# HG changeset patch # User Andrew John Hughes # Date 1462332270 -3600 # Node ID 06179516eff23cd082e78677abf74fdfe4a7d0be # Parent 49231b25f344a5863b73381992aab708baaaea08 Update to build against the b39 tarball & April 2016 security fixes. Upstream changes: - S4459600: java -jar fails to run Main-Class if classname followed by whitespace. - S4963723: Implement SHA-224 - S6378099: RFE: Use libfontconfig to create/synthesise a fontconfig.properties - S6414899: P11Digest should support cloning - S6452854: Provide a flag to print the java configuration - S6578658: Request for raw RSA (NONEwithRSA) Signature support in SunMSCAPI - S6604496: Support for CKM_AES_CTR (counter mode) - S6742159: (launcher) improve the java launching mechanism - S6752622: java.awt.Font.getPeer throws "java.lang.InternalError: Not implemented" on Linux - S6753664: Support SHA256 (and higher) in SunMSCAPI - S6758881: (launcher) needs to throw NoClassDefFoundError instead of JavaRuntimeException - S6812738: SSL stress test with GF leads to 32 bit max process size in less than 5 minutes with PCKS11 provider - S6856415: Enabling java security manager will make program thrown wrong exception ( main method not found ) - S6892493: potential memory leaks in 2D font code indentified by parfait. - S6924489: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED - S6925851: Localize JRE into pt_BR - S6956398: make ephemeral DH key match the length of the certificate key - S6968053: (launcher) hide exceptions under certain launcher failures - S6977738: Deadlock between java.lang.ClassLoader and java.util.Properties - S6981001: (launcher) EnsureJREInstallation is not being called in order - S7017734: jdk7 message drop 1 translation integration - S7026184: (launcher) Regression: class with unicode name can't be launched by java. - S7033170: Cipher.getMaxAllowedKeyLength(String) throws NoSuchAlgorithmException - S7044060: Need to support NSA Suite B Cryptography algorithms - S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu - S7106773: 512 bits RSA key cannot work with SHA384 and SHA512 - S7125442: jar application located in two bytes character named folder cannot be run with JRE 7 u1/u2 - S7127906: (launcher) convert the launcher regression tests to java - S7141141: Add 3 new test scenarios for testing Main-Class attribute in jar manifest file - S7158988: jvm crashes while debugging on x86_32 and x86_64 - S7189944: (launcher) test/tools/launcher/Arrrrghs.java needs a couple of minor fixes - S7193318: C2: remove number of inputs requirement from Node's new operator - S8002116: This JdbReadTwiceTest.sh gets an exit 1 - S8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true - S8006935: Need to take care of long secret keys in HMAC/PRF compuation - S8023990: Regression: postscript size increase from 6u18 - S8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events. - S8028537: PPC64: Updated the JDK regression tests to run on AIX - S8036132: Tab characters in test/com/sun/jdi files - S8038963: com/sun/jdi tests fail because cygwin's ps sometimes misses processes - S8039921: SHA1WithDSA with key > 1024 bits not working - S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root - S8059661: Test SoftReference and OOM behavior - S8067364: Printing to Postscript doesn't support dieresis - S8072753: Nondeterministic wrong answer on arithmetic - S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME - S8074146: [TEST_BUG] jdb has succeded to read an unreadable file - S8075584: test for 8067364 depends on hardwired text advance - S8087120: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms. - S8129952: Ensure thread consistency - S8132051: Better byte behavior - S8134297: NPE in GSSNameElement nameType check - S8134650: Xsl transformation gives different results in 8u66 - S8138593: Make DSA more fair - S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c - S8143002: [Parfait] JNI exception pending in fontpath.c:1300 - S8143167: Better buffering of XML strings - S8144430: Improve JMX connections - S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again - S8146494: Better ligature substitution - S8146498: Better device table adjustments - S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor - S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051 - S8148446: (tz) Support tzdata2016a - S8148475: Missing SA Bytecode updates. - S8149170: Better byte behavior for native arguments - S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo - S8150012: Better byte behavior for reflection - S8150790: 8u75 L10n resource file translation update - S8154210: Zero: Better byte behaviour - S8155261: Zero broken since HS23 update - S8155699: Resolve issues created by backports in OpenJDK 6 b39 - S8155699: Resolve issues created by backports in OpenJDK 6 b39, part 2 - S8155746: Sync Windows export list in make/java/jli/Makefile with make/java/jli/mapfile-vers ChangeLog: 2016-05-03 Andrew John Hughes * Makefile.am: (OPENJDK_DATE): Bump to b39 creation date; 3rd of May, 2016. (OPENJDK_SHA256SUM): Update for b39 tarball. 2016-05-03 Andrew John Hughes * patches/openjdk/8039921-sha1_1024plus.patch: Remove further b39 patch missed in earlier batch. 2016-05-03 Andrew John Hughes * patches/openjdk/4963723-implement_sha-224.patch, * patches/openjdk/6578658-sunmscapi_nonewithrsa.patch, * patches/openjdk/6753664-sunmscapi_sha-256.patch, * patches/openjdk/6956398-ephemeraldhkeysize.patch, * patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch, * patches/openjdk/7044060-support_nsa_suite_b.patch, * patches/openjdk/7106773-512_bits_rsa.patch, * patches/openjdk/8006935-long_keys_in_hmac_prf.patch, * patches/openjdk/8087120-zero_gcc5.patch, * patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch, * patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch, * patches/openjdk/p11cipher-6812738-native_cleanup.patch, * patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch, * patches/pr2486-768_dh.patch, * patches/pr2488-1024_dh.patch: Remove patches upstreamed in b39. * Makefile.am: (ICEDTEA_PATCHES): Remove above patches. * NEWS: Updated. * patches/openjdk/7170638-systemtap.patch: Regenerated due to copyright header change in jni.cpp. 2016-05-03 Andrew John Hughes * patches/hotspot/hs23/zero_fixes.patch: Remove fragments upstreamed in 8155261. * patches/hotspot/hs23/zero_hs22.patch: Likewise. 2016-01-29 Andrew John Hughes * Makefile.am: (OPENJDK_VERSION): Bump to next release, b39. diff -r 49231b25f344 -r 06179516eff2 ChangeLog --- a/ChangeLog Wed May 04 02:55:09 2016 +0100 +++ b/ChangeLog Wed May 04 04:24:30 2016 +0100 @@ -1,3 +1,51 @@ +2016-05-03 Andrew John Hughes + + * Makefile.am: + (OPENJDK_DATE): Bump to b39 creation date; + 3rd of May, 2016. + (OPENJDK_SHA256SUM): Update for b39 tarball. + +2016-05-03 Andrew John Hughes + + * patches/openjdk/8039921-sha1_1024plus.patch: + Remove further b39 patch missed in earlier batch. + +2016-05-03 Andrew John Hughes + + * patches/openjdk/4963723-implement_sha-224.patch, + * patches/openjdk/6578658-sunmscapi_nonewithrsa.patch, + * patches/openjdk/6753664-sunmscapi_sha-256.patch, + * patches/openjdk/6956398-ephemeraldhkeysize.patch, + * patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch, + * patches/openjdk/7044060-support_nsa_suite_b.patch, + * patches/openjdk/7106773-512_bits_rsa.patch, + * patches/openjdk/8006935-long_keys_in_hmac_prf.patch, + * patches/openjdk/8087120-zero_gcc5.patch, + * patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch, + * patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch, + * patches/openjdk/p11cipher-6812738-native_cleanup.patch, + * patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch, + * patches/pr2486-768_dh.patch, + * patches/pr2488-1024_dh.patch: + Remove patches upstreamed in b39. + * Makefile.am: + (ICEDTEA_PATCHES): Remove above patches. + * NEWS: Updated. + * patches/openjdk/7170638-systemtap.patch: + Regenerated due to copyright header change in jni.cpp. + +2016-05-03 Andrew John Hughes + + * patches/hotspot/hs23/zero_fixes.patch: + Remove fragments upstreamed in 8155261. + * patches/hotspot/hs23/zero_hs22.patch: + Likewise. + +2016-01-29 Andrew John Hughes + + * Makefile.am: + (OPENJDK_VERSION): Bump to next release, b39. + 2016-05-03 Andrew John Hughes PR2887: Location of 'stap' executable is hard-coded diff -r 49231b25f344 -r 06179516eff2 Makefile.am --- a/Makefile.am Wed May 04 02:55:09 2016 +0100 +++ b/Makefile.am Wed May 04 04:24:30 2016 +0100 @@ -1,8 +1,8 @@ # Dependencies -OPENJDK_DATE = 20_jan_2016 -OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257 -OPENJDK_VERSION = b38 +OPENJDK_DATE = 03_may_2016 +OPENJDK_SHA256SUM = d11dc2ababe88e7891f1abbd7fa4fe033a65dea22c071331a641374b3247717f +OPENJDK_VERSION = b39 OPENJDK_URL = https://java.net/downloads/openjdk6/ CACAO_VERSION = 68fe50ac34ec @@ -465,11 +465,7 @@ patches/remove_multicatch_in_testrsa.patch \ patches/openjdk/p11cipher-6682411-fix_indexoutofboundsexception.patch \ patches/openjdk/p11cipher-6682417-fix_decrypted_data_not_multiple_of_blocks.patch \ - patches/openjdk/p11cipher-6812738-native_cleanup.patch \ patches/openjdk/p11cipher-6687725-throw_illegalblocksizeexception.patch \ - patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch \ - patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch \ - patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch \ patches/traceable.patch \ patches/pr1319-support_giflib_5.patch \ patches/openjdk/6718364-inference_failure.patch \ @@ -581,15 +577,8 @@ patches/shark_fixes_from_8003868.patch \ patches/8003992_support_6.patch \ patches/shark-drop_compile_method_arg_following_7083786.patch \ - patches/openjdk/4963723-implement_sha-224.patch \ patches/openjdk/7180907-jarsigner_sha-256.patch \ patches/openjdk/8049480-jarsigner_openjdk_9.patch \ - patches/openjdk/6753664-sunmscapi_sha-256.patch \ - patches/openjdk/6578658-sunmscapi_nonewithrsa.patch \ - patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch \ - patches/openjdk/7044060-support_nsa_suite_b.patch \ - patches/openjdk/8006935-long_keys_in_hmac_prf.patch \ - patches/openjdk/7106773-512_bits_rsa.patch \ patches/pr1904-icedtea_and_distro_versioning.patch \ patches/openjdk/8017173-xml_cipher_rsa_oaep_cant_be_instantiated.patch \ patches/openjdk/8000897-pr2173-vm_crash_in_compilebroker.patch \ @@ -605,7 +594,6 @@ patches/pr2226-support_future_giflib_6_and_up.patch \ patches/openjdk/4890063-hprof_truncation.patch \ patches/openjdk/6562615-compiler_warnings.patch \ - patches/openjdk/6956398-ephemeraldhkeysize.patch \ patches/openjdk/6989466-compiler_warnings.patch \ patches/openjdk/6991580-ipv6_nameservers.patch \ patches/openjdk/7007905-javazic_line_numbers.patch \ @@ -615,7 +603,6 @@ patches/openjdk/7133138-timezone_io_improvement.patch \ patches/openjdk/8011709-canonshaping_memory_leak.patch \ patches/openjdk/8023052-jvm_crash_in_native_layout.patch \ - patches/openjdk/8039921-sha1_1024plus.patch \ patches/openjdk/8041451-ldap_read_timeout_abandon.patch \ patches/openjdk/8042855-indiclayoutengine_null_dereference.patch \ patches/openjdk/7094377-ldaps_timeout.patch \ @@ -627,12 +614,9 @@ patches/openjdk/8074761-ldap_empty_optional_params.patch \ patches/openjdk/8078654-closettfontfilefunc.patch \ patches/openjdk/8081315-giflib_interlacing.patch \ - patches/openjdk/8087120-zero_gcc5.patch \ patches/pr2319-policy_jar_checksum.patch \ patches/pr2460-policy_jar_timestamp.patch \ patches/pr2481_sysconfig_clock_spaces.patch \ - patches/pr2486-768_dh.patch \ - patches/pr2488-1024_dh.patch \ patches/openjdk/6440786-pr363-zero_entry_zips.patch \ patches/openjdk/6763122-no_zipfile_ctor_exception.patch \ patches/openjdk/6599383-pr363-large_zip_files.patch \ diff -r 49231b25f344 -r 06179516eff2 NEWS --- a/NEWS Wed May 04 02:55:09 2016 +0100 +++ b/NEWS Wed May 04 04:24:30 2016 +0100 @@ -14,6 +14,68 @@ New in release 1.13.11 (2016-04-XX): +* Security fixes + - S8129952, CVE-2016-0686: Ensure thread consistency + - S8132051, CVE-2016-0687: Better byte behavior + - S8138593, CVE-2016-0695: Make DSA more fair + - S8139008: Better state table management + - S8143167, CVE-2016-3425: Better buffering of XML strings + - S8144430, CVE-2016-3427: Improve JMX connections + - S8146494: Better ligature substitution + - S8146498: Better device table adjustments +* Import of OpenJDK6 b38 + - S4459600: java -jar fails to run Main-Class if classname followed by whitespace. + - S6378099: RFE: Use libfontconfig to create/synthesise a fontconfig.properties + - S6452854: Provide a flag to print the java configuration + - S6742159: (launcher) improve the java launching mechanism + - S6752622: java.awt.Font.getPeer throws "java.lang.InternalError: Not implemented" on Linux + - S6758881: (launcher) needs to throw NoClassDefFoundError instead of JavaRuntimeException + - S6856415: Enabling java security manager will make program thrown wrong exception ( main method not found ) + - S6892493: potential memory leaks in 2D font code indentified by parfait. + - S6925851: Localize JRE into pt_BR (corba) + - S6968053: (launcher) hide exceptions under certain launcher failures + - S6977738: Deadlock between java.lang.ClassLoader and java.util.Properties + - S6981001: (launcher) EnsureJREInstallation is not being called in order + - S7017734: jdk7 message drop 1 translation integration + - S7026184: (launcher) Regression: class with unicode name can't be launched by java. + - S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu + - S7125442: jar application located in two bytes character named folder cannot be run with JRE 7 u1/u2 + - S7127906: (launcher) convert the launcher regression tests to java + - S7141141: Add 3 new test scenarios for testing Main-Class attribute in jar manifest file + - S7158988: jvm crashes while debugging on x86_32 and x86_64 + - S7189944: (launcher) test/tools/launcher/Arrrrghs.java needs a couple of minor fixes + - S7193318: C2: remove number of inputs requirement from Node's new operator + - S8002116: This JdbReadTwiceTest.sh gets an exit 1 + - S8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true + - S8023990: Regression: postscript size increase from 6u18 + - S8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events. + - S8028537: PPC64: Updated the JDK regression tests to run on AIX + - S8036132: Tab characters in test/com/sun/jdi files + - S8038963: com/sun/jdi tests fail because cygwin's ps sometimes misses processes + - S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root + - S8059661: Test SoftReference and OOM behavior + - S8067364: Printing to Postscript doesn't support dieresis + - S8072753: Nondeterministic wrong answer on arithmetic + - S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME + - S8074146: [TEST_BUG] jdb has succeded to read an unreadable file + - S8075584: test for 8067364 depends on hardwired text advance + - S8134297: NPE in GSSNameElement nameType check + - S8134650: Xsl transformation gives different results in 8u66 + - S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c + - S8143002: [Parfait] JNI exception pending in fontpath.c:1300 + - S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again + - S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor + - S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051 + - S8148446: (tz) Support tzdata2016a + - S8148475: Missing SA Bytecode updates. + - S8149170: Better byte behavior for native arguments + - S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo + - S8150012: Better byte behavior for reflection + - S8150790: 8u75 L10n resource file translation update + - S8154210: Zero: Better byte behaviour + - S8155261: Zero broken since HS23 update + - S8155699: Resolve issues created by backports in OpenJDK 6 b39 + - S8155746: Sync Windows export list in make/java/jli/Makefile with make/java/jli/mapfile-vers * Backports - S6863746, PR2951: javap should not scan ct.sym by default - S8071705, PR2820, RH1182694: Java application menu misbehaves when running multiple screen stacked vertically diff -r 49231b25f344 -r 06179516eff2 patches/hotspot/hs23/zero_fixes.patch --- a/patches/hotspot/hs23/zero_fixes.patch Wed May 04 02:55:09 2016 +0100 +++ b/patches/hotspot/hs23/zero_fixes.patch Wed May 04 04:24:30 2016 +0100 @@ -1,60 +1,6 @@ -# HG changeset patch -# User andrew -# Date 1346354667 -3600 -# Thu Aug 30 20:24:27 2012 +0100 -# Node ID 2a413d946cb1acdcbe1110098f79b7a1f267bf75 -# Parent 3e0087ab5e924827bc198557c8e4e5b1c4ff1fa3 -Fix Zero FTBFS issues - -diff --git a/src/cpu/zero/vm/assembler_zero.cpp b/src/cpu/zero/vm/assembler_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/assembler_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/assembler_zero.cpp -@@ -91,3 +91,11 @@ - address ShouldNotCallThisEntry() { - return (address) should_not_call; - } -+ -+static void zero_null_fn() { -+ return; -+} -+ -+address ZeroNullStubEntry(address fn) { -+ return (address) fn; -+} -diff --git a/src/cpu/zero/vm/assembler_zero.hpp b/src/cpu/zero/vm/assembler_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/assembler_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/assembler_zero.hpp -@@ -65,5 +65,6 @@ - - address ShouldNotCallThisStub(); - address ShouldNotCallThisEntry(); -+address ZeroNullStubEntry(address fn); - - #endif // CPU_ZERO_VM_ASSEMBLER_ZERO_HPP -diff --git a/src/cpu/zero/vm/copy_zero.hpp b/src/cpu/zero/vm/copy_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/copy_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/copy_zero.hpp -@@ -169,7 +169,7 @@ - } - - static void pd_fill_to_bytes(void* to, size_t count, jubyte value) { -- memset(to, value, count); -+ if ( count > 0 ) memset(to, value, count); - } - - static void pd_zero_to_words(HeapWord* tohw, size_t count) { -@@ -177,7 +177,7 @@ - } - - static void pd_zero_to_bytes(void* to, size_t count) { -- memset(to, 0, count); -+ if ( count > 0 ) memset(to, 0, count); - } - - #endif // CPU_ZERO_VM_COPY_ZERO_HPP -diff --git a/src/cpu/zero/vm/cppInterpreter_zero.cpp b/src/cpu/zero/vm/cppInterpreter_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp +diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp +--- openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp 2016-05-03 20:18:13.388935986 +0100 ++++ openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp 2016-05-03 20:19:21.099818351 +0100 @@ -36,6 +36,7 @@ #include "oops/oop.inline.hpp" #include "prims/jvmtiExport.hpp" @@ -77,81 +23,7 @@ int CppInterpreter::normal_entry(methodOop method, intptr_t UNUSED, TRAPS) { JavaThread *thread = (JavaThread *) THREAD; -@@ -699,6 +707,9 @@ - method_handle = adapter; - } - -+ CPPINT_DEBUG( tty->print_cr( "Process method_handle sp: 0x%x unwind_sp: 0x%x result_slots: %d.", \ -+ stack->sp(), unwind_sp, result_slots ); ) -+ - // Start processing - process_method_handle(method_handle, THREAD); - if (HAS_PENDING_EXCEPTION) -@@ -718,6 +729,8 @@ - } - - // Check -+ CPPINT_DEBUG( tty->print_cr( "Exiting method_handle_entry, sp: 0x%x unwind_sp: 0x%x result_slots: %d.", \ -+ stack->sp(), unwind_sp, result_slots ); ) - assert(stack->sp() == unwind_sp - result_slots, "should be"); - - // No deoptimized frames on the stack -@@ -725,6 +738,7 @@ - } - - void CppInterpreter::process_method_handle(oop method_handle, TRAPS) { -+ - JavaThread *thread = (JavaThread *) THREAD; - ZeroStack *stack = thread->zero_stack(); - intptr_t *vmslots = stack->sp(); -@@ -739,6 +753,7 @@ - (MethodHandles::EntryKind) (((intptr_t) entry) & 0xffffffff); - - methodOop method = NULL; -+ CPPINT_DEBUG( tty->print_cr( "\nEntering %s 0x%x.",MethodHandles::entry_name(entry_kind), (char *)vmslots ); ) - switch (entry_kind) { - case MethodHandles::_invokestatic_mh: - direct_to_method = true; -@@ -811,11 +826,15 @@ - case MethodHandles::_bound_int_mh: - case MethodHandles::_bound_long_mh: - { -- BasicType arg_type = T_ILLEGAL; -- int arg_mask = -1; -- int arg_slots = -1; -- MethodHandles::get_ek_bound_mh_info( -- entry_kind, arg_type, arg_mask, arg_slots); -+ // BasicType arg_type = T_ILLEGAL; -+ // int arg_mask = -1; -+ // int arg_slots = -1; -+ // MethodHandles::get_ek_bound_mh_info( -+ // entry_kind, arg_type, arg_mask, arg_slots); -+ BasicType arg_type = MethodHandles::ek_bound_mh_arg_type(entry_kind); -+ int arg_mask = 0; -+ int arg_slots = type2size[arg_type];; -+ - int arg_slot = - java_lang_invoke_BoundMethodHandle::vmargslot(method_handle); - -@@ -961,10 +980,13 @@ - java_lang_invoke_AdapterMethodHandle::conversion(method_handle); - int arg2 = MethodHandles::adapter_conversion_vminfo(conv); - -- int swap_bytes = 0, rotate = 0; -- MethodHandles::get_ek_adapter_opt_swap_rot_info( -- entry_kind, swap_bytes, rotate); -- int swap_slots = swap_bytes >> LogBytesPerWord; -+ // int swap_bytes = 0, rotate = 0; -+ // MethodHandles::get_ek_adapter_opt_swap_rot_info( -+ // entry_kind, swap_bytes, rotate); -+ int swap_slots = MethodHandles::ek_adapter_opt_swap_slots(entry_kind); -+ int rotate = MethodHandles::ek_adapter_opt_swap_mode(entry_kind); -+ int swap_bytes = swap_slots * Interpreter::stackElementSize; -+ swap_slots = swap_bytes >> LogBytesPerWord; - - intptr_t tmp; - switch (rotate) { -@@ -1080,12 +1102,309 @@ +@@ -1079,12 +1094,309 @@ } break; @@ -464,17 +336,9 @@ // Continue along the chain if (direct_to_method) { if (method == NULL) { -@@ -1138,6 +1457,7 @@ - tty->print_cr("dst_rtype = %s", type2name(dst_rtype)); - ShouldNotReachHere(); - } -+ CPPINT_DEBUG( tty->print_cr( "LEAVING %s\n",MethodHandles::entry_name(entry_kind) ); ) - } - - // The new slots will be inserted before slot insert_before. -diff --git a/src/cpu/zero/vm/frame_zero.inline.hpp b/src/cpu/zero/vm/frame_zero.inline.hpp ---- openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp +diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp +--- openjdk.orig/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp 2013-09-13 00:30:29.930952968 +0100 ++++ openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp 2016-05-03 20:19:21.099818351 +0100 @@ -36,6 +36,8 @@ _deopt_state = unknown; } @@ -484,161 +348,3 @@ inline frame::frame(ZeroFrame* zf, intptr_t* sp) { _zeroframe = zf; _sp = sp; -diff --git a/src/cpu/zero/vm/methodHandles_zero.cpp b/src/cpu/zero/vm/methodHandles_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.cpp -@@ -28,6 +28,8 @@ - #include "memory/allocation.inline.hpp" - #include "prims/methodHandles.hpp" - -+#define __ _masm-> -+ - int MethodHandles::adapter_conversion_ops_supported_mask() { - return ((1<do_oop((oop*)f->saved_target_addr()); -+ // blk->do_oop((oop*)f->saved_args_layout_addr()); -+ -+ // process variable arguments: -+ // if (cookie.is_null()) return; // no arguments to describe -+ -+ // the cookie is actually the invokeExact method for my target -+ // his argument signature is what I'm interested in -+ // assert(cookie->is_method(), ""); -+ // methodHandle invoker(thread, methodOop(cookie())); -+ // assert(invoker->name() == vmSymbols::invokeExact_name(), "must be this kind of method"); -+ // assert(!invoker->is_static(), "must have MH argument"); -+ // int slot_count = invoker->size_of_parameters(); -+ // assert(slot_count >= 1, "must include 'this'"); -+ // intptr_t* base = f->saved_args_base(); -+ // intptr_t* retval = NULL; -+ // if (f->has_return_value_slot()) -+ // retval = f->return_value_slot_addr(); -+ // int slot_num = slot_count - 1; -+ // intptr_t* loc = &base[slot_num]; -+ //blk->do_oop((oop*) loc); // original target, which is irrelevant -+ // int arg_num = 0; -+ // for (SignatureStream ss(invoker->signature()); !ss.is_done(); ss.next()) { -+ // if (ss.at_return_type()) continue; -+ // BasicType ptype = ss.type(); -+ // if (ptype == T_ARRAY) ptype = T_OBJECT; // fold all refs to T_OBJECT -+ // assert(ptype >= T_BOOLEAN && ptype <= T_OBJECT, "not array or void"); -+ // slot_num -= type2size[ptype]; -+ // loc = &base[slot_num]; -+ // bool is_oop = (ptype == T_OBJECT && loc != retval); -+ // if (is_oop) blk->do_oop((oop*)loc); -+ // arg_num += 1; -+ // } -+ // assert(slot_num == 0, "must have processed all the arguments"); -+} -diff --git a/src/cpu/zero/vm/methodHandles_zero.hpp b/src/cpu/zero/vm/methodHandles_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp -@@ -43,4 +43,12 @@ - saved_target *(rcx+&mh_vmtgt) L2_stgt - continuation #STUB_CON L1_cont - */ -+ public: -+ -+static void generate_ricochet_blob(MacroAssembler* _masm, -+ // output params: -+ int* bounce_offset, -+ int* exception_offset, -+ int* frame_size_in_words); -+ - }; -diff --git a/src/cpu/zero/vm/sharedRuntime_zero.cpp b/src/cpu/zero/vm/sharedRuntime_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp -@@ -48,6 +48,11 @@ - - - -+static address zero_null_code_stub() { -+ address start = ShouldNotCallThisStub(); -+ return start; -+} -+ - int SharedRuntime::java_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed, -@@ -64,9 +69,9 @@ - AdapterFingerPrint *fingerprint) { - return AdapterHandlerLibrary::new_entry( - fingerprint, -- ShouldNotCallThisStub(), -- ShouldNotCallThisStub(), -- ShouldNotCallThisStub()); -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) ), -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) ), -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) )); - } - - nmethod *SharedRuntime::generate_native_wrapper(MacroAssembler *masm, -@@ -107,11 +112,11 @@ - } - - static SafepointBlob* generate_empty_safepoint_blob() { -- return NULL; -+ return CAST_FROM_FN_PTR(SafepointBlob*,zero_stub); - } - - static DeoptimizationBlob* generate_empty_deopt_blob() { -- return NULL; -+ return CAST_FROM_FN_PTR(DeoptimizationBlob*,zero_stub); - } - - void SharedRuntime::generate_deopt_blob() { -diff --git a/src/share/vm/asm/codeBuffer.cpp b/src/share/vm/asm/codeBuffer.cpp ---- openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp -+++ openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp -@@ -674,7 +674,7 @@ - } - } - -- if (dest->blob() == NULL) { -+ if ((dest->blob() == NULL) && dest_filled ) { - // Destination is a final resting place, not just another buffer. - // Normalize uninitialized bytes in the final padding. - Copy::fill_to_bytes(dest_filled, dest_end - dest_filled, diff -r 49231b25f344 -r 06179516eff2 patches/hotspot/hs23/zero_hs22.patch --- a/patches/hotspot/hs23/zero_hs22.patch Wed May 04 02:55:09 2016 +0100 +++ b/patches/hotspot/hs23/zero_hs22.patch Wed May 04 04:24:30 2016 +0100 @@ -1,6 +1,6 @@ diff -Nru openjdk.orig/hotspot/make/linux/makefiles/defs.make openjdk/hotspot/make/linux/makefiles/defs.make ---- openjdk.orig/hotspot/make/linux/makefiles/defs.make 2013-08-15 14:22:31.083536693 +0100 -+++ openjdk/hotspot/make/linux/makefiles/defs.make 2013-08-15 14:38:48.102899192 +0100 +--- openjdk.orig/hotspot/make/linux/makefiles/defs.make 2016-05-03 20:02:04.292927351 +0100 ++++ openjdk/hotspot/make/linux/makefiles/defs.make 2016-05-03 20:13:14.185874164 +0100 @@ -232,6 +232,7 @@ # client and server subdirectories have symbolic links to ../libjsig.so EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.$(LIBRARY_SUFFIX) @@ -49,128 +49,17 @@ ADD_SA_BINARIES/ia64 = ADD_SA_BINARIES/arm = diff -Nru openjdk.orig/hotspot/make/linux/platform_zero.in openjdk/hotspot/make/linux/platform_zero.in ---- openjdk.orig/hotspot/make/linux/platform_zero.in 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/make/linux/platform_zero.in 2013-08-15 14:28:43.109389844 +0100 +--- openjdk.orig/hotspot/make/linux/platform_zero.in 2010-06-14 19:53:45.000000000 +0100 ++++ openjdk/hotspot/make/linux/platform_zero.in 2016-05-03 20:13:14.185874164 +0100 @@ -14,4 +14,4 @@ gnu_dis_arch = zero -sysdefs = -DLINUX -D_GNU_SOURCE -DCC_INTERP -DZERO -D@ZERO_ARCHDEF@ -DZERO_LIBARCH=\"@ZERO_LIBARCH@\" +sysdefs = -DLINUX -D_GNU_SOURCE -DCC_INTERP -DZERO -DTARGET_ARCH_NYI_6939861=1 -D@ZERO_ARCHDEF@ -DZERO_LIBARCH=\"@ZERO_LIBARCH@\" -diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp ---- openjdk.orig/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp 2013-08-15 14:37:15.525444593 +0100 -@@ -1,6 +1,6 @@ - /* - * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -- * Copyright 2011 Red Hat, Inc. -+ * Copyright 2011, 2012 Red Hat, Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -29,3 +29,18 @@ - adapter_code_size = 0 - }; - -+class RicochetFrame : public ResourceObj { -+ friend class MethodHandles; -+ private: -+ /* -+ RF field x86 SPARC -+ sender_pc *(rsp+0) I7-0x8 -+ sender_link rbp I6+BIAS -+ exact_sender_sp rsi/r13 I5_savedSP -+ conversion *(rcx+&amh_conv) L5_conv -+ saved_args_base rax L4_sab (cf. Gargs = G4) -+ saved_args_layout #NULL L3_sal -+ saved_target *(rcx+&mh_vmtgt) L2_stgt -+ continuation #STUB_CON L1_cont -+ */ -+}; -diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp ---- openjdk.orig/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp 2013-08-15 14:29:56.398542324 +0100 -@@ -1,6 +1,6 @@ - /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. -- * Copyright 2007, 2008, 2009, 2010, 2011 Red Hat, Inc. -+ * Copyright 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -47,6 +47,7 @@ - #endif - - -+ - int SharedRuntime::java_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed, -@@ -96,19 +97,20 @@ - ShouldNotCallThis(); - } - -+JRT_LEAF(void, zero_stub()) -+ ShouldNotCallThis(); -+JRT_END -+ - static RuntimeStub* generate_empty_runtime_stub(const char* name) { -- CodeBuffer buffer(name, 0, 0); -- return RuntimeStub::new_runtime_stub(name, &buffer, 0, 0, NULL, false); -+ return CAST_FROM_FN_PTR(RuntimeStub*,zero_stub); - } - - static SafepointBlob* generate_empty_safepoint_blob() { -- CodeBuffer buffer("handler_blob", 0, 0); -- return SafepointBlob::create(&buffer, NULL, 0); -+ return NULL; - } - - static DeoptimizationBlob* generate_empty_deopt_blob() { -- CodeBuffer buffer("handler_blob", 0, 0); -- return DeoptimizationBlob::create(&buffer, NULL, 0, 0, 0, 0); -+ return NULL; - } - - -@@ -124,6 +126,7 @@ - return generate_empty_runtime_stub("resolve_blob"); - } - -+ - int SharedRuntime::c_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed) { -diff -Nru openjdk.orig/hotspot/src/share/vm/runtime/vmStructs.cpp openjdk/hotspot/src/share/vm/runtime/vmStructs.cpp ---- openjdk.orig/hotspot/src/share/vm/runtime/vmStructs.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/runtime/vmStructs.cpp 2013-08-15 14:28:43.113389906 +0100 -@@ -827,10 +827,10 @@ - /* CodeBlobs (NOTE: incomplete, but only a little) */ \ - /***************************************************/ \ - \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_pc, address)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _exact_sender_sp, intptr_t*)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_link, intptr_t*)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _saved_args_base, intptr_t*)) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_pc, address))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _exact_sender_sp, intptr_t*))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_link, intptr_t*))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _saved_args_base, intptr_t*))) \ - \ - static_field(SharedRuntime, _ricochet_blob, RicochetBlob*) \ - \ -@@ -2529,7 +2529,7 @@ - /* frame */ \ - /**********************/ \ - \ -- X86_ONLY(declare_constant(frame::entry_frame_call_wrapper_offset)) \ -+ NOT_ZERO(X86_ONLY(declare_constant(frame::entry_frame_call_wrapper_offset))) \ - declare_constant(frame::pc_return_offset) \ - \ - /*************/ \ diff -Nru openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp ---- openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-08-15 14:28:43.113389906 +0100 +--- openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-09-13 00:30:29.750950170 +0100 ++++ openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp 2016-05-03 20:13:14.189874098 +0100 @@ -1,6 +1,6 @@ /* * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. @@ -188,29 +77,3 @@ assert(SafepointSynchronize::is_at_safepoint(), "must be at safepoint"); SharkEntry *entry = (SharkEntry *) code; -diff -Nru openjdk.orig/hotspot/src/share/vm/utilities/macros.hpp openjdk/hotspot/src/share/vm/utilities/macros.hpp ---- openjdk.orig/hotspot/src/share/vm/utilities/macros.hpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/utilities/macros.hpp 2013-08-15 14:28:43.113389906 +0100 -@@ -177,6 +177,22 @@ - #define NOT_WIN64(code) code - #endif - -+#if defined(ZERO) -+#define ZERO_ONLY(code) code -+#define NOT_ZERO(code) -+#else -+#define ZERO_ONLY(code) -+#define NOT_ZERO(code) code -+#endif -+ -+#if defined(SHARK) -+#define SHARK_ONLY(code) code -+#define NOT_SHARK(code) -+#else -+#define SHARK_ONLY(code) -+#define NOT_SHARK(code) code -+#endif -+ - #if defined(IA32) || defined(AMD64) - #define X86 - #define X86_ONLY(code) code diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/4963723-implement_sha-224.patch --- a/patches/openjdk/4963723-implement_sha-224.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,2301 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java 2015-07-20 17:22:00.184870879 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -38,16 +38,16 @@ - * This class constitutes the core of HMAC- algorithms, where - * can be SHA1 or MD5, etc. - * -- * It also contains the implementation classes for the SHA-256, -+ * It also contains the implementation classes for SHA-224, SHA-256, - * SHA-384, and SHA-512 HMACs. - * - * @author Jan Luehe - */ --final class HmacCore implements Cloneable { -+abstract class HmacCore extends MacSpi implements Cloneable { - -- private final MessageDigest md; -- private final byte[] k_ipad; // inner padding - key XORd with ipad -- private final byte[] k_opad; // outer padding - key XORd with opad -+ private MessageDigest md; -+ private byte[] k_ipad; // inner padding - key XORd with ipad -+ private byte[] k_opad; // outer padding - key XORd with opad - private boolean first; // Is this the first data to be processed? - - private final int blockLen; -@@ -73,22 +73,11 @@ - } - - /** -- * Constructor used for cloning. -- */ -- private HmacCore(HmacCore other) throws CloneNotSupportedException { -- this.md = (MessageDigest)other.md.clone(); -- this.blockLen = other.blockLen; -- this.k_ipad = (byte[])other.k_ipad.clone(); -- this.k_opad = (byte[])other.k_opad.clone(); -- this.first = other.first; -- } -- -- /** - * Returns the length of the HMAC in bytes. - * - * @return the HMAC length in bytes. - */ -- int getDigestLength() { -+ protected int engineGetMacLength() { - return this.md.getDigestLength(); - } - -@@ -103,9 +92,8 @@ - * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this MAC. - */ -- void init(Key key, AlgorithmParameterSpec params) -+ protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- - if (params != null) { - throw new InvalidAlgorithmParameterException - ("HMAC does not use parameters"); -@@ -140,7 +128,7 @@ - Arrays.fill(secret, (byte)0); - secret = null; - -- reset(); -+ engineReset(); - } - - /** -@@ -148,7 +136,7 @@ - * - * @param input the input byte to be processed. - */ -- void update(byte input) { -+ protected void engineUpdate(byte input) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -167,7 +155,7 @@ - * @param offset the offset in input where the input starts. - * @param len the number of bytes to process. - */ -- void update(byte input[], int offset, int len) { -+ protected void engineUpdate(byte input[], int offset, int len) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -178,7 +166,13 @@ - md.update(input, offset, len); - } - -- void update(ByteBuffer input) { -+ /** -+ * Processes the input.remaining() bytes in the ByteBuffer -+ * input. -+ * -+ * @param input the input byte buffer. -+ */ -+ protected void engineUpdate(ByteBuffer input) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -194,7 +188,7 @@ - * - * @return the HMAC result. - */ -- byte[] doFinal() { -+ protected byte[] engineDoFinal() { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -223,7 +217,7 @@ - * Resets the HMAC for further use, maintaining the secret key that the - * HMAC was initialized with. - */ -- void reset() { -+ protected void engineReset() { - if (first == false) { - md.reset(); - first = true; -@@ -234,115 +228,38 @@ - * Clones this object. - */ - public Object clone() throws CloneNotSupportedException { -- return new HmacCore(this); -+ HmacCore copy = (HmacCore) super.clone(); -+ copy.md = (MessageDigest) md.clone(); -+ copy.k_ipad = k_ipad.clone(); -+ copy.k_opad = k_opad.clone(); -+ return copy; -+ } -+ -+ // nested static class for the HmacSHA224 implementation -+ public static final class HmacSHA224 extends HmacCore { -+ public HmacSHA224() throws NoSuchAlgorithmException { -+ super("SHA-224", 64); -+ } - } - - // nested static class for the HmacSHA256 implementation -- public static final class HmacSHA256 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA256 extends HmacCore { - public HmacSHA256() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-256", 64); -- } -- private HmacSHA256(HmacSHA256 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA256(this); -+ super("SHA-256", 64); - } - } - - // nested static class for the HmacSHA384 implementation -- public static final class HmacSHA384 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA384 extends HmacCore { - public HmacSHA384() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-384", 128); -- } -- private HmacSHA384(HmacSHA384 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA384(this); -+ super("SHA-384", 128); - } - } - - // nested static class for the HmacSHA512 implementation -- public static final class HmacSHA512 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA512 extends HmacCore { - public HmacSHA512() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-512", 128); -- } -- private HmacSHA512(HmacSHA512 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA512(this); -+ super("SHA-512", 128); - } - } -- - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java 2015-07-20 17:22:00.308868718 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -37,97 +37,11 @@ - * - * @author Jan Luehe - */ --public final class HmacMD5 extends MacSpi implements Cloneable { -- -- private HmacCore hmac; -- private static final int MD5_BLOCK_LENGTH = 64; -- -+public final class HmacMD5 extends HmacCore { - /** - * Standard constructor, creates a new HmacMD5 instance. - */ - public HmacMD5() throws NoSuchAlgorithmException { -- hmac = new HmacCore(MessageDigest.getInstance("MD5"), -- MD5_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -- } -- -- /** -- * Initializes the HMAC with the given secret key and algorithm parameters. -- * -- * @param key the secret key. -- * @param params the algorithm parameters. -- * -- * @exception InvalidKeyException if the given key is inappropriate for -- * initializing this MAC. -- * @exception InvalidAlgorithmParameterException if the given algorithm -- * parameters are inappropriate for this MAC. -- */ -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- hmac.init(key, params); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first len bytes in input, -- * starting at offset. -- * -- * @param input the input buffer. -- * @param offset the offset in input where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacMD5 that = null; -- try { -- that = (HmacMD5) super.clone(); -- that.hmac = (HmacCore) this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super("MD5", 64); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java 2015-07-20 17:22:00.336868230 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -41,26 +41,13 @@ - * - * @author Valerie Peng - */ --public final class HmacPKCS12PBESHA1 extends MacSpi implements Cloneable { -- -- private HmacCore hmac = null; -- private static final int SHA1_BLOCK_LENGTH = 64; -+public final class HmacPKCS12PBESHA1 extends HmacCore { - - /** - * Standard constructor, creates a new HmacSHA1 instance. - */ - public HmacPKCS12PBESHA1() throws NoSuchAlgorithmException { -- this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"), -- SHA1_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -+ super("SHA1", 64); - } - - /** -@@ -71,7 +58,7 @@ - * - * @exception InvalidKeyException if the given key is inappropriate for - * initializing this MAC. -- u* @exception InvalidAlgorithmParameterException if the given algorithm -+ * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this MAC. - */ - protected void engineInit(Key key, AlgorithmParameterSpec params) -@@ -140,64 +127,8 @@ - ("IterationCount must be a positive number"); - } - byte[] derivedKey = PKCS12PBECipherCore.derive(passwdChars, salt, -- iCount, hmac.getDigestLength(), PKCS12PBECipherCore.MAC_KEY); -+ iCount, engineGetMacLength(), PKCS12PBECipherCore.MAC_KEY); - SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1"); -- hmac.init(cipherKey, null); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first len bytes in input, -- * starting at offset. -- * -- * @param input the input buffer. -- * @param offset the offset in input where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacPKCS12PBESHA1 that = null; -- try { -- that = (HmacPKCS12PBESHA1)super.clone(); -- that.hmac = (HmacCore)this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super.engineInit(cipherKey, null); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java 2015-07-20 17:22:00.356867881 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -37,97 +37,11 @@ - * - * @author Jan Luehe - */ --public final class HmacSHA1 extends MacSpi implements Cloneable { -- -- private HmacCore hmac = null; -- private static final int SHA1_BLOCK_LENGTH = 64; -- -+public final class HmacSHA1 extends HmacCore { - /** - * Standard constructor, creates a new HmacSHA1 instance. - */ - public HmacSHA1() throws NoSuchAlgorithmException { -- this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"), -- SHA1_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -- } -- -- /** -- * Initializes the HMAC with the given secret key and algorithm parameters. -- * -- * @param key the secret key. -- * @param params the algorithm parameters. -- * -- * @exception InvalidKeyException if the given key is inappropriate for -- * initializing this MAC. -- * @exception InvalidAlgorithmParameterException if the given algorithm -- * parameters are inappropriate for this MAC. -- */ -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- hmac.init(key, params); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first len bytes in input, -- * starting at offset. -- * -- * @param input the input buffer. -- * @param offset the offset in input where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacSHA1 that = null; -- try { -- that = (HmacSHA1)super.clone(); -- that.hmac = (HmacCore)this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super("SHA1", 64); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java 2015-07-20 17:22:00.700861885 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -105,11 +105,11 @@ - return new SecretKeySpec(b, name); - } - -- // nested static class for the HmacSHA256 key generator -- public static final class HmacSHA256KG extends KeyGeneratorSpi { -+ // nested static classes for the HmacSHA-2 family of key generator -+ abstract static class HmacSHA2KG extends KeyGeneratorSpi { - private final KeyGeneratorCore core; -- public HmacSHA256KG() { -- core = new KeyGeneratorCore("HmacSHA256", 256); -+ protected HmacSHA2KG(String algoName, int len) { -+ core = new KeyGeneratorCore(algoName, len); - } - protected void engineInit(SecureRandom random) { - core.implInit(random); -@@ -124,50 +124,27 @@ - protected SecretKey engineGenerateKey() { - return core.implGenerateKey(); - } -+ public static final class SHA224 extends HmacSHA2KG { -+ public SHA224() { -+ super("HmacSHA224", 224); -+ } -+ } -+ public static final class SHA256 extends HmacSHA2KG { -+ public SHA256() { -+ super("HmacSHA256", 256); -+ } -+ } -+ public static final class SHA384 extends HmacSHA2KG { -+ public SHA384() { -+ super("HmacSHA384", 384); -+ } -+ } -+ public static final class SHA512 extends HmacSHA2KG { -+ public SHA512() { -+ super("HmacSHA512", 512); -+ } -+ } - } -- -- // nested static class for the HmacSHA384 key generator -- public static final class HmacSHA384KG extends KeyGeneratorSpi { -- private final KeyGeneratorCore core; -- public HmacSHA384KG() { -- core = new KeyGeneratorCore("HmacSHA384", 384); -- } -- protected void engineInit(SecureRandom random) { -- core.implInit(random); -- } -- protected void engineInit(AlgorithmParameterSpec params, -- SecureRandom random) throws InvalidAlgorithmParameterException { -- core.implInit(params, random); -- } -- protected void engineInit(int keySize, SecureRandom random) { -- core.implInit(keySize, random); -- } -- protected SecretKey engineGenerateKey() { -- return core.implGenerateKey(); -- } -- } -- -- // nested static class for the HmacSHA384 key generator -- public static final class HmacSHA512KG extends KeyGeneratorSpi { -- private final KeyGeneratorCore core; -- public HmacSHA512KG() { -- core = new KeyGeneratorCore("HmacSHA512", 512); -- } -- protected void engineInit(SecureRandom random) { -- core.implInit(random); -- } -- protected void engineInit(AlgorithmParameterSpec params, -- SecureRandom random) throws InvalidAlgorithmParameterException { -- core.implInit(params, random); -- } -- protected void engineInit(int keySize, SecureRandom random) { -- core.implInit(keySize, random); -- } -- protected SecretKey engineGenerateKey() { -- return core.implGenerateKey(); -- } -- } -- - // nested static class for the RC2 key generator - public static final class RC2KeyGenerator extends KeyGeneratorSpi { - private final KeyGeneratorCore core; -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java 2015-07-20 17:22:00.780860490 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -143,6 +143,8 @@ - String mgfDigestName = convertToStandardName(params.getName()); - if (mgfDigestName.equals("SHA-1")) { - mgfSpec = MGF1ParameterSpec.SHA1; -+ } else if (mgfDigestName.equals("SHA-224")) { -+ mgfSpec = new MGF1ParameterSpec("SHA-224"); - } else if (mgfDigestName.equals("SHA-256")) { - mgfSpec = MGF1ParameterSpec.SHA256; - } else if (mgfDigestName.equals("SHA-384")) { -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2015-07-20 17:22:01.612845988 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -70,7 +70,7 @@ - * - * - Diffie-Hellman Key Agreement - * -- * - HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 -+ * - HMAC-MD5, HMAC-SHA1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 - * - */ - -@@ -117,6 +117,7 @@ - "NOPADDING|PKCS1PADDING|OAEPWITHMD5ANDMGF1PADDING" - + "|OAEPWITHSHA1ANDMGF1PADDING" - + "|OAEPWITHSHA-1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-224ANDMGF1PADDING" - + "|OAEPWITHSHA-256ANDMGF1PADDING" - + "|OAEPWITHSHA-384ANDMGF1PADDING" - + "|OAEPWITHSHA-512ANDMGF1PADDING"); -@@ -225,12 +226,25 @@ - put("KeyGenerator.HmacSHA1", - "com.sun.crypto.provider.HmacSHA1KeyGenerator"); - -+ put("KeyGenerator.HmacSHA224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA224"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.8", "HmacSHA224"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.8", "HmacSHA224"); -+ - put("KeyGenerator.HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA256KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA256"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.9", "HmacSHA256"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.9", "HmacSHA256"); -+ - put("KeyGenerator.HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA384KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA384"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.10", "HmacSHA384"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.10", "HmacSHA384"); -+ - put("KeyGenerator.HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA512KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA512"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.11", "HmacSHA512"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.11", "HmacSHA512"); - - put("KeyPairGenerator.DiffieHellman", - "com.sun.crypto.provider.DHKeyPairGenerator"); -@@ -393,12 +407,23 @@ - */ - put("Mac.HmacMD5", "com.sun.crypto.provider.HmacMD5"); - put("Mac.HmacSHA1", "com.sun.crypto.provider.HmacSHA1"); -+ put("Mac.HmacSHA224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA224"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.8", "HmacSHA224"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.8", "HmacSHA224"); - put("Mac.HmacSHA256", - "com.sun.crypto.provider.HmacCore$HmacSHA256"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.9", "HmacSHA256"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.9", "HmacSHA256"); - put("Mac.HmacSHA384", - "com.sun.crypto.provider.HmacCore$HmacSHA384"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.10", "HmacSHA384"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.10", "HmacSHA384"); - put("Mac.HmacSHA512", - "com.sun.crypto.provider.HmacCore$HmacSHA512"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.11", "HmacSHA512"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.11", "HmacSHA512"); -+ - put("Mac.HmacPBESHA1", - "com.sun.crypto.provider.HmacPKCS12PBESHA1"); - -@@ -409,6 +434,7 @@ - - put("Mac.HmacMD5 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA1 SupportedKeyFormats", "RAW"); -+ put("Mac.HmacSHA224 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA256 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA384 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA512 SupportedKeyFormats", "RAW"); -diff -Nru openjdk.orig/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java openjdk/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java ---- openjdk.orig/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java 2015-07-20 17:22:19.176539837 +0100 -+++ openjdk/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -42,6 +42,7 @@ - * 
-  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
-  *   { OID id-sha1 PARAMETERS NULL   }|
-+ *   { OID id-sha224 PARAMETERS NULL   }|
-  *   { OID id-sha256 PARAMETERS NULL }|
-  *   { OID id-sha384 PARAMETERS NULL }|
-  *   { OID id-sha512 PARAMETERS NULL },
-diff -Nru openjdk.orig/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java openjdk/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java
---- openjdk.orig/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java	2015-07-20 17:22:19.176539837 +0100
-+++ openjdk/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java	2015-07-20 17:43:33.190332609 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2001, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -47,6 +47,7 @@
-  * 
-  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
-  *   { OID id-sha1 PARAMETERS NULL   }|
-+ *   { OID id-sha224 PARAMETERS NULL   }|
-  *   { OID id-sha256 PARAMETERS NULL }|
-  *   { OID id-sha384 PARAMETERS NULL }|
-  *   { OID id-sha512 PARAMETERS NULL },
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java	2015-07-20 17:41:00.580992729 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java	2015-07-20 17:43:33.190332609 +0100
-@@ -39,7 +39,7 @@
- 
- /**
-  * MessageDigest implementation class. This class currently supports
-- * MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512.
-+ * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
-  *
-  * Note that many digest operations are on fairly small amounts of data
-  * (less than 100 bytes total). For example, the 2nd hashing in HMAC or
-@@ -99,6 +99,9 @@
-         case (int)CKM_SHA_1:
-             digestLength = 20;
-             break;
-+        case (int)CKM_SHA224:
-+            digestLength = 28;
-+            break;
-         case (int)CKM_SHA256:
-             digestLength = 32;
-             break;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java	2015-07-20 17:22:22.852475762 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java	2015-07-20 17:43:33.190332609 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -40,8 +40,8 @@
- 
- /**
-  * MAC implementation class. This class currently supports HMAC using
-- * MD5, SHA-1, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC using MD5
-- * and SHA-1.
-+ * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC
-+ * using MD5 and SHA-1.
-  *
-  * Note that unlike other classes (e.g. Signature), this does not
-  * composite various operations if the token only supports part of the
-@@ -107,6 +107,9 @@
-         case (int)CKM_SHA_1_HMAC:
-             macLength = 20;
-             break;
-+        case (int)CKM_SHA224_HMAC:
-+            macLength = 28;
-+            break;
-         case (int)CKM_SHA256_HMAC:
-             macLength = 32;
-             break;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java	2015-07-20 17:22:22.860475622 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java	2015-07-20 17:43:33.190332609 +0100
-@@ -54,12 +54,14 @@
-  *   . MD2withRSA
-  *   . MD5withRSA
-  *   . SHA1withRSA
-+ *   . SHA224withRSA
-  *   . SHA256withRSA
-  *   . SHA384withRSA
-  *   . SHA512withRSA
-  * . ECDSA
-  *   . NONEwithECDSA
-  *   . SHA1withECDSA
-+ *   . SHA224withECDSA
-  *   . SHA256withECDSA
-  *   . SHA384withECDSA
-  *   . SHA512withECDSA
-@@ -144,6 +146,7 @@
-         case (int)CKM_MD2_RSA_PKCS:
-         case (int)CKM_MD5_RSA_PKCS:
-         case (int)CKM_SHA1_RSA_PKCS:
-+        case (int)CKM_SHA224_RSA_PKCS:
-         case (int)CKM_SHA256_RSA_PKCS:
-         case (int)CKM_SHA384_RSA_PKCS:
-         case (int)CKM_SHA512_RSA_PKCS:
-@@ -182,6 +185,8 @@
-                 String digestAlg;
-                 if (algorithm.equals("SHA1withECDSA")) {
-                     digestAlg = "SHA-1";
-+                } else if (algorithm.equals("SHA224withECDSA")) {
-+                    digestAlg = "SHA-224";
-                 } else if (algorithm.equals("SHA256withECDSA")) {
-                     digestAlg = "SHA-256";
-                 } else if (algorithm.equals("SHA384withECDSA")) {
-@@ -209,6 +214,9 @@
-             } else if (algorithm.equals("MD2withRSA")) {
-                 md = MessageDigest.getInstance("MD2");
-                 digestOID = AlgorithmId.MD2_oid;
-+            } else if (algorithm.equals("SHA224withRSA")) {
-+                md = MessageDigest.getInstance("SHA-224");
-+                digestOID = AlgorithmId.SHA224_oid;
-             } else if (algorithm.equals("SHA256withRSA")) {
-                 md = MessageDigest.getInstance("SHA-256");
-                 digestOID = AlgorithmId.SHA256_oid;
-@@ -334,6 +342,8 @@
-             encodedLength = 34;
-         } else if (algorithm.equals("SHA1withRSA")) {
-             encodedLength = 35;
-+        } else if (algorithm.equals("SHA224withRSA")) {
-+            encodedLength = 47;
-         } else if (algorithm.equals("SHA256withRSA")) {
-             encodedLength = 51;
-         } else if (algorithm.equals("SHA384withRSA")) {
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2015-07-20 17:41:00.524993705 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2015-07-20 17:43:33.190332609 +0100
-@@ -328,6 +328,7 @@
-                 System.out.println("Library info:");
-                 System.out.println(p11Info);
-             }
-+
-             if ((slotID < 0) || showInfo) {
-                 long[] slots = p11.C_GetSlotList(false);
-                 if (showInfo) {
-@@ -504,24 +505,37 @@
-                 m(CKM_MD2));
-         d(MD, "MD5",            P11Digest,
-                 m(CKM_MD5));
--        d(MD, "SHA1",           P11Digest,              s("SHA", "SHA-1"),
-+        d(MD, "SHA1",           P11Digest, s("SHA", "SHA-1"),
-                 m(CKM_SHA_1));
-+
-+        d(MD, "SHA-224",        P11Digest,
-+                s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"),
-+                m(CKM_SHA224));
-         d(MD, "SHA-256",        P11Digest,
-+                s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"),
-                 m(CKM_SHA256));
-         d(MD, "SHA-384",        P11Digest,
-+                s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"),
-                 m(CKM_SHA384));
-         d(MD, "SHA-512",        P11Digest,
-+                s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"),
-                 m(CKM_SHA512));
- 
-         d(MAC, "HmacMD5",       P11MAC,
-                 m(CKM_MD5_HMAC));
-         d(MAC, "HmacSHA1",      P11MAC,
-                 m(CKM_SHA_1_HMAC));
-+        d(MAC, "HmacSHA224",    P11MAC,
-+                s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
-+                m(CKM_SHA224_HMAC));
-         d(MAC, "HmacSHA256",    P11MAC,
-+                s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"),
-                 m(CKM_SHA256_HMAC));
-         d(MAC, "HmacSHA384",    P11MAC,
-+                s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"),
-                 m(CKM_SHA384_HMAC));
-         d(MAC, "HmacSHA512",    P11MAC,
-+                s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
-                 m(CKM_SHA512_HMAC));
-         d(MAC, "SslMacMD5",     P11MAC,
-                 m(CKM_SSL3_MD5_MAC));
-@@ -619,11 +633,17 @@
-                 m(CKM_ECDSA));
-         d(SIG, "SHA1withECDSA", P11Signature,           s("ECDSA"),
-                 m(CKM_ECDSA_SHA1, CKM_ECDSA));
-+        d(SIG, "SHA224withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
-+                m(CKM_ECDSA));
-         d(SIG, "SHA256withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"),
-                 m(CKM_ECDSA));
-         d(SIG, "SHA384withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"),
-                 m(CKM_ECDSA));
-         d(SIG, "SHA512withECDSA",       P11Signature,
-+                s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
-                 m(CKM_ECDSA));
-         d(SIG, "MD2withRSA",    P11Signature,
-                 m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-@@ -631,11 +651,17 @@
-                 m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA1withRSA",   P11Signature,
-                 m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-+        d(SIG, "SHA224withRSA", P11Signature,
-+                s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"),
-+                m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA256withRSA", P11Signature,
-+                s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"),
-                 m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA384withRSA", P11Signature,
-+                s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"),
-                 m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA512withRSA", P11Signature,
-+                s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
-                 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
- 
-         d(KG, "SunTlsRsaPremasterSecret", "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	2015-07-20 17:24:47.085961640 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java	2015-07-20 17:43:33.190332609 +0100
-@@ -614,6 +614,7 @@
-         addMech(CKM_X9_42_DH_DERIVE,            "CKM_X9_42_DH_DERIVE");
-         addMech(CKM_X9_42_DH_HYBRID_DERIVE,     "CKM_X9_42_DH_HYBRID_DERIVE");
-         addMech(CKM_X9_42_MQV_DERIVE,           "CKM_X9_42_MQV_DERIVE");
-+        addMech(CKM_SHA224_RSA_PKCS,            "CKM_SHA224_RSA_PKCS");
-         addMech(CKM_SHA256_RSA_PKCS,            "CKM_SHA256_RSA_PKCS");
-         addMech(CKM_SHA384_RSA_PKCS,            "CKM_SHA384_RSA_PKCS");
-         addMech(CKM_SHA512_RSA_PKCS,            "CKM_SHA512_RSA_PKCS");
-@@ -659,6 +660,9 @@
-         addMech(CKM_RIPEMD160,                  "CKM_RIPEMD160");
-         addMech(CKM_RIPEMD160_HMAC,             "CKM_RIPEMD160_HMAC");
-         addMech(CKM_RIPEMD160_HMAC_GENERAL,     "CKM_RIPEMD160_HMAC_GENERAL");
-+        addMech(CKM_SHA224,                     "CKM_SHA224");
-+        addMech(CKM_SHA224_HMAC,                "CKM_SHA224_HMAC");
-+        addMech(CKM_SHA224_HMAC_GENERAL,        "CKM_SHA224_HMAC_GENERAL");
-         addMech(CKM_SHA256,                     "CKM_SHA256");
-         addMech(CKM_SHA256_HMAC,                "CKM_SHA256_HMAC");
-         addMech(CKM_SHA256_HMAC_GENERAL,        "CKM_SHA256_HMAC_GENERAL");
-@@ -718,6 +722,7 @@
-         addMech(CKM_MD5_KEY_DERIVATION,         "CKM_MD5_KEY_DERIVATION");
-         addMech(CKM_MD2_KEY_DERIVATION,         "CKM_MD2_KEY_DERIVATION");
-         addMech(CKM_SHA1_KEY_DERIVATION,        "CKM_SHA1_KEY_DERIVATION");
-+        addMech(CKM_SHA224_KEY_DERIVATION,      "CKM_SHA224_KEY_DERIVATION");
-         addMech(CKM_SHA256_KEY_DERIVATION,      "CKM_SHA256_KEY_DERIVATION");
-         addMech(CKM_SHA384_KEY_DERIVATION,      "CKM_SHA384_KEY_DERIVATION");
-         addMech(CKM_SHA512_KEY_DERIVATION,      "CKM_SHA512_KEY_DERIVATION");
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DigestBase.java openjdk/jdk/src/share/classes/sun/security/provider/DigestBase.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DigestBase.java	2015-07-20 17:22:23.412466001 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/DigestBase.java	2015-07-20 17:43:33.190332609 +0100
-@@ -39,7 +39,6 @@
-  *  . abstract void implCompress(byte[] b, int ofs);
-  *  . abstract void implDigest(byte[] out, int ofs);
-  *  . abstract void implReset();
-- *  . public abstract Object clone();
-  *
-  * See the inline documentation for details.
-  *
-@@ -61,7 +60,7 @@
-     // buffer to store partial blocks, blockSize bytes large
-     // Subclasses should not access this array directly except possibly in their
-     // implDigest() method. See MD5.java as an example.
--    final byte[] buffer;
-+    byte[] buffer;
-     // offset into buffer
-     private int bufOfs;
- 
-@@ -83,18 +82,6 @@
-         buffer = new byte[blockSize];
-     }
- 
--    /**
--     * Constructor for cloning. Replicates common data.
--     */
--    DigestBase(DigestBase base) {
--        this.algorithm = base.algorithm;
--        this.digestLength = base.digestLength;
--        this.blockSize = base.blockSize;
--        this.buffer = base.buffer.clone();
--        this.bufOfs = base.bufOfs;
--        this.bytesProcessed = base.bytesProcessed;
--    }
--
-     // return digest length. See JCA doc.
-     protected final int engineGetDigestLength() {
-         return digestLength;
-@@ -206,12 +193,11 @@
-      */
-     abstract void implReset();
- 
--    /**
--     * Clone this digest. Should be implemented as "return new MyDigest(this)".
--     * That constructor should first call "super(baseDigest)" and then copy
--     * subclass specific data.
--     */
--    public abstract Object clone();
-+    public Object clone() throws CloneNotSupportedException {
-+        DigestBase copy = (DigestBase) super.clone();
-+        copy.buffer = copy.buffer.clone();
-+        return copy;
-+    }
- 
-     // padding used for the MD5, and SHA-* message digests
-     static final byte[] padding;
-@@ -223,5 +209,4 @@
-         padding = new byte[136];
-         padding[0] = (byte)0x80;
-     }
--
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD2.java openjdk/jdk/src/share/classes/sun/security/provider/MD2.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD2.java	2015-07-20 17:22:23.416465932 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/MD2.java	2015-07-20 17:43:33.190332609 +0100
-@@ -39,14 +39,14 @@
- public final class MD2 extends DigestBase {
- 
-     // state, 48 ints
--    private final int[] X;
-+    private int[] X;
- 
-     // checksum, 16 ints. they are really bytes, but byte arithmetic in
-     // the JVM is much slower that int arithmetic.
--    private final int[] C;
-+    private int[] C;
- 
-     // temporary store for checksum C during final digest
--    private final byte[] cBytes;
-+    private byte[] cBytes;
- 
-     /**
-      * Create a new MD2 digest. Called by the JCA framework
-@@ -58,15 +58,12 @@
-         cBytes = new byte[16];
-     }
- 
--    private MD2(MD2 base) {
--        super(base);
--        this.X = base.X.clone();
--        this.C = base.C.clone();
--        cBytes = new byte[16];
--    }
--
--    public Object clone() {
--        return new MD2(this);
-+    public Object clone() throws CloneNotSupportedException {
-+        MD2 copy = (MD2) super.clone();
-+        copy.X = copy.X.clone();
-+        copy.C = copy.C.clone();
-+        copy.cBytes = new byte[16];
-+        return copy;
-     }
- 
-     // reset state and checksum
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD4.java openjdk/jdk/src/share/classes/sun/security/provider/MD4.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD4.java	2015-07-20 17:22:23.416465932 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/MD4.java	2015-07-20 17:43:33.190332609 +0100
-@@ -44,9 +44,9 @@
- public final class MD4 extends DigestBase {
- 
-     // state of this object
--    private final int[] state;
-+    private int[] state;
-     // temporary buffer, used by implCompress()
--    private final int[] x;
-+    private int[] x;
- 
-     // rotation constants
-     private static final int S11 = 3;
-@@ -91,16 +91,12 @@
-         implReset();
-     }
- 
--    // Cloning constructor
--    private MD4(MD4 base) {
--        super(base);
--        this.state = base.state.clone();
--        this.x = new int[16];
--    }
--
-     // clone this object
--    public Object clone() {
--        return new MD4(this);
-+    public Object clone() throws CloneNotSupportedException {
-+        MD4 copy = (MD4) super.clone();
-+        copy.state = copy.state.clone();
-+        copy.x = new int[16];
-+        return copy;
-     }
- 
-     /**
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD5.java openjdk/jdk/src/share/classes/sun/security/provider/MD5.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD5.java	2015-07-20 17:22:23.416465932 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/MD5.java	2015-07-20 17:43:33.190332609 +0100
-@@ -39,9 +39,9 @@
- public final class MD5 extends DigestBase {
- 
-     // state of this object
--    private final int[] state;
-+    private int[] state;
-     // temporary buffer, used by implCompress()
--    private final int[] x;
-+    private int[] x;
- 
-     // rotation constants
-     private static final int S11 = 7;
-@@ -69,16 +69,12 @@
-         implReset();
-     }
- 
--    // Cloning constructor
--    private MD5(MD5 base) {
--        super(base);
--        this.state = base.state.clone();
--        this.x = new int[16];
--    }
--
-     // clone this object
--    public Object clone() {
--        return new MD5(this);
-+    public Object clone() throws CloneNotSupportedException {
-+        MD5 copy = (MD5) super.clone();
-+        copy.state = copy.state.clone();
-+        copy.x = new int[16];
-+        return copy;
-     }
- 
-     /**
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA2.java openjdk/jdk/src/share/classes/sun/security/provider/SHA2.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA2.java	2015-07-20 17:22:23.444465443 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA2.java	2015-07-20 17:43:33.190332609 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2002, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -40,7 +40,7 @@
-  * @author      Valerie Peng
-  * @author      Andreas Sterbenz
-  */
--public final class SHA2 extends DigestBase {
-+abstract class SHA2 extends DigestBase {
- 
-     private static final int ITERATION = 64;
-     // Constants for each round
-@@ -64,46 +64,30 @@
-     };
- 
-     // buffer used by implCompress()
--    private final int[] W;
-+    private int[] W;
- 
-     // state of this object
--    private final int[] state;
-+    private int[] state;
-+
-+    // initial state value. different between SHA-224 and SHA-256
-+    private final int[] initialHashes;
- 
-     /**
-      * Creates a new SHA object.
-      */
--    public SHA2() {
--        super("SHA-256", 32, 64);
-+    SHA2(String name, int digestLength, int[] initialHashes) {
-+        super(name, digestLength, 64);
-+        this.initialHashes = initialHashes;
-         state = new int[8];
-         W = new int[64];
-         implReset();
-     }
- 
-     /**
--     * Creates a SHA2 object.with state (for cloning)
--     */
--    private SHA2(SHA2 base) {
--        super(base);
--        this.state = base.state.clone();
--        this.W = new int[64];
--    }
--
--    public Object clone() {
--        return new SHA2(this);
--    }
--
--    /**
-      * Resets the buffers and hash value to start a new hash.
-      */
-     void implReset() {
--        state[0] = 0x6a09e667;
--        state[1] = 0xbb67ae85;
--        state[2] = 0x3c6ef372;
--        state[3] = 0xa54ff53a;
--        state[4] = 0x510e527f;
--        state[5] = 0x9b05688c;
--        state[6] = 0x1f83d9ab;
--        state[7] = 0x5be0cd19;
-+        System.arraycopy(initialHashes, 0, state, 0, state.length);
-     }
- 
-     void implDigest(byte[] out, int ofs) {
-@@ -242,4 +226,38 @@
-         state[7] += h;
-     }
- 
-+    public Object clone() throws CloneNotSupportedException {
-+        SHA2 copy = (SHA2) super.clone();
-+        copy.state = copy.state.clone();
-+        copy.W = new int[64];
-+        return copy;
-+    }
-+
-+    /**
-+     * SHA-224 implementation class.
-+     */
-+    public static final class SHA224 extends SHA2 {
-+        private static final int[] INITIAL_HASHES = {
-+            0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
-+            0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4
-+        };
-+
-+        public SHA224() {
-+            super("SHA-224", 28, INITIAL_HASHES);
-+        }
-+    }
-+
-+    /**
-+     * SHA-256 implementation class.
-+     */
-+    public static final class SHA256 extends SHA2 {
-+        private static final int[] INITIAL_HASHES = {
-+            0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
-+            0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
-+        };
-+
-+        public SHA256() {
-+            super("SHA-256", 32, INITIAL_HASHES);
-+        }
-+    }
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA5.java openjdk/jdk/src/share/classes/sun/security/provider/SHA5.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA5.java	2015-07-20 17:22:23.448465374 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA5.java	2015-07-20 17:43:33.190332609 +0100
-@@ -82,10 +82,10 @@
-     };
- 
-     // buffer used by implCompress()
--    private final long[] W;
-+    private long[] W;
- 
-     // state of this object
--    private final long[] state;
-+    private long[] state;
- 
-     // initial state value. different between SHA-384 and SHA-512
-     private final long[] initialHashes;
-@@ -101,16 +101,6 @@
-         implReset();
-     }
- 
--    /**
--     * Creates a SHA object with state (for cloning)
--     */
--    SHA5(SHA5 base) {
--        super(base);
--        this.initialHashes = base.initialHashes;
--        this.state = base.state.clone();
--        this.W = new long[80];
--    }
--
-     final void implReset() {
-         System.arraycopy(initialHashes, 0, state, 0, state.length);
-     }
-@@ -255,6 +245,13 @@
-         state[7] += h;
-     }
- 
-+    public Object clone() throws CloneNotSupportedException {
-+        SHA5 copy = (SHA5) super.clone();
-+        copy.state = copy.state.clone();
-+        copy.W = new long[80];
-+        return copy;
-+    }
-+
-     /**
-      * SHA-512 implementation class.
-      */
-@@ -270,14 +267,6 @@
-         public SHA512() {
-             super("SHA-512", 64, INITIAL_HASHES);
-         }
--
--        private SHA512(SHA512 base) {
--            super(base);
--        }
--
--        public Object clone() {
--            return new SHA512(this);
--        }
-     }
- 
-     /**
-@@ -295,14 +284,5 @@
-         public SHA384() {
-             super("SHA-384", 48, INITIAL_HASHES);
-         }
--
--        private SHA384(SHA384 base) {
--            super(base);
--        }
--
--        public Object clone() {
--            return new SHA384(this);
--        }
-     }
--
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA.java openjdk/jdk/src/share/classes/sun/security/provider/SHA.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA.java	2015-07-20 17:22:23.444465443 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA.java	2015-07-20 17:43:33.190332609 +0100
-@@ -47,10 +47,10 @@
-     // 64 bytes are included in each hash block so the low order
-     // bits of count are used to know how to pack the bytes into ints
-     // and to know when to compute the block and start the next one.
--    private final int[] W;
-+    private int[] W;
- 
-     // state of this
--    private final int[] state;
-+    private int[] state;
- 
-     /**
-      * Creates a new SHA object.
-@@ -62,19 +62,14 @@
-         implReset();
-     }
- 
--    /**
--     * Creates a SHA object.with state (for cloning) */
--    private SHA(SHA base) {
--        super(base);
--        this.state = base.state.clone();
--        this.W = new int[80];
--    }
--
-     /*
-      * Clones this object.
-      */
--    public Object clone() {
--        return new SHA(this);
-+    public Object clone() throws CloneNotSupportedException {
-+        SHA copy = (SHA) super.clone();
-+        copy.state = copy.state.clone();
-+        copy.W = new int[80];
-+        return copy;
-     }
- 
-     /**
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java	2015-07-20 17:22:23.448465374 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java	2015-07-20 17:43:33.190332609 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -43,6 +43,10 @@
-  *   identifier strings "OID.1.3.14.3.2.13", "OID.1.3.14.3.2.27" and
-  *   "OID.1.2.840.10040.4.3".
-  *
-+ * - SHA-2 is a set of message digest schemes described in FIPS 180-2.
-+ *   SHA-2 family of hash functions includes SHA-224, SHA-256, SHA-384,
-+ *   and SHA-512.
-+ *
-  * - DSA is the key generation scheme as described in FIPS 186.
-  *   Aliases for DSA include the OID strings "OID.1.3.14.3.2.12"
-  *   and "OID.1.2.840.10040.4.1".
-@@ -140,9 +144,19 @@
-         map.put("Alg.Alias.MessageDigest.SHA-1", "SHA");
-         map.put("Alg.Alias.MessageDigest.SHA1", "SHA");
- 
--        map.put("MessageDigest.SHA-256", "sun.security.provider.SHA2");
-+        map.put("MessageDigest.SHA-224", "sun.security.provider.SHA2$SHA224");
-+        map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.4", "SHA-224");
-+        map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.4", "SHA-224");
-+
-+        map.put("MessageDigest.SHA-256", "sun.security.provider.SHA2$SHA256");
-+        map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.1", "SHA-256");
-+        map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.1", "SHA-256");
-         map.put("MessageDigest.SHA-384", "sun.security.provider.SHA5$SHA384");
-+        map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.2", "SHA-384");
-+        map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.2", "SHA-384");
-         map.put("MessageDigest.SHA-512", "sun.security.provider.SHA5$SHA512");
-+        map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.3", "SHA-512");
-+        map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.3", "SHA-512");
- 
-         /*
-          * Algorithm Parameter Generator engines
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/rsa/RSASignature.java openjdk/jdk/src/share/classes/sun/security/rsa/RSASignature.java
---- openjdk.orig/jdk/src/share/classes/sun/security/rsa/RSASignature.java	2015-07-20 17:24:47.093961501 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/rsa/RSASignature.java	2015-07-20 17:43:33.190332609 +0100
-@@ -39,8 +39,8 @@
-  * PKCS#1 RSA signatures with the various message digest algorithms.
-  * This file contains an abstract base class with all the logic plus
-  * a nested static class for each of the message digest algorithms
-- * (see end of the file). We support MD2, MD5, SHA-1, SHA-256, SHA-384,
-- * and SHA-512.
-+ * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256,
-+ * SHA-384, and SHA-512.
-  *
-  * @since   1.5
-  * @author  Andreas Sterbenz
-@@ -270,6 +270,13 @@
-         }
-     }
- 
-+    // Nested class for SHA224withRSA signatures
-+    public static final class SHA224withRSA extends RSASignature {
-+        public SHA224withRSA() {
-+            super("SHA-224", AlgorithmId.SHA224_oid, 11);
-+        }
-+    }
-+
-     // Nested class for SHA256withRSA signatures
-     public static final class SHA256withRSA extends RSASignature {
-         public SHA256withRSA() {
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java
---- openjdk.orig/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java	2015-07-20 17:22:24.016455473 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java	2015-07-20 17:43:33.190332609 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -52,6 +52,8 @@
-                 "sun.security.rsa.RSASignature$MD5withRSA");
-         map.put("Signature.SHA1withRSA",
-                 "sun.security.rsa.RSASignature$SHA1withRSA");
-+        map.put("Signature.SHA224withRSA",
-+                "sun.security.rsa.RSASignature$SHA224withRSA");
-         map.put("Signature.SHA256withRSA",
-                 "sun.security.rsa.RSASignature$SHA256withRSA");
-         map.put("Signature.SHA384withRSA",
-@@ -66,6 +68,7 @@
-         map.put("Signature.MD2withRSA SupportedKeyClasses", rsaKeyClasses);
-         map.put("Signature.MD5withRSA SupportedKeyClasses", rsaKeyClasses);
-         map.put("Signature.SHA1withRSA SupportedKeyClasses", rsaKeyClasses);
-+        map.put("Signature.SHA224withRSA SupportedKeyClasses", rsaKeyClasses);
-         map.put("Signature.SHA256withRSA SupportedKeyClasses", rsaKeyClasses);
-         map.put("Signature.SHA384withRSA SupportedKeyClasses", rsaKeyClasses);
-         map.put("Signature.SHA512withRSA SupportedKeyClasses", rsaKeyClasses);
-@@ -88,6 +91,9 @@
-         map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5", "SHA1withRSA");
-         map.put("Alg.Alias.Signature.1.3.14.3.2.29",            "SHA1withRSA");
- 
-+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14",     "SHA224withRSA");
-+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA");
-+
-         map.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",     "SHA256withRSA");
-         map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.11", "SHA256withRSA");
- 
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java
---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java	2015-07-20 17:41:00.468994682 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -175,9 +175,9 @@
-             // it's NULL. They are ---
-             // rfc3370 2.1: Implementations SHOULD generate SHA-1
-             // AlgorithmIdentifiers with absent parameters.
--            // rfc3447 C1: When id-sha1, id-sha256, id-sha384 and id-sha512
--            // are used in an AlgorithmIdentifier the parameters (which are
--            // optional) SHOULD be omitted.
-+            // rfc3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and
-+            // id-sha512 are used in an AlgorithmIdentifier the parameters
-+            // (which are optional) SHOULD be omitted.
-             // rfc3279 2.3.2: The id-dsa algorithm syntax includes optional
-             // domain parameters... When omitted, the parameters component
-             // MUST be omitted entirely
-@@ -185,6 +185,7 @@
-             // is used, the AlgorithmIdentifier parameters field MUST be absent.
-             /*if (
-                 algid.equals((Object)SHA_oid) ||
-+                algid.equals((Object)SHA224_oid) ||
-                 algid.equals((Object)SHA256_oid) ||
-                 algid.equals((Object)SHA384_oid) ||
-                 algid.equals((Object)SHA512_oid) ||
-@@ -488,7 +489,10 @@
-             name.equalsIgnoreCase("SHA512")) {
-             return AlgorithmId.SHA512_oid;
-         }
--
-+        if (name.equalsIgnoreCase("SHA-224") ||
-+            name.equalsIgnoreCase("SHA224")) {
-+            return AlgorithmId.SHA224_oid;
-+        }
- 
-         // Various public key algorithms
-         if (name.equalsIgnoreCase("RSA")) {
-@@ -613,6 +617,9 @@
-     public static final ObjectIdentifier SHA_oid =
-     ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26});
- 
-+    public static final ObjectIdentifier SHA224_oid =
-+    ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 4});
-+
-     public static final ObjectIdentifier SHA256_oid =
-     ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1});
- 
-@@ -652,6 +659,8 @@
-                                        { 1, 2, 840, 113549, 1, 1, 5 };
-     private static final int sha1WithRSAEncryption_OIW_data[] =
-                                        { 1, 3, 14, 3, 2, 29 };
-+    private static final int sha224WithRSAEncryption_data[] =
-+                                       { 1, 2, 840, 113549, 1, 1, 14 };
-     private static final int sha256WithRSAEncryption_data[] =
-                                        { 1, 2, 840, 113549, 1, 1, 11 };
-     private static final int sha384WithRSAEncryption_data[] =
-@@ -669,6 +678,7 @@
-     public static final ObjectIdentifier md5WithRSAEncryption_oid;
-     public static final ObjectIdentifier sha1WithRSAEncryption_oid;
-     public static final ObjectIdentifier sha1WithRSAEncryption_OIW_oid;
-+    public static final ObjectIdentifier sha224WithRSAEncryption_oid;
-     public static final ObjectIdentifier sha256WithRSAEncryption_oid;
-     public static final ObjectIdentifier sha384WithRSAEncryption_oid;
-     public static final ObjectIdentifier sha512WithRSAEncryption_oid;
-@@ -798,6 +808,14 @@
-             ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data);
- 
-     /**
-+     * Identifies a signing algorithm where a SHA224 digest is
-+     * encrypted using an RSA private key; defined by PKCS #1.
-+     * OID = 1.2.840.113549.1.1.14
-+     */
-+        sha224WithRSAEncryption_oid =
-+            ObjectIdentifier.newInternal(sha224WithRSAEncryption_data);
-+
-+    /**
-      * Identifies a signing algorithm where a SHA256 digest is
-      * encrypted using an RSA private key; defined by PKCS #1.
-      * OID = 1.2.840.113549.1.1.11
-@@ -847,6 +865,7 @@
-         nameTable.put(MD5_oid, "MD5");
-         nameTable.put(MD2_oid, "MD2");
-         nameTable.put(SHA_oid, "SHA");
-+        nameTable.put(SHA224_oid, "SHA224");
-         nameTable.put(SHA256_oid, "SHA256");
-         nameTable.put(SHA384_oid, "SHA384");
-         nameTable.put(SHA512_oid, "SHA512");
-@@ -869,6 +888,7 @@
-         nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA");
-         nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA");
-         nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA");
-+        nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA");
-         nameTable.put(sha256WithRSAEncryption_oid, "SHA256withRSA");
-         nameTable.put(sha384WithRSAEncryption_oid, "SHA384withRSA");
-         nameTable.put(sha512WithRSAEncryption_oid, "SHA512withRSA");
-diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java
---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	2015-07-20 17:21:55.340955313 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	2015-07-20 17:43:33.194332538 +0100
-@@ -49,6 +49,7 @@
-  * following algorithm names:
-  *
-  *  . "SHA1withRSA"
-+ *  . "SHA224withRSA"
-  *  . "MD5withRSA"
-  *  . "MD2withRSA"
-  *
-@@ -90,6 +91,12 @@
-         }
-     }
- 
-+    public static final class SHA224 extends RSASignature {
-+        public SHA224() {
-+            super("SHA-224");
-+        }
-+    }
-+
-     public static final class MD5 extends RSASignature {
-         public MD5() {
-             super("MD5");
-diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java
---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	2015-07-20 17:21:55.688949247 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -81,6 +81,10 @@
-          */
-         map.put("Signature.SHA1withRSA",
-             "sun.security.mscapi.RSASignature$SHA1");
-+        map.put("Signature.SHA224withRSA",
-+            "sun.security.mscapi.RSASignature$SHA224");
-+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14",     "SHA224withRSA");
-+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA");
-         map.put("Signature.MD5withRSA",
-             "sun.security.mscapi.RSASignature$MD5");
-         map.put("Signature.MD2withRSA",
-@@ -89,6 +93,8 @@
-         // supported key classes
-         map.put("Signature.SHA1withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
-+        map.put("Signature.SHA224withRSA SupportedKeyClasses",
-+            "sun.security.mscapi.Key");
-         map.put("Signature.MD5withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
-         map.put("Signature.MD2withRSA SupportedKeyClasses",
-diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java
---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java	2015-07-20 17:22:00.164871228 +0100
-+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -58,6 +58,7 @@
-         Cipher.getInstance("RSA/ECB/OAEPwithMD5andMGF1Padding");
-         Cipher.getInstance("RSA/ECB/OAEPwithSHA1andMGF1Padding");
-         Cipher.getInstance("RSA/ECB/OAEPwithSHA-1andMGF1Padding");
-+        Cipher.getInstance("RSA/ECB/OAEPwithSHA-224andMGF1Padding");
-         Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding");
-         Cipher.getInstance("RSA/ECB/OAEPwithSHA-384andMGF1Padding");
-         Cipher.getInstance("RSA/ECB/OAEPwithSHA-512andMGF1Padding");
-@@ -88,6 +89,18 @@
-         // tests alias works
-         testEncryptDecrypt("SHA-1", 16);
- 
-+        // basic test using SHA-224
-+        testEncryptDecrypt("SHA-224", 0);
-+        testEncryptDecrypt("SHA-224", 16);
-+        testEncryptDecrypt("SHA-224", 38);
-+        try {
-+            testEncryptDecrypt("SHA-224", 39);
-+            throw new Exception("Unexpectedly completed call");
-+        } catch (IllegalBlockSizeException e) {
-+            // ok
-+            System.out.println(e);
-+        }
-+
-         // basic test using SHA-256
-         testEncryptDecrypt("SHA-256", 0);
-         testEncryptDecrypt("SHA-256", 16);
-@@ -195,6 +208,7 @@
-         System.out.println("Done (" + (stop - start) + " ms).");
-     }
- 
-+    // NOTE: OAEP can process up to (modLen - 2*digestLen - 2) bytes of data
-     private static void testEncryptDecrypt(String hashAlg, int dataLength) throws Exception {
-         System.out.println("Testing OAEP with hash " + hashAlg + ", " + dataLength + " bytes");
-         Cipher c = Cipher.getInstance("RSA/ECB/OAEPwith" + hashAlg + "andMGF1Padding", cp);
-diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java
---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java	2015-07-20 17:22:00.172871088 +0100
-+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -121,6 +121,7 @@
-     public static void main(String[] argv) throws Exception {
-         boolean status = true;
-         byte[] p = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04 };
-+        status &= runTest("SHA-224", MGF1ParameterSpec.SHA224, p);
-         status &= runTest("SHA-256", MGF1ParameterSpec.SHA256, p);
-         status &= runTest("SHA-384", MGF1ParameterSpec.SHA384, p);
-         status &= runTest("SHA-512", MGF1ParameterSpec.SHA512, p);
-diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java
---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java	2015-07-20 17:22:00.172871088 +0100
-+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -47,10 +47,10 @@
-     private static Random random = new Random();
- 
-     private static String MD[] = {
--        "MD5", "SHA1", "SHA-256"
-+        "MD5", "SHA1", "SHA-224", "SHA-256"
-     };
-     private static int DATA_LENGTH[] = {
--        62, 54, 30
-+        62, 54, 34, 30
-     };
-     public static void main(String[] args) throws Exception {
-         long start = System.currentTimeMillis();
-diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java openjdk/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java
---- openjdk.orig/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java	2015-07-20 17:22:00.244869833 +0100
-+++ openjdk/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java	2015-07-20 17:43:33.194332538 +0100
-@@ -23,7 +23,7 @@
- 
- /*
-  * @test
-- * @bug 4628062
-+ * @bug 4628062 4963723
-  * @summary Verify that AES KeyGenerator supports default initialization
-  *      when init is not called
-  * @author Valerie Peng
-@@ -34,39 +34,45 @@
- 
- public class Test4628062 {
- 
--    private static final String ALGO = "AES";
--    private static final int[] KEYSIZES =
--        { 16, 24, 32 }; // in bytes
-+    private static final int[] AES_SIZES = { 16, 24, 32 }; // in bytes
-+    private static final int[] HMACSHA224_SIZES = { 28 };
-+    private static final int[] HMACSHA256_SIZES = { 32 };
-+    private static final int[] HMACSHA384_SIZES = { 48 };
-+    private static final int[] HMACSHA512_SIZES = { 64 };
- 
--    public boolean execute() throws Exception {
--        KeyGenerator kg = KeyGenerator.getInstance(ALGO, "SunJCE");
-+    public boolean execute(String algo, int[] keySizes) throws Exception {
-+        KeyGenerator kg = KeyGenerator.getInstance(algo, "SunJCE");
- 
-         // TEST FIX 4628062
-         Key keyWithDefaultSize = kg.generateKey();
-         byte[] encoding = keyWithDefaultSize.getEncoded();
--        if (encoding.length == 0) {
-+        int defKeyLen = encoding.length ;
-+        if (defKeyLen == 0) {
-             throw new Exception("default key length is 0!");
-+        } else if (defKeyLen != keySizes[0]) {
-+            throw new Exception("default key length mismatch!");
-         }
- 
-         // BONUS TESTS
--        // 1. call init(int keysize) with various valid key sizes
--        // and see if the generated key is the right size.
--        for (int i=0; i 1) {
-+            // 1. call init(int keysize) with various valid key sizes
-+            // and see if the generated key is the right size.
-+            for (int i=0; i 512) {
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java openjdk/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java	2015-07-20 17:21:59.240887334 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -81,6 +81,7 @@
-         testSignature("MD2withRSA", privateKey, publicKey);
-         testSignature("MD5withRSA", privateKey, publicKey);
-         testSignature("SHA1withRSA", privateKey, publicKey);
-+        testSignature("SHA224withRSA", privateKey, publicKey);
-         testSignature("SHA256withRSA", privateKey, publicKey);
-         RSAPublicKey rsaKey = (RSAPublicKey)publicKey;
-         if (rsaKey.getModulus().bitLength() > 512) {
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java openjdk/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java	2015-07-20 17:21:58.944892493 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -37,7 +37,7 @@
-     }
-     public void main(Provider p) throws Exception {
-         boolean isValidKeyLength[] = { true, true, false, false };  
--        String algos[] = { "SHA1withRSA", "SHA256withRSA", 
-+        String algos[] = { "SHA1withRSA", "SHA224withRSA", "SHA256withRSA",
-                            "SHA384withRSA", "SHA512withRSA" };
-         KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p);
-         kpg.initialize(512);
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java openjdk/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java
---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java	2015-07-20 17:22:00.528864883 +0100
-+++ openjdk/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 4819771 4834179 5008306
-+ * @bug 4819771 4834179 5008306 4963723
-  * @summary Basic known-answer-test for all our MessageDigest algorithms
-  * @author Andreas Sterbenz
-  */
-@@ -190,6 +190,12 @@
-         t("SHA1", ALONG, "ce:56:53:59:08:04:ba:a9:36:9f:72:d4:83:ed:9e:ba:72:f0:4d:29"),
-         t("SHA1", BLONG, "1d:a8:1a:de:8d:1e:d0:82:ba:12:13:e2:56:26:30:fc:05:b8:8d:a6"),
- 
-+        t("SHA-224", s(""), "d1:4a:02:8c:2a:3a:2b:c9:47:61:02:bb:28:82:34:c4:15:a2:b0:1f:82:8e:a6:2a:c5:b3:e4:2f"),
-+        t("SHA-224", s("abc"), "23:09:7d:22:34:05:d8:22:86:42:a4:77:bd:a2:55:b3:2a:ad:bc:e4:bd:a0:b3:f7:e3:6c:9d:a7"),
-+        t("SHA-224", s("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), "75:38:8b:16:51:27:76:cc:5d:ba:5d:a1:fd:89:01:50:b0:c6:45:5c:b4:f5:8b:19:52:52:25:25"),
-+        t("SHA-224", s("The quick brown fox jumps over the lazy dog"), "73:0e:10:9b:d7:a8:a3:2b:1c:b9:d9:a0:9a:a2:32:5d:24:30:58:7d:db:c0:c3:8b:ad:91:15:25"),
-+        t("SHA-224", s("The quick brown fox jumps over the lazy dog."), "61:9c:ba:8e:8e:05:82:6e:9b:8c:51:9c:0a:5c:68:f4:fb:65:3e:8a:3d:8a:a0:4b:b2:c8:cd:4c"),
-+
-         t("SHA-256", s(""), "e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55"),
-         t("SHA-256", s("a"), "ca:97:81:12:ca:1b:bd:ca:fa:c2:31:b3:9a:23:dc:4d:a7:86:ef:f8:14:7c:4e:72:b9:80:77:85:af:ee:48:bb"),
-         t("SHA-256", s("abc"), "ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad"),
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/Offsets.java openjdk/jdk/test/sun/security/provider/MessageDigest/Offsets.java
---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/Offsets.java	2015-07-20 17:22:00.564864256 +0100
-+++ openjdk/jdk/test/sun/security/provider/MessageDigest/Offsets.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -80,6 +80,7 @@
-         test("MD2", 0, 64, 0, 128);
-         test("MD5", 0, 64, 0, 128);
-         test("SHA1", 0, 64, 0, 128);
-+        test("SHA-224", 0, 64, 0, 128);
-         test("SHA-256", 0, 64, 0, 128);
-         test("SHA-384", 0, 128, 0, 256);
-         test("SHA-512", 0, 128, 0, 256);
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java openjdk/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java
---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java	2015-07-20 17:22:00.744861118 +0100
-+++ openjdk/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2002, 2003, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -24,7 +24,7 @@
- /**
-  * @test
-  * @bug 4775971
-- * @summary test the clone implementation of SHA, SHA-256,
-+ * @summary test the clone implementation of SHA, SHA-224, SHA-256,
-  *          SHA-384, SHA-512 MessageDigest implementation.
-  */
- import java.security.*;
-@@ -33,7 +33,7 @@
- public class TestSHAClone {
- 
-     private static final String[] ALGOS = {
--        "SHA", "SHA-256", "SHA-512", "SHA-384"
-+        "SHA", "SHA-224", "SHA-256", "SHA-512", "SHA-384"
-     };
- 
-     private static byte[] input1 = {
-diff -Nru openjdk.orig/jdk/test/sun/security/rsa/TestKeyPairGenerator.java openjdk/jdk/test/sun/security/rsa/TestKeyPairGenerator.java
---- openjdk.orig/jdk/test/sun/security/rsa/TestKeyPairGenerator.java	2015-07-20 17:22:01.512847732 +0100
-+++ openjdk/jdk/test/sun/security/rsa/TestKeyPairGenerator.java	2015-07-20 17:43:33.194332538 +0100
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 4853305 4865198 4888410
-+ * @bug 4853305 4865198 4888410 4963723
-  * @summary Verify that the RSA KeyPairGenerator works
-  * @author Andreas Sterbenz
-  */
-@@ -60,6 +60,7 @@
-         testSignature("MD2withRSA", privateKey, publicKey);
-         testSignature("MD5withRSA", privateKey, publicKey);
-         testSignature("SHA1withRSA", privateKey, publicKey);
-+        testSignature("SHA224withRSA", privateKey, publicKey);
-         testSignature("SHA256withRSA", privateKey, publicKey);
-         RSAPublicKey rsaKey = (RSAPublicKey)publicKey;
-         if (rsaKey.getModulus().bitLength() > 512) {
-diff -Nru openjdk.orig/jdk/test/sun/security/rsa/TestSignatures.java openjdk/jdk/test/sun/security/rsa/TestSignatures.java
---- openjdk.orig/jdk/test/sun/security/rsa/TestSignatures.java	2015-07-20 17:22:01.516847662 +0100
-+++ openjdk/jdk/test/sun/security/rsa/TestSignatures.java	2015-07-20 17:43:33.194332538 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 4853305
-+ * @bug 4853305 4963723
-  * @summary Test signing/verifying using all the signature algorithms
-  * @author Andreas Sterbenz
-  */
-@@ -80,6 +80,7 @@
-         testSignature("MD2withRSA", privateKey, publicKey);
-         testSignature("MD5withRSA", privateKey, publicKey);
-         testSignature("SHA1withRSA", privateKey, publicKey);
-+        testSignature("SHA224withRSA", privateKey, publicKey);
-         testSignature("SHA256withRSA", privateKey, publicKey);
-         RSAPublicKey rsaKey = (RSAPublicKey)publicKey;
-         if (rsaKey.getModulus().bitLength() > 512) {
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/6578658-sunmscapi_nonewithrsa.patch
--- a/patches/openjdk/6578658-sunmscapi_nonewithrsa.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,602 +0,0 @@
-# HG changeset patch
-# User vinnie
-# Date 1412805665 -3600
-#      Wed Oct 08 23:01:05 2014 +0100
-# Node ID 29dda8a543712fa28e76a963b6310e6a6a1b66d6
-# Parent  c4a0ef23f3c4f3f7ab264e518fe8c6b4fa4f6683
-6578658: Request for raw RSA (NONEwithRSA) Signature support in SunMSCAPI
-Reviewed-by: wetmore
-
-diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/classes/sun/security/mscapi/RSASignature.java
---- openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	Wed Oct 08 22:54:43 2014 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	Wed Oct 08 23:01:05 2014 +0100
-@@ -48,6 +48,7 @@
-  * Objects should be instantiated by calling Signature.getInstance() using the
-  * following algorithm names:
-  *
-+ *  . "NONEwithRSA"
-  *  . "SHA1withRSA"
-  *  . "SHA224withRSA"
-  *  . "SHA256withRSA"
-@@ -56,7 +57,12 @@
-  *  . "MD5withRSA"
-  *  . "MD2withRSA"
-  *
-- * Note: RSA keys must be at least 512 bits long
-+ * NOTE: RSA keys must be at least 512 bits long.
-+ *
-+ * NOTE: NONEwithRSA must be supplied with a pre-computed message digest.
-+ *       Only the following digest algorithms are supported: MD5, SHA-1,
-+ *       SHA-224, SHA-256, SHA-384, SHA-512 and a special-purpose digest
-+ *       algorithm which is a concatenation of SHA-1 and MD5 digests.
-  *
-  * @since   1.6
-  * @author  Stanley Man-Kit Ho
-@@ -67,7 +73,7 @@
-     private final MessageDigest messageDigest;
- 
-     // message digest name
--    private final String messageDigestAlgorithm;
-+    private String messageDigestAlgorithm;
- 
-     // flag indicating whether the digest has been reset
-     private boolean needsReset;
-@@ -78,6 +84,13 @@
-     // the verification key
-     private Key publicKey = null;
- 
-+    /**
-+     * Constructs a new RSASignature. Used by Raw subclass.
-+     */
-+    RSASignature() {
-+        messageDigest = null;
-+        messageDigestAlgorithm = null;
-+    }
- 
-     /**
-      * Constructs a new RSASignature. Used by subclasses.
-@@ -96,6 +109,96 @@
-         needsReset = false;
-     }
- 
-+    // Nested class for NONEwithRSA signatures
-+    public static final class Raw extends RSASignature {
-+
-+        // the longest supported digest is 512 bits (SHA-512)
-+        private static final int RAW_RSA_MAX = 64;
-+
-+        private final byte[] precomputedDigest;
-+        private int offset = 0;
-+
-+        public Raw() {
-+            precomputedDigest = new byte[RAW_RSA_MAX];
-+        }
-+
-+        // Stores the precomputed message digest value.
-+        @Override
-+        protected void engineUpdate(byte b) throws SignatureException {
-+            if (offset >= precomputedDigest.length) {
-+                offset = RAW_RSA_MAX + 1;
-+                return;
-+            }
-+            precomputedDigest[offset++] = b;
-+        }
-+
-+        // Stores the precomputed message digest value.
-+        @Override
-+        protected void engineUpdate(byte[] b, int off, int len)
-+                throws SignatureException {
-+            if (offset + len > precomputedDigest.length) {
-+                offset = RAW_RSA_MAX + 1;
-+                return;
-+            }
-+            System.arraycopy(b, off, precomputedDigest, offset, len);
-+            offset += len;
-+        }
-+
-+        // Stores the precomputed message digest value.
-+        @Override
-+        protected void engineUpdate(ByteBuffer byteBuffer) {
-+            int len = byteBuffer.remaining();
-+            if (len <= 0) {
-+                return;
-+            }
-+            if (offset + len > precomputedDigest.length) {
-+                offset = RAW_RSA_MAX + 1;
-+                return;
-+            }
-+            byteBuffer.get(precomputedDigest, offset, len);
-+            offset += len;
-+        }
-+
-+        @Override
-+        protected void resetDigest(){
-+            offset = 0;
-+        }
-+
-+        // Returns the precomputed message digest value.
-+        @Override
-+        protected byte[] getDigestValue() throws SignatureException {
-+            if (offset > RAW_RSA_MAX) {
-+                throw new SignatureException("Message digest is too long");
-+            }
-+
-+            // Determine the digest algorithm from the digest length
-+            if (offset == 20) {
-+                setDigestName("SHA1");
-+            } else if (offset == 36) {
-+                setDigestName("SHA1+MD5");
-+            } else if (offset == 32) {
-+                setDigestName("SHA-256");
-+            } else if (offset == 48) {
-+                setDigestName("SHA-384");
-+            } else if (offset == 64) {
-+                setDigestName("SHA-512");
-+            } else if (offset == 16) {
-+                setDigestName("MD5");
-+            } else if (offset == 28) {
-+                setDigestName("SHA-224");
-+            } else {
-+                throw new SignatureException(
-+                    "Message digest length is not supported");
-+            }
-+
-+            byte[] result = new byte[offset];
-+            System.arraycopy(precomputedDigest, 0, result, 0, offset);
-+            offset = 0;
-+
-+            return result;
-+        }
-+    }
-+
-     public static final class SHA1 extends RSASignature {
-         public SHA1() {
-             super("SHA1");
-@@ -205,18 +308,22 @@
-     /**
-      * Resets the message digest if needed.
-      */
--    private void resetDigest() {
-+    protected void resetDigest() {
-         if (needsReset) {
-             messageDigest.reset();
-             needsReset = false;
-         }
-     }
- 
--    private byte[] getDigestValue() {
-+    protected byte[] getDigestValue() throws SignatureException {
-         needsReset = false;
-         return messageDigest.digest();
-     }
- 
-+    protected void setDigestName(String name) {
-+        messageDigestAlgorithm = name;
-+    }
-+
-     /**
-      * Updates the data to be signed or verified
-      * using the specified byte.
-@@ -278,9 +385,12 @@
- 
-         byte[] hash = getDigestValue();
- 
-+        // Omit the hash OID when generating a Raw signature
-+        boolean noHashOID = this instanceof Raw;
-+
-         // Sign hash using MS Crypto APIs
- 
--        byte[] result = signHash(hash, hash.length,
-+        byte[] result = signHash(noHashOID, hash, hash.length,
-             messageDigestAlgorithm, privateKey.getHCryptProvider(),
-             privateKey.getHCryptKey());
- 
-@@ -309,8 +419,8 @@
-      * Sign hash using Microsoft Crypto API with HCRYPTKEY.
-      * The returned data is in little-endian.
-      */
--    private native static byte[] signHash(byte[] hash, int hashSize,
--        String hashAlgorithm, long hCryptProv, long hCryptKey)
-+    private native static byte[] signHash(boolean noHashOID, byte[] hash,
-+        int hashSize, String hashAlgorithm, long hCryptProv, long hCryptKey)
-             throws SignatureException;
- 
-     /**
-diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/classes/sun/security/mscapi/SunMSCAPI.java
---- openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	Wed Oct 08 22:54:43 2014 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	Wed Oct 08 23:01:05 2014 +0100
-@@ -79,6 +79,12 @@
-         /*
-          * Signature engines
-          */
-+        // NONEwithRSA must be supplied with a pre-computed message digest.
-+        // Only the following digest algorithms are supported: MD5, SHA-1,
-+        // SHA-224, SHA-256, SHA-384, SHA-512 and a special-purpose digest
-+        // algorithm which is a concatenation of SHA-1 and MD5 digests.
-+        map.put("Signature.NONEwithRSA",
-+            "sun.security.mscapi.RSASignature$Raw");
-         map.put("Signature.SHA1withRSA",
-             "sun.security.mscapi.RSASignature$SHA1");
-         map.put("Signature.SHA224withRSA",
-@@ -105,6 +111,8 @@
-             "sun.security.mscapi.RSASignature$MD2");
- 
-         // supported key classes
-+        map.put("Signature.NONEwithRSA SupportedKeyClasses",
-+            "sun.security.mscapi.Key");
-         map.put("Signature.SHA1withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
-         map.put("Signature.SHA224withRSA SupportedKeyClasses",
-diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/native/sun/security/mscapi/security.cpp
---- openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp	Wed Oct 08 22:54:43 2014 +0100
-+++ openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp	Wed Oct 08 23:01:05 2014 +0100
-@@ -79,6 +79,8 @@
-         (strcmp("SHA-1", pszHashAlgorithm) == 0)) {
- 
-         algId = CALG_SHA1;
-+    } else if (strcmp("SHA1+MD5", pszHashAlgorithm) == 0) {
-+        algId = CALG_SSL3_SHAMD5; // a 36-byte concatenation of SHA-1 and MD5
-     } else if (strcmp("SHA-256", pszHashAlgorithm) == 0) {
-         algId = CALG_SHA_256;
-     } else if (strcmp("SHA-384", pszHashAlgorithm) == 0) {
-@@ -471,11 +473,12 @@
- /*
-  * Class:     sun_security_mscapi_RSASignature
-  * Method:    signHash
-- * Signature: ([BILjava/lang/String;JJ)[B
-+ * Signature: (Z[BILjava/lang/String;JJ)[B
-  */
- JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSASignature_signHash
--  (JNIEnv *env, jclass clazz, jbyteArray jHash, jint jHashSize,
--        jstring jHashAlgorithm, jlong hCryptProv, jlong hCryptKey)
-+  (JNIEnv *env, jclass clazz, jboolean noHashOID, jbyteArray jHash,
-+        jint jHashSize, jstring jHashAlgorithm, jlong hCryptProv,
-+        jlong hCryptKey)
- {
-     HCRYPTHASH hHash = NULL;
-     jbyte* pHashBuffer = NULL;
-@@ -546,14 +549,20 @@
- 
-         // Determine size of buffer
-         DWORD dwBufLen = 0;
--        if (::CryptSignHash(hHash, dwKeySpec, NULL, NULL, NULL, &dwBufLen) == FALSE)
-+        DWORD dwFlags = 0;
-+
-+        if (noHashOID == JNI_TRUE) {
-+            dwFlags = CRYPT_NOHASHOID; // omit hash OID in NONEwithRSA signature
-+        }
-+
-+        if (::CryptSignHash(hHash, dwKeySpec, NULL, dwFlags, NULL, &dwBufLen) == FALSE)
-         {
-             ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-             __leave;
-         }
- 
-         pSignedHashBuffer = new jbyte[dwBufLen];
--        if (::CryptSignHash(hHash, dwKeySpec, NULL, NULL, (BYTE*)pSignedHashBuffer, &dwBufLen) == FALSE)
-+        if (::CryptSignHash(hHash, dwKeySpec, NULL, dwFlags, (BYTE*)pSignedHashBuffer, &dwBufLen) == FALSE)
-         {
-             ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-             __leave;
-diff -r c4a0ef23f3c4 -r 29dda8a54371 test/sun/security/mscapi/SignUsingNONEwithRSA.java
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/jdk/test/sun/security/mscapi/SignUsingNONEwithRSA.java	Wed Oct 08 23:01:05 2014 +0100
-@@ -0,0 +1,231 @@
-+/*
-+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/**
-+ * @see SignUsingNONEwithRSA.sh
-+ */
-+
-+import java.security.*;
-+import java.util.*;
-+
-+public class SignUsingNONEwithRSA {
-+
-+    private static final List precomputedHashes = Arrays.asList(
-+        // A MD5 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16
-+        },
-+        // A SHA-1 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20
-+        },
-+        // A concatenation of SHA-1 and MD5 hashes (used during SSL handshake)
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20,
-+            0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
-+            0x31, 0x32, 0x33, 0x34, 0x35, 0x36
-+        },
-+        // A SHA-224 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20,
-+            0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28
-+        },
-+        // A SHA-256 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20,
-+            0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
-+            0x31, 0x32
-+        },
-+        // A SHA-384 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20,
-+            0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
-+            0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40,
-+            0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48
-+        },
-+        // A SHA-512 hash
-+        new byte[] {
-+            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10,
-+            0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20,
-+            0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30,
-+            0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40,
-+            0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x50,
-+            0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x60,
-+            0x61, 0x62, 0x63, 0x64
-+        });
-+
-+    private static List generatedSignatures = new ArrayList<>();
-+
-+    public static void main(String[] args) throws Exception {
-+
-+        Provider[] providers = Security.getProviders("Signature.NONEwithRSA");
-+        if (providers == null) {
-+            System.out.println("No JCE providers support the " +
-+                "'Signature.NONEwithRSA' algorithm");
-+            System.out.println("Skipping this test...");
-+            return;
-+
-+        } else {
-+            System.out.println("The following JCE providers support the " +
-+                "'Signature.NONEwithRSA' algorithm: ");
-+            for (Provider provider : providers) {
-+                System.out.println("    " + provider.getName());
-+            }
-+        }
-+        System.out.println("-------------------------------------------------");
-+
-+        KeyPair keys = getKeysFromKeyStore();
-+        signAllUsing("SunMSCAPI", keys.getPrivate());
-+        System.out.println("-------------------------------------------------");
-+
-+        verifyAllUsing("SunMSCAPI", keys.getPublic());
-+        System.out.println("-------------------------------------------------");
-+
-+        verifyAllUsing("SunJCE", keys.getPublic());
-+        System.out.println("-------------------------------------------------");
-+
-+        keys = generateKeys();
-+        signAllUsing("SunJCE", keys.getPrivate());
-+        System.out.println("-------------------------------------------------");
-+
-+        verifyAllUsing("SunMSCAPI", keys.getPublic());
-+        System.out.println("-------------------------------------------------");
-+
-+    }
-+
-+    private static KeyPair getKeysFromKeyStore() throws Exception {
-+        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
-+        ks.load(null, null);
-+        System.out.println("Loaded keystore: Windows-MY");
-+
-+        Enumeration e = ks.aliases();
-+        PrivateKey privateKey = null;
-+        PublicKey publicKey = null;
-+
-+        while (e.hasMoreElements()) {
-+            String alias = (String) e.nextElement();
-+            if (alias.equals("6578658")) {
-+                System.out.println("Loaded entry: " + alias);
-+                privateKey = (PrivateKey) ks.getKey(alias, null);
-+                publicKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
-+            }
-+        }
-+        if (privateKey == null || publicKey == null) {
-+            throw new Exception("Cannot load the keys need to run this test");
-+        }
-+
-+        return new KeyPair(publicKey, privateKey);
-+    }
-+
-+
-+    private static KeyPair generateKeys() throws Exception {
-+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-+        keyGen.initialize(1024, null);
-+        KeyPair pair = keyGen.generateKeyPair();
-+        PrivateKey privateKey = pair.getPrivate();
-+        PublicKey publicKey = pair.getPublic();
-+
-+        if (privateKey == null || publicKey == null) {
-+            throw new Exception("Cannot load the keys need to run this test");
-+        }
-+
-+        return new KeyPair(publicKey, privateKey);
-+    }
-+
-+    private static void signAllUsing(String providerName, PrivateKey privateKey)
-+            throws Exception {
-+        Signature sig1 = Signature.getInstance("NONEwithRSA", providerName);
-+        if (sig1 == null) {
-+            throw new Exception("'NONEwithRSA' is not supported");
-+        }
-+        if (sig1.getProvider() != null) {
-+            System.out.println("Using NONEwithRSA signer from the " +
-+                sig1.getProvider().getName() + " JCE provider");
-+        } else {
-+            System.out.println(
-+                "Using NONEwithRSA signer from the internal JCE provider");
-+        }
-+
-+        System.out.println("Using key: " + privateKey);
-+        generatedSignatures.clear();
-+        for (byte[] hash : precomputedHashes) {
-+            sig1.initSign(privateKey);
-+            sig1.update(hash);
-+
-+            try {
-+
-+                byte [] sigBytes = sig1.sign();
-+                System.out.println("\nGenerated RSA signature over a " +
-+                    hash.length + "-byte hash (signature length: " +
-+                    sigBytes.length * 8 + " bits)");
-+                System.out.println(String.format("0x%0" +
-+                    (sigBytes.length * 2) + "x",
-+                    new java.math.BigInteger(1, sigBytes)));
-+                generatedSignatures.add(sigBytes);
-+
-+            } catch (SignatureException se) {
-+                System.out.println("Error generating RSA signature: " + se);
-+            }
-+        }
-+    }
-+
-+    private static void verifyAllUsing(String providerName, PublicKey publicKey)
-+            throws Exception {
-+        Signature sig1 = Signature.getInstance("NONEwithRSA", providerName);
-+        if (sig1.getProvider() != null) {
-+            System.out.println("\nUsing NONEwithRSA verifier from the " +
-+                sig1.getProvider().getName() + " JCE provider");
-+        } else {
-+            System.out.println(
-+                "\nUsing NONEwithRSA verifier from the internal JCE provider");
-+        }
-+
-+        System.out.println("Using key: " + publicKey);
-+
-+        int i = 0;
-+        for (byte[] hash : precomputedHashes) {
-+
-+            byte[] sigBytes = generatedSignatures.get(i++);
-+            System.out.println("\nVerifying RSA Signature over a " +
-+                hash.length + "-byte hash (signature length: " +
-+                sigBytes.length * 8 + " bits)");
-+            System.out.println(String.format("0x%0" +
-+                (sigBytes.length * 2) + "x",
-+                new java.math.BigInteger(1, sigBytes)));
-+
-+            sig1.initVerify(publicKey);
-+            sig1.update(hash);
-+            if (sig1.verify(sigBytes)) {
-+                System.out.println("Verify PASSED");
-+            } else {
-+                throw new Exception("Verify FAILED");
-+            }
-+        }
-+    }
-+}
-diff -r c4a0ef23f3c4 -r 29dda8a54371 test/sun/security/mscapi/SignUsingNONEwithRSA.sh
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/jdk/test/sun/security/mscapi/SignUsingNONEwithRSA.sh	Wed Oct 08 23:01:05 2014 +0100
-@@ -0,0 +1,83 @@
-+#!/bin/sh
-+
-+#
-+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+
-+# @test
-+# @bug 6578658
-+# @run shell SignUsingNONEwithRSA.sh
-+# @summary Sign using the NONEwithRSA signature algorithm from SunMSCAPI
-+
-+# set a few environment variables so that the shell-script can run stand-alone
-+# in the source directory
-+if [ "${TESTSRC}" = "" ] ; then
-+   TESTSRC="."
-+fi
-+
-+if [ "${TESTCLASSES}" = "" ] ; then
-+   TESTCLASSES="."
-+fi
-+
-+if [ "${TESTJAVA}" = "" ] ; then
-+   echo "TESTJAVA not set.  Test cannot execute."
-+   echo "FAILED!!!"
-+   exit 1
-+fi
-+
-+OS=`uname -s`
-+case "$OS" in
-+    Windows* | CYGWIN* )
-+
-+        echo "Creating a temporary RSA keypair in the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+	    -genkeypair \
-+	    -storetype Windows-My \
-+	    -keyalg RSA \
-+	    -alias 6578658 \
-+	    -dname "cn=6578658,c=US" \
-+	    -noprompt
-+
-+        echo
-+	echo "Running the test..."
-+        ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\SignUsingNONEwithRSA.java
-+        ${TESTJAVA}/bin/java SignUsingNONEwithRSA
-+
-+        rc=$?
-+
-+        echo
-+        echo "Removing the temporary RSA keypair from the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+	    -delete \
-+	    -storetype Windows-My \
-+	    -alias 6578658
-+
-+	echo done.
-+        exit $rc
-+        ;;
-+
-+    * )
-+        echo "This test is not intended for '$OS' - passing test"
-+        exit 0
-+        ;;
-+esac
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/6753664-sunmscapi_sha-256.patch
--- a/patches/openjdk/6753664-sunmscapi_sha-256.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,640 +0,0 @@
-# HG changeset patch
-# User vinnie
-# Date 1412805283 -3600
-#      Wed Oct 08 22:54:43 2014 +0100
-# Node ID c4a0ef23f3c4f3f7ab264e518fe8c6b4fa4f6683
-# Parent  2adb6892881f4e3b359026854562b2ac70c63bef
-6753664: Support SHA256 (and higher) in SunMSCAPI
-Reviewed-by: mullan
-
-diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/classes/sun/security/mscapi/RSASignature.java
---- openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	Wed Oct 08 22:42:49 2014 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	Wed Oct 08 22:54:43 2014 +0100
-@@ -50,6 +50,9 @@
-  *
-  *  . "SHA1withRSA"
-  *  . "SHA224withRSA"
-+ *  . "SHA256withRSA"
-+ *  . "SHA384withRSA"
-+ *  . "SHA512withRSA"
-  *  . "MD5withRSA"
-  *  . "MD2withRSA"
-  *
-@@ -63,7 +66,10 @@
-     // message digest implementation we use
-     private final MessageDigest messageDigest;
- 
--    // flag indicating whether the digest is reset
-+    // message digest name
-+    private final String messageDigestAlgorithm;
-+
-+    // flag indicating whether the digest has been reset
-     private boolean needsReset;
- 
-     // the signing key
-@@ -73,10 +79,15 @@
-     private Key publicKey = null;
- 
- 
-+    /**
-+     * Constructs a new RSASignature. Used by subclasses.
-+     */
-     RSASignature(String digestName) {
- 
-         try {
-             messageDigest = MessageDigest.getInstance(digestName);
-+            // Get the digest's canonical name
-+            messageDigestAlgorithm = messageDigest.getAlgorithm();
- 
-         } catch (NoSuchAlgorithmException e) {
-            throw new ProviderException(e);
-@@ -97,6 +108,24 @@
-         }
-     }
- 
-+    public static final class SHA256 extends RSASignature {
-+        public SHA256() {
-+            super("SHA-256");
-+        }
-+    }
-+
-+    public static final class SHA384 extends RSASignature {
-+        public SHA384() {
-+            super("SHA-384");
-+        }
-+    }
-+
-+    public static final class SHA512 extends RSASignature {
-+        public SHA512() {
-+            super("SHA-512");
-+        }
-+    }
-+
-     public static final class MD5 extends RSASignature {
-         public MD5() {
-             super("MD5");
-@@ -109,16 +138,7 @@
-         }
-     }
- 
--    /**
--     * Initializes this signature object with the specified
--     * public key for verification operations.
--     *
--     * @param publicKey the public key of the identity whose signature is
--     * going to be verified.
--     *
--     * @exception InvalidKeyException if the key is improperly
--     * encoded, parameters are missing, and so on.
--     */
-+    // initialize for signing. See JCA doc
-     protected void engineInitVerify(PublicKey key)
-         throws InvalidKeyException
-     {
-@@ -159,24 +179,12 @@
-             publicKey = (sun.security.mscapi.RSAPublicKey) key;
-         }
- 
--        if (needsReset) {
--            messageDigest.reset();
--            needsReset = false;
--        }
-+        this.privateKey = null;
-+        resetDigest();
-     }
- 
--    /**
--     * Initializes this signature object with the specified
--     * private key for signing operations.
--     *
--     * @param privateKey the private key of the identity whose signature
--     * will be generated.
--     *
--     * @exception InvalidKeyException if the key is improperly
--     * encoded, parameters are missing, and so on.
--     */
--    protected void engineInitSign(PrivateKey key)
--        throws InvalidKeyException
-+    // initialize for signing. See JCA doc
-+    protected void engineInitSign(PrivateKey key) throws InvalidKeyException
-     {
-         // This signature accepts only RSAPrivateKey
-         if ((key instanceof sun.security.mscapi.RSAPrivateKey) == false) {
-@@ -190,12 +198,25 @@
-             null, RSAKeyPairGenerator.KEY_SIZE_MIN,
-             RSAKeyPairGenerator.KEY_SIZE_MAX);
- 
-+        this.publicKey = null;
-+        resetDigest();
-+    }
-+
-+    /**
-+     * Resets the message digest if needed.
-+     */
-+    private void resetDigest() {
-         if (needsReset) {
-             messageDigest.reset();
-             needsReset = false;
-         }
-     }
- 
-+    private byte[] getDigestValue() {
-+        needsReset = false;
-+        return messageDigest.digest();
-+    }
-+
-     /**
-      * Updates the data to be signed or verified
-      * using the specified byte.
-@@ -255,13 +276,12 @@
-      */
-     protected byte[] engineSign() throws SignatureException {
- 
--        byte[] hash = messageDigest.digest();
--        needsReset = false;
-+        byte[] hash = getDigestValue();
- 
-         // Sign hash using MS Crypto APIs
- 
-         byte[] result = signHash(hash, hash.length,
--            messageDigest.getAlgorithm(), privateKey.getHCryptProvider(),
-+            messageDigestAlgorithm, privateKey.getHCryptProvider(),
-             privateKey.getHCryptKey());
- 
-         // Convert signature array from little endian to big endian
-@@ -315,11 +335,10 @@
-     protected boolean engineVerify(byte[] sigBytes)
-         throws SignatureException
-     {
--        byte[] hash = messageDigest.digest();
--        needsReset = false;
-+        byte[] hash = getDigestValue();
- 
-         return verifySignedHash(hash, hash.length,
--            messageDigest.getAlgorithm(), convertEndianArray(sigBytes),
-+            messageDigestAlgorithm, convertEndianArray(sigBytes),
-             sigBytes.length, publicKey.getHCryptProvider(),
-             publicKey.getHCryptKey());
-     }
-diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/classes/sun/security/mscapi/SunMSCAPI.java
---- openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	Wed Oct 08 22:42:49 2014 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java	Wed Oct 08 22:54:43 2014 +0100
-@@ -85,6 +85,20 @@
-             "sun.security.mscapi.RSASignature$SHA224");
-         map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14",     "SHA224withRSA");
-         map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA");
-+        map.put("Signature.SHA256withRSA",
-+            "sun.security.mscapi.RSASignature$SHA256");
-+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.11",     "SHA256withRSA");
-+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.11", "SHA256withRSA");
-+        map.put("Signature.SHA384withRSA",
-+            "sun.security.mscapi.RSASignature$SHA384");
-+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.12",     "SHA384withRSA");
-+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.12", "SHA384withRSA");
-+
-+        map.put("Signature.SHA512withRSA",
-+            "sun.security.mscapi.RSASignature$SHA512");
-+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.13",     "SHA512withRSA");
-+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.13", "SHA512withRSA");
-+
-         map.put("Signature.MD5withRSA",
-             "sun.security.mscapi.RSASignature$MD5");
-         map.put("Signature.MD2withRSA",
-@@ -95,12 +109,16 @@
-             "sun.security.mscapi.Key");
-         map.put("Signature.SHA224withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
-+        map.put("Signature.SHA256withRSA SupportedKeyClasses",
-+            "sun.security.mscapi.Key");
-+        map.put("Signature.SHA384withRSA SupportedKeyClasses",
-+            "sun.security.mscapi.Key");
-+        map.put("Signature.SHA512withRSA SupportedKeyClasses",
-+            "sun.security.mscapi.Key");
-         map.put("Signature.MD5withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
-         map.put("Signature.MD2withRSA SupportedKeyClasses",
-             "sun.security.mscapi.Key");
--        map.put("Signature.NONEwithRSA SupportedKeyClasses",
--            "sun.security.mscapi.Key");
- 
-         /*
-          * Key Pair Generator engines
-diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/native/sun/security/mscapi/security.cpp
---- openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp	Wed Oct 08 22:42:49 2014 +0100
-+++ openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp	Wed Oct 08 22:54:43 2014 +0100
-@@ -481,6 +481,7 @@
-     jbyte* pHashBuffer = NULL;
-     jbyte* pSignedHashBuffer = NULL;
-     jbyteArray jSignedHash = NULL;
-+    HCRYPTPROV hCryptProvAlt = NULL;
- 
-     __try
-     {
-@@ -490,8 +491,32 @@
-         // Acquire a hash object handle.
-         if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) == FALSE)
-         {
--            ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
--            __leave;
-+            // Failover to using the PROV_RSA_AES CSP
-+
-+            DWORD cbData = 256;
-+            BYTE pbData[256];
-+            pbData[0] = '\0';
-+
-+            // Get name of the key container
-+            ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER,
-+                (BYTE *)pbData, &cbData, 0);
-+
-+            // Acquire an alternative CSP handle
-+            if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL,
-+                PROV_RSA_AES, 0) == FALSE)
-+            {
-+
-+                ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-+
-+            // Acquire a hash object handle.
-+            if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0,
-+                &hHash) == FALSE)
-+            {
-+                ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-         }
- 
-         // Copy hash from Java to native buffer
-@@ -544,6 +569,9 @@
-     }
-     __finally
-     {
-+        if (hCryptProvAlt)
-+            ::CryptReleaseContext(hCryptProvAlt, 0);
-+
-         if (pSignedHashBuffer)
-             delete [] pSignedHashBuffer;
- 
-@@ -572,6 +600,7 @@
-     jbyte* pSignedHashBuffer = NULL;
-     DWORD dwSignedHashBufferLen = jSignedHashSize;
-     jboolean result = JNI_FALSE;
-+    HCRYPTPROV hCryptProvAlt = NULL;
- 
-     __try
-     {
-@@ -582,8 +611,32 @@
-         if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash)
-             == FALSE)
-         {
--            ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
--            __leave;
-+            // Failover to using the PROV_RSA_AES CSP
-+
-+            DWORD cbData = 256;
-+            BYTE pbData[256];
-+            pbData[0] = '\0';
-+
-+            // Get name of the key container
-+            ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER,
-+                (BYTE *)pbData, &cbData, 0);
-+
-+            // Acquire an alternative CSP handle
-+            if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL,
-+                PROV_RSA_AES, 0) == FALSE)
-+            {
-+
-+                ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-+
-+            // Acquire a hash object handle.
-+            if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0,
-+                &hHash) == FALSE)
-+            {
-+                ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-         }
- 
-         // Copy hash and signedHash from Java to native buffer
-@@ -614,6 +667,9 @@
- 
-     __finally
-     {
-+        if (hCryptProvAlt)
-+            ::CryptReleaseContext(hCryptProvAlt, 0);
-+
-         if (pSignedHashBuffer)
-             delete [] pSignedHashBuffer;
- 
-@@ -646,15 +702,27 @@
-         pszKeyContainerName = env->GetStringUTFChars(keyContainerName, NULL);
- 
-         // Acquire a CSP context (create a new key container).
-+        // Prefer a PROV_RSA_AES CSP, when available, due to its support
-+        // for SHA-2-based signatures.
-         if (::CryptAcquireContext(
-             &hCryptProv,
-             pszKeyContainerName,
-             NULL,
--            PROV_RSA_FULL,
-+            PROV_RSA_AES,
-             CRYPT_NEWKEYSET) == FALSE)
-         {
--            ThrowException(env, KEY_EXCEPTION, GetLastError());
--            __leave;
-+            // Failover to using the default CSP (PROV_RSA_FULL)
-+
-+            if (::CryptAcquireContext(
-+                &hCryptProv,
-+                pszKeyContainerName,
-+                NULL,
-+                PROV_RSA_FULL,
-+                CRYPT_NEWKEYSET) == FALSE)
-+            {
-+                ThrowException(env, KEY_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-         }
- 
-         // Generate an RSA keypair
-@@ -1847,15 +1915,27 @@
-         pbKeyBlob = (BYTE *) env->GetByteArrayElements(keyBlob, 0);
- 
-         // Acquire a CSP context (create a new key container).
-+        // Prefer a PROV_RSA_AES CSP, when available, due to its support
-+        // for SHA-2-based signatures.
-         if (::CryptAcquireContext(
-             &hCryptProv,
-             NULL,
-             NULL,
--            PROV_RSA_FULL,
-+            PROV_RSA_AES,
-             CRYPT_VERIFYCONTEXT) == FALSE)
-         {
--            ThrowException(env, KEYSTORE_EXCEPTION, GetLastError());
--            __leave;
-+            // Failover to using the default CSP (PROV_RSA_FULL)
-+
-+            if (::CryptAcquireContext(
-+                &hCryptProv,
-+                NULL,
-+                NULL,
-+                PROV_RSA_FULL,
-+                CRYPT_VERIFYCONTEXT) == FALSE)
-+            {
-+                ThrowException(env, KEYSTORE_EXCEPTION, GetLastError());
-+                __leave;
-+            }
-         }
- 
-         // Import the public key
-diff -r 2adb6892881f -r c4a0ef23f3c4 test/sun/security/mscapi/SignUsingSHA2withRSA.java
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/jdk/test/sun/security/mscapi/SignUsingSHA2withRSA.java	Wed Oct 08 22:54:43 2014 +0100
-@@ -0,0 +1,157 @@
-+/*
-+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/**
-+ * @see SignUsingSHA2withRSA.sh
-+ */
-+
-+import java.security.*;
-+import java.util.*;
-+
-+public class SignUsingSHA2withRSA {
-+
-+    private static final byte[] toBeSigned = new byte[] {
-+        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10
-+    };
-+
-+    private static List generatedSignatures = new ArrayList();
-+
-+    public static void main(String[] args) throws Exception {
-+
-+        Provider[] providers = Security.getProviders("Signature.SHA256withRSA");
-+        if (providers == null) {
-+            System.out.println("No JCE providers support the " +
-+                "'Signature.SHA256withRSA' algorithm");
-+            System.out.println("Skipping this test...");
-+            return;
-+
-+        } else {
-+            System.out.println("The following JCE providers support the " +
-+                "'Signature.SHA256withRSA' algorithm: ");
-+            for (Provider provider : providers) {
-+                System.out.println("    " + provider.getName());
-+            }
-+        }
-+        System.out.println("-------------------------------------------------");
-+
-+        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
-+        ks.load(null, null);
-+        System.out.println("Loaded keystore: Windows-MY");
-+
-+        Enumeration e = ks.aliases();
-+        PrivateKey privateKey = null;
-+        PublicKey publicKey = null;
-+
-+        while (e.hasMoreElements()) {
-+            String alias = (String) e.nextElement();
-+            if (alias.equals("6753664")) {
-+                System.out.println("Loaded entry: " + alias);
-+                privateKey = (PrivateKey) ks.getKey(alias, null);
-+                publicKey = (PublicKey) ks.getCertificate(alias).getPublicKey();
-+            }
-+        }
-+        if (privateKey == null || publicKey == null) {
-+            throw new Exception("Cannot load the keys need to run this test");
-+        }
-+        System.out.println("-------------------------------------------------");
-+
-+        generatedSignatures.add(signUsing("SHA256withRSA", privateKey));
-+        generatedSignatures.add(signUsing("SHA384withRSA", privateKey));
-+        generatedSignatures.add(signUsing("SHA512withRSA", privateKey));
-+        generatedSignatures.add(signUsing("SHA224withRSA", privateKey));
-+
-+
-+        System.out.println("-------------------------------------------------");
-+
-+        verifyUsing("SHA256withRSA", publicKey, generatedSignatures.get(0));
-+        verifyUsing("SHA384withRSA", publicKey, generatedSignatures.get(1));
-+        verifyUsing("SHA512withRSA", publicKey, generatedSignatures.get(2));
-+        verifyUsing("SHA224withRSA", publicKey, generatedSignatures.get(3));
-+
-+
-+        System.out.println("-------------------------------------------------");
-+    }
-+
-+    private static byte[] signUsing(String signAlgorithm,
-+        PrivateKey privateKey) throws Exception {
-+
-+        // Must explicitly specify the SunMSCAPI JCE provider
-+        // (otherwise SunJCE is chosen because it appears earlier in the list)
-+        Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI");
-+        if (sig1 == null) {
-+            throw new Exception("'" + signAlgorithm + "' is not supported");
-+        }
-+        System.out.println("Using " + signAlgorithm + " signer from the " +
-+            sig1.getProvider().getName() + " JCE provider");
-+
-+        System.out.println("Using key: " + privateKey);
-+        sig1.initSign(privateKey);
-+        sig1.update(toBeSigned);
-+        byte [] sigBytes = null;
-+
-+        try {
-+            sigBytes = sig1.sign();
-+            System.out.println("Generated RSA signature over a " +
-+                toBeSigned.length + "-byte data (signature length: " +
-+                sigBytes.length * 8 + " bits)");
-+            System.out.println(String.format("0x%0" +
-+                (sigBytes.length * 2) + "x",
-+                new java.math.BigInteger(1, sigBytes)));
-+
-+        } catch (SignatureException se) {
-+                System.out.println("Error generating RSA signature: " + se);
-+        }
-+
-+        return sigBytes;
-+    }
-+
-+    private static void verifyUsing(String signAlgorithm, PublicKey publicKey,
-+        byte[] signature) throws Exception {
-+
-+        // Must explicitly specify the SunMSCAPI JCE provider
-+        // (otherwise SunJCE is chosen because it appears earlier in the list)
-+        Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI");
-+        if (sig1 == null) {
-+            throw new Exception("'" + signAlgorithm + "' is not supported");
-+        }
-+        System.out.println("Using " + signAlgorithm + " verifier from the "
-+            + sig1.getProvider().getName() + " JCE provider");
-+
-+        System.out.println("Using key: " + publicKey);
-+
-+        System.out.println("\nVerifying RSA Signature over a " +
-+            toBeSigned.length + "-byte data (signature length: " +
-+            signature.length * 8 + " bits)");
-+        System.out.println(String.format("0x%0" + (signature.length * 2) +
-+            "x", new java.math.BigInteger(1, signature)));
-+
-+        sig1.initVerify(publicKey);
-+        sig1.update(toBeSigned);
-+
-+        if (sig1.verify(signature)) {
-+            System.out.println("Verify PASSED\n");
-+        } else {
-+            throw new Exception("Verify FAILED");
-+        }
-+    }
-+}
-diff -r 2adb6892881f -r c4a0ef23f3c4 test/sun/security/mscapi/SignUsingSHA2withRSA.sh
---- /dev/null	Thu Jan 01 00:00:00 1970 +0000
-+++ openjdk/jdk/test/sun/security/mscapi/SignUsingSHA2withRSA.sh	Wed Oct 08 22:54:43 2014 +0100
-@@ -0,0 +1,83 @@
-+#!/bin/sh
-+
-+#
-+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+
-+# @test
-+# @bug 6753664
-+# @run shell SignUsingSHA2withRSA.sh
-+# @summary Support SHA256 (and higher) in SunMSCAPI
-+
-+# set a few environment variables so that the shell-script can run stand-alone
-+# in the source directory
-+if [ "${TESTSRC}" = "" ] ; then
-+   TESTSRC="."
-+fi
-+
-+if [ "${TESTCLASSES}" = "" ] ; then
-+   TESTCLASSES="."
-+fi
-+
-+if [ "${TESTJAVA}" = "" ] ; then
-+   echo "TESTJAVA not set.  Test cannot execute."
-+   echo "FAILED!!!"
-+   exit 1
-+fi
-+
-+OS=`uname -s`
-+case "$OS" in
-+    Windows* | CYGWIN* )
-+
-+        echo "Creating a temporary RSA keypair in the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+	    -genkeypair \
-+	    -storetype Windows-My \
-+	    -keyalg RSA \
-+	    -alias 6753664 \
-+	    -dname "cn=6753664,c=US" \
-+	    -noprompt
-+
-+        echo
-+	echo "Running the test..."
-+        ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\SignUsingSHA2withRSA.java
-+        ${TESTJAVA}/bin/java SignUsingSHA2withRSA
-+
-+        rc=$?
-+
-+        echo
-+        echo "Removing the temporary RSA keypair from the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+	    -delete \
-+	    -storetype Windows-My \
-+	    -alias 6753664
-+
-+	echo done.
-+        exit $rc
-+        ;;
-+
-+    * )
-+        echo "This test is not intended for '$OS' - passing test"
-+        exit 0
-+        ;;
-+esac
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/6956398-ephemeraldhkeysize.patch
--- a/patches/openjdk/6956398-ephemeraldhkeysize.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,761 +0,0 @@
-# HG changeset patch
-# User xuelei
-# Date 1428081992 -3600
-#      Fri Apr 03 18:26:32 2015 +0100
-# Node ID e7690bee9a7722b20bde481fb2da0bb6b903a258
-# Parent  bf4c2a6c354db2c6b6d036908749a27eef1c5968
-6956398, PR2486: make ephemeral DH key match the length of the certificate key
-Reviewed-by: weijun
-
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-07-20 17:24:47.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	2015-07-22 21:02:12.190511032 +0100
-@@ -48,7 +48,9 @@
- 
- import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
- 
-+import sun.security.action.GetPropertyAction;
- import sun.security.util.AlgorithmConstraints;
-+import sun.security.util.KeyUtil;
- import sun.security.util.LegacyAlgorithmConstraints;
- import sun.security.ssl.HandshakeMessage.*;
- import sun.security.ssl.CipherSuite.*;
-@@ -106,6 +108,50 @@
-                     LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
-                     new SSLAlgorithmDecomposer());
- 
-+    // Flag to use smart ephemeral DH key which size matches the corresponding
-+    // authentication key
-+    private static final boolean useSmartEphemeralDHKeys;
-+
-+    // Flag to use legacy ephemeral DH key which size is 512 bits for
-+    // exportable cipher suites, and 768 bits for others
-+    private static final boolean useLegacyEphemeralDHKeys;
-+
-+    // The customized ephemeral DH key size for non-exportable cipher suites.
-+    private static final int customizedDHKeySize;
-+
-+    static {
-+        String property = AccessController.doPrivileged(
-+                    new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
-+        if (property == null || property.length() == 0) {
-+            useLegacyEphemeralDHKeys = false;
-+            useSmartEphemeralDHKeys = false;
-+            customizedDHKeySize = -1;
-+        } else if ("matched".equals(property)) {
-+            useLegacyEphemeralDHKeys = false;
-+            useSmartEphemeralDHKeys = true;
-+            customizedDHKeySize = -1;
-+        } else if ("legacy".equals(property)) {
-+            useLegacyEphemeralDHKeys = true;
-+            useSmartEphemeralDHKeys = false;
-+            customizedDHKeySize = -1;
-+        } else {
-+            useLegacyEphemeralDHKeys = false;
-+            useSmartEphemeralDHKeys = false;
-+
-+            try {
-+                customizedDHKeySize = parseUnsignedInt(property);
-+                if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
-+                    throw new IllegalArgumentException(
-+                        "Customized DH key size should be positive integer " +
-+                        "between 1024 and 2048 bits, inclusive");
-+                }
-+            } catch (NumberFormatException nfe) {
-+                throw new IllegalArgumentException(
-+                        "Invalid system property jdk.tls.ephemeralDHKeySize");
-+            }
-+        }
-+    }
-+
-     /*
-      * Constructor ... use the keys found in the auth context.
-      */
-@@ -898,7 +944,7 @@
-                     return false;
-                 }
-             } else if (keyExchange == K_DHE_RSA) {
--                setupEphemeralDHKeys(suite.exportable);
-+		setupEphemeralDHKeys(suite.exportable, privateKey);
-             } else if (keyExchange == K_ECDHE_RSA) {
-                 if (setupEphemeralECDHKeys() == false) {
-                     return false;
-@@ -910,7 +956,8 @@
-             if (setupPrivateKeyAndChain("DSA") == false) {
-                 return false;
-             }
--            setupEphemeralDHKeys(suite.exportable);
-+
-+            setupEphemeralDHKeys(suite.exportable, privateKey);
-             break;
-         case K_ECDHE_ECDSA:
-             // need EC cert signed using EC
-@@ -944,7 +991,7 @@
-             break;
-         case K_DH_ANON:
-             // no certs needed for anonymous
--            setupEphemeralDHKeys(suite.exportable);
-+            setupEphemeralDHKeys(suite.exportable, null);
-             break;
-         case K_ECDH_ANON:
-             // no certs needed for anonymous
-@@ -985,15 +1032,70 @@
-      * Acquire some "ephemeral" Diffie-Hellman  keys for this handshake.
-      * We don't reuse these, for improved forward secrecy.
-      */
--    private void setupEphemeralDHKeys(boolean export) {
-+    private void setupEphemeralDHKeys(boolean export, Key key) {
-         /*
--         * Diffie-Hellman keys ... we use 768 bit private keys due
--         * to the "use twice as many key bits as bits you want secret"
--         * rule of thumb, assuming we want the same size premaster
--         * secret with Diffie-Hellman and RSA key exchanges.  Except
--         * that exportable ciphers max out at 512 bits modulus values.
-+         * 768 bits ephemeral DH private keys were used to be used in
-+         * ServerKeyExchange except that exportable ciphers max out at 512
-+         * bits modulus values. We still adhere to this behavior in legacy
-+         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
-+         * as "legacy").
-+         *
-+         * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
-+         * than 1024 bits. We have to consider the compatibility requirement.
-+         * 1024 bits DH key is always used for non-exportable cipher suites
-+         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
-+         * is not defined).
-+         *
-+         * However, if applications want more stronger strength, setting
-+         * system property "jdk.tls.ephemeralDHKeySize" to "matched"
-+         * is a workaround to use ephemeral DH key which size matches the
-+         * corresponding authentication key. For example, if the public key
-+         * size of an authentication certificate is 2048 bits, then the
-+         * ephemeral DH key size should be 2048 bits accordingly unless
-+         * the cipher suite is exportable.  This key sizing scheme keeps
-+         * the cryptographic strength consistent between authentication
-+         * keys and key-exchange keys.
-+         *
-+         * Applications may also want to customize the ephemeral DH key size
-+         * to a fixed length for non-exportable cipher suites. This can be
-+         * approached by setting system property "jdk.tls.ephemeralDHKeySize"
-+         * to a valid positive integer between 1024 and 2048 bits, inclusive.
-+         *
-+         * Note that the minimum acceptable key size is 1024 bits except
-+         * exportable cipher suites or legacy mode.
-+         *
-+         * Note that the maximum acceptable key size is 2048 bits because
-+         * DH keys bigger than 2048 are not always supported by underlying
-+         * JCE providers.
-+         *
-+         * Note that per RFC 2246, the key size limit of DH is 512 bits for
-+         * exportable cipher suites.  Because of the weakness, exportable
-+         * cipher suites are deprecated since TLS v1.1 and they are not
-+         * enabled by default in Oracle provider. The legacy behavior is
-+         * reserved and 512 bits DH key is always used for exportable
-+         * cipher suites.
-          */
--        dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom());
-+        int keySize = export ? 512 : 1024;           // default mode
-+        if (!export) {
-+            if (useLegacyEphemeralDHKeys) {          // legacy mode
-+                keySize = 768;
-+            } else if (useSmartEphemeralDHKeys) {    // matched mode
-+                if (key != null) {
-+                    int ks = KeyUtil.getKeySize(key);
-+                    // Note that SunJCE provider only supports 2048 bits DH
-+                    // keys bigger than 1024.  Please DON'T use value other
-+                    // than 1024 and 2048 at present.  We may improve the
-+                    // underlying providers and key size here in the future.
-+                    //
-+                    // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
-+                    keySize = ks <= 1024 ? 1024 : 2048;
-+                } // Otherwise, anonymous cipher suites, 1024-bit is used.
-+            } else if (customizedDHKeySize > 0) {    // customized mode
-+                keySize = customizedDHKeySize;
-+            }
-+        }
-+
-+        dh = new DHCrypt(keySize, sslContext.getSecureRandom());
-     }
- 
-     // Setup the ephemeral ECDH parameters.
-@@ -1483,4 +1585,100 @@
- 
-         session.setPeerCertificates(peerCerts);
-     }
-+
-+    /**
-+     * Parses the string argument as an unsigned integer in the radix
-+     * specified by the second argument.  An unsigned integer maps the
-+     * values usually associated with negative numbers to positive
-+     * numbers larger than {@code MAX_VALUE}.
-+     *
-+     * The characters in the string must all be digits of the
-+     * specified radix (as determined by whether {@link
-+     * java.lang.Character#digit(char, int)} returns a nonnegative
-+     * value), except that the first character may be an ASCII plus
-+     * sign {@code '+'} ('\u002B'). The resulting
-+     * integer value is returned.
-+     *
-+     * 
An exception of type {@code NumberFormatException} is
-+     * thrown if any of the following situations occurs:
-+     * 
    
-+     * 
  • The first argument is {@code null} or is a string of
-+     * length zero.
-+     *
-+     * 
  • The radix is either smaller than
-+     * {@link java.lang.Character#MIN_RADIX} or
-+     * larger than {@link java.lang.Character#MAX_RADIX}.
-+     *
-+     * 
  • Any character of the string is not a digit of the specified
-+     * radix, except that the first character may be a plus sign
-+     * {@code '+'} ('\u002B') provided that the
-+     * string is longer than length 1.
-+     *
-+     * 
  • The value represented by the string is larger than the
-+     * largest unsigned {@code int}, 232-1.
-+     *
-+     * 

-+     *
-+     *
-+     * @param      s   the {@code String} containing the unsigned integer
-+     *                  representation to be parsed
-+     * @param      radix   the radix to be used while parsing {@code s}.
-+     * @return     the integer represented by the string argument in the
-+     *             specified radix.
-+     * @throws     NumberFormatException if the {@code String}
-+     *             does not contain a parsable {@code int}.
-+     * @since 1.8
-+     */
-+    private static int parseUnsignedInt(String s, int radix)
-+                throws NumberFormatException {
-+        if (s == null)  {
-+            throw new NumberFormatException("null");
-+        }
-+
-+        int len = s.length();
-+        if (len > 0) {
-+            char firstChar = s.charAt(0);
-+            if (firstChar == '-') {
-+                throw new
-+                    NumberFormatException(String.format("Illegal leading minus sign " +
-+                                                       "on unsigned string %s.", s));
-+            } else {
-+                if (len <= 5 || // Integer.MAX_VALUE in Character.MAX_RADIX is 6 digits
-+                    (radix == 10 && len <= 9) ) { // Integer.MAX_VALUE in base 10 is 10 digits
-+                    return Integer.parseInt(s, radix);
-+                } else {
-+                    long ell = Long.parseLong(s, radix);
-+                    if ((ell & 0xffffffff00000000L) == 0) {
-+                        return (int) ell;
-+                    } else {
-+                        throw new
-+                            NumberFormatException(String.format("String value %s exceeds " +
-+                                                                "range of unsigned int.", s));
-+                    }
-+                }
-+            }
-+        } else {
-+            throw new NumberFormatException("For input string: \"" + s + "\"");
-+        }
-+    }
-+
-+    /**
-+     * Parses the string argument as an unsigned decimal integer. The
-+     * characters in the string must all be decimal digits, except
-+     * that the first character may be an an ASCII plus sign {@code
-+     * '+'} ('\u002B'). The resulting integer value
-+     * is returned, exactly as if the argument and the radix 10 were
-+     * given as arguments to the {@link
-+     * #parseUnsignedInt(java.lang.String, int)} method.
-+     *
-+     * @param s   a {@code String} containing the unsigned {@code int}
-+     *            representation to be parsed
-+     * @return    the unsigned integer value represented by the argument in decimal.
-+     * @throws    NumberFormatException  if the string does not contain a
-+     *            parsable unsigned integer.
-+     * @since 1.8
-+     */
-+    private static int parseUnsignedInt(String s) throws NumberFormatException {
-+        return parseUnsignedInt(s, 10);
-+    }
- }
-diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
---- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	2015-07-22 21:01:02.635723436 +0100
-@@ -0,0 +1,477 @@
-+/*
-+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+//
-+// SunJSSE does not support dynamic system properties, no way to re-use
-+// system properties in samevm/agentvm mode.
-+//
-+
-+/*
-+ * @test
-+ * @bug 6956398
-+ * @summary make ephemeral DH key match the length of the certificate key
-+ * @run main/othervm
-+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
-+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
-+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
-+ *      DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
-+ *
-+ * @run main/othervm
-+ *      DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 292 75
-+ *
-+ * @run main/othervm
-+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1510 139
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
-+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1414 107
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
-+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1894 267
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
-+ *      DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA  false 1510 139
-+ *
-+ * @run main/othervm
-+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 484 139
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
-+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 388 107
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
-+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 484 139
-+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
-+ *      DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5  false 484 139
-+ */
-+
-+/*
-+ * This is a simple hack to test key sizes of Diffie-Hellman key exchanging
-+ * during SSL/TLS handshaking.
-+ *
-+ * The record length of DH ServerKeyExchange and ClientKeyExchange.
-+ * ServerKeyExchange message are wrapped in ServerHello series messages, which
-+ * contains ServerHello, Certificate and ServerKeyExchange message.
-+ *
-+ *    struct {
-+ *        opaque dh_p<1..2^16-1>;
-+ *        opaque dh_g<1..2^16-1>;
-+ *        opaque dh_Ys<1..2^16-1>;
-+ *    } ServerDHParams;     // Ephemeral DH parameters
-+ *
-+ *    struct {
-+ *        select (PublicValueEncoding) {
-+ *            case implicit: struct { };
-+ *            case explicit: opaque dh_Yc<1..2^16-1>;
-+ *        } dh_public;
-+ *    } ClientDiffieHellmanPublic;
-+ *
-+ * Fomr above structures, it is clear that if the DH key size increasing 128
-+ * bits (16 bytes), the ServerHello series messages increases 48 bytes
-+ * (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange
-+ * increases 16 bytes (because of the size increasing of dh_Yc).
-+ *
-+ * Here is a summary of the record length in the test case.
-+ *
-+ *            |  ServerHello Series  |  ClientKeyExchange | ServerHello Anon
-+ *   512-bit  |          1318 bytes  |           75 bytes |        292 bytes
-+ *   768-bit  |          1414 bytes  |          107 bytes |        388 bytes
-+ *  1024-bit  |          1510 bytes  |          139 bytes |        484 bytes
-+ *  2048-bit  |          1894 bytes  |          267 bytes |        484 bytes
-+ */
-+
-+import javax.net.ssl.*;
-+import javax.net.ssl.SSLEngineResult.*;
-+import java.io.*;
-+import java.nio.*;
-+import java.security.KeyStore;
-+import java.security.KeyFactory;
-+import java.security.cert.Certificate;
-+import java.security.cert.CertificateFactory;
-+import java.security.spec.PKCS8EncodedKeySpec;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+import java.util.Base64;
-+
-+public class DHEKeySizing {
-+
-+    private static boolean debug = true;
-+
-+    private SSLContext sslc;
-+    private SSLEngine ssle1;    // client
-+    private SSLEngine ssle2;    // server
-+
-+    private ByteBuffer appOut1;         // write side of ssle1
-+    private ByteBuffer appIn1;          // read side of ssle1
-+    private ByteBuffer appOut2;         // write side of ssle2
-+    private ByteBuffer appIn2;          // read side of ssle2
-+
-+    private ByteBuffer oneToTwo;        // "reliable" transport ssle1->ssle2
-+    private ByteBuffer twoToOne;        // "reliable" transport ssle2->ssle1
-+
-+    /*
-+     * Where do we find the keystores?
-+     */
-+    // Certificates and key used in the test.
-+    static String trustedCertStr =
-+        "-----BEGIN CERTIFICATE-----\n" +
-+        "MIIC8jCCAdqgAwIBAgIEUjkuRzANBgkqhkiG9w0BAQUFADA7MR0wGwYDVQQLExRT\n" +
-+        "dW5KU1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMw\n" +
-+        "HhcNMTMwOTE4MDQzODMxWhcNMTMxMjE3MDQzODMxWjA7MR0wGwYDVQQLExRTdW5K\n" +
-+        "U1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMwggEi\n" +
-+        "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCO+IGeaskJAvEcYc7pCl9neK3E\n" +
-+        "a28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0LKXArpI3thLNK\n" +
-+        "QLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO19FbjxAfInJqk\n" +
-+        "3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ7MrIOqHPd+8r\n" +
-+        "RbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTkM65T1hnnOv5n\n" +
-+        "ZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+PqPgWNl3+/AgMB\n" +
-+        "AAEwDQYJKoZIhvcNAQEFBQADggEBAAlrP6DFLRPSy0IgQhcI2i56tR/na8pezSte\n" +
-+        "ZHcCdaCZPDy4UP8mpLJ9QCjEB5VJv8hPm4xdK7ULnKGOGHgYqDpV2ZHvQlhV1woQ\n" +
-+        "TZGb/LM3c6kAs0j4j9KM2fq3iYUYexjIkS1KzsziflxMM6igS9BRMBR2LQyU+cYq\n" +
-+        "YEsFzkF7Aj2ET4v/+tgot9mRr2NioJcaJkdsPDpMU3IKB1cczfu+OuLQ/GCG0Fqu\n" +
-+        "6ijCeCqfnaAbemHbJeVZZ6Qgka3uC2YMntLBmLkhqEo1d9zGYLoh7oWL77y5ibQZ\n" +
-+        "LK5/H/zikcu579TWjlDHcqL3arCwBcrtsjSaPrRSWMrWV/6c0qw=\n" +
-+        "-----END CERTIFICATE-----";
-+
-+    // Private key in the format of PKCS#8
-+    static String targetPrivateKey =
-+        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO+IGeaskJAvEc\n" +
-+        "Yc7pCl9neK3Ea28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0L\n" +
-+        "KXArpI3thLNKQLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO1\n" +
-+        "9FbjxAfInJqk3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ\n" +
-+        "7MrIOqHPd+8rRbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTk\n" +
-+        "M65T1hnnOv5nZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+Pq\n" +
-+        "PgWNl3+/AgMBAAECggEAPdb5Ycc4m4A9QBSCRcRpzbyiFLKPh0HDg1n65q4hOtYr\n" +
-+        "kAVYTVFTSF/lqGS+Ob3w2YIKujQKSUQrvCc5UHdFuHXMgxKIWbymK0+DAMb9SlYw\n" +
-+        "6lkkcWp9gx9E4dnJ/df2SAAxovvrKMuHlL1SFASHhVtPfH2URvSfUaANLDXxyYOs\n" +
-+        "8BX0Nr6wazhWjLjXo9yIGnKSvFfB8XisYcA78kEgas43zhmIGCDPqaYyyffOfRbx\n" +
-+        "pM1KNwGmlN86iWR1CbwA/wwhcMySWQueS+s7cHbpRqZIYJF9jEeELiwi0vxjealS\n" +
-+        "EMuHYedIRFMWaDIq9XyjrvXamHb0Z25jlXBNZHaM0QKBgQDE9adl+zAezR/n79vw\n" +
-+        "0XiX2Fx1UEo3ApZHuoA2Q/PcBk+rlKqqQ3IwTcy6Wo648wK7v6Nq7w5nEWcsf0dU\n" +
-+        "QA2Ng/AJEev/IfF34x7sKGYxtk1gcE0EuSBA3R+ocEZxnNw1Ryd5nUU24s8d4jCP\n" +
-+        "Mkothnyaim+zE2raDlEtVc0CaQKBgQC509av+02Uq5oMjzbQp5PBJfQFjATOQT15\n" +
-+        "eefYnVYurkQ1kcVfixkrO2ORhg4SjmI2Z5hJDgGtXdwgidpzkad+R2epS5qLMyno\n" +
-+        "lQVpY6bMpEZ7Mos0yQygxnm8uNohEcTExOe+nP5fNJVpzBsGmfeyYOhnPQlf6oqf\n" +
-+        "0cHizedb5wKBgQC/l5LyMil6HOGHlhzmIm3jj7VI7QR0hJC5T6N+phVml8ESUDjA\n" +
-+        "DYHbmSKouISTRtkG14FY+RiSjCxH7bvuKazFV2289PETquogTA/9e8MFYqfcQwG4\n" +
-+        "sXi9gBxWlnj/9a2EKiYtOB5nKLR/BlNkSHA93tAA6N+FXEMZwMmYhxk42QKBgAuY\n" +
-+        "HQgD3PZOsqDf+qKQIhbmAFCsSMx5o5VFtuJ8BpmJA/Z3ruHkMuDQpsi4nX4o5hXQ\n" +
-+        "5t6AAjjH52kcUMXvK40kdWJJtk3DFnVNfvXxYsHX6hHbuHXFqYUKfSP6QJnZmvZP\n" +
-+        "9smcz/4usLfWJUWHK740b6upUkFqx9Vq5/b3s9y3AoGAdM5TW7LkkOFsdMGVAUzR\n" +
-+        "9iXmCWElHTK2Pcp/3yqDBHSfiQx6Yp5ANyPnE9NBM0yauCfOyBB2oxLO4Rdv3Rqk\n" +
-+        "9V9kyR/YAGr7dJaPcQ7pZX0OpkzgueAOJYPrx5VUzPYUtklYV1ycFZTfKlpFCxT+\n" +
-+        "Ei6KUo0NXSdUIcB4yib1J10=";
-+
-+    static char passphrase[] = "passphrase".toCharArray();
-+
-+    /*
-+     * Majority of the test case is here, setup is done below.
-+     */
-+
-+    private void createSSLEngines() throws Exception {
-+        ssle1 = sslc.createSSLEngine("client", 1);
-+        ssle1.setUseClientMode(true);
-+
-+        ssle2 = sslc.createSSLEngine("server", 2);
-+        ssle2.setUseClientMode(false);
-+    }
-+
-+    private boolean isHandshaking(SSLEngine e) {
-+        return (e.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING);
-+    }
-+
-+    private void checkResult(ByteBuffer bbIn, ByteBuffer bbOut,
-+            SSLEngineResult result,
-+            Status status, HandshakeStatus hsStatus,
-+            int consumed, int produced)
-+            throws Exception {
-+
-+        if ((status != null) && (result.getStatus() != status)) {
-+            throw new Exception("Unexpected Status: need = " + status +
-+                " got = " + result.getStatus());
-+        }
-+
-+        if ((hsStatus != null) && (result.getHandshakeStatus() != hsStatus)) {
-+            throw new Exception("Unexpected hsStatus: need = " + hsStatus +
-+                " got = " + result.getHandshakeStatus());
-+        }
-+
-+        if ((consumed != -1) && (consumed != result.bytesConsumed())) {
-+            throw new Exception("Unexpected consumed: need = " + consumed +
-+                " got = " + result.bytesConsumed());
-+        }
-+
-+        if ((produced != -1) && (produced != result.bytesProduced())) {
-+            throw new Exception("Unexpected produced: need = " + produced +
-+                " got = " + result.bytesProduced());
-+        }
-+
-+        if ((consumed != -1) && (bbIn.position() != result.bytesConsumed())) {
-+            throw new Exception("Consumed " + bbIn.position() +
-+                " != " + consumed);
-+        }
-+
-+        if ((produced != -1) && (bbOut.position() != result.bytesProduced())) {
-+            throw new Exception("produced " + bbOut.position() +
-+                " != " + produced);
-+        }
-+    }
-+
-+    private void test(String cipherSuite, boolean exportable,
-+            int lenServerKeyEx, int lenClientKeyEx) throws Exception {
-+
-+        createSSLEngines();
-+        createBuffers();
-+
-+        SSLEngineResult result1;        // ssle1's results from last operation
-+        SSLEngineResult result2;        // ssle2's results from last operation
-+
-+        String[] suites = new String [] {cipherSuite};
-+
-+        ssle1.setEnabledCipherSuites(suites);
-+        ssle2.setEnabledCipherSuites(suites);
-+
-+        log("======================================");
-+        log("===================");
-+        log("client hello");
-+        result1 = ssle1.wrap(appOut1, oneToTwo);
-+        checkResult(appOut1, oneToTwo, result1,
-+            Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1);
-+        oneToTwo.flip();
-+
-+        result2 = ssle2.unwrap(oneToTwo, appIn2);
-+        checkResult(oneToTwo, appIn2, result2,
-+            Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0);
-+        runDelegatedTasks(ssle2);
-+        oneToTwo.compact();
-+
-+        log("===================");
-+        log("ServerHello");
-+        result2 = ssle2.wrap(appOut2, twoToOne);
-+        checkResult(appOut2, twoToOne, result2,
-+            Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1);
-+        twoToOne.flip();
-+
-+        log("Message length of ServerHello series: " + twoToOne.remaining());
-+        if (lenServerKeyEx != twoToOne.remaining()) {
-+            throw new Exception(
-+                "Expected to generate ServerHello series messages of " +
-+                lenServerKeyEx + " bytes, but not " + twoToOne.remaining());
-+        }
-+
-+        result1 = ssle1.unwrap(twoToOne, appIn1);
-+        checkResult(twoToOne, appIn1, result1,
-+            Status.OK, HandshakeStatus.NEED_TASK, result2.bytesProduced(), 0);
-+        runDelegatedTasks(ssle1);
-+        twoToOne.compact();
-+
-+        log("===================");
-+        log("Key Exchange");
-+        result1 = ssle1.wrap(appOut1, oneToTwo);
-+        checkResult(appOut1, oneToTwo, result1,
-+            Status.OK, HandshakeStatus.NEED_WRAP, 0, -1);
-+        oneToTwo.flip();
-+
-+        log("Message length of ClientKeyExchange: " + oneToTwo.remaining());
-+        if (lenClientKeyEx != oneToTwo.remaining()) {
-+            throw new Exception(
-+                "Expected to generate ClientKeyExchange message of " +
-+                lenClientKeyEx + " bytes, but not " + oneToTwo.remaining());
-+        }
-+        result2 = ssle2.unwrap(oneToTwo, appIn2);
-+        checkResult(oneToTwo, appIn2, result2,
-+            Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0);
-+        runDelegatedTasks(ssle2);
-+        oneToTwo.compact();
-+
-+        log("===================");
-+        log("Client CCS");
-+        result1 = ssle1.wrap(appOut1, oneToTwo);
-+        checkResult(appOut1, oneToTwo, result1,
-+            Status.OK, HandshakeStatus.NEED_WRAP, 0, -1);
-+        oneToTwo.flip();
-+
-+        result2 = ssle2.unwrap(oneToTwo, appIn2);
-+        checkResult(oneToTwo, appIn2, result2,
-+            Status.OK, HandshakeStatus.NEED_UNWRAP,
-+            result1.bytesProduced(), 0);
-+        oneToTwo.compact();
-+
-+        log("===================");
-+        log("Client Finished");
-+        result1 = ssle1.wrap(appOut1, oneToTwo);
-+        checkResult(appOut1, oneToTwo, result1,
-+            Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1);
-+        oneToTwo.flip();
-+
-+        result2 = ssle2.unwrap(oneToTwo, appIn2);
-+        checkResult(oneToTwo, appIn2, result2,
-+            Status.OK, HandshakeStatus.NEED_WRAP,
-+            result1.bytesProduced(), 0);
-+        oneToTwo.compact();
-+
-+        log("===================");
-+        log("Server CCS");
-+        result2 = ssle2.wrap(appOut2, twoToOne);
-+        checkResult(appOut2, twoToOne, result2,
-+            Status.OK, HandshakeStatus.NEED_WRAP, 0, -1);
-+        twoToOne.flip();
-+
-+        result1 = ssle1.unwrap(twoToOne, appIn1);
-+        checkResult(twoToOne, appIn1, result1,
-+            Status.OK, HandshakeStatus.NEED_UNWRAP, result2.bytesProduced(), 0);
-+        twoToOne.compact();
-+
-+        log("===================");
-+        log("Server Finished");
-+        result2 = ssle2.wrap(appOut2, twoToOne);
-+        checkResult(appOut2, twoToOne, result2,
-+            Status.OK, HandshakeStatus.FINISHED, 0, -1);
-+        twoToOne.flip();
-+
-+        result1 = ssle1.unwrap(twoToOne, appIn1);
-+        checkResult(twoToOne, appIn1, result1,
-+            Status.OK, HandshakeStatus.FINISHED, result2.bytesProduced(), 0);
-+        twoToOne.compact();
-+
-+        log("===================");
-+        log("Check Session/Ciphers");
-+        String cs = ssle1.getSession().getCipherSuite();
-+        if (!cs.equals(suites[0])) {
-+            throw new Exception("suites not equal: " + cs + "/" + suites[0]);
-+        }
-+
-+        cs = ssle2.getSession().getCipherSuite();
-+        if (!cs.equals(suites[0])) {
-+            throw new Exception("suites not equal: " + cs + "/" + suites[0]);
-+        }
-+
-+        log("===================");
-+        log("Done with SSL/TLS handshaking");
-+    }
-+
-+    public static void main(String args[]) throws Exception {
-+        if (args.length != 4) {
-+            System.out.println(
-+                "Usage: java DHEKeySizing cipher-suite " +
-+                "exportable(true|false)\n" +
-+                "    size-of-server-hello-record size-of-client-key-exchange");
-+            throw new Exception("Incorrect usage!");
-+        }
-+
-+        (new DHEKeySizing()).test(args[0],
-+                Boolean.parseBoolean(args[1]),
-+                Integer.parseInt(args[2]),
-+                Integer.parseInt(args[3]));
-+        System.out.println("Test Passed.");
-+    }
-+
-+    /*
-+     * **********************************************************
-+     * Majority of the test case is above, below is just setup stuff
-+     * **********************************************************
-+     */
-+
-+    public DHEKeySizing() throws Exception {
-+        sslc = getSSLContext();
-+    }
-+
-+    /*
-+     * Create an initialized SSLContext to use for this test.
-+     */
-+    private SSLContext getSSLContext() throws Exception {
-+
-+        // generate certificate from cert string
-+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
-+
-+        // create a key store
-+        KeyStore ts = KeyStore.getInstance("JKS");
-+        KeyStore ks = KeyStore.getInstance("JKS");
-+        ts.load(null, null);
-+        ks.load(null, null);
-+
-+        // import the trused cert
-+        ByteArrayInputStream is =
-+                    new ByteArrayInputStream(trustedCertStr.getBytes());
-+        Certificate trusedCert = cf.generateCertificate(is);
-+        is.close();
-+        ts.setCertificateEntry("rsa-trusted-2048", trusedCert);
-+
-+        // generate the private key.
-+        String keySpecStr = targetPrivateKey;
-+        PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
-+                            Base64.getMimeDecoder().decode(keySpecStr));
-+        KeyFactory kf = KeyFactory.getInstance("RSA");
-+        RSAPrivateKey priKey = (RSAPrivateKey)kf.generatePrivate(priKeySpec);
-+
-+        Certificate[] chain = new Certificate[1];
-+        chain[0] = trusedCert;
-+
-+        // import the key entry.
-+        ks.setKeyEntry("rsa-key-2048", priKey, passphrase, chain);
-+
-+        // create SSL context
-+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-+        kmf.init(ks, passphrase);
-+
-+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
-+        tmf.init(ts);
-+
-+        SSLContext sslCtx = SSLContext.getInstance("TLS");
-+        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-+
-+        return sslCtx;
-+    }
-+
-+    private void createBuffers() {
-+        // Size the buffers as appropriate.
-+
-+        SSLSession session = ssle1.getSession();
-+        int appBufferMax = session.getApplicationBufferSize();
-+        int netBufferMax = session.getPacketBufferSize();
-+
-+        appIn1 = ByteBuffer.allocateDirect(appBufferMax + 50);
-+        appIn2 = ByteBuffer.allocateDirect(appBufferMax + 50);
-+
-+        oneToTwo = ByteBuffer.allocateDirect(netBufferMax);
-+        twoToOne = ByteBuffer.allocateDirect(netBufferMax);
-+
-+        appOut1 = ByteBuffer.wrap("Hi Engine2, I'm SSLEngine1".getBytes());
-+        appOut2 = ByteBuffer.wrap("Hello Engine1, I'm SSLEngine2".getBytes());
-+
-+        log("AppOut1 = " + appOut1);
-+        log("AppOut2 = " + appOut2);
-+        log("");
-+    }
-+
-+    private static void runDelegatedTasks(SSLEngine engine) throws Exception {
-+
-+        Runnable runnable;
-+        while ((runnable = engine.getDelegatedTask()) != null) {
-+            log("running delegated task...");
-+            runnable.run();
-+        }
-+    }
-+
-+    private static void log(String str) {
-+        if (debug) {
-+            System.out.println(str);
-+        }
-+    }
-+}
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch
--- a/patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,117 +0,0 @@
-# HG changeset patch
-# User valeriep
-# Date 1326944130 28800
-#      Wed Jan 18 19:35:30 2012 -0800
-# Node ID b2488252ba0c238d37b24069808b0ac8c2da1c76
-# Parent  9ec80e94c5cda0fb59fbfe217e3505f597ccbe90
-7033170: Cipher.getMaxAllowedKeyLength(String) throws NoSuchAlgorithmException
-Summary: Changed to always use full transformation as provider properties.
-Reviewed-by: mullan
-
-diff -r 9ec80e94c5cd -r b2488252ba0c src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Wed Jan 18 19:33:50 2012 -0800
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	Wed Jan 18 19:35:30 2012 -0800
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -606,24 +606,31 @@
-                 m(CKM_DES_CBC));
-         d(CIP, "DES/CBC/PKCS5Padding",          P11Cipher,
-                 m(CKM_DES_CBC_PAD, CKM_DES_CBC));
--        d(CIP, "DES/ECB",                       P11Cipher,      s("DES"),
-+        d(CIP, "DES/ECB/NoPadding",             P11Cipher,
-                 m(CKM_DES_ECB));
--
-+        d(CIP, "DES/ECB/PKCS5Padding",          P11Cipher,      s("DES"),
-+                m(CKM_DES_ECB));
-         d(CIP, "DESede/CBC/NoPadding",          P11Cipher,
-                 m(CKM_DES3_CBC));
-         d(CIP, "DESede/CBC/PKCS5Padding",       P11Cipher,
-                 m(CKM_DES3_CBC_PAD, CKM_DES3_CBC));
--        d(CIP, "DESede/ECB",                    P11Cipher,      s("DESede"),
-+        d(CIP, "DESede/ECB/NoPadding",          P11Cipher,
-+                m(CKM_DES3_ECB));
-+        d(CIP, "DESede/ECB/PKCS5Padding",       P11Cipher,      s("DESede"),
-                 m(CKM_DES3_ECB));
-         d(CIP, "AES/CBC/NoPadding",             P11Cipher,
-                 m(CKM_AES_CBC));
-         d(CIP, "AES/CBC/PKCS5Padding",          P11Cipher,
-                 m(CKM_AES_CBC_PAD, CKM_AES_CBC));
--        d(CIP, "AES/ECB",                       P11Cipher,      s("AES"),
-+        d(CIP, "AES/ECB/NoPadding",             P11Cipher,
-+                m(CKM_AES_ECB));
-+        d(CIP, "AES/ECB/PKCS5Padding",          P11Cipher,      s("AES"),
-                 m(CKM_AES_ECB));
-         d(CIP, "AES/CTR/NoPadding",             P11Cipher,
-                 m(CKM_AES_CTR));
--        d(CIP, "Blowfish/CBC",                  P11Cipher,
-+        d(CIP, "Blowfish/CBC/NoPadding",        P11Cipher,
-+                m(CKM_BLOWFISH_CBC));
-+        d(CIP, "Blowfish/CBC/PKCS5Padding",     P11Cipher,
-                 m(CKM_BLOWFISH_CBC));
- 
-         // XXX RSA_X_509, RSA_OAEP not yet supported
-diff -r 9ec80e94c5cd -r b2488252ba0c test/javax/crypto/Cipher/GetMaxAllowed.java
---- openjdk/jdk/test/javax/crypto/Cipher/GetMaxAllowed.java	Wed Jan 18 19:33:50 2012 -0800
-+++ openjdk/jdk/test/javax/crypto/Cipher/GetMaxAllowed.java	Wed Jan 18 19:35:30 2012 -0800
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 4807942
-+ * @bug 4807942 7033170
-  * @summary Test the Cipher.getMaxAllowedKeyLength(String) and
-  * getMaxAllowedParameterSpec(String) methods
-  * @author Valerie Peng
-@@ -40,7 +40,7 @@
- 
- public class GetMaxAllowed {
- 
--    private static void runTest(boolean isUnlimited) throws Exception {
-+    private static void runTest1(boolean isUnlimited) throws Exception {
-         System.out.println("Testing " + (isUnlimited? "un":"") +
-                            "limited policy...");
- 
-@@ -78,6 +78,20 @@
-         System.out.println("All tests passed");
-     }
- 
-+    private static void runTest2() throws Exception {
-+        System.out.println("Testing against Security.getAlgorithms()");
-+
-+        Set algorithms = Security.getAlgorithms("Cipher");
-+
-+        for (String algorithm: algorithms) {
-+            int keylength = -1;
-+
-+            // if 7033170 is not fixed, NoSuchAlgorithmException is thrown
-+            keylength = Cipher.getMaxAllowedKeyLength(algorithm);
-+
-+        }
-+    }
-+
-     public static void main(String[] args) throws Exception {
-         // decide if the installed jurisdiction policy file is the
-         // unlimited version
-@@ -88,6 +102,9 @@
-         } catch (InvalidKeyException ike) {
-             isUnlimited = false;
-         }
--        runTest(isUnlimited);
-+        runTest1(isUnlimited);
-+
-+        // test using the set of algorithms returned by Security.getAlgorithms()
-+        runTest2();
-     }
- }
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/7044060-support_nsa_suite_b.patch
--- a/patches/openjdk/7044060-support_nsa_suite_b.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,3214 +0,0 @@
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java	2014-12-24 18:49:01.952432946 +0000
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java	2014-12-24 20:19:58.491124251 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -47,18 +47,122 @@
-  * @see OutputFeedback
-  */
- 
--public final class AESCipher extends CipherSpi {
-+abstract class AESCipher extends CipherSpi {
-+    public static final class General extends AESCipher {
-+        public General() {
-+            super(-1);
-+        }
-+    }
-+    abstract static class OidImpl extends AESCipher {
-+        protected OidImpl(int keySize, String mode, String padding) {
-+            super(keySize);
-+            try {
-+                engineSetMode(mode);
-+                engineSetPadding(padding);
-+            } catch (GeneralSecurityException gse) {
-+                // internal error; re-throw as provider exception
-+                ProviderException pe =new ProviderException("Internal Error");
-+                pe.initCause(gse);
-+                throw pe;
-+            }
-+        }
-+    }
-+    public static final class AES128_ECB_NoPadding extends OidImpl {
-+        public AES128_ECB_NoPadding() {
-+            super(16, "ECB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES192_ECB_NoPadding extends OidImpl {
-+        public AES192_ECB_NoPadding() {
-+            super(24, "ECB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES256_ECB_NoPadding extends OidImpl {
-+        public AES256_ECB_NoPadding() {
-+            super(32, "ECB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES128_CBC_NoPadding extends OidImpl {
-+        public AES128_CBC_NoPadding() {
-+            super(16, "CBC", "NOPADDING");
-+        }
-+    }
-+    public static final class AES192_CBC_NoPadding extends OidImpl {
-+        public AES192_CBC_NoPadding() {
-+            super(24, "CBC", "NOPADDING");
-+        }
-+    }
-+    public static final class AES256_CBC_NoPadding extends OidImpl {
-+        public AES256_CBC_NoPadding() {
-+            super(32, "CBC", "NOPADDING");
-+        }
-+    }
-+    public static final class AES128_OFB_NoPadding extends OidImpl {
-+        public AES128_OFB_NoPadding() {
-+            super(16, "OFB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES192_OFB_NoPadding extends OidImpl {
-+        public AES192_OFB_NoPadding() {
-+            super(24, "OFB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES256_OFB_NoPadding extends OidImpl {
-+        public AES256_OFB_NoPadding() {
-+            super(32, "OFB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES128_CFB_NoPadding extends OidImpl {
-+        public AES128_CFB_NoPadding() {
-+            super(16, "CFB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES192_CFB_NoPadding extends OidImpl {
-+        public AES192_CFB_NoPadding() {
-+            super(24, "CFB", "NOPADDING");
-+        }
-+    }
-+    public static final class AES256_CFB_NoPadding extends OidImpl {
-+        public AES256_CFB_NoPadding() {
-+            super(32, "CFB", "NOPADDING");
-+        }
-+    }
-+
-+    // utility method used by AESCipher and AESWrapCipher
-+    static final void checkKeySize(Key key, int fixedKeySize)
-+        throws InvalidKeyException {
-+        if (fixedKeySize != -1) {
-+            if (key == null) {
-+                throw new InvalidKeyException("The key must not be null");
-+            }
-+            byte[] value = key.getEncoded();
-+            if (value == null) {
-+                throw new InvalidKeyException("Key encoding must not be null");
-+            } else if (value.length != fixedKeySize) {
-+                throw new InvalidKeyException("The key must be " +
-+                    fixedKeySize*8 + " bits");
-+            }
-+        }
-+    }
-+
-     /*
-      * internal CipherCore object which does the real work.
-      */
-     private CipherCore core = null;
- 
-+    /*
-+     * needed to support AES oids which associates a fixed key size
-+     * to the cipher object.
-+     */
-+    private final int fixedKeySize; // in bytes, -1 if no restriction
-+
-     /**
-      * Creates an instance of AES cipher with default ECB mode and
-      * PKCS5Padding.
-      */
--    public AESCipher() {
-+    protected AESCipher(int keySize) {
-         core = new CipherCore(new AESCrypt(), AESConstants.AES_BLOCK_SIZE);
-+        fixedKeySize = keySize;
-     }
- 
-     /**
-@@ -183,6 +287,7 @@
-      */
-     protected void engineInit(int opmode, Key key, SecureRandom random)
-         throws InvalidKeyException {
-+        checkKeySize(key, fixedKeySize);
-         core.init(opmode, key, random);
-     }
- 
-@@ -214,6 +319,7 @@
-                               AlgorithmParameterSpec params,
-                               SecureRandom random)
-         throws InvalidKeyException, InvalidAlgorithmParameterException {
-+        checkKeySize(key, fixedKeySize);
-         core.init(opmode, key, params, random);
-     }
- 
-@@ -221,6 +327,7 @@
-                               AlgorithmParameters params,
-                               SecureRandom random)
-         throws InvalidKeyException, InvalidAlgorithmParameterException {
-+        checkKeySize(key, fixedKeySize);
-         core.init(opmode, key, params, random);
-     }
- 
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java	2014-12-24 18:49:01.952432946 +0000
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java	2014-12-24 20:19:27.306753452 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -43,8 +43,27 @@
-  *
-  * @see AESCipher
-  */
--public final class AESWrapCipher extends CipherSpi {
--
-+abstract class AESWrapCipher extends CipherSpi {
-+    public static final class General extends AESWrapCipher {
-+        public General() {
-+            super(-1);
-+        }
-+    }
-+    public static final class AES128 extends AESWrapCipher {
-+        public AES128() {
-+            super(16);
-+        }
-+    }
-+    public static final class AES192 extends AESWrapCipher {
-+        public AES192() {
-+            super(24);
-+        }
-+    }
-+    public static final class AES256 extends AESWrapCipher {
-+        public AES256() {
-+            super(32);
-+        }
-+    }
-     private static final byte[] IV = {
-         (byte) 0xA6, (byte) 0xA6, (byte) 0xA6, (byte) 0xA6,
-         (byte) 0xA6, (byte) 0xA6, (byte) 0xA6, (byte) 0xA6
-@@ -62,12 +81,19 @@
-      */
-     private boolean decrypting = false;
- 
-+    /*
-+     * needed to support AES oids which associates a fixed key size
-+     * to the cipher object.
-+     */
-+    private final int fixedKeySize; // in bytes, -1 if no restriction
-+
-     /**
-      * Creates an instance of AES KeyWrap cipher with default
-      * mode, i.e. "ECB" and padding scheme, i.e. "NoPadding".
-      */
--    public AESWrapCipher() {
-+    public AESWrapCipher(int keySize) {
-         cipher = new AESCrypt();
-+        fixedKeySize = keySize;
-     }
- 
-     /**
-@@ -170,6 +196,7 @@
-             throw new UnsupportedOperationException("This cipher can " +
-                 "only be used for key wrapping and unwrapping");
-         }
-+        AESCipher.checkKeySize(key, fixedKeySize);
-         cipher.init(decrypting, key.getAlgorithm(), key.getEncoded());
-     }
- 
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java	2013-08-21 20:33:03.876325741 +0100
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java	2014-12-24 20:18:40.126192669 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -80,10 +80,10 @@
-      * @param random the source of randomness
-      */
-     public void initialize(int keysize, SecureRandom random) {
--        if ((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0)) {
-+        if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) {
-             throw new InvalidParameterException("Keysize must be multiple "
-                                                 + "of 64, and can only range "
--                                                + "from 512 to 1024 "
-+                                                + "from 512 to 2048 "
-                                                 + "(inclusive)");
-         }
-         this.pSize = keysize;
-@@ -115,11 +115,11 @@
- 
-         params = (DHParameterSpec)algParams;
-         pSize = params.getP().bitLength();
--        if ((pSize < 512) || (pSize > 1024) ||
-+        if ((pSize < 512) || (pSize > 2048) ||
-             (pSize % 64 != 0)) {
-             throw new InvalidAlgorithmParameterException
-                 ("Prime size must be multiple of 64, and can only range "
--                 + "from 512 to 1024 (inclusive)");
-+                 + "from 512 to 2048 (inclusive)");
-         }
- 
-         // exponent size is optional, could be 0
-@@ -156,10 +156,11 @@
-         BigInteger g = params.getG();
- 
-         if (lSize <= 0) {
-+            lSize = pSize >> 1;
-             // use an exponent size of (pSize / 2) but at least 384 bits
--            lSize = Math.max(384, pSize >> 1);
--            // if lSize is larger than pSize, limit by pSize
--            lSize = Math.min(lSize, pSize);
-+            if (lSize < 384) {
-+                lSize = 384;
-+            }
-         }
- 
-         BigInteger x;
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java	2013-08-21 20:33:03.892325999 +0100
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java	2014-12-24 20:18:40.126192669 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -68,10 +68,10 @@
-      * @param random the source of randomness
-      */
-     protected void engineInit(int keysize, SecureRandom random) {
--        if ((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0)) {
-+        if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) {
-             throw new InvalidParameterException("Keysize must be multiple "
-                                                 + "of 64, and can only range "
--                                                + "from 512 to 1024 "
-+                                                + "from 512 to 2048 "
-                                                 + "(inclusive)");
-         }
-         this.primeSize = keysize;
-@@ -100,10 +100,10 @@
-             DHGenParameterSpec dhParamSpec = (DHGenParameterSpec)genParamSpec;
- 
-             primeSize = dhParamSpec.getPrimeSize();
--            if ((primeSize<512) || (primeSize>1024) || (primeSize%64 != 0)) {
-+            if ((primeSize<512) || (primeSize>2048) || (primeSize%64 != 0)) {
-                 throw new InvalidAlgorithmParameterException
-                     ("Modulus size must be multiple of 64, and can only range "
--                     + "from 512 to 1024 (inclusive)");
-+                     + "from 512 to 2048 (inclusive)");
-             }
- 
-             exponentSize = dhParamSpec.getExponentSize();
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java	2014-12-24 20:10:36.400459042 +0000
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java	2014-12-24 20:18:40.130192717 +0000
-@@ -172,16 +172,67 @@
-                 put("Cipher.Blowfish SupportedKeyFormats", "RAW");
- 
-                 put("Cipher.AES", "com.sun.crypto.provider.AESCipher");
-+                put("Cipher.AES", "com.sun.crypto.provider.AESCipher$General");
-                 put("Alg.Alias.Cipher.Rijndael", "AES");
-                 put("Cipher.AES SupportedModes", BLOCK_MODES128);
-                 put("Cipher.AES SupportedPaddings", BLOCK_PADS);
-                 put("Cipher.AES SupportedKeyFormats", "RAW");
- 
--                put("Cipher.AESWrap", "com.sun.crypto.provider.AESWrapCipher");
-+                put("Cipher.AES_128/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding");
-+                put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.1", "AES_128/ECB/NoPadding");
-+                put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.1", "AES_128/ECB/NoPadding");
-+                put("Cipher.AES_128/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding");
-+                put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.2", "AES_128/CBC/NoPadding");
-+                put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.2", "AES_128/CBC/NoPadding");
-+                put("Cipher.AES_128/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding");
-+                put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.3", "AES_128/OFB/NoPadding");
-+                put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.3", "AES_128/OFB/NoPadding");
-+                put("Cipher.AES_128/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding");
-+                put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.4", "AES_128/CFB/NoPadding");
-+                put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.4", "AES_128/CFB/NoPadding");
-+
-+                put("Cipher.AES_192/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.21", "AES_192/ECB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.21", "AES_192/ECB/NoPadding");
-+		put("Cipher.AES_192/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.22", "AES_192/CBC/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.22", "AES_192/CBC/NoPadding");
-+		put("Cipher.AES_192/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.23", "AES_192/OFB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.23", "AES_192/OFB/NoPadding");
-+		put("Cipher.AES_192/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.24", "AES_192/CFB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.24", "AES_192/CFB/NoPadding");
-+
-+
-+		put("Cipher.AES_256/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.41", "AES_256/ECB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.41", "AES_256/ECB/NoPadding");
-+		put("Cipher.AES_256/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.42", "AES_256/CBC/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.42", "AES_256/CBC/NoPadding");
-+		put("Cipher.AES_256/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.43", "AES_256/OFB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.43", "AES_256/OFB/NoPadding");
-+		put("Cipher.AES_256/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.44", "AES_256/CFB/NoPadding");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.44", "AES_256/CFB/NoPadding");
-+		
-+		put("Cipher.AESWrap", "com.sun.crypto.provider.AESWrapCipher$General");
-                 put("Cipher.AESWrap SupportedModes", "ECB");
-                 put("Cipher.AESWrap SupportedPaddings", "NOPADDING");
-                 put("Cipher.AESWrap SupportedKeyFormats", "RAW");
- 
-+		put("Cipher.AESWrap_128", "com.sun.crypto.provider.AESWrapCipher$AES128");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.5", "AESWrap_128");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.5", "AESWrap_128");
-+		put("Cipher.AESWrap_192", "com.sun.crypto.provider.AESWrapCipher$AES192");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.25", "AESWrap_192");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.25", "AESWrap_192");
-+		put("Cipher.AESWrap_256", "com.sun.crypto.provider.AESWrapCipher$AES256");
-+		put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.45", "AESWrap_256");
-+		put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.45", "AESWrap_256");
-+
-                 put("Cipher.RC2",
-                     "com.sun.crypto.provider.RC2Cipher");
-                 put("Cipher.RC2 SupportedModes", BLOCK_MODES);
-@@ -196,7 +247,7 @@
-                 put("Cipher.ARCFOUR SupportedKeyFormats", "RAW");
- 
-                 /*
--                 *  Key(pair) Generator engines
-+                 * Key(pair) Generator engines
-                  */
-                 put("KeyGenerator.DES",
-                     "com.sun.crypto.provider.DESKeyGenerator");
-@@ -225,6 +276,8 @@
- 
-                 put("KeyGenerator.HmacSHA1",
-                     "com.sun.crypto.provider.HmacSHA1KeyGenerator");
-+		put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.7", "HmacSHA1");
-+		put("Alg.Alias.KeyGenerator.1.2.840.113549.2.7", "HmacSHA1");
- 
-                 put("KeyGenerator.HmacSHA224",
-                     "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA224");
-@@ -407,6 +460,8 @@
-                  */
-                 put("Mac.HmacMD5", "com.sun.crypto.provider.HmacMD5");
-                 put("Mac.HmacSHA1", "com.sun.crypto.provider.HmacSHA1");
-+		put("Alg.Alias.Mac.OID.1.2.840.113549.2.7", "HmacSHA1");
-+		put("Alg.Alias.Mac.1.2.840.113549.2.7", "HmacSHA1");
-                 put("Mac.HmacSHA224",
-                     "com.sun.crypto.provider.HmacCore$HmacSHA224");
-                 put("Alg.Alias.Mac.OID.1.2.840.113549.2.8", "HmacSHA224");
-diff -Nru openjdk.orig/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java openjdk/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java
---- openjdk.orig/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java	2013-08-21 20:33:07.800389240 +0100
-+++ openjdk/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -62,6 +62,9 @@
-  * interface is all that is needed when you accept defaults for algorithm-specific
-  * parameters.
-  *
-+ * 
Note: Some earlier implementations of this interface may not support
-+ * larger sizes of DSA parameters such as 2048 and 3072-bit.
-+ *
-  * @see java.security.KeyPairGenerator
-  */
- public interface DSAKeyPairGenerator {
-@@ -78,7 +81,7 @@
-      * can be null.
-      *
-      * @exception InvalidParameterException if the params
--     * value is invalid or null.
-+     * value is invalid, null, or unsupported.
-      */
-    public void initialize(DSAParams params, SecureRandom random)
-    throws InvalidParameterException;
-@@ -97,7 +100,7 @@
-      * default parameters for modulus lengths of 512 and 1024 bits.
-      *
-      * @param modlen the modulus length in bits. Valid values are any
--     * multiple of 8 between 512 and 1024, inclusive.
-+     * multiple of 64 between 512 and 1024, inclusive, 2048, and 3072.
-      *
-      * @param random the random bit source to use to generate key bits;
-      * can be null.
-@@ -105,10 +108,9 @@
-      * @param genParams whether or not to generate new parameters for
-      * the modulus length requested.
-      *
--     * @exception InvalidParameterException if modlen is not
--     * between 512 and 1024, or if genParams is false and
--     * there are no precomputed parameters for the requested modulus
--     * length.
-+     * @exception InvalidParameterException if modlen is
-+     * invalid, or unsupported, or if genParams is false and there
-+     * are no precomputed parameters for the requested modulus length.
-      */
-     public void initialize(int modlen, boolean genParams, SecureRandom random)
-     throws InvalidParameterException;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java	2014-12-24 20:10:34.252433649 +0000
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java	2014-12-24 20:18:40.130192717 +0000
-@@ -164,6 +164,10 @@
-     // if we do the padding
-     private int bytesBuffered;
- 
-+    // length of key size in bytes; currently only used by AES given its oid
-+    // specification mandates a fixed size of the key
-+    private int fixedKeySize = -1;
-+
-     P11Cipher(Token token, String algorithm, long mechanism)
-             throws PKCS11Exception, NoSuchAlgorithmException {
-         super();
-@@ -172,19 +176,26 @@
-         this.mechanism = mechanism;
- 
-         String algoParts[] = algorithm.split("/");
--        keyAlgorithm = algoParts[0];
- 
--        if (keyAlgorithm.equals("AES")) {
-+        if (algoParts[0].startsWith("AES")) {
-             blockSize = 16;
--        } else if (keyAlgorithm.equals("RC4") ||
--                keyAlgorithm.equals("ARCFOUR")) {
--            blockSize = 0;
--        } else { // DES, DESede, Blowfish
--            blockSize = 8;
--        }
--        this.blockMode =
-+            int index = algoParts[0].indexOf('_');
-+            if (index != -1) {
-+                // should be well-formed since we specify what we support
-+                fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1))/8;
-+            }
-+            keyAlgorithm = "AES";
-+        } else {
-+            keyAlgorithm = algoParts[0];
-+            if (keyAlgorithm.equals("RC4") ||
-+                    keyAlgorithm.equals("ARCFOUR")) {
-+                blockSize = 0;
-+            } else { // DES, DESede, Blowfish
-+                blockSize = 8;
-+            }
-+            this.blockMode =
-                 (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB);
--
-+        }
-         String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding");
-         String paddingStr =
-                 (algoParts.length > 2 ? algoParts[2] : defPadding);
-@@ -333,6 +344,9 @@
-             SecureRandom random)
-             throws InvalidKeyException, InvalidAlgorithmParameterException {
-         cancelOperation();
-+        if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) {
-+            throw new InvalidKeyException("Key size is invalid");
-+        }
-         switch (opmode) {
-             case Cipher.ENCRYPT_MODE:
-                 encrypt = true;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2014-12-24 20:10:36.604461454 +0000
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2014-12-24 20:18:40.130192717 +0000
-@@ -383,12 +383,8 @@
-         return System.identityHashCode(this);
-     }
- 
--    private static String[] s(String s1) {
--        return new String[] {s1};
--    }
--
--    private static String[] s(String s1, String s2) {
--        return new String[] {s1, s2};
-+    private static String[] s(String ...aliases) {
-+        return aliases;
-     }
- 
-     private static final class Descriptor {
-@@ -505,7 +501,8 @@
-                 m(CKM_MD2));
-         d(MD, "MD5",            P11Digest,
-                 m(CKM_MD5));
--        d(MD, "SHA1",           P11Digest, s("SHA", "SHA-1"),
-+        d(MD, "SHA1",           P11Digest,
-+                s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"),
-                 m(CKM_SHA_1));
- 
-         d(MD, "SHA-224",        P11Digest,
-@@ -524,6 +521,7 @@
-         d(MAC, "HmacMD5",       P11MAC,
-                 m(CKM_MD5_HMAC));
-         d(MAC, "HmacSHA1",      P11MAC,
-+                s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"),
-                 m(CKM_SHA_1_HMAC));
-         d(MAC, "HmacSHA224",    P11MAC,
-                 s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"),
-@@ -545,6 +543,7 @@
-         d(KPG, "RSA",           P11KeyPairGenerator,
-                 m(CKM_RSA_PKCS_KEY_PAIR_GEN));
-         d(KPG, "DSA",           P11KeyPairGenerator,
-+                s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
-                 m(CKM_DSA_KEY_PAIR_GEN));
-         d(KPG, "DH",            P11KeyPairGenerator,    s("DiffieHellman"),
-                 m(CKM_DH_PKCS_KEY_PAIR_GEN));
-@@ -567,6 +566,7 @@
-         d(KF, "RSA",            P11RSAKeyFactory,
-                 m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(KF, "DSA",            P11DSAKeyFactory,
-+                s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
-                 m(CKM_DSA_KEY_PAIR_GEN, CKM_DSA, CKM_DSA_SHA1));
-         d(KF, "DH",             P11DHKeyFactory,        s("DiffieHellman"),
-                 m(CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE));
-@@ -590,6 +590,7 @@
-         d(SKF, "DESede",        P11SecretKeyFactory,
-                 m(CKM_DES3_CBC));
-         d(SKF, "AES",           P11SecretKeyFactory,
-+                s("2.16.840.1.101.3.4.1", "OID.2.16.840.1.101.3.4.1"),
-                 m(CKM_AES_CBC));
-         d(SKF, "Blowfish",      P11SecretKeyFactory,
-                 m(CKM_BLOWFISH_CBC));
-@@ -615,10 +616,28 @@
-                 m(CKM_DES3_ECB));
-         d(CIP, "AES/CBC/NoPadding",             P11Cipher,
-                 m(CKM_AES_CBC));
-+        d(CIP, "AES_128/CBC/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.2", "OID.2.16.840.1.101.3.4.1.2"),
-+                m(CKM_AES_CBC));
-+        d(CIP, "AES_192/CBC/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.22", "OID.2.16.840.1.101.3.4.1.22"),
-+                m(CKM_AES_CBC));
-+        d(CIP, "AES_256/CBC/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.42", "OID.2.16.840.1.101.3.4.1.42"),
-+                m(CKM_AES_CBC));
-         d(CIP, "AES/CBC/PKCS5Padding",          P11Cipher,
-                 m(CKM_AES_CBC_PAD, CKM_AES_CBC));
-         d(CIP, "AES/ECB/NoPadding",             P11Cipher,
-                 m(CKM_AES_ECB));
-+        d(CIP, "AES_128/ECB/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.1", "OID.2.16.840.1.101.3.4.1.1"),
-+                m(CKM_AES_ECB));
-+        d(CIP, "AES_192/ECB/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.21", "OID.2.16.840.1.101.3.4.1.21"),
-+                m(CKM_AES_ECB));
-+        d(CIP, "AES_256/ECB/NoPadding",          P11Cipher,
-+                s("2.16.840.1.101.3.4.1.41", "OID.2.16.840.1.101.3.4.1.41"),
-+                m(CKM_AES_ECB));
-         d(CIP, "AES/ECB/PKCS5Padding",          P11Cipher,      s("AES"),
-                 m(CKM_AES_ECB));
-         d(CIP, "AES/CTR/NoPadding",             P11Cipher,
-@@ -632,13 +651,16 @@
-         d(CIP, "RSA/ECB/PKCS1Padding",          P11RSACipher,
-                 m(CKM_RSA_PKCS));
- 
--        d(SIG, "RawDSA",        P11Signature,           s("NONEwithDSA"),
-+        d(SIG, "RawDSA",        P11Signature,   s("NONEwithDSA"),
-                 m(CKM_DSA));
--        d(SIG, "DSA",           P11Signature,           s("SHA1withDSA"),
-+        d(SIG, "DSA",           P11Signature,
-+                s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27",
-+                  "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"),
-                 m(CKM_DSA_SHA1, CKM_DSA));
-         d(SIG, "NONEwithECDSA", P11Signature,
-                 m(CKM_ECDSA));
--        d(SIG, "SHA1withECDSA", P11Signature,           s("ECDSA"),
-+        d(SIG, "SHA1withECDSA", P11Signature,
-+                s("ECDSA", "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1"),
-                 m(CKM_ECDSA_SHA1, CKM_ECDSA));
-         d(SIG, "SHA224withECDSA",       P11Signature,
-                 s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"),
-@@ -653,10 +675,14 @@
-                 s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"),
-                 m(CKM_ECDSA));
-         d(SIG, "MD2withRSA",    P11Signature,
-+                s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"),
-                 m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "MD5withRSA",    P11Signature,
-+                s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"),
-                 m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA1withRSA",   P11Signature,
-+                s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5",
-+                  "1.3.14.3.2.29"),
-                 m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
-         d(SIG, "SHA224withRSA", P11Signature,
-                 s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"),
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSA.java openjdk/jdk/src/share/classes/sun/security/provider/DSA.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSA.java	2013-08-21 20:33:03.312316612 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/DSA.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1996, 2004, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -45,14 +45,15 @@
- 
- /**
-  * The Digital Signature Standard (using the Digital Signature
-- * Algorithm), as described in fips186 of the National Instute of
-- * Standards and Technology (NIST), using fips180-1 (SHA-1).
-+ * Algorithm), as described in fips186-3 of the National Instute of
-+ * Standards and Technology (NIST), using SHA digest algorithms
-+ * from FIPS180-3.
-  *
-  * This file contains both the signature implementation for the
-- * commonly used SHA1withDSA (DSS) as well as RawDSA, used by TLS
-- * among others. RawDSA expects the 20 byte SHA-1 digest as input
-- * via update rather than the original data like other signature
-- * implementations.
-+ * commonly used SHA1withDSA (DSS), SHA224withDSA, SHA256withDSA,
-+ * as well as RawDSA, used by TLS among others. RawDSA expects
-+ * the 20 byte SHA-1 digest as input via update rather than the
-+ * original data like other signature implementations.
-  *
-  * @author Benjamin Renaud
-  *
-@@ -78,129 +79,19 @@
-     /* The private key, if any */
-     private BigInteger presetX;
- 
--    /* The random seed used to generate k */
--    private int[] Kseed;
--
--    /* The random seed used to generate k (specified by application) */
--    private byte[] KseedAsByteArray;
--
--    /*
--     * The random seed used to generate k
--     * (prevent the same Kseed from being used twice in a row
--     */
--    private int[] previousKseed;
--
-     /* The RNG used to output a seed for generating k */
-     private SecureRandom signingRandom;
- 
-+    /* The message digest object used */
-+    private final MessageDigest md;
-+
-     /**
-      * Construct a blank DSA object. It must be
-      * initialized before being usable for signing or verifying.
-      */
--    DSA() {
-+    DSA(MessageDigest md) {
-         super();
--    }
--
--    /**
--     * Return the 20 byte hash value and reset the digest.
--     */
--    abstract byte[] getDigest() throws SignatureException;
--
--    /**
--     * Reset the digest.
--     */
--    abstract void resetDigest();
--
--    /**
--     * Standard SHA1withDSA implementation.
--     */
--    public static final class SHA1withDSA extends DSA {
--
--        /* The SHA hash for the data */
--        private final MessageDigest dataSHA;
--
--        public SHA1withDSA() throws NoSuchAlgorithmException {
--            dataSHA = MessageDigest.getInstance("SHA-1");
--        }
--
--        /**
--         * Update a byte to be signed or verified.
--         */
--        protected void engineUpdate(byte b) {
--            dataSHA.update(b);
--        }
--
--        /**
--         * Update an array of bytes to be signed or verified.
--         */
--        protected void engineUpdate(byte[] data, int off, int len) {
--            dataSHA.update(data, off, len);
--        }
--
--        protected void engineUpdate(ByteBuffer b) {
--            dataSHA.update(b);
--        }
--
--        byte[] getDigest() {
--            return dataSHA.digest();
--        }
--
--        void resetDigest() {
--            dataSHA.reset();
--        }
--    }
--
--    /**
--     * RawDSA implementation.
--     *
--     * RawDSA requires the data to be exactly 20 bytes long. If it is
--     * not, a SignatureException is thrown when sign()/verify() is called
--     * per JCA spec.
--     */
--    public static final class RawDSA extends DSA {
--
--        // length of the SHA-1 digest (20 bytes)
--        private final static int SHA1_LEN = 20;
--
--        // 20 byte digest buffer
--        private final byte[] digestBuffer;
--
--        // offset into the buffer
--        private int ofs;
--
--        public RawDSA() {
--            digestBuffer = new byte[SHA1_LEN];
--        }
--
--        protected void engineUpdate(byte b) {
--            if (ofs == SHA1_LEN) {
--                ofs = SHA1_LEN + 1;
--                return;
--            }
--            digestBuffer[ofs++] = b;
--        }
--
--        protected void engineUpdate(byte[] data, int off, int len) {
--            if (ofs + len > SHA1_LEN) {
--                ofs = SHA1_LEN + 1;
--                return;
--            }
--            System.arraycopy(data, off, digestBuffer, ofs, len);
--            ofs += len;
--        }
--
--        byte[] getDigest() throws SignatureException {
--            if (ofs != SHA1_LEN) {
--                throw new SignatureException
--                        ("Data for RawDSA must be exactly 20 bytes long");
--            }
--            ofs = 0;
--            return digestBuffer;
--        }
--
--        void resetDigest() {
--            ofs = 0;
--        }
-+        this.md = md;
-     }
- 
-     /**
-@@ -217,13 +108,25 @@
-             throw new InvalidKeyException("not a DSA private key: " +
-                                           privateKey);
-         }
-+
-         java.security.interfaces.DSAPrivateKey priv =
-             (java.security.interfaces.DSAPrivateKey)privateKey;
-+
-+        // check for algorithm specific constraints before doing initialization
-+        DSAParams params = priv.getParams();
-+        if (params == null) {
-+            throw new InvalidKeyException("DSA private key lacks parameters");
-+        }
-+        checkKey(params);
-+
-+        this.params = params;
-         this.presetX = priv.getX();
-         this.presetY = null;
--        initialize(priv.getParams());
-+        this.presetP = params.getP();
-+        this.presetQ = params.getQ();
-+        this.presetG = params.getG();
-+        this.md.reset();
-     }
--
-     /**
-      * Initialize the DSA object with a DSA public key.
-      *
-@@ -240,17 +143,43 @@
-         }
-         java.security.interfaces.DSAPublicKey pub =
-             (java.security.interfaces.DSAPublicKey)publicKey;
-+
-+        // check for algorithm specific constraints before doing initialization
-+        DSAParams params = pub.getParams();
-+        if (params == null) {
-+            throw new InvalidKeyException("DSA public key lacks parameters");
-+        }
-+        checkKey(params);
-+
-+        this.params = params;
-         this.presetY = pub.getY();
-         this.presetX = null;
--        initialize(pub.getParams());
-+        this.presetP = params.getP();
-+        this.presetQ = params.getQ();
-+        this.presetG = params.getG();
-+        this.md.reset();
-     }
- 
--    private void initialize(DSAParams params) throws InvalidKeyException {
--        resetDigest();
--        setParams(params);
-+    /**
-+     * Update a byte to be signed or verified.
-+     */
-+    protected void engineUpdate(byte b) {
-+        md.update(b);
-     }
- 
-     /**
-+     * Update an array of bytes to be signed or verified.
-+     */
-+    protected void engineUpdate(byte[] data, int off, int len) {
-+        md.update(data, off, len);
-+    }
-+
-+    protected void engineUpdate(ByteBuffer b) {
-+        md.update(b);
-+    }
-+
-+
-+    /**
-      * Sign all the data thus far updated. The signature is formatted
-      * according to the Canonical Encoding Rules, returned as a DER
-      * sequence of Integer, r and s.
-@@ -352,23 +281,51 @@
-         }
-     }
- 
-+    @Deprecated
-+    protected void engineSetParameter(String key, Object param) {
-+        throw new InvalidParameterException("No parameter accepted");
-+    }
-+
-+    @Deprecated
-+    protected Object engineGetParameter(String key) {
-+        return null;
-+    }
-+
-+    protected void checkKey(DSAParams params) throws InvalidKeyException {
-+        // FIPS186-3 states in sec4.2 that a hash function which provides
-+        // a lower security strength than the (L, N) pair ordinarily should
-+        // not be used.
-+        int valueN = params.getQ().bitLength();
-+        if (valueN > md.getDigestLength()*8) {
-+            throw new InvalidKeyException("Key is too strong for this signature algorithm");
-+        }
-+    }
-+
-     private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
-                          BigInteger k) {
-         BigInteger temp = g.modPow(k, p);
--        return temp.remainder(q);
--   }
-+        return temp.mod(q);
-+    }
- 
-     private BigInteger generateS(BigInteger x, BigInteger q,
-             BigInteger r, BigInteger k) throws SignatureException {
- 
--        byte[] s2 = getDigest();
--        BigInteger temp = new BigInteger(1, s2);
-+        byte[] s2;
-+        try {
-+            s2 = md.digest();
-+        } catch (RuntimeException re) {
-+            // Only for RawDSA due to its 20-byte length restriction
-+            throw new SignatureException(re.getMessage());
-+        }
-+        // get the leftmost min(N, outLen) bits of the digest value
-+        int nBytes = q.bitLength()/8;
-+        if (nBytes < s2.length) {
-+            s2 = Arrays.copyOfRange(s2, 0, nBytes);
-+        }
-+        BigInteger z = new BigInteger(1, s2);
-         BigInteger k1 = k.modInverse(q);
- 
--        BigInteger s = x.multiply(r);
--        s = temp.add(s);
--        s = k1.multiply(s);
--        return s.remainder(q);
-+        return x.multiply(r).add(z).multiply(k1).mod(q);
-     }
- 
-     private BigInteger generateW(BigInteger p, BigInteger q,
-@@ -380,54 +337,41 @@
-              BigInteger q, BigInteger g, BigInteger w, BigInteger r)
-              throws SignatureException {
- 
--        byte[] s2 = getDigest();
--        BigInteger temp = new BigInteger(1, s2);
--
--        temp = temp.multiply(w);
--        BigInteger u1 = temp.remainder(q);
-+        byte[] s2;
-+        try {
-+            s2 = md.digest();
-+        } catch (RuntimeException re) {
-+            // Only for RawDSA due to its 20-byte length restriction
-+            throw new SignatureException(re.getMessage());
-+        }
-+        // get the leftmost min(N, outLen) bits of the digest value
-+        int nBytes = q.bitLength()/8;
-+        if (nBytes < s2.length) {
-+            s2 = Arrays.copyOfRange(s2, 0, nBytes);
-+        }
-+        BigInteger z = new BigInteger(1, s2);
- 
--        BigInteger u2 = (r.multiply(w)).remainder(q);
-+        BigInteger u1 = z.multiply(w).mod(q);
-+        BigInteger u2 = (r.multiply(w)).mod(q);
- 
-         BigInteger t1 = g.modPow(u1,p);
-         BigInteger t2 = y.modPow(u2,p);
-         BigInteger t3 = t1.multiply(t2);
--        BigInteger t5 = t3.remainder(p);
--        return t5.remainder(q);
-+        BigInteger t5 = t3.mod(p);
-+        return t5.mod(q);
-     }
- 
--    /*
--     * Please read bug report 4044247 for an alternative, faster,
--     * NON-FIPS approved method to generate K
--     */
--    private BigInteger generateK(BigInteger q) {
--
--        BigInteger k = null;
--
--        // The application specified a Kseed for us to use.
--        // Note that we do not allow usage of the same Kseed twice in a row
--        if (Kseed != null && !Arrays.equals(Kseed, previousKseed)) {
--            k = generateK(Kseed, q);
--            if (k.signum() > 0 && k.compareTo(q) < 0) {
--                previousKseed = new int [Kseed.length];
--                System.arraycopy(Kseed, 0, previousKseed, 0, Kseed.length);
--                return k;
--            }
--        }
--
--        // The application did not specify a Kseed for us to use.
--        // We'll generate a new Kseed by getting random bytes from
--        // a SecureRandom object.
-+    // NOTE: This following impl is defined in FIPS 186-3 AppendixB.2.2.
-+    // Original DSS algos such as SHA1withDSA and RawDSA uses a different
-+    // algorithm defined in FIPS 186-1 Sec3.2, and thus need to override this.
-+    protected BigInteger generateK(BigInteger q) {
-         SecureRandom random = getSigningRandom();
-+        byte[] kValue = new byte[q.bitLength()/8];
- 
-         while (true) {
--            int[] seed = new int[5];
--
--            for (int i = 0; i < 5; i++)
--                seed[i] = random.nextInt();
--            k = generateK(seed, q);
-+            random.nextBytes(kValue);
-+            BigInteger k = new BigInteger(1, kValue).mod(q);
-             if (k.signum() > 0 && k.compareTo(q) < 0) {
--                previousKseed = new int [seed.length];
--                System.arraycopy(seed, 0, previousKseed, 0, seed.length);
-                 return k;
-             }
-         }
-@@ -435,7 +379,7 @@
- 
-     // Use the application-specified SecureRandom Object if provided.
-     // Otherwise, use our default SecureRandom Object.
--    private SecureRandom getSigningRandom() {
-+    protected SecureRandom getSigningRandom() {
-         if (signingRandom == null) {
-             if (appRandom != null) {
-                 signingRandom = appRandom;
-@@ -447,171 +391,6 @@
-     }
- 
-     /**
--     * Compute k for a DSA signature.
--     *
--     * @param seed the seed for generating k. This seed should be
--     * secure. This is what is refered to as the KSEED in the DSA
--     * specification.
--     *
--     * @param g the g parameter from the DSA key pair.
--     */
--    private BigInteger generateK(int[] seed, BigInteger q) {
--
--        // check out t in the spec.
--        int[] t = { 0xEFCDAB89, 0x98BADCFE, 0x10325476,
--                    0xC3D2E1F0, 0x67452301 };
--        //
--        int[] tmp = DSA.SHA_7(seed, t);
--        byte[] tmpBytes = new byte[tmp.length * 4];
--        for (int i = 0; i < tmp.length; i++) {
--            int k = tmp[i];
--            for (int j = 0; j < 4; j++) {
--                tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8)));
--            }
--        }
--        BigInteger k = new BigInteger(1, tmpBytes).mod(q);
--        return k;
--    }
--
--   // Constants for each round
--    private static final int round1_kt = 0x5a827999;
--    private static final int round2_kt = 0x6ed9eba1;
--    private static final int round3_kt = 0x8f1bbcdc;
--    private static final int round4_kt = 0xca62c1d6;
--
--   /**
--    * Computes set 1 thru 7 of SHA-1 on m1. */
--   static int[] SHA_7(int[] m1, int[] h) {
--
--       int[] W = new int[80];
--       System.arraycopy(m1,0,W,0,m1.length);
--       int temp = 0;
--
--        for (int t = 16; t <= 79; t++){
--            temp = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
--            W[t] = ((temp << 1) | (temp >>>(32 - 1)));
--        }
--
--       int a = h[0],b = h[1],c = h[2], d = h[3], e = h[4];
--       for (int i = 0; i < 20; i++) {
--            temp = ((a<<5) | (a>>>(32-5))) +
--                ((b&c)|((~b)&d))+ e + W[i] + round1_kt;
--            e = d;
--            d = c;
--            c = ((b<<30) | (b>>>(32-30)));
--            b = a;
--            a = temp;
--        }
--
--        // Round 2
--        for (int i = 20; i < 40; i++) {
--            temp = ((a<<5) | (a>>>(32-5))) +
--                (b ^ c ^ d) + e + W[i] + round2_kt;
--            e = d;
--            d = c;
--            c = ((b<<30) | (b>>>(32-30)));
--            b = a;
--            a = temp;
--        }
--
--        // Round 3
--        for (int i = 40; i < 60; i++) {
--            temp = ((a<<5) | (a>>>(32-5))) +
--                ((b&c)|(b&d)|(c&d)) + e + W[i] + round3_kt;
--            e = d;
--            d = c;
--            c = ((b<<30) | (b>>>(32-30)));
--            b = a;
--            a = temp;
--        }
--
--        // Round 4
--        for (int i = 60; i < 80; i++) {
--            temp = ((a<<5) | (a>>>(32-5))) +
--                (b ^ c ^ d) + e + W[i] + round4_kt;
--            e = d;
--            d = c;
--            c = ((b<<30) | (b>>>(32-30)));
--            b = a;
--            a = temp;
--        }
--       int[] md = new int[5];
--       md[0] = h[0] + a;
--       md[1] = h[1] + b;
--       md[2] = h[2] + c;
--       md[3] = h[3] + d;
--       md[4] = h[4] + e;
--       return md;
--   }
--
--
--    /**
--     * This implementation recognizes the following parameter:

--     *
--     * 
Kseed
--     *
--     * 
a byte array.
--     *
--     * 

--     *
--     * @deprecated
--     */
--    @Deprecated
--    protected void engineSetParameter(String key, Object param) {
--        if (key.equals("KSEED")) {
--            if (param instanceof byte[]) {
--                Kseed = byteArray2IntArray((byte[])param);
--                KseedAsByteArray = (byte[])param;
--            } else {
--                debug("unrecognized param: " + key);
--                throw new InvalidParameterException("Kseed not a byte array");
--            }
--        } else {
--            throw new InvalidParameterException("invalid parameter");
--        }
--    }
--
--    /**
--     * Return the value of the requested parameter. Recognized
--     * parameters are:
--     *
--     * 

--     *
--     * 
Kseed
--     *
--     * 
a byte array.
--     *
--     * 

--     *
--     * @return the value of the requested parameter.
--     *
--     * @see java.security.SignatureEngine
--     *
--     * @deprecated
--     */
--    @Deprecated
--    protected Object engineGetParameter(String key) {
--        if (key.equals("KSEED")) {
--            return KseedAsByteArray;
--        } else {
--            return null;
--        }
--    }
--
--    /**
--     * Set the algorithm object.
--     */
--    private void setParams(DSAParams params) throws InvalidKeyException {
--        if (params == null) {
--            throw new InvalidKeyException("DSA public key lacks parameters");
--        }
--        this.params = params;
--        this.presetP = params.getP();
--        this.presetQ = params.getQ();
--        this.presetG = params.getG();
--    }
--
--    /**
-      * Return a human readable rendition of the engine.
-      */
-     public String toString() {
-@@ -632,47 +411,336 @@
-         return printable;
-     }
- 
--    /*
--     * Utility routine for converting a byte array into an int array
-+    private static void debug(Exception e) {
-+        if (debug) {
-+            e.printStackTrace();
-+        }
-+    }
-+
-+    private static void debug(String s) {
-+        if (debug) {
-+            System.err.println(s);
-+        }
-+    }
-+
-+    /**
-+     * Standard SHA224withDSA implementation as defined in FIPS186-3.
-      */
--    private int[] byteArray2IntArray(byte[] byteArray) {
-+    public static final class SHA224withDSA extends DSA {
-+        public SHA224withDSA() throws NoSuchAlgorithmException {
-+            super(MessageDigest.getInstance("SHA-224"));
-+        }
-+    }
-+
-+    /**
-+     * Standard SHA256withDSA implementation as defined in FIPS186-3.
-+     */
-+    public static final class SHA256withDSA extends DSA {
-+        public SHA256withDSA() throws NoSuchAlgorithmException {
-+            super(MessageDigest.getInstance("SHA-256"));
-+        }
-+    }
-+
-+    static class LegacyDSA extends DSA {
-+        /* The random seed used to generate k */
-+        private int[] kSeed;
-+        /* The random seed used to generate k (specified by application) */
-+        private byte[] kSeedAsByteArray;
-+        /*
-+         * The random seed used to generate k
-+         * (prevent the same Kseed from being used twice in a row
-+         */
-+        private int[] kSeedLast;
-+
-+        public LegacyDSA(MessageDigest md) throws NoSuchAlgorithmException {
-+            super(md);
-+        }
-+
-+        @Deprecated
-+        protected void engineSetParameter(String key, Object param) {
-+            if (key.equals("KSEED")) {
-+                if (param instanceof byte[]) {
-+                    kSeed = byteArray2IntArray((byte[])param);
-+                    kSeedAsByteArray = (byte[])param;
-+                } else {
-+                    debug("unrecognized param: " + key);
-+                    throw new InvalidParameterException("kSeed not a byte array");
-+                }
-+            } else {
-+                throw new InvalidParameterException("Unsupported parameter");
-+            }
-+        }
-+
-+        @Deprecated
-+        protected Object engineGetParameter(String key) {
-+           if (key.equals("KSEED")) {
-+               return kSeedAsByteArray;
-+           } else {
-+               return null;
-+           }
-+        }
-+
-+        @Override
-+        protected void checkKey(DSAParams params) throws InvalidKeyException {
-+            int valueL = params.getP().bitLength();
-+            if (valueL > 1024) {
-+                throw new InvalidKeyException("Key is too long for this algorithm");
-+            }
-+        }
-+
-+        /*
-+         * Please read bug report 4044247 for an alternative, faster,
-+         * NON-FIPS approved method to generate K
-+         */
-+        @Override
-+        protected BigInteger generateK(BigInteger q) {
-+            BigInteger k = null;
-+
-+            // The application specified a kSeed for us to use.
-+            // Note: we dis-allow usage of the same Kseed twice in a row
-+            if (kSeed != null && !Arrays.equals(kSeed, kSeedLast)) {
-+                k = generateKUsingKSeed(kSeed, q);
-+                if (k.signum() > 0 && k.compareTo(q) < 0) {
-+                    kSeedLast = kSeed.clone();
-+                    return k;
-+                }
-+            }
-+
-+            // The application did not specify a Kseed for us to use.
-+            // We'll generate a new Kseed by getting random bytes from
-+            // a SecureRandom object.
-+            SecureRandom random = getSigningRandom();
-+
-+            while (true) {
-+                int[] seed = new int[5];
-+
-+                for (int i = 0; i < 5; i++) seed[i] = random.nextInt();
-+
-+                k = generateKUsingKSeed(seed, q);
-+                if (k.signum() > 0 && k.compareTo(q) < 0) {
-+                    kSeedLast = seed;
-+                    return k;
-+                }
-+            }
-+        }
-+
-+        /**
-+         * Compute k for the DSA signature as defined in the original DSS,
-+         * i.e. FIPS186.
-+         *
-+         * @param seed the seed for generating k. This seed should be
-+         * secure. This is what is refered to as the KSEED in the DSA
-+         * specification.
-+         *
-+         * @param g the g parameter from the DSA key pair.
-+         */
-+        private BigInteger generateKUsingKSeed(int[] seed, BigInteger q) {
-+
-+            // check out t in the spec.
-+            int[] t = { 0xEFCDAB89, 0x98BADCFE, 0x10325476,
-+                        0xC3D2E1F0, 0x67452301 };
-+            //
-+            int[] tmp = SHA_7(seed, t);
-+            byte[] tmpBytes = new byte[tmp.length * 4];
-+            for (int i = 0; i < tmp.length; i++) {
-+                int k = tmp[i];
-+                for (int j = 0; j < 4; j++) {
-+                    tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8)));
-+                }
-+            }
-+            BigInteger k = new BigInteger(1, tmpBytes).mod(q);
-+            return k;
-+        }
-+
-+        // Constants for each round
-+        private static final int round1_kt = 0x5a827999;
-+        private static final int round2_kt = 0x6ed9eba1;
-+        private static final int round3_kt = 0x8f1bbcdc;
-+        private static final int round4_kt = 0xca62c1d6;
-+
-+        /**
-+         * Computes set 1 thru 7 of SHA-1 on m1. */
-+        static int[] SHA_7(int[] m1, int[] h) {
- 
--        int j = 0;
--        byte[] newBA;
--        int mod = byteArray.length % 4;
--
--        // guarantee that the incoming byteArray is a multiple of 4
--        // (pad with 0's)
--        switch (mod) {
-+            int[] W = new int[80];
-+            System.arraycopy(m1,0,W,0,m1.length);
-+            int temp = 0;
-+
-+            for (int t = 16; t <= 79; t++){
-+                temp = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16];
-+                W[t] = ((temp << 1) | (temp >>>(32 - 1)));
-+            }
-+
-+            int a = h[0],b = h[1],c = h[2], d = h[3], e = h[4];
-+            for (int i = 0; i < 20; i++) {
-+                temp = ((a<<5) | (a>>>(32-5))) +
-+                    ((b&c)|((~b)&d))+ e + W[i] + round1_kt;
-+                e = d;
-+                d = c;
-+                c = ((b<<30) | (b>>>(32-30)));
-+                b = a;
-+                a = temp;
-+            }
-+
-+            // Round 2
-+            for (int i = 20; i < 40; i++) {
-+                temp = ((a<<5) | (a>>>(32-5))) +
-+                    (b ^ c ^ d) + e + W[i] + round2_kt;
-+                e = d;
-+                d = c;
-+                c = ((b<<30) | (b>>>(32-30)));
-+                b = a;
-+                a = temp;
-+            }
-+
-+            // Round 3
-+            for (int i = 40; i < 60; i++) {
-+                temp = ((a<<5) | (a>>>(32-5))) +
-+                    ((b&c)|(b&d)|(c&d)) + e + W[i] + round3_kt;
-+                e = d;
-+                d = c;
-+                c = ((b<<30) | (b>>>(32-30)));
-+                b = a;
-+                a = temp;
-+            }
-+
-+            // Round 4
-+            for (int i = 60; i < 80; i++) {
-+                temp = ((a<<5) | (a>>>(32-5))) +
-+                    (b ^ c ^ d) + e + W[i] + round4_kt;
-+                e = d;
-+                d = c;
-+                c = ((b<<30) | (b>>>(32-30)));
-+                b = a;
-+                a = temp;
-+            }
-+            int[] md = new int[5];
-+            md[0] = h[0] + a;
-+            md[1] = h[1] + b;
-+            md[2] = h[2] + c;
-+            md[3] = h[3] + d;
-+            md[4] = h[4] + e;
-+            return md;
-+        }
-+
-+        /*
-+         * Utility routine for converting a byte array into an int array
-+         */
-+        private int[] byteArray2IntArray(byte[] byteArray) {
-+
-+            int j = 0;
-+            byte[] newBA;
-+            int mod = byteArray.length % 4;
-+
-+            // guarantee that the incoming byteArray is a multiple of 4
-+            // (pad with 0's)
-+            switch (mod) {
-             case 3:     newBA = new byte[byteArray.length + 1]; break;
-             case 2:     newBA = new byte[byteArray.length + 2]; break;
-             case 1:     newBA = new byte[byteArray.length + 3]; break;
-             default:    newBA = new byte[byteArray.length + 0]; break;
--        }
--        System.arraycopy(byteArray, 0, newBA, 0, byteArray.length);
-+            }
-+            System.arraycopy(byteArray, 0, newBA, 0, byteArray.length);
- 
--        // copy each set of 4 bytes in the byte array into an integer
--        int[] newSeed = new int[newBA.length / 4];
--        for (int i = 0; i < newBA.length; i += 4) {
--            newSeed[j] = newBA[i + 3] & 0xFF;
--            newSeed[j] |= (newBA[i + 2] << 8) & 0xFF00;
--            newSeed[j] |= (newBA[i + 1] << 16) & 0xFF0000;
--            newSeed[j] |= (newBA[i + 0] << 24) & 0xFF000000;
--            j++;
--        }
-+            // copy each set of 4 bytes in the byte array into an integer
-+            int[] newSeed = new int[newBA.length / 4];
-+            for (int i = 0; i < newBA.length; i += 4) {
-+                newSeed[j] = newBA[i + 3] & 0xFF;
-+                newSeed[j] |= (newBA[i + 2] << 8) & 0xFF00;
-+                newSeed[j] |= (newBA[i + 1] << 16) & 0xFF0000;
-+                newSeed[j] |= (newBA[i + 0] << 24) & 0xFF000000;
-+                j++;
-+            }
- 
--        return newSeed;
-+            return newSeed;
-+        }
-     }
- 
--    private static void debug(Exception e) {
--        if (debug) {
--            e.printStackTrace();
-+    public static final class SHA1withDSA extends LegacyDSA {
-+        public SHA1withDSA() throws NoSuchAlgorithmException {
-+            super(MessageDigest.getInstance("SHA-1"));
-         }
-     }
- 
--    private static void debug(String s) {
--        if (debug) {
--            System.err.println(s);
-+    /**
-+     * RawDSA implementation.
-+     *
-+     * RawDSA requires the data to be exactly 20 bytes long. If it is
-+     * not, a SignatureException is thrown when sign()/verify() is called
-+     * per JCA spec.
-+     */
-+    public static final class RawDSA extends LegacyDSA {
-+        // Internal special-purpose MessageDigest impl for RawDSA
-+        // Only override whatever methods used
-+        // NOTE: no clone support
-+        public static final class NullDigest20 extends MessageDigest {
-+            // 20 byte digest buffer
-+            private final byte[] digestBuffer = new byte[20];
-+
-+            // offset into the buffer; use Integer.MAX_VALUE to indicate
-+            // out-of-bound condition
-+            private int ofs = 0;
-+
-+            protected NullDigest20() {
-+                super("NullDigest20");
-+            }
-+            protected void engineUpdate(byte input) {
-+                if (ofs == digestBuffer.length) {
-+                    ofs = Integer.MAX_VALUE;
-+                } else {
-+                    digestBuffer[ofs++] = input;
-+                }
-+            }
-+            protected void engineUpdate(byte[] input, int offset, int len) {
-+                if (ofs + len > digestBuffer.length) {
-+                    ofs = Integer.MAX_VALUE;
-+                } else {
-+                    System.arraycopy(input, offset, digestBuffer, ofs, len);
-+                    ofs += len;
-+                }
-+            }
-+            protected final void engineUpdate(ByteBuffer input) {
-+                int inputLen = input.remaining();
-+                if (ofs + inputLen > digestBuffer.length) {
-+                    ofs = Integer.MAX_VALUE;
-+                } else {
-+                    input.get(digestBuffer, ofs, inputLen);
-+                    ofs += inputLen;
-+                }
-+            }
-+            protected byte[] engineDigest() throws RuntimeException {
-+                if (ofs != digestBuffer.length) {
-+                    throw new RuntimeException
-+                        ("Data for RawDSA must be exactly 20 bytes long");
-+                }
-+                reset();
-+                return digestBuffer;
-+            }
-+            protected int engineDigest(byte[] buf, int offset, int len)
-+                throws DigestException {
-+                if (ofs != digestBuffer.length) {
-+                    throw new DigestException
-+                        ("Data for RawDSA must be exactly 20 bytes long");
-+                }
-+                if (len < digestBuffer.length) {
-+                    throw new DigestException
-+                        ("Output buffer too small; must be at least 20 bytes");
-+                }
-+                System.arraycopy(digestBuffer, 0, buf, offset, digestBuffer.length);
-+                reset();
-+                return digestBuffer.length;
-+            }
-+
-+            protected void engineReset() {
-+                ofs = 0;
-+            }
-+            protected final int engineGetDigestLength() {
-+                return digestBuffer.length;
-+            }
-+        }
-+
-+        public RawDSA() throws NoSuchAlgorithmException {
-+            super(new NullDigest20());
-         }
-     }
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java openjdk/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java	2013-08-21 20:33:03.316316678 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -48,8 +48,9 @@
- public class DSAKeyPairGenerator extends KeyPairGenerator
- implements java.security.interfaces.DSAKeyPairGenerator {
- 
--    /* The modulus length */
--    private int modlen;
-+    /* Length for prime P and subPrime Q in bits */
-+    private int plen;
-+    private int qlen;
- 
-     /* whether to force new parameters to be generated for each KeyPair */
-     private boolean forceNewParameters;
-@@ -65,20 +66,23 @@
-         initialize(1024, null);
-     }
- 
--    private static void checkStrength(int strength) {
--        if ((strength < 512) || (strength > 1024) || (strength % 64 != 0)) {
-+    private static void checkStrength(int sizeP, int sizeQ) {
-+        if ((sizeP >= 512) && (sizeP <= 1024) && (sizeP % 64 == 0)
-+            && sizeQ == 160) {
-+            // traditional - allow for backward compatibility
-+            // L=multiples of 64 and between 512 and 1024 (inclusive)
-+            // N=160
-+        } else if (sizeP == 2048 && (sizeQ == 224 || sizeQ == 256)) {
-+            // L=2048, N=224 or 256
-+        } else {
-             throw new InvalidParameterException
--                ("Modulus size must range from 512 to 1024 "
--                 + "and be a multiple of 64");
-+                ("Unsupported prime and subprime size combination: " +
-+                 sizeP + ", " + sizeQ);
-         }
-     }
- 
-     public void initialize(int modlen, SecureRandom random) {
--        checkStrength(modlen);
--        this.random = random;
--        this.modlen = modlen;
--        this.params = null;
--        this.forceNewParameters = false;
-+        initialize(modlen, false, random);
-     }
- 
-     /**
-@@ -86,18 +90,27 @@
-      * is false, a set of pre-computed parameters is used.
-      */
-     public void initialize(int modlen, boolean genParams, SecureRandom random) {
--        checkStrength(modlen);
-+        int subPrimeLen = -1;
-+        if (modlen <= 1024) {
-+            subPrimeLen = 160;
-+        } else if (modlen == 2048) {
-+            subPrimeLen = 224;
-+        }
-+        checkStrength(modlen, subPrimeLen);
-         if (genParams) {
-             params = null;
-         } else {
--            params = ParameterCache.getCachedDSAParameterSpec(modlen);
-+            params = ParameterCache.getCachedDSAParameterSpec(modlen,
-+                subPrimeLen);
-             if (params == null) {
-                 throw new InvalidParameterException
-                     ("No precomputed parameters for requested modulus size "
-                      + "available");
-             }
-+
-         }
--        this.modlen = modlen;
-+        this.plen = modlen;
-+        this.qlen = subPrimeLen;
-         this.random = random;
-         this.forceNewParameters = genParams;
-     }
-@@ -136,9 +149,11 @@
-     }
- 
-     private void initialize0(DSAParameterSpec params, SecureRandom random) {
--        int modlen = params.getP().bitLength();
--        checkStrength(modlen);
--        this.modlen = modlen;
-+        int sizeP = params.getP().bitLength();
-+        int sizeQ = params.getQ().bitLength();
-+        checkStrength(sizeP, sizeQ);
-+        this.plen = sizeP;
-+        this.qlen = sizeQ;
-         this.params = params;
-         this.random = random;
-         this.forceNewParameters = false;
-@@ -156,11 +171,11 @@
-         try {
-             if (forceNewParameters) {
-                 // generate new parameters each time
--                spec = ParameterCache.getNewDSAParameterSpec(modlen, random);
-+                spec = ParameterCache.getNewDSAParameterSpec(plen, qlen, random);
-             } else {
-                 if (params == null) {
-                     params =
--                        ParameterCache.getDSAParameterSpec(modlen, random);
-+                        ParameterCache.getDSAParameterSpec(plen, qlen, random);
-                 }
-                 spec = params;
-             }
-@@ -203,43 +218,14 @@
-      */
-     private BigInteger generateX(SecureRandom random, BigInteger q) {
-         BigInteger x = null;
-+        byte[] temp = new byte[qlen];
-         while (true) {
--            int[] seed = new int[5];
--            for (int i = 0; i < 5; i++) {
--                seed[i] = random.nextInt();
--            }
--            x = generateX(seed, q);
-+            random.nextBytes(temp);
-+            x = new BigInteger(1, temp).mod(q);
-             if (x.signum() > 0 && (x.compareTo(q) < 0)) {
--                break;
--            }
--        }
--        return x;
--    }
--
--    /**
--     * Given a seed, generate the private key component of the key
--     * pair. In the terminology used in the DSA specification
--     * (FIPS-186) seed is the XSEED quantity.
--     *
--     * @param seed the seed to use to generate the private key.
--     */
--    BigInteger generateX(int[] seed, BigInteger q) {
--
--        // check out t in the spec.
--        int[] t = { 0x67452301, 0xEFCDAB89, 0x98BADCFE,
--                    0x10325476, 0xC3D2E1F0 };
--        //
--
--        int[] tmp = DSA.SHA_7(seed, t);
--        byte[] tmpBytes = new byte[tmp.length * 4];
--        for (int i = 0; i < tmp.length; i++) {
--            int k = tmp[i];
--            for (int j = 0; j < 4; j++) {
--                tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8)));
-+                return x;
-             }
-         }
--        BigInteger x = new BigInteger(1, tmpBytes).mod(q);
--        return x;
-     }
- 
-     /**
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java openjdk/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java	2013-08-21 20:33:03.316316678 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -32,10 +32,12 @@
- import java.security.NoSuchAlgorithmException;
- import java.security.NoSuchProviderException;
- import java.security.InvalidParameterException;
-+import java.security.MessageDigest;
- import java.security.SecureRandom;
- import java.security.spec.AlgorithmParameterSpec;
- import java.security.spec.InvalidParameterSpecException;
- import java.security.spec.DSAParameterSpec;
-+import sun.security.spec.DSAGenParameterSpec;
- 
- /**
-  * This class generates parameters for the DSA algorithm. It uses a default
-@@ -54,8 +56,14 @@
- 
- public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
- 
--    // the modulus length
--    private int modLen = 1024; // default
-+    // the default parameters
-+    private static final DSAGenParameterSpec DEFAULTS =
-+        new DSAGenParameterSpec(1024, 160, 160);
-+
-+    // the length of prime P, subPrime Q, and seed in bits
-+    private int valueL = -1;
-+    private int valueN = -1;
-+    private int seedLen = -1;
- 
-     // the source of randomness
-     private SecureRandom random;
-@@ -65,11 +73,7 @@
-     private static final BigInteger ONE = BigInteger.valueOf(1);
-     private static final BigInteger TWO = BigInteger.valueOf(2);
- 
--    // Make a SHA-1 hash function
--    private SHA sha;
--
-     public DSAParameterGenerator() {
--        this.sha = new SHA();
-     }
- 
-     /**
-@@ -80,19 +84,18 @@
-      * @param random the source of randomness
-      */
-     protected void engineInit(int strength, SecureRandom random) {
--        /*
--         * Bruce Schneier, "Applied Cryptography", 2nd Edition,
--         * Description of DSA:
--         * [...] The algorithm uses the following parameter:
--         * p=a prime number L bits long, when L ranges from 512 to 1024 and is
--         * a multiple of 64. [...]
--         */
--        if ((strength < 512) || (strength > 1024) || (strength % 64 != 0)) {
-+        if ((strength >= 512) && (strength <= 1024) && (strength % 64 == 0)) {
-+            this.valueN = 160;
-+        } else if (strength == 2048) {
-+            this.valueN = 224;
-+//      } else if (strength == 3072) {
-+//          this.valueN = 256;
-+        } else {
-             throw new InvalidParameterException
--                ("Prime size must range from 512 to 1024 "
--                 + "and be a multiple of 64");
-+                ("Prime size should be 512 - 1024, or 2048");
-         }
--        this.modLen = strength;
-+        this.valueL = strength;
-+        this.seedLen = valueN;
-         this.random = random;
-     }
- 
-@@ -100,7 +103,7 @@
-      * Initializes this parameter generator with a set of
-      * algorithm-specific parameter generation values.
-      *
--     * @param params the set of algorithm-specific parameter generation values
-+     * @param genParamSpec the set of algorithm-specific parameter generation values
-      * @param random the source of randomness
-      *
-      * @exception InvalidAlgorithmParameterException if the given parameter
-@@ -109,7 +112,19 @@
-     protected void engineInit(AlgorithmParameterSpec genParamSpec,
-                               SecureRandom random)
-         throws InvalidAlgorithmParameterException {
-+        if (!(genParamSpec instanceof DSAGenParameterSpec)) {
-             throw new InvalidAlgorithmParameterException("Invalid parameter");
-+        }
-+        DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec) genParamSpec;
-+        if (dsaGenParams.getPrimePLength() > 2048) {
-+            throw new InvalidParameterException
-+                ("Prime size should be 512 - 1024, or 2048");
-+        }
-+        // directly initialize using the already validated values
-+        this.valueL = dsaGenParams.getPrimePLength();
-+        this.valueN = dsaGenParams.getSubprimeQLength();
-+        this.seedLen = dsaGenParams.getSeedLength();
-+        this.random = random;
-     }
- 
-     /**
-@@ -123,15 +138,21 @@
-             if (this.random == null) {
-                 this.random = new SecureRandom();
-             }
--
--            BigInteger[] pAndQ = generatePandQ(this.random, this.modLen);
-+            if (valueL == -1) {
-+                try {
-+                    engineInit(DEFAULTS, this.random);
-+                } catch (InvalidAlgorithmParameterException iape) {
-+                    // should never happen
-+                }
-+            }
-+            BigInteger[] pAndQ = generatePandQ(this.random, valueL,
-+                                               valueN, seedLen);
-             BigInteger paramP = pAndQ[0];
-             BigInteger paramQ = pAndQ[1];
-             BigInteger paramG = generateG(paramP, paramQ);
- 
--            DSAParameterSpec dsaParamSpec = new DSAParameterSpec(paramP,
--                                                                 paramQ,
--                                                                 paramG);
-+            DSAParameterSpec dsaParamSpec =
-+                new DSAParameterSpec(paramP, paramQ, paramG);
-             algParams = AlgorithmParameters.getInstance("DSA", "SUN");
-             algParams.init(dsaParamSpec);
-         } catch (InvalidParameterSpecException e) {
-@@ -156,102 +177,98 @@
-      *
-      * @param random the source of randomness to generate the
-      * seed
--     * @param L the size of p, in bits.
-+     * @param valueL the size of p, in bits.
-+     * @param valueN the size of q, in bits.
-+     * @param seedLen the length of seed, in bits.
-      *
-      * @return an array of BigInteger, with p at index 0 and
--     * q at index 1.
-+     * q at index 1, the seed at index 2, and the counter value
-+     * at index 3.
-      */
--    BigInteger[] generatePandQ(SecureRandom random, int L) {
--        BigInteger[] result = null;
--        byte[] seed = new byte[20];
--
--        while(result == null) {
--            for (int i = 0; i < 20; i++) {
--                seed[i] = (byte)random.nextInt();
--            }
--            result = generatePandQ(seed, L);
-+    private static BigInteger[] generatePandQ(SecureRandom random, int valueL,
-+                                              int valueN, int seedLen) {
-+        String hashAlg = null;
-+        if (valueN == 160) {
-+            hashAlg = "SHA";
-+        } else if (valueN == 224) {
-+            hashAlg = "SHA-224";
-+        } else if (valueN == 256) {
-+            hashAlg = "SHA-256";
-+        }
-+        MessageDigest hashObj = null;
-+        try {
-+            hashObj = MessageDigest.getInstance(hashAlg);
-+        } catch (NoSuchAlgorithmException nsae) {
-+            // should never happen
-+            nsae.printStackTrace();
-         }
--        return result;
--    }
- 
--    /*
--     * Generates the prime and subprime parameters for DSA.
--     *
--     * 
The seed parameter corresponds to the SEED parameter
--     * referenced in the FIPS specification of the DSA algorithm,
--     * and L is the size of p, in bits.
--     *
--     * @param seed the seed to generate the parameters
--     * @param L the size of p, in bits.
--     *
--     * @return an array of BigInteger, with p at index 0,
--     * q at index 1, the seed at index 2, and the counter value
--     * at index 3, or null if the seed does not yield suitable numbers.
--     */
--    BigInteger[] generatePandQ(byte[] seed, int L) {
-+        /* Step 3, 4: Useful variables */
-+        int outLen = hashObj.getDigestLength()*8;
-+        int n = (valueL - 1) / outLen;
-+        int b = (valueL - 1) % outLen;
-+        byte[] seedBytes = new byte[seedLen/8];
-+        BigInteger twoSl = TWO.pow(seedLen);
-+        int primeCertainty = 80; // for 1024-bit prime P
-+        if (valueL == 2048) {
-+            primeCertainty = 112;
-+            //} else if (valueL == 3072) {
-+            //    primeCertainty = 128;
-+        }
- 
--        /* Useful variables */
--        int g = seed.length * 8;
--        int n = (L - 1) / 160;
--        int b = (L - 1) % 160;
--
--        BigInteger SEED = new BigInteger(1, seed);
--        BigInteger TWOG = TWO.pow(2 * g);
--
--        /* Step 2 (Step 1 is getting seed). */
--        byte[] U1 = SHA(seed);
--        byte[] U2 = SHA(toByteArray((SEED.add(ONE)).mod(TWOG)));
--
--        xor(U1, U2);
--        byte[] U = U1;
--
--        /* Step 3: For q by setting the msb and lsb to 1 */
--        U[0] |= 0x80;
--        U[19] |= 1;
--        BigInteger q = new BigInteger(1, U);
--
--        /* Step 5 */
--         if (!q.isProbablePrime(80)) {
--             return null;
--
--         } else {
--             BigInteger V[] = new BigInteger[n + 1];
--             BigInteger offset = TWO;
--
--             /* Step 6 */
--             for (int counter = 0; counter < 4096; counter++) {
--
--                 /* Step 7 */
--                 for (int k = 0; k <= n; k++) {
--                     BigInteger K = BigInteger.valueOf(k);
--                     BigInteger tmp = (SEED.add(offset).add(K)).mod(TWOG);
--                     V[k] = new BigInteger(1, SHA(toByteArray(tmp)));
--                 }
--
--                 /* Step 8 */
--                 BigInteger W = V[0];
--                 for (int i = 1; i < n; i++) {
--                     W = W.add(V[i].multiply(TWO.pow(i * 160)));
--                 }
--                 W = W.add((V[n].mod(TWO.pow(b))).multiply(TWO.pow(n * 160)));
--
--                 BigInteger TWOLm1 = TWO.pow(L - 1);
--                 BigInteger X = W.add(TWOLm1);
--
--                 /* Step 9 */
--                 BigInteger c = X.mod(q.multiply(TWO));
--                 BigInteger p = X.subtract(c.subtract(ONE));
--
--                 /* Step 10 - 13 */
--                 if (p.compareTo(TWOLm1) > -1 && p.isProbablePrime(80)) {
--                     BigInteger[] result = {p, q, SEED,
--                                            BigInteger.valueOf(counter)};
--                     return result;
--                 }
--                 offset = offset.add(BigInteger.valueOf(n)).add(ONE);
-+        BigInteger resultP, resultQ, seed = null;
-+        int counter;
-+        while (true) {
-+            do {
-+                /* Step 5 */
-+                random.nextBytes(seedBytes);
-+                seed = new BigInteger(1, seedBytes);
-+
-+                /* Step 6 */
-+                BigInteger U = new BigInteger(1, hashObj.digest(seedBytes)).
-+                    mod(TWO.pow(valueN - 1));
-+
-+                /* Step 7 */
-+                resultQ = TWO.pow(valueN - 1).add(U).add(ONE). subtract(U.mod(TWO));
-+            } while (!resultQ.isProbablePrime(primeCertainty));
-+
-+            /* Step 10 */
-+            BigInteger offset = ONE;
-+            /* Step 11 */
-+            for (counter = 0; counter < 4*valueL; counter++) {
-+                BigInteger V[] = new BigInteger[n + 1];
-+                /* Step 11.1 */
-+                for (int j = 0; j <= n; j++) {
-+                    BigInteger J = BigInteger.valueOf(j);
-+                    BigInteger tmp = (seed.add(offset).add(J)).mod(twoSl);
-+                    byte[] vjBytes = hashObj.digest(toByteArray(tmp));
-+                    V[j] = new BigInteger(1, vjBytes);
-+                }
-+                /* Step 11.2 */
-+                BigInteger W = V[0];
-+                for (int i = 1; i < n; i++) {
-+                    W = W.add(V[i].multiply(TWO.pow(i * outLen)));
-+                }
-+                W = W.add((V[n].mod(TWO.pow(b))).multiply(TWO.pow(n * outLen)));
-+                /* Step 11.3 */
-+                BigInteger twoLm1 = TWO.pow(valueL - 1);
-+                BigInteger X = W.add(twoLm1);
-+                /* Step 11.4, 11.5 */
-+                BigInteger c = X.mod(resultQ.multiply(TWO));
-+                resultP = X.subtract(c.subtract(ONE));
-+                /* Step 11.6, 11.7 */
-+                if (resultP.compareTo(twoLm1) > -1
-+                    && resultP.isProbablePrime(primeCertainty)) {
-+                    /* Step 11.8 */
-+                    BigInteger[] result = {resultP, resultQ, seed,
-+                                           BigInteger.valueOf(counter)};
-+                    return result;
-+                }
-+                /* Step 11.9 */
-+                offset = offset.add(BigInteger.valueOf(n)).add(ONE);
-              }
--             return null;
--         }
-+        }
-+
-     }
- 
-     /*
-@@ -262,31 +279,24 @@
-      *
-      * @param the g
-      */
--    BigInteger generateG(BigInteger p, BigInteger q) {
-+    private static BigInteger generateG(BigInteger p, BigInteger q) {
-         BigInteger h = ONE;
-+        /* Step 1 */
-         BigInteger pMinusOneOverQ = (p.subtract(ONE)).divide(q);
--        BigInteger g = ONE;
--        while (g.compareTo(TWO) < 0) {
--            g = h.modPow(pMinusOneOverQ, p);
-+        BigInteger resultG = ONE;
-+        while (resultG.compareTo(TWO) < 0) {
-+            /* Step 3 */
-+            resultG = h.modPow(pMinusOneOverQ, p);
-             h = h.add(ONE);
-         }
--        return g;
--    }
--
--    /*
--     * Returns the SHA-1 digest of some data
--     */
--    private byte[] SHA(byte[] array) {
--        sha.engineReset();
--        sha.engineUpdate(array, 0, array.length);
--        return sha.engineDigest();
-+        return resultG;
-     }
- 
-     /*
-      * Converts the result of a BigInteger.toByteArray call to an exact
-      * signed magnitude representation for any positive number.
-      */
--    private byte[] toByteArray(BigInteger bigInt) {
-+    private static byte[] toByteArray(BigInteger bigInt) {
-         byte[] result = bigInt.toByteArray();
-         if (result[0] == 0) {
-             byte[] tmp = new byte[result.length - 1];
-@@ -295,13 +305,4 @@
-         }
-         return result;
-     }
--
--    /*
--     * XORs U2 into U1
--     */
--    private void xor(byte[] U1, byte[] U2) {
--        for (int i = 0; i < U1.length; i++) {
--            U1[i] ^= U2[i];
--        }
--    }
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/ParameterCache.java openjdk/jdk/src/share/classes/sun/security/provider/ParameterCache.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/ParameterCache.java	2013-08-21 20:33:03.320316743 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/ParameterCache.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -26,6 +26,7 @@
- package sun.security.provider;
- 
- import java.util.*;
-+import java.util.concurrent.ConcurrentHashMap;
- import java.math.BigInteger;
- 
- import java.security.*;
-@@ -34,6 +35,8 @@
- 
- import javax.crypto.spec.DHParameterSpec;
- 
-+import sun.security.spec.DSAGenParameterSpec;
-+
- /**
-  * Cache for DSA and DH parameter specs. Used by the KeyPairGenerators
-  * in the Sun, SunJCE, and SunPKCS11 provider if no parameters have been
-@@ -55,11 +58,17 @@
-     private final static Map dhCache;
- 
-     /**
--     * Return cached DSA parameters for the given keylength, or null if none
--     * are available in the cache.
-+     * Return cached DSA parameters for the given length combination of
-+     * prime and subprime, or null if none are available in the cache.
-      */
--    public static DSAParameterSpec getCachedDSAParameterSpec(int keyLength) {
--        return dsaCache.get(Integer.valueOf(keyLength));
-+    public static DSAParameterSpec getCachedDSAParameterSpec(int primeLen,
-+            int subprimeLen) {
-+        // ensure the sum is unique in all cases, i.e.
-+        // case#1: (512 <= p <= 1024) AND q=160
-+        // case#2: p=2048 AND q=224
-+        // case#3: p=2048 AND q=256
-+        // (NOT-YET-SUPPORTED)case#4: p=3072 AND q=256
-+        return dsaCache.get(Integer.valueOf(primeLen+subprimeLen));
-     }
- 
-     /**
-@@ -71,18 +80,39 @@
-     }
- 
-     /**
--     * Return DSA parameters for the given keylength. Uses cache if possible,
--     * generates new parameters and adds them to the cache otherwise.
-+     * Return DSA parameters for the given primeLen. Uses cache if
-+     * possible, generates new parameters and adds them to the cache
-+     * otherwise.
-      */
--    public static DSAParameterSpec getDSAParameterSpec(int keyLength,
-+    public static DSAParameterSpec getDSAParameterSpec(int primeLen,
-             SecureRandom random)
--            throws NoSuchAlgorithmException, InvalidParameterSpecException {
--        DSAParameterSpec spec = getCachedDSAParameterSpec(keyLength);
-+            throws NoSuchAlgorithmException, InvalidParameterSpecException,
-+                   InvalidAlgorithmParameterException {
-+        if (primeLen <= 1024) {
-+            return getDSAParameterSpec(primeLen, 160, random);
-+        } else if (primeLen == 2048) {
-+            return getDSAParameterSpec(primeLen, 224, random);
-+        } else {
-+            return null;
-+        }
-+    }
-+
-+    /**
-+     * Return DSA parameters for the given primeLen and subprimeLen.
-+     * Uses cache if possible, generates new parameters and adds them to the
-+     * cache otherwise.
-+     */
-+    public static DSAParameterSpec getDSAParameterSpec(int primeLen,
-+            int subprimeLen, SecureRandom random)
-+            throws NoSuchAlgorithmException, InvalidParameterSpecException,
-+                   InvalidAlgorithmParameterException {
-+        DSAParameterSpec spec =
-+            getCachedDSAParameterSpec(primeLen, subprimeLen);
-         if (spec != null) {
-             return spec;
-         }
--        spec = getNewDSAParameterSpec(keyLength, random);
--        dsaCache.put(Integer.valueOf(keyLength), spec);
-+        spec = getNewDSAParameterSpec(primeLen, subprimeLen, random);
-+        dsaCache.put(Integer.valueOf(primeLen + subprimeLen), spec);
-         return spec;
-     }
- 
-@@ -107,28 +137,28 @@
-     }
- 
-     /**
--     * Return new DSA parameters for the given keylength. Do not lookup in
--     * cache and do not cache the newly generated parameters. This method
--     * really only exists for the legacy method
-+     * Return new DSA parameters for the given length combination of prime and
-+     * sub prime. Do not lookup in cache and do not cache the newly generated
-+     * parameters. This method really only exists for the legacy method
-      * DSAKeyPairGenerator.initialize(int, boolean, SecureRandom).
-      */
--    public static DSAParameterSpec getNewDSAParameterSpec(int keyLength,
--            SecureRandom random)
--            throws NoSuchAlgorithmException, InvalidParameterSpecException {
-+    public static DSAParameterSpec getNewDSAParameterSpec(int primeLen,
-+            int subprimeLen, SecureRandom random)
-+            throws NoSuchAlgorithmException, InvalidParameterSpecException,
-+                   InvalidAlgorithmParameterException {
-         AlgorithmParameterGenerator gen =
-                 AlgorithmParameterGenerator.getInstance("DSA");
--        gen.init(keyLength, random);
-+        DSAGenParameterSpec genParams =
-+            new DSAGenParameterSpec(primeLen, subprimeLen);
-+        gen.init(genParams, random);
-         AlgorithmParameters params = gen.generateParameters();
-         DSAParameterSpec spec = params.getParameterSpec(DSAParameterSpec.class);
-         return spec;
-     }
- 
-     static {
--        // XXX change to ConcurrentHashMap once available
--        dhCache = Collections.synchronizedMap
--                        (new HashMap());
--        dsaCache = Collections.synchronizedMap
--                        (new HashMap());
-+        dhCache = new ConcurrentHashMap();
-+        dsaCache = new ConcurrentHashMap();
- 
-         /*
-          * We support precomputed parameter for 512, 768 and 1024 bit
-@@ -210,17 +240,99 @@
-                            "83dfe15ae59f06928b665e807b552564014c3bfecf" +
-                            "492a", 16);
- 
--        dsaCache.put(Integer.valueOf(512),
-+        dsaCache.put(Integer.valueOf(512+160),
-                                 new DSAParameterSpec(p512, q512, g512));
--        dsaCache.put(Integer.valueOf(768),
-+        dsaCache.put(Integer.valueOf(768+160),
-                                 new DSAParameterSpec(p768, q768, g768));
--        dsaCache.put(Integer.valueOf(1024),
-+        dsaCache.put(Integer.valueOf(1024+160),
-                                 new DSAParameterSpec(p1024, q1024, g1024));
-+        /*
-+         * L = 2048, N = 224
-+         * SEED = 584236080cfa43c09b02354135f4cc5198a19efada08bd866d601ba4
-+         * counter = 2666
-+         */
-+        BigInteger p2048_224 =
-+            new BigInteger("8f7935d9b9aae9bfabed887acf4951b6f32ec59e3b" +
-+                           "af3718e8eac4961f3efd3606e74351a9c4183339b8" +
-+                           "09e7c2ae1c539ba7475b85d011adb8b47987754984" +
-+                           "695cac0e8f14b3360828a22ffa27110a3d62a99345" +
-+                           "3409a0fe696c4658f84bdd20819c3709a01057b195" +
-+                           "adcd00233dba5484b6291f9d648ef883448677979c" +
-+                           "ec04b434a6ac2e75e9985de23db0292fc1118c9ffa" +
-+                           "9d8181e7338db792b730d7b9e349592f6809987215" +
-+                           "3915ea3d6b8b4653c633458f803b32a4c2e0f27290" +
-+                           "256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1" +
-+                           "43de4b66ff04903ed5cf1623e158d487c608e97f21" +
-+                           "1cd81dca23cb6e380765f822e342be484c05763939" +
-+                           "601cd667", 16);
-+
-+        BigInteger q2048_224 =
-+            new BigInteger("baf696a68578f7dfdee7fa67c977c785ef32b233ba" +
-+                           "e580c0bcd5695d", 16);
-+
-+        BigInteger g2048_224 =
-+            new BigInteger("16a65c58204850704e7502a39757040d34da3a3478" +
-+                           "c154d4e4a5c02d242ee04f96e61e4bd0904abdac8f" +
-+                           "37eeb1e09f3182d23c9043cb642f88004160edf9ca" +
-+                           "09b32076a79c32a627f2473e91879ba2c4e744bd20" +
-+                           "81544cb55b802c368d1fa83ed489e94e0fa0688e32" +
-+                           "428a5c78c478c68d0527b71c9a3abb0b0be12c4468" +
-+                           "9639e7d3ce74db101a65aa2b87f64c6826db3ec72f" +
-+                           "4b5599834bb4edb02f7c90e9a496d3a55d535bebfc" +
-+                           "45d4f619f63f3dedbb873925c2f224e07731296da8" +
-+                           "87ec1e4748f87efb5fdeb75484316b2232dee553dd" +
-+                           "af02112b0d1f02da30973224fe27aeda8b9d4b2922" +
-+                           "d9ba8be39ed9e103a63c52810bc688b7e2ed4316e1" +
-+                           "ef17dbde", 16);
-+        dsaCache.put(Integer.valueOf(2048+224),
-+                     new DSAParameterSpec(p2048_224, q2048_224, g2048_224));
-+
-+        /*
-+         * L = 2048, N = 256
-+         * SEED = b0b4417601b59cbc9d8ac8f935cadaec4f5fbb2f23785609ae466748d9b5a536
-+         * counter = 497
-+         */
-+        BigInteger p2048_256 =
-+            new BigInteger("95475cf5d93e596c3fcd1d902add02f427f5f3c721" +
-+                           "0313bb45fb4d5bb2e5fe1cbd678cd4bbdd84c9836b" +
-+                           "e1f31c0777725aeb6c2fc38b85f48076fa76bcd814" +
-+                           "6cc89a6fb2f706dd719898c2083dc8d896f84062e2" +
-+                           "c9c94d137b054a8d8096adb8d51952398eeca852a0" +
-+                           "af12df83e475aa65d4ec0c38a9560d5661186ff98b" +
-+                           "9fc9eb60eee8b030376b236bc73be3acdbd74fd61c" +
-+                           "1d2475fa3077b8f080467881ff7e1ca56fee066d79" +
-+                           "506ade51edbb5443a563927dbc4ba520086746175c" +
-+                           "8885925ebc64c6147906773496990cb714ec667304" +
-+                           "e261faee33b3cbdf008e0c3fa90650d97d3909c927" +
-+                           "5bf4ac86ffcb3d03e6dfc8ada5934242dd6d3bcca2" +
-+                           "a406cb0b", 16);
-+
-+        BigInteger q2048_256 =
-+            new BigInteger("f8183668ba5fc5bb06b5981e6d8b795d30b8978d43" +
-+                           "ca0ec572e37e09939a9773", 16);
-+
-+        BigInteger g2048_256 =
-+            new BigInteger("42debb9da5b3d88cc956e08787ec3f3a09bba5f48b" +
-+                           "889a74aaf53174aa0fbe7e3c5b8fcd7a53bef563b0" +
-+                           "e98560328960a9517f4014d3325fc7962bf1e04937" +
-+                           "0d76d1314a76137e792f3f0db859d095e4a5b93202" +
-+                           "4f079ecf2ef09c797452b0770e1350782ed57ddf79" +
-+                           "4979dcef23cb96f183061965c4ebc93c9c71c56b92" +
-+                           "5955a75f94cccf1449ac43d586d0beee43251b0b22" +
-+                           "87349d68de0d144403f13e802f4146d882e057af19" +
-+                           "b6f6275c6676c8fa0e3ca2713a3257fd1b27d0639f" +
-+                           "695e347d8d1cf9ac819a26ca9b04cb0eb9b7b03598" +
-+                           "8d15bbac65212a55239cfc7e58fae38d7250ab9991" +
-+                           "ffbc97134025fe8ce04c4399ad96569be91a546f49" +
-+                           "78693c7a", 16);
-+        dsaCache.put(Integer.valueOf(2048+256),
-+                                new DSAParameterSpec(p2048_256, q2048_256, g2048_256));
- 
-         // use DSA parameters for DH as well
-         dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512));
-         dhCache.put(Integer.valueOf(768), new DHParameterSpec(p768, g768));
-         dhCache.put(Integer.valueOf(1024), new DHParameterSpec(p1024, g1024));
-+        dhCache.put(Integer.valueOf(2048), new DHParameterSpec(p2048_224, g2048_224));
-     }
- 
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java
---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java	2014-12-24 20:10:36.404459089 +0000
-+++ openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java	2014-12-24 20:18:40.130192717 +0000
-@@ -47,6 +47,10 @@
-  *   SHA-2 family of hash functions includes SHA-224, SHA-256, SHA-384,
-  *   and SHA-512.
-  *
-+ * - SHA-224withDSA/SHA-256withDSA are the signature schemes
-+ *   described in FIPS 186-3. The associated object identifiers are
-+ *   "OID.2.16.840.1.101.3.4.3.1", and "OID.2.16.840.1.101.3.4.3.2".
-+
-  * - DSA is the key generation scheme as described in FIPS 186.
-  *   Aliases for DSA include the OID strings "OID.1.3.14.3.2.12"
-  *   and "OID.1.2.840.10040.4.1".
-@@ -106,11 +110,15 @@
-         map.put("Signature.SHA1withDSA", "sun.security.provider.DSA$SHA1withDSA");
-         map.put("Signature.NONEwithDSA", "sun.security.provider.DSA$RawDSA");
-         map.put("Alg.Alias.Signature.RawDSA", "NONEwithDSA");
-+        map.put("Signature.SHA224withDSA", "sun.security.provider.DSA$SHA224withDSA");
-+        map.put("Signature.SHA256withDSA", "sun.security.provider.DSA$SHA256withDSA");
- 
-         String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
-                 "|java.security.interfaces.DSAPrivateKey";
-         map.put("Signature.SHA1withDSA SupportedKeyClasses", dsaKeyClasses);
-         map.put("Signature.NONEwithDSA SupportedKeyClasses", dsaKeyClasses);
-+        map.put("Signature.SHA224withDSA SupportedKeyClasses", dsaKeyClasses);
-+        map.put("Signature.SHA256withDSA SupportedKeyClasses", dsaKeyClasses);
- 
-         map.put("Alg.Alias.Signature.DSA", "SHA1withDSA");
-         map.put("Alg.Alias.Signature.DSS", "SHA1withDSA");
-@@ -124,6 +132,10 @@
-         map.put("Alg.Alias.Signature.1.2.840.10040.4.3", "SHA1withDSA");
-         map.put("Alg.Alias.Signature.1.3.14.3.2.13", "SHA1withDSA");
-         map.put("Alg.Alias.Signature.1.3.14.3.2.27", "SHA1withDSA");
-+        map.put("Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.1", "SHA224withDSA");
-+        map.put("Alg.Alias.Signature.2.16.840.1.101.3.4.3.1", "SHA224withDSA");
-+        map.put("Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.2", "SHA256withDSA");
-+        map.put("Alg.Alias.Signature.2.16.840.1.101.3.4.3.2", "SHA256withDSA");
- 
-         /*
-          *  Key Pair Generator engines
-@@ -143,6 +155,8 @@
- 
-         map.put("Alg.Alias.MessageDigest.SHA-1", "SHA");
-         map.put("Alg.Alias.MessageDigest.SHA1", "SHA");
-+        map.put("Alg.Alias.MessageDigest.1.3.14.3.2.26", "SHA");
-+        map.put("Alg.Alias.MessageDigest.OID.1.3.14.3.2.26", "SHA");
- 
-         map.put("MessageDigest.SHA-224", "sun.security.provider.SHA2$SHA224");
-         map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.4", "SHA-224");
-@@ -169,15 +183,17 @@
-          */
-         map.put("AlgorithmParameters.DSA",
-             "sun.security.provider.DSAParameters");
--        map.put("Alg.Alias.AlgorithmParameters.1.3.14.3.2.12", "DSA");
-+        map.put("Alg.Alias.AlgorithmParameters.OID.1.2.840.10040.4.1", "DSA");
-         map.put("Alg.Alias.AlgorithmParameters.1.2.840.10040.4.1", "DSA");
-+        map.put("Alg.Alias.AlgorithmParameters.1.3.14.3.2.12", "DSA");
- 
-         /*
-          * Key factories
-          */
-         map.put("KeyFactory.DSA", "sun.security.provider.DSAKeyFactory");
--        map.put("Alg.Alias.KeyFactory.1.3.14.3.2.12", "DSA");
-+        map.put("Alg.Alias.KeyFactory.OID.1.2.840.10040.4.1", "DSA");
-         map.put("Alg.Alias.KeyFactory.1.2.840.10040.4.1", "DSA");
-+        map.put("Alg.Alias.KeyFactory.1.3.14.3.2.12", "DSA");
- 
-         /*
-          * Certificates
-@@ -234,9 +250,13 @@
-         /*
-          * KeySize
-          */
-+        map.put("Signature.NONEwithDSA KeySize", "1024");
-         map.put("Signature.SHA1withDSA KeySize", "1024");
--        map.put("KeyPairGenerator.DSA KeySize", "1024");
--        map.put("AlgorithmParameterGenerator.DSA KeySize", "1024");
-+        map.put("Signature.SHA224withDSA KeySize", "2048");
-+        map.put("Signature.SHA256withDSA KeySize", "2048");
-+
-+        map.put("KeyPairGenerator.DSA KeySize", "2048");
-+        map.put("AlgorithmParameterGenerator.DSA KeySize", "2048");
- 
-         /*
-          * Implementation type: software or hardware
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java openjdk/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java
---- openjdk.orig/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java	2014-12-24 20:18:40.130192717 +0000
-@@ -0,0 +1,129 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+package sun.security.spec;
-+
-+import java.security.spec.AlgorithmParameterSpec;
-+
-+/**
-+ * This immutable class specifies the set of parameters used for
-+ * generating DSA parameters as specified in
-+ * FIPS 186-3 Digital Signature Standard (DSS).
-+ *
-+ * @see AlgorithmParameterSpec
-+ *
-+ * @since 8
-+ */
-+public final class DSAGenParameterSpec implements AlgorithmParameterSpec {
-+
-+    private final int pLen;
-+    private final int qLen;
-+    private final int seedLen;
-+
-+    /**
-+     * Creates a domain parameter specification for DSA parameter
-+     * generation using primePLen and subprimeQLen.
-+     * The value of subprimeQLen is also used as the default
-+     * length of the domain parameter seed in bits.
-+     * @param primePLen the desired length of the prime P in bits.
-+     * @param subprimeQLen the desired length of the sub-prime Q in bits.
-+     * @exception IllegalArgumentException if primePLen
-+     * or subprimeQLen is illegal per the specification of
-+     * FIPS 186-3.
-+     */
-+    public DSAGenParameterSpec(int primePLen, int subprimeQLen) {
-+        this(primePLen, subprimeQLen, subprimeQLen);
-+    }
-+
-+    /**
-+     * Creates a domain parameter specification for DSA parameter
-+     * generation using primePLen, subprimeQLen,
-+     * and seedLen.
-+     * @param primePLen the desired length of the prime P in bits.
-+     * @param subprimeQLen the desired length of the sub-prime Q in bits.
-+     * @param seedLen the desired length of the domain parameter seed in bits,
-+     * shall be equal to or greater than subprimeQLen.
-+     * @exception IllegalArgumentException if primePLenLen,
-+     * subprimeQLen, or seedLen is illegal per the
-+     * specification of FIPS 186-3.
-+     */
-+    public DSAGenParameterSpec(int primePLen, int subprimeQLen, int seedLen) {
-+        switch (primePLen) {
-+        case 1024:
-+            if (subprimeQLen != 160) {
-+                throw new IllegalArgumentException
-+                    ("subprimeQLen must be 160 when primePLen=1024");
-+            }
-+            break;
-+        case 2048:
-+            if (subprimeQLen != 224 && subprimeQLen != 256) {
-+               throw new IllegalArgumentException
-+                   ("subprimeQLen must be 224 or 256 when primePLen=2048");
-+            }
-+            break;
-+        case 3072:
-+            if (subprimeQLen != 256) {
-+                throw new IllegalArgumentException
-+                    ("subprimeQLen must be 256 when primePLen=3072");
-+            }
-+            break;
-+        default:
-+            throw new IllegalArgumentException
-+                ("primePLen must be 1024, 2048, or 3072");
-+        }
-+        if (seedLen < subprimeQLen) {
-+            throw new IllegalArgumentException
-+                ("seedLen must be equal to or greater than subprimeQLen");
-+        }
-+        this.pLen = primePLen;
-+        this.qLen = subprimeQLen;
-+        this.seedLen = seedLen;
-+    }
-+
-+    /**
-+     * Returns the desired length of the prime P of the
-+     * to-be-generated DSA domain parameters in bits.
-+     * @return the length of the prime P.
-+     */
-+    public int getPrimePLength() {
-+        return pLen;
-+    }
-+
-+    /**
-+     * Returns the desired length of the sub-prime Q of the
-+     * to-be-generated DSA domain parameters in bits.
-+     * @return the length of the sub-prime Q.
-+     */
-+    public int getSubprimeQLength() {
-+        return qLen;
-+    }
-+
-+    /**
-+     * Returns the desired length of the domain parameter seed in bits.
-+     * @return the length of the domain parameter seed.
-+     */
-+    public int getSeedLength() {
-+        return seedLen;
-+    }
-+}
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java
---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java	2014-12-24 20:10:36.520460461 +0000
-+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java	2014-12-24 20:18:40.130192717 +0000
-@@ -508,6 +508,9 @@
-         if (name.equalsIgnoreCase("EC")) {
-             return EC_oid;
-         }
-+        if (name.equalsIgnoreCase("ECDH")) {
-+            return AlgorithmId.ECDH_oid;
-+        }
- 
-         // Common signature types
-         if (name.equalsIgnoreCase("MD5withRSA")
-@@ -527,6 +530,12 @@
-             || name.equalsIgnoreCase("SHA-1/DSA")) {
-             return AlgorithmId.sha1WithDSA_oid;
-         }
-+        if (name.equalsIgnoreCase("SHA224WithDSA")) {
-+            return AlgorithmId.sha224WithDSA_oid;
-+        }
-+        if (name.equalsIgnoreCase("SHA256WithDSA")) {
-+            return AlgorithmId.sha256WithDSA_oid;
-+        }
-         if (name.equalsIgnoreCase("SHA1WithRSA")
-             || name.equalsIgnoreCase("SHA1/RSA")) {
-             return AlgorithmId.sha1WithRSAEncryption_oid;
-@@ -645,6 +654,7 @@
-     public static final ObjectIdentifier DSA_oid;
-     public static final ObjectIdentifier DSA_OIW_oid;
-     public static final ObjectIdentifier EC_oid = oid(1, 2, 840, 10045, 2, 1);
-+    public static final ObjectIdentifier ECDH_oid = oid(1, 3, 132, 1, 12);
-     public static final ObjectIdentifier RSA_oid;
-     public static final ObjectIdentifier RSAEncryption_oid;
- 
-@@ -685,6 +695,10 @@
-     public static final ObjectIdentifier shaWithDSA_OIW_oid;
-     public static final ObjectIdentifier sha1WithDSA_OIW_oid;
-     public static final ObjectIdentifier sha1WithDSA_oid;
-+    public static final ObjectIdentifier sha224WithDSA_oid =
-+                                            oid(2, 16, 840, 1, 101, 3, 4, 3, 1);
-+    public static final ObjectIdentifier sha256WithDSA_oid =
-+                                            oid(2, 16, 840, 1, 101, 3, 4, 3, 2);
- 
-     public static final ObjectIdentifier sha1WithECDSA_oid =
-                                             oid(1, 2, 840, 10045, 4, 1);
-@@ -716,7 +730,6 @@
-     public static ObjectIdentifier pbeWithSHA1AndRC2_40_oid =
-         ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6});
- 
--
-     static {
-     /*
-      * Note the preferred OIDs are named simply with no "OIW" or
-@@ -876,6 +889,8 @@
-         nameTable.put(DSA_oid, "DSA");
-         nameTable.put(DSA_OIW_oid, "DSA");
-         nameTable.put(EC_oid, "EC");
-+        nameTable.put(ECDH_oid, "ECDH");
-+
-         nameTable.put(sha1WithECDSA_oid, "SHA1withECDSA");
-         nameTable.put(sha224WithECDSA_oid, "SHA224withECDSA");
-         nameTable.put(sha256WithECDSA_oid, "SHA256withECDSA");
-@@ -886,6 +901,8 @@
-         nameTable.put(sha1WithDSA_oid, "SHA1withDSA");
-         nameTable.put(sha1WithDSA_OIW_oid, "SHA1withDSA");
-         nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA");
-+        nameTable.put(sha224WithDSA_oid, "SHA224withDSA");
-+        nameTable.put(sha256WithDSA_oid, "SHA256withDSA");
-         nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA");
-         nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA");
-         nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA");
-diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java
---- openjdk.orig/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java	2013-08-21 20:32:58.224234259 +0100
-+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java	2014-12-24 20:18:40.130192717 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 6330287 6331386
-+ * @bug 6330287 6331386 7044060
-  * @summary verify that DHKeyPairGenerator returns keys of the expected size
-  * (modulus and exponent)
-  * -and-
-@@ -57,7 +57,8 @@
-      * Sizes and values for various lengths.
-      */
-     private enum Sizes {
--        two56(256), three84(384), five12(512), seven68(768), ten24(1024);
-+        two56(256), three84(384), five12(512), seven68(768), ten24(1024),
-+        twenty48(2048);
- 
-         private final int intSize;
-         private final BigInteger bigIntValue;
-@@ -82,7 +83,8 @@
-         KeyPair kp;
-         KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", "SunJCE");
- 
--        // Sun's default uses a default psize of 1024/lsize of 512
-+        // Sun's default uses a default psize of 1024 and
-+        // lsize of (pSize / 2) but at least 384 bits
-         kp = kpg.generateKeyPair();
-         checkKeyPair(kp, Sizes.ten24, Sizes.five12);
- 
-@@ -114,6 +116,20 @@
-         kp = kpg.generateKeyPair();
-         checkKeyPair(kp, Sizes.seven68, Sizes.three84);
- 
-+        // test w/ only pSize
-+        kpg.initialize(Sizes.twenty48.getIntSize());
-+        kp = kpg.generateKeyPair();
-+        checkKeyPair(kp, Sizes.twenty48, Sizes.ten24);
-+
-+        publicKey = (DHPublicKey)kp.getPublic();
-+        p = publicKey.getParams().getP();
-+        g = publicKey.getParams().getG();
-+
-+        // test w/ all values specified
-+        kpg.initialize(new DHParameterSpec(p, g, Sizes.five12.getIntSize()));
-+        kp = kpg.generateKeyPair();
-+        checkKeyPair(kp, Sizes.twenty48, Sizes.five12);
-+
-         System.out.println("OK");
-     }
- 
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDH2.java openjdk/jdk/test/sun/security/pkcs11/ec/TestECDH2.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDH2.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/ec/TestECDH2.java	2014-12-24 20:18:40.134192764 +0000
-@@ -0,0 +1,127 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/**
-+ * @test
-+ * @bug 6405536
-+ * @summary basic test of ECDSA signatures for P-256 and P-384 from the
-+ * example data in "Suite B Implementer's Guide to FIPS 186-3".
-+ * @library ..
-+ * @library ../../../../java/security/testlibrary
-+ * @compile -XDignore.symbol.file TestECDH2.java
-+ * @run main TestECDH2
-+ */
-+
-+import java.io.*;
-+import java.util.*;
-+import java.math.BigInteger;
-+
-+import java.security.*;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+import javax.crypto.*;
-+
-+import sun.security.ec.NamedCurve;
-+
-+public class TestECDH2 extends PKCS11Test {
-+
-+    // values of the keys we use for the tests
-+
-+    // keypair using NIST P-256
-+    private final static String privD256 = "70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a";
-+    private final static String pubX256 = "8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8";
-+    private final static String pubY256 = "d8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9";
-+
-+    // keypair using NIST P-384
-+    private final static String privD384 = "c838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24";
-+    private final static String pubX384 = "1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0";
-+    private final static String pubY384 = "eb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9";
-+
-+    private KeyFactory kf = null;
-+    private KeyPairGenerator kpg = null;
-+
-+    private static void testKeyAgreement(KeyPair kpA, KeyPair kpB, Provider p)
-+        throws Exception {
-+        KeyAgreement ka1 = KeyAgreement.getInstance("ECDH", p);
-+        ka1.init(kpA.getPrivate());
-+        ka1.doPhase(kpB.getPublic(), true);
-+        byte[] s1 = ka1.generateSecret();
-+
-+        KeyAgreement ka2 = KeyAgreement.getInstance("ECDH", p);
-+        ka2.init(kpB.getPrivate());
-+        ka2.doPhase(kpA.getPublic(), true);
-+        byte[] s2 = ka2.generateSecret();
-+        if (Arrays.equals(s1, s2) == false) {
-+            System.out.println("expected: " + toString(s1));
-+            System.out.println("actual:   " + toString(s2));
-+            throw new Exception("Generated secrets do not match");
-+        }
-+    }
-+
-+    private KeyPair genECKeyPair(String curvName, String privD, String pubX,
-+                                 String pubY) throws Exception {
-+        ECParameterSpec ecParams = NamedCurve.getECParameterSpec(curvName);
-+        ECPrivateKeySpec privKeySpec =
-+            new ECPrivateKeySpec(new BigInteger(privD, 16), ecParams);
-+        ECPublicKeySpec pubKeySpec =
-+            new ECPublicKeySpec(new ECPoint(new BigInteger(pubX, 16),
-+                                            new BigInteger(pubY, 16)),
-+                                ecParams);
-+        PrivateKey privKey = kf.generatePrivate(privKeySpec);
-+        PublicKey pubKey = kf.generatePublic(pubKeySpec);
-+        return new KeyPair(pubKey, privKey);
-+    }
-+    private KeyPair genECKeyPair(String curvName) throws Exception {
-+        ECGenParameterSpec genParams = new ECGenParameterSpec(curvName);
-+        kpg.initialize(genParams, null);
-+        return kpg.generateKeyPair();
-+    }
-+    public static void main(String[] args) throws Exception {
-+        main(new TestECDH2());
-+    }
-+
-+    public void main(Provider provider) throws Exception {
-+        if (provider.getService("KeyAgreement", "ECDH") == null) {
-+            System.out.println("ECDH not supported, skipping");
-+            return;
-+        }
-+
-+        kf = KeyFactory.getInstance("EC", provider);
-+        kpg = KeyPairGenerator.getInstance("EC", provider);
-+
-+        System.out.println("Testing against NIST P-256");
-+
-+        long start = System.currentTimeMillis();
-+        KeyPair kp256A = genECKeyPair("secp256r1", privD256, pubX256, pubY256);
-+        KeyPair kp256B = genECKeyPair("secp256r1");
-+        testKeyAgreement(kp256A, kp256B, provider);
-+
-+        System.out.println("Testing against NIST P-384");
-+        KeyPair kp384A = genECKeyPair("secp384r1", privD384, pubX384, pubY384);
-+        KeyPair kp384B = genECKeyPair("secp384r1");
-+        testKeyAgreement(kp384A, kp384B, provider);
-+
-+        long stop = System.currentTimeMillis();
-+        System.out.println("All tests passed (" + (stop - start) + " ms).");
-+    }
-+}
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java openjdk/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java	2014-12-24 20:18:40.134192764 +0000
-@@ -0,0 +1,122 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/**
-+ * @test
-+ * @bug 6405536
-+ * @summary basic test of ECDSA signatures for P-256 and P-384 from the
-+ * example data in "Suite B Implementer's Guide to FIPS 186-3".
-+ * @library ..
-+ * @library ../../../../java/security/testlibrary
-+ * @compile -XDignore.symbol.file TestECDSA2.java
-+ * @run main TestECDSA2
-+ */
-+
-+import java.io.*;
-+import java.util.*;
-+import java.math.BigInteger;
-+
-+import java.security.*;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+
-+import sun.security.ec.NamedCurve;
-+
-+public class TestECDSA2 extends PKCS11Test {
-+
-+    // values of the keys we use for the tests
-+
-+    // keypair using NIST P-256
-+    private final static String privD256 = "70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a";
-+    private final static String pubX256 = "8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8";
-+    private final static String pubY256 = "d8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9";
-+
-+    // keypair using NIST P-384
-+    private final static String privD384 = "c838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24";
-+    private final static String pubX384 = "1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0";
-+    private final static String pubY384 = "eb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9";
-+
-+    // data to be signed
-+    private final static byte[] data = "This is only a test message. It is 48 bytes long".getBytes();
-+
-+    private KeyFactory kf = null;
-+
-+    private static void testSignAndVerify(String alg, KeyPair kp, Provider p) throws Exception {
-+        Signature s = Signature.getInstance(alg, p);
-+        s.initSign(kp.getPrivate());
-+        s.update(data);
-+        byte[] result = s.sign();
-+
-+        s.initVerify(kp.getPublic());
-+        s.update(data);
-+        if (!s.verify(result)) {
-+            throw new Exception("Error: Signature verification failed");
-+        }
-+        System.out.println(p.getName() + ": " + alg + " Passed");
-+    }
-+
-+    private KeyPair genECKeyPair(String curvName, String privD, String pubX, String pubY) throws Exception {
-+        ECParameterSpec ecParams = NamedCurve.getECParameterSpec(curvName);
-+        ECPrivateKeySpec privKeySpec =
-+            new ECPrivateKeySpec(new BigInteger(privD, 16), ecParams);
-+        ECPublicKeySpec pubKeySpec =
-+            new ECPublicKeySpec(new ECPoint(new BigInteger(pubX, 16), new BigInteger(pubY, 16)),
-+                                ecParams);
-+        PrivateKey privKey = kf.generatePrivate(privKeySpec);
-+        PublicKey pubKey = kf.generatePublic(pubKeySpec);
-+        return new KeyPair(pubKey, privKey);
-+    }
-+
-+    public static void main(String[] args) throws Exception {
-+        main(new TestECDSA2());
-+    }
-+
-+    public void main(Provider provider) throws Exception {
-+        boolean testP256 =
-+            (provider.getService("Signature", "SHA256withECDSA") != null);
-+
-+        boolean testP384 =
-+            (provider.getService("Signature", "SHA384withECDSA") != null);
-+
-+        if (!testP256 && !testP384) {
-+            System.out.println("ECDSA not supported, skipping");
-+            return;
-+        }
-+
-+        kf = KeyFactory.getInstance("EC", provider);
-+
-+        long start = System.currentTimeMillis();
-+        if (testP256) {
-+            // can use secp256r1, NIST P-256, X9.62 prime256v1, or 1.2.840.10045.3.1.7
-+            KeyPair kp = genECKeyPair("secp256r1", privD256, pubX256, pubY256);
-+            testSignAndVerify("SHA256withECDSA", kp, provider);
-+        }
-+        if (testP384) {
-+            // can use secp384r1, NIST P-384, 1.3.132.0.34
-+            KeyPair kp = genECKeyPair("secp384r1", privD384, pubX384, pubY384);
-+            testSignAndVerify("SHA384withECDSA", kp, provider);
-+        }
-+        long stop = System.currentTimeMillis();
-+        System.out.println("All tests passed (" + (stop - start) + " ms).");
-+    }
-+}
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java openjdk/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java
---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java	2014-12-24 20:18:40.134192764 +0000
-@@ -0,0 +1,117 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/*
-+ * @test
-+ * @bug 7044060
-+ * @summary verify that DSA parameter generation works
-+ * @run main/othervm/timeout=300 TestAlgParameterGenerator
-+ */
-+import java.security.*;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+
-+public class TestAlgParameterGenerator {
-+
-+    private static void checkParamStrength(AlgorithmParameters param,
-+                                           int strength) throws Exception {
-+        String algo = param.getAlgorithm();
-+        if (!algo.equalsIgnoreCase("DSA")) {
-+            throw new Exception("Unexpected type of parameters: " + algo);
-+        }
-+        DSAParameterSpec spec = param.getParameterSpec(DSAParameterSpec.class);
-+        int valueL = spec.getP().bitLength();
-+        if (strength != valueL) {
-+            System.out.println("Expected " + strength + " but actual " + valueL);
-+            throw new Exception("Wrong P strength");
-+        }
-+    }
-+    private static void checkParamStrength(AlgorithmParameters param,
-+                                           DSAGenParameterSpec genParam)
-+        throws Exception {
-+        String algo = param.getAlgorithm();
-+        if (!algo.equalsIgnoreCase("DSA")) {
-+            throw new Exception("Unexpected type of parameters: " + algo);
-+        }
-+        DSAParameterSpec spec = param.getParameterSpec(DSAParameterSpec.class);
-+        int valueL = spec.getP().bitLength();
-+        int strength = genParam.getPrimePLength();
-+        if (strength != valueL) {
-+            System.out.println("P: Expected " + strength + " but actual " + valueL);
-+            throw new Exception("Wrong P strength");
-+        }
-+        int valueN = spec.getQ().bitLength();
-+        strength = genParam.getSubprimeQLength();
-+        if (strength != valueN) {
-+            System.out.println("Q: Expected " + strength + " but actual " + valueN);
-+            throw new Exception("Wrong Q strength");
-+        }
-+    }
-+
-+    public static void main(String[] args) throws Exception {
-+        AlgorithmParameterGenerator apg =
-+            AlgorithmParameterGenerator.getInstance("DSA", "SUN");
-+
-+        long start, stop;
-+        // make sure no-init still works
-+        start = System.currentTimeMillis();
-+        AlgorithmParameters param = apg.generateParameters();
-+        stop = System.currentTimeMillis();
-+        System.out.println("Time: " + (stop - start) + " ms.");
-+        checkParamStrength(param, 1024);
-+
-+        // make sure the old model works
-+        int[] strengths = { 512, 768, 1024 };
-+        for (int i = 0; i < strengths.length; i++) {
-+            int sizeP = strengths[i];
-+            System.out.println("Generating " + sizeP + "-bit DSA Parameters");
-+            start = System.currentTimeMillis();
-+            apg.init(sizeP);
-+            param = apg.generateParameters();
-+            stop = System.currentTimeMillis();
-+            System.out.println("Time: " + (stop - start) + " ms.");
-+            checkParamStrength(param, sizeP);
-+        }
-+
-+        // now the newer model
-+        DSAGenParameterSpec spec1 = new DSAGenParameterSpec(1024, 160);
-+        DSAGenParameterSpec spec2 = new DSAGenParameterSpec(2048, 224);
-+        DSAGenParameterSpec spec3 = new DSAGenParameterSpec(2048, 256);
-+        //DSAGenParameterSpec spec4 = new DSAGenParameterSpec(3072, 256);
-+        DSAGenParameterSpec[] specSet = {
-+            spec1, spec2, spec3//, spec4
-+        };
-+        for (int i = 0; i < specSet.length; i++) {
-+            DSAGenParameterSpec genParam = specSet[i];
-+            System.out.println("Generating (" + genParam.getPrimePLength() +
-+                               ", " + genParam.getSubprimeQLength() +
-+                               ") DSA Parameters");
-+            start = System.currentTimeMillis();
-+            apg.init(genParam, null);
-+            param = apg.generateParameters();
-+            stop = System.currentTimeMillis();
-+            System.out.println("Time: " + (stop - start) + " ms.");
-+            checkParamStrength(param, genParam);
-+        }
-+    }
-+}
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestDSA2.java openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java
---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestDSA2.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java	2014-12-24 20:18:40.134192764 +0000
-@@ -0,0 +1,96 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+/*
-+ * @test
-+ * @bug 7044060
-+ * @run main/othervm/timeout=250 TestDSA2
-+ * @summary verify that DSA signature works using SHA and SHA-224 and SHA-256 digests.
-+ */
-+
-+
-+import java.security.*;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+
-+public class TestDSA2 {
-+
-+    // NOTE: need to explictly specify provider since the more
-+    // preferred provider SunPKCS11 provider only supports up
-+    // 1024 bits.
-+    private static final String PROV = "SUN";
-+
-+    private static final String[] SIG_ALGOS = {
-+        "SHA1withDSA", "SHA224withDSA", "SHA256withDSA"
-+    };
-+
-+    private static final int[] KEYSIZES = {
-+        1024, 2048
-+    };
-+
-+    public static void main(String[] args) throws Exception {
-+        boolean[] expectedToPass = { true, true, true };
-+        test(1024, expectedToPass);
-+        boolean[] expectedToPass2 = { false, true, true };
-+        test(2048, expectedToPass2);
-+    }
-+
-+    private static void test(int keySize, boolean[] testStatus)
-+        throws Exception {
-+        byte[] data = "1234567890".getBytes();
-+        System.out.println("Test against key size: " + keySize);
-+
-+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", PROV);
-+        keyGen.initialize(keySize, new SecureRandom());
-+        KeyPair pair = keyGen.generateKeyPair();
-+
-+        if (testStatus.length != SIG_ALGOS.length) {
-+            throw new RuntimeException("TestError: incorrect status array!");
-+        }
-+        for (int i = 0; i < SIG_ALGOS.length; i++) {
-+            Signature dsa = Signature.getInstance(SIG_ALGOS[i], PROV);
-+            try {
-+                dsa.initSign(pair.getPrivate());
-+                dsa.update(data);
-+                byte[] sig = dsa.sign();
-+                dsa.initVerify(pair.getPublic());
-+                dsa.update(data);
-+                boolean verifies = dsa.verify(sig);
-+                if (verifies == testStatus[i]) {
-+                    System.out.println(SIG_ALGOS[i] + ": Passed");
-+                } else {
-+                    System.out.println(SIG_ALGOS[i] + ": should " +
-+                                       (testStatus[i]? "pass":"fail"));
-+                    throw new RuntimeException(SIG_ALGOS[i] + ": Unexpected Test result!");
-+
-+                }
-+            } catch (Exception ex) {
-+                if (testStatus[i]) {
-+                    ex.printStackTrace();
-+                    throw new RuntimeException(SIG_ALGOS[i] + ": Unexpected exception " + ex);
-+                } else {
-+                    System.out.println(SIG_ALGOS[i] + ": Passed, expected " + ex);
-+                }
-+            }
-+        }
-+    }
-+}
-diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java openjdk/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java
---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java	2013-08-21 20:32:58.044231344 +0100
-+++ openjdk/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java	2014-12-24 20:18:40.134192764 +0000
-@@ -24,7 +24,7 @@
- /*
-  * @test
-  * @bug 4800108
-- * @summary verify that precomputed DSA parameters are always used (512, 768, 1024 bit)
-+ * @summary verify that precomputed DSA parameters are always used (512, 768, 1024, 2048 bit)
-  * @run main/othervm/timeout=15 TestKeyPairGenerator
-  */
- 
-@@ -78,6 +78,10 @@
-         kp = kpg.generateKeyPair();
-         checkKeyLength(kp, 512);
- 
-+        kpg.initialize(2048);
-+        kp = kpg.generateKeyPair();
-+        checkKeyLength(kp, 2048);
-+
-         long stop = System.currentTimeMillis();
-         System.out.println("Time: " + (stop - start) + " ms.");
-     }
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/7106773-512_bits_rsa.patch
--- a/patches/openjdk/7106773-512_bits_rsa.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1336 +0,0 @@
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/util/KeyLength.java openjdk/jdk/src/share/classes/sun/security/util/KeyLength.java
---- openjdk.orig/jdk/src/share/classes/sun/security/util/KeyLength.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/util/KeyLength.java	2014-10-08 23:56:02.320447941 +0100
-@@ -0,0 +1,91 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.util;
-+
-+import java.security.Key;
-+import java.security.PrivilegedAction;
-+import java.security.AccessController;
-+import java.security.interfaces.ECKey;
-+import java.security.interfaces.RSAKey;
-+import java.security.interfaces.DSAKey;
-+import javax.crypto.SecretKey;
-+import javax.crypto.interfaces.DHKey;
-+
-+/**
-+ * A utility class to get key length
-+ */
-+public final class KeyLength {
-+
-+    /**
-+     * Returns the key size of the given key object in bits.
-+     *
-+     * @param key the key object, cannot be null
-+     * @return the key size of the given key object in bits, or -1 if the
-+     *       key size is not accessible
-+     */
-+    final public static int getKeySize(Key key) {
-+        int size = -1;
-+
-+        if (key instanceof Length) {
-+            try {
-+                Length ruler = (Length)key;
-+                size = ruler.length();
-+            } catch (UnsupportedOperationException usoe) {
-+                // ignore the exception
-+            }
-+
-+            if (size >= 0) {
-+                return size;
-+            }
-+        }
-+
-+        // try to parse the length from key specification
-+        if (key instanceof SecretKey) {
-+            SecretKey sk = (SecretKey)key;
-+            String format = sk.getFormat();
-+            if ("RAW".equals(format) && sk.getEncoded() != null) {
-+                size = (sk.getEncoded().length * 8);
-+            }   // Otherwise, it may be a unextractable key of PKCS#11, or
-+                // a key we are not able to handle.
-+        } else if (key instanceof RSAKey) {
-+            RSAKey pubk = (RSAKey)key;
-+            size = pubk.getModulus().bitLength();
-+        } else if (key instanceof ECKey) {
-+            ECKey pubk = (ECKey)key;
-+            size = pubk.getParams().getOrder().bitLength();
-+        } else if (key instanceof DSAKey) {
-+            DSAKey pubk = (DSAKey)key;
-+            size = pubk.getParams().getP().bitLength();
-+        } else if (key instanceof DHKey) {
-+            DHKey pubk = (DHKey)key;
-+            size = pubk.getParams().getP().bitLength();
-+        }   // Otherwise, it may be a unextractable key of PKCS#11, or
-+            // a key we are not able to handle.
-+
-+        return size;
-+    }
-+}
-+
-diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/Key.java openjdk/jdk/src/windows/classes/sun/security/mscapi/Key.java
---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/Key.java	2014-07-14 04:24:44.000000000 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/Key.java	2014-10-08 23:56:02.320447941 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -25,6 +25,8 @@
- 
- package sun.security.mscapi;
- 
-+import sun.security.util.Length;
-+
- /**
-  * The handle for an RSA or DSA key using the Microsoft Crypto API.
-  *
-@@ -35,7 +37,7 @@
-  * @since 1.6
-  * @author  Stanley Man-Kit Ho
-  */
--abstract class Key implements java.security.Key
-+abstract class Key implements java.security.Key, Length
- {
- 
-     // Native handle
-@@ -81,7 +83,8 @@
-     /**
-      * Return bit length of the key.
-      */
--    public int bitLength()
-+    @Override
-+    public int length()
-     {
-         return keyLength;
-     }
-diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java
---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java	2014-07-14 04:24:44.000000000 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java	2014-10-08 23:57:43.965856392 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -198,12 +198,12 @@
-             mode = encrypt ? MODE_ENCRYPT : MODE_VERIFY;
-             publicKey = (sun.security.mscapi.Key)key;
-             privateKey = null;
--            outputSize = publicKey.bitLength() / 8;
-+            outputSize = publicKey.length() / 8;
-         } else if (key instanceof PrivateKey) {
-             mode = encrypt ? MODE_SIGN : MODE_DECRYPT;
-             privateKey = (sun.security.mscapi.Key)key;
-             publicKey = null;
--            outputSize = privateKey.bitLength() / 8;
-+            outputSize = privateKey.length() / 8;
-         } else {
-             throw new InvalidKeyException("Unknown key type: " + key);
-         }
-@@ -358,7 +358,7 @@
-     protected int engineGetKeySize(Key key) throws InvalidKeyException {
- 
-         if (key instanceof sun.security.mscapi.Key) {
--            return ((sun.security.mscapi.Key) key).bitLength();
-+            return ((sun.security.mscapi.Key) key).length();
-         } else {
-             throw new InvalidKeyException("Unsupported key type: " + key);
-         }
-diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java
---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	2014-10-08 23:52:11.237246746 +0100
-+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java	2014-10-08 23:56:50.913121240 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -297,7 +297,7 @@
- 
-         // Check against the local and global values to make sure
-         // the sizes are ok.  Round up to nearest byte.
--        RSAKeyFactory.checkKeyLengths(((privateKey.bitLength() + 7) & ~7),
-+        RSAKeyFactory.checkKeyLengths(((privateKey.length() + 7) & ~7),
-             null, RSAKeyPairGenerator.KEY_SIZE_MIN,
-             RSAKeyPairGenerator.KEY_SIZE_MAX);
- 
-diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh
---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh	2014-10-08 23:56:02.320447941 +0100
-@@ -0,0 +1,85 @@
-+#!/bin/sh
-+
-+#
-+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+
-+# @test
-+# @bug 7106773
-+# @summary 512 bits RSA key cannot work with SHA384 and SHA512
-+# @run shell ShortRSAKey1024.sh
-+
-+# set a few environment variables so that the shell-script can run stand-alone
-+# in the source directory
-+if [ "${TESTSRC}" = "" ] ; then
-+   TESTSRC="."
-+fi
-+
-+if [ "${TESTCLASSES}" = "" ] ; then
-+   TESTCLASSES="."
-+fi
-+
-+if [ "${TESTJAVA}" = "" ] ; then
-+   echo "TESTJAVA not set.  Test cannot execute."
-+   echo "FAILED!!!"
-+   exit 1
-+fi
-+
-+OS=`uname -s`
-+case "$OS" in
-+    Windows* | CYGWIN* )
-+
-+        echo "Creating a temporary RSA keypair in the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -genkeypair \
-+            -storetype Windows-My \
-+            -keyalg RSA \
-+            -alias 7106773.1024 \
-+            -keysize 1024 \
-+            -dname "cn=localhost,c=US" \
-+            -noprompt
-+
-+        echo
-+        echo "Running the test..."
-+        ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java
-+        ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.1024 1024 \
-+            TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-+
-+        rc=$?
-+
-+        echo
-+        echo "Removing the temporary RSA keypair from the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -delete \
-+            -storetype Windows-My \
-+            -alias 7106773.1024
-+
-+        echo done.
-+        exit $rc
-+        ;;
-+
-+    * )
-+        echo "This test is not intended for '$OS' - passing test"
-+        exit 0
-+        ;;
-+esac
-diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey512.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey512.sh
---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey512.sh	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey512.sh	2014-10-08 23:56:02.320447941 +0100
-@@ -0,0 +1,86 @@
-+#!/bin/sh
-+
-+#
-+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+
-+# @test
-+# @bug 7106773
-+# @summary 512 bits RSA key cannot work with SHA384 and SHA512
-+# @run shell ShortRSAKey512.sh
-+
-+# set a few environment variables so that the shell-script can run stand-alone
-+# in the source directory
-+if [ "${TESTSRC}" = "" ] ; then
-+   TESTSRC="."
-+fi
-+
-+if [ "${TESTCLASSES}" = "" ] ; then
-+   TESTCLASSES="."
-+fi
-+
-+if [ "${TESTJAVA}" = "" ] ; then
-+   echo "TESTJAVA not set.  Test cannot execute."
-+   echo "FAILED!!!"
-+   exit 1
-+fi
-+
-+OS=`uname -s`
-+case "$OS" in
-+    Windows* | CYGWIN* )
-+
-+        echo "Creating a temporary RSA keypair in the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -genkeypair \
-+            -storetype Windows-My \
-+            -keyalg RSA \
-+            -alias 7106773.512 \
-+            -keysize 512 \
-+            -dname "cn=localhost,c=US" \
-+            -noprompt
-+
-+        echo
-+        echo "Running the test..."
-+        ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java
-+        ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.512 512 \
-+            TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-+
-+
-+        rc=$?
-+
-+        echo
-+        echo "Removing the temporary RSA keypair from the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -delete \
-+            -storetype Windows-My \
-+            -alias 7106773.512
-+
-+        echo done.
-+        exit $rc
-+        ;;
-+
-+    * )
-+        echo "This test is not intended for '$OS' - passing test"
-+        exit 0
-+        ;;
-+esac
-diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey768.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey768.sh
---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey768.sh	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey768.sh	2014-10-08 23:56:02.320447941 +0100
-@@ -0,0 +1,85 @@
-+#!/bin/sh
-+
-+#
-+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+#
-+# This code is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License version 2 only, as
-+# published by the Free Software Foundation.
-+#
-+# This code is distributed in the hope that it will be useful, but WITHOUT
-+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# version 2 for more details (a copy is included in the LICENSE file that
-+# accompanied this code).
-+#
-+# You should have received a copy of the GNU General Public License version
-+# 2 along with this work; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+# or visit www.oracle.com if you need additional information or have any
-+# questions.
-+#
-+
-+
-+# @test
-+# @bug 7106773
-+# @summary 512 bits RSA key cannot work with SHA384 and SHA512
-+# @run shell ShortRSAKey768.sh
-+
-+# set a few environment variables so that the shell-script can run stand-alone
-+# in the source directory
-+if [ "${TESTSRC}" = "" ] ; then
-+   TESTSRC="."
-+fi
-+
-+if [ "${TESTCLASSES}" = "" ] ; then
-+   TESTCLASSES="."
-+fi
-+
-+if [ "${TESTJAVA}" = "" ] ; then
-+   echo "TESTJAVA not set.  Test cannot execute."
-+   echo "FAILED!!!"
-+   exit 1
-+fi
-+
-+OS=`uname -s`
-+case "$OS" in
-+    Windows* | CYGWIN* )
-+
-+        echo "Creating a temporary RSA keypair in the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -genkeypair \
-+            -storetype Windows-My \
-+            -keyalg RSA \
-+            -alias 7106773.768 \
-+            -keysize 768 \
-+            -dname "cn=localhost,c=US" \
-+            -noprompt
-+
-+        echo
-+        echo "Running the test..."
-+        ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java
-+        ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.768 768 \
-+            TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-+
-+        rc=$?
-+
-+        echo
-+        echo "Removing the temporary RSA keypair from the Windows-My store..."
-+        ${TESTJAVA}/bin/keytool \
-+            -delete \
-+            -storetype Windows-My \
-+            -alias 7106773.768
-+
-+        echo done.
-+        exit $rc
-+        ;;
-+
-+    * )
-+        echo "This test is not intended for '$OS' - passing test"
-+        exit 0
-+        ;;
-+esac
-diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java openjdk/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java
---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java	2014-10-08 23:56:02.324447997 +0100
-@@ -0,0 +1,355 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+import java.io.*;
-+import java.net.*;
-+import java.util.*;
-+import java.security.*;
-+import javax.net.*;
-+import javax.net.ssl.*;
-+import java.lang.reflect.*;
-+
-+import sun.security.util.KeyLength;
-+
-+public class ShortRSAKeyWithinTLS {
-+
-+    /*
-+     * =============================================================
-+     * Set the various variables needed for the tests, then
-+     * specify what tests to run on each side.
-+     */
-+
-+    /*
-+     * Should we run the client or server in a separate thread?
-+     * Both sides can throw exceptions, but do you have a preference
-+     * as to which side should be the main thread.
-+     */
-+    static boolean separateServerThread = false;
-+
-+    /*
-+     * Is the server ready to serve?
-+     */
-+    volatile static boolean serverReady = false;
-+
-+    /*
-+     * Turn on SSL debugging?
-+     */
-+    static boolean debug = false;
-+
-+    /*
-+     * If the client or server is doing some kind of object creation
-+     * that the other side depends on, and that thread prematurely
-+     * exits, you may experience a hang.  The test harness will
-+     * terminate all hung threads after its timeout has expired,
-+     * currently 3 minutes by default, but you might try to be
-+     * smart about it....
-+     */
-+
-+    /*
-+     * Define the server side of the test.
-+     *
-+     * If the server prematurely exits, serverReady will be set to true
-+     * to avoid infinite hangs.
-+     */
-+    void doServerSide() throws Exception {
-+
-+        // load the key store
-+        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
-+        ks.load(null, null);
-+        System.out.println("Loaded keystore: Windows-MY");
-+
-+        // check key size
-+        checkKeySize(ks);
-+
-+        // initialize the SSLContext
-+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-+        kmf.init(ks, null);
-+
-+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
-+        tmf.init(ks);
-+
-+        SSLContext ctx = SSLContext.getInstance("TLS");
-+        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-+
-+        ServerSocketFactory ssf = ctx.getServerSocketFactory();
-+        SSLServerSocket sslServerSocket = (SSLServerSocket)
-+                                ssf.createServerSocket(serverPort);
-+        sslServerSocket.setNeedClientAuth(true);
-+        serverPort = sslServerSocket.getLocalPort();
-+        System.out.println("serverPort = " + serverPort);
-+
-+        /*
-+         * Signal Client, we're ready for his connect.
-+         */
-+        serverReady = true;
-+
-+        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
-+        InputStream sslIS = sslSocket.getInputStream();
-+        OutputStream sslOS = sslSocket.getOutputStream();
-+
-+        sslIS.read();
-+        sslOS.write(85);
-+        sslOS.flush();
-+
-+        sslSocket.close();
-+    }
-+
-+    /*
-+     * Define the client side of the test.
-+     *
-+     * If the server prematurely exits, serverReady will be set to true
-+     * to avoid infinite hangs.
-+     */
-+    void doClientSide() throws Exception {
-+
-+        /*
-+         * Wait for server to get started.
-+         */
-+        while (!serverReady) {
-+            Thread.sleep(50);
-+        }
-+
-+        // load the key store
-+        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
-+        ks.load(null, null);
-+        System.out.println("Loaded keystore: Windows-MY");
-+
-+        // initialize the SSLContext
-+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-+        kmf.init(ks, null);
-+
-+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
-+        tmf.init(ks);
-+
-+        SSLContext ctx = SSLContext.getInstance("TLS");
-+        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-+
-+        SSLSocketFactory sslsf = ctx.getSocketFactory();
-+        SSLSocket sslSocket = (SSLSocket)
-+            sslsf.createSocket("localhost", serverPort);
-+
-+        if (clientProtocol != null) {
-+            sslSocket.setEnabledProtocols(new String[] {clientProtocol});
-+        }
-+
-+        if (clientCiperSuite != null) {
-+            sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite});
-+        }
-+
-+        InputStream sslIS = sslSocket.getInputStream();
-+        OutputStream sslOS = sslSocket.getOutputStream();
-+
-+        sslOS.write(280);
-+        sslOS.flush();
-+        sslIS.read();
-+
-+        sslSocket.close();
-+    }
-+
-+    private void checkKeySize(KeyStore ks) throws Exception {
-+        PrivateKey privateKey = null;
-+        PublicKey publicKey = null;
-+
-+        if (ks.containsAlias(keyAlias)) {
-+            System.out.println("Loaded entry: " + keyAlias);
-+            privateKey = (PrivateKey)ks.getKey(keyAlias, null);
-+            publicKey = (PublicKey)ks.getCertificate(keyAlias).getPublicKey();
-+
-+            int privateKeySize = KeyLength.getKeySize(privateKey);
-+            if (privateKeySize != keySize) {
-+                throw new Exception("Expected key size is " + keySize +
-+                        ", but the private key size is " + privateKeySize);
-+            }
-+
-+            int publicKeySize = KeyLength.getKeySize(publicKey);
-+            if (publicKeySize != keySize) {
-+                throw new Exception("Expected key size is " + keySize +
-+                        ", but the public key size is " + publicKeySize);
-+            }
-+        }
-+    }
-+
-+    /*
-+     * =============================================================
-+     * The remainder is just support stuff
-+     */
-+
-+    // use any free port by default
-+    volatile int serverPort = 0;
-+
-+    volatile Exception serverException = null;
-+    volatile Exception clientException = null;
-+
-+    private static String keyAlias;
-+    private static int keySize;
-+    private static String clientProtocol = null;
-+    private static String clientCiperSuite = null;
-+
-+    private static void parseArguments(String[] args) {
-+        keyAlias = args[0];
-+        keySize = Integer.parseInt(args[1]);
-+
-+        if (args.length > 2) {
-+            clientProtocol = args[2];
-+        }
-+
-+        if (args.length > 3) {
-+            clientCiperSuite = args[3];
-+        }
-+    }
-+
-+    public static void main(String[] args) throws Exception {
-+        if (debug) {
-+            System.setProperty("javax.net.debug", "all");
-+        }
-+
-+        // Get the customized arguments.
-+        parseArguments(args);
-+
-+        new ShortRSAKeyWithinTLS();
-+    }
-+
-+    Thread clientThread = null;
-+    Thread serverThread = null;
-+
-+    /*
-+     * Primary constructor, used to drive remainder of the test.
-+     *
-+     * Fork off the other side, then do your work.
-+     */
-+    ShortRSAKeyWithinTLS() throws Exception {
-+        try {
-+            if (separateServerThread) {
-+                startServer(true);
-+                startClient(false);
-+            } else {
-+                startClient(true);
-+                startServer(false);
-+            }
-+        } catch (Exception e) {
-+            // swallow for now.  Show later
-+        }
-+
-+        /*
-+         * Wait for other side to close down.
-+         */
-+        if (separateServerThread) {
-+            serverThread.join();
-+        } else {
-+            clientThread.join();
-+        }
-+
-+        /*
-+         * When we get here, the test is pretty much over.
-+         * Which side threw the error?
-+         */
-+        Exception local;
-+        Exception remote;
-+        String whichRemote;
-+
-+        if (separateServerThread) {
-+            remote = serverException;
-+            local = clientException;
-+            whichRemote = "server";
-+        } else {
-+            remote = clientException;
-+            local = serverException;
-+            whichRemote = "client";
-+        }
-+
-+        /*
-+         * If both failed, return the curthread's exception, but also
-+         * print the remote side Exception
-+         */
-+        if ((local != null) && (remote != null)) {
-+            System.out.println(whichRemote + " also threw:");
-+            remote.printStackTrace();
-+            System.out.println();
-+            throw local;
-+        }
-+
-+        if (remote != null) {
-+            throw remote;
-+        }
-+
-+        if (local != null) {
-+            throw local;
-+        }
-+    }
-+
-+    void startServer(boolean newThread) throws Exception {
-+        if (newThread) {
-+            serverThread = new Thread() {
-+                public void run() {
-+                    try {
-+                        doServerSide();
-+                    } catch (Exception e) {
-+                        /*
-+                         * Our server thread just died.
-+                         *
-+                         * Release the client, if not active already...
-+                         */
-+                        System.err.println("Server died...");
-+                        serverReady = true;
-+                        serverException = e;
-+                    }
-+                }
-+            };
-+            serverThread.start();
-+        } else {
-+            try {
-+                doServerSide();
-+            } catch (Exception e) {
-+                serverException = e;
-+            } finally {
-+                serverReady = true;
-+            }
-+        }
-+    }
-+
-+    void startClient(boolean newThread) throws Exception {
-+        if (newThread) {
-+            clientThread = new Thread() {
-+                public void run() {
-+                    try {
-+                        doClientSide();
-+                    } catch (Exception e) {
-+                        /*
-+                         * Our client thread just died.
-+                         */
-+                        System.err.println("Client died...");
-+                        clientException = e;
-+                    }
-+                }
-+            };
-+            clientThread.start();
-+        } else {
-+            try {
-+                doClientSide();
-+            } catch (Exception e) {
-+                clientException = e;
-+            }
-+        }
-+    }
-+}
-+
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java	2014-07-14 04:24:44.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java	2014-10-08 23:56:02.324447997 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -155,6 +155,14 @@
-         SSLSocket sslSocket = (SSLSocket)
-             sslsf.createSocket("localhost", serverPort);
- 
-+        if (clientProtocol != null) {
-+            sslSocket.setEnabledProtocols(new String[] {clientProtocol});
-+        }
-+
-+        if (clientCiperSuite != null) {
-+            sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite});
-+        }
-+
-         InputStream sslIS = sslSocket.getInputStream();
-         OutputStream sslOS = sslSocket.getOutputStream();
- 
-@@ -176,7 +184,22 @@
-     volatile Exception serverException = null;
-     volatile Exception clientException = null;
- 
-+    private static String clientProtocol = null;
-+    private static String clientCiperSuite = null;
-+
-+    private static void parseArguments(String[] args) {
-+        if (args.length > 0) {
-+            clientProtocol = args[0];
-+        }
-+
-+        if (args.length > 1) {
-+            clientCiperSuite = args[1];
-+        }
-+    }
-+
-     public static void main(String[] args) throws Exception {
-+        // Get the customized arguments.
-+        parseArguments(args);
-         main(new ClientAuth());
-     }
- 
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh
---- openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh	2014-07-14 04:24:44.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh	2014-10-08 23:56:02.324447997 +0100
-@@ -1,5 +1,5 @@
- #
--# Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
-+# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
- # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- #
- # This code is free software; you can redistribute it and/or modify it
-@@ -22,8 +22,9 @@
- #
- 
- # @test
--# @bug 4938185
-+# @bug 4938185 7106773
- # @summary KeyStore support for NSS cert/key databases
-+#          512 bits RSA key cannot work with SHA384 and SHA512
- #
- # @run shell ClientAuth.sh
- 
-@@ -126,6 +127,7 @@
- 	${TESTSRC}${FS}ClientAuth.java
- 
- # run test
-+echo "Run ClientAuth ..."
- ${TESTJAVA}${FS}bin${FS}java \
- 	-classpath ${TESTCLASSES}${PS}${TESTSRC}${FS}loader.jar \
- 	-DDIR=${TESTSRC}${FS}ClientAuthData${FS} \
-@@ -139,6 +141,27 @@
- 
- # save error status
- status=$?
-+
-+# return if failed
-+if [ "${status}" != "0" ] ; then
-+    exit $status
-+fi
-+
-+# run test with specified TLS protocol and cipher suite
-+echo "Run ClientAuth TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
-+${TESTJAVA}${FS}bin${FS}java \
-+	-classpath ${TESTCLASSES}${PS}${TESTSRC}${FS}loader.jar \
-+	-DDIR=${TESTSRC}${FS}ClientAuthData${FS} \
-+	-DCUSTOM_DB_DIR=${TESTCLASSES} \
-+	-DCUSTOM_P11_CONFIG=${TESTSRC}${FS}ClientAuthData${FS}p11-nss.txt \
-+	-DNO_DEFAULT=true \
-+	-DNO_DEIMOS=true \
-+	-Dtest.src=${TESTSRC} \
-+	-Dtest.classes=${TESTCLASSES} \
-+	ClientAuth TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-+
-+# save error status
-+status=$?
- 
- # return
- exit $status
-diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java
---- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java	2014-10-08 23:56:03.904469889 +0100
-@@ -0,0 +1,414 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/*
-+ * @test
-+ * @bug 7106773
-+ * @summary 512 bits RSA key cannot work with SHA384 and SHA512
-+ *
-+ *     SunJSSE does not support dynamic system properties, no way to re-use
-+ *     system properties in samevm/agentvm mode.
-+ * @run main/othervm ShortRSAKey512 PKIX
-+ * @run main/othervm ShortRSAKey512 SunX509
-+ */
-+
-+import java.net.*;
-+import java.util.*;
-+import java.io.*;
-+import javax.net.ssl.*;
-+import java.security.KeyStore;
-+import java.security.KeyFactory;
-+import java.security.cert.Certificate;
-+import java.security.cert.CertificateFactory;
-+import java.security.spec.*;
-+import java.security.interfaces.*;
-+import sun.misc.BASE64Decoder;
-+
-+
-+public class ShortRSAKey512 {
-+
-+    /*
-+     * =============================================================
-+     * Set the various variables needed for the tests, then
-+     * specify what tests to run on each side.
-+     */
-+
-+    /*
-+     * Should we run the client or server in a separate thread?
-+     * Both sides can throw exceptions, but do you have a preference
-+     * as to which side should be the main thread.
-+     */
-+    static boolean separateServerThread = false;
-+
-+    /*
-+     * Where do we find the keystores?
-+     */
-+    // Certificates and key used in the test.
-+    static String trustedCertStr =
-+        "-----BEGIN CERTIFICATE-----\n" +
-+        "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" +
-+        "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" +
-+        "MTEwODE5MDE1MjE5WhcNMzIwNzI5MDE1MjE5WjA7MQswCQYDVQQGEwJVUzENMAsG\n" +
-+        "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" +
-+        "KoZIhvcNAQEBBQADgY0AMIGJAoGBAM8orG08DtF98TMSscjGsidd1ZoN4jiDpi8U\n" +
-+        "ICz+9dMm1qM1d7O2T+KH3/mxyox7Rc2ZVSCaUD0a3CkhPMnlAx8V4u0H+E9sqso6\n" +
-+        "iDW3JpOyzMExvZiRgRG/3nvp55RMIUV4vEHOZ1QbhuqG4ebN0Vz2DkRft7+flthf\n" +
-+        "vDld6f5JAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLl81dnfp0wDrv0OJ1sxlWzH83Xh\n" +
-+        "MGMGA1UdIwRcMFqAFLl81dnfp0wDrv0OJ1sxlWzH83XhoT+kPTA7MQswCQYDVQQG\n" +
-+        "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" +
-+        "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEE\n" +
-+        "BQADgYEALlgaH1gWtoBZ84EW8Hu6YtGLQ/L9zIFmHonUPZwn3Pr//icR9Sqhc3/l\n" +
-+        "pVTxOINuFHLRz4BBtEylzRIOPzK3tg8XwuLb1zd0db90x3KBCiAL6E6cklGEPwLe\n" +
-+        "XYMHDn9eDsaq861Tzn6ZwzMgw04zotPMoZN0mVd/3Qca8UJFucE=\n" +
-+        "-----END CERTIFICATE-----";
-+
-+    static String targetCertStr =
-+        "-----BEGIN CERTIFICATE-----\n" +
-+        "MIICNDCCAZ2gAwIBAgIBDDANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" +
-+        "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" +
-+        "MTExMTA3MTM1NTUyWhcNMzEwNzI1MTM1NTUyWjBPMQswCQYDVQQGEwJVUzENMAsG\n" +
-+        "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n" +
-+        "BAMTCWxvY2FsaG9zdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3Pb49OSPfOD2G\n" +
-+        "HSXFCFx1GJEZfqG9ZUf7xuIi/ra5dLjPGAaoY5QF2QOa8VnOriQCXDfyXHxsuRnE\n" +
-+        "OomxL7EVAgMBAAGjeDB2MAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUXNCJK3/dtCIc\n" +
-+        "xb+zlA/JINlvs/MwHwYDVR0jBBgwFoAUuXzV2d+nTAOu/Q4nWzGVbMfzdeEwJwYD\n" +
-+        "VR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAzANBgkqhkiG9w0B\n" +
-+        "AQQFAAOBgQB2qIDUxA2caMPpGtUACZAPRUtrGssCINIfItETXJZCx/cRuZ5sP4D9\n" +
-+        "N1acoNDn0hCULe3lhXAeTC9NZ97680yJzregQMV5wATjo1FGsKY30Ma+sc/nfzQW\n" +
-+        "+h/7RhYtoG0OTsiaDCvyhI6swkNJzSzrAccPY4+ZgU8HiDLzZTmM3Q==\n" +
-+        "-----END CERTIFICATE-----";
-+
-+    // Private key in the format of PKCS#8, key size is 512 bits.
-+    static String targetPrivateKey =
-+        "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAtz2+PTkj3zg9hh0l\n" +
-+        "xQhcdRiRGX6hvWVH+8biIv62uXS4zxgGqGOUBdkDmvFZzq4kAlw38lx8bLkZxDqJ\n" +
-+        "sS+xFQIDAQABAkByx/5Oo2hQ/w2q4L8z+NTRlJ3vdl8iIDtC/4XPnfYfnGptnpG6\n" +
-+        "ZThQRvbMZiai0xHQPQMszvAHjZVme1eDl3EBAiEA3aKJHynPVCEJhpfCLWuMwX5J\n" +
-+        "1LntwJO7NTOyU5m8rPECIQDTpzn5X44r2rzWBDna/Sx7HW9IWCxNgUD2Eyi2nA7W\n" +
-+        "ZQIgJerEorw4aCAuzQPxiGu57PB6GRamAihEAtoRTBQlH0ECIQDN08FgTtnesgCU\n" +
-+        "DFYLLcw1CiHvc7fZw4neBDHCrC8NtQIgA8TOUkGnpCZlQ0KaI8KfKWI+vxFcgFnH\n" +
-+        "3fnqsTgaUs4=";
-+
-+    static char passphrase[] = "passphrase".toCharArray();
-+
-+    /*
-+     * Is the server ready to serve?
-+     */
-+    volatile static boolean serverReady = false;
-+
-+    /*
-+     * Turn on SSL debugging?
-+     */
-+    static boolean debug = false;
-+
-+    /*
-+     * Define the server side of the test.
-+     *
-+     * If the server prematurely exits, serverReady will be set to true
-+     * to avoid infinite hangs.
-+     */
-+    void doServerSide() throws Exception {
-+        SSLContext context = generateSSLContext(null, targetCertStr,
-+                                            targetPrivateKey);
-+        SSLServerSocketFactory sslssf = context.getServerSocketFactory();
-+        SSLServerSocket sslServerSocket =
-+            (SSLServerSocket)sslssf.createServerSocket(serverPort);
-+        serverPort = sslServerSocket.getLocalPort();
-+
-+        /*
-+         * Signal Client, we're ready for his connect.
-+         */
-+        serverReady = true;
-+
-+        SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
-+        InputStream sslIS = sslSocket.getInputStream();
-+        OutputStream sslOS = sslSocket.getOutputStream();
-+
-+        sslIS.read();
-+        sslOS.write('A');
-+        sslOS.flush();
-+
-+        sslSocket.close();
-+    }
-+
-+    /*
-+     * Define the client side of the test.
-+     *
-+     * If the server prematurely exits, serverReady will be set to true
-+     * to avoid infinite hangs.
-+     */
-+    void doClientSide() throws Exception {
-+
-+        /*
-+         * Wait for server to get started.
-+         */
-+        while (!serverReady) {
-+            Thread.sleep(50);
-+        }
-+
-+        SSLContext context = generateSSLContext(trustedCertStr, null, null);
-+        SSLSocketFactory sslsf = context.getSocketFactory();
-+
-+        SSLSocket sslSocket =
-+            (SSLSocket)sslsf.createSocket("localhost", serverPort);
-+
-+        // enable TLSv1.2 only
-+        sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
-+
-+        // enable a block cipher
-+        sslSocket.setEnabledCipherSuites(
-+            new String[] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"});
-+
-+        InputStream sslIS = sslSocket.getInputStream();
-+        OutputStream sslOS = sslSocket.getOutputStream();
-+
-+        sslOS.write('B');
-+        sslOS.flush();
-+        sslIS.read();
-+
-+        sslSocket.close();
-+    }
-+
-+    /*
-+     * =============================================================
-+     * The remainder is just support stuff
-+     */
-+    private static String tmAlgorithm;        // trust manager
-+
-+    private static void parseArguments(String[] args) {
-+        tmAlgorithm = args[0];
-+    }
-+
-+    private static SSLContext generateSSLContext(String trustedCertStr,
-+            String keyCertStr, String keySpecStr) throws Exception {
-+
-+        // generate certificate from cert string
-+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
-+
-+        // create a key store
-+        KeyStore ks = KeyStore.getInstance("JKS");
-+        ks.load(null, null);
-+
-+        // import the trused cert
-+        Certificate trusedCert = null;
-+        ByteArrayInputStream is = null;
-+        if (trustedCertStr != null) {
-+            is = new ByteArrayInputStream(trustedCertStr.getBytes());
-+            trusedCert = cf.generateCertificate(is);
-+            is.close();
-+
-+            ks.setCertificateEntry("RSA Export Signer", trusedCert);
-+        }
-+
-+        if (keyCertStr != null) {
-+            // generate the private key.
-+            PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
-+                                new BASE64Decoder().decodeBuffer(keySpecStr));
-+            KeyFactory kf = KeyFactory.getInstance("RSA");
-+            RSAPrivateKey priKey =
-+                    (RSAPrivateKey)kf.generatePrivate(priKeySpec);
-+
-+            // generate certificate chain
-+            is = new ByteArrayInputStream(keyCertStr.getBytes());
-+            Certificate keyCert = cf.generateCertificate(is);
-+            is.close();
-+
-+            Certificate[] chain = null;
-+            if (trusedCert != null) {
-+                chain = new Certificate[2];
-+                chain[0] = keyCert;
-+                chain[1] = trusedCert;
-+            } else {
-+                chain = new Certificate[1];
-+                chain[0] = keyCert;
-+            }
-+
-+            // import the key entry.
-+            ks.setKeyEntry("Whatever", priKey, passphrase, chain);
-+        }
-+
-+        // create SSL context
-+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
-+        tmf.init(ks);
-+
-+        SSLContext ctx = SSLContext.getInstance("TLS");
-+        if (keyCertStr != null && !keyCertStr.isEmpty()) {
-+            KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
-+            kmf.init(ks, passphrase);
-+
-+            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-+            ks = null;
-+        } else {
-+            ctx.init(null, tmf.getTrustManagers(), null);
-+        }
-+
-+        return ctx;
-+    }
-+
-+
-+    // use any free port by default
-+    volatile int serverPort = 0;
-+
-+    volatile Exception serverException = null;
-+    volatile Exception clientException = null;
-+
-+    public static void main(String[] args) throws Exception {
-+        if (debug)
-+            System.setProperty("javax.net.debug", "all");
-+
-+        /*
-+         * Get the customized arguments.
-+         */
-+        parseArguments(args);
-+
-+        /*
-+         * Start the tests.
-+         */
-+        new ShortRSAKey512();
-+    }
-+
-+    Thread clientThread = null;
-+    Thread serverThread = null;
-+
-+    /*
-+     * Primary constructor, used to drive remainder of the test.
-+     *
-+     * Fork off the other side, then do your work.
-+     */
-+    ShortRSAKey512() throws Exception {
-+        try {
-+            if (separateServerThread) {
-+                startServer(true);
-+                startClient(false);
-+            } else {
-+                startClient(true);
-+                startServer(false);
-+            }
-+        } catch (Exception e) {
-+            // swallow for now.  Show later
-+        }
-+
-+        /*
-+         * Wait for other side to close down.
-+         */
-+        if (separateServerThread) {
-+            serverThread.join();
-+        } else {
-+            clientThread.join();
-+        }
-+
-+        /*
-+         * When we get here, the test is pretty much over.
-+         * Which side threw the error?
-+         */
-+        Exception local;
-+        Exception remote;
-+        String whichRemote;
-+
-+        if (separateServerThread) {
-+            remote = serverException;
-+            local = clientException;
-+            whichRemote = "server";
-+        } else {
-+            remote = clientException;
-+            local = serverException;
-+            whichRemote = "client";
-+        }
-+
-+        /*
-+         * If both failed, return the curthread's exception, but also
-+         * print the remote side Exception
-+         */
-+        if ((local != null) && (remote != null)) {
-+            System.out.println(whichRemote + " also threw:");
-+            remote.printStackTrace();
-+            System.out.println();
-+            throw local;
-+        }
-+
-+        if (remote != null) {
-+            throw remote;
-+        }
-+
-+        if (local != null) {
-+            throw local;
-+        }
-+    }
-+
-+    void startServer(boolean newThread) throws Exception {
-+        if (newThread) {
-+            serverThread = new Thread() {
-+                public void run() {
-+                    try {
-+                        doServerSide();
-+                    } catch (Exception e) {
-+                        /*
-+                         * Our server thread just died.
-+                         *
-+                         * Release the client, if not active already...
-+                         */
-+                        System.err.println("Server died...");
-+                        serverReady = true;
-+                        serverException = e;
-+                    }
-+                }
-+            };
-+            serverThread.start();
-+        } else {
-+            try {
-+                doServerSide();
-+            } catch (Exception e) {
-+                serverException = e;
-+            } finally {
-+                serverReady = true;
-+            }
-+        }
-+    }
-+
-+    void startClient(boolean newThread) throws Exception {
-+        if (newThread) {
-+            clientThread = new Thread() {
-+                public void run() {
-+                    try {
-+                        doClientSide();
-+                    } catch (Exception e) {
-+                        /*
-+                         * Our client thread just died.
-+                         */
-+                        System.err.println("Client died...");
-+                        clientException = e;
-+                    }
-+                }
-+            };
-+            clientThread.start();
-+        } else {
-+            try {
-+                doClientSide();
-+            } catch (Exception e) {
-+                clientException = e;
-+            }
-+        }
-+    }
-+}
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/7170638-systemtap.patch
--- a/patches/openjdk/7170638-systemtap.patch	Wed May 04 02:55:09 2016 +0100
+++ b/patches/openjdk/7170638-systemtap.patch	Wed May 04 04:24:30 2016 +0100
@@ -10,8 +10,8 @@
 Contributed-by: Mark Wielaard 
 
 diff -Nru openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make openjdk/hotspot/make/bsd/makefiles/buildtree.make
---- openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make	2015-04-09 02:20:24.000000000 +0100
-+++ openjdk/hotspot/make/bsd/makefiles/buildtree.make	2015-07-22 03:46:03.362170724 +0100
+--- openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make	2016-05-03 23:39:23.113016118 +0100
++++ openjdk/hotspot/make/bsd/makefiles/buildtree.make	2016-05-04 00:26:06.226759102 +0100
 @@ -162,6 +162,13 @@
    endif
  endif
@@ -35,8 +35,8 @@
  	echo "# Used for platform dispatching"; \
  	echo "TARGET_DEFINES  = -DTARGET_OS_FAMILY_\$$(Platform_os_family)"; \
 diff -Nru openjdk.orig/hotspot/make/linux/makefiles/buildtree.make openjdk/hotspot/make/linux/makefiles/buildtree.make
---- openjdk.orig/hotspot/make/linux/makefiles/buildtree.make	2015-07-22 03:45:38.710600424 +0100
-+++ openjdk/hotspot/make/linux/makefiles/buildtree.make	2015-07-22 03:46:19.929881934 +0100
+--- openjdk.orig/hotspot/make/linux/makefiles/buildtree.make	2016-05-04 00:25:18.651544017 +0100
++++ openjdk/hotspot/make/linux/makefiles/buildtree.make	2016-05-04 00:26:06.226759102 +0100
 @@ -155,6 +155,13 @@
    endif
  endif
@@ -60,8 +60,8 @@
  	echo "DISTRIBUTION_ID = $(DISTRIBUTION_ID)"; \
  	echo; \
 diff -Nru openjdk.orig/hotspot/make/linux/makefiles/dtrace.make openjdk/hotspot/make/linux/makefiles/dtrace.make
---- openjdk.orig/hotspot/make/linux/makefiles/dtrace.make	2015-04-09 02:20:11.000000000 +0100
-+++ openjdk/hotspot/make/linux/makefiles/dtrace.make	2015-07-22 03:46:03.362170724 +0100
+--- openjdk.orig/hotspot/make/linux/makefiles/dtrace.make	2016-05-03 23:39:06.653287621 +0100
++++ openjdk/hotspot/make/linux/makefiles/dtrace.make	2016-05-04 00:26:06.226759102 +0100
 @@ -1,5 +1,6 @@
  #
 -# Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved.
@@ -112,8 +112,8 @@
 +# It doesn't support HAVE_DTRACE_H though.
 +
 diff -Nru openjdk.orig/hotspot/make/linux/makefiles/vm.make openjdk/hotspot/make/linux/makefiles/vm.make
---- openjdk.orig/hotspot/make/linux/makefiles/vm.make	2015-07-22 03:45:38.714600354 +0100
-+++ openjdk/hotspot/make/linux/makefiles/vm.make	2015-07-22 03:46:42.457489257 +0100
+--- openjdk.orig/hotspot/make/linux/makefiles/vm.make	2016-05-04 00:25:18.651544017 +0100
++++ openjdk/hotspot/make/linux/makefiles/vm.make	2016-05-04 00:26:06.226759102 +0100
 @@ -394,7 +394,7 @@
  
  #----------------------------------------------------------------------
@@ -124,8 +124,8 @@
  install: install_jvm install_jsig install_saproc
  
 diff -Nru openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make openjdk/hotspot/make/solaris/makefiles/buildtree.make
---- openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make	2015-04-09 02:20:13.000000000 +0100
-+++ openjdk/hotspot/make/solaris/makefiles/buildtree.make	2015-07-22 03:46:03.362170724 +0100
+--- openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make	2016-05-03 23:39:09.757236421 +0100
++++ openjdk/hotspot/make/solaris/makefiles/buildtree.make	2016-05-04 00:26:06.226759102 +0100
 @@ -147,6 +147,13 @@
    endif
  endif
@@ -149,16 +149,16 @@
  	echo; \
  	echo "# Used for platform dispatching"; \
 diff -Nru openjdk.orig/hotspot/src/share/vm/prims/jni.cpp openjdk/hotspot/src/share/vm/prims/jni.cpp
---- openjdk.orig/hotspot/src/share/vm/prims/jni.cpp	2015-04-09 02:20:26.000000000 +0100
-+++ openjdk/hotspot/src/share/vm/prims/jni.cpp	2015-07-22 03:46:03.366170655 +0100
+--- openjdk.orig/hotspot/src/share/vm/prims/jni.cpp	2016-05-03 23:59:23.705202879 +0100
++++ openjdk/hotspot/src/share/vm/prims/jni.cpp	2016-05-04 00:26:20.690520468 +0100
 @@ -1,5 +1,6 @@
  /*
-  * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+  * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 + * Copyright (c) 2012 Red Hat, Inc.
   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   *
   * This code is free software; you can redistribute it and/or modify it
-@@ -2819,10 +2820,9 @@
+@@ -2841,10 +2842,9 @@
  JNI_QUICK_ENTRY(void, jni_Set##Result##Field(JNIEnv *env, jobject obj, jfieldID fieldID, Argument value)) \
    JNIWrapper("Set" XSTR(Result) "Field"); \
  \
@@ -172,7 +172,7 @@
  \
    oop o = JNIHandles::resolve_non_null(obj); \
    klassOop k = o->klass(); \
-@@ -3129,10 +3129,9 @@
+@@ -3152,10 +3152,9 @@
  \
  JNI_ENTRY(void, jni_SetStatic##Result##Field(JNIEnv *env, jclass clazz, jfieldID fieldID, Argument value)) \
    JNIWrapper("SetStatic" XSTR(Result) "Field"); \
@@ -187,8 +187,8 @@
    JNIid* id = jfieldIDWorkaround::from_static_jfieldID(fieldID); \
    assert(id->is_static_field_id(), "invalid static field id"); \
 diff -Nru openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp openjdk/hotspot/src/share/vm/utilities/dtrace.hpp
---- openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp	2015-04-09 02:20:21.000000000 +0100
-+++ openjdk/hotspot/src/share/vm/utilities/dtrace.hpp	2015-07-22 03:46:03.366170655 +0100
+--- openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp	2016-05-03 23:39:18.405093776 +0100
++++ openjdk/hotspot/src/share/vm/utilities/dtrace.hpp	2016-05-04 00:26:06.226759102 +0100
 @@ -1,5 +1,6 @@
  /*
 - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/8006935-long_keys_in_hmac_prf.patch
--- a/patches/openjdk/8006935-long_keys_in_hmac_prf.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,41 +0,0 @@
-diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java	2014-07-14 04:24:43.000000000 +0100
-+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java	2014-10-08 23:47:13.825128435 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -181,13 +181,28 @@
-         int off = secret.length >> 1;
-         int seclen = off + (secret.length & 1);
- 
-+        byte[] secKey = secret;
-+        int keyLen = seclen;
-         byte[] output = new byte[outputLength];
- 
-         // P_MD5(S1, label + seed)
--        expand(md5, 16, secret, 0, seclen, labelBytes, seed, output);
-+        // If we have a long secret, digest it first.
-+        if (seclen > 64) {              // 64: block size of HMAC-MD5
-+            md5.update(secret, 0, seclen);
-+            secKey = md5.digest();
-+            keyLen = secKey.length;
-+        }
-+        expand(md5, 16, secKey, 0, keyLen, labelBytes, seed, output);
- 
-         // P_SHA-1(S2, label + seed)
--        expand(sha, 20, secret, off, seclen, labelBytes, seed, output);
-+        // If we have a long secret, digest it first.
-+        if (seclen > 64) {              // 64: block size of HMAC-SHA1
-+            sha.update(secret, off, seclen);
-+            secKey = sha.digest();
-+            keyLen = secKey.length;
-+            off = 0;
-+        }
-+	expand(sha, 20, secKey, off, keyLen, labelBytes, seed, output);
- 
-         return output;
-     }
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/8039921-sha1_1024plus.patch
--- a/patches/openjdk/8039921-sha1_1024plus.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,87 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1436281867 -3600
-#      Tue Jul 07 16:11:07 2015 +0100
-# Node ID 38e2f59188166b2dcc2c7655a4c4d6ad948c4c59
-# Parent  67d5d1b652e7c475140d9eabe687681c6e55b0af
-8039921, PR2468: SHA1WithDSA with key > 1024 bits not working
-Summary: Removed the key size limits for all SHAXXXWithDSA signatures
-Reviewed-by: weijun
-
-diff -r 67d5d1b652e7 -r 38e2f5918816 src/share/classes/sun/security/provider/DSA.java
---- openjdk/jdk/src/share/classes/sun/security/provider/DSA.java	Tue Jul 07 16:05:01 2015 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/provider/DSA.java	Tue Jul 07 16:11:07 2015 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -117,7 +117,6 @@
-         if (params == null) {
-             throw new InvalidKeyException("DSA private key lacks parameters");
-         }
--        checkKey(params);
- 
-         this.params = params;
-         this.presetX = priv.getX();
-@@ -149,7 +148,6 @@
-         if (params == null) {
-             throw new InvalidKeyException("DSA public key lacks parameters");
-         }
--        checkKey(params);
- 
-         this.params = params;
-         this.presetY = pub.getY();
-@@ -291,16 +289,6 @@
-         return null;
-     }
- 
--    protected void checkKey(DSAParams params) throws InvalidKeyException {
--        // FIPS186-3 states in sec4.2 that a hash function which provides
--        // a lower security strength than the (L, N) pair ordinarily should
--        // not be used.
--        int valueN = params.getQ().bitLength();
--        if (valueN > md.getDigestLength()*8) {
--            throw new InvalidKeyException("Key is too strong for this signature algorithm");
--        }
--    }
--
-     private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
-                          BigInteger k) {
-         BigInteger temp = g.modPow(k, p);
-@@ -480,14 +468,6 @@
-            }
-         }
- 
--        @Override
--        protected void checkKey(DSAParams params) throws InvalidKeyException {
--            int valueL = params.getP().bitLength();
--            if (valueL > 1024) {
--                throw new InvalidKeyException("Key is too long for this algorithm");
--            }
--        }
--
-         /*
-          * Please read bug report 4044247 for an alternative, faster,
-          * NON-FIPS approved method to generate K
-diff -r 67d5d1b652e7 -r 38e2f5918816 test/sun/security/provider/DSA/TestDSA2.java
---- openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java	Tue Jul 07 16:05:01 2015 +0100
-+++ openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java	Tue Jul 07 16:11:07 2015 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -50,7 +50,7 @@
-     public static void main(String[] args) throws Exception {
-         boolean[] expectedToPass = { true, true, true };
-         test(1024, expectedToPass);
--        boolean[] expectedToPass2 = { false, true, true };
-+        boolean[] expectedToPass2 = { true, true, true };
-         test(2048, expectedToPass2);
-     }
- 
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/8087120-zero_gcc5.patch
--- a/patches/openjdk/8087120-zero_gcc5.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1434121785 -3600
-#      Fri Jun 12 16:09:45 2015 +0100
-# Node ID b19bc5aeaa099ac73ee8341e337a007180409593
-# Parent  4ce44f68d86dcf88b27142e5ec031dec29d47d6f
-8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
-Summary: Use __builtin_frame_address(0) rather than returning address of local variable.
-Reviewed-by: dholmes
-
-diff -r 4ce44f68d86d -r b19bc5aeaa09 src/os_cpu/linux_zero/vm/os_linux_zero.cpp
---- openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp	Sun Jul 19 18:19:32 2015 +0100
-+++ openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp	Fri Jun 12 16:09:45 2015 +0100
-@@ -61,8 +61,8 @@
- #endif
- 
- address os::current_stack_pointer() {
--  address dummy = (address) &dummy;
--  return dummy;
-+  // return the address of the current function
-+  return (address)__builtin_frame_address(0);
- }
- 
- frame os::get_sender_for_C_frame(frame* fr) {
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch
--- a/patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1511 +0,0 @@
-diff -Nru openjdk.orig/jdk/make/sun/security/pkcs11/mapfile-vers openjdk/jdk/make/sun/security/pkcs11/mapfile-vers
---- openjdk.orig/jdk/make/sun/security/pkcs11/mapfile-vers	2012-05-01 22:18:01.000000000 +0100
-+++ openjdk/jdk/make/sun/security/pkcs11/mapfile-vers	2012-08-08 18:42:13.064667047 +0100
-@@ -1,5 +1,5 @@
- #
--# Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
-+# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
- # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- #
- # This code is free software; you can redistribute it and/or modify it
-@@ -47,8 +47,8 @@
- 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession;
- #		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions;
- 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo;
--#		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
--#		Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
-+		Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState;
-+		Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState;
- 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login;
- 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout;
- 		Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java	2012-05-01 22:18:26.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java	2012-08-08 18:42:13.076667253 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -49,13 +49,12 @@
-  * @author  Andreas Sterbenz
-  * @since   1.5
-  */
--final class P11Digest extends MessageDigestSpi {
-+final class P11Digest extends MessageDigestSpi implements Cloneable {
- 
--    /* unitialized, fields uninitialized, no session acquired */
-+    /* fields initialized, no session acquired */
-     private final static int S_BLANK    = 1;
- 
--    // data in buffer, all fields valid, session acquired
--    // but digest not initialized
-+    /* data in buffer, session acquired, but digest not initialized */
-     private final static int S_BUFFERED = 2;
- 
-     /* session initialized for digesting */
-@@ -69,8 +68,8 @@
-     // algorithm name
-     private final String algorithm;
- 
--    // mechanism id
--    private final long mechanism;
-+    // mechanism id object
-+    private final CK_MECHANISM mechanism;
- 
-     // length of the digest in bytes
-     private final int digestLength;
-@@ -81,11 +80,8 @@
-     // current state, one of S_* above
-     private int state;
- 
--    // one byte buffer for the update(byte) method, initialized on demand
--    private byte[] oneByte;
--
-     // buffer to reduce number of JNI calls
--    private final byte[] buffer;
-+    private byte[] buffer;
- 
-     // offset into the buffer
-     private int bufOfs;
-@@ -94,7 +90,7 @@
-         super();
-         this.token = token;
-         this.algorithm = algorithm;
--        this.mechanism = mechanism;
-+        this.mechanism = new CK_MECHANISM(mechanism);
-         switch ((int)mechanism) {
-         case (int)CKM_MD2:
-         case (int)CKM_MD5:
-@@ -117,7 +113,6 @@
-         }
-         buffer = new byte[BUFFER_SIZE];
-         state = S_BLANK;
--        engineReset();
-     }
- 
-     // see JCA spec
-@@ -125,44 +120,31 @@
-         return digestLength;
-     }
- 
--    private void cancelOperation() {
--        token.ensureValid();
--        if (session == null) {
--            return;
--        }
--        if ((state != S_INIT) || (token.explicitCancel == false)) {
--            return;
--        }
--        // need to explicitly "cancel" active op by finishing it
--        try {
--            token.p11.C_DigestFinal(session.id(), buffer, 0, buffer.length);
--        } catch (PKCS11Exception e) {
--            throw new ProviderException("cancel() failed", e);
--        } finally {
--            state = S_BUFFERED;
--        }
--    }
--
-     private void fetchSession() {
-         token.ensureValid();
-         if (state == S_BLANK) {
--            engineReset();
-+            try {
-+                session = token.getOpSession();
-+                state = S_BUFFERED;
-+            } catch (PKCS11Exception e) {
-+                throw new ProviderException("No more session available", e);
-+            }
-         }
-     }
- 
-     // see JCA spec
-     protected void engineReset() {
--        try {
--            cancelOperation();
--            bufOfs = 0;
--            if (session == null) {
--                session = token.getOpSession();
-+        token.ensureValid();
-+
-+        if (session != null) {
-+            if (state == S_INIT && token.explicitCancel == true) {
-+                session = token.killSession(session);
-+            } else {
-+                session = token.releaseSession(session);
-             }
--            state = S_BUFFERED;
--        } catch (PKCS11Exception e) {
--            state = S_BLANK;
--            throw new ProviderException("reset() failed, ", e);
-         }
-+        state = S_BLANK;
-+        bufOfs = 0;
-     }
- 
-     // see JCA spec
-@@ -180,18 +162,22 @@
-     protected int engineDigest(byte[] digest, int ofs, int len)
-             throws DigestException {
-         if (len < digestLength) {
--            throw new DigestException("Length must be at least " + digestLength);
-+            throw new DigestException("Length must be at least " +
-+                    digestLength);
-         }
-+
-         fetchSession();
-         try {
-             int n;
-             if (state == S_BUFFERED) {
--                n = token.p11.C_DigestSingle(session.id(),
--                        new CK_MECHANISM(mechanism),
--                        buffer, 0, bufOfs, digest, ofs, len);
-+                n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0,
-+                        bufOfs, digest, ofs, len);
-+                bufOfs = 0;
-             } else {
-                 if (bufOfs != 0) {
--                    doUpdate(buffer, 0, bufOfs);
-+                    token.p11.C_DigestUpdate(session.id(), 0, buffer, 0,
-+                            bufOfs);
-+                    bufOfs = 0;
-                 }
-                 n = token.p11.C_DigestFinal(session.id(), digest, ofs, len);
-             }
-@@ -202,36 +188,44 @@
-         } catch (PKCS11Exception e) {
-             throw new ProviderException("digest() failed", e);
-         } finally {
--            state = S_BLANK;
--            bufOfs = 0;
--            session = token.releaseSession(session);
-+            engineReset();
-         }
-     }
- 
-     // see JCA spec
-     protected void engineUpdate(byte in) {
--        if (oneByte == null) {
--            oneByte = new byte[1];
--        }
--        oneByte[0] = in;
--        engineUpdate(oneByte, 0, 1);
-+        byte[] temp = { in };
-+        engineUpdate(temp, 0, 1);
-     }
- 
-     // see JCA spec
-     protected void engineUpdate(byte[] in, int ofs, int len) {
--        fetchSession();
-         if (len <= 0) {
-             return;
-         }
--        if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
--            doUpdate(buffer, 0, bufOfs);
--            bufOfs = 0;
--        }
--        if (bufOfs + len > buffer.length) {
--            doUpdate(in, ofs, len);
--        } else {
--            System.arraycopy(in, ofs, buffer, bufOfs, len);
--            bufOfs += len;
-+
-+        fetchSession();
-+        try {
-+            if (state == S_BUFFERED) {
-+                token.p11.C_DigestInit(session.id(), mechanism);
-+                state = S_INIT;
-+            }
-+            if ((bufOfs != 0) && (bufOfs + len > buffer.length)) {
-+                // process the buffered data
-+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
-+                bufOfs = 0;
-+            }
-+            if (bufOfs + len > buffer.length) {
-+                // process the new data
-+                token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
-+             } else {
-+                // buffer the new data
-+                System.arraycopy(in, ofs, buffer, bufOfs, len);
-+                bufOfs += len;
-+            }
-+        } catch (PKCS11Exception e) {
-+            engineReset();
-+            throw new ProviderException("update() failed", e);
-         }
-     }
- 
-@@ -239,11 +233,7 @@
-     // the master secret is sensitive. We may want to consider making this
-     // method public in a future release.
-     protected void implUpdate(SecretKey key) throws InvalidKeyException {
--        fetchSession();
--        if (bufOfs != 0) {
--            doUpdate(buffer, 0, bufOfs);
--            bufOfs = 0;
--        }
-+
-         // SunJSSE calls this method only if the key does not have a RAW
-         // encoding, i.e. if it is sensitive. Therefore, no point in calling
-         // SecretKeyFactory to try to convert it. Just verify it ourselves.
-@@ -252,60 +242,77 @@
-         }
-         P11Key p11Key = (P11Key)key;
-         if (p11Key.token != token) {
--            throw new InvalidKeyException("Not a P11Key of this provider: " + key);
-+            throw new InvalidKeyException("Not a P11Key of this provider: " +
-+                    key);
-         }
-+
-+        fetchSession();
-         try {
-             if (state == S_BUFFERED) {
--                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
-+                token.p11.C_DigestInit(session.id(), mechanism);
-                 state = S_INIT;
-             }
-+
-+            if (bufOfs != 0) {
-+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
-+                bufOfs = 0;
-+            }
-             token.p11.C_DigestKey(session.id(), p11Key.keyID);
-         } catch (PKCS11Exception e) {
-+            engineReset();
-             throw new ProviderException("update(SecretKey) failed", e);
-         }
-     }
- 
-     // see JCA spec
-     protected void engineUpdate(ByteBuffer byteBuffer) {
--        fetchSession();
-         int len = byteBuffer.remaining();
-         if (len <= 0) {
-             return;
-         }
-+
-         if (byteBuffer instanceof DirectBuffer == false) {
-             super.engineUpdate(byteBuffer);
-             return;
-         }
-+
-+        fetchSession();
-         long addr = ((DirectBuffer)byteBuffer).address();
-         int ofs = byteBuffer.position();
-         try {
-             if (state == S_BUFFERED) {
--                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
-+                token.p11.C_DigestInit(session.id(), mechanism);
-                 state = S_INIT;
--                if (bufOfs != 0) {
--                    doUpdate(buffer, 0, bufOfs);
--                    bufOfs = 0;
--                }
-+            }
-+            if (bufOfs != 0) {
-+                token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
-+                bufOfs = 0;
-             }
-             token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len);
-             byteBuffer.position(ofs + len);
-         } catch (PKCS11Exception e) {
-+            engineReset();
-             throw new ProviderException("update() failed", e);
-         }
-     }
- 
--    private void doUpdate(byte[] in, int ofs, int len) {
--        if (len <= 0) {
--            return;
--        }
-+    public Object clone() throws CloneNotSupportedException {
-+        P11Digest copy = (P11Digest) super.clone();
-+        copy.buffer = buffer.clone();
-         try {
--            if (state == S_BUFFERED) {
--                token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism));
--                state = S_INIT;
-+            if (session != null) {
-+                copy.session = copy.token.getOpSession();
-+            }
-+            if (state == S_INIT) {
-+                byte[] stateValues =
-+                    token.p11.C_GetOperationState(session.id());
-+                token.p11.C_SetOperationState(copy.session.id(),
-+                                              stateValues, 0, 0);
-             }
--            token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len);
-         } catch (PKCS11Exception e) {
--            throw new ProviderException("update() failed", e);
-+            throw (CloneNotSupportedException)
-+                (new CloneNotSupportedException(algorithm).initCause(e));
-         }
-+        return copy;
-     }
- }
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java	2012-05-01 22:18:26.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java	2012-08-08 18:42:13.080667322 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -133,14 +133,15 @@
-      * @preconditions (pkcs11ModulePath <> null)
-      * @postconditions
-      */
--    PKCS11(String pkcs11ModulePath, String functionListName) throws IOException {
-+    PKCS11(String pkcs11ModulePath, String functionListName)
-+            throws IOException {
-         connect(pkcs11ModulePath, functionListName);
-         this.pkcs11ModulePath = pkcs11ModulePath;
-     }
- 
--    public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList,
--            CK_C_INITIALIZE_ARGS pInitArgs, boolean omitInitialize)
--            throws IOException, PKCS11Exception {
-+    public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
-+            String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
-+            boolean omitInitialize) throws IOException, PKCS11Exception {
-         // we may only call C_Initialize once per native .so/.dll
-         // so keep a cache using the (non-canonicalized!) path
-         PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
-@@ -177,7 +178,8 @@
-      * @preconditions (pkcs11ModulePath <> null)
-      * @postconditions
-      */
--    private native void connect(String pkcs11ModulePath, String functionListName) throws IOException;
-+    private native void connect(String pkcs11ModulePath, String functionListName)
-+            throws IOException;
- 
-     /**
-      * Disconnects the PKCS#11 library from this object. After calling this
-@@ -255,7 +257,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native long[] C_GetSlotList(boolean tokenPresent) throws PKCS11Exception;
-+    public native long[] C_GetSlotList(boolean tokenPresent)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -287,7 +290,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native CK_TOKEN_INFO C_GetTokenInfo(long slotID) throws PKCS11Exception;
-+    public native CK_TOKEN_INFO C_GetTokenInfo(long slotID)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -322,7 +326,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) throws PKCS11Exception;
-+    public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -339,7 +344,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native void C_InitToken(long slotID, char[] pPin, char[] pLabel) throws PKCS11Exception;
-+//    public native void C_InitToken(long slotID, char[] pPin, char[] pLabel)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -354,7 +360,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native void C_InitPIN(long hSession, char[] pPin) throws PKCS11Exception;
-+//    public native void C_InitPIN(long hSession, char[] pPin)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -371,7 +378,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin) throws PKCS11Exception;
-+//    public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin)
-+//            throws PKCS11Exception;
- 
- 
- 
-@@ -398,7 +406,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native long C_OpenSession(long slotID, long flags, Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception;
-+    public native long C_OpenSession(long slotID, long flags,
-+            Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception;
- 
- 
-     /**
-@@ -440,7 +449,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native CK_SESSION_INFO C_GetSessionInfo(long hSession) throws PKCS11Exception;
-+    public native CK_SESSION_INFO C_GetSessionInfo(long hSession)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -457,7 +467,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--//    public native byte[] C_GetOperationState(long hSession) throws PKCS11Exception;
-+    public native byte[] C_GetOperationState(long hSession)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -478,7 +489,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native void C_SetOperationState(long hSession, byte[] pOperationState, long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception;
-+    public native void C_SetOperationState(long hSession, byte[] pOperationState,
-+            long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -495,7 +507,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_Login(long hSession, long userType, char[] pPin) throws PKCS11Exception;
-+    public native void C_Login(long hSession, long userType, char[] pPin)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -531,7 +544,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -552,7 +566,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native long C_CopyObject(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native long C_CopyObject(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
- 
- 
-     /**
-@@ -567,7 +582,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_DestroyObject(long hSession, long hObject) throws PKCS11Exception;
-+    public native void C_DestroyObject(long hSession, long hObject)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -584,7 +600,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native long C_GetObjectSize(long hSession, long hObject) throws PKCS11Exception;
-+//    public native long C_GetObjectSize(long hSession, long hObject)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -604,7 +621,8 @@
-      * @preconditions (pTemplate <> null)
-      * @postconditions (result <> null)
-      */
--    public native void C_GetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native void C_GetAttributeValue(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
- 
- 
-     /**
-@@ -623,7 +641,8 @@
-      * @preconditions (pTemplate <> null)
-      * @postconditions
-      */
--    public native void C_SetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native void C_SetAttributeValue(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
- 
- 
-     /**
-@@ -640,7 +659,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -659,7 +679,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native long[] C_FindObjects(long hSession, long ulMaxObjectCount) throws PKCS11Exception;
-+    public native long[] C_FindObjects(long hSession, long ulMaxObjectCount)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -695,7 +716,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -713,7 +735,8 @@
-      * @preconditions (pData <> null)
-      * @postconditions (result <> null)
-      */
--    public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen,
-+            byte[] out, int outOfs, int outLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -732,7 +755,9 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--    public native int C_EncryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_EncryptUpdate(long hSession, long directIn, byte[] in,
-+            int inOfs, int inLen, long directOut, byte[] out, int outOfs,
-+            int outLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -749,7 +774,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native int C_EncryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_EncryptFinal(long hSession, long directOut, byte[] out,
-+            int outOfs, int outLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -766,7 +792,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -785,7 +812,8 @@
-      * @preconditions (pEncryptedPart <> null)
-      * @postconditions (result <> null)
-      */
--    public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen,
-+            byte[] out, int outOfs, int outLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -805,7 +833,9 @@
-      * @preconditions (pEncryptedPart <> null)
-      * @postconditions
-      */
--    public native int C_DecryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_DecryptUpdate(long hSession, long directIn, byte[] in,
-+            int inOfs, int inLen, long directOut, byte[] out, int outOfs,
-+            int outLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -822,7 +852,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native int C_DecryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception;
-+    public native int C_DecryptFinal(long hSession, long directOut, byte[] out,
-+            int outOfs, int outLen) throws PKCS11Exception;
- 
- 
- 
-@@ -842,7 +873,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism) throws PKCS11Exception;
-+    public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism)
-+            throws PKCS11Exception;
- 
- 
-     // note that C_DigestSingle does not exist in PKCS#11
-@@ -863,7 +895,9 @@
-      * @preconditions (data <> null)
-      * @postconditions (result <> null)
-      */
--    public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception;
-+    public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism,
-+            byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs,
-+            int digestLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -879,7 +913,8 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--    public native void C_DigestUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception;
-+    public native void C_DigestUpdate(long hSession, long directIn, byte[] in,
-+            int inOfs, int inLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -896,7 +931,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_DigestKey(long hSession, long hKey) throws PKCS11Exception;
-+    public native void C_DigestKey(long hSession, long hKey)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -912,7 +948,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, int digestLen) throws PKCS11Exception;
-+    public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs,
-+            int digestLen) throws PKCS11Exception;
- 
- 
- 
-@@ -937,7 +974,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_SignInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_SignInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -957,7 +995,8 @@
-      * @preconditions (pData <> null)
-      * @postconditions (result <> null)
-      */
--    public native byte[] C_Sign(long hSession, byte[] pData) throws PKCS11Exception;
-+    public native byte[] C_Sign(long hSession, byte[] pData)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -974,7 +1013,8 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--    public native void C_SignUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception;
-+    public native void C_SignUpdate(long hSession, long directIn, byte[] in,
-+            int inOfs, int inLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -991,7 +1031,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native byte[] C_SignFinal(long hSession, int expectedLen) throws PKCS11Exception;
-+    public native byte[] C_SignFinal(long hSession, int expectedLen)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1009,7 +1050,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1028,7 +1070,9 @@
-      * @preconditions (pData <> null)
-      * @postconditions (result <> null)
-      */
--    public native int C_SignRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception;
-+    public native int C_SignRecover(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOufs, int outLen)
-+            throws PKCS11Exception;
- 
- 
- 
-@@ -1052,7 +1096,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1071,7 +1116,8 @@
-      * @preconditions (pData <> null) and (pSignature <> null)
-      * @postconditions
-      */
--    public native void C_Verify(long hSession, byte[] pData, byte[] pSignature) throws PKCS11Exception;
-+    public native void C_Verify(long hSession, byte[] pData, byte[] pSignature)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1088,7 +1134,8 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--    public native void C_VerifyUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception;
-+    public native void C_VerifyUpdate(long hSession, long directIn, byte[] in,
-+            int inOfs, int inLen) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1104,7 +1151,8 @@
-      * @preconditions (pSignature <> null)
-      * @postconditions
-      */
--    public native void C_VerifyFinal(long hSession, byte[] pSignature) throws PKCS11Exception;
-+    public native void C_VerifyFinal(long hSession, byte[] pSignature)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1122,7 +1170,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native void C_VerifyRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
-+    public native void C_VerifyRecoverInit(long hSession,
-+            CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1140,7 +1189,9 @@
-      * @preconditions (pSignature <> null)
-      * @postconditions (result <> null)
-      */
--    public native int C_VerifyRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception;
-+    public native int C_VerifyRecover(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOufs, int outLen)
-+            throws PKCS11Exception;
- 
- 
- 
-@@ -1164,7 +1215,8 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--//    public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart) throws PKCS11Exception;
-+//    public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1184,7 +1236,8 @@
-      * @preconditions (pEncryptedPart <> null)
-      * @postconditions
-      */
--//    public native byte[] C_DecryptDigestUpdate(long hSession, byte[] pEncryptedPart) throws PKCS11Exception;
-+//    public native byte[] C_DecryptDigestUpdate(long hSession,
-+//            byte[] pEncryptedPart) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1204,7 +1257,8 @@
-      * @preconditions (pPart <> null)
-      * @postconditions
-      */
--//    public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart) throws PKCS11Exception;
-+//    public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1224,7 +1278,8 @@
-      * @preconditions (pEncryptedPart <> null)
-      * @postconditions
-      */
--//    public native byte[] C_DecryptVerifyUpdate(long hSession, byte[] pEncryptedPart) throws PKCS11Exception;
-+//    public native byte[] C_DecryptVerifyUpdate(long hSession,
-+//            byte[] pEncryptedPart) throws PKCS11Exception;
- 
- 
- 
-@@ -1250,7 +1305,8 @@
-      * @preconditions
-      * @postconditions
-      */
--    public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+    public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1280,9 +1336,8 @@
-      * @postconditions (result <> null) and (result.length == 2)
-      */
-     public native long[] C_GenerateKeyPair(long hSession,
--                                   CK_MECHANISM pMechanism,
--                                   CK_ATTRIBUTE[] pPublicKeyTemplate,
--                                   CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception;
-+            CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate,
-+            CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception;
- 
- 
- 
-@@ -1305,7 +1360,8 @@
-      * @preconditions
-      * @postconditions (result <> null)
-      */
--    public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, long hWrappingKey, long hKey) throws PKCS11Exception;
-+    public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism,
-+            long hWrappingKey, long hKey) throws PKCS11Exception;
- 
- 
-     /**
-@@ -1331,8 +1387,8 @@
-      * @postconditions
-      */
-     public native long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism,
--                          long hUnwrappingKey, byte[] pWrappedKey,
--                          CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+            long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1356,7 +1412,7 @@
-      * @postconditions
-      */
-     public native long C_DeriveKey(long hSession, CK_MECHANISM pMechanism,
--                          long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
-+            long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception;
- 
- 
- 
-@@ -1377,7 +1433,8 @@
-      * @preconditions (pSeed <> null)
-      * @postconditions
-      */
--    public native void C_SeedRandom(long hSession, byte[] pSeed) throws PKCS11Exception;
-+    public native void C_SeedRandom(long hSession, byte[] pSeed)
-+            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1393,7 +1450,8 @@
-      * @preconditions (randomData <> null)
-      * @postconditions
-      */
--    public native void C_GenerateRandom(long hSession, byte[] randomData) throws PKCS11Exception;
-+    public native void C_GenerateRandom(long hSession, byte[] randomData)
-+            throws PKCS11Exception;
- 
- 
- 
-@@ -1413,7 +1471,8 @@
-      * @preconditions
-      * @postconditions
-      */
--//    public native void C_GetFunctionStatus(long hSession) throws PKCS11Exception;
-+//    public native void C_GetFunctionStatus(long hSession)
-+//            throws PKCS11Exception;
- 
- 
-     /**
-@@ -1450,7 +1509,8 @@
-      * @preconditions (pRserved == null)
-      * @postconditions
-      */
--//    public native long C_WaitForSlotEvent(long flags, Object pRserved) throws PKCS11Exception;
-+//    public native long C_WaitForSlotEvent(long flags, Object pRserved)
-+//            throws PKCS11Exception;
- 
-     /**
-      * Returns the string representation of this object.
-@@ -1476,7 +1536,8 @@
- // parent. Used for tokens that only support single threaded access
- static class SynchronizedPKCS11 extends PKCS11 {
- 
--    SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) throws IOException {
-+    SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
-+            throws IOException {
-         super(pkcs11ModulePath, functionListName);
-     }
- 
-@@ -1484,7 +1545,8 @@
-         super.C_Initialize(pInitArgs);
-     }
- 
--    public synchronized void C_Finalize(Object pReserved) throws PKCS11Exception {
-+    public synchronized void C_Finalize(Object pReserved)
-+            throws PKCS11Exception {
-         super.C_Finalize(pReserved);
-     }
- 
-@@ -1492,39 +1554,48 @@
-         return super.C_GetInfo();
-     }
- 
--    public synchronized long[] C_GetSlotList(boolean tokenPresent) throws PKCS11Exception {
-+    public synchronized long[] C_GetSlotList(boolean tokenPresent)
-+            throws PKCS11Exception {
-         return super.C_GetSlotList(tokenPresent);
-     }
- 
--    public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID) throws PKCS11Exception {
-+    public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID)
-+            throws PKCS11Exception {
-         return super.C_GetSlotInfo(slotID);
-     }
- 
--    public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID) throws PKCS11Exception {
-+    public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID)
-+            throws PKCS11Exception {
-         return super.C_GetTokenInfo(slotID);
-     }
- 
--    public synchronized long[] C_GetMechanismList(long slotID) throws PKCS11Exception {
-+    public synchronized long[] C_GetMechanismList(long slotID)
-+            throws PKCS11Exception {
-         return super.C_GetMechanismList(slotID);
-     }
- 
--    public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) throws PKCS11Exception {
-+    public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID,
-+            long type) throws PKCS11Exception {
-         return super.C_GetMechanismInfo(slotID, type);
-     }
- 
--    public synchronized long C_OpenSession(long slotID, long flags, Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception {
-+    public synchronized long C_OpenSession(long slotID, long flags,
-+            Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception {
-         return super.C_OpenSession(slotID, flags, pApplication, Notify);
-     }
- 
--    public synchronized void C_CloseSession(long hSession) throws PKCS11Exception {
-+    public synchronized void C_CloseSession(long hSession)
-+            throws PKCS11Exception {
-         super.C_CloseSession(hSession);
-     }
- 
--    public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession) throws PKCS11Exception {
-+    public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession)
-+            throws PKCS11Exception {
-         return super.C_GetSessionInfo(hSession);
-     }
- 
--    public synchronized void C_Login(long hSession, long userType, char[] pPin) throws PKCS11Exception {
-+    public synchronized void C_Login(long hSession, long userType, char[] pPin)
-+            throws PKCS11Exception {
-         super.C_Login(hSession, userType, pPin);
-     }
- 
-@@ -1532,157 +1603,207 @@
-         super.C_Logout(hSession);
-     }
- 
--    public synchronized long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized long C_CreateObject(long hSession,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-         return super.C_CreateObject(hSession, pTemplate);
-     }
- 
--    public synchronized long C_CopyObject(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized long C_CopyObject(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-         return super.C_CopyObject(hSession, hObject, pTemplate);
-     }
- 
--    public synchronized void C_DestroyObject(long hSession, long hObject) throws PKCS11Exception {
-+    public synchronized void C_DestroyObject(long hSession, long hObject)
-+            throws PKCS11Exception {
-         super.C_DestroyObject(hSession, hObject);
-     }
- 
--    public synchronized void C_GetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized void C_GetAttributeValue(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-         super.C_GetAttributeValue(hSession, hObject, pTemplate);
-     }
- 
--    public synchronized void C_SetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized void C_SetAttributeValue(long hSession, long hObject,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-         super.C_SetAttributeValue(hSession, hObject, pTemplate);
-     }
- 
--    public synchronized void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized void C_FindObjectsInit(long hSession,
-+            CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-         super.C_FindObjectsInit(hSession, pTemplate);
-     }
- 
--    public synchronized long[] C_FindObjects(long hSession, long ulMaxObjectCount) throws PKCS11Exception {
-+    public synchronized long[] C_FindObjects(long hSession,
-+            long ulMaxObjectCount) throws PKCS11Exception {
-         return super.C_FindObjects(hSession, ulMaxObjectCount);
-     }
- 
--    public synchronized void C_FindObjectsFinal(long hSession) throws PKCS11Exception {
-+    public synchronized void C_FindObjectsFinal(long hSession)
-+            throws PKCS11Exception {
-         super.C_FindObjectsFinal(hSession);
-     }
- 
--    public synchronized void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_EncryptInit(long hSession,
-+            CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-         super.C_EncryptInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-+    public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOfs, int outLen)
-+            throws PKCS11Exception {
-         return super.C_Encrypt(hSession, in, inOfs, inLen, out, outOfs, outLen);
-     }
- 
--    public synchronized int C_EncryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
--        return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen, directOut, out, outOfs, outLen);
-+    public synchronized int C_EncryptUpdate(long hSession, long directIn,
-+            byte[] in, int inOfs, int inLen, long directOut, byte[] out,
-+            int outOfs, int outLen) throws PKCS11Exception {
-+        return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen,
-+                directOut, out, outOfs, outLen);
-     }
- 
--    public synchronized int C_EncryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-+    public synchronized int C_EncryptFinal(long hSession, long directOut,
-+            byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-         return super.C_EncryptFinal(hSession, directOut, out, outOfs, outLen);
-     }
- 
--    public synchronized void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_DecryptInit(long hSession,
-+            CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-         super.C_DecryptInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-+    public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOfs, int outLen)
-+            throws PKCS11Exception {
-         return super.C_Decrypt(hSession, in, inOfs, inLen, out, outOfs, outLen);
-     }
- 
--    public synchronized int C_DecryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
--        return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen, directOut, out, outOfs, outLen);
-+    public synchronized int C_DecryptUpdate(long hSession, long directIn,
-+            byte[] in, int inOfs, int inLen, long directOut, byte[] out,
-+            int outOfs, int outLen) throws PKCS11Exception {
-+        return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen,
-+                directOut, out, outOfs, outLen);
-     }
- 
--    public synchronized int C_DecryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-+    public synchronized int C_DecryptFinal(long hSession, long directOut,
-+            byte[] out, int outOfs, int outLen) throws PKCS11Exception {
-         return super.C_DecryptFinal(hSession, directOut, out, outOfs, outLen);
-     }
- 
--    public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism) throws PKCS11Exception {
-+    public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism)
-+            throws PKCS11Exception {
-         super.C_DigestInit(hSession, pMechanism);
-     }
- 
--    public synchronized int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception {
--        return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen, digest, digestOfs, digestLen);
-+    public synchronized int C_DigestSingle(long hSession,
-+            CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen,
-+            byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception {
-+        return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen,
-+                digest, digestOfs, digestLen);
-     }
- 
--    public synchronized void C_DigestUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-+    public synchronized void C_DigestUpdate(long hSession, long directIn,
-+            byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-         super.C_DigestUpdate(hSession, directIn, in, inOfs, inLen);
-     }
- 
--    public synchronized void C_DigestKey(long hSession, long hKey) throws PKCS11Exception {
-+    public synchronized void C_DigestKey(long hSession, long hKey)
-+            throws PKCS11Exception {
-         super.C_DigestKey(hSession, hKey);
-     }
- 
--    public synchronized int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, int digestLen) throws PKCS11Exception {
-+    public synchronized int C_DigestFinal(long hSession, byte[] pDigest,
-+            int digestOfs, int digestLen) throws PKCS11Exception {
-         return super.C_DigestFinal(hSession, pDigest, digestOfs, digestLen);
-     }
- 
--    public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception {
-         super.C_SignInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized byte[] C_Sign(long hSession, byte[] pData) throws PKCS11Exception {
-+    public synchronized byte[] C_Sign(long hSession, byte[] pData)
-+            throws PKCS11Exception {
-         return super.C_Sign(hSession, pData);
-     }
- 
--    public synchronized void C_SignUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-+    public synchronized void C_SignUpdate(long hSession, long directIn,
-+            byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-         super.C_SignUpdate(hSession, directIn, in, inOfs, inLen);
-     }
- 
--    public synchronized byte[] C_SignFinal(long hSession, int expectedLen) throws PKCS11Exception {
-+    public synchronized byte[] C_SignFinal(long hSession, int expectedLen)
-+            throws PKCS11Exception {
-         return super.C_SignFinal(hSession, expectedLen);
-     }
- 
--    public synchronized void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_SignRecoverInit(long hSession,
-+            CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-         super.C_SignRecoverInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception {
--        return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs, outLen);
-+    public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOufs, int outLen)
-+            throws PKCS11Exception {
-+        return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs,
-+                outLen);
-     }
- 
--    public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism,
-+            long hKey) throws PKCS11Exception {
-         super.C_VerifyInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized void C_Verify(long hSession, byte[] pData, byte[] pSignature) throws PKCS11Exception {
-+    public synchronized void C_Verify(long hSession, byte[] pData,
-+            byte[] pSignature) throws PKCS11Exception {
-         super.C_Verify(hSession, pData, pSignature);
-     }
- 
--    public synchronized void C_VerifyUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-+    public synchronized void C_VerifyUpdate(long hSession, long directIn,
-+            byte[] in, int inOfs, int inLen) throws PKCS11Exception {
-         super.C_VerifyUpdate(hSession, directIn, in, inOfs, inLen);
-     }
- 
--    public synchronized void C_VerifyFinal(long hSession, byte[] pSignature) throws PKCS11Exception {
-+    public synchronized void C_VerifyFinal(long hSession, byte[] pSignature)
-+            throws PKCS11Exception {
-         super.C_VerifyFinal(hSession, pSignature);
-     }
- 
--    public synchronized void C_VerifyRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-+    public synchronized void C_VerifyRecoverInit(long hSession,
-+            CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception {
-         super.C_VerifyRecoverInit(hSession, pMechanism, hKey);
-     }
- 
--    public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception {
--        return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs, outLen);
-+    public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs,
-+            int inLen, byte[] out, int outOufs, int outLen)
-+            throws PKCS11Exception {
-+        return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs,
-+                outLen);
-     }
- 
--    public synchronized long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
-+    public synchronized long C_GenerateKey(long hSession,
-+            CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate)
-+            throws PKCS11Exception {
-         return super.C_GenerateKey(hSession, pMechanism, pTemplate);
-     }
- 
-     public synchronized long[] C_GenerateKeyPair(long hSession,
--                                   CK_MECHANISM pMechanism,
--                                   CK_ATTRIBUTE[] pPublicKeyTemplate,
--                                   CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception {
--        return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, pPrivateKeyTemplate);
-+            CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate,
-+            CK_ATTRIBUTE[] pPrivateKeyTemplate)
-+            throws PKCS11Exception {
-+        return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate,
-+                pPrivateKeyTemplate);
-     }
- 
--    public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, long hWrappingKey, long hKey) throws PKCS11Exception {
-+    public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism,
-+            long hWrappingKey, long hKey) throws PKCS11Exception {
-         return super.C_WrapKey(hSession, pMechanism, hWrappingKey, hKey);
-     }
- 
-     public synchronized long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism,
--                          long hUnwrappingKey, byte[] pWrappedKey,
--                          CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
--        return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey, pTemplate);
-+            long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate)
-+            throws PKCS11Exception {
-+        return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey,
-+                pWrappedKey, pTemplate);
-     }
- 
-     public synchronized long C_DeriveKey(long hSession, CK_MECHANISM pMechanism,
-@@ -1690,14 +1811,14 @@
-         return super.C_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate);
-     }
- 
--    public synchronized void C_SeedRandom(long hSession, byte[] pSeed) throws PKCS11Exception {
-+    public synchronized void C_SeedRandom(long hSession, byte[] pSeed)
-+            throws PKCS11Exception {
-         super.C_SeedRandom(hSession, pSeed);
-     }
- 
--    public synchronized void C_GenerateRandom(long hSession, byte[] randomData) throws PKCS11Exception {
-+    public synchronized void C_GenerateRandom(long hSession, byte[] randomData)
-+            throws PKCS11Exception {
-         super.C_GenerateRandom(hSession, randomData);
-     }
--
- }
--
- }
-diff -Nru openjdk.orig/jdk/src/share/lib/security/sunpkcs11-solaris.cfg openjdk/jdk/src/share/lib/security/sunpkcs11-solaris.cfg
---- openjdk.orig/jdk/src/share/lib/security/sunpkcs11-solaris.cfg	2012-05-01 22:18:31.000000000 +0100
-+++ openjdk/jdk/src/share/lib/security/sunpkcs11-solaris.cfg	2012-08-08 18:44:13.570735299 +0100
-@@ -14,17 +14,22 @@
- attributes = compatibility
- 
- disabledMechanisms = {
-+  CKM_DSA_KEY_PAIR_GEN
-+# the following mechanisms are disabled due to CKR_SAVED_STATE_INVALID bug
-+# (Solaris bug 7058108)
-   CKM_MD2
-   CKM_MD5
-   CKM_SHA_1
-+# the following mechanisms are disabled due to no cloning support
-+# (Solaris bug 7050617)
-   CKM_SHA256
-   CKM_SHA384
-   CKM_SHA512
--  CKM_DSA_KEY_PAIR_GEN
- # KEY_AND_MAC_DERIVE disabled due to Solaris bug 6306708
-   CKM_SSL3_KEY_AND_MAC_DERIVE
-   CKM_TLS_KEY_AND_MAC_DERIVE
--# the following mechanisms are disabled due to performance issues (Solaris bug 6337157)
-+# the following mechanisms are disabled due to performance issues
-+# (Solaris bug 6337157)
-   CKM_DSA_SHA1
-   CKM_MD5_RSA_PKCS
-   CKM_SHA1_RSA_PKCS
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2012-08-08 18:39:27.921768411 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2012-08-08 18:42:13.080667322 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -96,8 +96,8 @@
- #define P11_ENABLE_C_CLOSESESSION
- #undef  P11_ENABLE_C_CLOSEALLSESSIONS
- #define P11_ENABLE_C_GETSESSIONINFO
--#undef  P11_ENABLE_C_GETOPERATIONSTATE
--#undef  P11_ENABLE_C_SETOPERATIONSTATE
-+#define P11_ENABLE_C_GETOPERATIONSTATE
-+#define P11_ENABLE_C_SETOPERATIONSTATE
- #define P11_ENABLE_C_LOGIN
- #define P11_ENABLE_C_LOGOUT
- #define P11_ENABLE_C_CREATEOBJECT
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java openjdk/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java	2012-08-08 18:42:13.080667322 +0100
-@@ -0,0 +1,141 @@
-+/*
-+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/**
-+ * @test
-+ * @bug 6414899
-+ * @summary Ensure the cloning functionality works.
-+ * @author Valerie Peng
-+ * @library ..
-+ */
-+
-+import java.util.*;
-+
-+import java.security.*;
-+
-+public class TestCloning extends PKCS11Test {
-+
-+    private static final String[] ALGOS = {
-+        "MD2", "MD5", "SHA1", "SHA-256", "SHA-384", "SHA-512"
-+    };
-+
-+    public static void main(String[] args) throws Exception {
-+        main(new TestCloning());
-+    }
-+
-+    private static final byte[] data1 = new byte[10];
-+    private static final byte[] data2 = new byte[10*1024];
-+
-+
-+    public void main(Provider p) throws Exception {
-+        Random r = new Random();
-+        byte[] data1 = new byte[10];
-+        byte[] data2 = new byte[2*1024];
-+        r.nextBytes(data1);
-+        r.nextBytes(data2);
-+        System.out.println("Testing against provider " + p.getName());
-+        for (int i = 0; i < ALGOS.length; i++) {
-+            if (p.getService("MessageDigest", ALGOS[i]) == null) {
-+                System.out.println(ALGOS[i] + " is not supported, skipping");
-+                continue;
-+            } else {
-+                System.out.println("Testing " + ALGOS[i] + " of " + p.getName());
-+                MessageDigest md = MessageDigest.getInstance(ALGOS[i], p);
-+                try {
-+                    md = testCloning(md, p);
-+                    // repeat the test again after generating digest once
-+                    for (int j = 0; j < 10; j++) {
-+                        md = testCloning(md, p);
-+                    }
-+                } catch (Exception ex) {
-+                    if (ALGOS[i] == "MD2" &&
-+                        p.getName().equalsIgnoreCase("SunPKCS11-NSS")) {
-+                        // known bug in NSS; ignore for now
-+                        System.out.println("Ignore Known bug in MD2 of NSS");
-+                        continue;
-+                    }
-+                    throw ex;
-+                }
-+            }
-+        }
-+    }
-+
-+    private static MessageDigest testCloning(MessageDigest mdObj, Provider p)
-+        throws Exception {
-+
-+        // copy#0: clone at state BLANK w/o any data
-+        MessageDigest mdCopy0 = (MessageDigest) mdObj.clone();
-+
-+        // copy#1: clone again at state BUFFERED w/ very short data
-+        mdObj.update(data1);
-+        mdCopy0.update(data1);
-+        MessageDigest mdCopy1 = (MessageDigest) mdObj.clone();
-+
-+        // copy#2: clone again after updating it w/ long data to trigger
-+        // the state into INIT
-+        mdObj.update(data2);
-+        mdCopy0.update(data2);
-+        mdCopy1.update(data2);
-+        MessageDigest mdCopy2 = (MessageDigest) mdObj.clone();
-+
-+        // copy#3: clone again after updating it w/ very short data
-+        mdObj.update(data1);
-+        mdCopy0.update(data1);
-+        mdCopy1.update(data1);
-+        mdCopy2.update(data1);
-+        MessageDigest mdCopy3 = (MessageDigest) mdObj.clone();
-+
-+        // copy#4: clone again after updating it w/ long data
-+        mdObj.update(data2);
-+        mdCopy0.update(data2);
-+        mdCopy1.update(data2);
-+        mdCopy2.update(data2);
-+        mdCopy3.update(data2);
-+        MessageDigest mdCopy4 = (MessageDigest) mdObj.clone();
-+
-+        // check digest equalities
-+        byte[] answer = mdObj.digest();
-+        byte[] result0 = mdCopy0.digest();
-+        byte[] result1 = mdCopy1.digest();
-+        byte[] result2 = mdCopy2.digest();
-+        byte[] result3 = mdCopy3.digest();
-+        byte[] result4 = mdCopy4.digest();
-+
-+
-+        check(answer, result0, "copy0");
-+        check(answer, result1, "copy1");
-+        check(answer, result2, "copy2");
-+        check(answer, result3, "copy3");
-+        check(answer, result4, "copy4");
-+
-+        return mdCopy3;
-+    }
-+
-+    private static void check(byte[] d1, byte[] d2, String copyName)
-+            throws Exception {
-+        if (Arrays.equals(d1, d2) == false) {
-+            throw new RuntimeException(copyName + " digest mismatch!");
-+        }
-+    }
-+}
-+
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch
--- a/patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,608 +0,0 @@
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java	2012-10-23 18:11:19.306081852 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java	2012-10-24 03:20:31.807709327 +0100
-@@ -42,14 +42,12 @@
-  * Cipher implementation class. This class currently supports
-  * DES, DESede, AES, ARCFOUR, and Blowfish.
-  *
-- * This class is designed to support ECB and CBC with NoPadding and
-- * PKCS5Padding for both. It will use its own padding impl if the
-- * native mechanism does not support padding.
-+ * This class is designed to support ECB, CBC, CTR with NoPadding
-+ * and ECB, CBC with PKCS5Padding. It will use its own padding impl
-+ * if the native mechanism does not support padding.
-  *
-- * Note that PKCS#11 current only supports ECB and CBC. There are no
-- * provisions for other modes such as CFB, OFB, PCBC, or CTR mode.
-- * However, CTR could be implemented relatively easily (and efficiently)
-- * on top of ECB mode in this class, if need be.
-+ * Note that PKCS#11 currently only supports ECB, CBC, and CTR.
-+ * There are no provisions for other modes such as CFB, OFB, and PCBC.
-  *
-  * @author  Andreas Sterbenz
-  * @since   1.5
-@@ -60,6 +58,8 @@
-     private final static int MODE_ECB = 3;
-     // mode constant for CBC mode
-     private final static int MODE_CBC = 4;
-+    // mode constant for CTR mode
-+    private final static int MODE_CTR = 5;
- 
-     // padding constant for NoPadding
-     private final static int PAD_NONE = 5;
-@@ -157,7 +157,7 @@
-     private byte[] padBuffer;
-     private int padBufferLen;
- 
--    // original IV, if in MODE_CBC
-+    // original IV, if in MODE_CBC or MODE_CTR
-     private byte[] iv;
- 
-     // number of bytes buffered internally by the native mechanism and padBuffer
-@@ -213,6 +213,8 @@
-                         ("CBC mode not supported with stream ciphers");
-             }
-             result = MODE_CBC;
-+        } else if (mode.equals("CTR")) {
-+            result = MODE_CTR;
-         } else {
-             throw new NoSuchAlgorithmException("Unsupported mode " + mode);
-         }
-@@ -228,6 +230,10 @@
-         if (padding.equals("NOPADDING")) {
-             paddingType = PAD_NONE;
-         } else if (padding.equals("PKCS5PADDING")) {
-+            if (this.blockMode == MODE_CTR) {
-+                throw new NoSuchPaddingException
-+                    ("PKCS#5 padding not supported with CTR mode");
-+            }
-             paddingType = PAD_PKCS5;
-             if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD &&
-                     mechanism != CKM_AES_CBC_PAD) {
-@@ -348,11 +354,14 @@
-                             ("IV not used in ECB mode");
-                 }
-             }
--        } else { // MODE_CBC
-+        } else { // MODE_CBC or MODE_CTR
-             if (iv == null) {
-                 if (encrypt == false) {
--                    throw new InvalidAlgorithmParameterException
--                            ("IV must be specified for decryption in CBC mode");
-+                    String exMsg =
-+                        (blockMode == MODE_CBC ?
-+                         "IV must be specified for decryption in CBC mode" :
-+                         "IV must be specified for decryption in CTR mode");
-+                    throw new InvalidAlgorithmParameterException(exMsg);
-                 }
-                 // generate random IV
-                 if (random == null) {
-@@ -410,13 +419,15 @@
-         if (session == null) {
-             session = token.getOpSession();
-         }
-+        CK_MECHANISM mechParams = (blockMode == MODE_CTR?
-+            new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) :
-+            new CK_MECHANISM(mechanism, iv));
-+
-         try {
-             if (encrypt) {
--                token.p11.C_EncryptInit(session.id(),
--                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
-+                token.p11.C_EncryptInit(session.id(), mechParams, p11Key.keyID);
-             } else {
--                token.p11.C_DecryptInit(session.id(),
--                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
-+                token.p11.C_DecryptInit(session.id(), mechParams, p11Key.keyID);
-             }
-         } catch (PKCS11Exception ex) {
-             // release session when initialization failed
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2012-10-23 18:11:19.250080966 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java	2012-10-24 03:20:31.807709327 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -620,6 +620,8 @@
-                 m(CKM_AES_CBC_PAD, CKM_AES_CBC));
-         d(CIP, "AES/ECB",                       P11Cipher,      s("AES"),
-                 m(CKM_AES_ECB));
-+        d(CIP, "AES/CTR/NoPadding",             P11Cipher,
-+                m(CKM_AES_CTR));
-         d(CIP, "Blowfish/CBC",                  P11Cipher,
-                 m(CKM_BLOWFISH_CBC));
- 
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java	2012-10-24 03:20:31.823709582 +0100
-@@ -0,0 +1,66 @@
-+/*
-+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+package sun.security.pkcs11.wrapper;
-+
-+/**
-+ * This class represents the necessary parameters required by
-+ * the CKM_AES_CTR mechanism as defined in CK_AES_CTR_PARAMS structure.

-+ * PKCS#11 structure:
-+ * 
-+ * typedef struct CK_AES_CTR_PARAMS {
-+ *   CK_ULONG ulCounterBits;
-+ *   CK_BYTE cb[16];
-+ * } CK_AES_CTR_PARAMS;
-+ * 

-+ *
-+ * @author Yu-Ching Valerie Peng
-+ * @since   1.7
-+ */
-+public class CK_AES_CTR_PARAMS {
-+
-+    private final long ulCounterBits;
-+    private final byte cb[];
-+
-+    public CK_AES_CTR_PARAMS(byte[] cb) {
-+        ulCounterBits = 128;
-+        this.cb = cb.clone();
-+    }
-+
-+    public String toString() {
-+        StringBuffer buffer = new StringBuffer();
-+
-+        buffer.append(Constants.INDENT);
-+        buffer.append("ulCounterBits: ");
-+        buffer.append(ulCounterBits);
-+        buffer.append(Constants.NEWLINE);
-+
-+        buffer.append(Constants.INDENT);
-+        buffer.append("cb: ");
-+        buffer.append(Functions.toHexString(cb));
-+
-+        return buffer.toString();
-+    }
-+}
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	2012-09-21 20:03:48.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	2012-10-24 03:20:31.823709582 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -48,6 +48,7 @@
- package sun.security.pkcs11.wrapper;
- 
- import java.math.BigInteger;
-+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
- 
- /**
-  * class CK_MECHANISM specifies a particular mechanism and any parameters it
-@@ -127,6 +128,10 @@
-         init(mechanism, params);
-     }
- 
-+    public CK_MECHANISM(long mechanism, CK_AES_CTR_PARAMS params) {
-+        init(mechanism, params);
-+    }
-+
-     private void init(long mechanism, Object pParameter) {
-         this.mechanism = mechanism;
-         this.pParameter = pParameter;
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	2012-09-21 20:03:48.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	2012-10-24 03:20:31.823709582 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -47,8 +47,6 @@
- 
- package sun.security.pkcs11.wrapper;
- 
--
--
- /**
-  * This interface holds constants of the PKCS#11 v2.11 standard.
-  * This is mainly the content of the 'pkcs11t.h' header file.
-@@ -306,6 +304,10 @@
- 
-     public static final long  CKK_VENDOR_DEFINED  = 0x80000000L;
- 
-+    // new for v2.20 amendment 3
-+    //public static final long  CKK_CAMELLIA          = 0x00000025L;
-+    //public static final long  CKK_ARIA              = 0x00000026L;
-+
-     // pseudo key type ANY (for template manager)
-     public static final long  PCKK_ANY            = 0x7FFFFF22L;
- 
-@@ -690,6 +692,34 @@
- 
-     public static final long  CKM_VENDOR_DEFINED             = 0x80000000L;
- 
-+    // new for v2.20 amendment 3
-+    public static final long  CKM_SHA224                     = 0x00000255L;
-+    public static final long  CKM_SHA224_HMAC                = 0x00000256L;
-+    public static final long  CKM_SHA224_HMAC_GENERAL        = 0x00000257L;
-+    public static final long  CKM_SHA224_KEY_DERIVATION      = 0x00000396L;
-+    public static final long  CKM_SHA224_RSA_PKCS            = 0x00000046L;
-+    public static final long  CKM_SHA224_RSA_PKCS_PSS        = 0x00000047L;
-+    public static final long  CKM_AES_CTR                    = 0x00001086L;
-+    /*
-+    public static final long  CKM_CAMELLIA_KEY_GEN           = 0x00000550L;
-+    public static final long  CKM_CAMELLIA_ECB               = 0x00000551L;
-+    public static final long  CKM_CAMELLIA_CBC               = 0x00000552L;
-+    public static final long  CKM_CAMELLIA_MAC               = 0x00000553L;
-+    public static final long  CKM_CAMELLIA_MAC_GENERAL       = 0x00000554L;
-+    public static final long  CKM_CAMELLIA_CBC_PAD           = 0x00000555L;
-+    public static final long  CKM_CAMELLIA_ECB_ENCRYPT_DATA  = 0x00000556L;
-+    public static final long  CKM_CAMELLIA_CBC_ENCRYPT_DATA  = 0x00000557L;
-+    public static final long  CKM_CAMELLIA_CTR               = 0x00000558L;
-+    public static final long  CKM_ARIA_KEY_GEN               = 0x00000560L;
-+    public static final long  CKM_ARIA_ECB                   = 0x00000561L;
-+    public static final long  CKM_ARIA_CBC                   = 0x00000562L;
-+    public static final long  CKM_ARIA_MAC                   = 0x00000563L;
-+    public static final long  CKM_ARIA_MAC_GENERAL           = 0x00000564L;
-+    public static final long  CKM_ARIA_CBC_PAD               = 0x00000565L;
-+    public static final long  CKM_ARIA_ECB_ENCRYPT_DATA      = 0x00000566L;
-+    public static final long  CKM_ARIA_CBC_ENCRYPT_DATA      = 0x00000567L;
-+    */
-+
-     // NSS private
-     public static final long  CKM_NSS_TLS_PRF_GENERAL        = 0x80000373L;
- 
-@@ -881,7 +911,8 @@
- 
-     /* The following MGFs are defined */
-     public static final long  CKG_MGF1_SHA1       =  0x00000001L;
--
-+    // new for v2.20 amendment 3
-+    public static final long  CKG_MGF1_SHA224     = 0x00000005L;
- 
-     /* The following encoding parameter sources are defined */
-     public static final long  CKZ_DATA_SPECIFIED   = 0x00000001L;
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	2012-10-23 18:11:19.274081347 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	2012-10-24 03:20:31.823709582 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -695,6 +695,46 @@
- }
- 
- /*
-+ * converts the Java CK_AES_CTR_PARAMS object to a CK_AES_CTR_PARAMS structure
-+ *
-+ * @param env - used to call JNI funktions to get the Java classes and objects
-+ * @param jParam - the Java CK_AES_CTR_PARAMS object to convert
-+ * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure
-+ */
-+void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam,
-+                                  CK_AES_CTR_PARAMS_PTR ckpParam) {
-+    jclass jAesCtrParamsClass;
-+    jfieldID fieldID;
-+    jlong jCounterBits;
-+    jobject jCb;
-+    CK_BYTE_PTR ckBytes;
-+    CK_ULONG ckTemp;
-+
-+    /* get ulCounterBits */
-+    jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
-+    if (jAesCtrParamsClass == NULL) { return; }
-+    fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J");
-+    if (fieldID == NULL) { return; }
-+    jCounterBits = (*env)->GetLongField(env, jParam, fieldID);
-+
-+    /* get cb */
-+    fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "cb", "[B");
-+    if (fieldID == NULL) { return; }
-+    jCb = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckpParam->ulCounterBits = jLongToCKULong(jCounterBits);
-+    jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+    if (ckTemp != 16) {
-+        TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp);
-+    } else {
-+        memcpy(ckpParam->cb, ckBytes, ckTemp);
-+        free(ckBytes);
-+    }
-+}
-+
-+/*
-  * converts a Java CK_MECHANISM object into a CK_MECHANISM structure
-  *
-  * @param env - used to call JNI funktions to get the values out of the Java object
-@@ -937,12 +977,10 @@
- {
-     /* get all Java mechanism parameter classes */
-     jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass;
--    jclass jTlsPrfParamsClass, jRsaPkcsOaepParamsClass, jPbeParamsClass;
--    jclass jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
-+    jclass jTlsPrfParamsClass, jAesCtrParamsClass, jRsaPkcsOaepParamsClass;
-+    jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
-     jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass;
-     jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass;
--
--    /* get all Java mechanism parameter classes */
-     TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter");
- 
-     /* most common cases, i.e. NULL/byte[]/long, are already handled by
-@@ -1045,6 +1083,33 @@
-         *ckpParamPtr = ckpParam;
-         return;
-     }
-+
-+    jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
-+    if (jAesCtrParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) {
-+        /*
-+         * CK_AES_CTR_PARAMS
-+         */
-+        CK_AES_CTR_PARAMS_PTR ckpParam;
-+
-+        ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-+
-+        /* convert jParameter to CKParameter */
-+        jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
-+
-+        /* get length and pointer of parameter */
-+        *ckpLength = sizeof(CK_AES_CTR_PARAMS);
-+        *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
-     jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-     if (jRsaPkcsOaepParamsClass == NULL) { return; }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h	2012-10-24 03:20:31.823709582 +0100
-@@ -0,0 +1,124 @@
-+/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3
-+   document. */
-+
-+/* $Revision: 1.4 $ */
-+
-+/* License to copy and use this software is granted provided that it is
-+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+ * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or
-+ * referencing this software.
-+
-+ * RSA Security Inc. makes no representations concerning either the
-+ * merchantability of this software or the suitability of this software for
-+ * any particular purpose. It is provided "as is" without express or implied
-+ * warranty of any kind.
-+ */
-+
-+/* This file is preferably included after inclusion of pkcs11.h */
-+
-+#ifndef _PKCS_11V2_20A3_H_
-+#define _PKCS_11V2_20A3_H_ 1
-+
-+/* Are the definitions of this file already included in pkcs11t.h ? */
-+#ifndef CKK_CAMELLIA
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+/* Key types */
-+
-+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
-+#define CKK_CAMELLIA                   0x00000025
-+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
-+#define CKK_ARIA                       0x00000026
-+
-+
-+/* Mask-generating functions */
-+
-+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
-+#define CKG_MGF1_SHA224                0x00000005
-+
-+
-+/* Mechanism Identifiers */
-+
-+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_SHA224                     0x00000255
-+#define CKM_SHA224_HMAC                0x00000256
-+#define CKM_SHA224_HMAC_GENERAL        0x00000257
-+
-+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_SHA224_KEY_DERIVATION      0x00000396
-+
-+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_SHA224_RSA_PKCS            0x00000046
-+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
-+
-+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_AES_CTR                    0x00001086
-+
-+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_CAMELLIA_KEY_GEN           0x00000550
-+#define CKM_CAMELLIA_ECB               0x00000551
-+#define CKM_CAMELLIA_CBC               0x00000552
-+#define CKM_CAMELLIA_MAC               0x00000553
-+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
-+#define CKM_CAMELLIA_CBC_PAD           0x00000555
-+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
-+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
-+#define CKM_CAMELLIA_CTR               0x00000558
-+
-+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
-+#define CKM_ARIA_KEY_GEN               0x00000560
-+#define CKM_ARIA_ECB                   0x00000561
-+#define CKM_ARIA_CBC                   0x00000562
-+#define CKM_ARIA_MAC                   0x00000563
-+#define CKM_ARIA_MAC_GENERAL           0x00000564
-+#define CKM_ARIA_CBC_PAD               0x00000565
-+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
-+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
-+
-+
-+/* Mechanism parameters */
-+
-+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-+typedef struct CK_AES_CTR_PARAMS {
-+    CK_ULONG ulCounterBits;
-+    CK_BYTE cb[16];
-+} CK_AES_CTR_PARAMS;
-+
-+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
-+
-+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-+typedef struct CK_CAMELLIA_CTR_PARAMS {
-+    CK_ULONG ulCounterBits;
-+    CK_BYTE cb[16];
-+} CK_CAMELLIA_CTR_PARAMS;
-+
-+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
-+
-+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
-+    CK_BYTE      iv[16];
-+    CK_BYTE_PTR  pData;
-+    CK_ULONG     length;
-+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
-+
-+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-+
-+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
-+    CK_BYTE      iv[16];
-+    CK_BYTE_PTR  pData;
-+    CK_ULONG     length;
-+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
-+
-+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif
-+
-+#endif
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2012-10-23 18:11:19.282081473 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2012-10-24 03:20:31.823709582 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
-  */
- 
- /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
-@@ -153,6 +153,7 @@
- #include "p11_md.h"
- 
- #include "pkcs11.h"
-+#include "pkcs-11v2-20a3.h"
- #include 
- #include 
- 
-@@ -272,6 +273,7 @@
- #define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS"
- #define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS"
- #define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS"
-+#define CLASS_AES_CTR_PARAMS "sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS"
- 
- /* function to convert a PKCS#11 return value other than CK_OK into a Java Exception
-  * or to throw a PKCS11RuntimeException
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java	2012-10-23 18:11:19.250080966 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java	2012-10-24 03:20:31.823709582 +0100
-@@ -33,7 +33,7 @@
- 
- /**
-  * @test %I% %E%
-- * @bug 4898461
-+ * @bug 4898461 6604496
-  * @summary basic test for symmetric ciphers with padding
-  * @author Valerie Peng
-  * @library ..
-@@ -80,9 +80,13 @@
-         new CI("DES/ECB/PKCS5Padding", "DES", 6400),
-         new CI("DESede/ECB/PKCS5Padding", "DESede", 400),
-         new CI("AES/ECB/PKCS5Padding", "AES", 64),
-+
-         new CI("DES", "DES", 6400),
-         new CI("DESede", "DESede", 408),
--        new CI("AES", "AES", 128)
-+        new CI("AES", "AES", 128),
-+
-+        new CI("AES/CTR/NoPadding", "AES", 3200)
-+
-     };
-     private static StringBuffer debugBuf = new StringBuffer();
- 
-diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java
---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java	2012-09-21 20:04:16.000000000 +0100
-+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java	2012-10-24 03:20:31.823709582 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -23,7 +23,7 @@
- 
- /**
-  * @test
-- * @bug 4898484
-+ * @bug 4898484 6604496
-  * @summary basic test for symmetric ciphers with no padding
-  * @author Valerie Peng
-  * @library ..
-@@ -59,7 +59,8 @@
-         new CI("DES/CBC/NoPadding", "DES", 400),
-         new CI("DESede/CBC/NoPadding", "DESede", 160),
-         new CI("AES/CBC/NoPadding", "AES", 4800),
--        new CI("Blowfish/CBC/NoPadding", "Blowfish", 24)
-+        new CI("Blowfish/CBC/NoPadding", "Blowfish", 24),
-+        new CI("AES/CTR/NoPadding", "AES", 1600)
-     };
- 
-     private static StringBuffer debugBuf;
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/p11cipher-6812738-native_cleanup.patch
--- a/patches/openjdk/p11cipher-6812738-native_cleanup.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,4832 +0,0 @@
-diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java
---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java	2014-10-08 17:30:03.986103813 +0100
-@@ -202,7 +202,9 @@
-                 throw new InvalidKeyException
-                                 ("Unwrap has to be used with private keys");
-             }
--            encrypt = false;
-+            // No further setup needed for C_Unwrap(). We'll initialize later
-+            // if we can't use C_Unwrap().
-+            return;
-         } else {
-             throw new InvalidKeyException("Unsupported mode: " + opmode);
-         }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c	2014-10-08 17:30:03.986103813 +0100
-@@ -89,21 +89,24 @@
- 
-     /* load CK_DATE class */
-     jDateClass = (*env)->FindClass(env, CLASS_DATE);
--    assert(jDateClass != 0);
-+    if (jDateClass == NULL) { return NULL; }
- 
-     /* load CK_DATE constructor */
-     jCtrId = (*env)->GetMethodID(env, jDateClass, "", "([C[C[C)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep all fields */
-     jYear = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->year), 4);
-+    if (jYear == NULL) { return NULL; }
-     jMonth = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->month), 2);
-+    if (jMonth == NULL) { return NULL; }
-     jDay = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->day), 2);
-+    if (jDay == NULL) { return NULL; }
- 
-     /* create new CK_DATE object */
-     jDateObject =
-       (*env)->NewObject(env, jDateClass, jCtrId, jYear, jMonth, jDay);
--    assert(jDateObject != 0);
-+    if (jDateObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jDateClass);
-@@ -131,11 +134,11 @@
- 
-     /* load CK_VERSION class */
-     jVersionClass = (*env)->FindClass(env, CLASS_VERSION);
--    assert(jVersionClass != 0);
-+    if (jVersionClass == NULL) { return NULL; }
- 
-     /* load CK_VERSION constructor */
-     jCtrId = (*env)->GetMethodID(env, jVersionClass, "", "(II)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep both fields */
-     jMajor = ckpVersion->major;
-@@ -144,7 +147,7 @@
-     /* create new CK_VERSION object */
-     jVersionObject =
-       (*env)->NewObject(env, jVersionClass, jCtrId, jMajor, jMinor);
--    assert(jVersionObject != 0);
-+    if (jVersionObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jVersionClass);
-@@ -171,11 +174,11 @@
- 
-     /* load CK_SESSION_INFO class */
-     jSessionInfoClass = (*env)->FindClass(env, CLASS_SESSION_INFO);
--    assert(jSessionInfoClass != 0);
-+    if (jSessionInfoClass == NULL) { return NULL; }
- 
-     /* load CK_SESSION_INFO constructor */
-     jCtrId = (*env)->GetMethodID(env, jSessionInfoClass, "", "(JJJJ)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep all fields */
-     jSlotID = ckULongToJLong(ckpSessionInfo->slotID);
-@@ -187,7 +190,7 @@
-     jSessionInfoObject =
-       (*env)->NewObject(env, jSessionInfoClass, jCtrId, jSlotID, jState,
-                         jFlags, jDeviceError);
--    assert(jSessionInfoObject != 0);
-+    if (jSessionInfoObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jSessionInfoClass);
-@@ -211,20 +214,21 @@
-     jobject jPValue = NULL;
- 
-     jAttributeClass = (*env)->FindClass(env, CLASS_ATTRIBUTE);
--    assert(jAttributeClass != 0);
-+    if (jAttributeClass == NULL) { return NULL; }
- 
-     /* load CK_INFO constructor */
-     jCtrId = (*env)->GetMethodID(env, jAttributeClass, "", "(JLjava/lang/Object;)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep both fields */
-     jType = ckULongToJLong(ckpAttribute->type);
-     jPValue = ckAttributeValueToJObject(env, ckpAttribute);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     /* create new CK_ATTRIBUTE object */
-     jAttributeObject =
-       (*env)->NewObject(env, jAttributeClass, jCtrId, jType, jPValue);
--    assert(jAttributeObject != 0);
-+    if (jAttributeObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jAttributeClass);
-@@ -252,23 +256,27 @@
-         return NULL;
-     }
- 
--    /* allocate memory for CK_VERSION pointer */
--    ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION));
--
-     /* get CK_VERSION class */
-     jVersionClass = (*env)->GetObjectClass(env, jVersion);
--    assert(jVersionClass != 0);
-+    if (jVersionClass == NULL) { return NULL; }
- 
-     /* get Major */
-     jFieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B");
--    assert(jFieldID != 0);
-+    if (jFieldID == NULL) { return NULL; }
-     jMajor = (*env)->GetByteField(env, jVersion, jFieldID);
--    ckpVersion->major = jByteToCKByte(jMajor);
- 
-     /* get Minor */
-     jFieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B");
--    assert(jFieldID != 0);
-+    if (jFieldID == NULL) { return NULL; }
-     jMinor = (*env)->GetByteField(env, jVersion, jFieldID);
-+
-+    /* allocate memory for CK_VERSION pointer */
-+    ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION));
-+    if (ckpVersion == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-+    ckpVersion->major = jByteToCKByte(jMajor);
-     ckpVersion->minor = jByteToCKByte(jMinor);
- 
-     return ckpVersion ;
-@@ -292,18 +300,36 @@
-     jchar *jTempChars;
-     CK_ULONG i;
- 
--    /* allocate memory for CK_DATE pointer */
--    ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE));
-+    if (jDate == NULL) {
-+        return NULL;
-+    }
- 
-     /* get CK_DATE class */
-     jDateClass = (*env)->FindClass(env, CLASS_DATE);
--    assert(jDateClass != 0);
-+    if (jDateClass == NULL) { return NULL; }
- 
-     /* get Year */
-     jFieldID = (*env)->GetFieldID(env, jDateClass, "year", "[C");
--    assert(jFieldID != 0);
-+    if (jFieldID == NULL) { return NULL; }
-     jYear = (*env)->GetObjectField(env, jDate, jFieldID);
- 
-+    /* get Month */
-+    jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C");
-+    if (jFieldID == NULL) { return NULL; }
-+    jMonth = (*env)->GetObjectField(env, jDate, jFieldID);
-+
-+    /* get Day */
-+    jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C");
-+    if (jFieldID == NULL) { return NULL; }
-+    jDay = (*env)->GetObjectField(env, jDate, jFieldID);
-+
-+    /* allocate memory for CK_DATE pointer */
-+    ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE));
-+    if (ckpDate == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-+
-     if (jYear == NULL) {
-         ckpDate->year[0] = 0;
-         ckpDate->year[1] = 0;
-@@ -312,43 +338,66 @@
-     } else {
-         ckLength = (*env)->GetArrayLength(env, jYear);
-         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
-+        if (jTempChars == NULL) {
-+            free(ckpDate);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         (*env)->GetCharArrayRegion(env, jYear, 0, ckLength, jTempChars);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpDate);
-+            free(jTempChars);
-+            return NULL;
-+        }
-+
-         for (i = 0; (i < ckLength) && (i < 4) ; i++) {
-             ckpDate->year[i] = jCharToCKChar(jTempChars[i]);
-         }
-         free(jTempChars);
-     }
- 
--    /* get Month */
--    jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C");
--    assert(jFieldID != 0);
--    jMonth = (*env)->GetObjectField(env, jDate, jFieldID);
--
-     if (jMonth == NULL) {
-         ckpDate->month[0] = 0;
-         ckpDate->month[1] = 0;
-     } else {
-         ckLength = (*env)->GetArrayLength(env, jMonth);
-         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
-+        if (jTempChars == NULL) {
-+            free(ckpDate);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         (*env)->GetCharArrayRegion(env, jMonth, 0, ckLength, jTempChars);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpDate);
-+            free(jTempChars);
-+            return NULL;
-+        }
-+
-         for (i = 0; (i < ckLength) && (i < 4) ; i++) {
-             ckpDate->month[i] = jCharToCKChar(jTempChars[i]);
-         }
-         free(jTempChars);
-     }
- 
--    /* get Day */
--    jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C");
--    assert(jFieldID != 0);
--    jDay = (*env)->GetObjectField(env, jDate, jFieldID);
--
-     if (jDay == NULL) {
-         ckpDate->day[0] = 0;
-         ckpDate->day[1] = 0;
-     } else {
-         ckLength = (*env)->GetArrayLength(env, jDay);
-         jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar));
-+        if (jTempChars == NULL) {
-+            free(ckpDate);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         (*env)->GetCharArrayRegion(env, jDay, 0, ckLength, jTempChars);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpDate);
-+            free(jTempChars);
-+            return NULL;
-+        }
-+
-         for (i = 0; (i < ckLength) && (i < 4) ; i++) {
-             ckpDate->day[i] = jCharToCKChar(jTempChars[i]);
-         }
-@@ -374,23 +423,25 @@
-     jlong jType;
-     jobject jPValue;
- 
-+    // TBD: what if jAttribute == NULL?!
-+
-     TRACE0("\nDEBUG: jAttributeToCKAttribute");
-     /* get CK_ATTRIBUTE class */
-     TRACE0(", getting attribute object class");
-     jAttributeClass = (*env)->GetObjectClass(env, jAttribute);
--    assert(jAttributeClass != 0);
-+    if (jAttributeClass == NULL) { return ckAttribute; }
- 
-     /* get type */
-     TRACE0(", getting type field");
-     jFieldID = (*env)->GetFieldID(env, jAttributeClass, "type", "J");
--    assert(jFieldID != 0);
-+    if (jFieldID == NULL) { return ckAttribute; }
-     jType = (*env)->GetLongField(env, jAttribute, jFieldID);
-     TRACE1(", type=0x%X", jType);
- 
-     /* get pValue */
-     TRACE0(", getting pValue field");
-     jFieldID = (*env)->GetFieldID(env, jAttributeClass, "pValue", "Ljava/lang/Object;");
--    assert(jFieldID != 0);
-+    if (jFieldID == NULL) { return ckAttribute; }
-     jPValue = (*env)->GetObjectField(env, jAttribute, jFieldID);
-     TRACE1(", pValue=%p", jPValue);
- 
-@@ -417,36 +468,50 @@
- {
-     // XXX don't return structs
-     // XXX prefetch class and field ids
--    jclass jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-+    jclass jSsl3MasterKeyDeriveParamsClass;
-     CK_SSL3_MASTER_KEY_DERIVE_PARAMS ckParam;
-     jfieldID fieldID;
--    jobject jObject;
-     jclass jSsl3RandomDataClass;
--    jobject jRandomInfo;
-+    jobject jRandomInfo, jRIClientRandom, jRIServerRandom, jVersion;
- 
-     /* get RandomInfo */
--    jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA);
-+    jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-+    if (jSsl3MasterKeyDeriveParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return ckParam; }
-     jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pClientRandom and ulClientRandomLength out of RandomInfo */
-+    jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA);
-+    if (jSsl3RandomDataClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID);
- 
-     /* get pServerRandom and ulServerRandomLength out of RandomInfo */
-     fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID);
- 
-     /* get pVersion */
-     fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "pVersion",  "Lsun/security/pkcs11/wrapper/CK_VERSION;");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    ckParam.pVersion = jVersionToCKVersionPtr(env, jObject);
-+    if (fieldID == NULL) { return ckParam; }
-+    jVersion = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.pVersion = jVersionToCKVersionPtr(env, jVersion);
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pVersion);
-+        return ckParam;
-+    }
-+    jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pVersion);
-+        free(ckParam.RandomInfo.pClientRandom);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -457,27 +522,52 @@
-  */
- CK_TLS_PRF_PARAMS jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam)
- {
--    jclass jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+    jclass jTlsPrfParamsClass;
-     CK_TLS_PRF_PARAMS ckParam;
-     jfieldID fieldID;
--    jobject jObject;
-+    jobject jSeed, jLabel, jOutput;
- 
-+    // TBD: what if jParam == NULL?!
-+
-+    /* get pSeed */
-+    jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+    if (jTlsPrfParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pSeed", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pSeed), &(ckParam.ulSeedLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSeed = (*env)->GetObjectField(env, jParam, fieldID);
- 
-+    /* get pLabel */
-     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pLabel", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pLabel), &(ckParam.ulLabelLen));
--
--    ckParam.pulOutputLen = malloc(sizeof(CK_ULONG));
-+    if (fieldID == NULL) { return ckParam; }
-+    jLabel = (*env)->GetObjectField(env, jParam, fieldID);
- 
-+    /* get pOutput */
-     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pOutput", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pOutput), ckParam.pulOutputLen);
-+    if (fieldID == NULL) { return ckParam; }
-+    jOutput = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    jByteArrayToCKByteArray(env, jSeed, &(ckParam.pSeed), &(ckParam.ulSeedLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jLabel, &(ckParam.pLabel), &(ckParam.ulLabelLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSeed);
-+        return ckParam;
-+    }
-+    ckParam.pulOutputLen = malloc(sizeof(CK_ULONG));
-+    if (ckParam.pulOutputLen == NULL) {
-+        free(ckParam.pSeed);
-+        free(ckParam.pLabel);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return ckParam;
-+    }
-+    jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSeed);
-+        free(ckParam.pLabel);
-+        free(ckParam.pulOutputLen);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -493,68 +583,91 @@
- {
-     // XXX don't return structs
-     // XXX prefetch class and field ids
--    jclass jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
-+    jclass jSsl3KeyMatParamsClass, jSsl3RandomDataClass, jSsl3KeyMatOutClass;
-     CK_SSL3_KEY_MAT_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jboolean jBoolean;
--    jobject jObject;
--    jobject jRandomInfo;
--    jobject jReturnedKeyMaterial;
--    jclass jSsl3RandomDataClass;
--    jclass jSsl3KeyMatOutClass;
-+    jlong jMacSizeInBits, jKeySizeInBits, jIVSizeInBits;
-+    jboolean jIsExport;
-+    jobject jRandomInfo, jRIClientRandom, jRIServerRandom;
-+    jobject jReturnedKeyMaterial, jRMIvClient, jRMIvServer;
-     CK_ULONG ckTemp;
- 
-     /* get ulMacSizeInBits */
-+    jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
-+    if (jSsl3KeyMatParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulMacSizeInBits", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulMacSizeInBits = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jMacSizeInBits = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get ulKeySizeInBits */
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulKeySizeInBits", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulKeySizeInBits = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jKeySizeInBits = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get ulIVSizeInBits */
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulIVSizeInBits", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulIVSizeInBits = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jIVSizeInBits = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get bIsExport */
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "bIsExport", "Z");
--    assert(fieldID != 0);
--    jBoolean = (*env)->GetBooleanField(env, jParam, fieldID);
--    ckParam.bIsExport = jBooleanToCKBBool(jBoolean);
-+    if (fieldID == NULL) { return ckParam; }
-+    jIsExport = (*env)->GetBooleanField(env, jParam, fieldID);
- 
-     /* get RandomInfo */
-     jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA);
-+    if (jSsl3RandomDataClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "RandomInfo",  "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return ckParam; }
-     jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pClientRandom and ulClientRandomLength out of RandomInfo */
-     fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID);
- 
-     /* get pServerRandom and ulServerRandomLength out of RandomInfo */
-     fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID);
- 
-     /* get pReturnedKeyMaterial */
-     jSsl3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT);
-+    if (jSsl3KeyMatOutClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "pReturnedKeyMaterial",  "Lsun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return ckParam; }
-     jReturnedKeyMaterial = (*env)->GetObjectField(env, jParam, fieldID);
- 
-+    /* get pIVClient out of pReturnedKeyMaterial */
-+    fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B");
-+    if (fieldID == NULL) { return ckParam; }
-+    jRMIvClient = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID);
-+
-+    /* get pIVServer out of pReturnedKeyMaterial */
-+    fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B");
-+    if (fieldID == NULL) { return ckParam; }
-+    jRMIvServer = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID);
-+
-+    /* populate java values */
-+    ckParam.ulMacSizeInBits = jLongToCKULong(jMacSizeInBits);
-+    ckParam.ulKeySizeInBits = jLongToCKULong(jKeySizeInBits);
-+    ckParam.ulIVSizeInBits = jLongToCKULong(jIVSizeInBits);
-+    ckParam.bIsExport = jBooleanToCKBBool(jIsExport);
-+    jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.RandomInfo.pClientRandom);
-+        return ckParam;
-+    }
-     /* allocate memory for pRetrunedKeyMaterial */
-     ckParam.pReturnedKeyMaterial = (CK_SSL3_KEY_MAT_OUT_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_OUT));
-+    if (ckParam.pReturnedKeyMaterial == NULL) {
-+        free(ckParam.RandomInfo.pClientRandom);
-+        free(ckParam.RandomInfo.pServerRandom);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return ckParam;
-+    }
- 
-     // the handles are output params only, no need to fetch them from Java
-     ckParam.pReturnedKeyMaterial->hClientMacSecret = 0;
-@@ -562,17 +675,21 @@
-     ckParam.pReturnedKeyMaterial->hClientKey = 0;
-     ckParam.pReturnedKeyMaterial->hServerKey = 0;
- 
--    /* get pIVClient out of pReturnedKeyMaterial */
--    fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp);
--
--    /* get pIVServer out of pReturnedKeyMaterial */
--    fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp);
-+    jByteArrayToCKByteArray(env, jRMIvClient, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.RandomInfo.pClientRandom);
-+        free(ckParam.RandomInfo.pServerRandom);
-+        free(ckParam.pReturnedKeyMaterial);
-+        return ckParam;
-+    }
-+    jByteArrayToCKByteArray(env, jRMIvServer, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.RandomInfo.pClientRandom);
-+        free(ckParam.RandomInfo.pServerRandom);
-+        free(ckParam.pReturnedKeyMaterial);
-+        free(ckParam.pReturnedKeyMaterial->pIVClient);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -811,7 +928,7 @@
-         *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam);
-         *ckpLength = sizeof(CK_ULONG);
-     } else {
--        /* printf("slow path jMechanismParameterToCKMechanismParameter\n"); */
-+        TRACE0("\nSLOW PATH jMechanismParameterToCKMechanismParameter\n");
-         jMechanismParameterToCKMechanismParameterSlow(env, jParam, ckpParamPtr, ckpLength);
-     }
- }
-@@ -819,40 +936,24 @@
- void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength)
- {
-     /* get all Java mechanism parameter classes */
--    jclass jVersionClass    = (*env)->FindClass(env, CLASS_VERSION);
--    jclass jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
--    jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
--    jclass jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
--
--    jclass jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
--    jclass jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
--    jclass jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
--    jclass jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
--    jclass jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
--
--    jclass jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
--    jclass jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
--    jclass jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+    jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass;
-+    jclass jTlsPrfParamsClass, jRsaPkcsOaepParamsClass, jPbeParamsClass;
-+    jclass jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
-+    jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass;
-+    jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass;
- 
-+    /* get all Java mechanism parameter classes */
-     TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter");
- 
--    /* first check the most common cases */
--/*
--    if (jParam == NULL) {
--        *ckpParamPtr = NULL;
--        *ckpLength = 0;
--    } else if ((*env)->IsInstanceOf(env, jParam, jByteArrayClass)) {
--        jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *)ckpParamPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jParam, jLongClass)) {
--        *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam);
--        *ckpLength = sizeof(CK_ULONG);
--    } else if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) {
--*/
-+    /* most common cases, i.e. NULL/byte[]/long, are already handled by
-+     * jMechanismParameterToCKMechanismParameter before calling this method.
-+     */
-+    jVersionClass = (*env)->FindClass(env, CLASS_VERSION);
-+    if (jVersionClass == NULL) { return; }
-     if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) {
-         /*
-          * CK_VERSION used by CKM_SSL3_PRE_MASTER_KEY_GEN
-          */
--
-         CK_VERSION_PTR ckpParam;
- 
-         /* convert jParameter to CKParameter */
-@@ -861,191 +962,312 @@
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_VERSION);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) {
-+    jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-+    if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) {
-         /*
-          * CK_SSL3_MASTER_KEY_DERIVE_PARAMS
-          */
--
-         CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) {
-+    jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
-+    if (jSsl3KeyMatParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) {
-         /*
-          * CK_SSL3_KEY_MAT_PARAMS
-          */
--
-         CK_SSL3_KEY_MAT_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) {
--        //
--        // CK_TLS_PRF_PARAMS
--        //
--
-+    jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+    if (jTlsPrfParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) {
-+        /*
-+         * CK_TLS_PRF_PARAMS
-+         */
-         CK_TLS_PRF_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
--        // convert jParameter to CKParameter
-+        /* convert jParameter to CKParameter */
-         *ckpParam = jTlsPrfParamsToCKTlsPrfParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
--        // get length and pointer of parameter
-+        /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_TLS_PRF_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) {
-+    jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-+    if (jRsaPkcsOaepParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) {
-         /*
-          * CK_RSA_PKCS_OAEP_PARAMS
-          */
--
-         CK_RSA_PKCS_OAEP_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) {
-+    jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-+    if (jPbeParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) {
-         /*
-          * CK_PBE_PARAMS
-          */
--
-         CK_PBE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jPbeParamToCKPbeParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_PBE_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-+    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-+    if (jPkcs5Pbkd2ParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-         /*
-          * CK_PKCS5_PBKD2_PARAMS
-          */
--
-         CK_PKCS5_PBKD2_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) {
-+    jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
-+    if (jRsaPkcsPssParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) {
-         /*
-          * CK_RSA_PKCS_PSS_PARAMS
-          */
--
-         CK_RSA_PKCS_PSS_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) {
-+    jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
-+    if (jEcdh1DeriveParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) {
-         /*
-          * CK_ECDH1_DERIVE_PARAMS
-          */
--
-         CK_ECDH1_DERIVE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) {
-+    jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
-+    if (jEcdh2DeriveParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) {
-         /*
-          * CK_ECDH2_DERIVE_PARAMS
-          */
--
-         CK_ECDH2_DERIVE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) {
-+    jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
-+    if (jX942Dh1DeriveParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) {
-         /*
-          * CK_X9_42_DH1_DERIVE_PARAMS
-          */
--
-         CK_X9_42_DH1_DERIVE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS);
-         *ckpParamPtr = ckpParam;
-+        return;
-+    }
- 
--    } else if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) {
-+    jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
-+    if (jX942Dh2DeriveParamsClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) {
-         /*
-          * CK_X9_42_DH2_DERIVE_PARAMS
-          */
--
-         CK_X9_42_DH2_DERIVE_PARAMS_PTR ckpParam;
- 
-         ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
-+        if (ckpParam == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
- 
-         /* convert jParameter to CKParameter */
-         *ckpParam = jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam);
-+        if ((*env)->ExceptionCheck(env)) {
-+            free(ckpParam);
-+            return;
-+        }
- 
-         /* get length and pointer of parameter */
-         *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS);
-         *ckpParamPtr = ckpParam;
--
--    } else {
--        /* if everything faild up to here */
--        /* try if the parameter is a primitive Java type */
--        jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength);
--        /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */
--        /* *ckpLength = 1; */
-+        return;
-     }
- 
-+    /* if everything faild up to here */
-+    /* try if the parameter is a primitive Java type */
-+    jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength);
-+    /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */
-+    /* *ckpLength = 1; */
-+
-     TRACE0("FINISHED\n");
- }
- 
-@@ -1061,36 +1283,41 @@
-  */
- CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam)
- {
--    jclass jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-+    jclass jRsaPkcsOaepParamsClass;
-     CK_RSA_PKCS_OAEP_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jHashAlg, jMgf, jSource;
-+    jobject jSourceData;
-     CK_BYTE_PTR ckpByte;
- 
-     /* get hashAlg */
-+    jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-+    if (jRsaPkcsOaepParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "hashAlg", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.hashAlg = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jHashAlg = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get mgf */
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "mgf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.mgf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jMgf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get source */
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "source", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.source = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jSource = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get sourceData and sourceDataLength */
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "pSourceData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &ckpByte, &(ckParam.ulSourceDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSourceData = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.hashAlg = jLongToCKULong(jHashAlg);
-+    ckParam.mgf = jLongToCKULong(jMgf);
-+    ckParam.source = jLongToCKULong(jSource);
-+    jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParam.ulSourceDataLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-     ckParam.pSourceData = (CK_VOID_PTR) ckpByte;
- 
-     return ckParam ;
-@@ -1105,36 +1332,50 @@
-  */
- CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam)
- {
--    jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-+    jclass jPbeParamsClass;
-     CK_PBE_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jIteration;
-+    jobject jInitVector, jPassword, jSalt;
-     CK_ULONG ckTemp;
- 
-     /* get pInitVector */
-+    jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-+    if (jPbeParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jCharArrayToCKCharArray(env, jObject, &(ckParam.pInitVector), &ckTemp);
-+    if (fieldID == NULL) { return ckParam; }
-+    jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pPassword and ulPasswordLength */
-     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jCharArrayToCKCharArray(env, jObject, &(ckParam.pPassword), &(ckParam.ulPasswordLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPassword = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pSalt and ulSaltLength */
-     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jCharArrayToCKCharArray(env, jObject, &(ckParam.pSalt), &(ckParam.ulSaltLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSalt = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get ulIteration */
-     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulIteration = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jIteration = (*env)->GetLongField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.ulIteration = jLongToCKULong(jIteration);
-+    jCharArrayToCKCharArray(env, jInitVector, &(ckParam.pInitVector), &ckTemp);
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jCharArrayToCKCharArray(env, jPassword, &(ckParam.pPassword), &(ckParam.ulPasswordLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pInitVector);
-+        return ckParam;
-+    }
-+    jCharArrayToCKCharArray(env, jSalt, &(ckParam.pSalt), &(ckParam.ulSaltLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pInitVector);
-+        free(ckParam.pPassword);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -1147,8 +1388,7 @@
-  */
- void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism)
- {
--    jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM);
--    jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-+    jclass jMechanismClass, jPbeParamsClass;
-     CK_PBE_PARAMS *ckParam;
-     jfieldID fieldID;
-     CK_MECHANISM_TYPE ckMechanismType;
-@@ -1161,8 +1401,10 @@
-     jchar* jInitVectorChars;
- 
-     /* get mechanism */
-+    jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM);
-+    if (jMechanismClass == NULL) { return; }
-     fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return; }
-     jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
-     ckMechanismType = jLongToCKULong(jMechanismType);
-     if (ckMechanismType != ckMechanism->mechanism) {
-@@ -1170,21 +1412,25 @@
-         return;
-     }
- 
-+    jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-+    if (jPbeParamsClass == NULL) { return; }
-     ckParam = (CK_PBE_PARAMS *) ckMechanism->pParameter;
-     if (ckParam != NULL_PTR) {
-         initVector = ckParam->pInitVector;
-         if (initVector != NULL_PTR) {
-             /* get pParameter */
-             fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;");
--            assert(fieldID != 0);
-+            if (fieldID == NULL) { return; }
-             jParameter = (*env)->GetObjectField(env, jMechanism, fieldID);
-             fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVektor", "[C");
--            assert(fieldID != 0);
-+            if (fieldID == NULL) { return; }
-             jInitVector = (*env)->GetObjectField(env, jParameter, fieldID);
- 
-             if (jInitVector != NULL) {
-                 jInitVectorLength = (*env)->GetArrayLength(env, jInitVector);
-                 jInitVectorChars = (*env)->GetCharArrayElements(env, jInitVector, NULL);
-+                if (jInitVectorChars == NULL) { return; }
-+
-                 /* copy the chars to the Java buffer */
-                 for (i=0; i < jInitVectorLength; i++) {
-                     jInitVectorChars[i] = ckCharToJChar(initVector[i]);
-@@ -1205,41 +1451,50 @@
-  */
- CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam)
- {
--    jclass jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-+    jclass jPkcs5Pbkd2ParamsClass;
-     CK_PKCS5_PBKD2_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jSaltSource, jIteration, jPrf;
-+    jobject jSaltSourceData, jPrfData;
- 
-     /* get saltSource */
-+    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-+    if (jPkcs5Pbkd2ParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.saltSource = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pSaltSourceData */
-     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pSaltSourceData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSaltSourceData = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get iterations */
-     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "iterations", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.iterations = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jIteration = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get prf */
-     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "prf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.prf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pPrfData and ulPrfDataLength in byte */
-     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.saltSource = jLongToCKULong(jSaltSource);
-+    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    ckParam.iterations = jLongToCKULong(jIteration);
-+    ckParam.prf = jLongToCKULong(jPrf);
-+    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSaltSourceData);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -1253,28 +1508,32 @@
-  */
- CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam)
- {
--    jclass jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
-+    jclass jRsaPkcsPssParamsClass;
-     CK_RSA_PKCS_PSS_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
-+    jlong jHashAlg, jMgf, jSLen;
- 
-     /* get hashAlg */
-+    jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
-+    if (jRsaPkcsPssParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "hashAlg", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.hashAlg = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jHashAlg = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get mgf */
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "mgf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.mgf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jMgf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get sLen */
-     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "sLen", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.sLen = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jSLen = (*env)->GetLongField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.hashAlg = jLongToCKULong(jHashAlg);
-+    ckParam.mgf = jLongToCKULong(jMgf);
-+    ckParam.sLen = jLongToCKULong(jSLen);
- 
-     return ckParam ;
- }
-@@ -1288,29 +1547,39 @@
-  */
- CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam)
- {
--    jclass jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
-+    jclass jEcdh1DeriveParamsClass;
-     CK_ECDH1_DERIVE_PARAMS ckParam;
-     jfieldID fieldID;
-     jlong jLong;
--    jobject jObject;
-+    jobject jSharedData, jPublicData;
- 
-     /* get kdf */
-+    jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
-+    if (jEcdh1DeriveParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "kdf", "J");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return ckParam; }
-     jLong = (*env)->GetLongField(env, jParam, fieldID);
-     ckParam.kdf = jLongToCKULong(jLong);
- 
-     /* get pSharedData and ulSharedDataLen */
-     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pSharedData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSharedData = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pPublicData and ulPublicDataLen */
-     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pPublicData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.kdf = jLongToCKULong(jLong);
-+    jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSharedData);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -1324,48 +1593,61 @@
-  */
- CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam)
- {
--    jclass jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
-+    jclass jEcdh2DeriveParamsClass;
-     CK_ECDH2_DERIVE_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jKdf, jPrivateDataLen, jPrivateData;
-+    jobject jSharedData, jPublicData, jPublicData2;
- 
-     /* get kdf */
-+    jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
-+    if (jEcdh2DeriveParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "kdf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.kdf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jKdf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pSharedData and ulSharedDataLen */
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pSharedData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jSharedData = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pPublicData and ulPublicDataLen */
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get ulPrivateDataLen */
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "ulPrivateDataLen", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulPrivateDataLen = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get hPrivateData */
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "hPrivateData", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.hPrivateData = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrivateData = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pPublicData2 and ulPublicDataLen2 */
-     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData2", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID);
- 
-+    /* populate java values */
-+    ckParam.kdf = jLongToCKULong(jKdf);
-+    jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSharedData);
-+        return ckParam;
-+    }
-+    ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
-+    ckParam.hPrivateData = jLongToCKULong(jPrivateData);
-+    jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pSharedData);
-+        free(ckParam.pPublicData);
-+        return ckParam;
-+    }
-     return ckParam ;
- }
- 
-@@ -1378,29 +1660,38 @@
-  */
- CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam)
- {
--    jclass jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
-+    jclass jX942Dh1DeriveParamsClass;
-     CK_X9_42_DH1_DERIVE_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jKdf;
-+    jobject jOtherInfo, jPublicData;
- 
-     /* get kdf */
-+    jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
-+    if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.kdf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jKdf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pOtherInfo and ulOtherInfoLen */
-     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pOtherInfo", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pPublicData and ulPublicDataLen */
-     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pPublicData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.kdf = jLongToCKULong(jKdf);
-+    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pOtherInfo);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-@@ -1414,47 +1705,61 @@
-  */
- CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam)
- {
--    jclass jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
-+    jclass jX942Dh2DeriveParamsClass;
-     CK_X9_42_DH2_DERIVE_PARAMS ckParam;
-     jfieldID fieldID;
--    jlong jLong;
--    jobject jObject;
-+    jlong jKdf, jPrivateDataLen, jPrivateData;
-+    jobject jOtherInfo, jPublicData, jPublicData2;
- 
-     /* get kdf */
-+    jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
-+    if (jX942Dh2DeriveParamsClass == NULL) { return ckParam; }
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "kdf", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.kdf = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jKdf = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pOtherInfo and ulOtherInfoLen */
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pOtherInfo", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get pPublicData and ulPublicDataLen */
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
- 
-     /* get ulPrivateDataLen */
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "ulPrivateDataLen", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.ulPrivateDataLen = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get hPrivateData */
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "hPrivateData", "J");
--    assert(fieldID != 0);
--    jLong = (*env)->GetLongField(env, jParam, fieldID);
--    ckParam.hPrivateData = jLongToCKULong(jLong);
-+    if (fieldID == NULL) { return ckParam; }
-+    jPrivateData = (*env)->GetLongField(env, jParam, fieldID);
- 
-     /* get pPublicData2 and ulPublicDataLen2 */
-     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData2", "[B");
--    assert(fieldID != 0);
--    jObject = (*env)->GetObjectField(env, jParam, fieldID);
--    jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
-+    if (fieldID == NULL) { return ckParam; }
-+    jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID);
-+
-+    /* populate java values */
-+    ckParam.kdf = jLongToCKULong(jKdf);
-+    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-+    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-+    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pOtherInfo);
-+        return ckParam;
-+    }
-+    ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
-+    ckParam.hPrivateData = jLongToCKULong(jPrivateData);
-+    jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckParam.pOtherInfo);
-+        free(ckParam.pPublicData);
-+        return ckParam;
-+    }
- 
-     return ckParam ;
- }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c	2014-10-08 17:30:03.986103813 +0100
-@@ -81,6 +81,7 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, &ckMechanism,
-                                         ckKeyHandle);
-@@ -126,14 +127,29 @@
- 
-     if (jInLen > MAX_STACK_BUFFER_LEN) {
-       inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+      if (inBufP == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return 0;
-+      }
-     } else {
-       inBufP = IBUF;
-     }
-     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+    if ((*env)->ExceptionCheck(env)) {
-+      if (inBufP != IBUF) { free(inBufP); }
-+      return 0;
-+    }
- 
-     ckEncryptedPartLen = jOutLen;
-     if (jOutLen > MAX_STACK_BUFFER_LEN) {
-       outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen);
-+      if (outBufP == NULL) {
-+        if (inBufP != IBUF) {
-+          free(inBufP);
-+        }
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return 0;
-+      }
-     } else {
-       outBufP = OBUF;
-     }
-@@ -193,10 +209,18 @@
-     } else {
-       if (jInLen > MAX_STACK_BUFFER_LEN) {
-         inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+        if (inBufP == NULL) {
-+          JNU_ThrowOutOfMemoryError(env, 0);
-+          return 0;
-+        }
-       } else {
-         inBufP = IBUF;
-       }
-       (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+      if ((*env)->ExceptionCheck(env)) {
-+        if (directIn == 0 && inBufP != IBUF) { free(inBufP); }
-+        return 0;
-+      }
-     }
- 
-     ckEncryptedPartLen = jOutLen;
-@@ -205,6 +229,13 @@
-     } else {
-       if (jOutLen > MAX_STACK_BUFFER_LEN) {
-         outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen);
-+        if (outBufP == NULL) {
-+          if (directIn == 0 && inBufP != IBUF) {
-+            free(inBufP);
-+          }
-+          JNU_ThrowOutOfMemoryError(env, 0);
-+          return 0;
-+        }
-       } else {
-         outBufP = OBUF;
-       }
-@@ -317,6 +348,7 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, &ckMechanism,
-                                         ckKeyHandle);
-@@ -362,14 +394,29 @@
- 
-     if (jInLen > MAX_STACK_BUFFER_LEN) {
-       inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+      if (inBufP == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return 0;
-+      }
-     } else {
-       inBufP = IBUF;
-     }
-     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+    if ((*env)->ExceptionCheck(env)) {
-+      if (inBufP != IBUF) { free(inBufP); }
-+      return 0;
-+    }
- 
-     ckPartLen = jOutLen;
-     if (jOutLen > MAX_STACK_BUFFER_LEN) {
-       outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen);
-+      if (outBufP == NULL) {
-+        if (inBufP != IBUF) {
-+          free(inBufP);
-+        }
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return 0;
-+      }
-     } else {
-       outBufP = OBUF;
-     }
-@@ -429,10 +476,18 @@
-     } else {
-       if (jInLen > MAX_STACK_BUFFER_LEN) {
-         inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+        if (inBufP == NULL) {
-+          JNU_ThrowOutOfMemoryError(env, 0);
-+          return 0;
-+        }
-       } else {
-         inBufP = IBUF;
-       }
-       (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+      if ((*env)->ExceptionCheck(env)) {
-+        if (directIn == 0 && inBufP != IBUF) { free(inBufP); }
-+        return 0;
-+      }
-     }
- 
-     ckDecryptedPartLen = jOutLen;
-@@ -441,6 +496,13 @@
-     } else {
-       if (jOutLen > MAX_STACK_BUFFER_LEN) {
-         outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen);
-+        if (outBufP == NULL) {
-+          if (directIn == 0 && inBufP != IBUF) {
-+            free(inBufP);
-+          }
-+          JNU_ThrowOutOfMemoryError(env, 0);
-+          return 0;
-+      }
-       } else {
-         outBufP = OBUF;
-       }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c	2014-10-08 17:30:03.986103813 +0100
-@@ -75,6 +75,7 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism);
- 
-@@ -82,7 +83,7 @@
-         free(ckMechanism.pParameter);
-     }
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -114,6 +115,7 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return 0; }
- 
-     rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism);
- 
-@@ -121,29 +123,32 @@
-         free(ckMechanism.pParameter);
-     }
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; }
- 
-     if (jInLen <= MAX_STACK_BUFFER_LEN) {
-         bufP = BUF;
-     } else {
-         /* always use single part op, even for large data */
--        bufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+        bufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
-+        if (bufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0;
-+        }
-     }
- 
-     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)bufP);
--    rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
--        if (bufP != BUF) {
--            free(bufP);
--        }
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (bufP != BUF) { free(bufP); }
-         return 0;
-     }
- 
--    (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF);
--
--    if (bufP != BUF) {
--        free(bufP);
-+    rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF);
-     }
-+
-+    if (bufP != BUF) { free(bufP); }
-+
-     return ckDigestLength;
- }
- #endif
-@@ -183,17 +188,23 @@
-         bufP = BUF;
-     } else {
-         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
--        bufP = (CK_BYTE_PTR)malloc((size_t)bufLen);
-+        bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
-+        if (bufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-     }
- 
-     while (jInLen > 0) {
-         jsize chunkLen = min(bufLen, jInLen);
-         (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP);
-+        if ((*env)->ExceptionCheck(env)) {
-+            if (bufP != BUF) { free(bufP); }
-+            return;
-+        }
-         rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, bufP, chunkLen);
--        if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
--            if (bufP != BUF) {
--                free(bufP);
--            }
-+        if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+            if (bufP != BUF) { free(bufP); }
-             return;
-         }
-         jInOfs += chunkLen;
-@@ -229,7 +240,7 @@
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_DigestKey)(ckSessionHandle, ckKeyHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -257,10 +268,9 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
- 
-     rv = (*ckpFunctions->C_DigestFinal)(ckSessionHandle, BUF, &ckDigestLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0 ; }
--
--    (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF);
-+    }
-     return ckDigestLength;
- }
- #endif
-@@ -288,12 +298,13 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jSeed, &ckpSeed, &ckSeedLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_SeedRandom)(ckSessionHandle, ckpSeed, ckSeedLength);
- 
-     free(ckpSeed);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -322,6 +333,7 @@
- 
-     jRandomBufferLength = (*env)->GetArrayLength(env, jRandomData);
-     jRandomBuffer = (*env)->GetByteArrayElements(env, jRandomData, NULL);
-+    if (jRandomBuffer == NULL) { return; }
- 
-     rv = (*ckpFunctions->C_GenerateRandom)(ckSessionHandle,
-                                          (CK_BYTE_PTR) jRandomBuffer,
-@@ -330,6 +342,6 @@
-     /* copy back generated bytes */
-     (*env)->ReleaseByteArrayElements(env, jRandomData, jRandomBuffer, 0);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c	2014-10-08 17:30:03.986103813 +0100
-@@ -73,7 +73,7 @@
-     CK_SESSION_HANDLE ckSessionHandle;
-     CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart;
-     CK_ULONG ckPartLength, ckEncryptedPartLength = 0;
--    jbyteArray jEncryptedPart;
-+    jbyteArray jEncryptedPart = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -81,20 +81,28 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        free(ckpPart);
-+        return NULL;
-+    }
- 
-     ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE));
-+    if (ckpEncryptedPart == NULL) {
-+        free(ckpPart);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength);
--
--    jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength);
-+    }
-     free(ckpPart);
-     free(ckpEncryptedPart);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jEncryptedPart ;
- }
- #endif
-@@ -117,7 +125,7 @@
-     CK_SESSION_HANDLE ckSessionHandle;
-     CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR;
-     CK_ULONG ckPartLength = 0, ckEncryptedPartLength;
--    jbyteArray jPart;
-+    jbyteArray jPart = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -125,19 +133,27 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        free(ckpEncryptedPart);
-+        return NULL;
-+    }
- 
-     ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE));
-+    if (ckpPart == NULL) {
-+        free(ckpEncryptedPart);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength);
--
--    jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength);
--    free(ckpPart);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength);
-+    }
-     free(ckpEncryptedPart);
--
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    free(ckpPart);
- 
-     return jPart ;
- }
-@@ -161,7 +177,7 @@
-     CK_SESSION_HANDLE ckSessionHandle;
-     CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart;
-     CK_ULONG ckPartLength, ckEncryptedPartLength = 0;
--    jbyteArray jEncryptedPart;
-+    jbyteArray jEncryptedPart = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -169,20 +185,28 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        free(ckpPart);
-+        return NULL;
-+    }
- 
-     ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE));
-+    if (ckpEncryptedPart == NULL) {
-+        free(ckpPart);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength);
--
--    jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength);
-+    }
-     free(ckpPart);
-     free(ckpEncryptedPart);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jEncryptedPart ;
- }
- #endif
-@@ -205,7 +229,7 @@
-     CK_SESSION_HANDLE ckSessionHandle;
-     CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR;
-     CK_ULONG ckPartLength = 0, ckEncryptedPartLength;
--    jbyteArray jPart;
-+    jbyteArray jPart = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -213,19 +237,28 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        free(ckpEncryptedPart);
-+        return NULL;
-+    }
- 
-     ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE));
-+    if (ckpPart == NULL) {
-+        free(ckpEncryptedPart);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength);
- 
--    jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength);
--    free(ckpPart);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength);
-+    }
-     free(ckpEncryptedPart);
--
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    free(ckpPart);
- 
-     return jPart ;
- }
-@@ -252,7 +285,7 @@
- 
-     /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */
-     rv = (*ckpFunctions->C_GetFunctionStatus)(ckSessionHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -277,6 +310,6 @@
- 
-     /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */
-     rv = (*ckpFunctions->C_CancelFunction)(ckSessionHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c	2014-10-08 17:30:03.986103813 +0100
-@@ -102,6 +102,7 @@
- 
- jclass fetchClass(JNIEnv *env, const char *name) {
-     jclass tmpClass = (*env)->FindClass(env, name);
-+    if (tmpClass == NULL) { return NULL; }
-     return (*env)->NewGlobalRef(env, tmpClass);
- }
- 
-@@ -110,14 +111,18 @@
- 
-     /* PKCS11 */
-     pNativeDataID = (*env)->GetFieldID(env, thisClass, "pNativeData", "J");
-+    if (pNativeDataID == NULL) { return; }
- 
-     /* CK_MECHANISM */
-     tmpClass = (*env)->FindClass(env, CLASS_MECHANISM);
-+    if (tmpClass == NULL) { return; }
-     mech_mechanismID = (*env)->GetFieldID(env, tmpClass, "mechanism", "J");
-+    if (mech_mechanismID == NULL) { return; }
-     mech_pParameterID = (*env)->GetFieldID(env, tmpClass, "pParameter",
-                                            "Ljava/lang/Object;");
--
-+    if (mech_pParameterID == NULL) { return; }
-     jByteArrayClass = fetchClass(env, "[B");
-+    if (jByteArrayClass == NULL) { return; }
-     jLongClass = fetchClass(env, "java/lang/Long");
- }
- 
-@@ -252,10 +257,9 @@
-     if (ckpFunctions == NULL) { return NULL; }
- 
-     rv = (*ckpFunctions->C_GetInfo)(&ckLibInfo);
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
--    jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo);
-+    }
-     return jInfoObject ;
- }
- 
-@@ -279,28 +283,31 @@
- 
-     /* load CK_INFO class */
-     jInfoClass = (*env)->FindClass(env, CLASS_INFO);
--    assert(jInfoClass != 0);
-+    if (jInfoClass == NULL) { return NULL; };
- 
-     /* load CK_INFO constructor */
-     jCtrId = (*env)->GetMethodID
-       (env, jInfoClass, "",
-        "(Lsun/security/pkcs11/wrapper/CK_VERSION;[CJ[CLsun/security/pkcs11/wrapper/CK_VERSION;)V");
--
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep all fields */
-     jCryptokiVer = ckVersionPtrToJVersion(env, &(ckpInfo->cryptokiVersion));
-+    if (jCryptokiVer == NULL) { return NULL; }
-     jVendor =
-       ckUTF8CharArrayToJCharArray(env, &(ckpInfo->manufacturerID[0]), 32);
-+    if (jVendor == NULL) { return NULL; }
-     jFlags = ckULongToJLong(ckpInfo->flags);
-     jLibraryDesc =
-       ckUTF8CharArrayToJCharArray(env, &(ckpInfo->libraryDescription[0]), 32);
-+    if (jLibraryDesc == NULL) { return NULL; }
-     jLibraryVer = ckVersionPtrToJVersion(env, &(ckpInfo->libraryVersion));
-+    if (jLibraryVer == NULL) { return NULL; }
- 
-     /* create new CK_INFO object */
-     jInfoObject = (*env)->NewObject(env, jInfoClass, jCtrId, jCryptokiVer,
-                                     jVendor, jFlags, jLibraryDesc, jLibraryVer);
--    assert(jInfoObject != 0);
-+    if (jInfoObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jInfoClass);
-@@ -343,15 +350,18 @@
-     if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
- 
-     ckpSlotList = (CK_SLOT_ID_PTR) malloc(ckTokenNumber * sizeof(CK_SLOT_ID));
-+    if (ckpSlotList == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, ckpSlotList,
-                                         &ckTokenNumber);
--
--    jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber);
-+    }
-     free(ckpSlotList);
- 
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jSlotList ;
- }
- #endif
-@@ -380,10 +390,9 @@
-     ckSlotID = jLongToCKULong(jSlotID);
- 
-     rv = (*ckpFunctions->C_GetSlotInfo)(ckSlotID, &ckSlotInfo);
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
--    jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo);
-+    }
-     return jSlotInfoObject ;
- }
- 
-@@ -410,28 +419,32 @@
- 
-     /* load CK_SLOT_INFO class */
-     jSlotInfoClass = (*env)->FindClass(env, CLASS_SLOT_INFO);
--    assert(jSlotInfoClass != 0);
-+    if (jSlotInfoClass == NULL) { return NULL; };
- 
-     /* load CK_SLOT_INFO constructor */
-     jCtrId = (*env)->GetMethodID
-       (env, jSlotInfoClass, "",
-        "([C[CJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; }
- 
-     /* prep all fields */
-     jSlotDesc =
-       ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->slotDescription[0]), 64);
-+    if (jSlotDesc == NULL) { return NULL; }
-     jVendor =
-       ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->manufacturerID[0]), 32);
-+    if (jVendor == NULL) { return NULL; }
-     jFlags = ckULongToJLong(ckpSlotInfo->flags);
-     jHardwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->hardwareVersion));
-+    if (jHardwareVer == NULL) { return NULL; }
-     jFirmwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->firmwareVersion));
-+    if (jFirmwareVer == NULL) { return NULL; }
- 
-     /* create new CK_SLOT_INFO object */
-     jSlotInfoObject = (*env)->NewObject
-       (env, jSlotInfoClass, jCtrId, jSlotDesc, jVendor, jFlags,
-        jHardwareVer, jFirmwareVer);
--    assert(jSlotInfoObject != 0);
-+    if (jSlotInfoObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jSlotInfoClass);
-@@ -460,7 +473,7 @@
- {
-     CK_SLOT_ID ckSlotID;
-     CK_TOKEN_INFO ckTokenInfo;
--    jobject jInfoTokenObject;
-+    jobject jInfoTokenObject = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -469,10 +482,9 @@
-     ckSlotID = jLongToCKULong(jSlotID);
- 
-     rv = (*ckpFunctions->C_GetTokenInfo)(ckSlotID, &ckTokenInfo);
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
--    jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo);
-+    }
-     return jInfoTokenObject ;
- }
- 
-@@ -512,21 +524,25 @@
- 
-     /* load CK_TOKEN_INFO class */
-     jTokenInfoClass = (*env)->FindClass(env, CLASS_TOKEN_INFO);
--    assert(jTokenInfoClass != 0);
-+    if (jTokenInfoClass == NULL)  { return NULL; };
- 
-     /* load CK_TOKEN_INFO constructor */
-     jCtrId = (*env)->GetMethodID
-       (env, jTokenInfoClass, "",
-        "([C[C[C[CJJJJJJJJJJJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;[C)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL)  { return NULL; };
- 
-     /* prep all fields */
-     jLabel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->label[0]), 32);
-+    if (jLabel == NULL)  { return NULL; };
-     jVendor =
-       ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->manufacturerID[0]), 32);
-+    if (jVendor == NULL)  { return NULL; };
-     jModel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->model[0]), 16);
-+    if (jModel == NULL)  { return NULL; };
-     jSerialNo =
-       ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->serialNumber[0]), 16);
-+    if (jSerialNo == NULL)  { return NULL; };
-     jFlags = ckULongToJLong(ckpTokenInfo->flags);
-     jMaxSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxSessionCount);
-     jSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulSessionCount);
-@@ -540,10 +556,13 @@
-     jFreePrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePrivateMemory);
-     jHardwareVer =
-       ckVersionPtrToJVersion(env, &(ckpTokenInfo->hardwareVersion));
-+    if (jHardwareVer == NULL) { return NULL; }
-     jFirmwareVer =
-       ckVersionPtrToJVersion(env, &(ckpTokenInfo->firmwareVersion));
-+    if (jFirmwareVer == NULL) { return NULL; }
-     jUtcTime =
-       ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->utcTime[0]), 16);
-+    if (jUtcTime == NULL) { return NULL; }
- 
-     /* create new CK_TOKEN_INFO object */
-     jTokenInfoObject =
-@@ -553,7 +572,7 @@
-                         jMaxPinLen, jMinPinLen,
-                         jTotalPubMem, jFreePubMem, jTotalPrivMem, jFreePrivMem,
-                         jHardwareVer, jFirmwareVer, jUtcTime);
--    assert(jTokenInfoObject != 0);
-+    if (jTokenInfoObject == NULL) { return NULL; }
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jTokenInfoClass);
-@@ -584,7 +603,7 @@
- {
-     CK_FLAGS ckFlags;
-     CK_SLOT_ID ckSlotID;
--    jlong jSlotID;
-+    jlong jSlotID = 0L;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -593,9 +612,9 @@
-     ckFlags = jLongToCKULong(jFlags);
- 
-     rv = (*ckpFunctions->C_WaitForSlotEvent)(ckFlags, &ckSlotID, NULL_PTR);
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L; }
--
--    jSlotID = ckULongToJLong(ckSlotID);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jSlotID = ckULongToJLong(ckSlotID);
-+    }
- 
-     return jSlotID ;
- }
-@@ -632,16 +651,19 @@
- 
-     ckpMechanismList = (CK_MECHANISM_TYPE_PTR)
-       malloc(ckMechanismNumber * sizeof(CK_MECHANISM_TYPE));
-+    if (ckpMechanismList == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, ckpMechanismList,
-                                              &ckMechanismNumber);
--
--    jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList,
--                                              ckMechanismNumber);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList,
-+                                                  ckMechanismNumber);
-+    }
-     free(ckpMechanismList);
- 
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jMechanismList ;
- }
- #endif
-@@ -663,7 +685,7 @@
-     CK_SLOT_ID ckSlotID;
-     CK_MECHANISM_TYPE ckMechanismType;
-     CK_MECHANISM_INFO ckMechanismInfo;
--    jobject jMechanismInfo;
-+    jobject jMechanismInfo = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -674,10 +696,9 @@
- 
-     rv = (*ckpFunctions->C_GetMechanismInfo)(ckSlotID, ckMechanismType,
-                                              &ckMechanismInfo);
--    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
--    jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo);
-+    }
-     return jMechanismInfo ;
- }
- 
-@@ -703,11 +724,11 @@
- 
-     /* load CK_MECHANISM_INFO class */
-     jMechanismInfoClass = (*env)->FindClass(env, CLASS_MECHANISM_INFO);
--    assert(jMechanismInfoClass != 0);
-+    if (jMechanismInfoClass == NULL) { return NULL; };
- 
-     /* load CK_MECHANISM_INFO constructor */
-     jCtrId = (*env)->GetMethodID(env, jMechanismInfoClass, "", "(JJJ)V");
--    assert(jCtrId != 0);
-+    if (jCtrId == NULL) { return NULL; };
- 
-     /* prep all fields */
-     jMinKeySize = ckULongToJLong(ckpMechanismInfo->ulMinKeySize);
-@@ -717,7 +738,7 @@
-     /* create new CK_MECHANISM_INFO object */
-     jMechanismInfoObject = (*env)->NewObject(env, jMechanismInfoClass, jCtrId,
-                                              jMinKeySize, jMaxKeySize, jFlags);
--    assert(jMechanismInfoObject != 0);
-+    if (jMechanismInfoObject == NULL) { return NULL; };
- 
-     /* free local references */
-     (*env)->DeleteLocalRef(env, jMechanismInfoClass);
-@@ -753,8 +774,13 @@
- 
-     ckSlotID = jLongToCKULong(jSlotID);
-     jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength);
--    jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-     /* ckLabelLength <= 32 !!! */
-+    jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckpPin);
-+        return;
-+    }
- 
-     rv = (*ckpFunctions->C_InitToken)(ckSlotID, ckpPin, ckPinLength, ckpLabel);
-     TRACE1("InitToken return code: %d", rv);
-@@ -790,6 +816,7 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_InitPIN)(ckSessionHandle, ckpPin, ckPinLength);
- 
-@@ -828,7 +855,12 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jCharArrayToCKCharArray(env, jOldPin, &ckpOldPin, &ckOldPinLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-     jCharArrayToCKCharArray(env, jNewPin, &ckpNewPin, &ckNewPinLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckpOldPin);
-+        return;
-+    }
- 
-     rv = (*ckpFunctions->C_SetPIN)(ckSessionHandle, ckpOldPin, ckOldPinLength,
-                                    ckpNewPin, ckNewPinLength);
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c	2014-10-08 17:30:03.990103869 +0100
-@@ -74,7 +74,7 @@
-     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-     CK_ULONG ckAttributesLength;
-     CK_OBJECT_HANDLE ckKeyHandle;
--    jlong jKeyHandle;
-+    jlong jKeyHandle = 0L;
-     CK_ULONG i;
-     CK_RV rv;
- 
-@@ -83,21 +83,23 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
--    if ((*env)->ExceptionOccurred(env)) { return 0L ; }
-+    if ((*env)->ExceptionCheck(env)) { return 0L ; }
-+
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        return 0L;
-+    }
- 
-     rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, &ckMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle);
- 
--    jKeyHandle = ckULongToJLong(ckKeyHandle);
--    for(i=0; iExceptionCheck(env)) { return NULL; }
-+
-     ckpKeyHandles = (CK_OBJECT_HANDLE_PTR) malloc(2 * sizeof(CK_OBJECT_HANDLE));
-+    if (ckpKeyHandles == NULL) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     ckpPublicKeyHandle = ckpKeyHandles;   /* first element of array is Public Key */
-     ckpPrivateKeyHandle = (ckpKeyHandles + 1);  /* second element of array is Private Key */
- 
-+    jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        free(ckpKeyHandles);
-+        return NULL;
-+    }
-+
-+    jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        free(ckpKeyHandles);
-+        freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength);
-+        return NULL;
-+    }
-+
-     rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, &ckMechanism,
-                      ckpPublicKeyAttributes, ckPublicKeyAttributesLength,
-                      ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength,
-                      ckpPublicKeyHandle, ckpPrivateKeyHandle);
- 
--    jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2);
--
--    for(i=0; iExceptionCheck(env)) { return NULL; }
-+
-     ckWrappingKeyHandle = jLongToCKULong(jWrappingKeyHandle);
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
-     if (rv == CKR_BUFFER_TOO_SMALL) {
-         ckpWrappedKey = (CK_BYTE_PTR) malloc(ckWrappedKeyLength);
-+        if (ckpWrappedKey == NULL) {
-+            if (ckMechanism.pParameter != NULL_PTR) {
-+                free(ckMechanism.pParameter);
-+            }
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-+
-         rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
-     }
-     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-         jWrappedKey = ckByteArrayToJByteArray(env, ckpWrappedKey, ckWrappedKeyLength);
-     }
- 
--    if (ckpWrappedKey != BUF) {
--        free(ckpWrappedKey);
--    }
--    if(ckMechanism.pParameter != NULL_PTR)
-+    if (ckpWrappedKey != BUF) { free(ckpWrappedKey); }
-+    if (ckMechanism.pParameter != NULL_PTR) {
-         free(ckMechanism.pParameter);
--
-+    }
-     return jWrappedKey ;
- }
- #endif
-@@ -277,7 +300,7 @@
-     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-     CK_ULONG ckAttributesLength;
-     CK_OBJECT_HANDLE ckKeyHandle;
--    jlong jKeyHandle;
-+    jlong jKeyHandle = 0L;
-     CK_ULONG i;
-     CK_RV rv;
- 
-@@ -286,37 +309,48 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return 0L; }
-+
-     ckUnwrappingKeyHandle = jLongToCKULong(jUnwrappingKeyHandle);
-     jByteArrayToCKByteArray(env, jWrappedKey, &ckpWrappedKey, &ckWrappedKeyLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        return 0L;
-+    }
-+
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        free(ckpWrappedKey);
-+        return 0L;
-+    }
-+
- 
-     rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism, ckUnwrappingKeyHandle,
-                  ckpWrappedKey, ckWrappedKeyLength,
-                  ckpAttributes, ckAttributesLength, &ckKeyHandle);
- 
--    jKeyHandle = ckLongToJLong(ckKeyHandle);
--
--    for(i=0; iFindClass(env, CLASS_MECHANISM);
--    jclass jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+    jclass jMechanismClass, jTLSPrfParamsClass;
-     CK_TLS_PRF_PARAMS *ckTLSPrfParams;
-     jobject jTLSPrfParams;
-     jfieldID fieldID;
-@@ -374,8 +407,10 @@
-     int i;
- 
-     /* get mechanism */
-+    jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM);
-+    if (jMechanismClass == NULL) { return; }
-     fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return; }
-     jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
-     ckMechanismType = jLongToCKULong(jMechanismType);
-     if (ckMechanismType != ckMechanism->mechanism) {
-@@ -388,12 +423,14 @@
-     if (ckTLSPrfParams != NULL_PTR) {
-         /* get the Java CK_TLS_PRF_PARAMS object (pParameter) */
-         fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;");
--        assert(fieldID != 0);
-+        if (fieldID == NULL) { return; }
-         jTLSPrfParams = (*env)->GetObjectField(env, jMechanism, fieldID);
- 
-         /* copy back the client IV */
-+        jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-+        if (jTLSPrfParamsClass == NULL) { return; }
-         fieldID = (*env)->GetFieldID(env, jTLSPrfParamsClass, "pOutput", "[B");
--        assert(fieldID != 0);
-+        if (fieldID == NULL) { return; }
-         jOutput = (*env)->GetObjectField(env, jTLSPrfParams, fieldID);
-         output = ckTLSPrfParams->pOutput;
- 
-@@ -402,26 +439,21 @@
-         if (jOutput != NULL) {
-             jLength = (*env)->GetArrayLength(env, jOutput);
-             jBytes = (*env)->GetByteArrayElements(env, jOutput, NULL);
-+            if (jBytes == NULL) { return; }
-+
-             /* copy the bytes to the Java buffer */
-             for (i=0; i < jLength; i++) {
-                 jBytes[i] = ckByteToJByte(output[i]);
-             }
-             /* copy back the Java buffer to the object */
-             (*env)->ReleaseByteArrayElements(env, jOutput, jBytes, 0);
--            // free malloc'd data
--            free(output);
-         }
- 
-         // free malloc'd data
--        if (ckTLSPrfParams->pSeed != NULL) {
--            free(ckTLSPrfParams->pSeed);
--        }
--        if (ckTLSPrfParams->pLabel != NULL) {
--            free(ckTLSPrfParams->pLabel);
--        }
--        if (ckTLSPrfParams->pulOutputLen != NULL) {
--            free(ckTLSPrfParams->pulOutputLen);
--        }
-+        free(ckTLSPrfParams->pSeed);
-+        free(ckTLSPrfParams->pLabel);
-+        free(ckTLSPrfParams->pulOutputLen);
-+        free(ckTLSPrfParams->pOutput);
-     }
- }
- 
-@@ -456,8 +488,16 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return 0L; }
-+
-     ckBaseKeyHandle = jLongToCKULong(jBaseKeyHandle);
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (ckMechanism.pParameter != NULL_PTR) {
-+            free(ckMechanism.pParameter);
-+        }
-+        return 0L;
-+    }
- 
-     switch (ckMechanism.mechanism) {
-     case CKM_SSL3_KEY_AND_MAC_DERIVE:
-@@ -476,14 +516,8 @@
-                  ckpAttributes, ckAttributesLength, phKey);
- 
-     jKeyHandle = ckLongToJLong(ckKeyHandle);
--    for(i=0; iFindClass(env, CLASS_MECHANISM);
--  jclass jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
--  jclass jVersionClass = (*env)->FindClass(env, CLASS_VERSION);
-+  jclass jMechanismClass, jSSL3MasterKeyDeriveParamsClass, jVersionClass;
-   CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ckSSL3MasterKeyDeriveParams;
-   CK_VERSION *ckVersion;
-   jfieldID fieldID;
-@@ -541,8 +572,10 @@
-   jobject jVersion;
- 
-   /* get mechanism */
-+  jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM);
-+  if (jMechanismClass == NULL) { return; }
-   fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J");
--  assert(fieldID != 0);
-+  if (fieldID == NULL) { return; }
-   jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
-   ckMechanismType = jLongToCKULong(jMechanismType);
-   if (ckMechanismType != ckMechanism->mechanism) {
-@@ -558,27 +591,31 @@
-     if (ckVersion != NULL_PTR) {
-       /* get the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS (pParameter) */
-       fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-+
-       jSSL3MasterKeyDeriveParams = (*env)->GetObjectField(env, jMechanism, fieldID);
- 
-       /* get the Java CK_VERSION */
-+      jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-+      if (jSSL3MasterKeyDeriveParamsClass == NULL) { return; }
-       fieldID = (*env)->GetFieldID(env, jSSL3MasterKeyDeriveParamsClass, "pVersion", "L"CLASS_VERSION";");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       jVersion = (*env)->GetObjectField(env, jSSL3MasterKeyDeriveParams, fieldID);
- 
-       /* now copy back the version from the native structure to the Java structure */
- 
-       /* copy back the major version */
-+      jVersionClass = (*env)->FindClass(env, CLASS_VERSION);
-+      if (jVersionClass == NULL) { return; }
-       fieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->major));
- 
-       /* copy back the minor version */
-       fieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->minor));
-     }
--
-   }
- }
- 
-@@ -591,9 +628,7 @@
-  */
- void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism)
- {
--  jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM);
--  jclass jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
--  jclass jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT);
-+  jclass jMechanismClass, jSSL3KeyMatParamsClass, jSSL3KeyMatOutClass;
-   CK_SSL3_KEY_MAT_PARAMS *ckSSL3KeyMatParam;
-   CK_SSL3_KEY_MAT_OUT *ckSSL3KeyMatOut;
-   jfieldID fieldID;
-@@ -608,8 +643,10 @@
-   int i;
- 
-   /* get mechanism */
-+  jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM);
-+  if (jMechanismClass == NULL) { return; }
-   fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J");
--  assert(fieldID != 0);
-+  if (fieldID == NULL) { return; }
-   jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
-   ckMechanismType = jLongToCKULong(jMechanismType);
-   if (ckMechanismType != ckMechanism->mechanism) {
-@@ -633,74 +670,78 @@
-     if (ckSSL3KeyMatOut != NULL_PTR) {
-       /* get the Java CK_SSL3_KEY_MAT_PARAMS (pParameter) */
-       fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       jSSL3KeyMatParam = (*env)->GetObjectField(env, jMechanism, fieldID);
- 
-       /* get the Java CK_SSL3_KEY_MAT_OUT */
-+      jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
-+      if (jSSL3KeyMatParamsClass == NULL) { return; }
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatParamsClass, "pReturnedKeyMaterial", "L"CLASS_SSL3_KEY_MAT_OUT";");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       jSSL3KeyMatOut = (*env)->GetObjectField(env, jSSL3KeyMatParam, fieldID);
- 
-       /* now copy back all the key handles and the initialization vectors */
-       /* copy back client MAC secret handle */
-+      jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT);
-+      if (jSSL3KeyMatOutClass == NULL) { return; }
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientMacSecret", "J");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientMacSecret));
- 
-       /* copy back server MAC secret handle */
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerMacSecret", "J");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerMacSecret));
- 
-       /* copy back client secret key handle */
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientKey", "J");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientKey));
- 
-       /* copy back server secret key handle */
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerKey", "J");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerKey));
- 
-       /* copy back the client IV */
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVClient", "[B");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID);
-       iv = ckSSL3KeyMatOut->pIVClient;
- 
-       if (jIV != NULL) {
-         jLength = (*env)->GetArrayLength(env, jIV);
-         jBytes = (*env)->GetByteArrayElements(env, jIV, NULL);
-+        if (jBytes == NULL) { return; }
-         /* copy the bytes to the Java buffer */
-         for (i=0; i < jLength; i++) {
-           jBytes[i] = ckByteToJByte(iv[i]);
-         }
-         /* copy back the Java buffer to the object */
-         (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0);
--        // free malloc'd data
--        free(iv);
-       }
-+      // free malloc'd data
-+      free(ckSSL3KeyMatOut->pIVClient);
- 
-       /* copy back the server IV */
-       fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVServer", "[B");
--      assert(fieldID != 0);
-+      if (fieldID == NULL) { return; }
-       jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID);
-       iv = ckSSL3KeyMatOut->pIVServer;
- 
-       if (jIV != NULL) {
-         jLength = (*env)->GetArrayLength(env, jIV);
-         jBytes = (*env)->GetByteArrayElements(env, jIV, NULL);
-+        if (jBytes == NULL) { return; }
-         /* copy the bytes to the Java buffer */
-         for (i=0; i < jLength; i++) {
-           jBytes[i] = ckByteToJByte(iv[i]);
-         }
-         /* copy back the Java buffer to the object */
-         (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0);
--        // free malloc'd data
--        free(iv);
-       }
--
-       // free malloc'd data
-+      free(ckSSL3KeyMatOut->pIVServer);
-       free(ckSSL3KeyMatOut);
-     }
-   }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c	2014-10-08 17:30:03.990103869 +0100
-@@ -76,7 +76,7 @@
- CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject jInitArgs)
- {
-     CK_C_INITIALIZE_ARGS_PTR ckpInitArgs;
--    jclass jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    jclass jInitArgsClass;
-     jfieldID fieldID;
-     jlong jFlags;
-     jobject jReserved;
-@@ -91,10 +91,20 @@
- 
-     /* convert the Java InitArgs object to a pointer to a CK_C_INITIALIZE_ARGS structure */
-     ckpInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS));
-+    if (ckpInitArgs == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL_PTR;
-+    }
- 
-     /* Set the mutex functions that will call the Java mutex functions, but
-      * only set it, if the field is not null.
-      */
-+    jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    if (jInitArgsClass == NULL) {
-+        free(ckpInitArgs);
-+        return NULL;
-+    }
-+
- #ifdef NO_CALLBACKS
-     ckpInitArgs->CreateMutex = NULL_PTR;
-     ckpInitArgs->DestroyMutex = NULL_PTR;
-@@ -102,22 +112,22 @@
-     ckpInitArgs->UnlockMutex = NULL_PTR;
- #else
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID);
-     ckpInitArgs->CreateMutex = (jMutexHandler != NULL) ? &callJCreateMutex : NULL_PTR;
- 
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID);
-     ckpInitArgs->DestroyMutex = (jMutexHandler != NULL) ? &callJDestroyMutex : NULL_PTR;
- 
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID);
-     ckpInitArgs->LockMutex = (jMutexHandler != NULL) ? &callJLockMutex : NULL_PTR;
- 
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID);
-     ckpInitArgs->UnlockMutex = (jMutexHandler != NULL) ? &callJUnlockMutex : NULL_PTR;
- 
-@@ -129,19 +139,25 @@
-         /* set the global object jInitArgs so that the right Java mutex functions will be called */
-         jInitArgsObject = (*env)->NewGlobalRef(env, jInitArgs);
-         ckpGlobalInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS));
-+        if (ckpGlobalInitArgs == NULL) {
-+            free(ckpInitArgs);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL_PTR;
-+        }
-+
-         memcpy(ckpGlobalInitArgs, ckpInitArgs, sizeof(CK_C_INITIALIZE_ARGS));
-     }
- #endif /* NO_CALLBACKS */
- 
-     /* convert and set the flags field */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "flags", "J");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jFlags = (*env)->GetLongField(env, jInitArgs, fieldID);
-     ckpInitArgs->flags = jLongToCKULong(jFlags);
- 
-     /* pReserved should be NULL_PTR in this version */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "pReserved", "Ljava/lang/Object;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return NULL; }
-     jReserved = (*env)->GetObjectField(env, jInitArgs, fieldID);
- 
-     /* we try to convert the reserved parameter also */
-@@ -201,20 +217,21 @@
-         wasAttached = 1;
-     }
- 
--
-     jCreateMutexClass = (*env)->FindClass(env, CLASS_CREATEMUTEX);
-+    if (jCreateMutexClass == NULL) { return rv; }
-     jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    if (jInitArgsClass == NULL) { return rv; }
- 
-     /* get the CreateMutex object out of the jInitArgs object */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return rv; }
-     jCreateMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID);
-     assert(jCreateMutex != 0);
- 
-     /* call the CK_CREATEMUTEX function of the CreateMutex object */
-     /* and get the new Java mutex object */
-     methodID = (*env)->GetMethodID(env, jCreateMutexClass, "CK_CREATEMUTEX", "()Ljava/lang/Object;");
--    assert(methodID != 0);
-+    if (methodID == NULL) { return rv; }
-     jMutex = (*env)->CallObjectMethod(env, jCreateMutex, methodID);
- 
-     /* set a global reference on the Java mutex */
-@@ -227,10 +244,13 @@
-     pkcs11Exception = (*env)->ExceptionOccurred(env);
- 
-     if (pkcs11Exception != NULL) {
-+        /* TBD: clear the pending exception with ExceptionClear? */
-         /* The was an exception thrown, now we get the error-code from it */
-         pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
-+        if (pkcs11ExceptionClass == NULL) { return rv; }
-         methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J");
--        assert(methodID != 0);
-+        if (methodID == NULL) { return rv; }
-+
-         errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID);
-         rv = jLongToCKULong(errorCode);
-     }
-@@ -292,22 +312,23 @@
-         wasAttached = 1;
-     }
- 
--
-     jDestroyMutexClass = (*env)->FindClass(env, CLASS_DESTROYMUTEX);
-+    if (jDestroyMutexClass == NULL) { return rv; }
-     jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    if (jInitArgsClass == NULL) { return rv; }
- 
-     /* convert the CK mutex to a Java mutex */
-     jMutex = ckVoidPtrToJObject(pMutex);
- 
-     /* get the DestroyMutex object out of the jInitArgs object */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return rv; }
-     jDestroyMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID);
-     assert(jDestroyMutex != 0);
- 
-     /* call the CK_DESTROYMUTEX method of the DestroyMutex object */
-     methodID = (*env)->GetMethodID(env, jDestroyMutexClass, "CK_DESTROYMUTEX", "(Ljava/lang/Object;)V");
--    assert(methodID != 0);
-+    if (methodID == NULL) { return rv; }
-     (*env)->CallVoidMethod(env, jDestroyMutex, methodID, jMutex);
- 
-     /* delete the global reference on the Java mutex */
-@@ -318,10 +339,12 @@
-     pkcs11Exception = (*env)->ExceptionOccurred(env);
- 
-     if (pkcs11Exception != NULL) {
-+        /* TBD: clear the pending exception with ExceptionClear? */
-         /* The was an exception thrown, now we get the error-code from it */
-         pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
-+        if (pkcs11ExceptionClass == NULL) { return rv; }
-         methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J");
--        assert(methodID != 0);
-+        if (methodID == NULL) { return rv; }
-         errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID);
-         rv = jLongToCKULong(errorCode);
-     }
-@@ -383,33 +406,35 @@
-         wasAttached = 1;
-     }
- 
--
-     jLockMutexClass = (*env)->FindClass(env, CLASS_LOCKMUTEX);
-+    if (jLockMutexClass == NULL) { return rv; }
-     jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    if (jInitArgsClass == NULL) { return rv; }
- 
-     /* convert the CK mutex to a Java mutex */
-     jMutex = ckVoidPtrToJObject(pMutex);
- 
-     /* get the LockMutex object out of the jInitArgs object */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return rv; }
-     jLockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID);
-     assert(jLockMutex != 0);
- 
-     /* call the CK_LOCKMUTEX method of the LockMutex object */
-     methodID = (*env)->GetMethodID(env, jLockMutexClass, "CK_LOCKMUTEX", "(Ljava/lang/Object;)V");
--    assert(methodID != 0);
-+    if (methodID == NULL) { return rv; }
-     (*env)->CallVoidMethod(env, jLockMutex, methodID, jMutex);
- 
--
-     /* check, if callback threw an exception */
-     pkcs11Exception = (*env)->ExceptionOccurred(env);
- 
-     if (pkcs11Exception != NULL) {
-+        /* TBD: clear the pending exception with ExceptionClear? */
-         /* The was an exception thrown, now we get the error-code from it */
-         pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
-+        if (pkcs11ExceptionClass == NULL) { return rv; }
-         methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J");
--        assert(methodID != 0);
-+        if (methodID == NULL) { return rv; }
-         errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID);
-         rv = jLongToCKULong(errorCode);
-     }
-@@ -471,33 +496,35 @@
-         wasAttached = 1;
-     }
- 
--
-     jUnlockMutexClass = (*env)->FindClass(env, CLASS_UNLOCKMUTEX);
-+    if (jUnlockMutexClass == NULL) { return rv; }
-     jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS);
-+    if (jInitArgsClass == NULL) { return rv; }
- 
-     /* convert the CK-type mutex to a Java mutex */
-     jMutex = ckVoidPtrToJObject(pMutex);
- 
-     /* get the UnlockMutex object out of the jInitArgs object */
-     fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;");
--    assert(fieldID != 0);
-+    if (fieldID == NULL) { return rv; }
-     jUnlockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID);
-     assert(jUnlockMutex != 0);
- 
-     /* call the CK_UNLOCKMUTEX method of the UnLockMutex object */
-     methodID = (*env)->GetMethodID(env, jUnlockMutexClass, "CK_UNLOCKMUTEX", "(Ljava/lang/Object;)V");
--    assert(methodID != 0);
-+    if (methodID == NULL) { return rv; }
-     (*env)->CallVoidMethod(env, jUnlockMutex, methodID, jMutex);
- 
--
-     /* check, if callback threw an exception */
-     pkcs11Exception = (*env)->ExceptionOccurred(env);
- 
-     if (pkcs11Exception != NULL) {
-+        /* TBD: clear the pending exception with ExceptionClear? */
-         /* The was an exception thrown, now we get the error-code from it */
-         pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
-+        if (pkcs11ExceptionClass == NULL) { return rv; }
-         methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J");
--        assert(methodID != 0);
-+        if (methodID == NULL) { return rv; }
-         errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID);
-         rv = jLongToCKULong(errorCode);
-     }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c	2014-10-08 17:30:03.990103869 +0100
-@@ -81,16 +81,14 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) { return 0L; }
- 
-     rv = (*ckpFunctions->C_CreateObject)(ckSessionHandle, ckpAttributes, ckAttributesLength, &ckObjectHandle);
- 
-     jObjectHandle = ckULongToJLong(ckObjectHandle);
--    for(i=0; iExceptionCheck(env)) { return 0L; }
- 
-     rv = (*ckpFunctions->C_CopyObject)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength, &ckNewObjectHandle);
- 
-     jNewObjectHandle = ckULongToJLong(ckNewObjectHandle);
--    for(i=0; iC_DestroyObject)(ckSessionHandle, ckObjectHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -194,7 +190,7 @@
-     ckObjectHandle = jLongToCKULong(jObjectHandle);
- 
-     rv = (*ckpFunctions->C_GetObjectSize)(ckSessionHandle, ckObjectHandle, &ckObjectSize);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; }
- 
-     jObjectSize = ckULongToJLong(ckObjectSize);
- 
-@@ -221,7 +217,7 @@
-     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-     CK_ULONG ckAttributesLength;
-     CK_ULONG ckBufferLength;
--    CK_ULONG i;
-+    CK_ULONG i, j;
-     jobject jAttribute;
-     CK_RV rv;
- 
-@@ -238,19 +234,20 @@
-     ckObjectHandle = jLongToCKULong(jObjectHandle);
-     TRACE1("jAttributeArrayToCKAttributeArray now with jTemplate = %d", jTemplate);
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     TRACE2("DEBUG: jAttributeArrayToCKAttributeArray finished with ckpAttribute = %d, Length = %d\n", ckpAttributes, ckAttributesLength);
- 
-     /* first set all pValue to NULL, to get the needed buffer length */
-     for(i = 0; i < ckAttributesLength; i++) {
--        if(ckpAttributes[i].pValue != NULL_PTR) {
-+        if (ckpAttributes[i].pValue != NULL_PTR) {
-             free(ckpAttributes[i].pValue);
-+            ckpAttributes[i].pValue = NULL_PTR;
-         }
-     }
--    for (i = 0; i < ckAttributesLength; i++) {
--        ckpAttributes[i].pValue = NULL_PTR;
--    }
-+
-     rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-         free(ckpAttributes);
-         return ;
-     }
-@@ -261,27 +258,34 @@
-     for (i = 0; i < ckAttributesLength; i++) {
-         ckBufferLength = sizeof(CK_BYTE) * ckpAttributes[i].ulValueLen;
-         ckpAttributes[i].pValue = (void *) malloc(ckBufferLength);
-+        if (ckpAttributes[i].pValue == NULL) {
-+            freeCKAttributeArray(ckpAttributes, i);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-         ckpAttributes[i].ulValueLen = ckBufferLength;
-     }
- 
-     /* now get the attributes with all values */
-     rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength);
- 
--    /* copy back the values to the Java attributes */
--    for (i = 0; i < ckAttributesLength; i++) {
--        jAttribute = ckAttributePtrToJAttribute(env, &(ckpAttributes[i]));
--        (*env)->SetObjectArrayElement(env, jTemplate, i, jAttribute);
--    }
--
--    for(i=0; iSetObjectArrayElement(env, jTemplate, i, jAttribute);
-+            if ((*env)->ExceptionCheck(env)) {
-+                freeCKAttributeArray(ckpAttributes, ckAttributesLength);
-+                return;
-+            }
-         }
-     }
--    free(ckpAttributes);
-+    freeCKAttributeArray(ckpAttributes, ckAttributesLength);
-     TRACE0("FINISHED\n");
--
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return ; }
- }
- #endif
- 
-@@ -312,15 +316,11 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     ckObjectHandle = jLongToCKULong(jObjectHandle);
-     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_SetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength);
- 
--    for(i=0; iExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_FindObjectsInit)(ckSessionHandle, ckpAttributes, ckAttributesLength);
- 
--    for(i=0; iC_FindObjects)(ckSessionHandle, ckpObjectHandleArray, ckMaxObjectLength, &ckActualObjectCount);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount);
-+    }
- 
--    jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount);
-     free(ckpObjectHandleArray);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jObjectHandleArray ;
- }
- #endif
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c	2014-10-08 17:30:03.990103869 +0100
-@@ -97,6 +97,10 @@
- #ifndef NO_CALLBACKS
-     if (jNotify != NULL) {
-         notifyEncapsulation = (NotifyEncapsulation *) malloc(sizeof(NotifyEncapsulation));
-+        if (notifyEncapsulation == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0L;
-+        }
-         notifyEncapsulation->jApplicationData = (jApplication != NULL)
-                 ? (*env)->NewGlobalRef(env, jApplication)
-                 : NULL;
-@@ -118,7 +122,18 @@
-     TRACE0(" ... ");
- 
-     rv = (*ckpFunctions->C_OpenSession)(ckSlotID, ckFlags, ckpApplication, ckNotify, &ckSessionHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+#ifndef NO_CALLBACKS
-+        if (notifyEncapsulation != NULL) {
-+            if (notifyEncapsulation->jApplicationData != NULL) {
-+                (*env)->DeleteGlobalRef(env, jApplication);
-+            }
-+            (*env)->DeleteGlobalRef(env, jNotify);
-+            free(notifyEncapsulation);
-+        }
-+#endif /* NO_CALLBACKS */
-+        return 0L;
-+    }
- 
-     TRACE0("got session");
-     TRACE1(", SessionHandle=%u", ckSessionHandle);
-@@ -163,7 +178,7 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
- 
-     rv = (*ckpFunctions->C_CloseSession)(ckSessionHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- 
- #ifndef NO_CALLBACKS
-     notifyEncapsulation = removeNotifyEntry(env, ckSessionHandle);
-@@ -208,7 +223,7 @@
-     ckSlotID = jLongToCKULong(jSlotID);
- 
-     rv = (*ckpFunctions->C_CloseAllSessions)(ckSlotID);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- 
- #ifndef NO_CALLBACKS
-     /* Remove all notify callback helper objects. */
-@@ -250,10 +265,9 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
- 
-     rv = (*ckpFunctions->C_GetSessionInfo)(ckSessionHandle, &ckSessionInfo);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
--    jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo);
--
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo);
-+    }
-     return jSessionInfo ;
- }
- #endif
-@@ -274,7 +288,7 @@
-     CK_SESSION_HANDLE ckSessionHandle;
-     CK_BYTE_PTR ckpState;
-     CK_ULONG ckStateLength;
--    jbyteArray jState;
-+    jbyteArray jState = NULL;
-     CK_RV rv;
- 
-     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
-@@ -283,17 +297,20 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
- 
-     rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, NULL_PTR, &ckStateLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
- 
-     ckpState = (CK_BYTE_PTR) malloc(ckStateLength);
-+    if (ckpState == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, ckpState, &ckStateLength);
--
--    jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength);
-+    }
-     free(ckpState);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jState ;
- }
- #endif
-@@ -325,6 +342,8 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jOperationState, &ckpState, &ckStateLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     ckEncryptionKeyHandle = jLongToCKULong(jEncryptionKeyHandle);
-     ckAuthenticationKeyHandle = jLongToCKULong(jAuthenticationKeyHandle);
- 
-@@ -332,7 +351,7 @@
- 
-     free(ckpState);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -362,12 +381,13 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     ckUserType = jLongToCKULong(jUserType);
-     jCharArrayToCKCharArray(env, jPin, &ckpPinArray, &ckPinLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     rv = (*ckpFunctions->C_Login)(ckSessionHandle, ckUserType, ckpPinArray, ckPinLength);
- 
-     free(ckpPinArray);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -391,7 +411,7 @@
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
- 
-     rv = (*ckpFunctions->C_Logout)(ckSessionHandle);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -410,10 +430,14 @@
-     NotifyListNode *currentNode, *newNode;
- 
-     if (notifyEncapsulation == NULL) {
--        return ;
-+        return;
-     }
- 
-     newNode = (NotifyListNode *) malloc(sizeof(NotifyListNode));
-+    if (newNode == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     newNode->hSession = hSession;
-     newNode->notifyEncapsulation = notifyEncapsulation;
-     newNode->next = NULL;
-@@ -578,9 +602,10 @@
-     jEvent = ckULongToJLong(event);
- 
-     ckNotifyClass = (*env)->FindClass(env, CLASS_NOTIFY);
--    assert(ckNotifyClass != 0);
-+    if (ckNotifyClass == NULL) { return rv; }
-     jmethod = (*env)->GetMethodID(env, ckNotifyClass, "CK_NOTIFY", "(JJLjava/lang/Object;)V");
--    assert(jmethod != 0);
-+    if (jmethod == NULL) { return rv; }
-+
-     (*env)->CallVoidMethod(env, notifyEncapsulation->jNotifyObject, jmethod,
-                          jSessionHandle, jEvent, notifyEncapsulation->jApplicationData);
- 
-@@ -588,10 +613,14 @@
-     pkcs11Exception = (*env)->ExceptionOccurred(env);
- 
-     if (pkcs11Exception != NULL) {
-+        /* TBD: clear the pending exception with ExceptionClear? */
-         /* The was an exception thrown, now we get the error-code from it */
-         pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
-+        if (pkcs11ExceptionClass == NULL) { return rv; }
-+
-         jmethod = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J");
--        assert(jmethod != 0);
-+        if (jmethod == NULL) { return rv; }
-+
-         errorCode = (*env)->CallLongMethod(env, pkcs11Exception, jmethod);
-         rv = jLongToCKULong(errorCode);
-     }
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c	2014-10-08 17:30:03.990103869 +0100
-@@ -77,15 +77,16 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
- 
--    if(ckMechanism.pParameter != NULL_PTR) {
-+    if (ckMechanism.pParameter != NULL_PTR) {
-         free(ckMechanism.pParameter);
-     }
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -117,14 +118,23 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength);
-+    if ((*env)->ExceptionCheck(env)) { return NULL; }
- 
-     /* START standard code */
- 
-     /* first determine the length of the signature */
-     rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, NULL_PTR, &ckSignatureLength);
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        free(ckpData);
-+        return NULL;
-+    }
- 
-     ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
-+    if (ckpSignature == NULL) {
-+        free(ckpData);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
- 
-     /* now get the signature */
-     rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
-@@ -134,22 +144,31 @@
-     /* START workaround code for operation abort bug in pkcs#11 of Datakey and iButton */
- /*
-     ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE));
-+    if (ckpSignature == NULL) {
-+        free(ckpData);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
- 
-     if (rv == CKR_BUFFER_TOO_SMALL) {
-         free(ckpSignature);
-         ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
-+        if (ckpSignature == NULL) {
-+            free(ckpData);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
-     }
-  */
-     /* END workaround code */
--
--    jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength);
-+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-+        jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength);
-+    }
-     free(ckpData);
-     free(ckpSignature);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; }
--
-     return jSignature ;
- }
- #endif
-@@ -189,14 +208,22 @@
-         bufP = BUF;
-     } else {
-         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
--        bufP = (CK_BYTE_PTR)malloc((size_t)bufLen);
-+        bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
-+        if (bufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-     }
- 
-     while (jInLen > 0) {
-         jsize chunkLen = min(bufLen, jInLen);
-         (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP);
-+        if ((*env)->ExceptionCheck(env)) {
-+            if (bufP != BUF) { free(bufP); }
-+            return;
-+        }
-         rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, bufP, chunkLen);
--        if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+        if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-             if (bufP != BUF) {
-                 free(bufP);
-             }
-@@ -206,9 +233,7 @@
-         jInLen -= chunkLen;
-     }
- 
--    if (bufP != BUF) {
--        free(bufP);
--    }
-+    if (bufP != BUF) { free(bufP); }
- }
- #endif
- 
-@@ -244,15 +269,18 @@
-     rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength);
-     if (rv == CKR_BUFFER_TOO_SMALL) {
-         bufP = (CK_BYTE_PTR) malloc(ckSignatureLength);
-+        if (bufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength);
-     }
-     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-         jSignature = ckByteArrayToJByteArray(env, bufP, ckSignatureLength);
-     }
- 
--    if (bufP != BUF) {
--        free(bufP);
--    }
-+    if (bufP != BUF) { free(bufP); }
-+
-     return jSignature;
- }
- #endif
-@@ -280,11 +308,13 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
- 
--    if(ckMechanism.pParameter != NULL_PTR) {
-+    if (ckMechanism.pParameter != NULL_PTR) {
-         free(ckMechanism.pParameter);
-     }
- 
-@@ -323,26 +353,38 @@
-     if (jInLen <= MAX_STACK_BUFFER_LEN) {
-         inBufP = INBUF;
-     } else {
--        inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+        inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
-+        if (inBufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0;
-+        }
-     }
- 
-     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (inBufP != INBUF) { free(inBufP); }
-+        return 0;
-+    }
-     rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength);
-     /* re-alloc larger buffer if it fits into our Java buffer */
-     if ((rv == CKR_BUFFER_TOO_SMALL) && (ckSignatureLength <= jIntToCKULong(jOutLen))) {
-         outBufP = (CK_BYTE_PTR) malloc(ckSignatureLength);
-+        if (outBufP == NULL) {
-+            if (inBufP != INBUF) {
-+                free(inBufP);
-+            }
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0;
-+        }
-         rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength);
-     }
-     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-         (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckSignatureLength, (jbyte *)outBufP);
-     }
- 
--    if (inBufP != INBUF) {
--        free(inBufP);
--    }
--    if (outBufP != OUTBUF) {
--        free(outBufP);
--    }
-+    if (inBufP != INBUF) { free(inBufP); }
-+    if (outBufP != OUTBUF) { free(outBufP); }
-+
-     return ckSignatureLength;
- }
- #endif
-@@ -370,6 +412,8 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
-@@ -378,7 +422,7 @@
-         free(ckMechanism.pParameter);
-     }
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -409,7 +453,13 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(ckpData);
-+        return;
-+    }
- 
-     /* verify the signature */
-     rv = (*ckpFunctions->C_Verify)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, ckSignatureLength);
-@@ -417,7 +467,7 @@
-     free(ckpData);
-     free(ckpSignature);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -456,26 +506,31 @@
-         bufP = BUF;
-     } else {
-         bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen);
--        bufP = (CK_BYTE_PTR)malloc((size_t)bufLen);
-+        bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
-+        if (bufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-     }
- 
-     while (jInLen > 0) {
-         jsize chunkLen = min(bufLen, jInLen);
-         (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP);
-+        if ((*env)->ExceptionCheck(env)) {
-+            if (bufP != BUF) { free(bufP); }
-+            return;
-+        }
-+
-         rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, bufP, chunkLen);
--        if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
--            if (bufP != BUF) {
--                free(bufP);
--            }
-+        if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-+            if (bufP != BUF) { free(bufP); }
-             return;
-         }
-         jInOfs += chunkLen;
-         jInLen -= chunkLen;
-     }
- 
--    if (bufP != BUF) {
--        free(bufP);
--    }
-+    if (bufP != BUF) { free(bufP); }
- }
- #endif
- 
-@@ -502,13 +557,14 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength);
-+    if ((*env)->ExceptionCheck(env)) { return; }
- 
-     /* verify the signature */
-     rv = (*ckpFunctions->C_VerifyFinal)(ckSessionHandle, ckpSignature, ckSignatureLength);
- 
-     free(ckpSignature);
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -535,15 +591,17 @@
- 
-     ckSessionHandle = jLongToCKULong(jSessionHandle);
-     jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-+    if ((*env)->ExceptionCheck(env)) { return; }
-+
-     ckKeyHandle = jLongToCKULong(jKeyHandle);
- 
-     rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
- 
--    if(ckMechanism.pParameter != NULL_PTR) {
-+    if (ckMechanism.pParameter != NULL_PTR) {
-         free(ckMechanism.pParameter);
-     }
- 
--    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
-+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
- }
- #endif
- 
-@@ -578,26 +636,38 @@
-     if (jInLen <= MAX_STACK_BUFFER_LEN) {
-         inBufP = INBUF;
-     } else {
--        inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen);
-+        inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
-+        if (inBufP == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0;
-+        }
-     }
- 
-     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
-+    if ((*env)->ExceptionCheck(env)) {
-+        if (inBufP != INBUF) { free(inBufP); }
-+        return 0;
-+    }
-+
-     rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength);
-+
-     /* re-alloc larger buffer if it fits into our Java buffer */
-     if ((rv == CKR_BUFFER_TOO_SMALL) && (ckDataLength <= jIntToCKULong(jOutLen))) {
-         outBufP = (CK_BYTE_PTR) malloc(ckDataLength);
-+        if (outBufP == NULL) {
-+            if (inBufP != INBUF) { free(inBufP); }
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return 0;
-+        }
-         rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength);
-     }
-     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-         (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckDataLength, (jbyte *)outBufP);
-     }
- 
--    if (inBufP != INBUF) {
--        free(inBufP);
--    }
--    if (outBufP != OUTBUF) {
--        free(outBufP);
--    }
-+    if (inBufP != INBUF) { free(inBufP); }
-+    if (outBufP != OUTBUF) { free(outBufP); }
-+
-     return ckDataLength;
- }
- #endif
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c	2014-10-08 17:30:03.990103869 +0100
-@@ -73,11 +73,11 @@
-     jmethodID jConstructor;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Object");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jConstructor = (*env)->GetMethodID(env, jObjectClass, "", "()V");
--    assert(jConstructor != 0);
-+    if (jConstructor == NULL) { return NULL; }
-     jLockObject = (*env)->NewObject(env, jObjectClass, jConstructor);
--    assert(jLockObject != 0);
-+    if (jLockObject == NULL) { return NULL; }
-     jLockObject = (*env)->NewGlobalRef(env, jLockObject);
- 
-     return jLockObject ;
-@@ -200,84 +200,30 @@
-         return 0L ;
-     } else {
-         jPKCS11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION);
--        assert(jPKCS11ExceptionClass != 0);
--        jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "", "(J)V");
--        assert(jConstructor != 0);
--        jErrorCode = ckULongToJLong(returnValue);
--        jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode);
--        (*env)->Throw(env, jPKCS11Exception);
-+        if (jPKCS11ExceptionClass != NULL) {
-+            jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "", "(J)V");
-+            if (jConstructor != NULL) {
-+                jErrorCode = ckULongToJLong(returnValue);
-+                jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode);
-+                if (jPKCS11Exception != NULL) {
-+                    (*env)->Throw(env, jPKCS11Exception);
-+                }
-+            }
-+        }
-+        (*env)->DeleteLocalRef(env, jPKCS11ExceptionClass);
-         return jErrorCode ;
-     }
- }
- 
- /*
-- * this function simply throws a FileNotFoundException
-- *
-- * @param env Used to call JNI funktions and to get the Exception class.
-- * @param jmessage The message string of the Exception object.
-- */
--void throwFileNotFoundException(JNIEnv *env, jstring jmessage)
--{
--    jclass jFileNotFoundExceptionClass;
--    jmethodID jConstructor;
--    jthrowable jFileNotFoundException;
--
--    jFileNotFoundExceptionClass = (*env)->FindClass(env, CLASS_FILE_NOT_FOUND_EXCEPTION);
--    assert(jFileNotFoundExceptionClass != 0);
--
--    jConstructor = (*env)->GetMethodID(env, jFileNotFoundExceptionClass, "", "(Ljava/lang/String;)V");
--    assert(jConstructor != 0);
--    jFileNotFoundException = (jthrowable) (*env)->NewObject(env, jFileNotFoundExceptionClass, jConstructor, jmessage);
--    (*env)->Throw(env, jFileNotFoundException);
--}
--
--/*
-- * this function simply throws an IOException
-+ * This function simply throws an IOException
-  *
-  * @param env Used to call JNI funktions and to get the Exception class.
-  * @param message The message string of the Exception object.
-  */
--void throwIOException(JNIEnv *env, const char * message)
-+void throwIOException(JNIEnv *env, const char *message)
- {
--    jclass jIOExceptionClass;
--
--    jIOExceptionClass = (*env)->FindClass(env, CLASS_IO_EXCEPTION);
--    assert(jIOExceptionClass != 0);
--
--    (*env)->ThrowNew(env, jIOExceptionClass, message);
--}
--
--/*
-- * this function simply throws an IOException and takes a unicode
-- * messge.
-- *
-- * @param env Used to call JNI funktions and to get the Exception class.
-- * @param message The unicode message string of the Exception object.
-- */
--void throwIOExceptionUnicodeMessage(JNIEnv *env, const short *message)
--{
--    jclass jIOExceptionClass;
--    jmethodID jConstructor;
--    jthrowable jIOException;
--    jstring jmessage;
--    jsize length;
--    short *currentCharacter;
--
--    jIOExceptionClass = (*env)->FindClass(env, CLASS_IO_EXCEPTION);
--    assert(jIOExceptionClass != 0);
--
--    length = 0;
--    if (message != NULL) {
--        currentCharacter = (short *) message;
--        while (*(currentCharacter++) != 0) length++;
--    }
--
--    jmessage = (*env)->NewString(env, (const jchar *)message, length);
--
--    jConstructor = (*env)->GetMethodID(env, jIOExceptionClass, "", "(Ljava/lang/String;)V");
--    assert(jConstructor != 0);
--    jIOException = (jthrowable) (*env)->NewObject(env, jIOExceptionClass, jConstructor, jmessage);
--    (*env)->Throw(env, jIOException);
-+    JNU_ThrowByName(env, CLASS_IO_EXCEPTION, message);
- }
- 
- /*
-@@ -288,26 +234,9 @@
-  * @param env Used to call JNI funktions and to get the Exception class.
-  * @param jmessage The message string of the Exception object.
-  */
--void throwPKCS11RuntimeException(JNIEnv *env, jstring jmessage)
-+void throwPKCS11RuntimeException(JNIEnv *env, const char *message)
- {
--    jclass jPKCS11RuntimeExceptionClass;
--    jmethodID jConstructor;
--    jthrowable jPKCS11RuntimeException;
--
--    jPKCS11RuntimeExceptionClass = (*env)->FindClass(env, CLASS_PKCS11RUNTIMEEXCEPTION);
--    assert(jPKCS11RuntimeExceptionClass != 0);
--
--    if (jmessage == NULL) {
--        jConstructor = (*env)->GetMethodID(env, jPKCS11RuntimeExceptionClass, "", "()V");
--        assert(jConstructor != 0);
--        jPKCS11RuntimeException = (jthrowable) (*env)->NewObject(env, jPKCS11RuntimeExceptionClass, jConstructor);
--        (*env)->Throw(env, jPKCS11RuntimeException);
--    } else {
--        jConstructor = (*env)->GetMethodID(env, jPKCS11RuntimeExceptionClass, "", "(Ljava/lang/String;)V");
--        assert(jConstructor != 0);
--        jPKCS11RuntimeException = (jthrowable) (*env)->NewObject(env, jPKCS11RuntimeExceptionClass, jConstructor, jmessage);
--        (*env)->Throw(env, jPKCS11RuntimeException);
--    }
-+    JNU_ThrowByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message);
- }
- 
- /*
-@@ -318,9 +247,24 @@
-  */
- void throwDisconnectedRuntimeException(JNIEnv *env)
- {
--    jstring jExceptionMessage = (*env)->NewStringUTF(env, "This object is not connected to a module.");
-+    throwPKCS11RuntimeException(env, "This object is not connected to a module.");
-+}
- 
--    throwPKCS11RuntimeException(env, jExceptionMessage);
-+/* This function frees the specified CK_ATTRIBUTE array.
-+ *
-+ * @param attrPtr pointer to the to-be-freed CK_ATTRIBUTE array.
-+ * @param len the length of the array
-+ */
-+void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len)
-+{
-+    int i;
-+
-+    for (i=0; iGetArrayLength(env, jArray);
-     jpTemp = (jboolean*) malloc((*ckpLength) * sizeof(jboolean));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     (*env)->GetBooleanArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(jpTemp);
-+        return;
-+    }
-+
-     *ckpArray = (CK_BBOOL*) malloc ((*ckpLength) * sizeof(CK_BBOOL));
-+    if (*ckpArray == NULL) {
-+        free(jpTemp);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     for (i=0; i<(*ckpLength); i++) {
-         (*ckpArray)[i] = jBooleanToCKBBool(jpTemp[i]);
-     }
-@@ -403,13 +361,26 @@
-     }
-     *ckpLength = (*env)->GetArrayLength(env, jArray);
-     jpTemp = (jbyte*) malloc((*ckpLength) * sizeof(jbyte));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     (*env)->GetByteArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(jpTemp);
-+        return;
-+    }
- 
-     /* if CK_BYTE is the same size as jbyte, we save an additional copy */
-     if (sizeof(CK_BYTE) == sizeof(jbyte)) {
-         *ckpArray = (CK_BYTE_PTR) jpTemp;
-     } else {
-         *ckpArray = (CK_BYTE_PTR) malloc ((*ckpLength) * sizeof(CK_BYTE));
-+        if (*ckpArray == NULL) {
-+            free(jpTemp);
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return;
-+        }
-         for (i=0; i<(*ckpLength); i++) {
-             (*ckpArray)[i] = jByteToCKByte(jpTemp[i]);
-         }
-@@ -437,8 +408,22 @@
-     }
-     *ckpLength = (*env)->GetArrayLength(env, jArray);
-     jTemp = (jlong*) malloc((*ckpLength) * sizeof(jlong));
-+    if (jTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     (*env)->GetLongArrayRegion(env, jArray, 0, *ckpLength, jTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(jTemp);
-+        return;
-+    }
-+
-     *ckpArray = (CK_ULONG_PTR) malloc (*ckpLength * sizeof(CK_ULONG));
-+    if (*ckpArray == NULL) {
-+        free(jTemp);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     for (i=0; i<(*ckpLength); i++) {
-         (*ckpArray)[i] = jLongToCKULong(jTemp[i]);
-     }
-@@ -465,8 +450,22 @@
-     }
-     *ckpLength = (*env)->GetArrayLength(env, jArray);
-     jpTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jpTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(jpTemp);
-+        return;
-+    }
-+
-     *ckpArray = (CK_CHAR_PTR) malloc (*ckpLength * sizeof(CK_CHAR));
-+    if (*ckpArray == NULL) {
-+        free(jpTemp);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     for (i=0; i<(*ckpLength); i++) {
-         (*ckpArray)[i] = jCharToCKChar(jpTemp[i]);
-     }
-@@ -493,8 +492,22 @@
-     }
-     *ckpLength = (*env)->GetArrayLength(env, jArray);
-     jTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar));
-+    if (jTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jTemp);
-+    if ((*env)->ExceptionCheck(env)) {
-+        free(jTemp);
-+        return;
-+    }
-+
-     *ckpArray = (CK_UTF8CHAR_PTR) malloc (*ckpLength * sizeof(CK_UTF8CHAR));
-+    if (*ckpArray == NULL) {
-+        free(jTemp);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     for (i=0; i<(*ckpLength); i++) {
-         (*ckpArray)[i] = jCharToCKUTF8Char(jTemp[i]);
-     }
-@@ -521,8 +534,15 @@
-     }
- 
-     pCharArray = (*env)->GetStringUTFChars(env, jArray, &isCopy);
-+    if (pCharArray == NULL) { return; }
-+
-     *ckpLength = strlen(pCharArray);
-     *ckpArray = (CK_UTF8CHAR_PTR) malloc((*ckpLength + 1) * sizeof(CK_UTF8CHAR));
-+    if (*ckpArray == NULL) {
-+        (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     strcpy((char*)*ckpArray, pCharArray);
-     (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray);
- }
-@@ -552,55 +572,36 @@
-     jLength = (*env)->GetArrayLength(env, jArray);
-     *ckpLength = jLongToCKULong(jLength);
-     *ckpArray = (CK_ATTRIBUTE_PTR) malloc(*ckpLength * sizeof(CK_ATTRIBUTE));
-+    if (*ckpArray == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-+    }
-     TRACE1(", converting %d attibutes", jLength);
-     for (i=0; i<(*ckpLength); i++) {
-         TRACE1(", getting %d. attibute", i);
-         jAttribute = (*env)->GetObjectArrayElement(env, jArray, i);
-+        if ((*env)->ExceptionCheck(env)) {
-+            freeCKAttributeArray(*ckpArray, i);
-+            return;
-+        }
-         TRACE1(", jAttribute = %d", jAttribute);
-         TRACE1(", converting %d. attibute", i);
-         (*ckpArray)[i] = jAttributeToCKAttribute(env, jAttribute);
-+        if ((*env)->ExceptionCheck(env)) {
-+            freeCKAttributeArray(*ckpArray, i);
-+            return;
-+        }
-     }
-     TRACE0("FINISHED\n");
- }
- 
- /*
-- * converts a jobjectArray to a CK_VOID_PTR array. The allocated memory has to be freed after
-- * use!
-- * NOTE: this function does not work and is not used yet
-- *
-- * @param env - used to call JNI funktions to get the array informtaion
-- * @param jArray - the Java object array to convert
-- * @param ckpArray - the reference, where the pointer to the new CK_VOID_PTR array will be stored
-- * @param ckpLength - the reference, where the array length will be stored
-- */
--/*
--void jObjectArrayToCKVoidPtrArray(JNIEnv *env, const jobjectArray jArray, CK_VOID_PTR_PTR *ckpArray, CK_ULONG_PTR ckpLength)
--{
--    jobject jTemp;
--    CK_ULONG i;
--
--    if(jArray == NULL) {
--        *ckpArray = NULL_PTR;
--        *ckpLength = 0L;
--        return;
--    }
--    *ckpLength = (*env)->GetArrayLength(env, jArray);
--    *ckpArray = (CK_VOID_PTR_PTR) malloc (*ckpLength * sizeof(CK_VOID_PTR));
--    for (i=0; i<(*ckpLength); i++) {
--        jTemp = (*env)->GetObjectArrayElement(env, jArray, i);
--        (*ckpArray)[i] = jObjectToCKVoidPtr(jTemp);
--    }
--    free(jTemp);
--}
--*/
--
--/*
-  * converts a CK_BYTE array and its length to a jbyteArray.
-  *
-  * @param env - used to call JNI funktions to create the new Java array
-  * @param ckpArray - the pointer to the CK_BYTE array to convert
-  * @param ckpLength - the length of the array to convert
-- * @return - the new Java byte array
-+ * @return - the new Java byte array or NULL if error occurred
-  */
- jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength)
- {
-@@ -613,18 +614,22 @@
-         jpTemp = (jbyte*) ckpArray;
-     } else {
-         jpTemp = (jbyte*) malloc((ckLength) * sizeof(jbyte));
-+        if (jpTemp == NULL) {
-+            JNU_ThrowOutOfMemoryError(env, 0);
-+            return NULL;
-+        }
-         for (i=0; iNewByteArray(env, ckULongToJSize(ckLength));
--    (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
--
--    if (sizeof(CK_BYTE) != sizeof(jbyte)) {
--        free(jpTemp);
-+    if (jArray != NULL) {
-+        (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-     }
- 
-+    if (sizeof(CK_BYTE) != sizeof(jbyte)) { free(jpTemp); }
-+
-     return jArray ;
- }
- 
-@@ -643,11 +648,17 @@
-     jlongArray jArray;
- 
-     jpTemp = (jlong*) malloc((ckLength) * sizeof(jlong));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     for (i=0; iNewLongArray(env, ckULongToJSize(ckLength));
--    (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    if (jArray != NULL) {
-+        (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    }
-     free(jpTemp);
- 
-     return jArray ;
-@@ -668,11 +679,17 @@
-     jcharArray jArray;
- 
-     jpTemp = (jchar*) malloc(ckLength * sizeof(jchar));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     for (i=0; iNewCharArray(env, ckULongToJSize(ckLength));
--    (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    if (jArray != NULL) {
-+        (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    }
-     free(jpTemp);
- 
-     return jArray ;
-@@ -693,11 +710,17 @@
-     jcharArray jArray;
- 
-     jpTemp = (jchar*) malloc(ckLength * sizeof(jchar));
-+    if (jpTemp == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     for (i=0; iNewCharArray(env, ckULongToJSize(ckLength));
--    (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    if (jArray != NULL) {
-+        (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp);
-+    }
-     free(jpTemp);
- 
-     return jArray ;
-@@ -736,12 +759,11 @@
-     jboolean jValue;
- 
-     jValueObjectClass = (*env)->FindClass(env, "java/lang/Boolean");
--    assert(jValueObjectClass != 0);
-+    if (jValueObjectClass == NULL) { return NULL; }
-     jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(Z)V");
--    assert(jConstructor != 0);
-+    if (jConstructor == NULL) { return NULL; }
-     jValue = ckBBoolToJBoolean(*ckpValue);
-     jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue);
--    assert(jValueObject != 0);
- 
-     return jValueObject ;
- }
-@@ -761,12 +783,11 @@
-     jlong jValue;
- 
-     jValueObjectClass = (*env)->FindClass(env, "java/lang/Long");
--    assert(jValueObjectClass != 0);
-+    if (jValueObjectClass == NULL) { return NULL; }
-     jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "", "(J)V");
--    assert(jConstructor != 0);
-+    if (jConstructor == NULL) { return NULL; }
-     jValue = ckULongToJLong(*ckpValue);
-     jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue);
--    assert(jValueObject != 0);
- 
-     return jValueObject ;
- }
-@@ -787,11 +808,15 @@
-     CK_BBOOL *ckpValue;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Boolean");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jValueMethod = (*env)->GetMethodID(env, jObjectClass, "booleanValue", "()Z");
--    assert(jValueMethod != 0);
-+    if (jValueMethod == NULL) { return NULL; }
-     jValue = (*env)->CallBooleanMethod(env, jObject, jValueMethod);
-     ckpValue = (CK_BBOOL *) malloc(sizeof(CK_BBOOL));
-+    if (ckpValue == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     *ckpValue = jBooleanToCKBBool(jValue);
- 
-     return ckpValue ;
-@@ -813,13 +838,16 @@
-     CK_BYTE_PTR ckpValue;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Byte");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jValueMethod = (*env)->GetMethodID(env, jObjectClass, "byteValue", "()B");
--    assert(jValueMethod != 0);
-+    if (jValueMethod == NULL) { return NULL; }
-     jValue = (*env)->CallByteMethod(env, jObject, jValueMethod);
-     ckpValue = (CK_BYTE_PTR) malloc(sizeof(CK_BYTE));
-+    if (ckpValue == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     *ckpValue = jByteToCKByte(jValue);
--
-     return ckpValue ;
- }
- 
-@@ -839,13 +867,16 @@
-     CK_ULONG *ckpValue;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Integer");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jValueMethod = (*env)->GetMethodID(env, jObjectClass, "intValue", "()I");
--    assert(jValueMethod != 0);
-+    if (jValueMethod == NULL) { return NULL; }
-     jValue = (*env)->CallIntMethod(env, jObject, jValueMethod);
-     ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG));
-+    if (ckpValue == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     *ckpValue = jLongToCKLong(jValue);
--
-     return ckpValue ;
- }
- 
-@@ -865,11 +896,15 @@
-     CK_ULONG *ckpValue;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Long");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jValueMethod = (*env)->GetMethodID(env, jObjectClass, "longValue", "()J");
--    assert(jValueMethod != 0);
-+    if (jValueMethod == NULL) { return NULL; }
-     jValue = (*env)->CallLongMethod(env, jObject, jValueMethod);
-     ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG));
-+    if (ckpValue == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     *ckpValue = jLongToCKULong(jValue);
- 
-     return ckpValue ;
-@@ -891,11 +926,15 @@
-     CK_CHAR_PTR ckpValue;
- 
-     jObjectClass = (*env)->FindClass(env, "java/lang/Char");
--    assert(jObjectClass != 0);
-+    if (jObjectClass == NULL) { return NULL; }
-     jValueMethod = (*env)->GetMethodID(env, jObjectClass, "charValue", "()C");
--    assert(jValueMethod != 0);
-+    if (jValueMethod == NULL) { return NULL; }
-     jValue = (*env)->CallCharMethod(env, jObject, jValueMethod);
-     ckpValue = (CK_CHAR_PTR) malloc(sizeof(CK_CHAR));
-+    if (ckpValue == NULL) {
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return NULL;
-+    }
-     *ckpValue = jCharToCKChar(jValue);
- 
-     return ckpValue ;
-@@ -913,124 +952,172 @@
-  */
- void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *ckpLength)
- {
--    jclass jBooleanClass     = (*env)->FindClass(env, "java/lang/Boolean");
--    jclass jByteClass        = (*env)->FindClass(env, "java/lang/Byte");
--    jclass jCharacterClass   = (*env)->FindClass(env, "java/lang/Character");
--    jclass jClassClass = (*env)->FindClass(env, "java/lang/Class");
--    /* jclass jShortClass       = (*env)->FindClass(env, "java/lang/Short"); */
--    jclass jIntegerClass     = (*env)->FindClass(env, "java/lang/Integer");
--    jclass jLongClass        = (*env)->FindClass(env, "java/lang/Long");
--    /* jclass jFloatClass       = (*env)->FindClass(env, "java/lang/Float"); */
--    /* jclass jDoubleClass      = (*env)->FindClass(env, "java/lang/Double"); */
--    jclass jDateClass      = (*env)->FindClass(env, CLASS_DATE);
--    jclass jStringClass      = (*env)->FindClass(env, "java/lang/String");
--    jclass jStringBufferClass      = (*env)->FindClass(env, "java/lang/StringBuffer");
--    jclass jBooleanArrayClass = (*env)->FindClass(env, "[Z");
--    jclass jByteArrayClass    = (*env)->FindClass(env, "[B");
--    jclass jCharArrayClass    = (*env)->FindClass(env, "[C");
--    /* jclass jShortArrayClass   = (*env)->FindClass(env, "[S"); */
--    jclass jIntArrayClass     = (*env)->FindClass(env, "[I");
--    jclass jLongArrayClass    = (*env)->FindClass(env, "[J");
--    /* jclass jFloatArrayClass   = (*env)->FindClass(env, "[F"); */
--    /* jclass jDoubleArrayClass  = (*env)->FindClass(env, "[D"); */
--    jclass jObjectClass = (*env)->FindClass(env, "java/lang/Object");
--    /* jclass jObjectArrayClass = (*env)->FindClass(env, "[java/lang/Object"); */
--    /* ATTENTION: jObjectArrayClass is always NULL !! */
--    /* CK_ULONG ckArrayLength; */
--    /* CK_VOID_PTR *ckpElementObject; */
--    /* CK_ULONG ckElementLength; */
--    /* CK_ULONG i; */
-+    jclass jLongClass, jBooleanClass, jByteArrayClass, jCharArrayClass;
-+    jclass jByteClass, jDateClass, jCharacterClass, jIntegerClass;
-+    jclass jBooleanArrayClass, jIntArrayClass, jLongArrayClass;
-+    jclass jStringClass;
-+    jclass jObjectClass, jClassClass;
-     CK_VOID_PTR ckpVoid = *ckpObjectPtr;
-     jmethodID jMethod;
-     jobject jClassObject;
-     jstring jClassNameString;
--    jstring jExceptionMessagePrefix;
--    jobject jExceptionMessageStringBuffer;
--    jstring jExceptionMessage;
-+    char *classNameString, *exceptionMsgPrefix, *exceptionMsg;
- 
-     TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtrPtr");
-     if (jObject == NULL) {
-         *ckpObjectPtr = NULL;
-         *ckpLength = 0;
--    } else if ((*env)->IsInstanceOf(env, jObject, jLongClass)) {
-+        return;
-+    }
-+
-+    jLongClass = (*env)->FindClass(env, "java/lang/Long");
-+    if (jLongClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jLongClass)) {
-         *ckpObjectPtr = jLongObjectToCKULongPtr(env, jObject);
-         *ckpLength = sizeof(CK_ULONG);
-         TRACE1("", *((CK_ULONG *) *ckpObjectPtr));
--    } else if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) {
-+        return;
-+    }
-+
-+    jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean");
-+    if (jBooleanClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) {
-         *ckpObjectPtr = jBooleanObjectToCKBBoolPtr(env, jObject);
-         *ckpLength = sizeof(CK_BBOOL);
-         TRACE0(" " : "FALSE>");
--    } else if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) {
-+        return;
-+    }
-+
-+    jByteArrayClass = (*env)->FindClass(env, "[B");
-+    if (jByteArrayClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) {
-         jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*)ckpObjectPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) {
-+        return;
-+    }
-+
-+    jCharArrayClass = (*env)->FindClass(env, "[C");
-+    if (jCharArrayClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) {
-         jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jObject, jByteClass)) {
-+        return;
-+    }
-+
-+    jByteClass = (*env)->FindClass(env, "java/lang/Byte");
-+    if (jByteClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jByteClass)) {
-         *ckpObjectPtr = jByteObjectToCKBytePtr(env, jObject);
-         *ckpLength = sizeof(CK_BYTE);
-         TRACE1("", *((CK_BYTE *) *ckpObjectPtr));
--    } else if ((*env)->IsInstanceOf(env, jObject, jDateClass)) {
-+        return;
-+    }
-+
-+    jDateClass = (*env)->FindClass(env, CLASS_DATE);
-+    if (jDateClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jDateClass)) {
-         *ckpObjectPtr = jDateObjectPtrToCKDatePtr(env, jObject);
-         *ckpLength = sizeof(CK_DATE);
--        TRACE3("", (*((CK_DATE *) *ckpObjectPtr)).year,
--                                                    (*((CK_DATE *) *ckpObjectPtr)).month,
--                                                    (*((CK_DATE *) *ckpObjectPtr)).day);
--    } else if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) {
-+        TRACE3("", (*((CK_DATE *) *ckpObjectPtr)).year, (*((CK_DATE *) *ckpObjectPtr)).month, (*((CK_DATE *) *ckpObjectPtr)).day);
-+        return;
-+    }
-+
-+    jCharacterClass = (*env)->FindClass(env, "java/lang/Character");
-+    if (jCharacterClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) {
-         *ckpObjectPtr = jCharObjectToCKCharPtr(env, jObject);
-         *ckpLength = sizeof(CK_UTF8CHAR);
-         TRACE1("", *((CK_CHAR *) *ckpObjectPtr));
--    } else if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) {
-+        return;
-+    }
-+
-+    jIntegerClass = (*env)->FindClass(env, "java/lang/Integer");
-+    if (jIntegerClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) {
-         *ckpObjectPtr = jIntegerObjectToCKULongPtr(env, jObject);
-         *ckpLength = sizeof(CK_ULONG);
-         TRACE1("", *((CK_ULONG *) *ckpObjectPtr));
--    } else if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) {
-+        return;
-+    }
-+
-+    jBooleanArrayClass = (*env)->FindClass(env, "[Z");
-+    if (jBooleanArrayClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) {
-         jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**)ckpObjectPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) {
--        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) {
-+        return;
-+    }
-+
-+    jIntArrayClass = (*env)->FindClass(env, "[I");
-+    if (jIntArrayClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) {
-         jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength);
--    } else if ((*env)->IsInstanceOf(env, jObject, jStringClass)) {
--        jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength);
-+        return;
-+    }
- 
--        /* a Java object array is not used by CK_ATTRIBUTE by now... */
--/*  } else if ((*env)->IsInstanceOf(env, jObject, jObjectArrayClass)) {
--        ckArrayLength = (*env)->GetArrayLength(env, (jarray) jObject);
--        ckpObjectPtr = (CK_VOID_PTR_PTR) malloc(sizeof(CK_VOID_PTR) * ckArrayLength);
--        *ckpLength = 0;
--        for (i = 0; i < ckArrayLength; i++) {
--            jObjectToPrimitiveCKObjectPtrPtr(env, (*env)->GetObjectArrayElement(env, (jarray) jObject, i),
--                     ckpElementObject, &ckElementLength);
--            (*ckpObjectPtr)[i] = *ckpElementObject;
--            *ckpLength += ckElementLength;
--        }
--*/
--    } else {
--        /* type of jObject unknown, throw PKCS11RuntimeException */
--        jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;");
--        assert(jMethod != 0);
--        jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod);
--        assert(jClassObject != 0);
--        jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;");
--        assert(jMethod != 0);
--        jClassNameString = (jstring)
--                (*env)->CallObjectMethod(env, jClassObject, jMethod);
--        assert(jClassNameString != 0);
--        jExceptionMessagePrefix = (*env)->NewStringUTF(env, "Java object of this class cannot be converted to native PKCS#11 type: ");
--        jMethod = (*env)->GetMethodID(env, jStringBufferClass, "", "(Ljava/lang/String;)V");
--        assert(jMethod != 0);
--        jExceptionMessageStringBuffer = (*env)->NewObject(env, jStringBufferClass, jMethod, jExceptionMessagePrefix);
--        assert(jClassNameString != 0);
--        jMethod = (*env)->GetMethodID(env, jStringBufferClass, "append", "(Ljava/lang/String;)Ljava/lang/StringBuffer;");
--        assert(jMethod != 0);
--        jExceptionMessage = (jstring)
--                 (*env)->CallObjectMethod(env, jExceptionMessageStringBuffer, jMethod, jClassNameString);
--        assert(jExceptionMessage != 0);
-+    jLongArrayClass = (*env)->FindClass(env, "[J");
-+    if (jLongArrayClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) {
-+        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength);
-+        return;
-+    }
- 
--        throwPKCS11RuntimeException(env, jExceptionMessage);
-+    jStringClass = (*env)->FindClass(env, "java/lang/String");
-+    if (jStringClass == NULL) { return; }
-+    if ((*env)->IsInstanceOf(env, jObject, jStringClass)) {
-+        jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength);
-+        return;
-+    }
- 
--        *ckpObjectPtr = NULL;
--        *ckpLength = 0;
-+    /* type of jObject unknown, throw PKCS11RuntimeException */
-+    jObjectClass = (*env)->FindClass(env, "java/lang/Object");
-+    if (jObjectClass == NULL) { return; }
-+    jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;");
-+    if (jMethod == NULL) { return; }
-+    jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod);
-+    assert(jClassObject != 0);
-+    jClassClass = (*env)->FindClass(env, "java/lang/Class");
-+    if (jClassClass == NULL) { return; }
-+    jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;");
-+    if (jMethod == NULL) { return; }
-+    jClassNameString = (jstring)
-+        (*env)->CallObjectMethod(env, jClassObject, jMethod);
-+    assert(jClassNameString != 0);
-+    classNameString = (char*)
-+        (*env)->GetStringUTFChars(env, jClassNameString, NULL);
-+    if (classNameString == NULL) { return; }
-+    exceptionMsgPrefix = "Java object of this class cannot be converted to native PKCS#11 type: ";
-+    exceptionMsg = (char *)
-+        malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1));
-+    if (exceptionMsg == NULL) {
-+        (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString);
-+        JNU_ThrowOutOfMemoryError(env, 0);
-+        return;
-     }
-+    strcpy(exceptionMsg, exceptionMsgPrefix);
-+    strcat(exceptionMsg, classNameString);
-+    (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString);
-+    throwPKCS11RuntimeException(env, exceptionMsg);
-+    free(exceptionMsg);
-+    *ckpObjectPtr = NULL;
-+    *ckpLength = 0;
- 
-     TRACE0("FINISHED\n");
- }
-+
-+#ifdef P11_MEMORYDEBUG
-+
-+#undef malloc
-+#undef free
-+
-+void *p11malloc(size_t c, char *file, int line) {
-+    void *p = malloc(c);
-+    printf("malloc\t%08x\t%d\t%s:%d\n", p, c, file, line); fflush(stdout);
-+    return p;
-+}
-+
-+void p11free(void *p, char *file, int line) {
-+    printf("free\t%08x\t\t%s:%d\n", p, file, line); fflush(stdout);
-+    free(p);
-+}
-+
-+#endif
-+
-diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h
---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2014-10-08 16:35:09.000000000 +0100
-+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h	2014-10-08 17:30:03.990103869 +0100
-@@ -154,6 +154,7 @@
- 
- #include "pkcs11.h"
- #include 
-+#include 
- 
- #define MAX_STACK_BUFFER_LEN (4 * 1024)
- #define MAX_HEAP_BUFFER_LEN (64 * 1024)
-@@ -277,12 +278,14 @@
-  */
- 
- jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue);
--void throwPKCS11RuntimeException(JNIEnv *env, jstring jmessage);
--void throwFileNotFoundException(JNIEnv *env, jstring jmessage);
- void throwIOException(JNIEnv *env, const char *message);
--void throwIOExceptionUnicodeMessage(JNIEnv *env, const short *message);
-+void throwPKCS11RuntimeException(JNIEnv *env, const char *message);
- void throwDisconnectedRuntimeException(JNIEnv *env);
- 
-+/* function to free CK_ATTRIBUTE array
-+ */
-+void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len);
-+
- /* funktions to convert Java arrays to a CK-type array and the array length */
- 
- void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckLength);
-@@ -438,3 +441,15 @@
- extern jobject jInitArgsObject;
- extern CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs;
- #endif /* NO_CALLBACKS */
-+
-+#ifdef P11_MEMORYDEBUG
-+#include 
-+
-+/* Simple malloc/free dumper */
-+void *p11malloc(size_t c, char *file, int line);
-+void p11free(void *p, char *file, int line);
-+
-+#define malloc(c)       (p11malloc((c), __FILE__, __LINE__))
-+#define free(c)         (p11free((c), __FILE__, __LINE__))
-+
-+#endif
diff -r 49231b25f344 -r 06179516eff2 patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch
--- a/patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,102 +0,0 @@
-# HG changeset patch
-# User valeriep
-# Date 1293074372 28800
-# Node ID adff75ebdc00374c41e2516fca5c4d40fec0ca9f
-# Parent  d4c2d2d72cfc45e3a66e52f792af6dc90a833d95
-6924489: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED
-Summary: Reset cipher state to un-initialized wherever necessary.
-Reviewed-by: weijun
-
-diff --git a/src/share/classes/sun/security/pkcs11/P11Cipher.java b/src/share/classes/sun/security/pkcs11/P11Cipher.java
---- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java
-@@ -395,6 +395,8 @@
-             }
-         } catch (PKCS11Exception e) {
-             throw new ProviderException("Cancel failed", e);
-+        } finally {
-+            reset();
-         }
-     }
- 
-@@ -408,12 +410,18 @@
-         if (session == null) {
-             session = token.getOpSession();
-         }
--        if (encrypt) {
--            token.p11.C_EncryptInit(session.id(),
--                    new CK_MECHANISM(mechanism, iv), p11Key.keyID);
--        } else {
--            token.p11.C_DecryptInit(session.id(),
--                    new CK_MECHANISM(mechanism, iv), p11Key.keyID);
-+        try {
-+            if (encrypt) {
-+                token.p11.C_EncryptInit(session.id(),
-+                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
-+            } else {
-+                token.p11.C_DecryptInit(session.id(),
-+                        new CK_MECHANISM(mechanism, iv), p11Key.keyID);
-+            }
-+        } catch (PKCS11Exception ex) {
-+            // release session when initialization failed
-+            session = token.releaseSession(session);
-+            throw ex;
-         }
-         bytesBuffered = 0;
-         padBufferLen = 0;
-@@ -448,6 +456,16 @@
-         return result;
-     }
- 
-+    // reset the states to the pre-initialized values
-+    private void reset() {
-+        initialized = false;
-+        bytesBuffered = 0;
-+        padBufferLen = 0;
-+        if (session != null) {
-+            session = token.releaseSession(session);
-+        }
-+    }
-+
-     // see JCE spec
-     protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) {
-         try {
-@@ -566,6 +584,7 @@
-                 throw (ShortBufferException)
-                         (new ShortBufferException().initCause(e));
-             }
-+            reset();
-             throw new ProviderException("update() failed", e);
-         }
-     }
-@@ -683,6 +702,7 @@
-                 throw (ShortBufferException)
-                         (new ShortBufferException().initCause(e));
-             }
-+            reset();
-             throw new ProviderException("update() failed", e);
-         }
-     }
-@@ -729,10 +749,7 @@
-             handleException(e);
-             throw new ProviderException("doFinal() failed", e);
-         } finally {
--            initialized = false;
--            bytesBuffered = 0;
--            padBufferLen = 0;
--            session = token.releaseSession(session);
-+            reset();
-         }
-     }
- 
-@@ -806,9 +823,7 @@
-             handleException(e);
-             throw new ProviderException("doFinal() failed", e);
-         } finally {
--            initialized = false;
--            bytesBuffered = 0;
--            session = token.releaseSession(session);
-+            reset();
-         }
-     }
- 
diff -r 49231b25f344 -r 06179516eff2 patches/pr2486-768_dh.patch
--- a/patches/pr2486-768_dh.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,52 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1428077961 -3600
-#      Fri Apr 03 17:19:21 2015 +0100
-# Node ID 25ae097ee625609d0ca677afbcb4fa7669fd5ea4
-# Parent  e7690bee9a7722b20bde481fb2da0bb6b903a258
-PR2486: JSSE server is still limited to 768-bit DHE
-Summary: Alter 6956398 so that legacy mode is default and 1024-bit keys come with "jdk8" mode.
-
-diff -r e7690bee9a77 -r 25ae097ee625 src/share/classes/sun/security/ssl/ServerHandshaker.java
---- openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Apr 03 18:26:32 2015 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Apr 03 17:19:21 2015 +0100
-@@ -111,15 +111,15 @@
-         String property = AccessController.doPrivileged(
-                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
-         if (property == null || property.length() == 0) {
--            useLegacyEphemeralDHKeys = false;
-+            useLegacyEphemeralDHKeys = true;
-             useSmartEphemeralDHKeys = false;
-             customizedDHKeySize = -1;
-         } else if ("matched".equals(property)) {
-             useLegacyEphemeralDHKeys = false;
-             useSmartEphemeralDHKeys = true;
-             customizedDHKeySize = -1;
--        } else if ("legacy".equals(property)) {
--            useLegacyEphemeralDHKeys = true;
-+        } else if ("jdk8".equals(property)) {
-+            useLegacyEphemeralDHKeys = false;
-             useSmartEphemeralDHKeys = false;
-             customizedDHKeySize = -1;
-         } else {
-@@ -1230,14 +1230,13 @@
-          * 768 bits ephemeral DH private keys were used to be used in
-          * ServerKeyExchange except that exportable ciphers max out at 512
-          * bits modulus values. We still adhere to this behavior in legacy
--         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
--         * as "legacy").
-+         * mode (system property "jdk.tls.ephemeralDHKeySize"
-+         * is not defined).
-          *
--         * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
--         * than 1024 bits. We have to consider the compatibility requirement.
--         * 1024 bits DH key is always used for non-exportable cipher suites
--         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
--         * is not defined).
-+         * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
-+         * non-exportable cipher suites in default mode and this can
-+         * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
-+         * is defined as "jdk8".
-          *
-          * However, if applications want more stronger strength, setting
-          * system property "jdk.tls.ephemeralDHKeySize" to "matched"
diff -r 49231b25f344 -r 06179516eff2 patches/pr2488-1024_dh.patch
--- a/patches/pr2488-1024_dh.patch	Wed May 04 02:55:09 2016 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,53 +0,0 @@
-# HG changeset patch
-# User andrew
-# Date 1437347486 -3600
-#      Mon Jul 20 00:11:26 2015 +0100
-# Node ID c1787ebf3df9ed96cd93bbd533ccf066418ade8a
-# Parent  ff3cd846027abce97fe5e7cc5a1df16fa6e5afc8
-PR2488: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize
-Summary: Backout 45680a70921daf8a5929b890de22c2fa5d117d82
-
-diff -r ff3cd846027a -r c1787ebf3df9 src/share/classes/sun/security/ssl/ServerHandshaker.java
---- openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	Sun Jul 19 18:19:29 2015 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java	Mon Jul 20 00:11:26 2015 +0100
-@@ -120,15 +120,15 @@
-         String property = AccessController.doPrivileged(
-                     new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
-         if (property == null || property.length() == 0) {
--            useLegacyEphemeralDHKeys = true;
-+            useLegacyEphemeralDHKeys = false;
-             useSmartEphemeralDHKeys = false;
-             customizedDHKeySize = -1;
-         } else if ("matched".equals(property)) {
-             useLegacyEphemeralDHKeys = false;
-             useSmartEphemeralDHKeys = true;
-             customizedDHKeySize = -1;
--        } else if ("jdk8".equals(property)) {
--            useLegacyEphemeralDHKeys = false;
-+        } else if ("legacy".equals(property)) {
-+            useLegacyEphemeralDHKeys = true;
-             useSmartEphemeralDHKeys = false;
-             customizedDHKeySize = -1;
-         } else {
-@@ -1253,14 +1253,15 @@
-          * 768 bits ephemeral DH private keys were used to be used in
-          * ServerKeyExchange except that exportable ciphers max out at 512
-          * bits modulus values. We still adhere to this behavior in legacy
--         * mode (system property "jdk.tls.ephemeralDHKeySize"
-+         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
-+         * as "legacy").
-+         *
-+         * Older versions of OpenJDK don't support DH keys bigger
-+         * than 1024 bits. We have to consider the compatibility requirement.
-+         * 1024 bits DH key is always used for non-exportable cipher suites
-+         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
-          * is not defined).
-          *
--         * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
--         * non-exportable cipher suites in default mode and this can
--         * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
--         * is defined as "jdk8".
--         *
-          * However, if applications want more stronger strength, setting
-          * system property "jdk.tls.ephemeralDHKeySize" to "matched"
-          * is a workaround to use ephemeral DH key which size matches the