refs;
+ if (res.referrals == null) {
+ refs = null;
+ } else if (handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME) {
+ refs = new Vector<>();
+ for (String s : res.referrals.elementAt(0)) {
+ if (s.startsWith("ldap:")) {
+ refs.add(s);
+ }
+ }
+ if (refs.isEmpty()) {
+ refs = null;
+ }
+ } else {
+ refs = res.referrals.elementAt(0);
+ }
+ r.setReferralInfo(refs, false);
if (hopCount > 1) {
r.setHopCount(hopCount);
diff --git a/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java b/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java
index 1058d9dd92433834c0f23cfbcdcca7ff68796eb8..0870ab75a95ed411989009faacdfb6b66ca7ea6a 100644
--- a/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java
+++ b/src/share/classes/com/sun/jndi/ldap/LdapReferralException.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -117,7 +117,8 @@ final public class LdapReferralException extends
// If following referral, request controls are passed to referral ctx
this.reqCtls =
- (handleReferrals == LdapClient.LDAP_REF_FOLLOW ? reqCtls : null);
+ (handleReferrals == LdapClient.LDAP_REF_FOLLOW ||
+ handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME ? reqCtls : null);
}
/**
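Review bot: The added condition mixes `||` and `?:` with no grouping, so the reader has to recall that `||` binds tighter than the conditional operator to see that both modes select `reqCtls`. Parenthesising the test makes that explicit: `((handleReferrals == LdapClient.LDAP_REF_FOLLOW || handleReferrals == LdapClient.LDAP_REF_FOLLOW_SCHEME) ? reqCtls : null);`. The existing comment above it could also name the new mode, for example `// If following referrals (LDAP_REF_FOLLOW or LDAP_REF_FOLLOW_SCHEME), request controls are passed to referral ctx`. The enclosing constructor starts outside this hunk.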
diff --git a/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java b/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java
index 9bcdd8547f64003fb0154d78d63e4780d941f57d..488edcdeae53eaed8087ab4885e083f3815ba9a6 100644
--- a/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java
+++ b/src/share/classes/com/sun/management/HotSpotDiagnosticMXBean.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -63,9 +63,10 @@ public interface HotSpotDiagnosticMXBean extends PlatformManagedObject {
* @param outputFile the system-dependent filename
* @param live if true dump only live objects
* i.e. objects that are reachable from others
- * @throws IOException if the outputFile
+ * @throws IOException if the outputFile already exists,
* cannot be created, opened, or written to.
* @throws UnsupportedOperationException if this operation is not supported.
+ * @throws IllegalArgumentException if outputFile does not end with ".hprof" suffix.
* @throws NullPointerException if outputFile is null.
* @throws SecurityException
* If a security manager exists and its {@link
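Review bot: The new `@throws IllegalArgumentException` line states the ".hprof" rule as unconditional, but the implementation in HotSpotDiagnostic.java in this same commit skips the check when the system property `jdk.management.heapdump.allowAnyFileSuffix` is true. Either the interface documentation should mention the override or the omission should be deliberate and noted in the implementation. A possible wording is `@throws IllegalArgumentException if outputFile does not end with ".hprof" suffix, unless the system property {@code jdk.management.heapdump.allowAnyFileSuffix} is set to true.` The javadoc block starts and ends outside this hunk.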
diff --git a/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java b/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java
index 73f6b3357685556a4eaeb913807fed4abb481146..0658b6d7d876241cbf47bb719f1f8525f76a8400 100644
--- a/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java
+++ b/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java
@@ -1482,9 +1482,6 @@ public class ThreadPoolExecutor extends AbstractExecutorService {
/**
* Invokes {@code shutdown} when this executor is no longer
* referenced and it has no threads.
- *
- * This method is invoked with privileges that are restricted by
- * the security context of the caller that invokes the constructor.
*/
protected void finalize() {
SecurityManager sm = System.getSecurityManager();
diff --git a/src/share/classes/sun/awt/resources/awt_sv.properties b/src/share/classes/sun/awt/resources/awt_sv.properties
index d114d9ff98d3a8b3a1e41e6ab2d321bdb41f15f9..39d6ffd19945fc96ac2bc86a617d5e6a82f26752 100644
--- a/src/share/classes/sun/awt/resources/awt_sv.properties
+++ b/src/share/classes/sun/awt/resources/awt_sv.properties
@@ -71,7 +71,7 @@ AWT.f21=F21
AWT.f22=F22
AWT.f23=F23
AWT.f24=F24
-AWT.printScreen=Print Screen
+AWT.printScreen=Sk\u00E4rmutskrift
AWT.insert=Insert
AWT.help=Hj\u00E4lp
AWT.windows=Windows
diff --git a/src/share/classes/sun/launcher/resources/launcher_es.properties b/src/share/classes/sun/launcher/resources/launcher_es.properties
index de6a08c5eb9e29b1451f7103af5a49d7b619f8b1..04ae16d3afc90837933a646ce75d326aac622055 100644
--- a/src/share/classes/sun/launcher/resources/launcher_es.properties
+++ b/src/share/classes/sun/launcher/resources/launcher_es.properties
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,7 @@ java.launcher.ergo.message1 =\ La VM por defecto es {0}
java.launcher.ergo.message2 =\ porque la ejecuci\u00F3n se est\u00E1 llevando a cabo en una m\u00E1quina de clase de servidor.\n
# Translators please note do not translate the options themselves
-java.launcher.opt.footer =\ -cp \n -classpath \n Lista separada por {0} de directorios, archivos JAR\n y archivos ZIP para buscar archivos de clase.\n -D=\n definir una propiedad del sistema\n -verbose:[class|gc|jni]\n activar la salida verbose\n -version imprimir la versi\u00F3n del producto y salir\n -version:\n Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n en una versi\u00F3n futura.\n es necesario que se ejecute la versi\u00F3n especificada\n -showversion imprimir la versi\u00F3n del producto y continuar\n -jre-restrict-search | -no-jre-restrict-search\n Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n en una versi\u00F3n futura.\n incluir/excluir JRE privados de usuario en la b\u00FAsqueda de versi\u00F3n\n -? -help imprimir este mensaje de ayuda\n -X imprimir la ayuda sobre las opciones que no sean est\u00E1ndar\n -ea[:...|:]\n -enableassertions[:...|:]\n activar afirmaciones con la granularidad especificada\n -da[:...|:]\n -disableassertions[:...|:]\n desactivar afirmaciones con la granularidad especificada\n -esa | -enablesystemassertions\n activar afirmaciones del sistema\n -dsa | -disablesystemassertions\n desactivar afirmaciones del sistema\n -agentlib:[=]\n cargar la biblioteca de agente nativa , como -agentlib:hprof\n v\u00E9ase tambi\u00E9n -agentlib:jdwp=help y -agentlib:hprof=help\n -agentpath:[=]\n cargar biblioteca de agente nativa con el nombre de la ruta de acceso completa\n -javaagent:[=]\n cargar agente de lenguaje de programaci\u00F3n Java, v\u00E9ase java.lang.instrument\n -splash:\n mostrar una pantalla de presentaci\u00F3n con la imagen especificada\nConsulte http://www.oracle.com/technetwork/java/javase/documentation/index.html para obtener m\u00E1s informaci\u00F3n.
+java.launcher.opt.footer =\ -cp \n -classpath \n Lista separada por {0} de directorios, archivos JAR\n y archivos ZIP para buscar archivos de clase.\n -D=\n definir una propiedad del sistema\n -verbose:[class|gc|jni]\n activar la salida verbose\n -version imprimir la versi\u00F3n del producto y salir\n -version:\n Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n en una versi\u00F3n futura.\n es necesario que se ejecute la versi\u00F3n especificada\n -showversion imprimir la versi\u00F3n del producto y continuar\n -jre-restrict-search | -no-jre-restrict-search\n Advertencia: Esta funci\u00F3n est\u00E1 anticuada y se eliminar\u00E1\n en una versi\u00F3n futura.\n incluir/excluir JRE privados de usuario en la b\u00FAsqueda de versi\u00F3n\n -? -help imprimir este mensaje de ayuda\n -X imprimir la ayuda sobre las opciones que no sean est\u00E1ndar\n -ea[:...|:]\n -enableassertions[:...|:]\n activar afirmaciones con la granularidad especificada\n -da[:...|:]\n -disableassertions[:...|:]\n desactivar afirmaciones con la granularidad especificada\n -esa | -enablesystemassertions\n activar afirmaciones del sistema\n -dsa | -disablesystemassertions\n desactivar afirmaciones del sistema\n -agentlib:[=]\n cargar la biblioteca de agente nativa , como -agentlib:hprof\n v\u00E9ase tambi\u00E9n -agentlib:jdwp=help y -agentlib:hprof=help\n -agentpath:[=]\n cargar biblioteca de agente nativa con el nombre de la ruta de acceso completa\n -javaagent:[=]\n cargar agente de lenguaje de programaci\u00F3n Java, v\u00E9ase java.lang.instrument\n -splash:\n mostrar una pantalla de presentaci\u00F3n con la imagen especificada\nConsulte http://www.oracle.com/technetwork/java/javase/documentation/index.html para obtener m\u00E1s informaci\u00F3n.
# Translators please note do not translate the options themselves
java.launcher.X.usage=\ -Xmixed ejecuci\u00F3n de modo mixto (por defecto)\n -Xint s\u00F3lo ejecuci\u00F3n de modo interpretado\n -Xbootclasspath:\n definir la ruta de acceso de b\u00FAsqueda para los recursos y clases de inicializaci\u00F3n de datos\n -Xbootclasspath/a:\n agregar al final de la ruta de acceso de la clase de inicializaci\u00F3n de datos\n -Xbootclasspath/p:\n anteponer a la ruta de acceso de la clase de inicializaci\u00F3n de datos\n -Xdiag mostrar mensajes de diagn\u00F3stico adicionales\n -Xnoclassgc desactivar la recolecci\u00F3n de basura de clases\n -Xincgc activar la recolecci\u00F3n de basura de clases\n -Xloggc: registrar el estado de GC en un archivo con registros de hora\n -Xbatch desactivar compilaci\u00F3n en segundo plano\n -Xms definir tama\u00F1o de pila Java inicial\n -Xmx definir tama\u00F1o de pila Java m\u00E1ximo\n -Xss definir tama\u00F1o de la pila del thread de Java\n -Xprof datos de salida de creaci\u00F3n de perfil de CPU\n -Xfuture activar las comprobaciones m\u00E1s estrictas, anticip\u00E1ndose al futuro valor por defecto\n -Xrs reducir el uso de se\u00F1ales de sistema operativo por parte de Java/VM (consulte la documentaci\u00F3n)\n -Xcheck:jni realizar comprobaciones adicionales para las funciones de JNI\n -Xshare:off no intentar usar datos de clase compartidos\n -Xshare:auto usar datos de clase compartidos si es posible (valor por defecto)\n -Xshare:on es obligatorio el uso de datos de clase compartidos, de lo contrario se emitir\u00E1 un fallo.\n -XshowSettings mostrar todos los valores y continuar\n -XshowSettings:all\n mostrar todos los valores y continuar\n -XshowSettings:vm mostrar todos los valores de la VM y continuar\n -XshowSettings:properties\n mostrar todos los valores de las propiedades y continuar\n -XshowSettings:locale\n mostrar todos los valores relacionados con la configuraci\u00F3n regional y continuar\n\nLas opciones -X no son est\u00E1ndar, por lo que podr\u00EDan cambiarse sin previo aviso.\n
diff --git a/src/share/classes/sun/launcher/resources/launcher_sv.properties b/src/share/classes/sun/launcher/resources/launcher_sv.properties
index 19b1b2aabf0edf6073bfe201f2c39bce75b58378..dcf8f5dd341209aee2cf3267479c02c4d49f70f7 100644
--- a/src/share/classes/sun/launcher/resources/launcher_sv.properties
+++ b/src/share/classes/sun/launcher/resources/launcher_sv.properties
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
@@ -37,7 +37,7 @@ java.launcher.ergo.message2 =\ eftersom du k\u00F6r en serverk
java.launcher.opt.footer =\ -cp \n -classpath \n En lista \u00F6ver kataloger, JAR-arkiv och och ZIP-arkiv\n f\u00F6r s\u00F6kning efter klassfiler avgr\u00E4nsad med {0}.\n -D=\n ange en systemegenskap\n -verbose:[class|gc|jni]\n aktivera utf\u00F6rliga utdata\n -version skriv ut produktversion och avsluta\n -version:\n Varning: den h\u00E4r funktionen \u00E4r inaktuell och kommer\n att tas bort i en framtida utg\u00E5va.\n kr\u00E4v den angivna versionen f\u00F6r att k\u00F6ra\n -showversion skriv ut produktversion och forts\u00E4tt\n -jre-restrict-search | -no-jre-restrict-search\n Varning: den h\u00E4r funktionen \u00E4r inaktuell och kommer\n att tas bort i en framtida utg\u00E5va.\n inkludera/exkludera anv\u00E4ndarprivata JRE:er i versionss\u00F6kningen\n -? -help skriv ut det h\u00E4r hj\u00E4lpmeddelandet\n -X skriv ut hj\u00E4lp f\u00F6r icke-standardalternativ\n -ea[:...|:]\n -enableassertions[:...|:]\n aktivera verifieringar med den angivna detaljgraden\n -da[:...|:]\n -disableassertions[:...|:]\n avaktivera verifieringar med den angivna detaljgraden\n -esa | -enablesystemassertions\n aktivera systemverifieringar\n -dsa | -disablesystemassertions\n avaktivera systemverifieringar\n -agentlib:[=]\n ladda det ursprungliga agentbiblioteket , t.ex. -agentlib:hprof\n se \u00E4ven -agentlib:jdwp=help och -agentlib:hprof=help\n -agentpath:[=]\n ladda det ursprungliga agentbiblioteket med det fullst\u00E4ndiga s\u00F6kv\u00E4gsnamnet\n -javaagent:[=]\n ladda agenten f\u00F6r programmeringsspr\u00E5ket Java, se java.lang.instrument\n -splash:\n visa v\u00E4lkomstsk\u00E4rmen med den angivna bilden\nMer information finns p\u00E5 http://www.oracle.com/technetwork/java/javase/documentation/index.html.
# Translators please note do not translate the options themselves
-java.launcher.X.usage=\ -Xmixed k\u00F6rning i blandat l\u00E4ge (standard)\n -Xint endast k\u00F6rning i tolkat l\u00E4ge\n -Xbootclasspath:\n ange s\u00F6kv\u00E4g f\u00F6r programladdningsklasser och -resurser\n -Xbootclasspath/a:\n l\u00E4gg till i slutet av programladdningsklassens s\u00F6kv\u00E4g\n -Xbootclasspath/p:\n l\u00E4gg till i b\u00F6rjan av programladdningsklassens s\u00F6kv\u00E4g\n -Xdiag visa ytterligare diagnostiska meddelanden\n -Xnoclassgc avaktivera klassens skr\u00E4pinsamling\n -Xincgc aktivera inkrementell skr\u00E4pinsamling\n -Xloggc: logga GC-status till en fil med tidsst\u00E4mplar\n -Xbatch avaktivera bakgrundskompilering\n -Xms ange ursprunglig storlek f\u00F6r Java-heap\n -Xmx ange maximal storlek f\u00F6r Java-heap\n -Xss ange storlek f\u00F6r java-tr\u00E5dsstack\n -Xprof utdata f\u00F6r processorprofilering\n -Xfuture aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n -Xrs minska OS-signalanv\u00E4ndning av Java/VM (se dokumentation)\n -Xcheck:jni utf\u00F6r ytterligare kontroller f\u00F6r JNI-funktioner\n -Xshare:off anv\u00E4nd inte delade klassdata\n -Xshare:auto anv\u00E4nd delade klassdata om det g\u00E5r (standard)\n -Xshare:on kr\u00E4v att delade klassdata anv\u00E4nds, annars slutf\u00F6r inte.\n -XshowSettings visa alla inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:all\n visa alla inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:properties\n visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n -XshowSettings:locale\n visa alla spr\u00E5krelaterade inst\u00E4llningar och forts\u00E4tt\n\n-X-alternativen \u00E4r inte standard och kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.\n
+java.launcher.X.usage=\ -Xmixed exekvering i blandat l\u00E4ge (standard)\n -Xint endast exekvering i tolkat l\u00E4ge\n -Xbootclasspath:\n ange s\u00F6kv\u00E4g f\u00F6r programladdningsklasser och -resurser\n -Xbootclasspath/a:\n l\u00E4gg till i slutet av programladdningsklassens s\u00F6kv\u00E4g\n -Xbootclasspath/p:\n l\u00E4gg till i b\u00F6rjan av programladdningsklassens s\u00F6kv\u00E4g\n -Xdiag visa ytterligare diagnostiska meddelanden\n -Xnoclassgc avaktivera klassens skr\u00E4pinsamling\n -Xincgc aktivera inkrementell skr\u00E4pinsamling\n -Xloggc: logga GC-status till en fil med tidsst\u00E4mplar\n -Xbatch avaktivera bakgrundskompilering\n -Xms ange ursprunglig storlek f\u00F6r Java-heap\n -Xmx ange maximal storlek f\u00F6r Java-heap\n -Xss ange storlek f\u00F6r java-tr\u00E5dsstack\n -Xprof utdata f\u00F6r processorprofilering\n -Xfuture aktivera str\u00E4ngaste kontroller, f\u00F6rv\u00E4ntad framtida standard\n -Xrs minska OS-signalanv\u00E4ndning av Java/VM (se dokumentation)\n -Xcheck:jni utf\u00F6r ytterligare kontroller f\u00F6r JNI-funktioner\n -Xshare:off anv\u00E4nd inte delade klassdata\n -Xshare:auto anv\u00E4nd delade klassdata om det g\u00E5r (standard)\n -Xshare:on kr\u00E4v att delade klassdata anv\u00E4nds, annars slutf\u00F6r inte.\n -XshowSettings visa alla inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:all\n visa alla inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:vm visa alla vm-relaterade inst\u00E4llningar och forts\u00E4tt\n -XshowSettings:properties\n visa alla egenskapsinst\u00E4llningar och forts\u00E4tt\n -XshowSettings:locale\n visa alla spr\u00E5krelaterade inst\u00E4llningar och forts\u00E4tt\n\n-X-alternativen \u00E4r inte standard och kan \u00E4ndras utan f\u00F6reg\u00E5ende meddelande.\n
# Translators please note do not translate the options themselves
java.launcher.X.macosx.usage=\nF\u00F6ljande alternativ \u00E4r specifika f\u00F6r Mac OS X:\n -XstartOnFirstThread\n k\u00F6r huvudmetoden() p\u00E5 den f\u00F6rsta (AppKit) tr\u00E5den\n -Xdock:name="\n \u00E5sidosatt standardapplikationsnamn visas i docka\n -Xdock:icon=\n \u00E5sidosatt standardikon visas i docka\n\n
diff --git a/src/share/classes/sun/management/HotSpotDiagnostic.java b/src/share/classes/sun/management/HotSpotDiagnostic.java
index d2e7b397208789197260a6f9d168e915a273f4d9..dffaafe5524afb1f28c280d905a6aba80aa59c4d 100644
--- a/src/share/classes/sun/management/HotSpotDiagnostic.java
+++ b/src/share/classes/sun/management/HotSpotDiagnostic.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,8 @@ import javax.management.ObjectName;
import com.sun.management.HotSpotDiagnosticMXBean;
import com.sun.management.VMOption;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
/**
* Implementation of the diagnostic MBean for Hotspot VM.
@@ -41,6 +43,14 @@ public class HotSpotDiagnostic implements HotSpotDiagnosticMXBean {
}
public void dumpHeap(String outputFile, boolean live) throws IOException {
+
+ String propertyName = "jdk.management.heapdump.allowAnyFileSuffix";
+ PrivilegedAction pa = () -> Boolean.parseBoolean(System.getProperty(propertyName, "false"));
+ boolean allowAnyFileSuffix = AccessController.doPrivileged(pa);
+ if (!allowAnyFileSuffix && !outputFile.endsWith(".hprof")) {
+ throw new IllegalArgumentException("heapdump file must have .hprof extention");
+ }
+
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkWrite(outputFile);
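Review bot: The exception message in the added suffix check misspells "extension", and the string is visible to JMX clients, so it should read `throw new IllegalArgumentException("heapdump file must have .hprof extension");`. As shown, `PrivilegedAction pa` has no type argument, which may be an artifact of how the page was rendered. The assignment to `boolean allowAnyFileSuffix` needs `PrivilegedAction<Boolean> pa` to compile without a cast. A short comment above the check would help a maintainer see it as a control rather than cosmetics, for example `// Restrict the dump file suffix so this MBean operation cannot be used to create files of arbitrary type`. The body of dumpHeap continues outside this hunk.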
diff --git a/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java b/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
index 998b00ab14e654c75ade9f3e3340284b4dd9eb91..b3b5281358d9a4a77d1f4e3bb061252b77799fd4 100644
--- a/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
+++ b/src/share/classes/sun/management/jmxremote/SingleEntryRegistry.java
@@ -32,6 +32,7 @@
package sun.management.jmxremote;
+import sun.misc.ObjectInputFilter;
import java.rmi.AccessException;
import java.rmi.NotBoundException;
import java.rmi.Remote;
@@ -56,7 +57,7 @@ public class SingleEntryRegistry extends RegistryImpl {
String name,
Remote object)
throws RemoteException {
- super(port, csf, ssf);
+ super(port, csf, ssf, SingleEntryRegistry::singleRegistryFilter);
this.name = name;
this.object = object;
}
@@ -84,6 +85,23 @@ public class SingleEntryRegistry extends RegistryImpl {
throw new AccessException("Cannot modify this registry");
}
+ /**
+ * ObjectInputFilter to check parameters to SingleEntryRegistry.
+ * Since it is a read-only Registry, no classes are accepted.
+ * String arguments are accepted without passing them to the serialFilter.
+ *
+ * @param info a reference to the serialization filter information
+ * @return Status.REJECTED if parameters are out of range
+ */
+ private static ObjectInputFilter.Status singleRegistryFilter(ObjectInputFilter.FilterInfo info) {
+ return (info.serialClass() != null ||
+ info.depth() > 2 ||
+ info.references() > 4 ||
+ info.arrayLength() >= 0)
+ ? ObjectInputFilter.Status.REJECTED
+ : ObjectInputFilter.Status.ALLOWED;
+ }
+
private final String name;
private final Remote object;
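Review bot: The javadoc on `singleRegistryFilter` does not explain the `info.arrayLength() >= 0` term or the ALLOWED result, and both are easy to misread. `arrayLength()` is -1 unless an array is being deserialized, so that term rejects every array rather than applying a size limit. A comment on that line would say so: `// arrayLength() is -1 for non-arrays, so any array is rejected`. The `@return` tag should cover both outcomes, for example `@return Status.REJECTED for any class, any array, or when the depth or reference limits are exceeded; otherwise Status.ALLOWED`. It is also worth stating that the filter never returns UNDECIDED, so no later filter is consulted.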
diff --git a/src/share/classes/sun/management/resources/agent_sv.properties b/src/share/classes/sun/management/resources/agent_sv.properties
index 3ac512aadca9bb1e78297bb53c26e9d742b3a1ad..03910f19b0b0cb0c71f2cfb7417e1e6b015096ba 100644
--- a/src/share/classes/sun/management/resources/agent_sv.properties
+++ b/src/share/classes/sun/management/resources/agent_sv.properties
@@ -1,6 +1,6 @@
#
#
-# Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
@@ -70,10 +70,10 @@ agent.err.invalid.option = Det angivna alternativet \u00E4r ogiltigt
agent.err.invalid.snmp.port = Ogiltigt com.sun.management.snmp.port-nummer
agent.err.invalid.snmp.trap.port = Ogiltigt com.sun.management.snmp.trap-nummer
agent.err.unknown.snmp.interface = Ok\u00E4nt SNMP-gr\u00E4nssnitt
-agent.err.acl.file.notset = Ingen SNMP ACL-fil har angetts, men com.sun.management.snmp.acl=true
-agent.err.acl.file.notfound = SNMP ACL-filen hittades inte
-agent.err.acl.file.not.readable = SNMP ACL-filen \u00E4r inte l\u00E4sbar
-agent.err.acl.file.read.failed = Kunde inte l\u00E4sa filen SNMP ACL
+agent.err.acl.file.notset = Ingen SNMP \u00E5tkomstkontrollista-fil har angetts, men com.sun.management.snmp.acl=true
+agent.err.acl.file.notfound = SNMP \u00E5tkomstkontrollista-filen hittades inte
+agent.err.acl.file.not.readable = SNMP \u00E5tkomstkontrollista-filen \u00E4r inte l\u00E4sbar
+agent.err.acl.file.read.failed = Kunde inte l\u00E4sa filen SNMP \u00E5tkomstkontrollista
agent.err.acl.file.access.notrestricted = L\u00E4sbeh\u00F6righeten f\u00F6r filen m\u00E5ste begr\u00E4nsas
agent.err.snmp.adaptor.start.failed = Kunde inte starta SNMP-adaptern med adressen
@@ -85,7 +85,7 @@ jmxremote.ConnectorBootstrap.ready = JMX-anslutning redo p\u00E5: {0}
jmxremote.ConnectorBootstrap.password.readonly = L\u00E4sbeh\u00F6righeten f\u00F6r l\u00F6senordsfilen m\u00E5ste begr\u00E4nsas: {0}
jmxremote.ConnectorBootstrap.file.readonly = Fill\u00E4snings\u00E5tkomst m\u00E5ste begr\u00E4nsas {0}
-jmxremote.AdaptorBootstrap.getTargetList.processing = ACL bearbetas
+jmxremote.AdaptorBootstrap.getTargetList.processing = \u00E5tkomstkontrollista bearbetas
jmxremote.AdaptorBootstrap.getTargetList.adding = M\u00E5l l\u00E4ggs till: {0}
jmxremote.AdaptorBootstrap.getTargetList.starting = Adapterservern startas:
jmxremote.AdaptorBootstrap.getTargetList.initialize1 = Adaptern redo.
diff --git a/src/share/classes/sun/rmi/registry/RegistryImpl.java b/src/share/classes/sun/rmi/registry/RegistryImpl.java
index e23379db3b96961e2970f62d86882ace22e0dc35..15f3d33f2d83315449bc79049ceef6f14c78c79d 100644
--- a/src/share/classes/sun/rmi/registry/RegistryImpl.java
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -69,6 +69,10 @@ import sun.rmi.transport.LiveRef;
* registry.
*
* The LocateRegistry class is used to obtain registry for different hosts.
+ *
+ * The default RegistryImpl exported restricts access to clients on the local host
+ * for the methods {@link #bind}, {@link #rebind}, {@link #unbind} by checking
+ * the client host in the skeleton.
*
* @see java.rmi.registry.LocateRegistry
*/
@@ -96,10 +100,10 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
private static final String REGISTRY_FILTER_PROPNAME = "sun.rmi.registry.registryFilter";
/** Registry max depth of remote invocations. **/
- private static int REGISTRY_MAX_DEPTH = 5;
+ private static final int REGISTRY_MAX_DEPTH = 20;
/** Registry maximum array size in remote invocations. **/
- private static int REGISTRY_MAX_ARRAY_SIZE = 10000;
+ private static final int REGISTRY_MAX_ARRAY_SIZE = 10000;
/**
* The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"}
@@ -136,6 +140,20 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
RMIClientSocketFactory csf,
RMIServerSocketFactory ssf)
throws RemoteException
+ {
+ this(port, csf, ssf, RegistryImpl::registryFilter);
+ }
+
+
+ /**
+ * Construct a new RegistryImpl on the specified port with the
+ * given custom socket factory pair and ObjectInputFilter.
+ */
+ public RegistryImpl(int port,
+ RMIClientSocketFactory csf,
+ RMIServerSocketFactory ssf,
+ ObjectInputFilter serialFilter)
+ throws RemoteException
{
if (port == Registry.REGISTRY_PORT && System.getSecurityManager() != null) {
// grant permission for default port only.
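Review bot: The new public four-argument constructor takes `serialFilter` without a null check, and its javadoc has no `@param` describing what the filter applies to or whether null is permitted. How `UnicastServerRef2` treats a null filter is not visible in this diff; if null means "no filtering", a caller could export a registry whose call arguments are deserialized unfiltered. If null is not intended, a guard as the first statement would make that explicit: `if (serialFilter == null) throw new NullPointerException("serialFilter");`. The javadoc could add `@param serialFilter filter applied to the arguments of incoming remote calls; must not be null`. The constructor body continues past the end of this hunk.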
@@ -143,7 +161,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
AccessController.doPrivileged(new PrivilegedExceptionAction() {
public Void run() throws RemoteException {
LiveRef lref = new LiveRef(id, port, csf, ssf);
- setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
+ setup(new UnicastServerRef2(lref, serialFilter));
return null;
}
}, null, new SocketPermission("localhost:"+port, "listen,accept"));
@@ -219,7 +237,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
public void bind(String name, Remote obj)
throws RemoteException, AlreadyBoundException, AccessException
{
- checkAccess("Registry.bind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
synchronized (bindings) {
Remote curr = bindings.get(name);
if (curr != null)
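Review bot: With `checkAccess` removed here, and likewise in the `unbind` and `rebind` hunks below, the local-host restriction on these public methods depends entirely on remote calls arriving through `RegistryImpl_Skel.dispatch`. Whether every export path for a `RegistryImpl` or a subclass uses that skeleton cannot be confirmed from this diff. The replacement comment should name where the check lives and what a future dispatcher must do, for example `// Remote callers are checked in RegistryImpl_Skel.dispatch before arguments are read; any other dispatch path must call checkAccess itself.` The methods still declare `AccessException` although, as shown, they no longer throw it themselves, which the method javadoc could mention. The method bodies continue outside these hunks.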
@@ -236,7 +255,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
public void unbind(String name)
throws RemoteException, NotBoundException, AccessException
{
- checkAccess("Registry.unbind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
synchronized (bindings) {
Remote obj = bindings.get(name);
if (obj == null)
@@ -252,7 +272,8 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
public void rebind(String name, Remote obj)
throws RemoteException, AccessException
{
- checkAccess("Registry.rebind");
+ // The access check preventing remote access is done in the skeleton
+ // and is not applicable to local access.
bindings.put(name, obj);
}
@@ -279,7 +300,6 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
* The client must be on same the same host as this server.
*/
public static void checkAccess(String op) throws AccessException {
-
try {
/*
* Get client host that this registry operation was made from.
@@ -305,7 +325,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
if (clientHost.isAnyLocalAddress()) {
throw new AccessException(
- "Registry." + op + " disallowed; origin unknown");
+ op + " disallowed; origin unknown");
}
try {
@@ -328,7 +348,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
// must have been an IOException
throw new AccessException(
- "Registry." + op + " disallowed; origin " +
+ op + " disallowed; origin " +
clientHost + " is non-local host");
}
}
@@ -337,8 +357,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
* Local call from this VM: allow access.
*/
} catch (java.net.UnknownHostException ex) {
- throw new AccessException("Registry." + op +
- " disallowed; origin is unknown host");
+ throw new AccessException(op + " disallowed; origin is unknown host");
}
}
diff --git a/src/share/classes/sun/rmi/registry/RegistryImpl_Skel.java b/src/share/classes/sun/rmi/registry/RegistryImpl_Skel.java
new file mode 100644
index 0000000000000000000000000000000000000000..842d47719591b7e74c5894b513245a40d8b7608c
--- /dev/null
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl_Skel.java
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+package sun.rmi.registry;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.rmi.AccessException;
+import java.rmi.server.RemoteCall;
+
+import sun.rmi.transport.Connection;
+import sun.rmi.transport.StreamRemoteCall;
+import sun.rmi.transport.tcp.TCPConnection;
+
+/**
+ * Skeleton to dispatch RegistryImpl methods.
+ * Originally generated by RMIC but frozen to match the stubs.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Skel
+ implements java.rmi.server.Skeleton {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("java.lang.String list()[]"),
+ new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+ new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("void unbind(java.lang.String)")
+ };
+
+ private static final long interfaceHash = 4905912898345647071L;
+
+ public java.rmi.server.Operation[] getOperations() {
+ return operations.clone();
+ }
+
+ public void dispatch(java.rmi.Remote obj, java.rmi.server.RemoteCall call, int opnum, long hash)
+ throws java.lang.Exception {
+ if (hash != interfaceHash)
+ throw new java.rmi.server.SkeletonMismatchException("interface hash mismatch");
+
+ sun.rmi.registry.RegistryImpl server = (sun.rmi.registry.RegistryImpl) obj;
+ switch (opnum) {
+ case 0: // bind(String, Remote)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.bind");
+
+ java.lang.String $param_String_1;
+ java.rmi.Remote $param_Remote_2;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ $param_Remote_2 = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.bind($param_String_1, $param_Remote_2);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 1: // list()
+ {
+ call.releaseInputStream();
+ java.lang.String[] $result = server.list();
+ try {
+ java.io.ObjectOutput out = call.getResultStream(true);
+ out.writeObject($result);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 2: // lookup(String)
+ {
+ java.lang.String $param_String_1;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ java.rmi.Remote $result = server.lookup($param_String_1);
+ try {
+ java.io.ObjectOutput out = call.getResultStream(true);
+ out.writeObject($result);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 3: // rebind(String, Remote)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.rebind");
+
+ java.lang.String $param_String_1;
+ java.rmi.Remote $param_Remote_2;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ $param_Remote_2 = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.rebind($param_String_1, $param_Remote_2);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ case 4: // unbind(String)
+ {
+ // Check access before reading the arguments
+ RegistryImpl.checkAccess("Registry.unbind");
+
+ java.lang.String $param_String_1;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $param_String_1 = (java.lang.String) in.readObject();
+ } catch (java.io.IOException | java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling arguments", e);
+ } finally {
+ call.releaseInputStream();
+ }
+ server.unbind($param_String_1);
+ try {
+ call.getResultStream(true);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling return", e);
+ }
+ break;
+ }
+
+ default:
+ throw new java.rmi.UnmarshalException("invalid method number");
+ }
+ }
+}
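Review bot: In `dispatch`, case 2 (`lookup`) has no `checkAccess` call and reads its argument with `(java.lang.String) in.readObject()`, so the object in the stream is deserialized before the cast to String is applied. For remote callers of `lookup`, the registry's serial filter is therefore the only restriction on what gets deserialized. Case 4 (`unbind`) uses the same read pattern but sits behind the host check. Since this file is now frozen and hand-maintained rather than regenerated, that dependency should be recorded at the read site, for example `// lookup is open to remote clients: readObject() runs before the String cast, so the registry serialFilter is the only guard here`. Reading the name through a string-only path, if one is available in this code base, would remove the dependency.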
diff --git a/src/share/classes/sun/rmi/registry/RegistryImpl_Stub.java b/src/share/classes/sun/rmi/registry/RegistryImpl_Stub.java
new file mode 100644
index 0000000000000000000000000000000000000000..f8574869147855dc78e2a70bdaa3e7603aba9d94
--- /dev/null
+++ b/src/share/classes/sun/rmi/registry/RegistryImpl_Stub.java
@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.rmi.registry;
+/**
+ * Stubs to invoke RegistryImpl remote methods.
+ * Originally generated from RMIC but frozen to match RegistryImpl_Skel.
+ */
+@SuppressWarnings({"deprecation", "serial"})
+public final class RegistryImpl_Stub
+ extends java.rmi.server.RemoteStub
+ implements java.rmi.registry.Registry, java.rmi.Remote {
+ private static final java.rmi.server.Operation[] operations = {
+ new java.rmi.server.Operation("void bind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("java.lang.String list()[]"),
+ new java.rmi.server.Operation("java.rmi.Remote lookup(java.lang.String)"),
+ new java.rmi.server.Operation("void rebind(java.lang.String, java.rmi.Remote)"),
+ new java.rmi.server.Operation("void unbind(java.lang.String)")
+ };
+
+ private static final long interfaceHash = 4905912898345647071L;
+
+ // constructors
+ public RegistryImpl_Stub() {
+ super();
+ }
+
+ public RegistryImpl_Stub(java.rmi.server.RemoteRef ref) {
+ super(ref);
+ }
+
+ // methods from remote interfaces
+
+ // implementation of bind(String, Remote)
+ public void bind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+ throws java.rmi.AccessException, java.rmi.AlreadyBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 0, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ out.writeObject($param_Remote_2);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.AlreadyBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of list()
+ public java.lang.String[] list()
+ throws java.rmi.AccessException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 1, interfaceHash);
+ ref.invoke(call);
+ java.lang.String[] $result;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $result = (java.lang.String[]) in.readObject();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } finally {
+ ref.done(call);
+ }
+ return $result;
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of lookup(String)
+ public java.rmi.Remote lookup(java.lang.String $param_String_1)
+ throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 2, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ java.rmi.Remote $result;
+ try {
+ java.io.ObjectInput in = call.getInputStream();
+ $result = (java.rmi.Remote) in.readObject();
+ } catch (java.io.IOException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } catch (java.lang.ClassNotFoundException e) {
+ throw new java.rmi.UnmarshalException("error unmarshalling return", e);
+ } finally {
+ ref.done(call);
+ }
+ return $result;
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.NotBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of rebind(String, Remote)
+ public void rebind(java.lang.String $param_String_1, java.rmi.Remote $param_Remote_2)
+ throws java.rmi.AccessException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 3, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ out.writeObject($param_Remote_2);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+
+ // implementation of unbind(String)
+ public void unbind(java.lang.String $param_String_1)
+ throws java.rmi.AccessException, java.rmi.NotBoundException, java.rmi.RemoteException {
+ try {
+ java.rmi.server.RemoteCall call = ref.newCall((java.rmi.server.RemoteObject) this, operations, 4, interfaceHash);
+ try {
+ java.io.ObjectOutput out = call.getOutputStream();
+ out.writeObject($param_String_1);
+ } catch (java.io.IOException e) {
+ throw new java.rmi.MarshalException("error marshalling arguments", e);
+ }
+ ref.invoke(call);
+ ref.done(call);
+ } catch (java.lang.RuntimeException e) {
+ throw e;
+ } catch (java.rmi.RemoteException e) {
+ throw e;
+ } catch (java.rmi.NotBoundException e) {
+ throw e;
+ } catch (java.lang.Exception e) {
+ throw new java.rmi.UnexpectedException("undeclared checked exception", e);
+ }
+ }
+}
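Review bot: The operation numbers passed to `ref.newCall` (0 to 4) and the `interfaceHash` literal are wire-protocol values with no comment tying them to the skeleton, whose switch dispatches on the same numbers (`case 3` is rebind, `case 4` is unbind). Since the class comment says the stub is now frozen rather than regenerated, I would add a comment above `operations` such as `// array index is the wire operation number; order and interfaceHash must stay in step with RegistryImpl_Skel`. The rethrow ladders in the five methods could also collapse into multi-catch, for example `catch (RuntimeException | RemoteException | AlreadyBoundException e) { throw e; }` in bind, which the skeleton side already uses for its unmarshalling errors.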
diff --git a/src/share/classes/sun/rmi/server/Activation.java b/src/share/classes/sun/rmi/server/Activation.java
index 928b1d549ec7b8f9b50585b6041f1e979d1e4dbe..cb36f2da7fc85ead55074b8826433e73560bb6ee 100644
--- a/src/share/classes/sun/rmi/server/Activation.java
+++ b/src/share/classes/sun/rmi/server/Activation.java
@@ -30,6 +30,7 @@ import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.PrintStream;
@@ -105,7 +106,6 @@ import sun.rmi.log.LogHandler;
import sun.rmi.log.ReliableLog;
import sun.rmi.registry.RegistryImpl;
import sun.rmi.runtime.NewThreadAction;
-import sun.rmi.server.UnicastServerRef;
import sun.rmi.transport.LiveRef;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetIntegerAction;
@@ -345,6 +345,7 @@ public class Activation implements Serializable {
throw new AccessException(
"binding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.bind");
super.bind(name, obj);
}
}
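Review bot: `RegistryImpl.checkAccess("ActivationSystem.bind")` runs inside the method body, so for a remote call `name` and `obj` have already been unmarshalled by the time it executes. The registry skeleton in this commit does its check before reading the arguments. If the call here is a second check for callers that do not arrive through that skeleton, a short comment naming the path it guards would make the intent clear, for example `// re-checked here; the skeleton check runs before unmarshalling`. The unbind and rebind hunks below have the same shape, and the methods start outside these hunks, so how they are reached is inferred rather than visible.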
@@ -356,6 +357,7 @@ public class Activation implements Serializable {
throw new AccessException(
"unbinding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.unbind");
super.unbind(name);
}
}
@@ -368,6 +370,7 @@ public class Activation implements Serializable {
throw new AccessException(
"binding ActivationSystem is disallowed");
} else {
+ RegistryImpl.checkAccess("ActivationSystem.rebind");
super.rebind(name, obj);
}
}
@@ -458,6 +461,33 @@ public class Activation implements Serializable {
}
+ /**
+ * SameHostOnlyServerRef checks that access is from a local client
+ * before the parameters are deserialized. The unmarshalCustomCallData
+ * hook is used to check the network address of the caller
+ * with RegistryImpl.checkAccess().
+ * The kind of access is retained for an exception if one is thrown.
+ */
+ static class SameHostOnlyServerRef extends UnicastServerRef {
+ private static final long serialVersionUID = 1234L;
+ private String accessKind; // an exception message
+
+ /**
+ * Construct a new SameHostOnlyServerRef from a LiveRef.
+ * @param lref a LiveRef
+ */
+ SameHostOnlyServerRef(LiveRef lref, String accessKind) {
+ super(lref);
+ this.accessKind = accessKind;
+ }
+
+ @Override
+ protected void unmarshalCustomCallData(ObjectInput in) throws IOException, ClassNotFoundException {
+ RegistryImpl.checkAccess(accessKind);
+ super.unmarshalCustomCallData(in);
+ }
+ }
+
class ActivationSystemImpl
extends RemoteServer
implements ActivationSystem
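Review bot: `accessKind` is assigned once in the SameHostOnlyServerRef constructor and then drives every access check, so it should be declared `private final String accessKind;` to rule out later reassignment. The constructor Javadoc documents only `lref`; add `@param accessKind the access kind reported in the exception if the check fails`. The override itself calls `RegistryImpl.checkAccess(accessKind)` before `super.unmarshalCustomCallData(in)`, which matches the ordering the class comment promises.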
@@ -475,7 +505,8 @@ public class Activation implements Serializable {
* 'this' can be exported.
*/
LiveRef lref = new LiveRef(new ObjID(4), port, null, ssf);
- UnicastServerRef uref = new UnicastServerRef(lref);
+ UnicastServerRef uref = new SameHostOnlyServerRef(lref,
+ "ActivationSystem.nonLocalAccess");
ref = uref;
uref.exportObject(this, null);
}
@@ -484,8 +515,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.registerObject");
-
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
ActivationGroupID groupID = desc.getGroupID();
ActivationID id = new ActivationID(activatorStub);
getGroupEntry(groupID).registerObject(id, desc, true);
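Review bot: The replacement comment names a hook that does not exist: it says `unmarshallCustomData`, while the method overridden in SameHostOnlyServerRef is `unmarshalCustomCallData`. Suggested wording: `// RegistryImpl.checkAccess() is done in SameHostOnlyServerRef.unmarshalCustomCallData() and is not applicable to local access.` The same comment is repeated in every following hunk of this file through shutdown(), so the fix applies to each of them. With the per-method calls removed, every rejection also reports the single kind `ActivationSystem.nonLocalAccess`, which matters if logs or tests matched on the old per-method names.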
@@ -496,15 +527,18 @@ public class Activation implements Serializable {
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.unregisterObject");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
getGroupEntry(id).unregisterObject(id, true);
}
public ActivationGroupID registerGroup(ActivationGroupDesc desc)
throws ActivationException, RemoteException
{
+ Thread.dumpStack();
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.registerGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
checkArgs(desc, null);
ActivationGroupID id = new ActivationGroupID(systemStub);
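Review bot: `Thread.dumpStack();` at the top of registerGroup looks like a debugging leftover: it prints a stack trace to standard error on every call, and no other method touched in this file has a counterpart. The line to drop is `Thread.dumpStack();`. If a trace is wanted for diagnosis it should sit behind a log-level check rather than being unconditional. registerGroup continues past the end of the hunk.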
@@ -521,7 +555,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.activeGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
getGroupEntry(id).activeGroup(group, incarnation);
return monitor;
@@ -531,7 +566,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.unregisterGroup");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
// remove entry before unregister so state is updated before
// logged
@@ -543,7 +579,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.setActivationDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
if (!getGroupID(id).equals(desc.getGroupID())) {
throw new ActivationException(
@@ -557,8 +594,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess(
- "ActivationSystem.setActivationGroupDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
checkArgs(desc, null);
return getGroupEntry(id).setActivationGroupDesc(id, desc, true);
@@ -568,7 +605,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownObjectException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess("ActivationSystem.getActivationDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
return getGroupEntry(id).getActivationDesc(id);
}
@@ -577,8 +615,8 @@ public class Activation implements Serializable {
throws ActivationException, UnknownGroupException, RemoteException
{
checkShutdown();
- RegistryImpl.checkAccess
- ("ActivationSystem.getActivationGroupDesc");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
return getGroupEntry(id).desc;
}
@@ -588,7 +626,8 @@ public class Activation implements Serializable {
* the activation daemon and exits the activation daemon.
*/
public void shutdown() throws AccessException {
- RegistryImpl.checkAccess("ActivationSystem.shutdown");
+ // RegistryImpl.checkAccess() is done in the SameHostOnlyServerRef
+ // during unmarshallCustomData and is not applicable to local access.
Object lock = startupLock;
if (lock != null) {
diff --git a/src/share/classes/sun/rmi/server/UnicastServerRef.java b/src/share/classes/sun/rmi/server/UnicastServerRef.java
index c9f068c336581bac3f8565f4351330871c1a6dad..0da55822e2e6b11934151e76e2bbce9286719a8c 100644
--- a/src/share/classes/sun/rmi/server/UnicastServerRef.java
+++ b/src/share/classes/sun/rmi/server/UnicastServerRef.java
@@ -32,6 +32,7 @@ import java.io.ObjectOutput;
import java.io.ObjectStreamClass;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.rmi.AccessException;
import java.rmi.MarshalException;
import java.rmi.Remote;
import java.rmi.RemoteException;
@@ -290,20 +291,25 @@ public class UnicastServerRef extends UnicastRef
try {
in = call.getInputStream();
num = in.readInt();
- if (num >= 0) {
- if (skel != null) {
- oldDispatch(obj, call, num);
- return;
- } else {
- throw new UnmarshalException(
- "skeleton class not found but required " +
- "for client version");
- }
+ } catch (Exception readEx) {
+ throw new UnmarshalException("error unmarshalling call header",
+ readEx);
+ }
+ if (num >= 0) {
+ if (skel != null) {
+ oldDispatch(obj, call, num);
+ return;
+ } else {
+ throw new UnmarshalException(
+ "skeleton class not found but required " +
+ "for client version");
}
+ }
+ try {
op = in.readLong();
} catch (Exception readEx) {
throw new UnmarshalException("error unmarshalling call header",
- readEx);
+ readEx);
}
/*
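Review bot: Nothing in the restructured block says why the `num >= 0` branch now sits outside the header `try`. As written, the `UnmarshalException` for a missing skeleton and anything thrown by `oldDispatch` are no longer caught by `catch (Exception readEx)` and re-wrapped as "error unmarshalling call header". That appears to be the intent, and a comment would keep a later cleanup from merging the two `try` blocks again, e.g. `// outside the try: failures from oldDispatch must reach the outer handler unwrapped`. The final `readEx);` change is whitespace only, and the method begins and ends outside the hunk.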
@@ -331,6 +337,11 @@ public class UnicastServerRef extends UnicastRef
try {
unmarshalCustomCallData(in);
params = unmarshalParameters(obj, method, marshalStream);
+ } catch (AccessException aex) {
+ // For compatibility, AccessException is not wrapped in UnmarshalException
+ // disable saving any refs in the inputStream for GC
+ ((StreamRemoteCall) call).discardPendingRefs();
+ throw aex;
} catch (java.io.IOException | ClassNotFoundException e) {
// disable saving any refs in the inputStream for GC
((StreamRemoteCall) call).discardPendingRefs();
@@ -367,6 +378,7 @@ public class UnicastServerRef extends UnicastRef
*/
}
} catch (Throwable e) {
+ Throwable origEx = e;
logCallException(e);
ObjectOutput out = call.getResultStream(false);
@@ -382,6 +394,12 @@ public class UnicastServerRef extends UnicastRef
clearStackTraces(e);
}
out.writeObject(e);
+
+ // AccessExceptions should cause Transport.serviceCall
+ // to flag the connection as unusable.
+ if (origEx instanceof AccessException) {
+ throw new IOException("Connection is not reusable", origEx);
+ }
} finally {
call.releaseInputStream(); // in case skeleton doesn't
call.releaseOutputStream();
@@ -413,62 +431,41 @@ public class UnicastServerRef extends UnicastRef
* Handle server-side dispatch using the RMI 1.1 stub/skeleton
* protocol, given a non-negative operation number that has
* already been read from the call stream.
+ * Exceptions are handled by the caller to be sent to the remote client.
*
* @param obj the target remote object for the call
* @param call the "remote call" from which operation and
* method arguments can be obtained.
* @param op the operation number
- * @exception IOException if unable to marshal return result or
+ * @throws Exception if unable to marshal return result or
* release input or output streams
*/
- public void oldDispatch(Remote obj, RemoteCall call, int op)
- throws IOException
+ private void oldDispatch(Remote obj, RemoteCall call, int op)
+ throws Exception
{
long hash; // hash for matching stub with skeleton
+ // read remote call header
+ ObjectInput in;
+ in = call.getInputStream();
try {
- // read remote call header
- ObjectInput in;
- try {
- in = call.getInputStream();
- try {
- Class> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
- if (clazz.isAssignableFrom(skel.getClass())) {
- ((MarshalInputStream)in).useCodebaseOnly();
- }
- } catch (ClassNotFoundException ignore) { }
- hash = in.readLong();
- } catch (Exception readEx) {
- throw new UnmarshalException("error unmarshalling call header",
- readEx);
+ Class> clazz = Class.forName("sun.rmi.transport.DGCImpl_Skel");
+ if (clazz.isAssignableFrom(skel.getClass())) {
+ ((MarshalInputStream)in).useCodebaseOnly();
}
+ } catch (ClassNotFoundException ignore) { }
- // if calls are being logged, write out object id and operation
- logCall(obj, skel.getOperations()[op]);
- unmarshalCustomCallData(in);
- // dispatch to skeleton for remote object
- skel.dispatch(obj, call, op, hash);
-
- } catch (Throwable e) {
- logCallException(e);
-
- ObjectOutput out = call.getResultStream(false);
- if (e instanceof Error) {
- e = new ServerError(
- "Error occurred in server thread", (Error) e);
- } else if (e instanceof RemoteException) {
- e = new ServerException(
- "RemoteException occurred in server thread",
- (Exception) e);
- }
- if (suppressStackTraces) {
- clearStackTraces(e);
- }
- out.writeObject(e);
- } finally {
- call.releaseInputStream(); // in case skeleton doesn't
- call.releaseOutputStream();
+ try {
+ hash = in.readLong();
+ } catch (Exception ioe) {
+ throw new UnmarshalException("error unmarshalling call header", ioe);
}
+
+ // if calls are being logged, write out object id and operation
+ logCall(obj, skel.getOperations()[op]);
+ unmarshalCustomCallData(in);
+ // dispatch to skeleton for remote object
+ skel.dispatch(obj, call, op, hash);
}
/**
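Review bot: The updated Javadoc on oldDispatch still describes the old contract: `@throws Exception if unable to marshal return result or release input or output streams`, but the new body no longer marshals a result or releases streams, and any exception from `skel.dispatch` now propagates to the caller. Suggested text: `@throws Exception any failure reading the call header or thrown by the skeleton; the caller marshals it to the client`. Also, `in = call.getInputStream();` moved out of the block that wrapped failures as `UnmarshalException("error unmarshalling call header", ...)`, so an IOException there would now surface unwrapped, if that call can still fail at this point. The empty `catch (ClassNotFoundException ignore) { }` deserves a one-line reason.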
diff --git a/src/share/classes/sun/security/ec/ECDSASignature.java b/src/share/classes/sun/security/ec/ECDSASignature.java
index 2abc262809aa2dca01fae5b4d02ddb5b6bb4afa7..ccd5a02956607249ae56d5cab6ebdc8ae409fc4d 100644
--- a/src/share/classes/sun/security/ec/ECDSASignature.java
+++ b/src/share/classes/sun/security/ec/ECDSASignature.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -287,11 +287,15 @@ abstract class ECDSASignature extends SignatureSpi {
}
random.nextBytes(seed);
- try {
+ // random bits needed for timing countermeasures
+ int timingArgument = random.nextInt();
+ // values must be non-zero to enable countermeasures
+ timingArgument |= 1;
+ try {
return encodeSignature(
- signDigest(getDigestValue(), s, encodedParams, seed));
-
+ signDigest(getDigestValue(), s, encodedParams, seed,
+ timingArgument));
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
}
@@ -418,11 +422,19 @@ abstract class ECDSASignature extends SignatureSpi {
* @param s the private key's S value.
* @param encodedParams the curve's DER encoded object identifier.
* @param seed the random seed.
+ * @param timing When non-zero, the implmentation will use timing
+ * countermeasures to hide secrets from timing channels. The EC
+ * implementation will disable the countermeasures when this value is
+ * zero, because the underlying EC functions are shared by several
+ * crypto operations, some of which do not use the countermeasures.
+ * The high-order 31 bits must be uniformly random. The entropy from
+ * these bits is used by the countermeasures.
*
* @return byte[] the signature.
*/
private static native byte[] signDigest(byte[] digest, byte[] s,
- byte[] encodedParams, byte[] seed) throws GeneralSecurityException;
+ byte[] encodedParams, byte[] seed, int timing)
+ throws GeneralSecurityException;
/**
* Verifies the signed digest using the public key.
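Review bot: The new `@param timing` text has a typo: `implmentation` should read `implementation`. The paragraph also says the high-order 31 bits must be uniformly random without saying that the caller forces the low bit. Adding `(the caller sets bit 0 so the value is never zero)` would tie it to the `timingArgument |= 1` line in the signing hunk above.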
diff --git a/src/share/classes/sun/security/provider/DSA.java b/src/share/classes/sun/security/provider/DSA.java
index 3a13e910d60baff6e5e56186ef47d8b332ebc4dd..665e1626e00c683b69df29455ac6ec406a5b4d60 100644
--- a/src/share/classes/sun/security/provider/DSA.java
+++ b/src/share/classes/sun/security/provider/DSA.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -67,6 +67,13 @@ abstract class DSA extends SignatureSpi {
/* Are we debugging? */
private static final boolean debug = false;
+ /* The number of bits used in exponent blinding */
+ private static final int BLINDING_BITS = 7;
+
+ /* The constant component of the exponent blinding value */
+ private static final BigInteger BLINDING_CONSTANT =
+ BigInteger.valueOf(1 << BLINDING_BITS);
+
/* The parameter object */
private DSAParams params;
@@ -312,8 +319,19 @@ abstract class DSA extends SignatureSpi {
return null;
}
+
private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
BigInteger k) {
+
+ // exponent blinding to hide information from timing channel
+ SecureRandom random = getSigningRandom();
+ // start with a random blinding component
+ BigInteger blindingValue = new BigInteger(BLINDING_BITS, random);
+ // add the fixed blinding component
+ blindingValue = blindingValue.add(BLINDING_CONSTANT);
+ // replace k with a blinded value that is congruent (mod q)
+ k = k.add(q.multiply(blindingValue));
+
BigInteger temp = g.modPow(k, p);
return temp.mod(q);
}
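Review bot: The blinding multiplier in generateR is drawn from only `BLINDING_BITS` = 7 random bits plus the fixed `1 << BLINDING_BITS`, so there are 128 possible values per signature, and neither the constants nor the method say why that is sufficient. A sentence of rationale next to the constants would help whoever tunes this later, together with the reason the result is unchanged, e.g. `// g has order q modulo p, so g^(k + q*b) == g^k (mod p)`. Reassigning the parameter `k` also hides that the exponent passed to `modPow` is no longer the per-message secret itself; a local such as `blindedK` would read more clearly.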
@@ -378,43 +396,8 @@ abstract class DSA extends SignatureSpi {
byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
random.nextBytes(kValue);
- BigInteger k = new BigInteger(1, kValue).mod(
+ return new BigInteger(1, kValue).mod(
q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
-
- // Using an equivalent exponent of fixed length (same as q or 1 bit
- // less than q) to keep the kG timing relatively constant.
- //
- // Note that this is an extra step on top of the approach defined in
- // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
- k = k.add(q).divide(BigInteger.valueOf(2));
-
- // An alternative implementation based on FIPS 186-4 AppendixB2.2
- // with fixed-length K.
- //
- // Please keep it here as we may need to switch to it in the future.
- //
- // SecureRandom random = getSigningRandom();
- // byte[] kValue = new byte[(q.bitLength() + 7)/8];
- // BigInteger d = q.subtract(BigInteger.TWO);
- // BigInteger k;
- // do {
- // random.nextBytes(kValue);
- // BigInteger c = new BigInteger(1, kValue);
- // if (c.compareTo(d) <= 0) {
- // k = c.add(BigInteger.ONE);
- // // Using an equivalent exponent of fixed length to keep
- // // the g^k timing relatively constant.
- // //
- // // Note that this is an extra step on top of the approach
- // // defined in FIPS 186-4 AppendixB.2.2 so as to make a
- // // fixed length K.
- // if (k.bitLength() >= q.bitLength()) {
- // break;
- // }
- // }
- // } while (true);
-
- return k;
}
// Use the application-specified SecureRandom Object if provided.
diff --git a/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
index 5a24a694b3d381bec59e2e248afd04bf8abc9230..ba3e4d60cb3dc918b4ab0b3d0cf86920d74bd646 100644
--- a/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
+++ b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -265,7 +265,7 @@ public final class LDAPCertStore extends CertStoreSpi {
*/
Hashtable,?> currentEnv = ctx.getEnvironment();
if (currentEnv.get(Context.REFERRAL) == null) {
- ctx.addToEnvironment(Context.REFERRAL, "follow");
+ ctx.addToEnvironment(Context.REFERRAL, "follow-scheme");
}
} catch (NamingException e) {
if (debug != null) {
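Review bot: The new `"follow-scheme"` default only takes effect when the context's environment has no `Context.REFERRAL` entry (`currentEnv.get(Context.REFERRAL) == null`), so a context already configured with `"follow"` keeps the broader behaviour. The comment above this block starts outside the hunk and may already cover it. If it does not, it is worth stating the reason for the restricted mode and the precedence, e.g. `// default to scheme-restricted referral following; an explicit REFERRAL setting still wins`. Whether callers can reach this code with their own REFERRAL value is not visible here.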
diff --git a/src/share/classes/sun/security/tools/keytool/Resources_sv.java b/src/share/classes/sun/security/tools/keytool/Resources_sv.java
index 971cd9c4c6d072a037086f50eac4684075ec9577..19208fa9a6cc26932a4134bc80d01058d814406b 100644
--- a/src/share/classes/sun/security/tools/keytool/Resources_sv.java
+++ b/src/share/classes/sun/security/tools/keytool/Resources_sv.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -55,7 +55,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"Changes.an.entry.s.alias",
"\u00C4ndrar postalias"}, //-changealias
{"Deletes.an.entry",
- "Tar bort post"}, //-delete
+ "Tar bort en post"}, //-delete
{"Exports.certificate",
"Exporterar certifikat"}, //-exportcert
{"Generates.a.key.pair",
@@ -175,7 +175,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"validity.number.of.days",
"antal dagar f\u00F6r giltighet"}, //-validity
{"Serial.ID.of.cert.to.revoke",
- "Seriellt id f\u00F6r certifikat som ska \u00E5terkallas"}, //-id
+ "Serienummer p\u00E5 certifikat som ska \u00E5terkallas"}, //-id
// keytool: Running part
{"keytool.error.", "nyckelverktygsfel: "},
{"Illegal.option.", "Otill\u00E5tet alternativ: "},
@@ -266,7 +266,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
"Certifikatet har inte lagts till i nyckellagret"},
{".Storing.ksfname.", "[Lagrar {0}]"},
{"alias.has.no.public.key.certificate.",
- "{0} saknar offentlig nyckel (certifikat)"},
+ "{0} saknar \u00F6ppen nyckel (certifikat)"},
{"Cannot.derive.signature.algorithm",
"Kan inte h\u00E4rleda signaturalgoritm"},
{"Alias.alias.does.not.exist",
@@ -316,7 +316,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"Failed.to.parse.input", "Kunde inte tolka indata"},
{"Empty.input", "Inga indata"},
{"Not.X.509.certificate", "Inte ett X.509-certifikat"},
- {"alias.has.no.public.key", "{0} saknar offentlig nyckel"},
+ {"alias.has.no.public.key", "{0} saknar \u00F6ppen nyckel"},
{"alias.has.no.X.509.certificate", "{0} saknar X.509-certifikat"},
{"New.certificate.self.signed.", "Nytt certifikat (sj\u00E4lvsignerat):"},
{"Reply.has.no.certificates", "Svaret saknar certifikat"},
@@ -371,7 +371,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{".WARNING.WARNING.WARNING.",
"***************** WARNING WARNING WARNING *****************"},
- {"Signer.d.", "Signerare #%d:"},
+ {"Signer.d.", "Undertecknare %d:"},
{"Timestamp.", "Tidsst\u00E4mpel:"},
{"Signature.", "Signatur:"},
{"CRLs.", "CRL:er:"},
@@ -386,7 +386,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
"* Integriteten f\u00F6r den information som lagras i srckeystore*\n* har INTE verifierats! Om du vill verifiera dess integritet *\n* m\u00E5ste du ange l\u00F6senordet f\u00F6r srckeystore. *"},
{"Certificate.reply.does.not.contain.public.key.for.alias.",
- "Certifikatsvaret inneh\u00E5ller inte n\u00E5gon offentlig nyckel f\u00F6r <{0}>"},
+ "Certifikatsvaret inneh\u00E5ller inte n\u00E5gon \u00F6ppen nyckel f\u00F6r <{0}>"},
{"Incomplete.certificate.chain.in.reply",
"Ofullst\u00E4ndig certifikatskedja i svaret"},
{"Certificate.chain.in.reply.does.not.verify.",
@@ -417,7 +417,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{".Empty.value.", "(Tomt v\u00E4rde)"},
{"Extension.Request.", "Till\u00E4ggsbeg\u00E4ran:"},
{"PKCS.10.Certificate.Request.Version.1.0.Subject.s.Public.Key.s.format.s.key.",
- "PKCS #10 certifikatbeg\u00E4ran (version 1.0)\n\u00C4mne: %s\nAllm\u00E4n nyckel: %s-format %s-nyckel\n"},
+ "PKCS #10 certifikatbeg\u00E4ran (version 1.0)\n\u00C4rende: %s\n\u00D6ppen nyckel: %s-format %s-nyckel\n"},
{"Unknown.keyUsage.type.", "Ok\u00E4nd keyUsage-typ: "},
{"Unknown.extendedkeyUsage.type.", "Ok\u00E4nd extendedkeyUsage-typ: "},
{"Unknown.AccessDescription.type.", "Ok\u00E4nd AccessDescription-typ: "},
diff --git a/src/share/classes/sun/security/tools/policytool/Resources_sv.java b/src/share/classes/sun/security/tools/policytool/Resources_sv.java
index d413c4e52be07104c4a55fc4f656625aad8cace2..000507145ab697cd6c1e0dae94b680fef3df6fa0 100644
--- a/src/share/classes/sun/security/tools/policytool/Resources_sv.java
+++ b/src/share/classes/sun/security/tools/policytool/Resources_sv.java
@@ -35,7 +35,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
private static final Object[][] contents = {
{"NEWLINE", "\n"},
{"Warning.A.public.key.for.alias.signers.i.does.not.exist.Make.sure.a.KeyStore.is.properly.configured.",
- "Varning! Det finns ingen offentlig nyckel f\u00F6r aliaset {0}. Kontrollera att det aktuella nyckellagret \u00E4r korrekt konfigurerat."},
+ "Varning! Det finns ingen \u00F6ppen nyckel f\u00F6r aliaset {0}. Kontrollera att det aktuella nyckellagret \u00E4r korrekt konfigurerat."},
{"Warning.Class.not.found.class", "Varning! Klassen hittades inte: {0}"},
{"Warning.Invalid.argument.s.for.constructor.arg",
"Varning! Ogiltiga argument f\u00F6r konstruktor: {0}"},
@@ -59,8 +59,8 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"Warning.File.name.may.include.escaped.backslash.characters.It.is.not.necessary.to.escape.backslash.characters.the.tool.escapes",
"Varning! Filnamnet kan inneh\u00E5lla omv\u00E4nda snedstreck inom citattecken. Citattecken kr\u00E4vs inte f\u00F6r omv\u00E4nda snedstreck (verktyget hanterar detta n\u00E4r policyinneh\u00E5llet skrivs till det best\u00E4ndiga lagret).\n\nKlicka p\u00E5 Beh\u00E5ll f\u00F6r att beh\u00E5lla det angivna namnet, eller klicka p\u00E5 Redigera f\u00F6r att \u00E4ndra det."},
- {"Add.Public.Key.Alias", "L\u00E4gg till offentligt nyckelalias"},
- {"Remove.Public.Key.Alias", "Ta bort offentligt nyckelalias"},
+ {"Add.Public.Key.Alias", "L\u00E4gg till alias till \u00F6ppen nyckel"},
+ {"Remove.Public.Key.Alias", "Ta bort alias f\u00F6r \u00F6ppen nyckel"},
{"File", "&Arkiv"},
{"KeyStore", "&KeyStore"},
{"Policy.File.", "Policyfil:"},
@@ -136,7 +136,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"provider.name", "leverant\u00F6rsnamn"},
{"url", "url"},
{"method.list", "metodlista"},
- {"request.headers.list", "beg\u00E4ranrubriklista"},
+ {"request.headers.list", "lista \u00F6ver beg\u00E4randehuvuden"},
{"Principal.List", "Lista \u00F6ver identitetshavare"},
{"Permission.List", "Beh\u00F6righetslista"},
{"Code.Base", "Kodbas"},
diff --git a/src/share/classes/sun/security/util/AuthResources_sv.java b/src/share/classes/sun/security/util/AuthResources_sv.java
index 8e3e8eeacf855d37db19e638e6fe2e6453c51af4..8e7e2825a69561befd3e023a28279b1758dac8d7 100644
--- a/src/share/classes/sun/security/util/AuthResources_sv.java
+++ b/src/share/classes/sun/security/util/AuthResources_sv.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -137,7 +137,7 @@ public class AuthResources_sv extends java.util.ListResourceBundle {
// provided.null.name is the NullPointerException message when a
// developer incorrectly passes a null name to the constructor of
// subclasses of java.security.Principal
- {"provided.null.name", "angav null-namn"}
+ {"provided.null.name", "null-namn angavs"}
};
diff --git a/src/share/classes/sun/security/util/Resources_sv.java b/src/share/classes/sun/security/util/Resources_sv.java
index 35ec1ca3d453d794663c11d79917e627e236643d..bc8e223dcb0d1226e71496b7d86b5cbd5a9e6838 100644
--- a/src/share/classes/sun/security/util/Resources_sv.java
+++ b/src/share/classes/sun/security/util/Resources_sv.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -53,9 +53,9 @@ public class Resources_sv extends java.util.ListResourceBundle {
"CredOwner:\n\tIdentitetshavareklass = {0}\n\tIdentitetshavarenamn = {1}"},
// javax.security.auth.x500
- {"provided.null.name", "angav null-namn"},
- {"provided.null.keyword.map", "nullnyckelordsmappning tillhandah\u00F6lls"},
- {"provided.null.OID.map", "null-OID-mappning tillhandah\u00F6lls"},
+ {"provided.null.name", "null-namn angavs"},
+ {"provided.null.keyword.map", "nullnyckelordsmappning angavs"},
+ {"provided.null.OID.map", "null-OID-mappning angavs"},
// javax.security.auth.Subject
{"NEWLINE", "\n"},
@@ -73,7 +73,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
"\tPrivat inloggning \u00E4r inte tillg\u00E4nglig\n"},
{"Subject.is.read.only", "Innehavare \u00E4r skrivskyddad"},
{"attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set",
- "f\u00F6rs\u00F6k att l\u00E4gga till ett objekt som inte \u00E4r en f\u00F6rekomst av java.security.Principal till en upps\u00E4ttning av identitetshavare"},
+ "f\u00F6rs\u00F6k att l\u00E4gga till ett objekt som inte \u00E4r en instans av java.security.Principal till ett subjekts upps\u00E4ttning av identitetshavare"},
{"attempting.to.add.an.object.which.is.not.an.instance.of.class",
"f\u00F6rs\u00F6ker l\u00E4gga till ett objekt som inte \u00E4r en instans av {0}"},
@@ -84,11 +84,11 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"Invalid.null.input.name", "Ogiltiga null-indata: namn"},
{"No.LoginModules.configured.for.name",
"Inga inloggningsmoduler har konfigurerats f\u00F6r {0}"},
- {"invalid.null.Subject.provided", "ogiltig null-innehavare"},
+ {"invalid.null.Subject.provided", "ogiltig null-subjekt"},
{"invalid.null.CallbackHandler.provided",
"ogiltig null-CallbackHandler"},
{"null.subject.logout.called.before.login",
- "null-innehavare - utloggning anropades f\u00F6re inloggning"},
+ "null-subjekt - utloggning anropades f\u00F6re inloggning"},
{"unable.to.instantiate.LoginModule.module.because.it.does.not.provide.a.no.argument.constructor",
"kan inte instansiera LoginModule, {0}, eftersom den inte tillhandah\u00E5ller n\u00E5gon icke-argumentskonstruktor"},
{"unable.to.instantiate.LoginModule",
@@ -148,12 +148,12 @@ public class Resources_sv extends java.util.ListResourceBundle {
// sun.security.pkcs11.SunPKCS11
{"PKCS11.Token.providerName.Password.",
- "PKCS11-tecken [{0}] L\u00F6senord: "},
+ "L\u00F6senord f\u00F6r PKCS11-token [{0}]: "},
/* --- DEPRECATED --- */
// javax.security.auth.Policy
{"unable.to.instantiate.Subject.based.policy",
- "den innehavarbaserade policyn kan inte skapas"}
+ "kan inte instansiera subjektbaserad policy"}
};
diff --git a/src/share/native/sun/security/ec/ECC_JNI.cpp b/src/share/native/sun/security/ec/ECC_JNI.cpp
index 5c07645d0dca8477ed629e9f5c78db81e146b92d..b7fb6750e5d4ef9cbe737c2bb137c306d9300805 100644
--- a/src/share/native/sun/security/ec/ECC_JNI.cpp
+++ b/src/share/native/sun/security/ec/ECC_JNI.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,7 @@ cleanup:
*/
JNIEXPORT jbyteArray
JNICALL Java_sun_security_ec_ECDSASignature_signDigest
- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed)
+ (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
{
jbyte* pDigestBuffer = NULL;
jint jDigestLength = env->GetArrayLength(digest);
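Review bot: The new `jint timing` argument is not documented at the JNI boundary, although the ecp.h change in this same commit states that its high-order bits must be uniformly random for the countermeasure to work. A caller reading only this file cannot tell that the value is security-relevant rather than a plain flag. The header comment above the function starts outside the hunk; it could gain a line such as `* timing: 0 disables the scalar-length countermeasure; otherwise the high-order bits must be random`, and if that comment records the JNI descriptor it needs the extra `I`.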
@@ -250,7 +250,7 @@ JNICALL Java_sun_security_ec_ECDSASignature_signDigest
// Sign the digest (using the supplied seed)
if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
- (unsigned char *) pSeedBuffer, jSeedLength, 0) != SECSuccess) {
+ (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
ThrowException(env, KEY_EXCEPTION);
goto cleanup;
}
diff --git a/src/share/native/sun/security/ec/impl/ec.c b/src/share/native/sun/security/ec/impl/ec.c
index 2561237b980723390927f5c99e931d7bd2ad2531..4e94d27793e66cea42399bfd0f2948e76fe3893d 100644
--- a/src/share/native/sun/security/ec/impl/ec.c
+++ b/src/share/native/sun/security/ec/impl/ec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
* Dr Vipul Gupta and
* Douglas Stebila , Sun Microsystems Laboratories
*
- * Last Modified Date from the Original Code: November 2016
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "mplogic.h"
@@ -87,7 +87,7 @@ ec_point_at_infinity(SECItem *pointP)
*/
SECStatus
ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
- const SECItem *pointP, SECItem *pointQ, int kmflag)
+ const SECItem *pointP, SECItem *pointQ, int kmflag, int timing)
{
mp_int Px, Py, Qx, Qy;
mp_int Gx, Gy, order, irreducible, a, b;
@@ -199,9 +199,9 @@ ec_points_mul(const ECParams *params, const mp_int *k1, const mp_int *k2,
goto cleanup;
if ((k2 != NULL) && (pointP != NULL)) {
- CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy) );
+ CHECK_MPI_OK( ECPoints_mul(group, k1, k2, &Px, &Py, &Qx, &Qy, timing) );
} else {
- CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy) );
+ CHECK_MPI_OK( ECPoints_mul(group, k1, NULL, NULL, NULL, &Qx, &Qy, timing) );
}
/* Construct the SECItem representation of point Q */
@@ -332,7 +332,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data,
(mp_size) len) );
- rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag);
+ /* key generation does not support timing mitigation */
+ rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue), kmflag, /*timing*/ 0);
if (rv != SECSuccess) goto cleanup;
*privKey = key;
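Review bot: The `/*timing*/ 0` call sites in ec_NewKey, ECDH_Derive and ECDSA_VerifyDigest say the mitigation is "not supported" without saying whether it is unnecessary or simply not implemented. The scalars differ in sensitivity: here and in ECDH_Derive the scalar is a private key, while in ECDSA_VerifyDigest u1 and u2 are public values. A comment giving the reason would let a later reader tell an accepted risk from an oversight, for example here `/* k is secret but is multiplied once per generated key; mitigation intentionally off */`, if that is the rationale, and in ECDSA_VerifyDigest `/* u1 and u2 are public, no mitigation needed */`.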
@@ -609,7 +610,8 @@ ECDH_Derive(SECItem *publicValue,
}
/* Multiply our private key and peer's public point */
- if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag) != SECSuccess) ||
+ /* ECDH doesn't support timing mitigation */
+ if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ, kmflag, /*timing*/ 0) != SECSuccess) ||
ec_point_at_infinity(&pointQ))
goto cleanup;
@@ -644,7 +646,8 @@ cleanup:
*/
SECStatus
ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
- const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag)
+ const SECItem *digest, const unsigned char *kb, const int kblen, int kmflag,
+ int timing)
{
SECStatus rv = SECFailure;
mp_int x1;
@@ -713,16 +716,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
goto cleanup;
}
- /*
- * Using an equivalent exponent of fixed length (same as n or 1 bit less
- * than n) to keep the kG timing relatively constant.
- *
- * Note that this is an extra step on top of the approach defined in
- * ANSI X9.62 so as to make a fixed length K.
- */
- CHECK_MPI_OK( mp_add(&k, &n, &k) );
- CHECK_MPI_OK( mp_div_2(&k, &k) );
-
/*
** ANSI X9.62, Section 5.3.2, Step 2
**
@@ -731,7 +724,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
kGpoint.len = 2*flen + 1;
kGpoint.data = PORT_Alloc(2*flen + 1, kmflag);
if ((kGpoint.data == NULL) ||
- (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag)
+ (ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint, kmflag, timing)
!= SECSuccess))
goto cleanup;
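Review bot: The kG multiplication here now relies entirely on `timing` to hide the size of the nonce, because the preceding hunk deletes the fixed-length-k step (`mp_add(&k, &n, &k)` / `mp_div_2(&k, &k)`). Nothing in ECDSA_SignDigestWithSeed rejects or documents `timing == 0`, which the other call sites in this file use to switch the mitigation off. At minimum the function comment (outside this hunk) should state the requirement, e.g. `/* timing must be nonzero with uniformly random high-order bits, otherwise the kG time varies with the length of k */`. It would also be worth confirming that every `point_mul` implementation reachable from here honours the argument.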
@@ -853,7 +846,7 @@ cleanup:
*/
SECStatus
ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest,
- const unsigned char* random, int randomLen, int kmflag)
+ const unsigned char* random, int randomLen, int kmflag, int timing)
{
SECStatus rv = SECFailure;
int len;
@@ -871,7 +864,7 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest,
if (kBytes == NULL) goto cleanup;
/* Generate ECDSA signature with the specified k value */
- rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag);
+ rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len, kmflag, timing);
cleanup:
if (kBytes) {
@@ -1017,7 +1010,8 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
** Here, A = u1.G B = u2.Q and C = A + B
** If the result, C, is the point at infinity, reject the signature
*/
- if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag)
+ /* verification does not support timing mitigation */
+ if (ec_points_mul(ecParams, &u1, &u2, &key->publicValue, &pointC, kmflag, /*timing*/ 0)
!= SECSuccess) {
rv = SECFailure;
goto cleanup;
diff --git a/src/share/native/sun/security/ec/impl/ec2.h b/src/share/native/sun/security/ec/impl/ec2.h
index aa5f2bba441d6fb5c7367bc06f2500bf1997fef5..72df04ef4132118a1d55e8f388be615bfe9bace1 100644
--- a/src/share/native/sun/security/ec/impl/ec2.h
+++ b/src/share/native/sun/security/ec/impl/ec2.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _EC2_H
@@ -79,7 +80,7 @@ mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px,
* determines the field GF2m. Uses Montgomery projective coordinates. */
mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
#ifdef ECL_ENABLE_GF2M_PROJ
/* Converts a point P(px, py) from affine coordinates to projective
diff --git a/src/share/native/sun/security/ec/impl/ec2_aff.c b/src/share/native/sun/security/ec/impl/ec2_aff.c
index 5a546c0544e4eb54d366450b023f383ff8175546..8d0f5460f6ad218e4795489d8695dbd22fb2f3f5 100644
--- a/src/share/native/sun/security/ec/impl/ec2_aff.c
+++ b/src/share/native/sun/security/ec/impl/ec2_aff.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ec2.h"
@@ -329,7 +330,8 @@ ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
/* 4: Verify that the order of the curve times the publicValue
* is the point at infinity.
*/
- MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+ /* timing mitigation is not supported */
+ MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
res = MP_NO;
goto CLEANUP;
diff --git a/src/share/native/sun/security/ec/impl/ec2_mont.c b/src/share/native/sun/security/ec/impl/ec2_mont.c
index b91e65ea083b96dd4c86e1e0a6002e3049c2af3e..bb605536f0f5aafe496783e3b7d311ec3e97ad76 100644
--- a/src/share/native/sun/security/ec/impl/ec2_mont.c
+++ b/src/share/native/sun/security/ec/impl/ec2_mont.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -35,6 +35,7 @@
* Stephen Fung , and
* Douglas Stebila , Sun Microsystems Laboratories.
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ec2.h"
@@ -181,10 +182,12 @@ gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1,
/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R. "Fast
* multiplication on elliptic curves over GF(2^m) without
* precomputation". Elliptic curve points P and R can be identical. Uses
- * Montgomery projective coordinates. */
+ * Montgomery projective coordinates. The timing parameter is ignored
+ * because this algorithm resists timing attacks by default. */
mp_err
ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group)
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int x1, x2, z1, z2;
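Review bot: The added comment states that `timing` is ignored because the algorithm "resists timing attacks by default", but nothing in this hunk backs that claim and the body is outside the hunk. If the ladder starts at the most significant set bit of n, the iteration count still follows the bit length of the scalar, and the fixed-length-k step that used to cover this is removed from ECDSA_SignDigestWithSeed in this same commit. Either narrow the wording to what the ladder guarantees, e.g. `/* timing is ignored: each ladder step performs the same operations; the step count still depends on the bit length of n */`, or confirm the loop bound is independent of n. An explicit `(void) timing;` would also make the unused parameter deliberate.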
diff --git a/src/share/native/sun/security/ec/impl/ecc_impl.h b/src/share/native/sun/security/ec/impl/ecc_impl.h
index 0739f4c8884fd0adac111d6a6a20deaf18543ed0..48aa13a4b004168b7d926ab8d1ec7a3a344cf1ef 100644
--- a/src/share/native/sun/security/ec/impl/ecc_impl.h
+++ b/src/share/native/sun/security/ec/impl/ecc_impl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
* Dr Vipul Gupta and
* Douglas Stebila , Sun Microsystems Laboratories
*
- * Last Modified Date from the Original Code: November 2013
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECC_IMPL_H
@@ -258,7 +258,7 @@ extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
const unsigned char* random, int randomlen, int);
/* This function has been modified to accept an array of random bytes */
extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
- const unsigned char* random, int randomlen, int);
+ const unsigned char* random, int randomlen, int, int timing);
extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
const SECItem *, int);
extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
diff --git a/src/share/native/sun/security/ec/impl/ecl-priv.h b/src/share/native/sun/security/ec/impl/ecl-priv.h
index fa232ddfeccb4a722cf02d52be0a7ba999410c83..bdfe61547b2758c817be8b19ce2fe0b7732b0c10 100644
--- a/src/share/native/sun/security/ec/impl/ecl-priv.h
+++ b/src/share/native/sun/security/ec/impl/ecl-priv.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -34,6 +34,7 @@
* Stephen Fung and
* Douglas Stebila , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECL_PRIV_H
@@ -193,12 +194,13 @@ struct ECGroupStr {
mp_int *ry, const ECGroup *group);
mp_err (*point_mul) (const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
mp_err (*base_point_mul) (const mp_int *n, mp_int *rx, mp_int *ry,
const ECGroup *group);
mp_err (*points_mul) (const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
mp_err (*validate_point) (const mp_int *px, const mp_int *py, const ECGroup *group);
/* Extra storage for implementation-specific data. Any memory
* allocated to these extra fields will be cleared by extra_free. */
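Review bot: `base_point_mul` keeps its old signature while `point_mul` and `points_mul` gain `int timing`, so any group that installs a `base_point_mul` hook gets no countermeasure on the k*G path. ECDSA signing multiplies the nonce by the generator, so this is the path that matters most. Whether any group sets this hook is not visible here. If none does, a comment on the member such as `/* not timing-mitigated; must stay NULL for groups used for signing */` would record the constraint, and otherwise the hook needs the same parameter.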
@@ -262,10 +264,12 @@ void ec_GFp_extra_free_mont(GFMethod *meth);
/* point multiplication */
mp_err ec_pts_mul_basic(const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
mp_err ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2,
const mp_int *px, const mp_int *py, mp_int *rx,
- mp_int *ry, const ECGroup *group);
+ mp_int *ry, const ECGroup *group,
+ int timing);
/* Computes the windowed non-adjacent-form (NAF) of a scalar. Out should
* be an array of signed char's to output to, bitsize should be the number
diff --git a/src/share/native/sun/security/ec/impl/ecl.h b/src/share/native/sun/security/ec/impl/ecl.h
index 3a83a9e1f3b84d49725706542ae6f9f8020f1a3f..deff0aa1191d0f4e00f02967142b6604b66a202d 100644
--- a/src/share/native/sun/security/ec/impl/ecl.h
+++ b/src/share/native/sun/security/ec/impl/ecl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECL_H
@@ -70,7 +71,8 @@ void EC_FreeCurveParams(ECCurveParams * params);
* of the group of points on the elliptic curve. Input and output values
* are assumed to be NOT field-encoded. */
mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
- const mp_int *py, mp_int *qx, mp_int *qy);
+ const mp_int *py, mp_int *qx, mp_int *qy,
+ int timing);
/* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k1 * G +
* k2 * P(x, y), where G is the generator (base point) of the group of
@@ -78,7 +80,7 @@ mp_err ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
* be NOT field-encoded. */
mp_err ECPoints_mul(const ECGroup *group, const mp_int *k1,
const mp_int *k2, const mp_int *px, const mp_int *py,
- mp_int *qx, mp_int *qy);
+ mp_int *qx, mp_int *qy, int timing);
/* Validates an EC public key as described in Section 5.2.2 of X9.62.
* Returns MP_YES if the public key is valid, MP_NO if the public key
diff --git a/src/share/native/sun/security/ec/impl/ecl_mult.c b/src/share/native/sun/security/ec/impl/ecl_mult.c
index 176be78e07977bedef6f5fe1cda9ca1e2ca02d33..273eac9d184d6082dc1568ec7106cbcc033d1de0 100644
--- a/src/share/native/sun/security/ec/impl/ecl_mult.c
+++ b/src/share/native/sun/security/ec/impl/ecl_mult.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -49,7 +49,8 @@
* are assumed to be NOT field-encoded. */
mp_err
ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
- const mp_int *py, mp_int *rx, mp_int *ry)
+ const mp_int *py, mp_int *rx, mp_int *ry,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int kt;
@@ -74,15 +75,15 @@ ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
} else {
MP_CHECKOK(group->
point_mul(&kt, &group->genx, &group->geny, rx, ry,
- group));
+ group, timing));
}
} else {
if (group->meth->field_enc) {
MP_CHECKOK(group->meth->field_enc(px, rx, group->meth));
MP_CHECKOK(group->meth->field_enc(py, ry, group->meth));
- MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group));
+ MP_CHECKOK(group->point_mul(&kt, rx, ry, rx, ry, group, timing));
} else {
- MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group));
+ MP_CHECKOK(group->point_mul(&kt, px, py, rx, ry, group, timing));
}
}
if (group->meth->field_dec) {
@@ -104,7 +105,7 @@ ECPoint_mul(const ECGroup *group, const mp_int *k, const mp_int *px,
mp_err
ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int sx, sy;
@@ -116,9 +117,9 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
MP_DIGITS(&sx) = 0;
@@ -126,8 +127,8 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
MP_CHECKOK(mp_init(&sx, FLAG(k1)));
MP_CHECKOK(mp_init(&sy, FLAG(k1)));
- MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy));
- MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry));
+ MP_CHECKOK(ECPoint_mul(group, k1, NULL, NULL, &sx, &sy, timing));
+ MP_CHECKOK(ECPoint_mul(group, k2, px, py, rx, ry, timing));
if (group->meth->field_enc) {
MP_CHECKOK(group->meth->field_enc(&sx, &sx, group->meth));
@@ -159,7 +160,7 @@ ec_pts_mul_basic(const mp_int *k1, const mp_int *k2, const mp_int *px,
mp_err
ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int precomp[4][4][2];
@@ -174,9 +175,9 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
/* initialize precomputation table */
@@ -308,7 +309,8 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
* Input and output values are assumed to be NOT field-encoded. */
mp_err
ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
- const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry)
+ const mp_int *px, const mp_int *py, mp_int *rx, mp_int *ry,
+ int timing)
{
mp_err res = MP_OKAY;
mp_int k1t, k2t;
@@ -345,9 +347,9 @@ ECPoints_mul(const ECGroup *group, const mp_int *k1, const mp_int *k2,
/* if points_mul is defined, then use it */
if (group->points_mul) {
- res = group->points_mul(k1p, k2p, px, py, rx, ry, group);
+ res = group->points_mul(k1p, k2p, px, py, rx, ry, group, timing);
} else {
- res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group);
+ res = ec_pts_mul_simul_w2(k1p, k2p, px, py, rx, ry, group, timing);
}
CLEANUP:
diff --git a/src/share/native/sun/security/ec/impl/ecp.h b/src/share/native/sun/security/ec/impl/ecp.h
index c2aad8e83c5733b279cd0ff41143fdc707f9b3b9..b367b909e80b0665963c15dfed2122b323f6154a 100644
--- a/src/share/native/sun/security/ec/impl/ecp.h
+++ b/src/share/native/sun/security/ec/impl/ecp.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Douglas Stebila , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#ifndef _ECP_H
@@ -122,7 +123,7 @@ mp_err ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px,
mp_err
ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group);
+ const ECGroup *group, int timing);
/* Computes R = nP where R is (rx, ry) and P is the base point. Elliptic
* curve points P and R can be identical. Uses mixed Modified-Jacobian
@@ -131,9 +132,13 @@ mp_err
* returns output that is still field-encoded. Uses 5-bit window NAF
* method (algorithm 11) for scalar-point multiplication from Brown,
* Hankerson, Lopez, Menezes. Software Implementation of the NIST Elliptic
- * Curves Over Prime Fields. */
+ * Curves Over Prime Fields. The implementation includes a countermeasure
+ * that attempts to hide the size of n from timing channels. This counter-
+ * measure is enabled using the timing argument. The high-rder bits of timing
+ * must be uniformly random in order for this countermeasure to work. */
mp_err
ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group);
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing);
#endif /* _ECP_H */
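Review bot: The new paragraph in the ec_GFp_pt_mul_jm_wNAF comment has a typo ("high-rder") and leaves the contract of `timing` underspecified. It does not say which value disables the countermeasure (the call sites in ec.c pass 0 for that) or how many high-order bits must be random. Since callers carry the whole burden of supplying good randomness, I would spell it out, e.g. `The countermeasure is off when timing is 0. Otherwise the high-order bits of timing must be uniformly random and fresh for every call.`, with the exact bit count taken from the implementation. Given that the value is used as a bag of bits, an unsigned type would also avoid questions about sign extension.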
diff --git a/src/share/native/sun/security/ec/impl/ecp_aff.c b/src/share/native/sun/security/ec/impl/ecp_aff.c
index f150ca16f145403bc6654da16943a06739800b3d..c9d923271719184b11f44ee939aa4b5ec897d4c9 100644
--- a/src/share/native/sun/security/ec/impl/ecp_aff.c
+++ b/src/share/native/sun/security/ec/impl/ecp_aff.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
* Nils Larsch , and
* Lenka Fibikova , the OpenSSL Project
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -340,7 +341,8 @@ ec_GFp_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
/* 4: Verify that the order of the curve times the publicValue
* is the point at infinity.
*/
- MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt) );
+ /* timing mitigation is not supported */
+ MP_CHECKOK( ECPoint_mul(group, &group->order, px, py, &pxt, &pyt, /*timing*/ 0) );
if (ec_GFp_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
res = MP_NO;
goto CLEANUP;
diff --git a/src/share/native/sun/security/ec/impl/ecp_jac.c b/src/share/native/sun/security/ec/impl/ecp_jac.c
index 12410bea625639f3b40a9bb7ac799237ba2b667f..9e1bdf20f67db9e2bbfdc43132e8911ee3401416 100644
--- a/src/share/native/sun/security/ec/impl/ecp_jac.c
+++ b/src/share/native/sun/security/ec/impl/ecp_jac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -38,6 +38,7 @@
* Nils Larsch , and
* Lenka Fibikova , the OpenSSL Project
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -180,6 +181,15 @@ ec_GFp_pt_add_jac_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth));
MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth));
+ /*
+ * Additional checks for point equality and point at infinity
+ */
+ if (mp_cmp(px, &A) == 0 && mp_cmp(py, &B) == 0) {
+ /* POINT_DOUBLE(P) */
+ MP_CHECKOK(ec_GFp_pt_dbl_jac(px, py, pz, rx, ry, rz, group));
+ goto CLEANUP;
+ }
+
/* C = A - px, D = B - py */
MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth));
MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth));
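Review bot: The added comment announces checks "for point equality and point at infinity", but the code under it tests only equality (`mp_cmp(px, &A) == 0 && mp_cmp(py, &B) == 0`). The case where x matches and y does not (P = -Q, whose sum is the point at infinity) falls through to the subtraction formulas below. If those formulas already produce infinity for that input, reword the comment to match, e.g. `/* P == Q: the addition formulas degenerate, so double instead */`; if they do not, the missing branch should be added. The same comment and test are added to ec_GFp_pt_add_jm_aff in ecp_jm.c, and in both files the function starts and ends outside the hunk.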
@@ -406,7 +416,7 @@ ec_GFp_pt_mul_jac(const mp_int *n, const mp_int *px, const mp_int *py,
mp_err
ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
- const ECGroup *group)
+ const ECGroup *group, int timing)
{
mp_err res = MP_OKAY;
mp_int precomp[4][4][2];
@@ -430,9 +440,9 @@ ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
/* if some arguments are not defined used ECPoint_mul */
if (k1 == NULL) {
- return ECPoint_mul(group, k2, px, py, rx, ry);
+ return ECPoint_mul(group, k2, px, py, rx, ry, timing);
} else if ((k2 == NULL) || (px == NULL) || (py == NULL)) {
- return ECPoint_mul(group, k1, NULL, NULL, rx, ry);
+ return ECPoint_mul(group, k1, NULL, NULL, rx, ry, timing);
}
/* initialize precomputation table */
diff --git a/src/share/native/sun/security/ec/impl/ecp_jm.c b/src/share/native/sun/security/ec/impl/ecp_jm.c
index cdee87a59d9235ef360797288dd7e582f538de90..c5cdef9bf4ada2dbce4acfc6de61e05c4e82abd9 100644
--- a/src/share/native/sun/security/ec/impl/ecp_jm.c
+++ b/src/share/native/sun/security/ec/impl/ecp_jm.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
@@ -33,6 +33,7 @@
* Contributor(s):
* Stephen Fung , Sun Microsystems Laboratories
*
+ * Last Modified Date from the Original Code: May 2017
*********************************************************************** */
#include "ecp.h"
@@ -165,6 +166,16 @@ ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz,
MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth));
MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth));
+ /*
+ * Additional checks for point equality and point at infinity
+ */
+ if (mp_cmp(px, A) == 0 && mp_cmp(py, B) == 0) {
+ /* POINT_DOUBLE(P) */
+ MP_CHECKOK(ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4,
+ scratch, group));
+ goto CLEANUP;
+ }
+
/* C = A - px, D = B - py */
MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth));
MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth));
@@ -213,19 +224,23 @@ CLEANUP:
* Curves Over Prime Fields. */
mp_err
ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
- mp_int *rx, mp_int *ry, const ECGroup *group)
+ mp_int *rx, mp_int *ry, const ECGroup *group,
+ int timing)
{
mp_err res = MP_OKAY;
- mp_int precomp[16][2], rz, tpx, tpy;
- mp_int raz4;
+ mp_int precomp[16][2], rz, tpx, tpy, tpz;
+ mp_int raz4, tpaz4;
mp_int scratch[MAX_SCRATCH];
signed char *naf = NULL;
int i, orderBitSize;
+ int numDoubles, numAdds, extraDoubles, extraAdds;
MP_DIGITS(&rz) = 0;
MP_DIGITS(&raz4) = 0;
MP_DIGITS(&tpx) = 0;
MP_DIGITS(&tpy) = 0;
+ MP_DIGITS(&tpz) = 0;
+ MP_DIGITS(&tpaz4) = 0;
for (i = 0; i < 16; i++) {
MP_DIGITS(&precomp[i][0]) = 0;
MP_DIGITS(&precomp[i][1]) = 0;
@@ -239,7 +254,9 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
/* initialize precomputation table */
MP_CHECKOK(mp_init(&tpx, FLAG(n)));
- MP_CHECKOK(mp_init(&tpy, FLAG(n)));;
+ MP_CHECKOK(mp_init(&tpy, FLAG(n)));
+ MP_CHECKOK(mp_init(&tpz, FLAG(n)));
+ MP_CHECKOK(mp_init(&tpaz4, FLAG(n)));
MP_CHECKOK(mp_init(&rz, FLAG(n)));
MP_CHECKOK(mp_init(&raz4, FLAG(n)));
@@ -295,19 +312,64 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
/* Compute 5NAF */
ec_compute_wNAF(naf, orderBitSize, n, 5);
+ numAdds = 0;
+ numDoubles = orderBitSize;
/* wNAF method */
for (i = orderBitSize; i >= 0; i--) {
+
+ if (ec_GFp_pt_is_inf_jac(rx, ry, &rz) == MP_YES) {
+ numDoubles--;
+ }
+
/* R = 2R */
ec_GFp_pt_dbl_jm(rx, ry, &rz, &raz4, rx, ry, &rz,
&raz4, scratch, group);
+
if (naf[i] != 0) {
ec_GFp_pt_add_jm_aff(rx, ry, &rz, &raz4,
&precomp[(naf[i] + 15) / 2][0],
&precomp[(naf[i] + 15) / 2][1], rx, ry,
&rz, &raz4, scratch, group);
+ numAdds++;
}
}
+ /* extra operations to make timing less dependent on secrets */
+ if (timing) {
+ /* low-order bit of timing argument contains no entropy */
+ timing >>= 1;
+
+ MP_CHECKOK(ec_GFp_pt_set_inf_jac(&tpx, &tpy, &tpz));
+ mp_zero(&tpaz4);
+
+ /* Set the temp value to a non-infinite point */
+ ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+ &precomp[8][0],
+ &precomp[8][1], &tpx, &tpy,
+ &tpz, &tpaz4, scratch, group);
+
+ /* two bits of extra adds */
+ extraAdds = timing & 0x3;
+ timing >>= 2;
+ /* Window size is 5, so the maximum number of additions is ceil(orderBitSize/5) */
+ /* This is the same as (orderBitSize + 4) / 5 */
+ for(i = numAdds; i <= (orderBitSize + 4) / 5 + extraAdds; i++) {
+ ec_GFp_pt_add_jm_aff(&tpx, &tpy, &tpz, &tpaz4,
+ &precomp[9 + (i % 3)][0],
+ &precomp[9 + (i % 3)][1], &tpx, &tpy,
+ &tpz, &tpaz4, scratch, group);
+ }
+
+ /* two bits of extra doubles */
+ extraDoubles = timing & 0x3;
+ timing >>= 2;
+ for(i = numDoubles; i <= orderBitSize + extraDoubles; i++) {
+ ec_GFp_pt_dbl_jm(&tpx, &tpy, &tpz, &tpaz4, &tpx, &tpy, &tpz,
+ &tpaz4, scratch, group);
+ }
+
+ }
+
/* convert result S to affine coordinates */
MP_CHECKOK(ec_GFp_pt_jac2aff(rx, ry, &rz, rx, ry, group));
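Review bot: The padding under `if (timing)` evens out only the total number of additions and doublings; the main loop still branches on `naf[i] != 0` and on `ec_GFp_pt_is_inf_jac(...)`, so the order of operations stays dependent on the scalar. The comment should state that limit, e.g. `/* pads the total add/double count only; the sequence of operations in the loop above is unchanged */`. The return codes of the dummy `ec_GFp_pt_add_jm_aff` and `ec_GFp_pt_dbl_jm` calls are dropped while `ec_GFp_pt_set_inf_jac` is wrapped in MP_CHECKOK, so a failed dummy operation would shorten the padding without any signal. The last `timing >>= 2;` after `extraDoubles` is a dead store. ec_GFp_pt_mul_jm_wNAF starts and ends outside this hunk.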
@@ -321,6 +383,8 @@ ec_GFp_pt_mul_jm_wNAF(const mp_int *n, const mp_int *px, const mp_int *py,
}
mp_clear(&tpx);
mp_clear(&tpy);
+ mp_clear(&tpz);
+ mp_clear(&tpaz4);
mp_clear(&rz);
mp_clear(&raz4);
#ifdef _KERNEL
diff --git a/src/windows/native/sun/windows/ShellFolder2.cpp b/src/windows/native/sun/windows/ShellFolder2.cpp
index 4f563039750eec0650212a41cc12973c383e8fcf..71479456be06028b71a112723a1b2a7bcb1f16ea 100644
--- a/src/windows/native/sun/windows/ShellFolder2.cpp
+++ b/src/windows/native/sun/windows/ShellFolder2.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -192,14 +192,19 @@ static BOOL initShellProcs()
static jstring jstringFromSTRRET(JNIEnv* env, LPITEMIDLIST pidl, STRRET* pStrret) {
switch (pStrret->uType) {
case STRRET_CSTR :
- return JNU_NewStringPlatform(env, reinterpret_cast(pStrret->cStr));
+ if (pStrret->cStr != NULL) {
+ return JNU_NewStringPlatform(env, reinterpret_cast(pStrret->cStr));
+ }
+ break;
case STRRET_OFFSET :
// Note : this may need to be WCHAR instead
return JNU_NewStringPlatform(env,
(CHAR*)pidl + pStrret->uOffset);
case STRRET_WSTR :
- return env->NewString(reinterpret_cast(pStrret->pOleStr),
- static_cast(wcslen(pStrret->pOleStr)));
+ if (pStrret->pOleStr != NULL) {
+ return env->NewString(reinterpret_cast(pStrret->pOleStr),
+ static_cast(wcslen(pStrret->pOleStr)));
+ }
}
return NULL;
}
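Review bot: The `pStrret->cStr != NULL` test added to the STRRET_CSTR case looks like a no-op: in the Windows SDK's STRRET, cStr is an inline char array, so the expression is never NULL, and only the `pOleStr != NULL` check in the STRRET_WSTR case guards anything. The STRRET_OFFSET case is left unchanged and still computes `(CHAR*)pidl + pStrret->uOffset` without checking `pidl`. Wrapping that return in `if (pidl != NULL) { ... } break;` would make it fall through to `return NULL` like the other two cases.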
diff --git a/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java b/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..594148805be1f2a74985294df1c7817f40e33118
--- /dev/null
+++ b/test/java/rmi/activation/nonLocalActivation/NonLocalActivationTest.java
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.activation.ActivationSystem;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/*
+ * @test
+ * @bug 8174770
+ * @summary Verify that ActivationSystem rejects non-local access.
+ * The test is manual because the (non-local) host running rmid must be supplied as a property.
+ * @run main/manual/othervm -Dactivation.host=rmid-host NonLocalActivationTest
+ */
+
+/**
+ * Lookup the ActivationSystem on a different host and invoke its remote interface methods.
+ * They should all throw an exception, non-local access is prohibited.
+ *
+ * This test is a manual test and uses rmid running on a *different* host.
+ * The default port (1098) for the Activation System is ok and expected.
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmid}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmid-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalActivationTest
+{
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("activation.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Dactivation.host=");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set myAddrs = new HashSet<>();
+ InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+ for (InetAddress a : myAddrsArr) {
+ myAddrs.add(a);
+ }
+ Set hostAddrs = new HashSet<>();
+ InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+ for (InetAddress a : hostAddrsArr) {
+ hostAddrs.add(a);
+ }
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'activation.host' must not be the local host%n");
+ }
+
+ // Locate the registry operated by the ActivationSystem
+ // Test SystemRegistryImpl
+ Registry registry = LocateRegistry.getRegistry(host, ActivationSystem.SYSTEM_PORT);
+ try {
+ // Verify it is an ActivationSystem registry
+ registry.lookup("java.rmi.activation.ActivationSystem");
+ } catch (Exception nf) {
+ throw new RuntimeException("Not a ActivationSystem registry, does not contain java.rmi.activation.ActivationSystem", nf);
+ }
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.bind");
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.rebind");
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e, "Registry.unbind");
+ }
+
+
+ // Locate the ActivationSystem on the specified host and default port.
+ // Test each of the ActivationSystem methods
+ ActivationSystem as = (ActivationSystem) registry.lookup("java.rmi.activation.ActivationSystem");
+
+ // Argument is not material, access check is before arg processing
+
+ try {
+ as.registerGroup(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.getActivationDesc(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.getActivationGroupDesc(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.registerObject(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.unregisterGroup(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.unregisterObject(null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.setActivationDesc(null, null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+
+ try {
+ as.setActivationGroupDesc(null, null);
+ } catch (Exception aex) {
+ assertIsAccessException(aex, "ActivationSystem.nonLocalAccess");
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Exception ex, String msg1) {
+ Throwable t = ex;
+ System.out.println();
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf(msg1);
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur", ex);
+ }
+ }
+}
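Review bot: The eight ActivationSystem calls (`as.registerGroup(null)` through `as.setActivationGroupDesc(null, null)`) pass silently when the remote call returns without throwing, because their try blocks lack the `throw new RuntimeException("Remote access should not succeed ...")` that the three Registry calls above them have. A missing access check on the server would therefore not fail the test. Add the same line after each call, e.g. `throw new RuntimeException("Remote access should not succeed for method: registerGroup");`. The Javadoc of `assertIsAccessException` also omits `@param msg1`, the text expected in the exception message.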
diff --git a/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java b/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..771a34a7dce7cfb5213f57e6621e325727bd16b4
--- /dev/null
+++ b/test/java/rmi/registry/nonLocalRegistry/NonLocalRegistryTest.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that Registry rejects non-local access for bind, unbind, rebind.
+ * The test is manual because the (non-local) host running rmiregistry must be supplied as a property.
+ * @run main/othervm/manual -Dregistry.host=rmi-registry-host NonLocalRegistryTest
+ */
+
+/**
+ * Verify that access checks for Registry.bind(), .rebind(), and .unbind()
+ * are prevented on remote access to the registry.
+ *
+ * This test is a manual test and uses a standard rmiregistry running
+ * on a *different* host.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ *
+ * Login or ssh to the different host and invoke {@code $JDK_HOME/bin/rmiregistry}.
+ * It will not show any output.
+ *
+ * On the first host modify the @run command above to replace "rmi-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalRegistryTest {
+
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("registry.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Dregistry.host=");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set myAddrs = new HashSet<>();
+ InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+ for (InetAddress a : myAddrsArr) {
+ myAddrs.add(a);
+ }
+ Set hostAddrs = new HashSet<>();
+ InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+ for (InetAddress a : hostAddrsArr) {
+ hostAddrs.add(a);
+ }
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'registry.host' must not be the local host%n");
+ }
+
+ Registry registry = LocateRegistry.getRegistry(host, Registry.REGISTRY_PORT);
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Throwable ex) {
+ Throwable t = ex;
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf("Registry");
+ int rrIndex = msg.indexOf("Registry.Registry"); // Obsolete error text
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ rrIndex != -1 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur when expected", ex);
+ }
+ }
+}
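Review bot: The message thrown by the local-host check ends in a literal `%n`: the string is passed to `new RuntimeException(...)`, not to a formatter, so the two characters are printed verbatim. Drop them: `throw new RuntimeException("Error: property 'registry.host' must not be the local host");`. The same literal appears in the corresponding check in NonLocalActivationTest.java and NonLocalJMXRemoteTest.java. In `assertIsAccessException`, `t.getMessage()` may be null, in which case `msg.indexOf(...)` throws a NullPointerException instead of reporting the malformed message; a guard such as `if (msg == null || ...)` keeps the diagnostic.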
diff --git a/test/java/rmi/registry/serialFilter/RegistryFilterTest.java b/test/java/rmi/registry/serialFilter/RegistryFilterTest.java
index e29e24aea8ad0febbea0b05bbb4ef59c6d2c1bdc..2d5562fed61e7433ae31ebb81e67b27a4f84451c 100644
--- a/test/java/rmi/registry/serialFilter/RegistryFilterTest.java
+++ b/test/java/rmi/registry/serialFilter/RegistryFilterTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -21,24 +21,18 @@
* questions.
*/
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.io.ObjectOutputStream;
import java.io.Serializable;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
+import java.rmi.AlreadyBoundException;
import java.rmi.MarshalledObject;
import java.rmi.NotBoundException;
import java.rmi.Remote;
import java.rmi.RemoteException;
-import java.rmi.AlreadyBoundException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
-import java.util.Objects;
import java.security.Security;
+import java.util.Objects;
import org.testng.Assert;
import org.testng.TestNG;
@@ -57,7 +51,8 @@ import org.testng.annotations.Test;
* @summary Test filters for the RMI Registry
* @run testng/othervm RegistryFilterTest
* @run testng/othervm
- * -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass
+ * -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass;maxdepth=19
+ * -Dtest.maxdepth=19
* RegistryFilterTest
* @run testng/othervm/policy=security.policy
* -Djava.security.properties=${test.src}/java.security-extra1
@@ -68,6 +63,8 @@ public class RegistryFilterTest {
private static int port;
private static Registry registry;
+ static final int REGISTRY_MAX_DEPTH = 20;
+
static final int REGISTRY_MAX_ARRAY = 10000;
static final String registryFilter =
@@ -125,7 +122,7 @@ public class RegistryFilterTest {
/*
- * Test registry rejects an object with the max array size + 1.
+ * Test registry rejects an object with the max array size + 1.
*/
@Test(dataProvider="bindData")
public void simpleBind(String name, Remote obj, boolean blacklisted) throws RemoteException, AlreadyBoundException, NotBoundException {
@@ -139,9 +136,9 @@ public class RegistryFilterTest {
}
/*
- * Test registry rejects an object with a well known class
- * if blacklisted in the security properties.
- */
+ * Test registry rejects an object with a well known class
+ * if blacklisted in the security properties.
+ */
@Test
public void simpleRejectableClass() throws RemoteException, AlreadyBoundException, NotBoundException {
RejectableClass r1 = null;
@@ -150,9 +147,46 @@ public class RegistryFilterTest {
r1 = new RejectableClass();
registry.bind(name, r1);
registry.unbind(name);
- Assert.assertNull(registryFilter, "Registry filter should not have rejected");
+ Assert.assertNull(registryFilter, "Registry filter should have rejected");
} catch (Exception rex) {
- Assert.assertNotNull(registryFilter, "Registry filter should have rejected");
+ Assert.assertNotNull(registryFilter, "Registry filter should not have rejected");
+ }
+ }
+
+ /*
+ * Test registry does not reject an object with depth at the built-in limit.
+ */
+ @Test
+ public void simpleDepthBuiltinNonRejectable() throws RemoteException, AlreadyBoundException, NotBoundException {
+ int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH);
+ depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH);
+ System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter);
+ try {
+ String name = "reject2";
+ DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride);
+ registry.bind(name, r1);
+ registry.unbind(name);
+ } catch (Exception rex) {
+ Assert.fail("Registry filter should not have rejected depth: "
+ + depthOverride);
+ }
+ }
+
+ /*
+ * Test registry rejects an object with depth at the limit + 1.
+ */
+ @Test
+ public void simpleDepthRejectable() throws RemoteException, AlreadyBoundException, NotBoundException {
+ int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH);
+ depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH);
+ System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter);
+ try {
+ String name = "reject3";
+ DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride + 1);
+ registry.bind(name, r1);
+ Assert.fail("Registry filter should have rejected depth: " + depthOverride + 1);
+ } catch (Exception rex) {
+ // Rejection expected
}
}
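Review bot: In `simpleDepthRejectable` the failure message is built as `"... depth: " + depthOverride + 1`, which appends the digit 1 to the number (20 prints as 201) instead of printing the depth that was tried. Parenthesise the sum: `Assert.fail("Registry filter should have rejected depth: " + (depthOverride + 1));`. The `catch (Exception rex)` in that method also accepts any exception as a rejection, so an unrelated failure of `registry.bind` would let the test pass. If the bind wrongly succeeds, `"reject3"` stays bound for later tests.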
@@ -173,6 +207,7 @@ public class RegistryFilterTest {
return super.toString() + "//" + Objects.toString(obj);
}
}
+
/**
* A simple Serializable Remote object that is passed by value.
* It and its contents are checked by the Registry serial filter.
@@ -183,4 +218,25 @@ public class RegistryFilterTest {
RejectableClass() {}
}
+ /**
+ * A simple Serializable Remote object that is passed by value.
+ * It and its contents are checked by the Registry serial filter.
+ */
+ static class DepthRejectableClass implements Serializable, Remote {
+ private static final long serialVersionUID = 362498820763181264L;
+ private final DepthRejectableClass next;
+
+ private DepthRejectableClass(DepthRejectableClass next) {
+ this.next = next;
+ }
+
+ static DepthRejectableClass create(int depth) {
+ DepthRejectableClass next = new DepthRejectableClass(null);
+ for (int i = 1; i < depth; i++) {
+ next = new DepthRejectableClass(next);
+ }
+ return next;
+ }
+ }
+
}
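Review bot: The Javadoc on `DepthRejectableClass` repeats the text used for `RejectableClass` and does not say what the class is for. Suggested wording: `A Serializable Remote object that references another instance through next; create(depth) returns the head of a chain of depth objects, used to test the filter's depth limit.` It is also worth stating that `create` returns a single object for any `depth` of 1 or less, since the loop starts at `i = 1`.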
diff --git a/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java b/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..c20e67a571bc3de0788ae42abb6e36ea70a6dd57
--- /dev/null
+++ b/test/javax/management/remote/nonLocalAccess/NonLocalJMXRemoteTest.java
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.InetAddress;
+import java.rmi.AccessException;
+import java.rmi.NotBoundException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Set;
+import java.util.HashSet;
+
+/* @test
+ * @bug 8174770
+ * @summary Verify that JMX Registry rejects non-local access for bind, unbind, rebind.
+ * The test is manual because the (non-local) host and port running JMX must be supplied as properties.
+ * @run main/othervm/manual -Djmx-registry.host=jmx-registry-host -Djmx-registry.port=jmx-registry-port NonLocalJMXRemoteTest
+ */
+
+/**
+ * Verify that access checks for the Registry exported by JMX Registry.bind(),
+ * .rebind(), and .unbind() are prevented on remote access to the registry.
+ * The test verifies that the access check is performed *before* the object to be
+ * bound or rebound is deserialized.
+ * This tests the SingleEntryRegistry implemented by JMX.
+ * This test is a manual test and uses JMX running on a *different* host.
+ * JMX can be enabled in any Java runtime; for example:
+ * login or ssh to the different host and invoke rmiregistry with arguments below.
+ * It will not show any output.
+ * {@code $JDK_HOME/bin/rmiregistry \
+ * -J-Dcom.sun.management.jmxremote.port=8888 \
+ * -J-Dcom.sun.management.jmxremote.local.only=false \
+ * -J-Dcom.sun.management.jmxremote.ssl=false \
+ * -J-Dcom.sun.management.jmxremote.authenticate=false
+ * }
+ * On the first host modify the @run command above to replace "jmx-registry-host"
+ * with the hostname or IP address of the different host and run the test with jtreg.
+ */
+public class NonLocalJMXRemoteTest {
+
+ public static void main(String[] args) throws Exception {
+
+ String host = System.getProperty("jmx-registry.host");
+ if (host == null || host.isEmpty()) {
+ throw new RuntimeException("Specify host with system property: -Djmx-registry.host=");
+ }
+ int port = Integer.getInteger("jmx-registry.port", -1);
+ if (port <= 0) {
+ throw new RuntimeException("Specify port with system property: -Djmx-registry.port=");
+ }
+
+ // Check if running the test on a local system; it only applies to remote
+ String myHostName = InetAddress.getLocalHost().getHostName();
+ Set myAddrs = new HashSet<>();
+ InetAddress[] myAddrsArr = InetAddress.getAllByName(myHostName);
+ for (InetAddress a : myAddrsArr) {
+ myAddrs.add(a);
+ }
+ Set hostAddrs = new HashSet<>();
+ InetAddress[] hostAddrsArr = InetAddress.getAllByName(host);
+ for (InetAddress a : hostAddrsArr) {
+ hostAddrs.add(a);
+ }
+ if (hostAddrs.stream().anyMatch(i -> myAddrs.contains(i))
+ || hostAddrs.stream().anyMatch(h -> h.isLoopbackAddress())) {
+ throw new RuntimeException("Error: property 'jmx-registry.host' must not be the local host%n");
+ }
+
+ Registry registry = LocateRegistry.getRegistry(host, port);
+ try {
+ // Verify it is a JMX Registry
+ registry.lookup("jmxrmi");
+ } catch (NotBoundException nf) {
+ throw new RuntimeException("Not a JMX registry, jmxrmi is not bound", nf);
+ }
+
+ try {
+ registry.bind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: bind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.rebind("foo", null);
+ throw new RuntimeException("Remote access should not succeed for method: rebind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+
+ try {
+ registry.unbind("foo");
+ throw new RuntimeException("Remote access should not succeed for method: unbind");
+ } catch (Exception e) {
+ assertIsAccessException(e);
+ }
+ }
+
+ /**
+ * Check the exception chain for the expected AccessException and message.
+ * @param ex the exception from the remote invocation.
+ */
+ private static void assertIsAccessException(Throwable ex) {
+ Throwable t = ex;
+ while (!(t instanceof AccessException) && t.getCause() != null) {
+ t = t.getCause();
+ }
+ if (t instanceof AccessException) {
+ String msg = t.getMessage();
+ int asIndex = msg.indexOf("Registry");
+ int disallowIndex = msg.indexOf("disallowed");
+ int nonLocalHostIndex = msg.indexOf("non-local host");
+ if (asIndex < 0 ||
+ disallowIndex < 0 ||
+ nonLocalHostIndex < 0 ) {
+ throw new RuntimeException("exception message is malformed", t);
+ }
+ System.out.printf("Found expected AccessException: %s%n%n", t);
+ } else {
+ throw new RuntimeException("AccessException did not occur when expected", ex);
+ }
+ }
+}
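Review bot: The setup instructions in the class Javadoc start a JVM with `jmxremote.local.only=false`, `jmxremote.ssl=false` and `jmxremote.authenticate=false`, but do not say when to stop it or where it is safe to run. A line such as ` * Stop the process once the test has run; with these flags it accepts unauthenticated, unencrypted JMX connections from other hosts.` belongs next to the command. The example fixes the port at 8888 while the `@run` line uses the placeholder `jmx-registry-port`; the Javadoc should say that the two must match.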
diff --git a/test/javax/swing/JFileChooser/GodMode/JFileChooserTest.java b/test/javax/swing/JFileChooser/GodMode/JFileChooserTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..d22cbb5ee641abe3677061a9007a4c890501e2f6
--- /dev/null
+++ b/test/javax/swing/JFileChooser/GodMode/JFileChooserTest.java
@@ -0,0 +1,180 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+ /*
+ * @test
+ * @bug 8179014
+ * @requires (os.family == "Windows")
+ * @summary Check if JFileChooser crashes with GodMode Directory.
+ * @run main/manual JFileChooserTest
+ */
+import java.awt.Color;
+import java.awt.GridBagConstraints;
+import java.awt.GridBagLayout;
+import java.util.concurrent.CountDownLatch;
+import javax.swing.JPanel;
+import javax.swing.JTextArea;
+import javax.swing.SwingUtilities;
+import javax.swing.JButton;
+import javax.swing.JFrame;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.concurrent.TimeUnit;
+import javax.swing.JFileChooser;
+import javax.swing.UIManager;
+
+public class JFileChooserTest {
+
+ public static void main(String args[]) throws Exception {
+ final CountDownLatch latch = new CountDownLatch(1);
+ TestUI test = new TestUI(latch);
+ SwingUtilities.invokeAndWait(() -> {
+ try {
+ test.createUI();
+ } catch (Exception ex) {
+ throw new RuntimeException("Exception while creating UI");
+ }
+ });
+
+ boolean status = latch.await(5, TimeUnit.MINUTES);
+
+ if (!status) {
+ System.out.println("Test timed out.");
+ }
+
+ SwingUtilities.invokeAndWait(() -> {
+ try {
+ test.disposeUI();
+ } catch (Exception ex) {
+ throw new RuntimeException("Exception while disposing UI");
+ }
+ });
+
+ if (test.testResult == false) {
+ throw new RuntimeException("Test Failed.");
+ }
+ }
+}
+
+class TestUI {
+
+ private static JFrame mainFrame;
+ private static JPanel mainControlPanel;
+
+ private static JTextArea instructionTextArea;
+
+ private static JPanel resultButtonPanel;
+ private static JButton passButton;
+ private static JButton failButton;
+
+ private static GridBagLayout layout;
+ private final CountDownLatch latch;
+ public boolean testResult = false;
+
+ public TestUI(CountDownLatch latch) throws Exception {
+ this.latch = latch;
+ }
+
+ public final void createUI() throws Exception {
+ UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());
+ mainFrame = new JFrame("JFileChooserTest");
+
+ layout = new GridBagLayout();
+ mainControlPanel = new JPanel(layout);
+ resultButtonPanel = new JPanel(layout);
+
+ GridBagConstraints gbc = new GridBagConstraints();
+
+ // Create Test instructions
+ String instructions
+ = "INSTRUCTIONS:"
+ + "\n 1. Create a new folder on the desktop."
+ + "\n 2. Rename the folder exactly as given below: "
+ + "\n GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} "
+ + "\n 3. Click on Launch Button. "
+ + "\n Check if JFileChooser is launched successfully. "
+ + "\n If yes, close the JFileChooser and click Pass, "
+ + "\n else Fail. "
+ + "\n 4. Delete the GodMode folder.";
+
+ instructionTextArea = new JTextArea();
+ instructionTextArea.setText(instructions);
+ instructionTextArea.setEnabled(false);
+ instructionTextArea.setDisabledTextColor(Color.black);
+ instructionTextArea.setBackground(Color.white);
+
+ gbc.gridx = 0;
+ gbc.gridy = 0;
+ gbc.fill = GridBagConstraints.HORIZONTAL;
+ mainControlPanel.add(instructionTextArea, gbc);
+ JButton launchButton = new JButton("Launch");
+ launchButton.setActionCommand("Launch");
+ launchButton.addActionListener((ActionEvent e) -> {
+ JFileChooser fileChooser = new JFileChooser();
+ fileChooser.showOpenDialog(null);
+ }
+ );
+
+ gbc.gridx = 0;
+ gbc.gridy = 1;
+ mainControlPanel.add(launchButton, gbc);
+
+ passButton = new JButton("Pass");
+ passButton.setActionCommand("Pass");
+ passButton.addActionListener((ActionEvent e) -> {
+ testResult = true;
+ mainFrame.dispose();
+ latch.countDown();
+
+ });
+ failButton = new JButton("Fail");
+ failButton.setActionCommand("Fail");
+ failButton.addActionListener(new ActionListener() {
+ @Override
+ public void actionPerformed(ActionEvent e) {
+ testResult = false;
+ mainFrame.dispose();
+ latch.countDown();
+ }
+ });
+ gbc.gridx = 0;
+ gbc.gridy = 0;
+ resultButtonPanel.add(passButton, gbc);
+ gbc.gridx = 1;
+ gbc.gridy = 0;
+ resultButtonPanel.add(failButton, gbc);
+
+ gbc.gridx = 0;
+ gbc.gridy = 2;
+ mainControlPanel.add(resultButtonPanel, gbc);
+
+ mainFrame.add(mainControlPanel);
+ mainFrame.pack();
+ mainFrame.setVisible(true);
+ }
+
+ public void disposeUI() {
+ mainFrame.setVisible(false);
+ mainFrame.dispose();
+ }
+}
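Review bot: Both `invokeAndWait` lambdas in `main` discard the caught exception, so a failure in `createUI()` or `disposeUI()` surfaces as a bare "Exception while creating UI" / "Exception while disposing UI" with no trace of the real cause. Pass it along as the cause: `throw new RuntimeException("Exception while creating UI", ex);` and likewise `throw new RuntimeException("Exception while disposing UI", ex);`. Separately, when `latch.await` times out the test only prints "Test timed out." and then fails with the generic "Test Failed." because `testResult` is still false; a distinct failure message for the timeout would make the log easier to triage.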
diff --git a/test/sun/security/ssl/CertPathRestrictions/JSSEClient.java b/test/sun/security/ssl/CertPathRestrictions/JSSEClient.java
new file mode 100644
index 0000000000000000000000000000000000000000..e2e1b47d5066f2083bde2ea32b17e2d8c2dbf091
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEClient.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+/*
+ * A SSL socket client.
+ */
+public class JSSEClient {
+
+ public static void main(String[] args) throws Exception {
+ System.out.println("Client: arguments=" + String.join("; ", args));
+
+ int port = Integer.valueOf(args[0]);
+ String[] trustNames = args[1].split(TLSRestrictions.DELIMITER);
+ String[] certNames = args[2].split(TLSRestrictions.DELIMITER);
+ String constraint = args[3];
+
+ TLSRestrictions.setConstraint("Client", constraint);
+
+ SSLContext context = TLSRestrictions.createSSLContext(
+ trustNames, certNames);
+ SSLSocketFactory socketFactory = context.getSocketFactory();
+ try (SSLSocket socket = (SSLSocket) socketFactory.createSocket()) {
+ socket.connect(new InetSocketAddress("localhost", port),
+ TLSRestrictions.TIMEOUT);
+ socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+ System.out.println("Client: connected");
+
+ InputStream sslIS = socket.getInputStream();
+ OutputStream sslOS = socket.getOutputStream();
+ sslOS.write('C');
+ sslOS.flush();
+ sslIS.read();
+ System.out.println("Client: finished");
+ } catch (Exception e) {
+ throw new RuntimeException("Client: failed.", e);
+ }
+ }
+}
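Review bot: The value returned by `sslIS.read();` is discarded, so the client prints "Client: finished" and exits 0 even if the stream reports end-of-file (-1) instead of the server's reply. TLSRestrictions decides pass or fail from this process's exit value, so it is worth checking the byte the server sends (JSSEServer writes 'S'): `if (sslIS.read() != 'S') { throw new RuntimeException("Client: unexpected reply"); }`. `main` also indexes `args[0]` to `args[3]` without a length check, and `Integer.parseInt(args[0])` would avoid the boxing that `Integer.valueOf` does here.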
diff --git a/test/sun/security/ssl/CertPathRestrictions/JSSEServer.java b/test/sun/security/ssl/CertPathRestrictions/JSSEServer.java
new file mode 100644
index 0000000000000000000000000000000000000000..afcae83b2251093efbd9f64e8f23cae6628a9105
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/JSSEServer.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.InputStream;
+import java.io.OutputStream;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+
+/*
+ * A SSL socket server.
+ */
+public class JSSEServer {
+
+ private SSLServerSocket server = null;
+
+ private Exception exception = null;
+
+ public JSSEServer(SSLContext context,
+ boolean needClientAuth) throws Exception {
+ SSLServerSocketFactory serverFactory = context.getServerSocketFactory();
+ server = (SSLServerSocket) serverFactory.createServerSocket(0);
+ server.setSoTimeout(TLSRestrictions.TIMEOUT);
+ server.setNeedClientAuth(needClientAuth); // for dual authentication
+ System.out.println("Server: port=" + getPort());
+ }
+
+ public void start() {
+ new Thread(new Runnable() {
+
+ @Override
+ public void run() {
+ try {
+ System.out.println("Server: started");
+ try (SSLSocket socket = (SSLSocket) server.accept()) {
+ socket.setSoTimeout(TLSRestrictions.TIMEOUT);
+ InputStream sslIS = socket.getInputStream();
+ OutputStream sslOS = socket.getOutputStream();
+ sslIS.read();
+ sslOS.write('S');
+ sslOS.flush();
+ System.out.println("Server: finished");
+ }
+ } catch (Exception e) {
+ e.printStackTrace(System.out);
+ exception = e;
+ }
+ }
+ }).start();
+ }
+
+ public int getPort() {
+ return server.getLocalPort();
+ }
+
+ public Exception getException() {
+ return exception;
+ }
+}
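Review bot: `exception` is assigned on the thread created in `start()` and read from another thread through `getException()`, but the field is neither `volatile` nor guarded, and `start()` keeps no reference to the thread that a caller could join. TLSRestrictions calls `server.getException()` right after the client JVM exits, so a server-side handshake failure may not be visible yet and the case could end up classified from the client output alone. Declaring the field as `private volatile Exception exception = null;` fixes visibility; waiting for the server thread before reading it would additionally fix the ordering. The `SSLServerSocket` created in the constructor is also never closed, and `createServerSocket(0)` binds the wildcard address although the client only connects to "localhost".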
diff --git a/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java b/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java
new file mode 100644
index 0000000000000000000000000000000000000000..f23a0a4ee5705986a726d96b6f504f1407a44932
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java
@@ -0,0 +1,541 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.SocketTimeoutException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.stream.Collectors;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManagerFactory;
+
+import jdk.testlibrary.OutputAnalyzer;
+import jdk.testlibrary.ProcessTools;
+
+/*
+ * @test
+ * @summary Verify the restrictions for certificate path on JSSE with custom trust store.
+ * @library /lib/testlibrary
+ * @compile JSSEClient.java
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions DEFAULT
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S1
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S2
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S3
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S4
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S5
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S6
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S7
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S8
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions C9
+ * @run main/othervm -Djava.security.debug=certpath TLSRestrictions S9
+ */
+public class TLSRestrictions {
+
+ private static final String TEST_CLASSES = System.getProperty("test.classes");
+ private static final char[] PASSWORD = "".toCharArray();
+ private static final String CERT_DIR = System.getProperty("cert.dir",
+ System.getProperty("test.src") + "/certs");
+
+ static final String PROP = "jdk.certpath.disabledAlgorithms";
+ static final String NOSHA1 = "MD2, MD5";
+ private static final String TLSSERVER = "SHA1 usage TLSServer";
+ private static final String TLSCLIENT = "SHA1 usage TLSClient";
+ static final String JDKCATLSSERVER = "SHA1 jdkCA & usage TLSServer";
+ static final String JDKCATLSCLIENT = "SHA1 jdkCA & usage TLSClient";
+
+ // This is a space holder in command arguments, and stands for none certificate.
+ static final String NONE_CERT = "NONE_CERT";
+
+ static final String DELIMITER = ",";
+ static final int TIMEOUT = 30000;
+
+ // It checks if java.security contains constraint "SHA1 jdkCA & usage TLSServer"
+ // for jdk.certpath.disabledAlgorithms by default.
+ private static void checkDefaultConstraint() {
+ System.out.println(
+ "Case: Checks the default value of jdk.certpath.disabledAlgorithms");
+ if (!Security.getProperty(PROP).contains(JDKCATLSSERVER)) {
+ throw new RuntimeException(String.format(
+ "%s doesn't contain constraint \"%s\", the real value is \"%s\".",
+ PROP, JDKCATLSSERVER, Security.getProperty(PROP)));
+ }
+ }
+
+ /*
+ * This method creates trust store and key store with specified certificates
+ * respectively. And then it creates SSL context with the stores.
+ * If trustNames contains NONE_CERT only, it does not create a custom trust
+ * store, but the default one in JDK.
+ *
+ * @param trustNames Trust anchors, which are used to create custom trust store.
+ * If null, no custom trust store is created and the default
+ * trust store in JDK is used.
+ * @param certNames Certificate chain, which is used to create key store.
+ * It cannot be null.
+ */
+ static SSLContext createSSLContext(String[] trustNames,
+ String[] certNames) throws Exception {
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+
+ TrustManagerFactory tmf = null;
+ if (trustNames != null && trustNames.length > 0
+ && !trustNames[0].equals(NONE_CERT)) {
+ KeyStore trustStore = KeyStore.getInstance("JKS");
+ trustStore.load(null, null);
+ for (int i = 0; i < trustNames.length; i++) {
+ try (InputStream is = new ByteArrayInputStream(
+ loadCert(trustNames[i]).getBytes())) {
+ Certificate trustCert = certFactory.generateCertificate(is);
+ trustStore.setCertificateEntry("trustCert-" + i, trustCert);
+ }
+ }
+
+ tmf = TrustManagerFactory.getInstance("PKIX");
+ tmf.init(trustStore);
+ }
+
+ Certificate[] certChain = new Certificate[certNames.length];
+ for (int i = 0; i < certNames.length; i++) {
+ try (InputStream is = new ByteArrayInputStream(
+ loadCert(certNames[i]).getBytes())) {
+ Certificate cert = certFactory.generateCertificate(is);
+ certChain[i] = cert;
+ }
+ }
+
+ PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(
+ Base64.getMimeDecoder().decode(loadPrivKey(certNames[0])));
+ KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+ PrivateKey privKey = keyFactory.generatePrivate(privKeySpec);
+
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(null, null);
+ keyStore.setKeyEntry("keyCert", privKey, PASSWORD, certChain);
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
+ kmf.init(keyStore, PASSWORD);
+
+ SSLContext context = SSLContext.getInstance("TLS");
+ context.init(kmf.getKeyManagers(),
+ tmf == null ? null : tmf.getTrustManagers(), null);
+ return context;
+ }
+
+ /*
+ * This method sets jdk.certpath.disabledAlgorithms, and then retrieves
+ * and prints its value.
+ */
+ static void setConstraint(String side, String constraint) {
+ System.out.printf("%s: Old %s=%s%n", side, PROP,
+ Security.getProperty(PROP));
+ Security.setProperty(PROP, constraint);
+ System.out.printf("%s: New %s=%s%n", side, PROP,
+ Security.getProperty(PROP));
+ }
+
+ /*
+ * This method is used to run a variety of cases.
+ * It launches a server, and then takes a client to connect the server.
+ * Both of server and client use the same certificates.
+ *
+ * @param trustNames Trust anchors, which are used to create custom trust store.
+ * If null, the default trust store in JDK is used.
+ * @param certNames Certificate chain, which is used to create key store.
+ * It cannot be null. The first certificate is regarded as
+ * the end entity.
+ * @param serverConstraint jdk.certpath.disabledAlgorithms value on server side.
+ * @param clientConstraint jdk.certpath.disabledAlgorithms value on client side.
+ * @param needClientAuth If true, server side acquires client authentication;
+ * otherwise, false.
+ * @param pass If true, the connection should be blocked; otherwise, false.
+ */
+ static void testConstraint(String[] trustNames, String[] certNames,
+ String serverConstraint, String clientConstraint,
+ boolean needClientAuth, boolean pass) throws Throwable {
+ String trustNameStr = trustNames == null ? ""
+ : String.join(DELIMITER, trustNames);
+ String certNameStr = certNames == null ? ""
+ : String.join(DELIMITER, certNames);
+
+ System.out.printf("Case:%n"
+ + " trustNames=%s; certNames=%s%n"
+ + " serverConstraint=%s; clientConstraint=%s%n"
+ + " needClientAuth=%s%n"
+ + " pass=%s%n%n",
+ trustNameStr, certNameStr,
+ serverConstraint, clientConstraint,
+ needClientAuth,
+ pass);
+ setConstraint("Server", serverConstraint);
+ JSSEServer server = new JSSEServer(
+ createSSLContext(trustNames, certNames),
+ needClientAuth);
+ int port = server.getPort();
+ server.start();
+
+ // Run client on another JVM so that its properties cannot be in conflict
+ // with server's.
+ OutputAnalyzer outputAnalyzer = ProcessTools.executeTestJvm(
+ "-Dcert.dir=" + CERT_DIR,
+ "-Djava.security.debug=certpath",
+ "-classpath",
+ TEST_CLASSES,
+ "JSSEClient",
+ port + "",
+ trustNameStr,
+ certNameStr,
+ clientConstraint);
+ int exitValue = outputAnalyzer.getExitValue();
+ String clientOut = outputAnalyzer.getOutput();
+
+ Exception serverException = server.getException();
+ if (serverException != null) {
+ System.out.println("Server: failed");
+ }
+
+ System.out.println("---------- Client output start ----------");
+ System.out.println(clientOut);
+ System.out.println("---------- Client output end ----------");
+
+ if (serverException instanceof SocketTimeoutException
+ || clientOut.contains("SocketTimeoutException")) {
+ System.out.println("The communication gets timeout and skips the test.");
+ return;
+ }
+
+ if (pass) {
+ if (serverException != null || exitValue != 0) {
+ throw new RuntimeException(
+ "Unexpected failure. Operation was blocked.");
+ }
+ } else {
+ if (serverException == null && exitValue == 0) {
+ throw new RuntimeException(
+ "Unexpected pass. Operation was allowed.");
+ }
+
+ // The test may encounter non-SSL issues, like network problem.
+ if (!(serverException instanceof SSLHandshakeException
+ || clientOut.contains("SSLHandshakeException"))) {
+ throw new RuntimeException("Failure with unexpected exception.");
+ }
+ }
+ }
+
+ /*
+ * This method is used to run a variety of cases, which don't require client
+ * authentication by default.
+ */
+ static void testConstraint(String[] trustNames, String[] certNames,
+ String serverConstraint, String clientConstraint, boolean pass)
+ throws Throwable {
+ testConstraint(trustNames, certNames, serverConstraint, clientConstraint,
+ false, pass);
+ }
+
+ public static void main(String[] args) throws Throwable {
+ switch (args[0]) {
+ // Case DEFAULT only checks one of default settings for
+ // jdk.certpath.disabledAlgorithms in JDK/conf/security/java.security.
+ case "DEFAULT":
+ checkDefaultConstraint();
+ break;
+
+ // Cases C1 and S1 use SHA256 root CA in trust store,
+ // and use SHA256 end entity in key store.
+ // C1 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S1 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should not be blocked.
+ case "C1":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+ NOSHA1,
+ TLSSERVER,
+ true);
+ break;
+ case "S1":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] { "INTER_CA_SHA256-ROOT_CA_SHA256" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ true);
+ break;
+
+ // Cases C2 and S2 use SHA256 root CA in trust store,
+ // and use SHA1 end entity in key store.
+ // C2 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S2 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should be blocked.
+ case "C2":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ NOSHA1,
+ TLSSERVER,
+ false);
+ break;
+ case "S2":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] { "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ false);
+ break;
+
+ // Cases C3 and S3 use SHA1 root CA in trust store,
+ // and use SHA1 end entity in key store.
+ // C3 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S3 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should be blocked.
+ case "C3":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+ NOSHA1,
+ TLSSERVER,
+ false);
+ break;
+ case "S3":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] { "INTER_CA_SHA1-ROOT_CA_SHA1" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ false);
+ break;
+
+ // Cases C4 and S4 use SHA1 root CA as trust store,
+ // and use SHA256 end entity in key store.
+ // C4 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S4 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should not be blocked.
+ case "C4":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+ NOSHA1,
+ TLSSERVER,
+ true);
+ break;
+ case "S4":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] { "INTER_CA_SHA256-ROOT_CA_SHA1" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ true);
+ break;
+
+ // Cases C5 and S5 use SHA1 root CA in trust store,
+ // and use SHA256 intermediate CA and SHA256 end entity in key store.
+ // C5 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S5 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should not be blocked.
+ case "C5":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+ "INTER_CA_SHA256-ROOT_CA_SHA1" },
+ NOSHA1,
+ TLSSERVER,
+ true);
+ break;
+ case "S5":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1",
+ "INTER_CA_SHA256-ROOT_CA_SHA1" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ true);
+ break;
+
+ // Cases C6 and S6 use SHA1 root CA as trust store,
+ // and use SHA1 intermediate CA and SHA256 end entity in key store.
+ // C6 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S6 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should be blocked.
+ case "C6":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+ "INTER_CA_SHA1-ROOT_CA_SHA1" },
+ NOSHA1,
+ TLSSERVER,
+ false);
+ break;
+ case "S6":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA1" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1",
+ "INTER_CA_SHA1-ROOT_CA_SHA1" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ false);
+ break;
+
+ // Cases C7 and S7 use SHA256 root CA in trust store,
+ // and use SHA256 intermediate CA and SHA1 end entity in key store.
+ // C7 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S7 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should be blocked.
+ case "C7":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+ "INTER_CA_SHA256-ROOT_CA_SHA256" },
+ NOSHA1,
+ TLSSERVER,
+ false);
+ break;
+ case "S7":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256",
+ "INTER_CA_SHA256-ROOT_CA_SHA256" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ false);
+ break;
+
+ // Cases C8 and S8 use SHA256 root CA in trust store,
+ // and use SHA1 intermediate CA and SHA256 end entity in key store.
+ // C8 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S8 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should be blocked.
+ case "C8":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+ "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ NOSHA1,
+ TLSSERVER,
+ false);
+ break;
+ case "S8":
+ testConstraint(
+ new String[] { "ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256",
+ "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ false);
+ break;
+
+ // Cases C9 and S9 use SHA256 root CA and SHA1 intermediate CA in trust store,
+ // and use SHA256 end entity in key store.
+ // C9 only sets constraint "SHA1 usage TLSServer" on client side;
+ // S9 only sets constraint "SHA1 usage TLSClient" on server side with client auth.
+ // The connection of the both cases should not be blocked.
+ case "C9":
+ testConstraint(
+ new String[] {
+ "ROOT_CA_SHA256",
+ "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+ NOSHA1,
+ TLSSERVER,
+ true);
+ break;
+ case "S9":
+ testConstraint(
+ new String[] {
+ "ROOT_CA_SHA256",
+ "INTER_CA_SHA1-ROOT_CA_SHA256" },
+ new String[] {
+ "END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256" },
+ TLSCLIENT,
+ NOSHA1,
+ true,
+ true);
+ break;
+ }
+
+ System.out.println("Case passed");
+ System.out.println("========================================");
+ }
+
+ private static String loadCert(String certName) {
+ try {
+ Path certFilePath = Paths.get(CERT_DIR, certName + ".cer");
+ return String.join("\n",
+ Files.lines(certFilePath).filter((String line) -> {
+ return !line.startsWith("Certificate")
+ && !line.startsWith(" ");
+ }).collect(Collectors.toList()));
+ } catch (IOException e) {
+ throw new RuntimeException("Load certificate failed", e);
+ }
+ }
+
+ private static String loadPrivKey(String certName) {
+ Path priveKeyFilePath = Paths.get(CERT_DIR, certName + "-PRIV.key");
+ try {
+ return new String(Files.readAllBytes(priveKeyFilePath));
+ } catch (IOException e) {
+ throw new RuntimeException("Load private key failed", e);
+ }
+ }
+}
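Review bot: Two paths let a case print "Case passed" without the restriction having been exercised: the `switch` in `main` has no `default`, so an unrecognised `args[0]` falls straight through to the final println, and the timeout branch in `testConstraint` returns normally when a `SocketTimeoutException` is seen. For a test that guards certificate-path restrictions I would add `default: throw new IllegalArgumentException("Unknown case: " + args[0]);` and make the timeout branch at least report the case as skipped rather than passed. The comment on `testConstraint` also describes `pass` backwards: the code treats `pass == true` as "the connection must succeed", so it should read `@param pass If true, the connection should not be blocked; otherwise, false.`. In `loadCert`, the stream from `Files.lines(certFilePath)` is never closed and should be opened in try-with-resources.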
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..8da367c70556d268543a701be8f5f0b6f9a3c8cc
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..21872d79ba9a4b4b6f6f5892b1dff16c0a61af8d
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256.cer
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e8:33:78:c7:69:9c:28:c2
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:07 2017 GMT
+ Not After : Mar 28 04:51:07 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA1-INTER_CA_SHA256-ROOT_CA_SHA256
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:98:40:36:71:1f:13:49:57:c7:50:23:a9:9f:26:
+ 3b:88:67:10:1e:e4:25:fd:18:2a:d2:dc:56:a3:87:
+ 90:d7:21:0c:1d:72:f4:38:b3:a6:1d:2b:3c:05:9f:
+ ef:1d:51:db:29:74:d4:e7:4b:e6:d6:8d:f6:30:d2:
+ 20:1b:b0:cb:7a:2f:a7:b0:ba:d6:99:7f:a6:ae:7e:
+ 1d:44:05:88:b0:34:eb:cd:f0:2f:02:c7:48:a2:13:
+ c3:62:06:8f:37:dc:06:16:1c:a8:43:0b:8a:ae:eb:
+ 74:11:75:8c:1b:f6:3f:89:83:cb:7a:a7:49:50:eb:
+ 8b:05:2c:33:7f:44:93:9c:5a:56:8f:41:b2:5b:48:
+ d0:4a:78:f4:11:ed:63:85:bd:d2:60:14:07:50:99:
+ 08:cb:f8:d0:fa:3d:2b:a2:f5:00:72:c9:74:3e:de:
+ 77:ec:ec:80:f8:a5:a5:31:61:b0:ab:24:c8:79:fc:
+ 02:6a:69:3d:38:0d:80:c4:ba:67:e6:51:15:27:e7:
+ e6:4e:22:a9:aa:bc:8d:88:a4:d5:cd:e6:05:73:2f:
+ 76:fc:98:cd:96:1a:be:5d:a5:16:39:71:9d:57:ff:
+ f0:50:f7:54:8d:8e:b2:8d:26:59:8a:16:be:e7:30:
+ 27:c0:77:3c:48:5b:86:ff:b0:0a:ef:79:83:44:d9:
+ 5c:bb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:84:A1:70:1D:0A:92:D3:CC
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ 22:63:2a:de:80:70:92:f7:53:e4:7f:ea:01:2b:13:b3:1b:02:
+ 2e:10:b4:1d:b7:33:7f:6f:0d:88:46:5a:b8:db:83:95:77:e2:
+ db:da:2e:31:0a:85:c6:9a:75:84:ca:73:5c:be:e3:30:22:7e:
+ bc:60:43:49:7c:69:06:14:4a:89:e4:23:ca:25:99:85:d6:06:
+ 16:d5:9e:a8:fd:25:43:88:07:12:0a:7e:de:24:33:71:ab:a4:
+ 23:aa:4e:dc:0f:89:ef:a9:09:89:55:a1:1d:ee:48:35:ea:10:
+ 42:ff:98:15:2a:e8:5c:46:e0:e4:4f:4c:b9:07:e0:da:08:6f:
+ ce:4a:fe:98:3e:ae:c5:e5:6a:6e:50:0f:2d:39:01:55:ed:59:
+ 0b:65:30:54:e8:72:26:ee:9f:cf:3f:ce:6a:20:c8:87:c9:81:
+ bc:f8:b3:ec:77:bb:bc:5b:8c:3f:18:fd:08:76:ad:27:59:fc:
+ b8:74:96:0d:cd:ed:97:91:6b:95:89:3a:f3:78:de:9f:06:a6:
+ ce:36:01:f0:be:ae:d8:d6:c4:3d:51:8a:2a:e0:43:59:8c:b4:
+ eb:63:93:9d:53:72:f8:4b:a3:c7:4a:da:2e:56:33:b6:46:1b:
+ 45:a8:23:1b:82:de:6d:4e:e0:18:cf:9b:ba:22:68:8b:8c:de:
+ 6f:08:2d:bc
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..cd99ead5d10660ae7be822921443ab2b1136e20f
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer
new file mode 100644
index 0000000000000000000000000000000000000000..c2cb37cb0eb9c5a241250af44bd2e4dd82253292
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1.cer
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 86:09:85:57:41:bf:86:65
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+ Validity
+ Not Before: Mar 30 04:51:06 2017 GMT
+ Not After : Mar 28 04:51:06 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:da:62:52:8d:4d:4d:62:41:eb:3f:06:d8:af:bc:
+ cd:62:c6:30:a4:d6:6b:8c:d5:17:4c:90:94:08:b5:
+ 90:76:d7:2d:64:33:53:8b:a7:71:26:18:aa:95:ab:
+ 02:9b:4b:93:93:ac:c2:31:8c:f5:30:0f:d2:f2:69:
+ 12:4c:bd:23:f5:c6:f7:bb:cf:09:8d:5c:e9:e0:03:
+ c7:ae:92:64:36:a2:54:14:e7:c6:e5:7b:a2:00:1d:
+ c8:f8:aa:0e:da:df:c1:35:21:3b:c3:98:0b:30:85:
+ 3c:ca:7c:8e:19:ea:89:0b:0a:32:9f:61:a7:e7:7d:
+ b8:b9:24:0f:84:e9:f8:80:ac:1d:f3:8a:68:e7:7b:
+ eb:62:50:d6:19:87:67:98:b2:9b:0e:3b:0e:9c:99:
+ a2:ed:21:b3:0f:67:25:f2:e2:23:fa:38:23:48:8a:
+ 46:f4:f0:36:b6:ef:38:d5:9f:4e:22:d5:27:94:12:
+ fd:58:16:69:f8:07:d1:96:70:d2:c0:5f:23:35:2e:
+ 60:8d:8b:bd:3e:48:04:e9:69:96:11:8e:bf:c1:05:
+ 1e:8b:35:93:01:b0:d2:89:6e:55:85:5c:ad:d4:b5:
+ f6:05:8b:2a:72:8a:b8:10:8f:33:ed:2d:bd:57:b2:
+ e3:21:7e:a3:2d:f1:06:43:87:c9:f7:62:f6:13:5b:
+ 9f:71
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+ serial:8D:A0:D2:8A:EE:0B:CF:65
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 29:b0:10:dc:45:ee:68:77:5f:12:9b:fc:de:eb:70:41:2e:6a:
+ a2:5f:a9:cc:ca:97:24:01:4a:1d:c2:78:52:57:34:9c:83:7f:
+ 60:f5:d9:68:a2:32:89:e9:d7:25:71:72:71:e5:76:e3:37:af:
+ 41:25:cc:8b:a4:fd:81:ef:6b:15:2b:91:3c:68:a5:25:53:cf:
+ c1:b9:aa:49:b4:cd:e3:3c:a2:8e:38:ea:e8:51:7c:7b:92:41:
+ bd:a3:22:7d:97:59:ad:55:e2:7d:9d:6a:bb:1f:95:84:1c:50:
+ 00:e9:6c:74:1d:bb:6c:07:ca:bc:6a:a2:dd:c1:66:37:64:bd:
+ fe:1a:c0:8c:a7:8c:a1:60:b8:c3:d2:5f:92:80:ee:ad:79:29:
+ f2:ad:e2:9f:74:39:bf:3b:a4:b6:25:2a:87:3f:36:49:b9:52:
+ fd:91:33:be:1d:41:a9:76:29:47:6e:c7:db:a8:ab:6e:78:91:
+ c0:13:56:1c:25:41:51:a7:64:4f:07:c0:2a:a8:80:63:8d:98:
+ e0:54:7d:a6:f4:22:6b:70:fa:1c:16:82:f4:07:2e:e1:ba:94:
+ 96:ec:c7:9e:8e:0a:24:1e:a4:e9:c0:92:ca:bd:32:98:ef:1f:
+ e1:a6:e6:4d:1f:c5:68:1b:77:d0:e0:35:1a:a9:c9:ee:98:72:
+ 7b:c3:e7:51
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
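Review bot: This end-entity fixture carries `X509v3 Basic Constraints: CA:TRUE`, so the leaf of the test chain is itself a CA certificate and does not model a real server or client certificate. The same extension appears on the other END_ENTITY_* certificates added in this commit (the ...INTER_CA_SHA1-ROOT_CA_SHA256, ...INTER_CA_SHA256-ROOT_CA_SHA1 and ...INTER_CA_SHA256-ROOT_CA_SHA256 files). If the restriction under test only inspects signature algorithms along the path this is harmless, but issuing the leaves with `basicConstraints=CA:FALSE` would keep the fixtures meaningful for any check that distinguishes CA certificates from leaves.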
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..3f9ad5384df95c364b6b38943958382151cc74db
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..22390ed7d7e60f5dcb4a6e10ea44185c3c6a1524
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 9e:f7:d7:79:1c:06:83:d5
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:05 2017 GMT
+ Not After : Mar 28 04:51:05 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:da:0a:c8:97:70:d9:ee:ed:6a:55:b7:e1:5a:ae:
+ f1:61:b5:a4:6b:e1:13:10:6c:a1:a1:88:81:e2:e1:
+ a5:74:be:a5:a6:a5:7f:de:15:d7:b4:d5:e4:19:4d:
+ 97:0f:18:9c:c4:9e:32:6b:93:21:68:dd:66:dd:df:
+ 56:e3:04:ba:6d:e3:49:24:23:b9:1b:38:31:eb:03:
+ 62:fe:bd:8f:e1:a0:24:1e:5c:af:3e:06:b1:a2:a1:
+ 7f:6a:1c:ea:43:ec:e2:c8:dc:4b:26:d7:e2:83:88:
+ f3:ca:c3:aa:ab:f4:ef:67:4b:f7:ce:20:3d:f3:97:
+ 2f:76:af:ea:1b:63:66:6e:5b:a8:d0:0b:46:1a:87:
+ 72:bd:20:da:d2:22:31:fe:ac:75:ec:9a:3d:94:e5:
+ d0:a7:92:d7:e2:2f:34:5c:a1:cb:ea:b5:01:c0:49:
+ 85:c5:5c:48:56:af:54:c2:32:74:b3:ee:1f:a5:d3:
+ b3:b9:62:06:29:9a:1c:24:44:83:c2:91:c7:4f:fb:
+ dc:06:84:ed:9e:38:96:14:91:f6:81:b5:ea:1d:0e:
+ 1e:ef:1e:3d:85:f8:0e:8b:85:ea:2c:6b:89:a2:fe:
+ 7c:ac:ca:14:09:97:cb:81:17:0f:7b:76:a6:9b:f6:
+ e9:79:4d:bd:37:88:79:9a:63:fa:b4:c4:92:9c:12:
+ 88:67
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:84:A1:70:1D:0A:92:D3:CD
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 89:84:ce:6d:80:83:e7:19:80:21:a5:d3:79:ac:c4:2f:5c:5f:
+ 47:f1:1c:e7:40:2a:57:ec:76:01:a9:10:b6:a2:2b:1b:02:ac:
+ f7:46:b1:67:b3:36:0f:fa:f0:a3:40:c2:5a:38:00:67:a9:9d:
+ e8:59:be:2f:5b:d0:c6:6c:20:90:c0:3b:6b:af:75:8c:93:ac:
+ 5a:1e:8b:66:2c:79:0b:6d:9d:0d:d3:68:b5:b6:df:d6:04:6b:
+ 24:f7:5a:b9:f0:18:08:81:b1:50:1c:ac:1b:7a:b7:b8:d8:8e:
+ 6f:15:78:7e:23:5f:41:5c:df:76:09:1a:67:36:15:35:6a:77:
+ 36:09:19:50:12:6d:60:20:c1:7a:36:cb:4c:ee:a8:d7:b7:c7:
+ 29:26:31:04:0a:44:48:25:be:dd:00:92:ea:8c:00:ee:b4:eb:
+ 52:4a:da:47:97:d7:42:df:dd:7d:17:de:e3:a1:14:49:3b:2d:
+ aa:ac:e7:83:0f:c0:2d:3f:31:c5:af:bb:b1:1e:53:d1:a7:13:
+ 55:e3:25:f6:67:95:a1:75:e9:b8:a1:81:eb:d0:de:8a:a3:af:
+ 78:dc:d0:39:d0:e7:d6:61:9e:39:7b:8b:f9:ee:44:48:78:92:
+ e7:22:fa:9c:a4:d0:6b:2b:89:0a:fa:78:3d:7a:af:44:91:e5:
+ 8a:40:2f:10
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
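Review bot: The subject CN in this certificate is `END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV`, while the file is named END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256.cer and the sibling end-entity certificates use a CN equal to their file's base name. The stray `-PRIV` suffix looks like the key file's name leaking into the subject during generation. Signature checks are unaffected, but anything that selects, compares or logs a fixture by subject will see a name that matches no certificate file. Regenerating it with the CN `END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256` would restore the naming convention.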
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..8584f50ec7e2f9dfd31c366845c937f8f9d00be8
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer
new file mode 100644
index 0000000000000000000000000000000000000000..8b9f080920e895efd402f924ba6a2ab590361cc6
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1.cer
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 9e:b3:99:30:15:24:2c:69
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+ Validity
+ Not Before: Mar 30 04:51:06 2017 GMT
+ Not After : Mar 28 04:51:06 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c7:0b:48:9e:38:53:53:26:33:fe:1c:c9:45:43:
+ fc:39:d0:7c:7f:f8:56:21:f7:3f:70:de:2d:3c:75:
+ 5b:e2:f2:81:21:19:4a:29:ed:fb:ec:a8:4c:ae:02:
+ 3d:d4:fc:16:06:f3:b5:ac:bf:6e:f0:7d:af:65:a9:
+ 22:51:4a:0a:94:4f:7c:88:e2:3b:0c:63:fa:33:50:
+ 89:ee:2a:9a:7f:c8:bf:7b:69:bc:99:54:35:19:73:
+ 77:62:0d:9a:ab:c8:0f:d0:ba:bf:07:35:52:f2:03:
+ 68:43:0c:0f:71:f0:8a:1e:bb:91:03:16:5e:c0:7a:
+ a5:77:8f:1f:80:f1:f6:ee:97:05:5e:09:ad:bd:18:
+ 1c:95:91:64:54:11:51:7f:e3:c6:b5:8e:96:b3:05:
+ fd:98:42:fa:e6:e4:49:56:a0:6f:1f:b8:ca:f3:ea:
+ f8:23:fa:06:19:61:bd:46:3d:79:89:42:bb:40:21:
+ 1a:78:67:5f:c0:aa:e3:d2:e0:0f:ce:db:50:e7:3c:
+ b1:0c:f1:64:b0:fa:b4:82:28:61:8a:32:a7:9f:27:
+ 0e:f8:cd:e5:72:3e:53:a2:3a:68:c5:4d:e3:5f:79:
+ 50:d5:89:0a:c3:81:4f:be:09:30:e3:15:af:17:87:
+ 07:94:ea:ff:8c:b5:8e:4c:9b:39:9f:d8:01:13:1b:
+ 27:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+ serial:8D:A0:D2:8A:EE:0B:CF:64
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 2b:43:e4:c1:37:36:00:a3:ed:25:15:c7:9f:6b:25:0e:24:cd:
+ 1c:e8:d2:8c:a6:11:05:a9:2b:b5:dc:7b:fd:55:8e:be:1d:15:
+ d7:8b:a8:a6:44:cf:03:ba:ba:78:74:26:b9:19:11:c0:03:9b:
+ 4d:2f:f9:f7:ea:da:a3:2f:82:f9:9e:d0:77:d6:bf:eb:fd:57:
+ c8:eb:03:54:0a:0c:2b:36:0c:e5:99:b7:93:4d:a9:9d:e9:50:
+ 80:66:4e:73:c1:bd:83:13:09:ee:b9:01:62:ed:90:0e:4f:ff:
+ 9d:92:f3:cd:db:1f:ba:da:fc:67:9d:cb:a0:09:99:8b:3e:ea:
+ 9d:61:55:ac:6f:fb:11:5c:c0:fe:fb:ff:5b:15:7d:a7:c1:aa:
+ 3a:cd:30:43:35:ea:44:8a:21:ae:9f:af:bc:5c:ae:3a:01:2c:
+ 3b:eb:b6:8c:6a:e1:1c:4e:55:0a:84:5b:f8:68:71:aa:97:02:
+ 9b:5d:c4:c9:42:df:19:91:28:4a:12:35:8d:2e:3d:10:ec:35:
+ 8a:b1:d7:e0:e2:a6:f9:f6:47:4b:17:75:84:8e:2d:66:e8:74:
+ be:d6:27:6b:a2:28:23:26:41:70:92:c2:7c:50:e2:81:c9:e0:
+ 10:84:5d:87:4f:db:93:ce:dd:09:d2:48:63:3d:53:66:31:64:
+ 5a:13:b5:a6
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..7fa6368571422ed37c65ade81a1dbb48f58fa374
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDuH2+6I/ytoLeW
+AG3J0xMQafYmxYDZNaDjiWBl7TGpL4TjRY84FuHI/G8ib0VY9DKtyUixm7qZev+b
+ExrfQGk9ZV7Dn41uBvmGcUMSqwb0QV/5/hneP7/3EXhoWjsCFUe0r0zOgCM7O9+F
+jUlSuxEHyaFE09PxWGVZpU4Yu71PeoI/JJGITV81o2Fst7Urz65NE5OWrvbO+pfD
+EiRvjLv/uil7znYV28lCbH7U1K8q5nGVtnpgTguhGL6/N3lIgvxoBtoXEQwdMV59
+APsH8anA19rHn5h/ZmknryxAs0c6Rg9Plo30MonIU/eAVZwNw8TczD276Rc02xnW
+RmbmxToRAgMBAAECggEAbK3OWV9JWJlMkNqbQQzj247w+FsV5ozSZGbzpzFtg/Eb
+Lns11XykCg4kTswIE4RIiQaf9efEb34yoL1Ee3YzUgEtEg2FCB2IzvJskV2ba+lW
+e4uclNH1tDa2BLKB0f6SXoXPgUP8UHGQH60PNQIJ0MsWnoorZjBY+WQ305QD3/yB
+fMonkjpWN+ZNTY8Y3vA2SsS4EoY0Ndy2FpmWPwKKMCcqXw6xzVjKvq+jpFfsGpcj
+i3MlKsCG5koreWrXdyt28CVOc6eMW5rsJfAHRw+OSn7PdLaGyZCUUsFXCjG0Vq2G
+YwuMfTJprrZk+lbi3XUXWk7XUEURB7Q4lIBxAcskAQKBgQD8pVj0OIsVHAGjQQ7C
+ZAnxFlON7XX3fgPdLtil9c+a1GlcPA2K52fBp8YlKlAS4bmZIQHbbkEBjh8KfG1P
+x7zBHoUXV8ruo/axzRPoeBVQat5NQKcKnlITrqdf8J3a+8iMxpMpd53h97HGiayq
+W04ZQNf7wjXvR+pJVluTEaoVUQKBgQDxSLruMmCsYvD+sipaQ3rBEMIAI3kc7ctl
+fEnipEk5wtPkKKldw+rvbh/AwY2i2JMUDcW92hkB5vCvbcKmCEkEO3FbawNkJnJi
+qfwbvHP/fGThMV3gbWWF3GZvBKY2+toSa2rwoR5kYTT1e4+byk38NAp/HAItFHIT
+DgAgMy6owQKBgQCjd8jKnBtBmVFl9B48oMXd+/gsCM0fSaXuYvVCzH17TJyvVRve
+GEQGBSwrt+j/jpWsArNU602cV/y1qDSCPlZfDgRHSkK/jc9805hh/fCsi7kyevaZ
+5D5vBb6+UM2Sdv8YNxPY7NB2+PFJ6KKTx2gM5uvYtZx4KivpL7souXE3QQKBgDxg
+FZ5q7rPUIjepP13MyteqqNC+D51Eh4PCgP58W3JfpQPPhOnYj14QMVPbWuSnys3W
+0Gc8PsuyDQHoti8znYm4khntAjE6SZ8Up+gM1P3WE6wh3Tq+RQwk5WDcSfcx+AVp
+6Z2Cw4ccp9LRc1LpYXA9WW8LBCRhnFXWSAPGquNBAoGAdCsvFzSipQ5qxWPlClRM
+lKqDdQheRl9IKCuImXZAvdX952VhmP7QV5PUwLV/CkVquvSdRSshrMO/fqFjfkjr
+puajXghFXa+YppQW42tPYBmKDnNVgxW5d5sC62AYaykh2iNw3v4BJyN+MMmkSf0M
+4/mKvs5m8N2OkOpY6r2wCp8=
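Review bot: This file is an unencrypted PKCS#8 RSA private key stored as bare base64 with no PEM armor and no comment, so nothing in the tree states that it is a throwaway test key. Its modulus appears to match the END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256 certificate added next to it, and the same applies to the other *-PRIV.key files in this commit, including the ones for the test root and intermediate CAs. Because the format has no comment syntax, the statement belongs in the header of the consuming test or in a README beside the fixtures, for example `Keys and certificates under certs/ are generated solely for the CertPathRestrictions tests and must never be trusted or reused outside them.` Secret scanners will flag these files, so the path is also worth adding to the project's scanner allowlist with that justification.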
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..c503f92fb12da72efe7bef3ecacc6aebfcc48a2f
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256.cer
@@ -0,0 +1,81 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e8:33:78:c7:69:9c:28:c1
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:04 2017 GMT
+ Not After : Mar 28 04:51:04 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=END_ENTITY_SHA256-INTER_CA_SHA256-ROOT_CA_SHA256
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ee:1f:6f:ba:23:fc:ad:a0:b7:96:00:6d:c9:d3:
+ 13:10:69:f6:26:c5:80:d9:35:a0:e3:89:60:65:ed:
+ 31:a9:2f:84:e3:45:8f:38:16:e1:c8:fc:6f:22:6f:
+ 45:58:f4:32:ad:c9:48:b1:9b:ba:99:7a:ff:9b:13:
+ 1a:df:40:69:3d:65:5e:c3:9f:8d:6e:06:f9:86:71:
+ 43:12:ab:06:f4:41:5f:f9:fe:19:de:3f:bf:f7:11:
+ 78:68:5a:3b:02:15:47:b4:af:4c:ce:80:23:3b:3b:
+ df:85:8d:49:52:bb:11:07:c9:a1:44:d3:d3:f1:58:
+ 65:59:a5:4e:18:bb:bd:4f:7a:82:3f:24:91:88:4d:
+ 5f:35:a3:61:6c:b7:b5:2b:cf:ae:4d:13:93:96:ae:
+ f6:ce:fa:97:c3:12:24:6f:8c:bb:ff:ba:29:7b:ce:
+ 76:15:db:c9:42:6c:7e:d4:d4:af:2a:e6:71:95:b6:
+ 7a:60:4e:0b:a1:18:be:bf:37:79:48:82:fc:68:06:
+ da:17:11:0c:1d:31:5e:7d:00:fb:07:f1:a9:c0:d7:
+ da:c7:9f:98:7f:66:69:27:af:2c:40:b3:47:3a:46:
+ 0f:4f:96:8d:f4:32:89:c8:53:f7:80:55:9c:0d:c3:
+ c4:dc:cc:3d:bb:e9:17:34:db:19:d6:46:66:e6:c5:
+ 3a:11
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:84:A1:70:1D:0A:92:D3:CC
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 1d:1a:87:7d:11:0e:cc:cd:7f:6c:ed:21:1a:2c:35:de:09:b8:
+ c4:cf:0c:31:00:3d:f5:bd:d4:6e:f0:4f:7e:c2:8d:d6:c5:28:
+ ed:38:9d:d7:52:32:e2:8d:7b:64:c8:1d:4e:69:7e:49:5f:e1:
+ 5e:04:c7:d3:96:d2:63:ef:2c:35:4f:eb:08:2b:9d:b0:15:df:
+ 33:d8:1c:59:8e:bb:f1:28:4f:f0:85:bb:3c:56:e1:86:a4:75:
+ 2b:44:8a:1c:98:ae:94:f3:b6:76:a9:a3:e7:d6:bc:58:ef:fe:
+ 32:11:6f:76:5b:85:f8:14:91:83:2c:b6:20:a5:48:48:8b:6e:
+ ee:a8:6c:2b:12:18:94:3e:59:5e:a6:66:53:dc:40:b2:da:fd:
+ a4:5f:16:35:b6:20:2b:31:86:9b:91:55:b2:35:63:d2:47:bd:
+ 91:7e:43:bc:d6:0e:dc:95:1a:f0:8d:08:e5:66:cd:d1:0b:32:
+ d6:92:26:3e:78:e8:70:74:e1:14:64:b0:39:5d:7c:d0:28:23:
+ c7:83:53:02:90:fe:fc:9e:aa:9a:fb:c4:ef:9d:d5:22:f6:c1:
+ fd:e4:07:04:25:4f:8f:b2:13:6f:0d:51:cc:54:b4:38:d3:ac:
+ 31:aa:94:c5:d0:c8:5a:58:35:13:87:3e:f6:74:26:8c:2b:7d:
+ 6c:8e:36:a5
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..cb077627f1e169a87d2fb13f1eecacf7356ce8e4
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer
new file mode 100644
index 0000000000000000000000000000000000000000..58a4043c6364d6c7ca1c1e46ee66676000648888
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA1.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 8d:a0:d2:8a:ee:0b:cf:65
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+ Validity
+ Not Before: Mar 30 04:51:04 2017 GMT
+ Not After : Mar 28 04:51:04 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d7:d6:93:cd:5c:6a:67:3d:03:5c:c7:d4:5e:5e:
+ b8:db:70:79:08:a3:25:dc:75:76:e1:3b:44:e7:50:
+ 15:79:68:62:53:12:7e:7f:99:e0:ec:2b:be:98:d8:
+ a0:d5:c9:4f:c4:3b:68:d7:a5:a4:39:42:21:a7:53:
+ 36:3a:bc:a2:27:e9:ba:2a:4e:8b:f8:34:b6:30:06:
+ c5:4f:74:01:bf:c5:9c:ab:e6:ae:e9:e9:b9:c9:f1:
+ 64:63:e3:40:36:25:e3:9e:67:71:4c:82:54:6d:04:
+ 23:60:ad:87:84:0b:83:03:a7:61:78:d4:e5:71:b0:
+ 96:78:86:ea:1d:ab:de:1a:ae:a8:43:fe:18:c4:e3:
+ 48:34:e9:43:5a:d0:8f:bf:d9:d2:29:23:67:12:6a:
+ 62:02:e5:bd:cb:fc:32:b7:a2:5f:a0:23:0f:ce:3b:
+ 13:02:83:30:14:4a:37:87:ea:74:eb:ad:6d:61:51:
+ e4:8a:c7:43:4f:19:64:4b:5b:32:d0:db:2c:61:61:
+ c5:e5:b1:e7:4d:b8:a1:e8:bb:1f:e9:dc:49:06:5e:
+ 81:8f:6a:32:bb:b3:b2:25:2a:3f:42:3d:06:30:95:
+ 07:b3:df:b8:c2:2c:91:a8:bc:0a:ea:4e:bf:fc:87:
+ 17:eb:28:c7:59:3a:5e:5b:a7:ee:87:ea:e5:a1:e9:
+ a7:fb
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+ serial:F1:3B:B7:FB:28:3F:52:09
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ d3:ce:da:23:e1:7c:73:fb:7f:26:d7:a4:3c:7b:17:01:75:ce:
+ a5:bd:75:f1:65:1b:56:27:ae:f8:97:a6:c4:ca:94:93:c9:12:
+ bb:c7:ec:2b:d5:38:d5:43:3a:6c:c2:51:3a:79:2f:d7:4e:da:
+ 2d:12:1f:b8:c2:4f:c8:ba:33:d3:f5:0c:78:cc:26:69:24:47:
+ 3f:ed:17:a0:7f:d0:20:fe:11:ca:75:50:1a:61:e1:91:b5:fa:
+ 91:04:e9:14:59:77:d4:29:0f:43:19:e0:dc:dd:a6:18:14:f4:
+ 33:3e:f0:cb:36:7b:18:04:03:dd:be:35:41:c4:3e:65:d2:67:
+ 44:73:ab:7f:d1:b9:26:7e:b3:1e:d0:e4:a4:52:83:60:a9:e6:
+ e1:bf:62:bb:9b:16:0c:97:ad:11:1a:2f:eb:92:ca:7e:98:15:
+ 46:23:59:5d:26:d9:ec:57:85:51:5b:09:f1:9b:1b:d3:5d:53:
+ 02:67:1a:e4:24:49:67:87:04:75:66:13:56:1b:8b:a1:08:de:
+ c8:4b:f8:87:73:6e:c2:31:ee:f6:32:14:45:32:a3:3f:e4:b1:
+ 0f:23:28:29:b4:a3:86:65:4f:2e:57:ad:8f:44:77:f8:4b:ea:
+ 7b:9d:8e:dc:cb:07:ee:b4:78:46:db:cd:12:eb:ad:ef:9b:8f:
+ 22:ba:83:7b
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr6gAwIBAgIJAI2g0oruC89lMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTA0WhcNMjcwMzI4MDQ1MTA0WjBrMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEj
+MCEGA1UEAwwaSU5URVJfQ0FfU0hBMS1ST09UX0NBX1NIQTEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDX1pPNXGpnPQNcx9ReXrjbcHkIoyXcdXbhO0Tn
+UBV5aGJTEn5/meDsK76Y2KDVyU/EO2jXpaQ5QiGnUzY6vKIn6boqTov4NLYwBsVP
+dAG/xZyr5q7p6bnJ8WRj40A2JeOeZ3FMglRtBCNgrYeEC4MDp2F41OVxsJZ4huod
+q94arqhD/hjE40g06UNa0I+/2dIpI2cSamIC5b3L/DK3ol+gIw/OOxMCgzAUSjeH
+6nTrrW1hUeSKx0NPGWRLWzLQ2yxhYcXlsedNuKHoux/p3EkGXoGPajK7s7IlKj9C
+PQYwlQez37jCLJGovArqTr/8hxfrKMdZOl5bp+6H6uWh6af7AgMBAAGjgYowgYcw
+dwYDVR0jBHAwbqFhpF8wXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ0wCwYD
+VQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFTATBgNVBAMM
+DFJPT1RfQ0FfU0hBMYIJAPE7t/soP1IJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBANPO2iPhfHP7fybXpDx7FwF1zqW9dfFlG1YnrviXpsTKlJPJErvH
+7CvVONVDOmzCUTp5L9dO2i0SH7jCT8i6M9P1DHjMJmkkRz/tF6B/0CD+Ecp1UBph
+4ZG1+pEE6RRZd9QpD0MZ4NzdphgU9DM+8Ms2exgEA92+NUHEPmXSZ0Rzq3/RuSZ+
+sx7Q5KRSg2Cp5uG/YrubFgyXrREaL+uSyn6YFUYjWV0m2exXhVFbCfGbG9NdUwJn
+GuQkSWeHBHVmE1Ybi6EI3shL+IdzbsIx7vYyFEUyoz/ksQ8jKCm0o4ZlTy5XrY9E
+d/hL6nudjtzLB+60eEbbzRLrre+bjyK6g3s=
+-----END CERTIFICATE-----
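Review bot: The validity window of this fixture ends at `Not After : Mar 28 04:51:04 2027 GMT`, and every other certificate visible in this commit expires within seconds of it, so a test that validates these chains against the wall clock will start failing on that date for reasons unrelated to the restriction being tested. The consuming test is not visible here; if it does not pin the validation date, it should either do so or the fixtures should be issued with a much longer lifetime. Recording the generation commands (key size, digest per level, extensions) beside the fixtures would make regeneration reproducible, together with a note such as `Fixture certificates expire 2027-03-28; regenerate with <generation script placeholder> before then.`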
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..8997b5f69e009a74092ca9b262290cc25c46e144
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..440b9c35c57bc6315ec47cb373020e150e5a628d
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA1-ROOT_CA_SHA256.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 84:a1:70:1d:0a:92:d3:cd
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:03 2017 GMT
+ Not After : Mar 28 04:51:03 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA1-ROOT_CA_SHA256
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d6:37:af:2f:57:9e:c4:3e:a3:d9:0e:db:e2:db:
+ e3:48:e2:d7:f1:52:09:1a:58:95:db:aa:b2:ca:b8:
+ 02:42:f1:b7:df:f5:e7:59:a4:c5:c6:03:2a:8c:a4:
+ 30:eb:ec:c0:23:b3:fd:d3:0d:8a:55:69:66:0d:21:
+ de:62:c2:a6:a6:22:66:c1:2d:87:ff:2b:42:ce:91:
+ a5:fa:f9:3c:a8:81:aa:b0:c1:d3:55:af:24:79:79:
+ 87:06:5c:48:89:63:53:09:da:68:33:08:d7:86:27:
+ 4f:75:e2:ac:25:97:7c:64:8c:01:68:94:1e:a8:f5:
+ 0a:08:6c:b0:77:71:cb:65:d2:fc:3a:a0:0a:22:dd:
+ 32:96:43:12:7e:50:8e:bf:b8:1a:2d:5f:97:90:f7:
+ 3d:5b:fc:c0:ec:e8:f3:57:1c:1d:b6:8d:80:23:e2:
+ d3:9e:3c:c6:71:ab:b0:15:0b:04:c5:a5:66:c7:2b:
+ c8:f9:7e:d5:f1:a5:5a:14:e4:40:8d:1d:f2:00:1c:
+ ba:6b:26:a7:3f:94:a7:5f:ee:b3:32:7e:56:ec:8c:
+ 3f:27:57:b4:f0:63:e1:56:ed:67:ce:42:08:89:86:
+ 4d:0e:2b:75:5a:05:e4:ac:a2:fa:4e:3b:08:d2:e0:
+ ba:6c:6b:38:77:79:45:de:64:95:24:96:b6:2b:31:
+ f2:37
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:A3:52:9D:82:6F:DD:C6:1D
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:fb:b0:ab:a6:bb:3a:55:04:ed:5c:3b:ae:0c:0d:32:8f:aa:
+ ec:b7:24:2c:d5:37:b9:1f:91:64:21:c2:c0:6d:bc:d4:d4:5e:
+ e2:f1:12:ad:34:02:93:65:10:6c:93:93:2c:23:53:e8:ed:96:
+ c7:3b:6b:44:df:ff:24:8b:c1:cc:26:b2:1e:8f:26:66:34:3a:
+ bb:7d:ef:4e:a6:7e:b2:c8:93:c9:f7:46:5a:de:40:88:70:28:
+ c7:d1:fd:27:c3:99:fd:6a:a1:a5:e1:6d:c3:5a:bc:99:28:95:
+ e9:17:ed:a4:56:a5:04:ad:fb:74:a2:01:26:2a:5a:45:bc:7b:
+ 0d:df:0c:41:79:8b:b4:15:50:cd:88:ce:f5:a7:ee:cb:d2:5b:
+ 76:81:4c:1b:09:92:0e:e9:c6:42:df:b7:81:9e:89:3d:49:ed:
+ 17:fa:d2:2f:bd:8b:74:d5:cb:ce:af:46:6a:74:b3:34:a0:c5:
+ a0:64:66:7a:80:59:15:1e:de:16:df:11:3d:1e:96:e2:e5:2d:
+ f1:4d:20:f3:f6:f1:19:aa:ac:f8:b4:6e:76:a0:26:6c:cd:90:
+ f2:23:35:a0:8b:c8:e8:5d:27:5d:34:d3:69:74:61:c5:ac:6a:
+ 54:e9:86:8d:ca:ca:16:03:48:7f:cd:23:43:41:e2:77:3a:5d:
+ f2:3e:de:fa
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..e1388a1025114288cf4d9b975a3452c18cac55fc
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer
new file mode 100644
index 0000000000000000000000000000000000000000..3756ab2aeebab18b25d58645dc7124ffa8e2d0f8
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA1.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 8d:a0:d2:8a:ee:0b:cf:64
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+ Validity
+ Not Before: Mar 30 04:51:03 2017 GMT
+ Not After : Mar 28 04:51:03 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:e1:d7:67:16:b5:ae:07:d6:c6:3a:28:7c:9f:bf:
+ 14:89:93:52:48:50:07:b4:f0:91:66:1f:0b:ce:d0:
+ 46:fa:2d:19:8a:ae:ac:1b:5c:4c:86:b3:40:8f:1a:
+ 13:25:9e:6c:63:be:b7:d7:6c:a9:14:8e:87:58:f4:
+ 1c:b1:48:16:bb:cd:86:95:74:f0:c6:28:34:37:1e:
+ f3:f1:ca:36:74:9e:93:eb:1c:32:08:db:04:7e:d1:
+ 43:83:d1:fb:64:0d:b3:c7:59:01:41:b2:5d:0e:63:
+ fb:08:a5:1c:e2:85:84:61:f0:cc:02:ac:00:dd:cd:
+ ad:ef:1c:fa:cd:07:3d:ae:9a:e3:39:8e:73:76:d0:
+ 55:48:18:a8:46:30:66:e0:e5:e6:9c:90:19:a0:bd:
+ c6:96:4f:a0:56:07:ae:e2:61:15:95:47:02:f2:c1:
+ d4:84:fa:29:8e:21:2e:0f:ee:2b:e7:74:17:b5:0e:
+ 50:7e:cf:8a:01:99:b0:70:62:43:3e:e5:6c:91:df:
+ 24:f8:fa:cb:5d:07:2c:a7:9d:a2:fe:90:4c:6c:0b:
+ f4:d6:0f:0f:ac:13:d4:d0:52:8d:b3:a9:16:cd:23:
+ 58:fc:52:10:5a:41:9c:f5:a5:b5:f9:61:e1:8f:4e:
+ af:d9:d8:9f:04:1a:f3:f1:cf:a5:58:3e:69:03:c8:
+ c9:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+ serial:F1:3B:B7:FB:28:3F:52:09
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 24:74:94:0a:7d:81:62:16:ed:4e:0f:e2:19:06:bd:8b:7a:e4:
+ 35:63:4c:73:ec:3a:45:d7:2a:8c:80:e6:6b:d9:26:7d:78:9f:
+ 6b:36:f9:fd:94:f7:ac:86:3c:0e:95:66:80:f3:0b:93:0f:44:
+ 0a:05:76:d9:1d:c6:37:6f:ea:02:b9:29:e9:96:11:d1:e6:1e:
+ 70:95:31:77:22:ed:3c:96:ad:9f:74:8c:41:f5:44:47:a2:4e:
+ d4:58:86:92:31:36:94:90:05:9d:94:16:8c:f8:c8:18:7b:45:
+ dc:49:45:53:63:06:bb:c6:a9:33:72:fe:48:7b:0e:21:89:e2:
+ 6c:44:29:3c:10:65:c6:7d:8e:6c:cb:95:ea:a1:ae:3b:c1:12:
+ 98:ce:b9:c8:98:12:0d:ac:a7:bd:31:cc:aa:ac:51:b4:a7:33:
+ 5b:60:0d:d6:ed:e0:29:5a:29:f5:fc:e0:27:db:77:88:fd:59:
+ 0c:02:70:d8:f4:1d:89:88:13:94:55:5b:77:a3:a6:8e:18:9a:
+ b8:82:5b:64:27:8c:ef:10:6a:df:ed:fd:a4:b5:2b:44:0f:5f:
+ 89:08:15:48:df:b0:13:08:7c:08:cc:07:ea:b8:a6:17:ab:35:
+ 65:07:2c:b9:ec:9a:d0:1f:e7:b9:a7:36:9e:24:f7:73:10:e0:
+ 70:6c:78:6e
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..e01b5aed2cd62b247c87c2fd18509118a8160705
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..8c7e21cc629cabf7b40a846d4410889ddb598d26
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/INTER_CA_SHA256-ROOT_CA_SHA256.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 84:a1:70:1d:0a:92:d3:cc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:02 2017 GMT
+ Not After : Mar 28 04:51:02 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=INTER_CA_SHA256-ROOT_CA_SHA256
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:db:5d:ba:89:c1:38:ac:73:7c:05:67:a3:18:5a:
+ 89:cd:c4:cb:16:05:f3:5f:c0:50:7f:28:b4:1f:11:
+ f6:7e:a6:1b:d1:78:e4:6f:25:9e:65:55:3f:f5:81:
+ 35:6c:e7:f4:21:44:45:34:a9:6e:3c:3b:1c:8c:35:
+ 72:a0:91:c0:59:18:b9:11:bd:59:43:68:e1:1c:6d:
+ 32:03:6b:83:d8:7f:ba:e7:b1:3b:54:f0:35:98:bb:
+ 2a:aa:99:e0:67:27:65:62:28:9d:d9:18:0e:f9:d1:
+ cb:66:66:c0:d9:95:67:70:13:98:82:a9:7d:e1:03:
+ fa:5f:1c:6b:be:08:d8:96:da:35:92:ba:5a:28:91:
+ d2:0f:a9:d2:5e:2e:2c:20:9e:7b:66:e6:d6:45:c6:
+ 86:7d:84:3d:61:27:cf:22:46:a9:aa:a5:2e:23:a1:
+ 85:cf:c5:43:71:7c:9e:3d:37:1e:22:45:fa:f1:ec:
+ 7a:72:51:58:37:8b:94:36:ab:f0:15:b9:54:b0:6d:
+ b3:df:35:a4:2b:1b:bd:55:11:b2:b4:2b:b1:23:b4:
+ bf:06:c3:c0:c2:4b:c1:af:af:40:29:22:96:9b:03:
+ ae:38:06:e7:96:03:db:24:8e:7b:3d:96:f7:d2:b8:
+ 7e:fa:63:97:b6:9c:71:89:88:ec:fb:2d:63:05:57:
+ 6e:0b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:A3:52:9D:82:6F:DD:C6:1D
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 3f:f2:91:96:59:da:c1:8a:8c:4d:eb:25:1f:74:87:6f:fc:2e:
+ 92:7e:44:ff:a7:0b:78:aa:6d:2b:fe:b8:0a:b9:e9:bc:19:87:
+ 44:15:e1:3a:e4:54:e6:4b:54:3c:75:d9:f8:c9:07:83:74:f4:
+ 4c:ab:e4:6b:19:64:b6:4b:69:44:6e:74:f6:66:cf:16:43:8f:
+ 9c:cb:20:e4:7a:5e:78:13:00:6f:28:78:8d:c5:05:46:a9:92:
+ 0f:d0:38:c3:8b:0e:39:d4:87:e9:ee:35:07:78:dd:1a:1a:8c:
+ 3a:36:56:4e:3b:96:7a:d1:2c:29:95:06:29:ac:b2:f7:5c:fc:
+ 09:1c:72:24:e2:9e:72:bf:60:3a:7a:9b:59:35:48:6a:d2:3e:
+ 76:7f:ad:41:45:a5:6f:93:96:10:c4:4c:cf:3f:f1:1d:00:5f:
+ d1:60:f1:88:86:d8:ef:ff:72:63:8f:4c:df:9e:35:cb:17:2c:
+ 16:7b:d4:6c:0e:67:b6:ee:bc:68:07:b0:99:df:c5:f3:88:28:
+ a1:46:bb:6d:f5:2c:45:6b:e9:90:c0:78:35:20:73:14:5a:d0:
+ a5:56:cb:04:f4:43:a7:cf:28:f5:a3:5b:ac:f2:a3:4c:f6:39:
+ 3c:ef:f4:b1:42:20:8e:2a:14:0d:a1:b4:38:b2:f2:6c:14:33:
+ 05:04:bb:a7
+-----BEGIN CERTIFICATE-----
+MIID3jCCAsagAwIBAgIJAIShcB0KktPMMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRcwFQYDVQQDDA5ST09UX0NBX1NIQTI1NjAeFw0xNzAz
+MzAwNDUxMDJaFw0yNzAzMjgwNDUxMDJaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3JnMQ0wCwYDVQQLDARKYXZh
+MScwJQYDVQQDDB5JTlRFUl9DQV9TSEEyNTYtUk9PVF9DQV9TSEEyNTYwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbXbqJwTisc3wFZ6MYWonNxMsWBfNf
+wFB/KLQfEfZ+phvReORvJZ5lVT/1gTVs5/QhREU0qW48OxyMNXKgkcBZGLkRvVlD
+aOEcbTIDa4PYf7rnsTtU8DWYuyqqmeBnJ2ViKJ3ZGA750ctmZsDZlWdwE5iCqX3h
+A/pfHGu+CNiW2jWSulookdIPqdJeLiwgnntm5tZFxoZ9hD1hJ88iRqmqpS4joYXP
+xUNxfJ49Nx4iRfrx7HpyUVg3i5Q2q/AVuVSwbbPfNaQrG71VEbK0K7EjtL8Gw8DC
+S8Gvr0ApIpabA644BueWA9skjns9lvfSuH76Y5e2nHGJiOz7LWMFV24LAgMBAAGj
+gYwwgYkweQYDVR0jBHIwcKFjpGEwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+MQ0wCwYDVQQHDARDaXR5MQwwCgYDVQQKDANPcmcxDTALBgNVBAsMBEphdmExFzAV
+BgNVBAMMDlJPT1RfQ0FfU0hBMjU2ggkAo1Kdgm/dxh0wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAP/KRllnawYqMTeslH3SHb/wukn5E/6cLeKptK/64
+CrnpvBmHRBXhOuRU5ktUPHXZ+MkHg3T0TKvkaxlktktpRG509mbPFkOPnMsg5Hpe
+eBMAbyh4jcUFRqmSD9A4w4sOOdSH6e41B3jdGhqMOjZWTjuWetEsKZUGKayy91z8
+CRxyJOKecr9gOnqbWTVIatI+dn+tQUWlb5OWEMRMzz/xHQBf0WDxiIbY7/9yY49M
+3541yxcsFnvUbA5ntu68aAewmd/F84gooUa7bfUsRWvpkMB4NSBzFFrQpVbLBPRD
+p88o9aNbrPKjTPY5PO/0sUIgjioUDaG0OLLybBQzBQS7pw==
+-----END CERTIFICATE-----
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..c56e9f1bdaeaf05ef7b8728e8a5c5763e1260988
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer
new file mode 100644
index 0000000000000000000000000000000000000000..490d03b0a7841e831f670c9f6b16c6c24d315caf
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA1.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f1:3b:b7:fb:28:3f:52:09
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+ Validity
+ Not Before: Mar 30 04:51:01 2017 GMT
+ Not After : Mar 28 04:51:01 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:e1:44:ec:aa:61:9e:54:75:02:74:c4:97:46:e0:
+ 1f:9a:5c:f1:db:20:a5:74:c3:90:2f:27:ba:f8:4a:
+ eb:c8:27:fe:29:12:65:7a:7c:85:37:fb:80:af:37:
+ 6b:17:2b:35:be:d0:3a:69:38:1c:fd:f4:e7:ba:d7:
+ d8:df:30:0c:79:b7:4a:4a:1e:4c:21:e4:9d:1b:76:
+ e2:df:d6:4f:37:96:6f:02:be:85:f5:6b:d9:58:63:
+ a1:11:e1:8f:30:5a:d4:dc:1c:6d:35:ea:89:e5:f0:
+ bc:6a:41:5a:a5:a9:b9:3d:ce:c6:cd:8a:9b:d6:c6:
+ 2a:48:40:e8:33:ab:b0:e6:4d:74:36:1e:bc:74:b6:
+ 0e:03:44:e9:60:c2:e6:ab:3c:15:9c:66:3a:ba:74:
+ 6d:3d:9c:8d:04:cd:26:3f:5a:2b:3a:d7:d2:ff:ea:
+ c7:42:c4:61:61:be:72:74:61:b5:0b:bc:8a:9d:47:
+ 62:7a:df:c2:84:3b:ea:f1:d5:15:c3:eb:a2:6a:73:
+ 42:a1:9c:66:4b:7f:b3:53:61:f4:e5:63:4c:c8:30:
+ 71:3c:a0:c9:09:3d:d1:fd:b4:f2:9b:c9:73:17:86:
+ 21:bf:bb:9c:7c:d5:17:09:c5:3e:20:2e:2e:5f:ab:
+ 6c:ab:bc:cb:1a:50:2d:77:6e:72:49:9e:91:4d:cb:
+ a5:d3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA1
+ serial:F1:3B:B7:FB:28:3F:52:09
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha1WithRSAEncryption
+ 0b:be:7b:c7:53:14:87:37:02:66:37:f5:6f:38:3c:75:b3:72:
+ f6:f8:9c:77:4d:9a:e4:5c:23:3a:4a:5f:aa:6e:90:23:e9:b8:
+ 48:fd:6d:e1:88:b5:a2:a5:0a:30:c0:7d:33:a8:6f:79:42:52:
+ 80:f8:87:4b:2a:15:0a:ff:14:88:97:21:12:89:1c:d3:33:bf:
+ fa:4f:5e:68:9a:c6:69:2f:aa:1d:31:aa:80:f5:b0:d3:72:c9:
+ fa:ce:3b:5f:15:a6:61:e0:f1:d1:ab:e7:40:48:c1:d4:30:bd:
+ 0a:13:37:0d:ea:ac:38:b2:af:1b:78:3a:29:53:ee:90:71:3b:
+ 2b:a4:8b:16:e9:da:94:59:44:3d:7f:34:fb:0a:d1:6b:db:3d:
+ 66:01:a6:0f:98:b5:cc:57:39:b9:09:f2:01:cc:e5:89:86:7d:
+ f2:9a:b2:ad:08:3d:da:05:f9:24:1e:30:98:cc:92:a9:4c:4a:
+ cf:a3:53:6e:7f:5e:db:aa:43:9c:ac:b1:b5:80:ab:7e:a3:89:
+ 71:37:c2:4a:c1:16:9d:26:d5:70:89:8a:8e:a8:cb:40:3b:b8:
+ f0:d2:31:54:c2:1f:fc:24:5e:29:c1:5e:86:48:1e:83:4e:44:
+ 30:ff:8d:46:47:b6:0e:9c:77:bf:ba:08:8b:bd:eb:b7:ca:45:
+ 0a:e3:0c:ec
+-----BEGIN CERTIFICATE-----
+MIIDyDCCArCgAwIBAgIJAPE7t/soP1IJMA0GCSqGSIb3DQEBBQUAMF0xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoGA1UECgwDT3Jn
+MQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTEwHhcNMTcwMzMw
+MDQ1MTAxWhcNMjcwMzI4MDQ1MTAxWjBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExDTALBgNVBAcMBENpdHkxDDAKBgNVBAoMA09yZzENMAsGA1UECwwESmF2YTEV
+MBMGA1UEAwwMUk9PVF9DQV9TSEExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4UTsqmGeVHUCdMSXRuAfmlzx2yCldMOQLye6+ErryCf+KRJlenyFN/uA
+rzdrFys1vtA6aTgc/fTnutfY3zAMebdKSh5MIeSdG3bi39ZPN5ZvAr6F9WvZWGOh
+EeGPMFrU3BxtNeqJ5fC8akFapam5Pc7GzYqb1sYqSEDoM6uw5k10Nh68dLYOA0Tp
+YMLmqzwVnGY6unRtPZyNBM0mP1orOtfS/+rHQsRhYb5ydGG1C7yKnUdiet/ChDvq
+8dUVw+uianNCoZxmS3+zU2H05WNMyDBxPKDJCT3R/bTym8lzF4Yhv7ucfNUXCcU+
+IC4uX6tsq7zLGlAtd25ySZ6RTcul0wIDAQABo4GKMIGHMHcGA1UdIwRwMG6hYaRf
+MF0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UEBwwEQ2l0eTEMMAoG
+A1UECgwDT3JnMQ0wCwYDVQQLDARKYXZhMRUwEwYDVQQDDAxST09UX0NBX1NIQTGC
+CQDxO7f7KD9SCTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQALvnvH
+UxSHNwJmN/VvODx1s3L2+Jx3TZrkXCM6Sl+qbpAj6bhI/W3hiLWipQowwH0zqG95
+QlKA+IdLKhUK/xSIlyESiRzTM7/6T15omsZpL6odMaqA9bDTcsn6zjtfFaZh4PHR
+q+dASMHUML0KEzcN6qw4sq8beDopU+6QcTsrpIsW6dqUWUQ9fzT7CtFr2z1mAaYP
+mLXMVzm5CfIBzOWJhn3ymrKtCD3aBfkkHjCYzJKpTErPo1Nuf17bqkOcrLG1gKt+
+o4lxN8JKwRadJtVwiYqOqMtAO7jw0jFUwh/8JF4pwV6GSB6DTkQw/41GR7YOnHe/
+ugiLveu3ykUK4wzs
+-----END CERTIFICATE-----
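Review bot: This root carries a fixed validity window (`Not After : Mar 28 04:51:01 2027 GMT`), so any test that validates a chain through ROOT_CA_SHA1 against the wall clock will start failing on that date. ROOT_CA_SHA256.cer in the next file section has the same dates. Whether the test pins its validation time is not visible from this hunk; if it does not, the expiry should at least be recorded next to the fixtures. The matching `-PRIV.key` files are committed in the same directory, so these CA keys are public and the roots must stay confined to the test's own trust store. I would add a short note beside the certs such as `Test-only CAs: private keys are published here; certificates expire 2027-03-28 and must be regenerated before then.`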
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key
new file mode 100644
index 0000000000000000000000000000000000000000..4c53e23e8ab1c9ab31727d794946674a88b47dfc
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256-PRIV.key
@@ -0,0 +1,26 @@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
diff --git a/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer
new file mode 100644
index 0000000000000000000000000000000000000000..09d0dbd7f5c872cc0b9ce34f05946a236c1720bc
--- /dev/null
+++ b/test/sun/security/ssl/CertPathRestrictions/certs/ROOT_CA_SHA256.cer
@@ -0,0 +1,80 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ a3:52:9d:82:6f:dd:c6:1d
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+ Validity
+ Not Before: Mar 30 04:51:01 2017 GMT
+ Not After : Mar 28 04:51:01 2027 GMT
+ Subject: C=US, ST=CA, L=City, O=Org, OU=Java, CN=ROOT_CA_SHA256
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b6:0f:3a:c8:5e:db:37:86:e2:2c:76:d5:fe:65:
+ b6:3a:45:1e:7f:4b:8c:97:52:cd:e3:25:77:38:99:
+ b2:13:2e:7e:cf:3b:54:15:05:3e:76:f0:d6:55:3a:
+ ee:a3:53:15:ec:3d:3a:53:83:58:e0:ad:eb:21:e8:
+ f7:2f:d4:b3:63:ed:b3:f7:d2:e3:d7:86:6c:9a:c2:
+ 04:15:52:02:d3:1b:25:34:f8:95:8b:26:ba:54:ed:
+ c1:0e:4c:ae:1f:fe:3e:7c:03:e5:07:2f:6e:79:7c:
+ ce:d3:07:71:2f:22:3d:80:77:53:00:63:02:2f:55:
+ 99:c0:5c:f4:85:b7:bd:98:1b:3d:79:76:86:22:7b:
+ 0a:7c:75:35:dc:5f:84:ec:16:2b:02:6f:2a:45:8a:
+ 45:b1:a5:72:05:aa:35:6a:6c:05:31:f1:f6:20:43:
+ 17:cf:58:5c:38:1d:b5:6f:a3:73:6e:d4:ba:b2:a6:
+ cc:00:7e:c9:87:77:6b:f9:9c:cb:fc:c2:40:1c:3c:
+ 6e:5d:21:81:c0:08:df:6b:90:f2:cc:a1:43:54:70:
+ 12:e7:e9:07:48:52:b8:64:ed:d9:5d:46:54:74:4d:
+ 64:fe:56:d4:4b:29:55:a5:1a:43:24:f6:b4:4a:f9:
+ 19:ec:90:d4:ae:3e:0f:1f:8d:bf:d8:80:cd:26:e6:
+ 9d:09
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ DirName:/C=US/ST=CA/L=City/O=Org/OU=Java/CN=ROOT_CA_SHA256
+ serial:A3:52:9D:82:6F:DD:C6:1D
+
+ X509v3 Basic Constraints:
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 6f:2f:a4:56:d5:58:6d:20:74:6b:66:b7:41:eb:c2:8c:56:2e:
+ 1b:51:79:b0:07:a6:63:28:8b:20:40:b9:72:4b:f5:e0:6b:18:
+ 39:5b:b4:ae:50:58:25:81:86:e3:19:ec:b1:dd:fb:5c:f5:d4:
+ a8:7d:a0:50:46:ac:1e:80:dc:cc:aa:0c:61:f8:a3:41:af:03:
+ 35:a4:02:4f:23:c7:5c:36:26:90:fe:51:07:58:0f:e7:14:26:
+ 34:c2:a7:bd:f2:34:33:cf:67:e4:2d:82:b6:e8:94:85:d6:8b:
+ 01:6f:ba:3d:78:f6:db:3d:dc:ba:6e:6d:83:fa:ea:d0:60:ab:
+ 1b:ad:9b:e2:ba:e3:e3:9f:26:5b:9a:c7:fb:9f:c1:7d:cc:0b:
+ cf:23:e0:ac:e1:e4:09:08:84:98:d4:6e:16:34:a5:5e:74:d5:
+ a8:61:e1:65:f7:9a:51:9f:f0:9f:86:65:ce:4f:b8:b6:64:7d:
+ 86:62:21:ec:71:50:70:ca:6b:2e:74:12:51:b1:68:b0:4a:66:
+ 19:60:e9:f8:b0:bf:6e:d8:ad:75:29:c3:31:13:73:01:3d:d5:
+ d4:5b:c2:60:bb:c4:c8:e6:29:cf:a3:49:65:8d:c2:1d:7d:c9:
+ 75:33:9b:97:73:38:99:5c:7d:b3:9f:b0:be:0d:f4:6a:c6:19:
+ 8d:98:a1:ca
+-----BEGIN CERTIFICATE-----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
+-----END CERTIFICATE-----