841,14 @@ abstract class KeyStore extends KeyStoreSpi {
         catch (CertificateException e)
         {
             // Ignore the exception and skip this certificate
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
         catch (Throwable te)
         {
             // Ignore the exception and skip this certificate
-            // TODO - throw CertificateException?
+            // If e is thrown, remember to deal with it in
+            // native code.
         }
     }
 

src/windows/classes/sun/security/mscapi/RSASignature.java

 /*
- * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -132,7 +132,7 @@ abstract class RSASignature extends java.security.SignatureSpi
         @Override
         protected void engineUpdate(byte[] b, int off, int len)
                 throws SignatureException {
-            if (offset + len > precomputedDigest.length) {
+            if (len > (precomputedDigest.length - offset)) {
                 offset = RAW_RSA_MAX + 1;
                 return;
             }
@@ -147,7 +147,7 @@ abstract class RSASignature extends java.security.SignatureSpi
             if (len <= 0) {
                 return;
             }
-            if (offset + len > precomputedDigest.length) {
+            if (len > (precomputedDigest.length - offset)) {
                 offset = RAW_RSA_MAX + 1;
                 return;
             }

src/windows/instrument/FileSystemSupport_md.c

 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018 Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,6 +23,7 @@
  * questions.
  */
 
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <malloc.h>
@@ -66,6 +67,10 @@ char* basePath(const char* path) {
     } else {
         int len = (int)(last - path);
         char* str = (char*)malloc(len+1);
+        if (str == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         if (len > 0) {
             memcpy(str, path, len);
         }
@@ -135,6 +140,10 @@ static char* normalizePath(const char* path, int len, int off) {
     if (off < 3) off = 0;       /* Avoid fencepost cases with UNC pathnames */
 
     sb = (char*)malloc(len+1);
+    if (sb == NULL) {
+        fprintf(stderr, "OOM error in native tmp buffer allocation");
+        return NULL;
+    }
     sbLen = 0;
 
     if (off == 0) {
@@ -261,11 +270,19 @@ char* resolve(const char* parent, const char* child) {
 
     if (child[childStart] == slash) {
         theChars = (char*)malloc(len+1);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(theChars, parent, parentEnd);
         memcpy(theChars+parentEnd, child+childStart, (cn-childStart));
         theChars[len] = '\0';
     } else {
         theChars = (char*)malloc(len+2);
+        if (theChars == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(theChars, parent, parentEnd);
         theChars[parentEnd] = slash;
         memcpy(theChars+parentEnd+1, child+childStart, (cn-childStart));
@@ -320,10 +337,12 @@ char* fromURIPath(const char* path) {
         return (char*)path;
     } else {
         char* p = (char*)malloc(len+1);
-        if (p != NULL) {
+        if (p == NULL) {
+            fprintf(stderr, "OOM error in native tmp buffer allocation");
+            return NULL;
+        }
         memcpy(p, path+start, len);
         p[len] = '\0';
-        }
         return p;
     }
 }

src/windows/native/java/net/NetworkInterface.c

@@ -279,7 +279,7 @@ int enumInterfaces(JNIEnv *env, netif **netifPP)
                 // But in rare case it fails, we allow 'char' to be displayed
                 curr->displayName = (char *)malloc(ifrowP->dwDescrLen + 1);
             } else {
-                curr->displayName = (wchar_t *)malloc(wlen*(sizeof(wchar_t))+1);
+                curr->displayName = (wchar_t *)malloc((wlen+1)*sizeof(wchar_t));
             }
 
             curr->name = (char *)malloc(strlen(dev_name) + 1);
@@ -322,7 +322,7 @@ int enumInterfaces(JNIEnv *env, netif **netifPP)
                 free(curr);
                 return -1;
             } else {
-                curr->displayName[wlen*(sizeof(wchar_t))] = '\0';
+                ((wchar_t *)curr->displayName)[wlen] = L'\0';
                 curr->dNameIsUnicode = TRUE;
             }
         }
@@ -861,6 +861,7 @@ JNIEXPORT jobjectArray JNICALL Java_java_net_NetworkInterface_getAll
     /* allocate a NetworkInterface array */
     netIFArr = (*env)->NewObjectArray(env, count, cls, NULL);
     if (netIFArr == NULL) {
+        free_netif(ifList);
         return NULL;
     }
 
@@ -875,6 +876,7 @@ JNIEXPORT jobjectArray JNICALL Java_java_net_NetworkInterface_getAll
 
         netifObj = createNetworkInterface(env, curr, -1, NULL);
         if (netifObj == NULL) {
+            free_netif(ifList);
             return NULL;
         }
 

src/windows/native/sun/bridge/AccessBridgeMessageQueue.cpp

@@ -32,6 +32,7 @@
 #include "AccessBridgePackages.h"               // for debugging only
 #include <windows.h>
 #include <malloc.h>
+#include <new>
 
 DEBUG_CODE(extern HWND theDialogWindow);
 extern "C" {
@@ -46,6 +47,9 @@ AccessBridgeQueueElement::AccessBridgeQueueElement(char *buf, int size) {
     next = (AccessBridgeQueueElement *) 0;
     previous = (AccessBridgeQueueElement *) 0;
     buffer = (char *) malloc(bufsize);
+    if (buffer == NULL) {
+        throw std::bad_alloc();
+    }
     memcpy(buffer, buf, bufsize);
 }
 

src/windows/native/sun/net/www/protocol/http/ntlm/NTLMAuthentication.c

+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <jni.h>
+#include <windows.h>
+#include "jni_util.h"
+#include <urlmon.h>
+
+JNIEXPORT jboolean JNICALL Java_sun_net_www_protocol_http_ntlm_NTLMAuthentication_isTrustedSite(JNIEnv *env, jclass clazz, jstring url )
+{
+
+    HRESULT hr;
+    DWORD dwZone;
+    DWORD  pPolicy = 0;
+    IInternetSecurityManager *spSecurityManager;
+    jboolean ret;
+    LPCWSTR bstrURL;
+
+    // Create IInternetSecurityManager
+    hr = CoInternetCreateSecurityManager(NULL, &spSecurityManager, (DWORD)0);
+    if (FAILED(hr)) {
+        return JNI_FALSE;
+    }
+
+    bstrURL = (LPCWSTR)((*env)->GetStringChars(env, url, NULL));
+    if (bstrURL == NULL) {
+        if (!(*env)->ExceptionCheck(env))
+            JNU_ThrowOutOfMemoryError(env, NULL);
+        spSecurityManager->lpVtbl->Release(spSecurityManager);
+        return JNI_FALSE;
+    }
+
+    // Determines the policy for the URLACTION_CREDENTIALS_USE action and display
+    // a user interface, if the policy indicates that the user should be queried
+    hr = spSecurityManager->lpVtbl->ProcessUrlAction(
+        spSecurityManager,
+        bstrURL,
+        URLACTION_CREDENTIALS_USE,
+        (LPBYTE)&pPolicy,
+        sizeof(DWORD), 0, 0, 0, 0);
+
+    if (FAILED(hr)) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // If these two User Authentication Logon options is selected
+    // Anonymous logon
+    // Prompt for user name and password
+    if (pPolicy == URLPOLICY_CREDENTIALS_ANONYMOUS_ONLY ||
+        pPolicy == URLPOLICY_CREDENTIALS_MUST_PROMPT_USER) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon with current user name and password" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_SILENT_LOGON_OK) {
+        ret = JNI_TRUE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon only in intranet zone" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_CONDITIONAL_PROMPT) {
+
+        // Gets the zone index from the specified URL
+        hr = spSecurityManager->lpVtbl->MapUrlToZone(
+                spSecurityManager, bstrURL, &dwZone, 0);
+        if (FAILED(hr)) {
+            ret = JNI_FALSE;
+            goto cleanupAndReturn;
+        }
+
+        // Check if the URL is in Local or Intranet zone
+        if (dwZone == URLZONE_INTRANET || dwZone == URLZONE_LOCAL_MACHINE) {
+            ret = JNI_TRUE;
+            goto cleanupAndReturn;
+        }
+    }
+    ret = JNI_FALSE;
+
+cleanupAndReturn:
+    (*env)->ReleaseStringChars(env, url, bstrURL);
+    spSecurityManager->lpVtbl->Release(spSecurityManager);
+    return ret;
+}

src/windows/native/sun/nio/ch/DatagramDispatcher.c

 /*
- * Copyright (c) 2002, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -95,6 +95,10 @@ Java_sun_nio_ch_DatagramDispatcher_readv0(JNIEnv *env, jclass clazz,
     jint fd = fdval(env, fdo);
     struct iovec *iovp = (struct iovec *)address;
     WSABUF *bufs = malloc(len * sizeof(WSABUF));
+    if (bufs == NULL) {
+        JNU_ThrowOutOfMemoryError(env, NULL);
+        return IOS_THROWN;
+    }
 
     /* copy iovec into WSABUF */
     for(i=0; i<len; i++) {
@@ -182,6 +186,10 @@ Java_sun_nio_ch_DatagramDispatcher_writev0(JNIEnv *env, jclass clazz,
     jint fd = fdval(env, fdo);
     struct iovec *iovp = (struct iovec *)address;
     WSABUF *bufs = malloc(len * sizeof(WSABUF));
+    if (bufs == NULL) {
+        JNU_ThrowOutOfMemoryError(env, NULL);
+        return IOS_THROWN;
+    }
 
     /* copy iovec into WSABUF */
     for(i=0; i<len; i++) {

src/windows/native/sun/nio/ch/WindowsSelectorImpl.c

 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -208,6 +208,10 @@ Java_sun_nio_ch_WindowsSelectorImpl_resetWakeupSocket0(JNIEnv *env, jclass this,
     /* Prepare corresponding buffer if needed, and then read */
     if (bytesToRead > WAKEUP_SOCKET_BUF_SIZE) {
         char* buf = (char*)malloc(bytesToRead);
+        if (buf == NULL) {
+            JNU_ThrowOutOfMemoryError(env, NULL);
+            return;
+        }
         recv(scinFd, buf, bytesToRead, 0);
         free(buf);
     } else {

src/windows/native/sun/security/krb5/NativeCreds.c

@@ -76,7 +76,8 @@ BOOL native_debug = 0;
 
 BOOL PackageConnectLookup(PHANDLE,PULONG);
 
-NTSTATUS ConstructTicketRequest(UNICODE_STRING DomainName,
+NTSTATUS ConstructTicketRequest(JNIEnv *env,
+                                UNICODE_STRING DomainName,
                                 PKERB_RETRIEVE_TKT_REQUEST *outRequest,
                                 ULONG *outSize);
 
@@ -102,6 +103,8 @@ jobject BuildEncryptionKey(JNIEnv *env, PKERB_CRYPTO_KEY cryptoKey);
 jobject BuildTicketFlags(JNIEnv *env, PULONG flags);
 jobject BuildKerberosTime(JNIEnv *env, PLARGE_INTEGER kerbtime);
 
+void ThrowOOME(JNIEnv *env, const char *szMessage);
+
 /*
  * Class:     sun_security_krb5_KrbCreds
  * Method:    JNI_OnLoad
@@ -495,7 +498,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
             }
 
             // use domain to request Ticket
-            Status = ConstructTicketRequest(msticket->TargetDomainName,
+            Status = ConstructTicketRequest(env, msticket->TargetDomainName,
                                 &pTicketRequest, &requestSize);
             if (!LSA_SUCCESS(Status)) {
                 ShowNTError("ConstructTicketRequest status", Status);
@@ -689,7 +692,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
 }
 
 static NTSTATUS
-ConstructTicketRequest(UNICODE_STRING DomainName,
+ConstructTicketRequest(JNIEnv *env, UNICODE_STRING DomainName,
                 PKERB_RETRIEVE_TKT_REQUEST *outRequest, ULONG *outSize)
 {
     NTSTATUS Status;
@@ -736,8 +739,10 @@ ConstructTicketRequest(UNICODE_STRING DomainName,
 
     pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST)
                     LocalAlloc(LMEM_ZEROINIT, RequestSize);
-    if (!pTicketRequest)
+    if (!pTicketRequest) {
+        ThrowOOME(env, "Can't allocate memory for ticket");
         return GetLastError();
+    }
 
     //
     // Concatenate the target prefix with the previous response's
@@ -894,7 +899,7 @@ jobject BuildTicket(JNIEnv *env, PUCHAR encodedTicket, ULONG encodedTicketSize)
     jbyteArray ary;
 
     ary = (*env)->NewByteArray(env,encodedTicketSize);
-    if ((*env)->ExceptionOccurred(env)) {
+    if (ary == NULL) {
         return (jobject) NULL;
     }
 
@@ -940,6 +945,10 @@ jobject BuildPrincipal(JNIEnv *env, PKERB_EXTERNAL_NAME principalName,
 
     realm = (WCHAR *) LocalAlloc(LMEM_ZEROINIT,
             ((domainName.Length)*sizeof(WCHAR) + sizeof(UNICODE_NULL)));
+    if (realm == NULL) {
+        ThrowOOME(env, "Can't allocate memory for realm");
+        return NULL;
+    }
     wcsncpy(realm, domainName.Buffer, domainName.Length/sizeof(WCHAR));
 
     if (native_debug) {
@@ -1014,6 +1023,9 @@ jobject BuildEncryptionKey(JNIEnv *env, PKERB_CRYPTO_KEY cryptoKey) {
     }
 
     ary = (*env)->NewByteArray(env,cryptoKey->Length);
+    if (ary == NULL) {
+        return (jobject) NULL;
+    }
     (*env)->SetByteArrayRegion(env, ary, (jsize) 0, cryptoKey->Length,
                                     (jbyte *)cryptoKey->Value);
     if ((*env)->ExceptionOccurred(env)) {
@@ -1036,6 +1048,9 @@ jobject BuildTicketFlags(JNIEnv *env, PULONG flags) {
     ULONG nlflags = htonl(*flags);
 
     ary = (*env)->NewByteArray(env, sizeof(*flags));
+    if (ary == NULL) {
+        return (jobject) NULL;
+    }
     (*env)->SetByteArrayRegion(env, ary, (jsize) 0, sizeof(*flags),
                                     (jbyte *)&nlflags);
     if ((*env)->ExceptionOccurred(env)) {
@@ -1088,3 +1103,10 @@ jobject BuildKerberosTime(JNIEnv *env, PLARGE_INTEGER kerbtime) {
     }
     return kerberosTime;
 }
+
+void ThrowOOME(JNIEnv *env, const char *szMessage) {
+    jclass exceptionClazz = (*env)->FindClass(env, "java/lang/OutOfMemoryError");
+    if (exceptionClazz != NULL) {
+        (*env)->ThrowNew(env, exceptionClazz, szMessage);
+    }
+}

src/windows/native/sun/security/mscapi/security.cpp

@@ -425,6 +425,15 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
                     // Create ArrayList to store certs in each chain
                     jobject jArrayList =
                         env->NewObject(clazzArrayList, mNewArrayList);
+                    if (jArrayList == NULL) {
+                        __leave;
+                    }
+
+                    // Cleanup the previous allocated name
+                    if (pszNameString) {
+                        delete [] pszNameString;
+                        pszNameString = NULL;
+                    }
 
                     for (unsigned int j=0; j < rgpChain->cElement; j++)
                     {
@@ -463,6 +472,9 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
 
                         // Allocate and populate byte array
                         jbyteArray byteArray = env->NewByteArray(cbCertEncoded);
+                        if (byteArray == NULL) {
+                            __leave;
+                        }
                         env->SetByteArrayRegion(byteArray, 0, cbCertEncoded,
                             (jbyte*) pbCertEncoded);
 
@@ -471,12 +483,21 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
                         env->CallVoidMethod(obj, mGenCert, byteArray, jArrayList);
                     }
 
+                    // Usually pszNameString should be non-NULL. It's either
+                    // the friendly name or an element from the subject name
+                    // or SAN.
+                    if (pszNameString)
+                    {
                         if (bHasNoPrivateKey)
                         {
                             // Generate certificate chain and store into cert chain
                             // collection
+                            jstring name = env->NewStringUTF(pszNameString);
+                            if (name == NULL) {
+                                __leave;
+                            }
                             env->CallVoidMethod(obj, mGenCertChain,
-                            env->NewStringUTF(pszNameString),
+                                name,
                                 jArrayList);
                         }
                         else
@@ -491,13 +512,18 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
                             {
                                 // Generate RSA certificate chain and store into cert
                                 // chain collection
+                                jstring name = env->NewStringUTF(pszNameString);
+                                if (name == NULL) {
+                                    __leave;
+                                }
                                 env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,
-                                    env->NewStringUTF(pszNameString),
+                                        name,
                                         (jlong) hCryptProv, (jlong) hUserKey,
                                         dwPublicKeyLength, jArrayList);
                             }
                         }
                     }
+                }
 
                 // Free cert chain
                 if (pCertChainContext)
@@ -641,6 +667,9 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSASignature_signHash
 
         // Create new byte array
         jbyteArray temp = env->NewByteArray(dwBufLen);
+        if (temp == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer
         env->SetByteArrayRegion(temp, 0, dwBufLen, pSignedHashBuffer);
@@ -964,6 +993,9 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_storeCertificate
         }
 
         jCertAliasChars = env->GetStringChars(jCertAliasName, NULL);
+        if (jCertAliasChars == NULL) {
+            __leave;
+        }
         memcpy(pszCertAliasName, jCertAliasChars, size * sizeof(WCHAR));
         pszCertAliasName[size] = 0; // append the string terminator
 
@@ -1600,7 +1632,9 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSACipher_encryptDecrypt
         }
 
         // Create new byte array
-        result = env->NewByteArray(dwBufLen);
+        if ((result = env->NewByteArray(dwBufLen)) == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer to Java buffer
         env->SetByteArrayRegion(result, 0, dwBufLen, (jbyte*) pData);
@@ -1651,7 +1685,9 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSAPublicKey_getPublicKeyB
         }
 
         // Create new byte array
-        blob = env->NewByteArray(dwBlobLen);
+        if ((blob = env->NewByteArray(dwBlobLen)) == NULL) {
+            __leave;
+        }
 
         // Copy data from native buffer to Java buffer
         env->SetByteArrayRegion(blob, 0, dwBlobLen, (jbyte*) pbKeyBlob);
@@ -1680,6 +1716,13 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSAPublicKey_getExponent
     __try {
 
         jsize length = env->GetArrayLength(jKeyBlob);
+        jsize headerLength = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
+
+        if (length < headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid BLOB");
+            __leave;
+        }
+
         if ((keyBlob = env->GetByteArrayElements(jKeyBlob, 0)) == NULL) {
             __leave;
         }
@@ -1706,7 +1749,9 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSAPublicKey_getExponent
             exponentBytes[i] = ((BYTE*) &pRsaPubKey->pubexp)[j];
         }
 
-        exponent = env->NewByteArray(len);
+        if ((exponent = env->NewByteArray(len)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(exponent, 0, len, exponentBytes);
     }
     __finally
@@ -1736,6 +1781,13 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSAPublicKey_getModulus
     __try {
 
         jsize length = env->GetArrayLength(jKeyBlob);
+        jsize headerLength = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
+
+        if (length < headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid BLOB");
+            __leave;
+        }
+
         if ((keyBlob = env->GetByteArrayElements(jKeyBlob, 0)) == NULL) {
             __leave;
         }
@@ -1752,19 +1804,25 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSAPublicKey_getModulus
             (RSAPUBKEY *) (keyBlob + sizeof(PUBLICKEYSTRUC));
 
         int len = pRsaPubKey->bitlen / 8;
+        if (len < 0 || len > length - headerLength) {
+            ThrowExceptionWithMessage(env, KEY_EXCEPTION, "Invalid key length");
+            __leave;
+        }
+
         modulusBytes = new (env) jbyte[len];
         if (modulusBytes == NULL) {
             __leave;
         }
-        BYTE * pbModulus =
-            (BYTE *) (keyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY));
+        BYTE * pbModulus = (BYTE *) (keyBlob + headerLength);
 
         // convert from little-endian while copying from blob
         for (int i = 0, j = len - 1; i < len; i++, j--) {
             modulusBytes[i] = pbModulus[j];
         }
 
-        modulus = env->NewByteArray(len);
+        if ((modulus = env->NewByteArray(len)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(modulus, 0, len, modulusBytes);
     }
     __finally
@@ -1972,7 +2030,9 @@ jbyteArray generateKeyBlob(
             }
         }
 
-        jBlob = env->NewByteArray(jBlobLength);
+        if ((jBlob = env->NewByteArray(jBlobLength)) == NULL) {
+            __leave;
+        }
         env->SetByteArrayRegion(jBlob, 0, jBlobLength, jBlobBytes);
 
     }

src/windows/native/sun/security/pkcs11/wrapper/p11_md.c

 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -75,18 +75,20 @@
  * Signature: (Ljava/lang/String;)V
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect
-    (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath, jstring jGetFunctionList)
+    (JNIEnv *env, jobject obj, jstring jPkcs11ModulePath,
+        jstring jGetFunctionList)
 {
     HINSTANCE hModule;
     CK_C_GetFunctionList C_GetFunctionList;
-    CK_RV rv;
+    CK_RV rv = CK_ASSERT_OK;
     ModuleData *moduleData;
     jobject globalPKCS11ImplementationReference;
-    LPVOID lpMsgBuf;
-    char *exceptionMessage;
+    LPVOID lpMsgBuf = NULL;
+    char *exceptionMessage = NULL;
     const char *getFunctionListStr;
 
-    const char *libraryNameStr = (*env)->GetStringUTFChars(env, jPkcs11ModulePath, 0);
+    const char *libraryNameStr = (*env)->GetStringUTFChars(env,
+            jPkcs11ModulePath, 0);
     TRACE1("DEBUG: connect to PKCS#11 module: %s ... ", libraryNameStr);
 
 
@@ -106,21 +108,24 @@ JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect
             0,
             NULL
         );
-        exceptionMessage = (char *) malloc(sizeof(char) * (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1));
+        exceptionMessage = (char *) malloc(sizeof(char) *
+                (strlen((LPTSTR) lpMsgBuf) + strlen(libraryNameStr) + 1));
+        if (exceptionMessage == NULL) {
+            throwOutOfMemoryError(env, 0);
+            goto cleanup;
+        }
         strcpy(exceptionMessage, (LPTSTR) lpMsgBuf);
         strcat(exceptionMessage, libraryNameStr);
         throwIOException(env, (LPTSTR) exceptionMessage);
-        /* Free the buffer. */
-        free(exceptionMessage);
-        LocalFree(lpMsgBuf);
-        return;
+        goto cleanup;
     }
 
     /*
      * Get function pointer to C_GetFunctionList
      */
     getFunctionListStr = (*env)->GetStringUTFChars(env, jGetFunctionList, 0);
-    C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule, getFunctionListStr);
+    C_GetFunctionList = (CK_C_GetFunctionList) GetProcAddress(hModule,
+            getFunctionListStr);
     (*env)->ReleaseStringUTFChars(env, jGetFunctionList, getFunctionListStr);
     if (C_GetFunctionList == NULL) {
         FormatMessage(
@@ -135,24 +140,37 @@ JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_connect
             NULL
         );
         throwIOException(env, (LPTSTR) lpMsgBuf);
-        /* Free the buffer. */
-        LocalFree( lpMsgBuf );
-        return;
+        goto cleanup;
     }
 
     /*
      * Get function pointers to all PKCS #11 functions
      */
     moduleData = (ModuleData *) malloc(sizeof(ModuleData));
+    if (moduleData == NULL) {
+        throwOutOfMemoryError(env, 0);
+        goto cleanup;
+    }
     moduleData->hModule = hModule;
     moduleData->applicationMutexHandler = NULL;
     rv = (C_GetFunctionList)(&(moduleData->ckFunctionListPtr));
     globalPKCS11ImplementationReference = (*env)->NewGlobalRef(env, obj);
     putModuleEntry(env, globalPKCS11ImplementationReference, moduleData);
 
-    (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr);
     TRACE0("FINISHED\n");
 
+cleanup:
+    /* Free up allocated buffers we no longer need */
+    if (lpMsgBuf != NULL) {
+        LocalFree( lpMsgBuf );
+    }
+    if (libraryNameStr != NULL) {
+        (*env)->ReleaseStringUTFChars(env, jPkcs11ModulePath, libraryNameStr);
+    }
+    if (exceptionMessage != NULL) {
+        free(exceptionMessage);
+    }
+
     if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
 }
 

src/windows/native/sun/windows/WPrinterJob.cpp

@@ -886,10 +886,12 @@ Java_sun_print_Win32PrintService_getDefaultSettings(JNIEnv *env,
               if (!present) {
                   defIndices[0] = papers[0];
               }
+          }
+          // If DeviceCapabilities fails, then also free paper allocation
           if (papers != NULL) {
               free((char*)papers);
           }
-          }
+
       }
       RESTORE_CONTROLWORD
   }

test/java/math/BigDecimal/AddTests.java

 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6362557
+ * @bug 6362557 8200698
  * @summary Some tests of add(BigDecimal, mc)
  * @author Joseph D. Darcy
  */
@@ -290,12 +290,35 @@ public class AddTests {
         return failures;
     }
 
+    private static int arithmeticExceptionTest() {
+        int failures = 0;
+        BigDecimal x;
+        try {
+            //
+            // The string representation "1e2147483647", which is equivalent
+            // to 10^Integer.MAX_VALUE, is used to create an augend with an
+            // unscaled value of 1 and a scale of -Integer.MAX_VALUE. The
+            // addend "1" has an unscaled value of 1 with a scale of 0. The
+            // addition is performed exactly and is specified to have a
+            // preferred scale of max(-Integer.MAX_VALUE, 0). As the scale
+            // of the result is 0, a value with Integer.MAX_VALUE + 1 digits
+            // would need to be created. Therefore the next statement is
+            // expected to overflow with an ArithmeticException.
+            //
+            x = new BigDecimal("1e2147483647").add(new BigDecimal(1));
+            failures++;
+        } catch (ArithmeticException ae) {
+        }
+        return failures;
+    }
+
     public static void main(String argv[]) {
         int failures = 0;
 
         failures += extremaTests();
         failures += roundingGradationTests();
         failures += precisionConsistencyTest();
+        failures += arithmeticExceptionTest();
 
         if (failures > 0) {
             throw new RuntimeException("Incurred " + failures +

test/java/math/BigDecimal/Constructor.java

 /*
- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,20 +23,48 @@
 
 /*
  * @test
- * @bug 4259453
- * @summary Test string constructor of BigDecimal
+ * @bug 4259453 8200698
+ * @summary Test constructors of BigDecimal
+ * @library ..
+ * @run testng Constructor
  */
+
 import java.math.BigDecimal;
+import org.testng.annotations.Test;
 
 public class Constructor {
-    public static void main(String[] args) throws Exception {
-        boolean nfe = false;
-        try {
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void stringConstructor() {
         BigDecimal bd = new BigDecimal("1.2e");
-        } catch (NumberFormatException e) {
-            nfe = true;
     }
-        if (!nfe)
-            throw new Exception("Didn't throw NumberFormatException");
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorNegativeOffset() {
+        BigDecimal bd = new BigDecimal(new char[5], -1, 4, null);
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorNegativeLength() {
+        BigDecimal bd = new BigDecimal(new char[5], 0, -1, null);
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorIntegerOverflow() {
+        try {
+            BigDecimal bd = new BigDecimal(new char[5], Integer.MAX_VALUE - 5,
+                6, null);
+        } catch (NumberFormatException nfe) {
+            if (nfe.getCause() instanceof IndexOutOfBoundsException) {
+                throw new RuntimeException
+                    ("NumberFormatException should not have a cause");
+            } else {
+                throw nfe;
+            }
+        }
+    }
+
+    @Test(expectedExceptions=NumberFormatException.class)
+    public void charArrayConstructorIndexOutOfBounds() {
+        BigDecimal bd = new BigDecimal(new char[5], 1, 5, null);
     }
 }

test/java/math/BigInteger/LargeValueExceptions.java

+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8200698
+ * @summary Tests that exceptions are thrown for ops which would overflow
+ * @requires (sun.arch.data.model == "64" & os.maxMemory > 4g)
+ * @run testng/othervm -Xmx4g LargeValueExceptions
+ */
+import java.math.BigInteger;
+import static java.math.BigInteger.ONE;
+import org.testng.annotations.Test;
+
+//
+// The intent of this test is to probe the boundaries between overflow and
+// non-overflow, principally for multiplication and squaring, specifically
+// the largest values which should not overflow and the smallest values which
+// should. The transition values used are not necessarily at the exact
+// boundaries but should be "close." Quite a few different values were used
+// experimentally before settling on the ones in this test. For multiplication
+// and squaring all cases are exercised: definite overflow and non-overflow
+// which can be detected "up front," and "indefinite" overflow, i.e., overflow
+// which cannot be detected up front so further calculations are required.
+//
+// Testing negative values is unnecessary. For both multiplication and squaring
+// the paths lead to the Toom-Cook algorithm where the signum is used only to
+// determine the sign of the result and not in the intermediate calculations.
+// This is also true for exponentiation.
+//
+// @Test annotations with optional element "enabled" set to "false" should
+// succeed when "enabled" is set to "true" but they take too to run in the
+// course of the typical regression test execution scenario.
+//
+public class LargeValueExceptions {
+    // BigInteger.MAX_MAG_LENGTH
+    private static final int MAX_INTS = 1 << 26;
+
+    // Number of bits corresponding to MAX_INTS
+    private static final long MAX_BITS = (0xffffffffL & MAX_INTS) << 5L;
+
+    // Half BigInteger.MAX_MAG_LENGTH
+    private static final int MAX_INTS_HALF = MAX_INTS / 2;
+
+    // --- squaring ---
+
+    // Largest no overflow determined by examining data lengths alone.
+    @Test(enabled=false)
+    public void squareNoOverflow() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS - 1).subtract(ONE);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Smallest no overflow determined by extra calculations.
+    @Test(enabled=false)
+    public void squareIndefiniteOverflowSuccess() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS - 1);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Largest overflow detected by extra calculations.
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void squareIndefiniteOverflowFailure() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS).subtract(ONE);
+        BigInteger y = x.multiply(x);
+    }
+
+    // Smallest overflow detected by examining data lengths alone.
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void squareDefiniteOverflow() {
+        BigInteger x = ONE.shiftLeft(16*MAX_INTS);
+        BigInteger y = x.multiply(x);
+    }
+
+    // --- multiplication ---
+
+    // Largest no overflow determined by examining data lengths alone.
+    @Test(enabled=false)
+    public void multiplyNoOverflow() {
+        final int halfMaxBits = MAX_INTS_HALF << 5;
+
+        BigInteger x = ONE.shiftLeft(halfMaxBits).subtract(ONE);
+        BigInteger y = ONE.shiftLeft(halfMaxBits - 1).subtract(ONE);
+        BigInteger z = x.multiply(y);
+    }
+
+    // Smallest no overflow determined by extra calculations.
+    @Test(enabled=false)
+    public void multiplyIndefiniteOverflowSuccess() {
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS/2) - 1);
+        long m = MAX_BITS - x.bitLength();
+
+        BigInteger y = ONE.shiftLeft((int)(MAX_BITS/2) - 1);
+        long n = MAX_BITS - y.bitLength();
+
+        if (m + n != MAX_BITS) {
+            throw new RuntimeException("Unexpected leading zero sum");
+        }
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // Largest overflow detected by extra calculations.
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void multiplyIndefiniteOverflowFailure() {
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS/2)).subtract(ONE);
+        long m = MAX_BITS - x.bitLength();
+
+        BigInteger y = ONE.shiftLeft((int)(MAX_BITS/2)).subtract(ONE);
+        long n = MAX_BITS - y.bitLength();
+
+        if (m + n != MAX_BITS) {
+            throw new RuntimeException("Unexpected leading zero sum");
+        }
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // Smallest overflow detected by examining data lengths alone.
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void multiplyDefiniteOverflow() {
+        // multiply by 4 as MAX_INTS_HALF refers to ints
+        byte[] xmag = new byte[4*MAX_INTS_HALF];
+        xmag[0] = (byte)0xff;
+        BigInteger x = new BigInteger(1, xmag);
+
+        byte[] ymag = new byte[4*MAX_INTS_HALF + 1];
+        ymag[0] = (byte)0xff;
+        BigInteger y = new BigInteger(1, ymag);
+
+        BigInteger z = x.multiply(y);
+    }
+
+    // --- exponentiation ---
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow() {
+        BigInteger.TEN.pow(Integer.MAX_VALUE);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow1() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent));
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class)
+    public void powOverflow2() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent)).add(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(expectedExceptions=ArithmeticException.class,enabled=false)
+    public void powOverflow3() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent)).subtract(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+
+    @Test(enabled=false)
+    public void powOverflow4() {
+        int shift = 20;
+        int exponent = 1 << shift;
+        BigInteger x = ONE.shiftLeft((int)(MAX_BITS / exponent - 1)).add(ONE);
+        BigInteger y = x.pow(exponent);
+    }
+}

test/java/time/test/java/time/chrono/TestEraDisplayName.java

+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package test.java.time.chrono;
+
+import java.time.*;
+import java.time.chrono.*;
+import java.time.format.*;
+import java.util.Locale;
+
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+import static org.testng.Assert.assertEquals;
+
+/**
+ * Tests Era.getDisplayName() correctly returns the name based on each
+ * chrono implementation.
+ * Note: The exact result may depend on locale data provider's implementation.
+ *
+ * @bug 8171049 8215377
+ * @run testng/othervm -Djava.locale.providers=CLDR TestEraDisplayName
+ */
+@Test
+public class TestEraDisplayName {
+    private static final Locale THAI = Locale.forLanguageTag("th-TH");
+    private static final Locale EGYPT = Locale.forLanguageTag("ar-EG");
+
+    @DataProvider(name="eraDisplayName")
+    Object[][] eraDisplayName() {
+        return new Object[][] {
+            // Era, text style, displyay locale, expected name
+            // IsoEra
+            { IsoEra.BCE,   TextStyle.FULL,     Locale.US,      "Before Christ" },
+            { IsoEra.CE,    TextStyle.FULL,     Locale.US,      "Anno Domini" },
+            { IsoEra.BCE,   TextStyle.FULL,     Locale.JAPAN,   "\u7d00\u5143\u524d" },
+            { IsoEra.CE,    TextStyle.FULL,     Locale.JAPAN,   "\u897f\u66a6" },
+            { IsoEra.BCE,   TextStyle.SHORT,    Locale.US,      "BC" },
+            { IsoEra.CE,    TextStyle.SHORT,    Locale.US,      "AD" },
+            { IsoEra.BCE,   TextStyle.SHORT,    Locale.JAPAN,   "\u7d00\u5143\u524d" },
+            { IsoEra.CE,    TextStyle.SHORT,    Locale.JAPAN,   "\u897f\u66a6" },
+            { IsoEra.BCE,   TextStyle.NARROW,   Locale.US,      "B" },
+            { IsoEra.CE,    TextStyle.NARROW,   Locale.US,      "A" },
+            { IsoEra.BCE,   TextStyle.NARROW,   Locale.JAPAN,   "B" },
+            { IsoEra.CE,    TextStyle.NARROW,   Locale.JAPAN,   "A" },
+
+            // JapaneseEra
+            { JapaneseEra.MEIJI,    TextStyle.FULL,     Locale.US,      "Meiji" },
+            { JapaneseEra.TAISHO,   TextStyle.FULL,     Locale.US,      "Taisho" },
+            { JapaneseEra.SHOWA,    TextStyle.FULL,     Locale.US,      "Showa" },
+            { JapaneseEra.HEISEI,   TextStyle.FULL,     Locale.US,      "Heisei" },
+            { JapaneseEra.MEIJI,    TextStyle.FULL,     Locale.JAPAN,   "\u660e\u6cbb" },
+            { JapaneseEra.TAISHO,   TextStyle.FULL,     Locale.JAPAN,   "\u5927\u6b63" },
+            { JapaneseEra.SHOWA,    TextStyle.FULL,     Locale.JAPAN,   "\u662d\u548c" },
+            { JapaneseEra.HEISEI,   TextStyle.FULL,     Locale.JAPAN,   "\u5e73\u6210" },
+            { JapaneseEra.MEIJI,    TextStyle.SHORT,    Locale.US,      "Meiji" },
+            { JapaneseEra.TAISHO,   TextStyle.SHORT,    Locale.US,      "Taisho" },
+            { JapaneseEra.SHOWA,    TextStyle.SHORT,    Locale.US,      "Showa" },
+            { JapaneseEra.HEISEI,   TextStyle.SHORT,    Locale.US,      "Heisei" },
+            { JapaneseEra.MEIJI,    TextStyle.SHORT,    Locale.JAPAN,   "\u660e\u6cbb" },
+            { JapaneseEra.TAISHO,   TextStyle.SHORT,    Locale.JAPAN,   "\u5927\u6b63" },
+            { JapaneseEra.SHOWA,    TextStyle.SHORT,    Locale.JAPAN,   "\u662d\u548c" },
+            { JapaneseEra.HEISEI,   TextStyle.SHORT,    Locale.JAPAN,   "\u5e73\u6210" },
+            { JapaneseEra.MEIJI,    TextStyle.NARROW,   Locale.US,      "M" },
+            { JapaneseEra.TAISHO,   TextStyle.NARROW,   Locale.US,      "T" },
+            { JapaneseEra.SHOWA,    TextStyle.NARROW,   Locale.US,      "S" },
+            { JapaneseEra.HEISEI,   TextStyle.NARROW,   Locale.US,      "H" },
+            { JapaneseEra.MEIJI,    TextStyle.NARROW,   Locale.JAPAN,   "M" },
+            { JapaneseEra.TAISHO,   TextStyle.NARROW,   Locale.JAPAN,   "T" },
+            { JapaneseEra.SHOWA,    TextStyle.NARROW,   Locale.JAPAN,   "S" },
+            { JapaneseEra.HEISEI,   TextStyle.NARROW,   Locale.JAPAN,   "H" },
+        };
+    }
+
+    @Test(dataProvider="eraDisplayName")
+    public void test_eraDisplayName(Era era, TextStyle style, Locale locale, String expected) {
+        assertEquals(era.getDisplayName(style, locale), expected);
+    }
+}

test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java

 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,7 @@ import javax.net.ssl.SSLSocketFactory;
 
 /**
  * @test
- * @bug 8076221 8157035
+ * @bug 8076221 8157035 8211883
  * @summary Check if weak cipher suites are disabled
  * @run main/othervm DisabledAlgorithms default
  * @run main/othervm DisabledAlgorithms empty
@@ -59,9 +59,9 @@ public class DisabledAlgorithms {
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + trustStoreFile;
 
-    // supported RC4 cipher suites
+    // supported RC4, NULL, and anon cipher suites
     // it does not contain KRB5 cipher suites because they need a KDC
-    private static final String[] rc4_ciphersuites = new String[] {
+    private static final String[] rc4_null_anon_ciphersuites = new String[] {
         "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
         "SSL_RSA_WITH_RC4_128_SHA",
@@ -69,7 +69,31 @@ public class DisabledAlgorithms {
         "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "SSL_RSA_WITH_RC4_128_MD5",
         "TLS_ECDH_anon_WITH_RC4_128_SHA",
-        "SSL_DH_anon_WITH_RC4_128_MD5"
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "SSL_RSA_WITH_NULL_MD5",
+        "SSL_RSA_WITH_NULL_SHA",
+        "TLS_RSA_WITH_NULL_SHA256",
+        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+        "TLS_ECDH_RSA_WITH_NULL_SHA",
+        "TLS_ECDHE_RSA_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
+        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
+        "SSL_DH_anon_WITH_DES_CBC_SHA",
+        "SSL_DH_anon_WITH_RC4_128_MD5",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
+        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_anon_WITH_NULL_SHA",
+        "TLS_ECDH_anon_WITH_RC4_128_SHA"
     };
 
     public static void main(String[] args) throws Exception {
@@ -88,8 +112,9 @@ public class DisabledAlgorithms {
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // check if RC4 cipher suites can't be used by default
-                checkFailure(rc4_ciphersuites);
+                // check if RC4, NULL, and anon cipher suites
+                // can't be used by default
+                checkFailure(rc4_null_anon_ciphersuites);
                 break;
             case "empty":
                 // reset jdk.tls.disabledAlgorithms
@@ -97,9 +122,9 @@ public class DisabledAlgorithms {
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // check if RC4 cipher suites can be used
+                // check if RC4, NULL, and anon cipher suites can be used
                 // if jdk.tls.disabledAlgorithms is empty
-                checkSuccess(rc4_ciphersuites);
+                checkSuccess(rc4_null_anon_ciphersuites);
                 break;
             default:
                 throw new RuntimeException("Wrong parameter: " + args[0]);

test/sun/security/ssl/SSLContextImpl/CustomizedCipherSuites.java

@@ -74,6 +74,7 @@
  *      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  */
 
+import java.security.Security;
 import javax.net.ssl.*;
 
 /**
@@ -90,14 +91,18 @@ public class CustomizedCipherSuites {
     private static boolean isClientMode;
 
     private static String enabledCipherSuite;
-    private static String disabledCipherSuite;
+    private static String notEnabledCipherSuite;
 
     public static void main(String[] args) throws Exception {
 
+        // reset the security property to make sure the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         contextProtocol = trimQuotes(args[0]);
         isClientMode = Boolean.parseBoolean(args[1]);
         enabledCipherSuite = trimQuotes(args[2]);
-        disabledCipherSuite = trimQuotes(args[3]);
+        notEnabledCipherSuite = trimQuotes(args[3]);
 
         //
         // Create instance of SSLContext with the specified protocol.
@@ -206,8 +211,8 @@ public class CustomizedCipherSuites {
                 isMatch = true;
             }
 
-            if (!disabledCipherSuite.isEmpty() &&
-                        cipher.equals(disabledCipherSuite)) {
+            if (!notEnabledCipherSuite.isEmpty() &&
+                        cipher.equals(notEnabledCipherSuite)) {
                 isBroken = true;
             }
         }
@@ -219,7 +224,7 @@ public class CustomizedCipherSuites {
 
         if (isBroken) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be disabled");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
 
@@ -231,7 +236,7 @@ public class CustomizedCipherSuites {
         }
 
         boolean hasEnabledCipherSuite = enabledCipherSuite.isEmpty();
-        boolean hasDisabledCipherSuite = disabledCipherSuite.isEmpty();
+        boolean hasNotEnabledCipherSuite = notEnabledCipherSuite.isEmpty();
         for (String cipher : ciphers) {
             System.out.println("\tsupported cipher suite " + cipher);
             if (!enabledCipherSuite.isEmpty() &&
@@ -239,9 +244,9 @@ public class CustomizedCipherSuites {
                 hasEnabledCipherSuite = true;
             }
 
-            if (!disabledCipherSuite.isEmpty() &&
-                        cipher.equals(disabledCipherSuite)) {
-                hasDisabledCipherSuite = true;
+            if (!notEnabledCipherSuite.isEmpty() &&
+                        cipher.equals(notEnabledCipherSuite)) {
+                hasNotEnabledCipherSuite = true;
             }
         }
 
@@ -250,9 +255,9 @@ public class CustomizedCipherSuites {
                 "Cipher suite " + enabledCipherSuite + " should be supported");
         }
 
-        if (!hasDisabledCipherSuite) {
+        if (!hasNotEnabledCipherSuite) {
             throw new Exception(
-                "Cipher suite " + disabledCipherSuite + " should be supported");
+                "Cipher suite " + notEnabledCipherSuite + " should not be enabled");
         }
     }
 

test/sun/security/ssl/javax/net/ssl/NewAPIs/JSSERenegotiate.java

 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@
 
 import java.io.*;
 import java.net.*;
+import java.security.Security;
 import javax.net.ssl.*;
 
 public class JSSERenegotiate {
@@ -190,6 +191,10 @@ public class JSSERenegotiate {
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset the security property to make sure that the cipher suites
+        // used in this test are not disabled
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;

test/sun/security/tools/jarsigner/TimestampCheck.java

 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -75,6 +75,7 @@ import jdk.testlibrary.Utils;
  *          java.base/sun.security.util
  *          java.base/sun.security.tools.keytool
  * @library /lib/testlibrary
+ * @compile -XDignore.symbol.file TimestampCheck.java
  * @run main/othervm/timeout=600 TimestampCheck
  */
 public class TimestampCheck {
@@ -121,12 +122,12 @@ public class TimestampCheck {
          */
         byte[] sign(byte[] input, String path) throws Exception {
             DerValue value = new DerValue(input);
-            System.out.println("\nIncoming Request\n===================");
-            System.out.println("Version: " + value.data.getInteger());
+            System.out.println("#\n# Incoming Request\n===================");
+            System.out.println("# Version: " + value.data.getInteger());
             DerValue messageImprint = value.data.getDerValue();
             AlgorithmId aid = AlgorithmId.parse(
                     messageImprint.data.getDerValue());
-            System.out.println("AlgorithmId: " + aid);
+            System.out.println("# AlgorithmId: " + aid);
 
             ObjectIdentifier policyId = new ObjectIdentifier(defaultPolicyId);
             BigInteger nonce = null;
@@ -134,16 +135,16 @@ public class TimestampCheck {
                 DerValue v = value.data.getDerValue();
                 if (v.tag == DerValue.tag_Integer) {
                     nonce = v.getBigInteger();
-                    System.out.println("nonce: " + nonce);
+                    System.out.println("# nonce: " + nonce);
                 } else if (v.tag == DerValue.tag_Boolean) {
-                    System.out.println("certReq: " + v.getBoolean());
+                    System.out.println("# certReq: " + v.getBoolean());
                 } else if (v.tag == DerValue.tag_ObjectId) {
                     policyId = v.getOID();
-                    System.out.println("PolicyID: " + policyId);
+                    System.out.println("# PolicyID: " + policyId);
                 }
             }
 
-            System.out.println("\nResponse\n===================");
+            System.out.println("#\n# Response\n===================");
             FileInputStream is = new FileInputStream(keystore);
             KeyStore ks = KeyStore.getInstance("JCEKS");
             ks.load(is, "changeit".toCharArray());
@@ -229,10 +230,10 @@ public class TimestampCheck {
                     "1.2.840.113549.1.9.16.1.4"),
                     new DerValue(tstInfo2.toByteArray()));
 
-            System.out.println("Signing...");
-            System.out.println(new X500Name(signer
+            System.out.println("# Signing...");
+            System.out.println("# " + new X500Name(signer
                     .getIssuerX500Principal().getName()));
-            System.out.println(signer.getSerialNumber());
+            System.out.println("# " + signer.getSerialNumber());
 
             SignerInfo signerInfo = new SignerInfo(
                     new X500Name(signer.getIssuerX500Principal().getName()),
@@ -303,8 +304,6 @@ public class TimestampCheck {
 
     public static void main(String[] args) throws Throwable {
 
-        prepare();
-
         try (Handler tsa = Handler.init(0, "ks");) {
             tsa.start();
             int port = tsa.getPort();
@@ -313,62 +312,99 @@ public class TimestampCheck {
 
             if (args.length == 0) {         // Run this test
 
+                prepare();
+
                 sign("normal")
                         .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
                         .shouldHaveExitValue(0);
 
                 verify("normal.jar")
                         .shouldNotContain("Warning")
                         .shouldHaveExitValue(0);
 
+                verify("normal.jar", "-verbose")
+                        .shouldNotContain("Warning")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldContain("The timestamp will expire on")
+                        .shouldHaveExitValue(0);
+
                 // Simulate signing at a previous date:
                 // 1. tsold will create a timestamp of 20 days ago.
                 // 2. oldsigner expired 10 days ago.
-                // jarsigner will show a warning at signing.
                 signVerbose("tsold", "unsigned.jar", "tsold.jar", "oldsigner")
-                        .shouldHaveExitValue(4);
+                        .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
+                        .shouldHaveExitValue(0);
 
                 // It verifies perfectly.
                 verify("tsold.jar", "-verbose", "-certs")
                         .shouldNotContain("Warning")
+                        .shouldMatch("signer certificate expired on .*. "
+                                + "However, the JAR will be valid")
                         .shouldHaveExitValue(0);
 
+                // No timestamp
                 signVerbose(null, "unsigned.jar", "none.jar", "signer")
                         .shouldContain("is not timestamped")
+                        .shouldContain("The signer certificate will expire on")
                         .shouldHaveExitValue(0);
 
+                verify("none.jar", "-verbose")
+                        .shouldContain("do not include a timestamp")
+                        .shouldContain("The signer certificate will expire on")
+                        .shouldHaveExitValue(0);
+
+                // Error cases
+
                 signVerbose(null, "unsigned.jar", "badku.jar", "badku")
+                        .shouldContain("KeyUsage extension doesn't allow code signing")
                         .shouldHaveExitValue(8);
                 checkBadKU("badku.jar");
 
                 // 8180289: unvalidated TSA cert chain
                 sign("tsnoca")
-                        .shouldContain("TSA certificate chain is invalid")
+                        .shouldContain("The TSA certificate chain is invalid. "
+                                + "Reason: Path does not chain with any of the trust anchors")
                         .shouldHaveExitValue(64);
 
                 verify("tsnoca.jar", "-verbose", "-certs")
                         .shouldHaveExitValue(64)
                         .shouldContain("jar verified")
-                        .shouldContain("Invalid TSA certificate chain")
-                        .shouldContain("TSA certificate chain is invalid");
+                        .shouldContain("Invalid TSA certificate chain: "
+                                + "Path does not chain with any of the trust anchors")
+                        .shouldContain("TSA certificate chain is invalid."
+                                + " Reason: Path does not chain with any of the trust anchors");
 
                 sign("nononce")
+                        .shouldContain("Nonce missing in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("diffnonce")
+                        .shouldContain("Nonce changed in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("baddigest")
+                        .shouldContain("Digest octets changed in timestamp token")
                         .shouldHaveExitValue(1);
                 sign("diffalg")
+                        .shouldContain("Digest algorithm not")
                         .shouldHaveExitValue(1);
+
                 sign("fullchain")
                         .shouldHaveExitValue(0);   // Success, 6543440 solved.
+
                 sign("tsbad1")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("tsbad2")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("tsbad3")
+                        .shouldContain("Certificate is not valid for timestamping")
                         .shouldHaveExitValue(1);
                 sign("nocert")
+                        .shouldContain("Certificate not included in timestamp token")
                         .shouldHaveExitValue(1);
 
                 sign("policy", "-tsapolicyid",  "1.2.3")
@@ -376,6 +412,7 @@ public class TimestampCheck {
                 checkTimestamp("policy.jar", "1.2.3", "SHA-256");
 
                 sign("diffpolicy", "-tsapolicyid", "1.2.3")
+                        .shouldContain("TSAPolicyID changed in timestamp token")
                         .shouldHaveExitValue(1);
 
                 sign("sha1alg", "-tsadigestalg", "SHA")
@@ -384,11 +421,13 @@ public class TimestampCheck {
 
                 sign("tsweak", "-digestalg", "MD5",
                                 "-sigalg", "MD5withRSA", "-tsadigestalg", "MD5")
-                        .shouldHaveExitValue(68);
+                        .shouldHaveExitValue(68)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp");
                 checkWeak("tsweak.jar");
 
                 signVerbose("tsweak", "unsigned.jar", "tsweak2.jar", "signer")
                         .shouldHaveExitValue(64)
+                        .shouldContain("The timestamp is invalid. Without a valid timestamp")
                         .shouldContain("TSA certificate chain is invalid");
 
                 // Weak timestamp is an error and jar treated unsigned
@@ -397,19 +436,26 @@ public class TimestampCheck {
                         .shouldContain("treated as unsigned")
                         .shouldMatch("Timestamp.*512.*weak");
 
+                // Algorithm used in signing is weak
                 signVerbose("normal", "unsigned.jar", "halfWeak.jar", "signer",
                         "-digestalg", "MD5")
+                        .shouldContain("-digestalg option is considered a security risk")
                         .shouldHaveExitValue(4);
                 checkHalfWeak("halfWeak.jar");
 
                 // sign with DSA key
                 signVerbose("normal", "unsigned.jar", "sign1.jar", "dsakey")
                         .shouldHaveExitValue(0);
+
                 // sign with RSAkeysize < 1024
                 signVerbose("normal", "sign1.jar", "sign2.jar", "weakkeysize")
+                        .shouldContain("Algorithm constraints check failed on keysize")
                         .shouldHaveExitValue(4);
                 checkMultiple("sign2.jar");
 
+                // 8191438: jarsigner should print when a timestamp will expire
+                checkExpiration();
+
                 // When .SF or .RSA is missing or invalid
                 checkMissingOrInvalidFiles("normal.jar");
 
@@ -417,12 +463,118 @@ public class TimestampCheck {
                     checkInvalidTsaCertKeyUsage();
                 }
             } else {                        // Run as a standalone server
-                System.out.println("Press Enter to quit server");
+                System.out.println("TSA started at " + host
+                        + ". Press Enter to quit server");
                 System.in.read();
             }
         }
     }
 
+    private static void checkExpiration() throws Exception {
+
+        // Warning when expired or expiring
+        signVerbose(null, "unsigned.jar", "expired.jar", "expired")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        verify("expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldHaveExitValue(4);
+        signVerbose(null, "unsigned.jar", "expiring.jar", "expiring")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        verify("expiring.jar")
+                .shouldContain("signer certificate will expire within")
+                .shouldHaveExitValue(0);
+        // Info for long
+        signVerbose(null, "unsigned.jar", "long.jar", "long")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("long.jar")
+                .shouldNotContain("signer certificate has expired")
+                .shouldNotContain("signer certificate will expire within")
+                .shouldNotContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+        verify("long.jar", "-verbose")
+                .shouldContain("The signer certificate will expire")
+                .shouldHaveExitValue(0);
+
+        // Both expired
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-expired.jar", "expired")
+                .shouldContain("The signer certificate has expired.")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-expired.jar")
+                .shouldContain("signer certificate has expired")
+                .shouldContain("timestamp has expired.")
+                .shouldHaveExitValue(4);
+
+        // TS expired but signer still good
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-long.jar", "long")
+                .shouldContain("The timestamp expired on")
+                .shouldHaveExitValue(0);
+        verify("tsexpired-long.jar")
+                .shouldMatch("timestamp expired on.*However, the JAR will be valid")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpired", "unsigned.jar",
+                "tsexpired-ca.jar", "ca")
+                .shouldContain("The timestamp has expired.")
+                .shouldHaveExitValue(4);
+        verify("tsexpired-ca.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("Error")
+                .shouldHaveExitValue(0);
+
+        // Warning when expiring
+        sign("tsexpiring")
+                .shouldContain("timestamp will expire within")
+                .shouldHaveExitValue(0);
+        verify("tsexpiring.jar")
+                .shouldContain("timestamp will expire within")
+                .shouldNotContain("still valid")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpiring", "unsigned.jar",
+                "tsexpiring-ca.jar", "ca")
+                .shouldContain("self-signed")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(4); // self-signed
+        verify("tsexpiring-ca.jar")
+                .stderrShouldNotMatch("The.*expir")
+                .shouldHaveExitValue(0);
+
+        signVerbose("tsexpiringsoon", "unsigned.jar",
+                "tsexpiringsoon-long.jar", "long")
+                .shouldContain("The timestamp will expire")
+                .shouldHaveExitValue(0);
+        verify("tsexpiringsoon-long.jar")
+                .shouldMatch("timestamp will expire.*However, the JAR will be valid until")
+                .shouldHaveExitValue(0);
+
+        // Info for long
+        sign("tslong")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar")
+                .shouldNotContain("timestamp has expired")
+                .shouldNotContain("timestamp will expire within")
+                .shouldNotContain("timestamp will expire on")
+                .shouldNotContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+        verify("tslong.jar", "-verbose")
+                .shouldContain("timestamp will expire on")
+                .shouldContain("signer certificate will expire on")
+                .shouldHaveExitValue(0);
+    }
+
     private static void checkInvalidTsaCertKeyUsage() throws Exception {
 
         // Hack: Rewrite the TSA cert inside normal.jar into ts2.jar.
@@ -670,6 +822,14 @@ public class TimestampCheck {
         keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
         keytool("-alias tsnoca -genkeypair -dname CN=tsnoca");
 
+        keytool("-alias expired -genkeypair -dname CN=expired");
+        keytool("-alias expiring -genkeypair -dname CN=expiring");
+        keytool("-alias long -genkeypair -dname CN=long");
+        keytool("-alias tsexpired -genkeypair -dname CN=tsexpired");
+        keytool("-alias tsexpiring -genkeypair -dname CN=tsexpiring");
+        keytool("-alias tsexpiringsoon -genkeypair -dname CN=tsexpiringsoon");
+        keytool("-alias tslong -genkeypair -dname CN=tslong");
+
         // tsnoca's issuer will be removed from keystore later
         keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
         gencert("tsnoca", "-ext eku:critical=ts");
@@ -681,7 +841,15 @@ public class TimestampCheck {
         gencert("dsakey");
         gencert("weakkeysize");
         gencert("badku", "-ext ku:critical=keyAgreement");
-        gencert("ts", "-ext eku:critical=ts");
+        gencert("ts", "-ext eku:critical=ts -validity 500");
+
+        gencert("expired", "-validity 10 -startdate -12d");
+        gencert("expiring", "-validity 178");
+        gencert("long", "-validity 182");
+        gencert("tsexpired", "-ext eku:critical=ts -validity 10 -startdate -12d");
+        gencert("tsexpiring", "-ext eku:critical=ts -validity 364");
+        gencert("tsexpiringsoon", "-ext eku:critical=ts -validity 170"); // earlier than expiring
+        gencert("tslong", "-ext eku:critical=ts -validity 367");
 
 
         for (int i = 0; i < 5; i++) {
@@ -701,7 +869,7 @@ public class TimestampCheck {
             }
         }
 
-        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 45");
+        gencert("tsold", "-ext eku:critical=ts -startdate -40d -validity 500");
 
         gencert("tsweak", "-ext eku:critical=ts");
         gencert("tsbad1");

test/sun/security/tools/jarsigner/warnings/AliasNotInStoreTest.java

@@ -51,32 +51,12 @@ public class AliasNotInStoreTest extends Test {
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
         // create first key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", FIRST_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=First",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
-
-        // create second key pair for signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", SECOND_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", BOTH_KEYS_KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Second",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        createAlias(FIRST_KEY_ALIAS);
+        createAlias(SECOND_KEY_ALIAS);
 
         // sign jar with first key
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 "-signedjar", SIGNED_JARFILE,
@@ -93,7 +73,7 @@ public class AliasNotInStoreTest extends Test {
 
         // sign jar with second key
         analyzer = ProcessTools.executeCommand(JARSIGNER,
-                "-keystore", BOTH_KEYS_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 UPDATED_SIGNED_JARFILE,
@@ -104,7 +84,7 @@ public class AliasNotInStoreTest extends Test {
         // create keystore that contains only first key
         ProcessTools.executeCommand(KEYTOOL,
                 "-importkeystore",
-                "-srckeystore", BOTH_KEYS_KEYSTORE,
+                "-srckeystore", KEYSTORE,
                 "-srcalias", FIRST_KEY_ALIAS,
                 "-srcstorepass", PASSWORD,
                 "-srckeypass", PASSWORD,
@@ -113,7 +93,7 @@ public class AliasNotInStoreTest extends Test {
                 "-deststorepass", PASSWORD,
                 "-destkeypass", PASSWORD).shouldHaveExitValue(0);
 
-        // verify jar with keystore that contains only first key in strict mode,
+        // verify jar with keystore that contains only first key,
         // so there is signed entry (FirstClass.class) that is not signed
         // by any alias in the keystore
         analyzer = ProcessTools.executeCommand(JARSIGNER,

test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java

 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,17 +52,14 @@ public class BadExtendedKeyUsageTest extends Test {
 
         // create a certificate whose signer certificate's
         // ExtendedKeyUsage extension doesn't allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        // create key pair for jar signing
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-ext", "ExtendedkeyUsage=serverAuth",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,

test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java

 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,17 +53,13 @@ public class BadKeyUsageTest extends Test {
 
         // create a certificate whose signer certificate's KeyUsage extension
         // doesn't allow code signing
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkey",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
                 "-ext", "KeyUsage=keyAgreement",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+                "-validity", Integer.toString(VALIDITY));
 
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,

test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java

 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,10 +25,6 @@ import jdk.testlibrary.OutputAnalyzer;
 import jdk.testlibrary.ProcessTools;
 import jdk.testlibrary.JarUtils;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.util.Base64;
-
 /**
  * @test
  * @bug 8024302 8026037
@@ -38,25 +34,14 @@ import java.util.Base64;
  */
 public class BadNetscapeCertTypeTest extends Test {
 
-    private static final String NETSCAPE_KEYSTORE_BASE64 = TEST_SOURCES + FS
-            + "bad_netscape_cert_type.jks.base64";
-
-    private static final String NETSCAPE_KEYSTORE
-            = "bad_netscape_cert_type.jks";
-
     /**
      * The test signs and verifies a jar that contains entries
      * whose signer certificate's NetscapeCertType extension
      * doesn't allow code signing (badNetscapeCertType).
      * Warning message is expected.
-     * Run bad_netscape_cert_type.sh script to create bad_netscape_cert_type.jks
      */
     public static void main(String[] args) throws Throwable {
 
-        Files.write(Paths.get(NETSCAPE_KEYSTORE),
-                Base64.getMimeDecoder().decode(
-                    Files.readAllBytes(Paths.get(NETSCAPE_KEYSTORE_BASE64))));
-
         BadNetscapeCertTypeTest test = new BadNetscapeCertTypeTest();
         test.start();
     }
@@ -66,10 +51,22 @@ public class BadNetscapeCertTypeTest extends Test {
         Utils.createFiles(FIRST_FILE);
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
+        // create a certificate whose signer certificate's
+        // NetscapeCertType extension doesn't allow code signing
+        // create key pair for jar signing
+        createAlias(CA_KEY_ALIAS);
+        createAlias(KEY_ALIAS);
+
+        issueCert(
+                KEY_ALIAS,
+                // NetscapeCertType [ SSL client ]
+                "-ext", "2.16.840.1.113730.1.1=03020780",
+                "-validity", Integer.toString(VALIDITY));
+
         // sign jar
         OutputAnalyzer analyzer = ProcessTools.executeCommand(JARSIGNER,
                 "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 "-signedjar", SIGNED_JARFILE,
@@ -82,7 +79,7 @@ public class BadNetscapeCertTypeTest extends Test {
         analyzer = ProcessTools.executeCommand(JARSIGNER,
                 "-verify",
                 "-verbose",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 SIGNED_JARFILE);
@@ -94,7 +91,7 @@ public class BadNetscapeCertTypeTest extends Test {
                 "-verify",
                 "-verbose",
                 "-strict",
-                "-keystore", NETSCAPE_KEYSTORE,
+                "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
                 SIGNED_JARFILE);

test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java

 /*
- * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,117 +21,52 @@
  * questions.
  */
 
-import java.io.File;
 import jdk.testlibrary.OutputAnalyzer;
 import jdk.testlibrary.ProcessTools;
 import jdk.testlibrary.JarUtils;
 
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
 /**
  * @test
  * @bug 8024302 8026037
  * @summary Test for chainNotValidated warning
  * @library /lib/testlibrary ../
- * @run main ChainNotValidatedTest
+ * @run main ChainNotValidatedTest ca2yes
+ * @run main ChainNotValidatedTest ca2no
  */
 public class ChainNotValidatedTest extends Test {
 
-    private static final String CHAIN = "chain";
-
-    /**
-     * The test signs and verifies a jar that contains entries
-     * whose cert chain can't be correctly validated (chainNotValidated).
-     * Warning message is expected.
-     */
     public static void main(String[] args) throws Throwable {
         ChainNotValidatedTest test = new ChainNotValidatedTest();
-        test.start();
+        test.start(args[0].equals("ca2yes"));
     }
 
-    private void start() throws Throwable {
+    private void start(boolean ca2yes) throws Throwable {
         // create a jar file that contains one class file
         Utils.createFiles(FIRST_FILE);
         JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
 
-        // create self-signed certificate whose BasicConstraints extension
-        // is set to false, so the certificate may not be used
-        // as a parent certificate (certpath validation should fail)
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkeypair",
-                "-alias", CA_KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=CA",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        // We have 2 @run. Need cleanup.
+        Files.deleteIfExists(Paths.get(KEYSTORE));
 
-        // create a certificate that is signed by self-signed certificate
-        // despite of it may not be used as a parent certificate
-        // (certpath validation should fail)
-        ProcessTools.executeCommand(KEYTOOL,
-                "-genkeypair",
-                "-alias", KEY_ALIAS,
-                "-keyalg", KEY_ALG,
-                "-keysize", Integer.toString(KEY_SIZE),
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-dname", "CN=Test",
-                "-ext", "BasicConstraints:critical=ca:false",
-                "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
+        // Root CA is not checked at all. If the intermediate CA has
+        // BasicConstraints extension set to true, it will be valid.
+        // Otherwise, chain validation will fail.
+        createAlias(CA_KEY_ALIAS);
+        createAlias(CA2_KEY_ALIAS);
+        issueCert(CA2_KEY_ALIAS,
+                "-ext",
+                "bc=ca:" + ca2yes);
 
-        ProcessTools.executeCommand(KEYTOOL,
-                "-certreq",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_REQUEST_FILENAME).shouldHaveExitValue(0);
+        createAlias(KEY_ALIAS);
+        issueCert(KEY_ALIAS, "-alias", CA2_KEY_ALIAS);
 
-        ProcessTools.executeCommand(KEYTOOL,
-                "-gencert",
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-infile", CERT_REQUEST_FILENAME,
-                "-validity", Integer.toString(VALIDITY),
-                "-outfile", CERT_FILENAME).shouldHaveExitValue(0);
-
-        ProcessTools.executeCommand(KEYTOOL,
-                "-importcert",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD,
-                "-file", CERT_FILENAME).shouldHaveExitValue(0);
-
-        ProcessBuilder pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-
-        pb = new ProcessBuilder(KEYTOOL,
-                "-export",
-                "-rfc",
-                "-alias", CA_KEY_ALIAS,
-                "-keystore", KEYSTORE,
-                "-storepass", PASSWORD,
-                "-keypass", PASSWORD);
-        pb.redirectOutput(ProcessBuilder.Redirect.appendTo(new File(CHAIN)));
-        ProcessTools.executeCommand(pb).shouldHaveExitValue(0);
-
-        // remove CA certificate
+        // remove CA2 certificate so it's not trusted
         ProcessTools.executeCommand(KEYTOOL,
                 "-delete",
-                "-alias", CA_KEY_ALIAS,
+                "-alias", CA2_KEY_ALIAS,
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD).shouldHaveExitValue(0);
@@ -141,12 +76,15 @@ public class ChainNotValidatedTest extends Test {
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 "-signedjar", SIGNED_JARFILE,
                 UNSIGNED_JARFILE,
                 KEY_ALIAS);
 
+        if (ca2yes) {
+            checkSigning(analyzer, "!" + CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        } else {
             checkSigning(analyzer, CHAIN_NOT_VALIDATED_SIGNING_WARNING);
+        }
 
         // verify signed jar
         analyzer = ProcessTools.executeCommand(JARSIGNER,
@@ -155,10 +93,13 @@ public class ChainNotValidatedTest extends Test {
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 SIGNED_JARFILE);
 
+        if (ca2yes) {
+            checkVerifying(analyzer, 0, "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
             checkVerifying(analyzer, 0, CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
 
         // verify signed jar in strict mode
         analyzer = ProcessTools.executeCommand(JARSIGNER,
@@ -168,11 +109,15 @@ public class ChainNotValidatedTest extends Test {
                 "-keystore", KEYSTORE,
                 "-storepass", PASSWORD,
                 "-keypass", PASSWORD,
-                "-certchain", CHAIN,
                 SIGNED_JARFILE);
 
+        if (ca2yes) {
+            checkVerifying(analyzer, 0,
+                    "!" + CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        } else {
             checkVerifying(analyzer, CHAIN_NOT_VALIDATED_EXIT_CODE,
                     CHAIN_NOT_VALIDATED_VERIFYING_WARNING);
+        }
 
         System.out.println("Test passed");
     }

test/sun/util/calendar/zi/tzdata/VERSION

@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2018e
+tzdata2018g

test/sun/util/calendar/zi/tzdata/antarctica

@@ -21,6 +21,8 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
+# tzdb data for Antarctica and environs
+
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.